arisa 2.3.28 → 2.3.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arisa",
-  "version": "2.3.28",
+  "version": "2.3.30",
   "description": "Arisa - dynamic agent runtime with daemon/core architecture that evolves through user interaction",
   "keywords": [
     "tinyclaw",

package/src/daemon/agent-cli.ts

@@ -110,7 +110,7 @@ export async function runWithCliFallback(prompt: string, timeoutMs: number): Pro
       }
 
       const reason = result.exitCode === 0
-        ? "empty output"
+        ? `empty output${result.stderr ? ` (stderr: ${summarizeError(result.stderr)})` : ""}`
         : `exit=${result.exitCode}: ${summarizeError(result.stderr || result.output)}`;
       failures.push(`${getAgentCliLabel(cli)} ${reason}`);
     } catch (error) {

package/src/daemon/fallback.ts

@@ -15,6 +15,25 @@ import { getAgentCliLabel, runWithCliFallback } from "./agent-cli";
 
 const log = createLogger("daemon");
 
+/** Detect CLI output that is an error message, not a real response */
+function looksLikeCliError(output: string): boolean {
+  const lower = output.toLowerCase();
+  const errorPatterns = [
+    "authentication_error",
+    "invalid bearer token",
+    "invalid api key",
+    "api error: 401",
+    "api error: 403",
+    "failed to authenticate",
+    "permission_error",
+    "rate_limit_error",
+    "overloaded_error",
+    "api error: 429",
+    "api error: 529",
+  ];
+  return errorPatterns.some(p => lower.includes(p));
+}
+
 export async function fallbackClaude(message: string, coreError?: string): Promise<string> {
   const systemContext = coreError
     ? `[System: Core process is down. Error: ${coreError}. You are running in fallback mode from Daemon. The user's project is at ${config.projectDir}. Respond to the user normally. If they ask about the error, explain what you see.]\n\n`
@@ -37,6 +56,11 @@ export async function fallbackClaude(message: string, coreError?: string): Promi
     const cli = getAgentCliLabel(result.cli);
     if (result.partial) {
       log.warn(`Fallback ${cli} returned output but exited with code ${result.exitCode}`);
+      // Don't forward CLI error messages (auth failures, API errors) to the user
+      if (looksLikeCliError(result.output)) {
+        log.error(`Fallback ${cli} output is a CLI error, not forwarding to user: ${result.output.slice(0, 300)}`);
+        return `[Fallback mode] ${cli} CLI failed (exit ${result.exitCode}). Please check server logs.`;
+      }
     } else {
       log.warn(`Using fallback ${cli} CLI`);
     }

package/src/daemon/setup.ts

@@ -246,6 +246,32 @@ async function installCli(cli: AgentCliName): Promise<boolean> {
   }
 }
 
+/**
+ * Read the OAuth token from Claude CLI's credentials file.
+ * Claude CLI stores credentials at ~/.claude/.credentials.json after login.
+ */
+function readClaudeCredentialsToken(): string | null {
+  const candidateDirs = [
+    isRunningAsRoot() ? "/home/arisa/.claude" : null,
+    join(process.env.HOME || "~", ".claude"),
+  ].filter(Boolean) as string[];
+
+  for (const dir of candidateDirs) {
+    const credsPath = join(dir, ".credentials.json");
+    if (!existsSync(credsPath)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(credsPath, "utf8"));
+      const token = raw?.claudeAiOauth?.accessToken;
+      if (typeof token === "string" && token.startsWith("sk-ant-") && token.length > 50) {
+        return token;
+      }
+    } catch {
+      // Malformed file, skip
+    }
+  }
+  return null;
+}
+
 async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, string>): Promise<boolean> {
   const args = cli === "claude"
     ? ["setup-token"]
@@ -317,6 +343,14 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
           token = tokenArea.replace(/[^A-Za-z0-9_-]/g, "");
         }
 
