gigaclaw 1.4.0

package/lib/ai/tools.js

@@ -0,0 +1,269 @@
+import fs from 'fs';
+import path from 'path';
+import { tool } from '@langchain/core/tools';
+import { z } from 'zod';
+import { createJob } from '../tools/create-job.js';
+import { getJobStatus } from '../tools/github.js';
+import { claudeMd, skillGuidePath, skillsDir } from '../paths.js';
+
+const createJobTool = tool(
+  async ({ job_description }) => {
+    const result = await createJob(job_description);
+    return JSON.stringify({
+      success: true,
+      job_id: result.job_id,
+      branch: result.branch,
+      title: result.title,
+    });
+  },
+  {
+    name: 'create_job',
+    description:
+      'Create an autonomous job that runs a Docker agent in a container. The Docker agent has full filesystem access, web search, browser automation, and other abilities. The job description you provide becomes the Docker agent\'s task prompt. Returns the job ID and branch name.',
+    schema: z.object({
+      job_description: z
+        .string()
+        .describe(
+          'Detailed job description including context and requirements. Be specific about what needs to be done.'
+        ),
+    }),
+  }
+);
+
+const getJobStatusTool = tool(
+  async ({ job_id }) => {
+    const result = await getJobStatus(job_id);
+    return JSON.stringify(result);
+  },
+  {
+    name: 'get_job_status',
+    description:
+      'Check status of running jobs. Returns list of active workflow runs with timing and current step. Use when user asks about job progress, running jobs, or job status.',
+    schema: z.object({
+      job_id: z
+        .string()
+        .optional()
+        .describe(
+          'Optional: specific job ID to check. If omitted, returns all running jobs.'
+        ),
+    }),
+  }
+);
+
+const getSystemTechnicalSpecsTool = tool(
+  async () => {
+    try {
+      return fs.readFileSync(claudeMd, 'utf8');
+    } catch {
+      return 'No technical documentation found (CLAUDE.md not present in project root).';
+    }
+  },
+  {
+    name: 'get_system_technical_specs',
+    description:
+      'Read the system architecture and technical documentation (CLAUDE.md). You MUST call this before modifying any config file (CRONS.json, TRIGGERS.json, etc.) or system infrastructure — config entries have advanced fields (per-entry LLM overrides, webhook options, etc.) that are only documented here. Also use this when you need to understand how the system works — event handler, Docker agent, API routes, database, GitHub Actions, deployment, or file structure. NOT for skill creation (use get_skill_building_guide for that).',
+    schema: z.object({}),
+  }
+);
+
+/**
+ * Scan skills/ for all skill directories and build an inventory
+ * showing which are active vs available (inactive).
+ */
+function loadSkillInventory() {
+  const activeDir = path.join(skillsDir, 'active');
+  const SKIP = new Set(['active', 'LICENSE', 'README.md', '.git', '.github']);
+
+  try {
+    // Get all skill directories
+    const allEntries = fs.existsSync(skillsDir)
+      ? fs.readdirSync(skillsDir, { withFileTypes: true })
+          .filter(e => (e.isDirectory() || e.isSymbolicLink()) && !SKIP.has(e.name))
+      : [];
+
+    // Get active skill names
+    const activeNames = new Set();
+    if (fs.existsSync(activeDir)) {
+      for (const entry of fs.readdirSync(activeDir, { withFileTypes: true })) {
+        if (entry.isDirectory() || entry.isSymbolicLink()) {
+          activeNames.add(entry.name);
+        }
+      }
+    }
+
+    // Read frontmatter for each skill
+    const skills = [];
+    for (const entry of allEntries) {
+      const skillMdPath = path.join(skillsDir, entry.name, 'SKILL.md');
+      if (!fs.existsSync(skillMdPath)) continue;
+
+      const content = fs.readFileSync(skillMdPath, 'utf8');
+      const frontmatterMatch = content.match(/^---\n([\s\S]*?)\n---/);
+      if (!frontmatterMatch) continue;
+
+      const frontmatter = frontmatterMatch[1];
+      const nameMatch = frontmatter.match(/^name:\s*(.+)$/m);
+      const descMatch = frontmatter.match(/^description:\s*(.+)$/m);
+
+      skills.push({
+        dirName: entry.name,
+        name: nameMatch ? nameMatch[1].trim() : entry.name,
+        description: descMatch ? descMatch[1].trim() : 'No description',
+        active: activeNames.has(entry.name),
+      });
+    }
+
+    if (skills.length === 0) return '';
+
+    const active = skills.filter(s => s.active);
+    const inactive = skills.filter(s => !s.active);
+
+    let inventory = '## Current Skills\n\n';
+
+    if (active.length > 0) {
+      inventory += '### Active\n';
+      for (const s of active) {
+        inventory += `- **${s.dirName}** — ${s.description}\n`;
+      }
+      inventory += '\n';
+    }
+
+    if (inactive.length > 0) {
+      inventory += '### Available (not active)\n';
+      for (const s of inactive) {
+        inventory += `- **${s.dirName}** — ${s.description}\n`;
+      }
+      inventory += '\n';
+    }
+
+    inventory += 'Use `get_skill_details` with a skill name to read its full documentation, setup requirements, and usage.\n\n---\n\n';
+
+    return inventory;
+  } catch {
+    return '';
+  }
+}
+
+const getSkillBuildingGuideTool = tool(
