arisa 2.0.8 → 2.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arisa",
-  "version": "2.0.8",
+  "version": "2.1.1",
   "description": "Arisa - dynamic agent runtime with daemon/core architecture that evolves through user interaction",
   "preferGlobal": true,
   "bin": {
@@ -27,6 +27,7 @@
     "core": "bun src/core/index.ts"
   },
   "dependencies": {
+    "@inquirer/prompts": "^8.2.0",
     "croner": "^9.0.0",
     "crypto-js": "^4.2.0",
     "deepbase": "^3.4.9",

package/src/core/index.ts

@@ -76,7 +76,7 @@ await initScheduler();
 await initAttachments();
 
 const server = await serveWithRetry({
-  port: config.corePort,
+  unix: config.coreSocket,
   async fetch(req) {
     const url = new URL(req.url);
 
@@ -461,4 +461,4 @@ ${messageText}`;
   },
 });
 
-log.info(`Core server listening on port ${config.corePort}`);
+log.info(`Core server listening on ${config.coreSocket}`);

package/src/core/onboarding.ts

@@ -72,12 +72,6 @@ export async function getOnboarding(chatId: string): Promise<{ message: string;
 
   const deps = checkDeps();
 
-  // Everything set up — skip onboarding
-  if (deps.claude && deps.codex && deps.openaiKey) {
-    await markOnboarded(chatId);
-    return null;
-  }
-
   // No CLI at all — block
   if (!deps.claude && !deps.codex) {
     const lines = [
@@ -94,23 +88,15 @@ export async function getOnboarding(chatId: string): Promise<{ message: string;
     return { message: lines.join("\n"), blocking: true };
   }
 
-  // At least one CLI — inform and continue
+  // At least one CLI — minimal greeting and continue
   await markOnboarded(chatId);
 
   const using = deps.claude ? "Claude" : "Codex";
   const lines = [`<b>Arisa</b> — using <b>${using}</b>`];
 
-  if (!deps.claude) {
-    lines.push("Claude CLI not installed. Add it with <code>bun add -g @anthropic-ai/claude-code</code>");
-  } else if (!deps.codex) {
-    lines.push("Codex CLI not installed. Add it with <code>bun add -g @openai/codex</code>");
-  } else {
+  if (deps.claude && deps.codex) {
     lines.push("Use /codex or /claude to switch backend.");
   }
 
-  if (!deps.openaiKey) {
-    lines.push("No OpenAI API key — voice and image processing disabled. Add <code>OPENAI_API_KEY</code> to <code>~/.arisa/.env</code> to enable.");
-  }
-
   return { message: lines.join("\n"), blocking: false };
 }

package/src/core/scheduler.ts

@@ -59,14 +59,15 @@ async function executeTask(task: ScheduledTask) {
     if (!tasks.includes(task) || !result) return;
 
     // Send the processed result to Telegram via Daemon
-    const response = await fetch(`http://localhost:${config.daemonPort}/send`, {
+    const response = await fetch("http://localhost/daemon/send", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
         chatId: task.chatId,
         text: result,
       }),
-    });
+      unix: config.daemonSocket,
+    } as any);
     if (!response.ok) {
       log.error(`Daemon returned ${response.status} for task ${task.id}`);
     }

