get-claudia 1.10.2 → 1.10.4

package/gateway/scripts/install.ps1

@@ -352,7 +352,24 @@ if ($showGuide -match "^[Yy]") {
             Write-Host "          (or open: ${DIM}https://t.me/userinfobot${NC})"
             Write-Host "          Send it any message. It replies with your ID (a number)."
             Write-Host ""
-            $userId = Read-Host "  Paste your user ID here (or press Enter to skip)"
+            while ($true) {
+                $userId = Read-Host "  Paste your user ID here (or press Enter to skip)"
+
+                # Empty = skip
+                if (-not $userId) { break }
+
+                # Strip leading @
+                $userId = $userId -replace '^@', ''
+
+                # Validate: must be all digits
+                if ($userId -match '^\d+$') { break }
+
+                Write-Host ""
+                Write-Host "  ${RED}✗${NC} That looks like a username, not a numeric ID."
+                Write-Host "    Telegram user IDs are numbers only (e.g. ${BOLD}1588190837${NC})."
+                Write-Host "    Get yours from ${BOLD}@userinfobot${NC} in Telegram."
+                Write-Host ""
+            }
 
             if ($userId) {
                 # Write the config
@@ -392,6 +409,15 @@ if ($showGuide -match "^[Yy]") {
                     Add-Content -Path $profilePath -Value "`n# Claudia Gateway - Telegram`n$tokenLine"
                     Write-Host "  ${GREEN}✓${NC} Bot token saved to PowerShell profile"
                 }
+
+                Write-Host ""
+                Write-Host "  ${YELLOW}┌─────────────────────────────────────────────────┐${NC}"
+                Write-Host "  ${YELLOW}│${NC}  ${BOLD}Open a NEW terminal${NC} to run the gateway.         ${YELLOW}│${NC}"
+                Write-Host "  ${YELLOW}│${NC}  This terminal doesn't have your token yet.      ${YELLOW}│${NC}"
+                Write-Host "  ${YELLOW}│${NC}                                                   ${YELLOW}│${NC}"
+                Write-Host "  ${YELLOW}│${NC}  Or reload your profile in this terminal:         ${YELLOW}│${NC}"
+                Write-Host "  ${YELLOW}│${NC}    ${CYAN}. `$PROFILE${NC}                                      ${YELLOW}│${NC}"
+                Write-Host "  ${YELLOW}└─────────────────────────────────────────────────┘${NC}"
             } else {
                 Write-Host ""
                 Write-Host "  ${YELLOW}!${NC} Skipped user ID. You'll need to add it manually:"

package/gateway/scripts/install.sh

@@ -22,6 +22,14 @@ BIN_DIR="$CLAUDIA_DIR/bin"
 # Upgrade mode: skip config generation if config exists
 IS_UPGRADE="${CLAUDIA_GATEWAY_UPGRADE:-0}"
 
+# Detect shell rc file (used for PATH and token persistence)
+SHELL_RC=""
+if [ -n "$ZSH_VERSION" ] || [ "$(basename "$SHELL")" = "zsh" ]; then
+    SHELL_RC="$HOME/.zshrc"
+elif [ -n "$BASH_VERSION" ] || [ "$(basename "$SHELL")" = "bash" ]; then
+    SHELL_RC="$HOME/.bashrc"
+fi
+
 # Clear screen and show banner
 clear
 
@@ -244,14 +252,6 @@ PATH_ADDED=0
 if [[ ":$PATH:" != *":$BIN_DIR:"* ]]; then
     PATH_LINE='export PATH="$HOME/.claudia/bin:$PATH"'
 
-    # Detect shell rc file
-    SHELL_RC=""
-    if [ -n "$ZSH_VERSION" ] || [ "$(basename "$SHELL")" = "zsh" ]; then
-        SHELL_RC="$HOME/.zshrc"
-    elif [ -n "$BASH_VERSION" ] || [ "$(basename "$SHELL")" = "bash" ]; then
-        SHELL_RC="$HOME/.bashrc"
-    fi
-
     if [ -n "$SHELL_RC" ]; then
         # Check if already in rc file (even if not in current PATH)
         if [ -f "$SHELL_RC" ] && grep -q '\.claudia/bin' "$SHELL_RC" 2>/dev/null; then
@@ -409,7 +409,28 @@ if [[ "$SHOW_GUIDE" =~ ^[Yy] ]]; then
             echo -e "          (or tap: ${DIM}https://t.me/userinfobot${NC})"
             echo -e "          Send it any message. It replies with your ID (a number)."
             echo
-            read -p "  Paste your user ID here (or press Enter to skip): " USER_ID
+            while true; do
+                read -p "  Paste your user ID here (or press Enter to skip): " USER_ID
+
+                # Empty = skip
+                if [ -z "$USER_ID" ]; then
+                    break
+                fi
+
+                # Strip leading @
+                USER_ID="${USER_ID#@}"
+
+                # Validate: must be all digits
+                if [[ "$USER_ID" =~ ^[0-9]+$ ]]; then
+                    break
+                else
+                    echo
+                    echo -e "  ${RED}✗${NC} That looks like a username, not a numeric ID."
+                    echo -e "    Telegram user IDs are numbers only (e.g. ${BOLD}1588190837${NC})."
+                    echo -e "    Get yours from ${BOLD}@userinfobot${NC} in Telegram."
+                    echo
+                fi
+            done
 