+  async () => {
+    const inventory = loadSkillInventory();
+    try {
+      const guide = fs.readFileSync(skillGuidePath, 'utf8');
+      return inventory + guide;
+    } catch {
+      return inventory || 'Skill guide not found.';
+    }
+  },
+  {
+    name: 'get_skill_building_guide',
+    description:
+      'Load the skill building guide and a full inventory of all skills (active and available-but-inactive). You MUST call this before creating or modifying any skill — the guide contains required file structure, naming conventions, SKILL.md frontmatter format, activation steps, and testing procedures that are only documented there. Also use this when you need to check what skills already exist — it shows both active and inactive skills with descriptions. Skills are lightweight bash/Node.js wrappers in `skills/` that extend what agents can do. NOT for understanding the system architecture (use get_system_technical_specs for that).',
+    schema: z.object({}),
+  }
+);
+
+const getSkillDetailsTool = tool(
+  async ({ skill_name }) => {
+    const skillMdPath = path.join(skillsDir, skill_name, 'SKILL.md');
+    try {
+      return fs.readFileSync(skillMdPath, 'utf8');
+    } catch {
+      return `Skill "${skill_name}" not found. Use get_skill_building_guide to see available skills.`;
+    }
+  },
+  {
+    name: 'get_skill_details',
+    description:
+      'Read the full documentation for a specific skill by name. Returns the complete SKILL.md including setup requirements, usage examples, and credential needs. Use this to understand what a skill does before suggesting it to the user, or to get credential setup details. Works with both active and inactive skills.',
+    schema: z.object({
+      skill_name: z.string(),
+    }),
+  }
+);
+
+/**
+ * Create a start_coding tool bound to a specific workspace context.
+ * @param {object} context
+ * @param {string} context.repo - GitHub repo (e.g. "owner/repo")
+ * @param {string} context.branch - Git branch
+ * @param {string} context.workspaceId - Pre-created workspace row ID
+ * @returns {import('@langchain/core/tools').StructuredTool}
+ */
+function createStartCodingTool({ repo, branch, workspaceId }) {
+  return tool(
+    async ({ task_description }) => {
+      try {
+        const { randomUUID } = await import('crypto');
+        const containerName = `code-workspace-${randomUUID().slice(0, 8)}`;
+
+        const { getCodeWorkspaceById, updateContainerName } = await import('../db/code-workspaces.js');
+        const workspace = getCodeWorkspaceById(workspaceId);
+        const codingAgent = workspace?.codingAgent || 'claude-code';
+
+        const { createCodeWorkspaceContainer } = await import('../tools/docker.js');
+        await createCodeWorkspaceContainer({ containerName, repo, branch, codingAgent });
+
+        updateContainerName(workspaceId, containerName);
+
+        return JSON.stringify({
+          success: true,
+          workspaceId,
+          workspaceUrl: `/code/${workspaceId}`,
+        });
+      } catch (err) {
+        console.error('[start_coding] Failed to launch workspace:', err);
+        return JSON.stringify({
+          success: false,
+          error: err.message || 'Failed to launch workspace',
+        });
+      }
+    },
+    {
+      name: 'start_coding',
+      description:
+        'Launch a live code workspace in a Docker container. Only call this when the user explicitly says they are ready to start coding (e.g. "let\'s start coding", "okay let\'s get started", "launch it"). Returns a link to the live workspace.',
+      schema: z.object({
+        task_description: z
+          .string()
+          .describe('A summary of what the user wants to build or work on, based on the conversation so far.'),
+      }),
+    }
+  );
+}
+
+/**
+ * Create a get_repository_details tool bound to a specific repo/branch.
+ * Fetches CLAUDE.md and README.md from the repo via GitHub API.
+ * @param {object} context
+ * @param {string} context.repo - GitHub repo (e.g. "owner/repo")
+ * @param {string} context.branch - Git branch
+ * @returns {import('@langchain/core/tools').StructuredTool}
+ */
+function createGetRepositoryDetailsTool({ repo, branch }) {
+  return tool(
+    async () => {
+      const { githubApi } = await import('../tools/github.js');
+      const files = ['CLAUDE.md', 'README.md'];
+      const results = {};
+
+      for (const file of files) {
+        try {
+          const data = await githubApi(`/repos/${repo}/contents/${file}?ref=${branch}`);
+          results[file] = Buffer.from(data.content, 'base64').toString('utf8');
+        } catch {
+          results[file] = 'Not found';
+        }
+      }
+
+      return JSON.stringify(results);
+    },
+    {
+      name: 'get_repository_details',
+      description:
+        'Fetch CLAUDE.md and README.md from the selected repository and branch. Call this as your first action when the user sends their first message to understand the project context.',
+      schema: z.object({}),
+    }
+  );
+}
+
+export { createJobTool, getJobStatusTool, getSystemTechnicalSpecsTool, getSkillBuildingGuideTool, getSkillDetailsTool, createStartCodingTool, createGetRepositoryDetailsTool };

