kimaki 0.4.78 → 0.4.80

package/src/database.ts

@@ -4,6 +4,7 @@
 
 import { getPrisma, closePrisma } from './db.js'
 import type { Prisma, session_events, BotMode, VerbosityLevel, WorktreeStatus, ChannelType as PrismaChannelType } from './generated/client.js'
+import crypto from 'node:crypto'
 
 import { store } from './store.js'
 import { createLogger, LogPrefix } from './logger.js'
@@ -209,6 +210,65 @@ export async function listScheduledTasks({
   return rows.map((row) => toScheduledTask(row))
 }
 
+export async function getScheduledTask(
+  taskId: number,
+): Promise<ScheduledTask | null> {
+  const prisma = await getPrisma()
+  const row = await prisma.scheduled_tasks.findUnique({
+    where: { id: taskId },
+  })
+  return row ? toScheduledTask(row) : null
+}
+
+export async function updateScheduledTask({
+  taskId,
+  payloadJson,
+  promptPreview,
+  scheduleKind,
+  runAt,
+  cronExpr,
+  timezone,
+  nextRunAt,
+}: {
+  taskId: number
+  payloadJson: string
+  promptPreview: string
+  scheduleKind?: ScheduledTaskScheduleKind
+  runAt?: Date | null
+  cronExpr?: string | null
+  timezone?: string | null
+  nextRunAt?: Date
+}): Promise<boolean> {
+  const prisma = await getPrisma()
+  const data: Record<string, unknown> = {
+    payload_json: payloadJson,
+    prompt_preview: promptPreview,
+  }
+  if (scheduleKind !== undefined) {
+    data.schedule_kind = scheduleKind
+  }
+  if (runAt !== undefined) {
+    data.run_at = runAt
+  }
+  if (cronExpr !== undefined) {
+    data.cron_expr = cronExpr
+  }
+  if (timezone !== undefined) {
+    data.timezone = timezone
+  }
+  if (nextRunAt !== undefined) {
+    data.next_run_at = nextRunAt
+  }
+  const result = await prisma.scheduled_tasks.updateMany({
+    where: {
+      id: taskId,
+      status: 'planned',
+    },
+    data,
+  })
+  return result.count > 0
+}
+
 export async function cancelScheduledTask(taskId: number): Promise<boolean> {
   const prisma = await getPrisma()
   const result = await prisma.scheduled_tasks.updateMany({
@@ -1173,6 +1233,7 @@ export async function getBotTokenWithMode(): Promise<
   | {
       appId: string
       token: string
+      gatewayToken: string
       mode: BotMode
       clientId: string | null
       clientSecret: string | null
@@ -1191,9 +1252,11 @@ export async function getBotTokenWithMode(): Promise<
   if (!row) {
     return undefined
   }
+  const gatewayToken = await ensureServiceAuthToken({ appId: row.app_id })
+  const serviceParts = splitServiceAuthToken({ token: gatewayToken })
   const mode: BotMode = row.bot_mode === 'gateway' ? 'gateway' : 'self_hosted'
-  const token = (mode === 'gateway' && row.client_id && row.client_secret)
-    ? `${row.client_id}:${row.client_secret}`
+  const token = (mode === 'gateway' && serviceParts)
+    ? gatewayToken
     : row.token
   // Always reset discordBaseUrl on every read so a mode switch within
   // the same process (e.g. DB has gateway row but user proceeds self-hosted)
@@ -1201,27 +1264,90 @@ export async function getBotTokenWithMode(): Promise<
   const discordBaseUrl = (mode === 'gateway' && row.proxy_url)
     ? row.proxy_url
     : 'https://discord.com'
-  store.setState({ discordBaseUrl })
+  store.setState({ discordBaseUrl, gatewayToken })
   return {
     appId: row.app_id,
     token,
+    gatewayToken,
     mode,
-    clientId: row.client_id,
-    clientSecret: row.client_secret,
+    clientId: serviceParts?.clientId || row.client_id,
+    clientSecret: serviceParts?.clientSecret || row.client_secret,
     proxyUrl: row.proxy_url,
   }
 }
 