+        // Fallback: if stdout scraping missed the token, read from Claude CLI's credentials file
+        if (!token || !token.startsWith("sk-ant-") || token.length <= 50 || token.length >= 150) {
+          token = readClaudeCredentialsToken() || "";
+          if (token) {
+            console.log(`  ✓ token read from credentials file`);
+          }
+        }
+
         if (token && token.startsWith("sk-ant-") && token.length > 50 && token.length < 150) {
           console.log(`  [token] ${token.slice(0, 20)}...${token.slice(-6)} (${token.length} chars)`);
           vars.CLAUDE_CODE_OAUTH_TOKEN = token;
@@ -324,31 +358,28 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
           saveEnv(vars);
           console.log("  ✓ claude token saved to .env");
 
-          // Also write credentials file for arisa user (belt + suspenders)
-          const claudeDir = isRunningAsRoot() ? "/home/arisa/.claude" : join(process.env.HOME || "~", ".claude");
-          try {
-            if (!existsSync(claudeDir)) mkdirSync(claudeDir, { recursive: true });
-            const credsPath = join(claudeDir, ".credentials.json");
-            const creds = {
-              claudeAiOauth: {
-                accessToken: token,
-                expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
-                scopes: ["user:inference", "user:profile"],
-              },
-            };
-            writeFileSync(credsPath, JSON.stringify(creds, null, 2) + "\n");
-            if (isRunningAsRoot()) {
-              Bun.spawnSync(["chown", "-R", "arisa:arisa", claudeDir]);
+          // Also write credentials file for arisa user when running as root
+          if (isRunningAsRoot()) {
+            const arisaClaudeDir = "/home/arisa/.claude";
+            try {
+              if (!existsSync(arisaClaudeDir)) mkdirSync(arisaClaudeDir, { recursive: true });
+              const credsPath = join(arisaClaudeDir, ".credentials.json");
+              const creds = {
+                claudeAiOauth: {
+                  accessToken: token,
+                  expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+                  scopes: ["user:inference", "user:profile"],
+                },
+              };
+              writeFileSync(credsPath, JSON.stringify(creds, null, 2) + "\n");
+              Bun.spawnSync(["chown", "-R", "arisa:arisa", arisaClaudeDir]);
+              console.log(`  ✓ credentials written to ${credsPath}`);
+            } catch (e) {
+              console.log(`  ⚠ could not write credentials file: ${e}`);
             }
-            console.log(`  ✓ credentials written to ${credsPath}`);
-          } catch (e) {
-            console.log(`  ⚠ could not write credentials file: ${e}`);
           }
         } else {
-          console.log(`  ⚠ token extraction failed (indexOf=${startIdx}, len=${token.length})`);
-          if (startIdx >= 0) {
-            console.log(`  [clean] ${clean.substring(startIdx, startIdx + 150).replace(/\n/g, "\\n")}`);
-          }
+          console.log(`  ⚠ token not captured (Claude CLI stored credentials internally)`);
         }
         console.log(`  ✓ claude login successful`);
         return true;

package/src/shared/ai-cli.ts

@@ -101,7 +101,7 @@ export function buildBunWrappedAgentCliCommand(cli: AgentCliName, args: string[]
     // Run as arisa user — Claude CLI refuses to run as root.
     // This path is used by Daemon fallback calls; Core runs as arisa directly.
     const cliPath = resolveAgentCliPath(cli) || join(ROOT_BUN_BIN, cli);
-    const inner = ["bun", "--bun", INK_SHIM, cliPath, ...args].map(shellEscape).join(" ");
+    const inner = ["bun", "--bun", "--preload", INK_SHIM, cliPath, ...args].map(shellEscape).join(" ");
     // su without "-" preserves parent env (tokens, keys); explicit HOME/PATH for arisa
     return ["su", "arisa", "-s", "/bin/bash", "-c", `${ARISA_BUN_ENV} && ${buildEnvExports()}${inner}`];
   }
@@ -112,5 +112,5 @@ export function buildBunWrappedAgentCliCommand(cli: AgentCliName, args: string[]
   }
   // Preload shim that patches process.stdin.setRawMode to prevent Ink crash
   // when running without a TTY (systemd, su -c, etc.)
-  return ["bun", "--bun", INK_SHIM, cliPath, ...args];
+  return ["bun", "--bun", "--preload", INK_SHIM, cliPath, ...args];
 }