package/lib/ai/web-search.js

@@ -0,0 +1,42 @@
+/**
+ * Web search tool factory for supported LLM providers.
+ * Anthropic and OpenAI provide server-side web search — the provider
+ * runs the search and the model's synthesized answer streams normally.
+ */
+
+export function getProvider() {
+  return process.env.LLM_PROVIDER || 'anthropic';
+}
+
+export function isWebSearchAvailable() {
+  if (process.env.WEB_SEARCH === 'false') return false;
+  const provider = getProvider();
+  return provider === 'anthropic' || provider === 'openai';
+}
+
+/**
+ * Create a server-side web search tool for the current provider.
+ * Returns null if the provider doesn't support it or if the import fails.
+ */
+export async function createWebSearchTool() {
+  if (!isWebSearchAvailable()) return null;
+
+  const provider = getProvider();
+
+  try {
+    if (provider === 'anthropic') {
+      const { tools } = await import('@langchain/anthropic');
+      return tools.webSearch_20250305();
+    }
+
+    if (provider === 'openai') {
+      const { tools } = await import('@langchain/openai');
+      return tools.webSearch();
+    }
+
+    return null;
+  } catch (err) {
+    console.warn(`[web-search] Failed to create web search tool for ${provider}:`, err.message);
+    return null;
+  }
+}

package/lib/auth/actions.js

@@ -0,0 +1,28 @@
+'use server';
+
+import { createFirstUser } from '../db/users.js';
+
+/**
+ * Create the first admin user (setup action).
+ * Uses atomic createFirstUser() to prevent race conditions.
+ * No session/token is created — the admin must log in through the normal auth flow.
+ *
+ * @param {string} email
+ * @param {string} password
+ * @returns {Promise<{ success?: boolean, error?: string }>}
+ */
+export async function setupAdmin(email, password) {
+  if (!email || !password) {
+    return { error: 'Email and password are required.' };
+  }
+  if (password.length < 8) {
+    return { error: 'Password must be at least 8 characters.' };
+  }
+
+  const created = createFirstUser(email, password);
+  if (!created) {
+    return { error: 'Setup already completed.' };
+  }
+
+  return { success: true };
+}