             if [ -n "$USER_ID" ]; then
                 # Write the config
@@ -446,6 +467,15 @@ if [[ "$SHOW_GUIDE" =~ ^[Yy] ]]; then
                         echo "$TOKEN_LINE" >> "$SHELL_RC"
                         echo -e "  ${GREEN}✓${NC} Bot token saved to ~/${SHELL_RC##*/}"
                     fi
+
+                    echo
+                    echo -e "  ${YELLOW}┌─────────────────────────────────────────────────┐${NC}"
+                    echo -e "  ${YELLOW}│${NC}  ${BOLD}Open a NEW terminal${NC} to run the gateway.         ${YELLOW}│${NC}"
+                    echo -e "  ${YELLOW}│${NC}  This terminal doesn't have your token yet.      ${YELLOW}│${NC}"
+                    echo -e "  ${YELLOW}│${NC}                                                   ${YELLOW}│${NC}"
+                    echo -e "  ${YELLOW}│${NC}  Or run in this terminal first:                   ${YELLOW}│${NC}"
+                    echo -e "  ${YELLOW}│${NC}    ${CYAN}source ~/${SHELL_RC##*/}${NC}                          ${YELLOW}│${NC}"
+                    echo -e "  ${YELLOW}└─────────────────────────────────────────────────┘${NC}"
                 else
                     echo -e "  ${YELLOW}!${NC} Add this to your shell profile to persist the token:"
                     echo -e "    ${DIM}${TOKEN_LINE}${NC}"

package/gateway/src/index.js

@@ -112,6 +112,28 @@ async function cmdStart(args) {
     }
   }
 
+  // Pre-flight: check for missing tokens before starting
+  const preflight = loadConfig();
+  const telegramEnabled = preflight.channels?.telegram?.enabled || overrides.channels?.telegram?.enabled;
+  const slackEnabled = preflight.channels?.slack?.enabled || overrides.channels?.slack?.enabled;
+  if (telegramEnabled && !process.env.TELEGRAM_BOT_TOKEN && !preflight.channels?.telegram?.token) {
+    console.error('Telegram is enabled but TELEGRAM_BOT_TOKEN is not set in this terminal.');
+    console.error('');
+    console.error('Your token was likely saved to your shell profile during install.');
+    console.error('Fix: Open a NEW terminal window and run claudia-gateway start');
+    console.error('  Or: source ~/.zshrc   (or ~/.bashrc)');
+    console.error('  Or: export TELEGRAM_BOT_TOKEN="your-token-here"');
+    process.exit(1);
+  }
+  if (slackEnabled && !process.env.SLACK_BOT_TOKEN && !preflight.channels?.slack?.token) {
+    console.error('Slack is enabled but SLACK_BOT_TOKEN is not set in this terminal.');
+    console.error('');
+    console.error('Fix: Open a NEW terminal window and run claudia-gateway start');
+    console.error('  Or: export SLACK_BOT_TOKEN="your-token-here"');
+    console.error('  Or: export SLACK_APP_TOKEN="your-token-here"');
+    process.exit(1);
+  }
+
   const gateway = new Gateway(overrides);
 
   // Graceful shutdown
@@ -137,7 +159,9 @@ async function cmdStart(args) {
     console.log(`  Channels: ${[...gateway.adapters.keys()].join(', ') || 'none'}`);
     console.log(`  Memory: ${gateway.bridge?.memoryAvailable ? 'connected' : 'unavailable'}`);
     console.log(`  PID: ${process.pid}`);
-    console.log('\nPress Ctrl+C to stop.\n');
+    console.log('');
+    console.log('This terminal is now dedicated to the gateway. Use Claude in a separate terminal.');
+    console.log('Press Ctrl+C to stop.\n');
 
     // Keep process alive
     await new Promise(() => {});

package/gateway/src/router.js

@@ -28,6 +28,7 @@ export class Router {
     this.auth = auth;
     this.adapters = adapters;
     this.sessions = new Map(); // sessionKey -> { history: [], lastActive: Date }
+    this._rejectedUsers = new Set(); // Track users we've already sent a rejection reply to
     this._cleanupInterval = null;
   }
 