package/src/daemon/auto-install.ts

@@ -0,0 +1,140 @@
+/**
+ * @module daemon/auto-install
+ * @role Auto-install missing AI CLIs at daemon startup.
+ * @responsibilities
+ *   - Check which CLIs (claude, codex) are missing
+ *   - Attempt `bun add -g <package>` for each missing CLI
+ *   - Log results, notify chats on success
+ * @dependencies shared/ai-cli
+ * @effects Spawns bun install processes, modifies global packages
+ */
+
+import { createLogger } from "../shared/logger";
+import { isAgentCliInstalled, buildBunWrappedAgentCliCommand, type AgentCliName } from "../shared/ai-cli";
+
+const log = createLogger("daemon");
+
+const CLI_PACKAGES: Record<AgentCliName, string> = {
+  claude: "@anthropic-ai/claude-code",
+  codex: "@openai/codex",
+};
+
+const INSTALL_TIMEOUT = 120_000; // 2min
+
+type NotifyFn = (text: string) => Promise<void>;
+let notifyFn: NotifyFn | null = null;
+
+export function setAutoInstallNotify(fn: NotifyFn) {
+  notifyFn = fn;
+}
+
+async function installCli(cli: AgentCliName): Promise<boolean> {
+  const pkg = CLI_PACKAGES[cli];
+  log.info(`Auto-install: installing ${cli} (${pkg})...`);
+
+  try {
+    const proc = Bun.spawn(["bun", "add", "-g", pkg], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env: { ...process.env },
+    });
+
+    const timeout = setTimeout(() => proc.kill(), INSTALL_TIMEOUT);
+    const exitCode = await proc.exited;
+    clearTimeout(timeout);
+
+    if (exitCode === 0) {
+      log.info(`Auto-install: ${cli} installed successfully`);
+      return true;
+    } else {
+      const stderr = await new Response(proc.stderr).text();
+      log.error(`Auto-install: ${cli} install failed (exit ${exitCode}): ${stderr.slice(0, 300)}`);
+      return false;
+    }
+  } catch (error) {
+    log.error(`Auto-install: ${cli} install error: ${error}`);
+    return false;
+  }
+}
+
+export async function autoInstallMissingClis(): Promise<void> {
+  const missing: AgentCliName[] = [];
+
+  for (const cli of Object.keys(CLI_PACKAGES) as AgentCliName[]) {
+    if (!isAgentCliInstalled(cli)) {
+      missing.push(cli);
+    }
+  }
+
+  if (missing.length === 0) {
+    log.info("Auto-install: all CLIs already installed");
+    return;
+  }
+
+  log.info(`Auto-install: missing CLIs: ${missing.join(", ")}`);
+
+  const installed: string[] = [];
+  for (const cli of missing) {
+    const ok = await installCli(cli);
+    if (ok) installed.push(cli);
+  }
+
+  if (installed.length > 0) {
+    const msg = `Auto-installed: <b>${installed.join(", ")}</b>`;
+    log.info(msg);
+    await notifyFn?.(msg).catch((e) => log.error(`Auto-install notify failed: ${e}`));
+  }
+
+  // After install, probe auth for all installed CLIs
+  await probeCliAuth();
+}
+
+type AuthProbeFn = (cli: AgentCliName, errorText: string) => void;
+let authProbeFn: AuthProbeFn | null = null;
+
+export function setAuthProbeCallback(fn: AuthProbeFn) {
+  authProbeFn = fn;
+}
+
+const PROBE_TIMEOUT = 15_000;
+
+/**
+ * Run a minimal command with each installed CLI to detect auth errors early.
+ * Uses a real API call (cheap haiku / short exec) so auth errors surface.
+ * When an auth error is found, the callback triggers the appropriate login flow.
+ */
+export async function probeCliAuth(): Promise<void> {
+  for (const cli of ["claude", "codex"] as AgentCliName[]) {
+    if (!isAgentCliInstalled(cli)) continue;
+
+    log.info(`Auth probe: testing ${cli}...`);
+    try {
+      const args = cli === "claude"
+        ? ["-p", "say ok", "--model", "haiku", "--dangerously-skip-permissions"]
+        : ["exec", "--dangerously-bypass-approvals-and-sandbox", "echo ok"];
+
+      const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args), {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: { ...process.env },
+      });
+
+      const timeout = setTimeout(() => proc.kill(), PROBE_TIMEOUT);
+      const exitCode = await proc.exited;
+      clearTimeout(timeout);
+
+      const stdout = await new Response(proc.stdout).text();
+      const stderr = await new Response(proc.stderr).text();
+
+      if (exitCode === 0) {
+        log.info(`Auth probe: ${cli} authenticated OK`);
+      } else {
+        const combined = stdout + "\n" + stderr;
+        log.warn(`Auth probe: ${cli} failed (exit ${exitCode}): ${combined.slice(0, 200)}`);
+        authProbeFn?.(cli, combined);
+      }
+    } catch (e) {
+      log.error(`Auth probe: ${cli} error: ${e}`);
+    }
+  }
+}

package/src/daemon/bridge.ts

@@ -2,7 +2,7 @@
  * @module daemon/bridge
  * @role HTTP client from Daemon to Core with smart fallback to local AI CLI.
  * @responsibilities
- *   - POST messages to Core at :51777/message
+ *   - POST messages to Core via Unix socket
  *   - Respect Core lifecycle state (starting/up/down)
  *   - Wait for Core during startup, fallback only when truly down
  *   - Serialize fallback calls (one CLI process at a time)
@@ -18,7 +18,7 @@ import { getCoreState, getCoreError, waitForCoreReady } from "./lifecycle";
 
 const log = createLogger("daemon");
 
-const CORE_URL = `http://localhost:${config.corePort}`;
+const CORE_URL = "http://localhost/core";
 const STARTUP_WAIT_MS = 15_000;
 const RETRY_DELAY = 3000;
 