package/lib/auth/config.js

@@ -0,0 +1,27 @@
+import NextAuth from 'next-auth';
+import Credentials from 'next-auth/providers/credentials';
+import { authConfig } from './edge-config.js';
+
+export const { handlers, signIn, signOut, auth } = NextAuth({
+  ...authConfig,
+  providers: [
+    Credentials({
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) return null;
+
+        const { getUserByEmail, verifyPassword } = await import('../db/users.js');
+        const user = getUserByEmail(credentials.email);
+        if (!user) return null;
+
+        const valid = await verifyPassword(user, credentials.password);
+        if (!valid) return null;
+
+        return { id: user.id, email: user.email, role: user.role };
+      },
+    }),
+  ],
+});

package/lib/auth/edge-config.js

@@ -0,0 +1,27 @@
+/**
+ * Edge-safe auth configuration — shared between middleware and server.
+ * Contains only JWT/session/callbacks/pages config. No providers, no DB imports.
+ * Both instances use the same AUTH_SECRET for JWT signing/verification.
+ *
+ * Official pattern: https://authjs.dev/guides/edge-compatibility
+ */
+export const authConfig = {
+  providers: [],
+  session: { strategy: 'jwt' },
+  pages: { signIn: '/login' },
+  callbacks: {
+    jwt({ token, user }) {
+      if (user) {
+        token.role = user.role;
+      }
+      return token;
+    },
+    session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.sub;
+        session.user.role = token.role;
+      }
+      return session;
+    },
+  },
+};

package/lib/auth/index.js

@@ -0,0 +1,27 @@
+import { handlers, auth } from './config.js';
+
+// Re-export Auth.js route handlers (GET + POST for [...nextauth])
+export const { GET, POST } = handlers;
+
+// Re-export auth for session checking
+export { auth };
+
+/**
+ * Get the auth state for the main page (server component).
+ * Returns both the session and whether setup is needed, in one call.
+ * DB import is dynamic so it doesn't get pulled in at module level.
+ *
+ * @returns {Promise<{ session: object|null, needsSetup: boolean }>}
+ */
+export async function getPageAuthState() {
+  const { getUserCount } = await import('../db/users.js');
+  const [session, userCount] = await Promise.all([
+    auth(),
+    Promise.resolve(getUserCount()),
+  ]);
+
+  return {
+    session,
+    needsSetup: userCount === 0,
+  };
+}