@@ -67,6 +68,29 @@ export class Router {
     // 1. Auth check
     if (!this.auth.isAuthorized(channel, userId)) {
       log.warn('Unauthorized message rejected', { channel, userId });
+
+      // Send a one-time rejection reply so the user knows what's wrong
+      const rejectKey = `${channel}:${userId}`;
+      if (!this._rejectedUsers.has(rejectKey)) {
+        this._rejectedUsers.add(rejectKey);
+        const rejectMsg =
+          `I don't recognize your user ID. Your ${channel} user ID is: ${userId}\n` +
+          `Ask the person who set me up to add it to the allowlist in ~/.claudia/gateway.json`;
+        try {
+          const adapter = this.adapters.get(channel);
+          if (adapter && metadata?.ctx && channel === 'telegram') {
+            await metadata.ctx.reply(rejectMsg);
+          } else if (adapter && metadata?.say && channel === 'slack') {
+            await metadata.say({ text: rejectMsg });
+          } else if (adapter) {
+            const targetId = metadata?.chatId || metadata?.channelId || userId;
+            await adapter.sendMessage(targetId, rejectMsg);
+          }
+        } catch (err) {
+          log.debug('Failed to send rejection reply', { channel, userId, error: err.message });
+        }
+      }
+
       return;
     }
 

package/gateway/src/utils/auth.js

@@ -42,14 +42,42 @@ export class AuthManager {
 
     // Fall back to global allowlist
     if (this.globalAllowed.size > 0) {
-      return this.globalAllowed.has(userIdStr);
+      if (this.globalAllowed.has(userIdStr)) return true;
+    }
+
+    // Denied -- figure out why and log an actionable message
+    const channelEntries = this.channelAllowed[channel]
+      ? [...this.channelAllowed[channel]]
+      : [];
+    const globalEntries = [...this.globalAllowed];
+    const allEntries = [...channelEntries, ...globalEntries];
+
+    if (allEntries.length === 0) {
+      // No allowlists configured at all
+      log.warn('No allowlists configured - denying all access. Add user IDs to gateway config.', {
+        channel,
+        userId: userIdStr,
+      });
+    } else if (allEntries.some(e => !/^\d+$/.test(e))) {
+      // Allowlist contains non-numeric entries (likely usernames instead of IDs)
+      const nonNumeric = allEntries.filter(e => !/^\d+$/.test(e));
+      log.warn(
+        'Auth denied: allowlist may contain usernames instead of numeric IDs. ' +
+        'Telegram requires numeric user IDs (get yours from @userinfobot).', {
+          channel,
+          userId: userIdStr,
+          hint: 'Replace usernames with numeric IDs in gateway.json',
+          suspectEntries: nonNumeric,
+        }
+      );
+    } else {
+      // Allowlist exists with numeric IDs, user just isn't in it
+      log.warn('Auth denied: user not in allowlist.', {
+        channel,
+        userId: userIdStr,
+      });
     }
 
-    // If no allowlists configured at all, deny by default (secure default)
-    log.warn('No allowlists configured - denying all access. Add user IDs to gateway config.', {
-      channel,
-      userId: userIdStr,
-    });
     return false;
   }
 }

package/gateway/tests/auth.test.js

@@ -59,4 +59,50 @@ describe('AuthManager', () => {
     assert.equal(auth.isAuthorized('telegram', 12345), true);
     assert.equal(auth.isAuthorized('telegram', '12345'), true);
   });
+
+  it('detects non-numeric allowlist entries (username instead of ID)', (t) => {
+    const warnings = [];
+    // Intercept log.warn by patching console (auth uses createLogger which uses console)
+    const auth = new AuthManager({
+      globalAllowedUsers: [],
+      channels: {
+        telegram: { allowedUsers: ['@kamba85'] },
+      },
+    });
+
+    // The auth check should deny and the warning should reference usernames
+    assert.equal(auth.isAuthorized('telegram', '1588190837'), false);
+  });
+
+  it('logs generic denial for numeric allowlist mismatch', () => {
+    const auth = new AuthManager({
+      globalAllowedUsers: [],
+      channels: {
+        telegram: { allowedUsers: ['999999'] },
+      },
+    });
+
+    // User not in allowlist, but entries are numeric -- no username warning
+    assert.equal(auth.isAuthorized('telegram', '1588190837'), false);
+  });
+
+  it('logs no-allowlists warning only when truly empty', () => {
+    const auth = new AuthManager({
+      globalAllowedUsers: [],
+      channels: {
+        telegram: { allowedUsers: [] },
+      },
+    });
+
+    assert.equal(auth.isAuthorized('telegram', '123'), false);
+  });
+
+  it('detects bare username without @ prefix', () => {
+    const auth = new AuthManager({
+      globalAllowedUsers: ['kamba85'],
+      channels: {},
+    });
+
+    assert.equal(auth.isAuthorized('telegram', '1588190837'), false);
+  });
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "get-claudia",
-  "version": "1.10.2",
+  "version": "1.10.4",
   "description": "An AI assistant who learns how you work.",
   "keywords": [
     "claudia",