@@ -135,7 +135,8 @@ async function postToCore(message: IncomingMessage): Promise<CoreResponse> {
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({ message }),
     signal: AbortSignal.timeout(config.claudeTimeout + 5000),
-  });
+    unix: config.coreSocket,
+  } as any);
 
   if (!response.ok) {
     throw new Error(`Core returned ${response.status}`);
@@ -154,7 +155,10 @@ function sleep(ms: number): Promise<void> {
 
 export async function isCoreHealthy(): Promise<boolean> {
   try {
-    const response = await fetch(`${CORE_URL}/health`, { signal: AbortSignal.timeout(2000) });
+    const response = await fetch(`${CORE_URL}/health`, {
+      signal: AbortSignal.timeout(2000),
+      unix: config.coreSocket,
+    } as any);
     return response.ok;
   } catch {
     return false;

package/src/daemon/claude-login.ts

@@ -0,0 +1,215 @@
+/**
+ * @module daemon/claude-login
+ * @role Trigger Claude setup-token (OAuth) flow from Daemon when auth errors are detected.
+ * @responsibilities
+ *   - Detect Claude auth-required signals in Core responses
+ *   - Run `claude setup-token` with piped I/O
+ *   - Parse OAuth URL from output, send to pending Telegram chats
+ *   - Accept OAuth code from user message and pipe it to the waiting process stdin
+ * @effects Spawns claude CLI process, writes to daemon logs/terminal
+ */
+
+import { config } from "../shared/config";
+import { createLogger } from "../shared/logger";
+import { buildBunWrappedAgentCliCommand } from "../shared/ai-cli";
+
+const log = createLogger("daemon");
+
+const AUTH_HINT_PATTERNS = [
+  /not logged in/i,
+  /please run \/login/i,
+  /invalid.*api.?key/i,
+  /authentication.*failed/i,
+  /not authenticated/i,
+  /ANTHROPIC_API_KEY/,
+  /api key not found/i,
+  /invalid x-api-key/i,
+];
+
+const RETRY_COOLDOWN_MS = 30_000;
+
+let loginInProgress = false;
+let lastLoginAttemptAt = 0;
+const pendingChatIds = new Set<string>();
+
+// The running setup-token process, so we can pipe the code to stdin
+let pendingProc: ReturnType<typeof Bun.spawn> | null = null;
+let urlSent = false;
+
+type NotifyFn = (chatId: string, text: string) => Promise<void>;
+let notifyFn: NotifyFn | null = null;
+
+export function setClaudeLoginNotify(fn: NotifyFn) {
+  notifyFn = fn;
+}
+
+function needsClaudeLogin(text: string): boolean {
+  return AUTH_HINT_PATTERNS.some((pattern) => pattern.test(text));
+}
+
+export function maybeStartClaudeSetupToken(rawCoreText: string, chatId?: string): void {
+  if (!rawCoreText || !needsClaudeLogin(rawCoreText)) return;
+  if (chatId) pendingChatIds.add(chatId);
+
+  if (loginInProgress) {
+    log.info("Claude setup-token already in progress; skipping duplicate trigger");
+    return;
+  }
+
+  const now = Date.now();
+  if (now - lastLoginAttemptAt < RETRY_COOLDOWN_MS) {
+    log.info("Claude setup-token trigger ignored (cooldown active)");
+    return;
+  }
+
+  lastLoginAttemptAt = now;
+  loginInProgress = true;
+  void runClaudeSetupToken().finally(() => {
+    loginInProgress = false;
+    pendingProc = null;
+  });
+}
+
+/**
+ * Start Claude setup-token proactively (e.g. during onboarding).
+ */
+export function startClaudeSetupToken(chatId: string): void {
+  pendingChatIds.add(chatId);
+
+  if (loginInProgress) {
+    log.info("Claude setup-token already in progress");
+    return;
+  }
+
+  loginInProgress = true;
+  lastLoginAttemptAt = Date.now();
+  void runClaudeSetupToken().finally(() => {
+    loginInProgress = false;
+    pendingProc = null;
+  });
+}
+
+/**
+ * Check if we're waiting for an OAuth code from this chat.
+ * If the message looks like a code, pipe it to the waiting setup-token process.
+ * Returns true if the message was consumed as a code.
+ */
+export function maybeFeedClaudeCode(chatId: string, text: string): boolean {
+  if (!pendingProc || !pendingChatIds.has(chatId)) return false;
+
+  const trimmed = text.trim();
+  // OAuth codes are typically short alphanumeric strings or URL params
+  // Reject obvious non-codes (long messages, commands, etc.)
+  if (trimmed.length > 200 || trimmed.startsWith("/") || trimmed.includes(" ")) return false;
+
+  log.info("Feeding OAuth code to claude setup-token process");
+  try {
+    const writer = pendingProc.stdin as WritableStream<Uint8Array>;
+    const w = writer.getWriter();
+    void w.write(new TextEncoder().encode(trimmed + "\n")).then(() => w.releaseLock());
+  } catch (e) {
+    log.error(`Failed to write to claude setup-token stdin: ${e}`);
+  }
+  return true;
+}
+
+async function notifyPending(text: string): Promise<void> {
+  if (!notifyFn || pendingChatIds.size === 0) return;
+  const chats = Array.from(pendingChatIds);
+  await Promise.all(
+    chats.map(async (chatId) => {
+      try { await notifyFn?.(chatId, text); } catch (e) {
+        log.error(`Failed to notify ${chatId}: ${e}`);
+      }
+    }),
+  );
+}
+
+async function runClaudeSetupToken(): Promise<void> {
+  log.warn("Claude auth required. Starting `claude setup-token`.");
+  urlSent = false;
+
+  let proc: ReturnType<typeof Bun.spawn>;
+  try {
+    proc = Bun.spawn(buildBunWrappedAgentCliCommand("claude", ["setup-token"]), {
+      cwd: config.projectDir,
+      stdin: "pipe",
+      stdout: "pipe",
+      stderr: "pipe",
+      env: { ...process.env, BROWSER: "echo" }, // Prevent browser auto-open on headless servers
+    });
+    pendingProc = proc;
+  } catch (error) {
+    log.error(`Failed to start claude setup-token: ${error}`);
+    return;
+  }
+
+  // Read stdout incrementally to detect URL early and send to Telegram
+  const readAndNotify = async (stream: ReadableStream<Uint8Array> | null, target: NodeJS.WriteStream): Promise<string> => {
+    if (!stream) return "";
+    const chunks: string[] = [];
+    const reader = stream.getReader();
+    const decoder = new TextDecoder();
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        const text = decoder.decode(value, { stream: true });
+        chunks.push(text);
+        target.write(text);
+
+        // Try to parse and send URL as soon as we see it
+        if (!urlSent) {
+          const allText = chunks.join("");
+          const urlMatch = allText.match(/(https:\/\/claude\.ai\/oauth\/authorize\S+)/);
+          if (urlMatch) {
+            urlSent = true;
+            const msg = [
+              "<b>Claude login required</b>\n",
+              `1. Open this link:\n${urlMatch[1]}\n`,
+              "2. Authorize and copy the code",
+              "3. Reply here with the code",
+            ].join("\n");
+            await notifyPending(msg);
+          }
+        }
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    return chunks.join("");
+  };
+
+  await Promise.all([
+    readAndNotify(proc.stdout, process.stdout),
+    readAndNotify(proc.stderr, process.stderr),
+  ]);
+
+  const exitCode = await proc.exited;
+  if (exitCode === 0) {
+    log.info("Claude setup-token completed successfully.");
+    await notifySuccess();
+  } else {
+    log.error(`Claude setup-token finished with exit code ${exitCode}`);
+  }
+}
+
+async function notifySuccess(): Promise<void> {
+  if (!notifyFn || pendingChatIds.size === 0) return;
+
+  const text = "<b>Claude login completed.</b>\nTry again.";
+  const chats = Array.from(pendingChatIds);
+  pendingChatIds.clear();
+
+  await Promise.all(
+    chats.map(async (chatId) => {
+      try { await notifyFn?.(chatId, text); } catch (e) {
+        log.error(`Failed to send Claude login success notice to ${chatId}: ${e}`);
+      }
+    }),
+  );
+}
+
+export function isClaudeLoginPending(): boolean {
+  return loginInProgress;
+}