+function splitServiceAuthToken({ token }: { token: string }): { clientId: string; clientSecret: string } | null {
+  const separatorIndex = token.indexOf(':')
+  if (separatorIndex <= 0 || separatorIndex >= token.length - 1) {
+    return null
+  }
+  return {
+    clientId: token.slice(0, separatorIndex),
+    clientSecret: token.slice(separatorIndex + 1),
+  }
+}
+
+function createServiceCredentials(): { clientId: string; clientSecret: string } {
+  return {
+    clientId: crypto.randomUUID(),
+    clientSecret: crypto.randomBytes(32).toString('hex'),
+  }
+}
+
+export async function ensureServiceAuthToken({
+  appId,
+  preferredGatewayToken,
+}: {
+  appId: string
+  preferredGatewayToken?: string
+}): Promise<string> {
+  const prisma = await getPrisma()
+  const row = await prisma.bot_tokens.findUnique({
+    where: { app_id: appId },
+  })
+  if (!row) {
+    throw new Error(`Bot token row not found for app_id ${appId}`)
+  }
+
+  const preferred = preferredGatewayToken
+    ? splitServiceAuthToken({ token: preferredGatewayToken })
+    : null
+  const existing = (row.client_id && row.client_secret)
+    ? { clientId: row.client_id, clientSecret: row.client_secret }
+    : null
+  const fromStoredToken = splitServiceAuthToken({ token: row.token })
+  const resolved = preferred || existing || fromStoredToken || createServiceCredentials()
+
+  if (row.client_id !== resolved.clientId || row.client_secret !== resolved.clientSecret) {
+    await prisma.bot_tokens.update({
+      where: { app_id: appId },
+      data: {
+        client_id: resolved.clientId,
+        client_secret: resolved.clientSecret,
+      },
+    })
+  }
+
+  return `${resolved.clientId}:${resolved.clientSecret}`
+}
+
 /**
  * Store a bot token.
  */
 export async function setBotToken(appId: string, token: string): Promise<void> {
   const prisma = await getPrisma()
+  const generated = createServiceCredentials()
   await prisma.bot_tokens.upsert({
     where: { app_id: appId },
-    create: { app_id: appId, token },
+    create: {
+      app_id: appId,
+      token,
+      client_id: generated.clientId,
+      client_secret: generated.clientSecret,
+    },
     update: { token },
   })
+  await ensureServiceAuthToken({ appId })
 }
 
 export type { BotMode }
@@ -1250,11 +1376,16 @@ export async function setBotMode({
     client_secret: clientSecret ?? null,
     proxy_url: proxyUrl ?? null,
   }
+  const createToken = (clientId && clientSecret) ? `${clientId}:${clientSecret}` : ''
   await prisma.bot_tokens.upsert({
     where: { app_id: appId },
-    create: { app_id: appId, token: `${clientId}:${clientSecret}`, ...data },
+    create: { app_id: appId, token: createToken, ...data },
     update: data,
   })
+  await ensureServiceAuthToken({
+    appId,
+    preferredGatewayToken: (clientId && clientSecret) ? `${clientId}:${clientSecret}` : undefined,
+  })
 }
 
 

package/src/db.ts

@@ -4,6 +4,7 @@
 
 import fs from 'node:fs'
 import path from 'node:path'
+import crypto from 'node:crypto'
 import { PrismaLibSql } from '@prisma/adapter-libsql'
 import { PrismaClient, Prisma } from './generated/client.js'
 import { getDataDir } from './config.js'
@@ -60,6 +61,14 @@ function getDbUrl(): string {
   return `file:${dbPath}`
 }
 
+function getDbAuthToken(): string | undefined {
+  const token = process.env.KIMAKI_DB_AUTH_TOKEN
+  if (!token) {
+    return undefined
+  }
+  return token
+}
+
 async function initializePrisma(): Promise<PrismaClient> {
   const dbUrl = getDbUrl()
   const isFileMode = dbUrl.startsWith('file:')
@@ -78,7 +87,11 @@ async function initializePrisma(): Promise<PrismaClient> {
 
   dbLogger.log(`Opening database via: ${dbUrl}`)
 
-  const adapter = new PrismaLibSql({ url: dbUrl })
+  const dbAuthToken = getDbAuthToken()
+  const adapter = new PrismaLibSql({
+    url: dbUrl,
+    ...(dbAuthToken && { authToken: dbAuthToken }),
+  })
   const prisma = new PrismaClient({ adapter })
 
   try {
@@ -224,6 +237,32 @@ async function migrateSchema(prisma: PrismaClient): Promise<void> {
     }
   }
 
+  // Migration: ensure every bot row has service auth credentials.
+  // These credentials are used for local/internet control-plane auth.
+  try {
+    const botRows = await prisma.bot_tokens.findMany({
+      select: {
+        app_id: true,
+        client_id: true,
+        client_secret: true,
+      },
+    })
+    for (const botRow of botRows) {
+      if (botRow.client_id && botRow.client_secret) {
+        continue
+      }
+      await prisma.bot_tokens.update({
+        where: { app_id: botRow.app_id },
+        data: {
+          client_id: crypto.randomUUID(),
+          client_secret: crypto.randomBytes(32).toString('hex'),
+        },
+      })
+    }
+  } catch {
+    // Defensive migration only; ignore if table shape is not ready yet.
+  }
+
 }
 