package/lib/auth/middleware.js

@@ -0,0 +1,62 @@
+import NextAuth from 'next-auth';
+import { authConfig } from './edge-config.js';
+import { NextResponse } from 'next/server';
+
+const { auth } = NextAuth(authConfig);
+
+export const middleware = auth((req) => {
+  const { pathname } = req.nextUrl;
+
+  // API routes use their own centralized auth (checkAuth in api/index.js)
+  if (pathname.startsWith('/api')) return;
+
+  // Static assets from public/ — skip auth for common file extensions
+  if (/\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js|woff2?|ttf|eot|mp4|webm)$/i.test(pathname)) {
+    return;
+  }
+
+  // /login is the only unprotected page (login + first-user setup)
+  if (pathname === '/login') {
+    if (req.auth) return NextResponse.redirect(new URL('/', req.url));
+    return;
+  }
+
+  // Everything else requires auth
+  if (!req.auth) {
+    const response = NextResponse.redirect(new URL('/login', req.url));
+
+    // Clear stale session cookies that can't be decrypted (e.g. after AUTH_SECRET rotation
+    // or container restart). Auth.js clears these internally in route handlers via
+    // sessionStore.clean(), but NOT in middleware — so the bad cookie loops forever.
+    // Only session-token cookies are cleared; csrf-token and callback-url are left intact.
+    const cookieNames = Object.keys(req.cookies.getAll().reduce((acc, c) => { acc[c.name] = true; return acc; }, {}));
+    const staleSessionCookies = cookieNames.filter(name =>
+      name === 'authjs.session-token' ||
+      name === '__Secure-authjs.session-token' ||
+      /^authjs\.session-token\.\d+$/.test(name) ||
+      /^__Secure-authjs\.session-token\.\d+$/.test(name)
+    );
+
+    if (staleSessionCookies.length > 0) {
+      for (const name of staleSessionCookies) {
+        response.cookies.set(name, '', { maxAge: 0, path: '/' });
+      }
+    }
+
+    return response;
+  }
+});
+
+// IMPORTANT: The `config` export (matcher) is intentionally NOT defined here.
+//
+// Next.js / Turbopack requires the `config` export to be a static literal object
+// defined DIRECTLY in the project's root middleware.js file. It cannot be
+// re-exported from a module (including this one) because the bundler statically
+// analyses it at compile time and will throw:
+//
+//   "The `config` export in Middleware must be a static object literal."
+//
+// The correct pattern lives in the project template at templates/middleware.js:
+//
+//   export { middleware } from 'gigaclaw/middleware';
+//   export const config = { matcher: ['/((?!_next|favicon.ico).*)'] };

package/lib/channels/base.js

@@ -0,0 +1,56 @@
+/**
+ * Base channel adapter interface.
+ * Every chat channel (Telegram, Slack, web, etc.) implements this contract.
+ */
+class ChannelAdapter {
+  /**
+   * Handle an incoming webhook request from this channel.
+   * Returns normalized message data or null if no action needed.
+   *
+   * @param {Request} request - Incoming HTTP request
+   * @returns {Promise<{ threadId: string, text: string, attachments: Array, metadata: object } | null>}
+   *
+   * Attachments array (may be empty) — only non-text content that the LLM needs to see:
+   *   { category: "image", mimeType: "image/png", data: Buffer }  — send to LLM as vision
+   *   { category: "document", mimeType: "application/pdf", data: Buffer } — future: extract/attach
+   *
+   * The adapter downloads authenticated files and normalizes them.
+   * Voice/audio messages are fully resolved by the adapter — transcribed to text
+   * and included in the `text` field. They are NOT passed as attachments.
+   */
+  async receive(request) {
+    throw new Error('Not implemented');
+  }
+
+  /**
+   * Called when message is received — adapter shows acknowledgment.
+   * Telegram: thumbs up reaction. Slack: emoji reaction. Web: no-op.
+   */
+  async acknowledge(metadata) {}
+
+  /**
+   * Called while AI is processing — adapter shows activity.
+   * Telegram: typing indicator. Slack: typing indicator. Web: no-op (streaming handles this).
+   * Returns a stop function.
+   */
+  startProcessingIndicator(metadata) {
+    return () => {};
+  }
+
+  /**
+   * Send a complete (non-streaming) response back to the channel.
+   */
+  async sendResponse(threadId, text, metadata) {
+    throw new Error('Not implemented');
+  }
+
+  /**
+   * Whether this channel supports real streaming (e.g., web chat via Vercel AI SDK).
+   * If true, the AI layer provides a stream instead of a complete response.
+   */
+  get supportsStreaming() {
+    return false;
+  }
+}
+
+export { ChannelAdapter };

package/lib/channels/index.js

@@ -0,0 +1,15 @@
+import { TelegramAdapter } from './telegram.js';
+
+let _telegramAdapter = null;
+
+/**
+ * Get the Telegram channel adapter (lazy singleton).
+ * @param {string} botToken - Telegram bot token
+ * @returns {TelegramAdapter}
+ */
+export function getTelegramAdapter(botToken) {
+  if (!_telegramAdapter || _telegramAdapter.botToken !== botToken) {
+    _telegramAdapter = new TelegramAdapter(botToken);
+  }
+  return _telegramAdapter;
+}