package/src/daemon/codex-login.ts

@@ -60,17 +60,57 @@ export function maybeStartCodexDeviceAuth(rawCoreText: string, chatId?: string):
   });
 }
 
+async function readStreamAndEcho(stream: ReadableStream<Uint8Array> | null, target: NodeJS.WriteStream): Promise<string> {
+  if (!stream) return "";
+  const chunks: string[] = [];
+  const reader = stream.getReader();
+  const decoder = new TextDecoder();
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      const text = decoder.decode(value, { stream: true });
+      chunks.push(text);
+      target.write(text); // Echo to console for server admins
+    }
+  } finally {
+    reader.releaseLock();
+  }
+  return chunks.join("");
+}
+
+function parseAuthInfo(output: string): { url: string; code: string } | null {
+  const urlMatch = output.match(/(https:\/\/auth\.openai\.com\/\S+)/);
+  const codeMatch = output.match(/([A-Z0-9]{4}-[A-Z0-9]{5})/);
+  if (urlMatch && codeMatch) return { url: urlMatch[1], code: codeMatch[1] };
+  return null;
+}
+
+async function notifyPending(text: string): Promise<void> {
+  if (!notifyFn || pendingChatIds.size === 0) return;
+  const chats = Array.from(pendingChatIds);
+  await Promise.all(
+    chats.map(async (chatId) => {
+      try { await notifyFn?.(chatId, text); } catch (e) {
+        log.error(`Failed to notify ${chatId}: ${e}`);
+      }
+    }),
+  );
+}
+
+let authInfoSent = false;
+
 async function runCodexDeviceAuth(): Promise<void> {
   log.warn("Codex auth required. Starting `bun --bun <path-to-codex> login --device-auth` now.");
-  log.warn("Complete device auth using the URL/code printed below in this Arisa terminal.");
+  authInfoSent = false;
 
   let proc: ReturnType<typeof Bun.spawn>;
   try {
     proc = Bun.spawn(buildBunWrappedAgentCliCommand("codex", ["login", "--device-auth"]), {
       cwd: config.projectDir,
       stdin: "inherit",
-      stdout: "inherit",
-      stderr: "inherit",
+      stdout: "pipe",
+      stderr: "pipe",
       env: { ...process.env },
     });
   } catch (error) {
@@ -78,9 +118,30 @@ async function runCodexDeviceAuth(): Promise<void> {
     return;
   }
 
+  // Read stdout and stderr in parallel, echoing to console
+  const [stdoutText, stderrText] = await Promise.all([
+    readStreamAndEcho(proc.stdout, process.stdout),
+    readStreamAndEcho(proc.stderr, process.stderr),
+  ]);
+
+  // Parse auth info from combined output and send to Telegram
+  const combined = stdoutText + "\n" + stderrText;
+  if (!authInfoSent) {
+    const auth = parseAuthInfo(combined);
+    if (auth) {
+      authInfoSent = true;
+      const msg = [
+        "<b>Codex login required</b>\n",
+        `1. Open: ${auth.url}`,
+        `2. Enter code: <code>${auth.code}</code>`,
+      ].join("\n");
+      await notifyPending(msg);
+    }
+  }
+
   const exitCode = await proc.exited;
   if (exitCode === 0) {
-    log.info("Codex device auth finished successfully. You can retry your message.");
+    log.info("Codex device auth finished successfully.");
     await notifySuccess();
   } else {
     log.error(`Codex device auth finished with exit code ${exitCode}`);

package/src/daemon/index.ts

@@ -23,12 +23,14 @@ const { config } = await import("../shared/config");
 // Initialize encrypted secrets
 await config.secrets.initialize();
 const { createLogger } = await import("../shared/logger");
-const { serveWithRetry, claimProcess, releaseProcess } = await import("../shared/ports");
+const { serveWithRetry, claimProcess, releaseProcess, cleanupSocket } = await import("../shared/ports");
 const { TelegramChannel } = await import("./channels/telegram");
 const { sendToCore } = await import("./bridge");
 const { startCore, stopCore, setLifecycleNotify } = await import("./lifecycle");
 const { setAutoFixNotify } = await import("./autofix");
 const { maybeStartCodexDeviceAuth, setCodexLoginNotify } = await import("./codex-login");
+const { maybeStartClaudeSetupToken, maybeFeedClaudeCode, setClaudeLoginNotify, isClaudeLoginPending } = await import("./claude-login");
+const { autoInstallMissingClis, setAutoInstallNotify, setAuthProbeCallback } = await import("./auto-install");
 const { chunkMessage, markdownToTelegramHtml } = await import("../core/format");
 const { saveMessageRecord } = await import("../shared/db");
 
@@ -61,12 +63,36 @@ const sendToAllChats = async (text: string) => {
 
 setLifecycleNotify(sendToAllChats);
 setAutoFixNotify(sendToAllChats);
+setAutoInstallNotify(sendToAllChats);
+setAuthProbeCallback((cli, errorText) => {
+  if (cli === "claude") {
+    // Start Claude setup-token for all known chats
+    for (const chatId of knownChatIds) {
+      maybeStartClaudeSetupToken(errorText, chatId);
+    }
+  } else if (cli === "codex") {
+    // Start Codex device-auth for all known chats
+    for (const chatId of knownChatIds) {
+      maybeStartCodexDeviceAuth(errorText, chatId);
+    }
+  }
+});
 setCodexLoginNotify(async (chatId, text) => {
   await telegram.send(chatId, text);
 });
+setClaudeLoginNotify(async (chatId, text) => {
+  await telegram.send(chatId, text);
+});
 
 telegram.onMessage(async (msg) => {
   knownChatIds.add(msg.chatId);
+
+  // If Claude login is pending and user sends what looks like an OAuth code, feed it
+  if (isClaudeLoginPending() && msg.text && maybeFeedClaudeCode(msg.chatId, msg.text)) {
+    await telegram.send(msg.chatId, "Code received, authenticating...");
+    return;
+  }
+
   // Keep typing indicator alive while Core processes (expires every ~5s)
   const typingInterval = setInterval(() => telegram.sendTyping(msg.chatId), 4000);
 
@@ -82,6 +108,7 @@ telegram.onMessage(async (msg) => {
 
     const raw = response.text || "";
     maybeStartCodexDeviceAuth(raw, msg.chatId);
+    maybeStartClaudeSetupToken(raw, msg.chatId);
     const messageParts = raw.split(/\n---CHUNK---\n/g);
     let sentText = false;
 
@@ -148,7 +175,7 @@ telegram.onMessage(async (msg) => {
 
 // --- HTTP server for Core → Daemon pushes (scheduler) ---
 const pushServer = await serveWithRetry({
-  port: config.daemonPort,
+  unix: config.daemonSocket,
   async fetch(req) {
     const url = new URL(req.url);
 
@@ -193,7 +220,10 @@ const pushServer = await serveWithRetry({
   },
 });
 
-log.info(`Daemon push server listening on port ${config.daemonPort}`);
+log.info(`Daemon push server listening on ${config.daemonSocket}`);
+
+// --- Auto-install missing CLIs (non-blocking) ---
+void autoInstallMissingClis();
 
 // --- Start Core process ---
 startCore();
@@ -208,6 +238,8 @@ telegram.connect().catch((error) => {
 function shutdown() {
   log.info("Shutting down Daemon...");
   stopCore();
+  cleanupSocket(config.daemonSocket);
+  cleanupSocket(config.coreSocket);
   releaseProcess("daemon");
   process.exit(0);
 }

package/src/daemon/lifecycle.ts

@@ -91,9 +91,10 @@ function startHealthCheck() {
       return;
     }
     try {
-      const res = await fetch(`http://localhost:${config.corePort}/health`, {
+      const res = await fetch("http://localhost/core/health", {
         signal: AbortSignal.timeout(2000),
-      });
+        unix: config.coreSocket,
+      } as any);
       if (res.ok) {
         coreState = "up";
         log.info("Core is ready (health check passed)");

package/src/daemon/setup.ts

@@ -1,22 +1,30 @@
 /**
  * @module daemon/setup
- * @role Interactive first-run setup. Prompts for missing config via stdin.
+ * @role Interactive first-run setup with inquirer prompts.
  * @responsibilities
  *   - Check required config (TELEGRAM_BOT_TOKEN)
  *   - Check optional config (OPENAI_API_KEY)
- *   - Prompt user interactively and save to runtime .env
- * @dependencies shared/paths (avoids importing config to prevent module caching issues)
- * @effects Reads stdin, writes runtime .env
+ *   - Detect / install missing CLIs (Claude, Codex)
+ *   - Run interactive login flows for installed CLIs
+ *   - Persist tokens to both .env and encrypted DB
+ * @dependencies shared/paths, shared/secrets, shared/ai-cli
+ * @effects Reads stdin, writes runtime .env, spawns install/login processes
  */
 
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
 import { dirname, join } from "path";
 import { dataDir } from "../shared/paths";
-import { secrets } from "../shared/secrets";
+import { secrets, setSecret } from "../shared/secrets";
+import { isAgentCliInstalled, buildBunWrappedAgentCliCommand, type AgentCliName } from "../shared/ai-cli";
 
 const ENV_PATH = join(dataDir, ".env");
 const SETUP_DONE_KEY = "ARISA_SETUP_COMPLETE";
 
+const CLI_PACKAGES: Record<AgentCliName, string> = {
+  claude: "@anthropic-ai/claude-code",
+  codex: "@openai/codex",
+};
+
 function loadExistingEnv(): Record<string, string> {
   if (!existsSync(ENV_PATH)) return {};
   const vars: Record<string, string> = {};
@@ -36,7 +44,8 @@ function saveEnv(vars: Record<string, string>) {
   writeFileSync(ENV_PATH, content);
 }
 
-async function prompt(question: string): Promise<string> {
+// Fallback readline for non-TTY environments
+async function readLine(question: string): Promise<string> {
   process.stdout.write(question);
   for await (const line of console) {
     return line.trim();
@@ -50,40 +59,215 @@ export async function runSetup(): Promise<boolean> {
   const openaiSecret = await secrets.openai();
   let changed = false;
   const setupDone = vars[SETUP_DONE_KEY] === "1" || process.env[SETUP_DONE_KEY] === "1";
+  const isFirstRun = !setupDone;
+
+  // Try to load inquirer for interactive mode
+  let inq: typeof import("@inquirer/prompts") | null = null;
+  if (process.stdin.isTTY) {
+    try {
+      inq = await import("@inquirer/prompts");
+    } catch {
+      // Fall back to basic prompts
+    }
+  }
+
+  // ─── Phase 1: Tokens ────────────────────────────────────────────
+
+  const hasTelegram = !!(vars.TELEGRAM_BOT_TOKEN || process.env.TELEGRAM_BOT_TOKEN || telegramSecret);
+  const hasOpenAI = !!(vars.OPENAI_API_KEY || process.env.OPENAI_API_KEY || openaiSecret);
 
-  // Required: TELEGRAM_BOT_TOKEN
-  if (!vars.TELEGRAM_BOT_TOKEN && !process.env.TELEGRAM_BOT_TOKEN && !telegramSecret) {
-    console.log("\n🔧 Arisa Setup\n");
-    console.log("Telegram Bot Token required. Get one from @BotFather on Telegram.");
-    const token = await prompt("TELEGRAM_BOT_TOKEN: ");
-    if (!token) {
+  if (!hasTelegram) {
+    if (isFirstRun) console.log("\n🔧 Arisa Setup\n");
+
+    let token: string;
+    if (inq) {
+      token = await inq.input({
+        message: "Telegram Bot Token (from @BotFather):",
+        validate: (v) => (v.trim() ? true : "Token is required"),
+      });
+    } else {
+      console.log("Telegram Bot Token required. Get one from @BotFather on Telegram.");
+      token = await readLine("TELEGRAM_BOT_TOKEN: ");
+    }
+
+    if (!token.trim()) {
       console.log("No token provided. Cannot start without Telegram Bot Token.");
       return false;
     }
-    vars.TELEGRAM_BOT_TOKEN = token;
+
+    vars.TELEGRAM_BOT_TOKEN = token.trim();
+    await setSecret("TELEGRAM_BOT_TOKEN", token.trim()).catch((e) =>
+      console.warn(`[setup] Could not persist TELEGRAM_BOT_TOKEN to encrypted DB: ${e}`)
+    );
+    console.log("[setup] TELEGRAM_BOT_TOKEN saved to .env + encrypted DB");
     changed = true;
+  } else {
+    const src = telegramSecret ? "encrypted DB" : vars.TELEGRAM_BOT_TOKEN ? ".env" : "env var";
+    console.log(`[setup] TELEGRAM_BOT_TOKEN found in ${src}`);
   }
 
-  // Optional: OPENAI_API_KEY
-  if (!vars.OPENAI_API_KEY && !process.env.OPENAI_API_KEY && !openaiSecret && !setupDone) {
-    if (!changed) console.log("\n🔧 Arisa Setup\n");
-    console.log("\nOpenAI API Key (optional — enables voice transcription + image analysis).");
-    const key = await prompt("OPENAI_API_KEY (enter to skip): ");
-    if (key) {
-      vars.OPENAI_API_KEY = key;
+  if (!hasOpenAI && isFirstRun) {
+    let key: string;
+    if (inq) {
+      key = await inq.input({
+        message: "OpenAI API Key (optional — voice + image, enter to skip):",
+      });
+    } else {
+      console.log("\nOpenAI API Key (optional — enables voice transcription + image analysis).");
+      key = await readLine("OPENAI_API_KEY (enter to skip): ");
+    }
+
+    if (key.trim()) {
+      vars.OPENAI_API_KEY = key.trim();
+      await setSecret("OPENAI_API_KEY", key.trim()).catch((e) =>
+        console.warn(`[setup] Could not persist OPENAI_API_KEY to encrypted DB: ${e}`)
+      );
+      console.log("[setup] OPENAI_API_KEY saved to .env + encrypted DB");
       changed = true;
     }
+  } else if (hasOpenAI) {
+    const src = openaiSecret ? "encrypted DB" : vars.OPENAI_API_KEY ? ".env" : "env var";
+    console.log(`[setup] OPENAI_API_KEY found in ${src}`);
   }
 
+  // Save tokens
   if (!setupDone) {
     vars[SETUP_DONE_KEY] = "1";
     changed = true;
   }
-
   if (changed) {
     saveEnv(vars);
-    console.log(`\nConfig saved to ${ENV_PATH}\n`);
+    console.log(`\nConfig saved to ${ENV_PATH}`);
+  }
+
+  // ─── Phase 2: CLI Installation (first run, interactive) ─────────
+
+  if (isFirstRun && process.stdin.isTTY) {
+    await setupClis(inq);
   }
 
   return true;
 }
+
+async function setupClis(inq: typeof import("@inquirer/prompts") | null) {
+  let claudeInstalled = isAgentCliInstalled("claude");
+  let codexInstalled = isAgentCliInstalled("codex");
+
+  console.log("\nCLI Status:");
+  console.log(`  ${claudeInstalled ? "✓" : "✗"} Claude${claudeInstalled ? "" : " — not installed"}`);
+  console.log(`  ${codexInstalled ? "✓" : "✗"} Codex${codexInstalled ? "" : " — not installed"}`);
+
+  // Install missing CLIs
+  const missing: AgentCliName[] = [];
+  if (!claudeInstalled) missing.push("claude");
+  if (!codexInstalled) missing.push("codex");
+
+  if (missing.length > 0) {
+    let toInstall: AgentCliName[] = [];
+
+    if (inq) {
+      toInstall = await inq.checkbox({
+        message: "Install missing CLIs? (space to select, enter to confirm)",
+        choices: missing.map((cli) => ({
+          name: `${cli === "claude" ? "Claude" : "Codex"} (${CLI_PACKAGES[cli]})`,
+          value: cli as AgentCliName,
+          checked: true,
+        })),
+      });
+    } else {
+      // Non-inquirer fallback: install all
+      const answer = await readLine("\nInstall missing CLIs? (Y/n): ");
+      if (answer.toLowerCase() !== "n") toInstall = missing;
+    }
+
+    for (const cli of toInstall) {
+      console.log(`\nInstalling ${cli}...`);
+      const ok = await installCli(cli);
+      console.log(ok ? `  ✓ ${cli} installed` : `  ✗ ${cli} install failed`);
+    }
+
+    // Refresh status
+    claudeInstalled = isAgentCliInstalled("claude");
+    codexInstalled = isAgentCliInstalled("codex");
+  }
+
+  // Login CLIs
+  if (claudeInstalled) {
+    let doLogin = true;
+    if (inq) {
+      doLogin = await inq.confirm({ message: "Log in to Claude?", default: true });
+    } else {
+      const answer = await readLine("\nLog in to Claude? (Y/n): ");
+      doLogin = answer.toLowerCase() !== "n";
+    }
+    if (doLogin) {
+      console.log();
+      await runInteractiveLogin("claude");
+    }
+  }
+
+  if (codexInstalled) {
+    let doLogin = true;
+    if (inq) {
+      doLogin = await inq.confirm({ message: "Log in to Codex?", default: true });
+    } else {
+      const answer = await readLine("\nLog in to Codex? (Y/n): ");
+      doLogin = answer.toLowerCase() !== "n";
+    }
+    if (doLogin) {
+      console.log();
+      await runInteractiveLogin("codex");
+    }
+  }
+
+  if (!claudeInstalled && !codexInstalled) {
+    console.log("\n⚠ No CLIs installed. Arisa needs at least one to work.");
+    console.log("  The daemon will auto-install them in the background.\n");
+  } else {
+    console.log("\n✓ Setup complete!\n");
+  }
+}
+
+async function installCli(cli: AgentCliName): Promise<boolean> {
+  try {
+    const proc = Bun.spawn(["bun", "add", "-g", CLI_PACKAGES[cli]], {
+      stdout: "inherit",
+      stderr: "inherit",
+    });
+    const timeout = setTimeout(() => proc.kill(), 120_000);
+    const exitCode = await proc.exited;
+    clearTimeout(timeout);
+    return exitCode === 0;
+  } catch (e) {
+    console.error(`  Install error: ${e}`);
+    return false;
+  }
+}
+
+async function runInteractiveLogin(cli: AgentCliName): Promise<boolean> {
+  const args = cli === "claude"
+    ? ["setup-token"]
+    : ["login", "--device-auth"];
+
+  console.log(`Starting ${cli} login...`);
+
+  try {
+    const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args), {
+      stdin: "inherit",
+      stdout: "inherit",
+      stderr: "inherit",
+    });
+    const exitCode = await proc.exited;
+
+    if (exitCode === 0) {
+      console.log(`  ✓ ${cli} login successful`);
+      return true;
+    } else {
+      console.log(`  ✗ ${cli} login failed (exit ${exitCode})`);
+      return false;
+    }
+  } catch (e) {
+    console.error(`  Login error: ${e}`);
+    return false;
+  }
+}

package/src/shared/config.ts

@@ -107,6 +107,8 @@ export const config = {
 
   corePort: 51777,
   daemonPort: 51778,
+  coreSocket: join(dataDir, "core.sock"),
+  daemonSocket: join(dataDir, "daemon.sock"),
 
   // API keys - use async getters for first load
   get telegramBotToken() { return secureConfig.telegramBotToken; },

package/src/shared/ports.ts

@@ -78,19 +78,37 @@ export function releaseProcess(name: string): void {
 }
 
 /**
- * Bun.serve() with retry — if port is busy, waits for previous process to die.
+ * Remove a Unix socket file if it exists (stale leftover from crash).
+ */
+export function cleanupSocket(socketPath: string): void {
+  try { unlinkSync(socketPath); } catch {}
+}
+
+/**
+ * Bun.serve() with retry — handles both TCP ports and Unix sockets.
+ * For Unix sockets, cleans up stale socket file before first attempt.
  */
 export async function serveWithRetry(
   options: Parameters<typeof Bun.serve>[0],
   retries = 5,
 ): Promise<ReturnType<typeof Bun.serve>> {
+  const socketPath = (options as any).unix as string | undefined;
+
+  // Pre-clean stale Unix socket from a previous crash
+  if (socketPath) cleanupSocket(socketPath);
+
   for (let i = 0; i < retries; i++) {
     try {
       return Bun.serve(options);
     } catch (e: any) {
       if (e?.code !== "EADDRINUSE" || i === retries - 1) throw e;
-      const port = (options as any).port ?? "?";
-      console.log(`[ports] Port ${port} busy, retrying (${i + 1}/${retries})...`);
+      if (socketPath) {
+        console.log(`[ports] Socket ${socketPath} busy, cleaning up and retrying (${i + 1}/${retries})...`);
+        cleanupSocket(socketPath);
+      } else {
+        const port = (options as any).port ?? "?";
+        console.log(`[ports] Port ${port} busy, retrying (${i + 1}/${retries})...`);
+      }
       await new Promise((r) => setTimeout(r, 1000));
     }
   }