 /**

package/src/discord-bot.ts

@@ -6,6 +6,7 @@ import {
   initDatabase,
   closeDatabase,
   getThreadWorktree,
+  getThreadSession,
   createPendingWorktree,
   setWorktreeReady,
   setWorktreeError,
@@ -26,6 +27,7 @@ import {
   splitMarkdownForDiscord,
   sendThreadMessage,
   SILENT_MESSAGE_FLAGS,
+  NOTIFY_MESSAGE_FLAGS,
   reactToThread,
   stripMentions,
   hasKimakiBotPermission,
@@ -40,6 +42,7 @@ import {
   getTextAttachments,
   resolveMentions,
 } from './message-formatting.js'
+import { isVoiceAttachment } from './voice-attachment.js'
 import {
   preprocessExistingThreadMessage,
   preprocessNewThreadMessage,
@@ -71,7 +74,7 @@ import {
 import { runShellCommand } from './commands/run-command.js'
 import { registerInteractionHandler } from './interaction-handler.js'
 import { getDiscordRestApiUrl } from './discord-urls.js'
-import { stopHranaServer } from './hrana-server.js'
+import { markDiscordGatewayReady, stopHranaServer } from './hrana-server.js'
 import { notifyError } from './sentry.js'
 import { flushDebouncedProcessCallbacks } from './debounced-process-flush.js'
 import { startRuntimeIdleSweeper } from './runtime-idle-sweeper.js'
@@ -276,6 +279,7 @@ export async function startDiscordBot({
     }
 
     voiceLogger.log('[READY] Bot is ready')
+    markDiscordGatewayReady()
 
     registerInteractionHandler({ discordClient: c, appId: currentAppId })
     registerVoiceStateHandler({ discordClient: c, appId: currentAppId })
@@ -299,7 +303,7 @@ export async function startDiscordBot({
       }
     })().catch((error) => {
       discordLogger.warn(
-        `Background guild channel scan failed: ${error instanceof Error ? error.message : String(error)}`,
+        `Background guild channel scan failed: ${error instanceof Error ? error.stack : String(error)}`,
       )
     })
   }
@@ -409,6 +413,9 @@ export async function startDiscordBot({
       const cliInjectedModel = isCliInjectedPrompt
         ? promptMarker?.model
         : undefined
+      const cliInjectedPermissions = isCliInjectedPrompt
+        ? promptMarker?.permissions
+        : undefined
 
       // Always ignore our own messages (unless CLI-injected prompt above).
       // Without this, assigning the Kimaki role to the bot itself would loop.
@@ -496,6 +503,19 @@ export async function startDiscordBot({
         const thread = channel as ThreadChannel
         discordLogger.log(`Message in thread ${thread.name} (${thread.id})`)
 
+        // Only respond in threads kimaki knows about (has a session row in DB)
+        // or where the bot is explicitly @mentioned. This prevents the bot from
+        // hijacking user-created threads in project channels. (GitHub #84)
+        const hasExistingSession = await getThreadSession(thread.id)
+        const botMentioned =
+          discordClient.user && message.mentions.has(discordClient.user.id)
+        if (!hasExistingSession && !botMentioned && !isCliInjectedPrompt) {
+          discordLogger.log(
+            `Ignoring thread ${thread.id}: no existing session and bot not mentioned`,
+          )
+          return
+        }
+
         const parent = thread.parent as TextChannel | null
         let projectDirectory: string | undefined
         if (parent) {
@@ -518,7 +538,7 @@ export async function startDiscordBot({
           if (worktreeInfo.status === 'error') {
             await message.reply({
               content: `❌ Worktree creation failed: ${(worktreeInfo.error_message || '').slice(0, 1900)}`,
-              flags: SILENT_MESSAGE_FLAGS,
+              flags: NOTIFY_MESSAGE_FLAGS,
             })
             return
           }
@@ -536,7 +556,7 @@ export async function startDiscordBot({
           discordLogger.error(`Directory does not exist: ${projectDirectory}`)
           await message.reply({
             content: `✗ Directory does not exist: ${JSON.stringify(projectDirectory).slice(0, 1900)}`,
-            flags: SILENT_MESSAGE_FLAGS,
+            flags: NOTIFY_MESSAGE_FLAGS,
           })
           return
         }
@@ -563,8 +583,8 @@ export async function startDiscordBot({
           }
         }
 
-        const hasVoiceAttachment = message.attachments.some((a) => {
-          return a.contentType?.startsWith('audio/')
+        const hasVoiceAttachment = message.attachments.some((attachment) => {
+          return isVoiceAttachment(attachment)
         })
 
         if (!projectDirectory) {
@@ -622,6 +642,7 @@ export async function startDiscordBot({
           appId: currentAppId,
           agent: cliInjectedAgent,
           model: cliInjectedModel,
+          permissions: cliInjectedPermissions,
           sessionStartSource: sessionStartSource
             ? {
                 scheduleKind: sessionStartSource.scheduleKind,
@@ -687,7 +708,7 @@ export async function startDiscordBot({
           discordLogger.error(`Directory does not exist: ${projectDirectory}`)
           await message.reply({
             content: `✗ Directory does not exist: ${JSON.stringify(projectDirectory).slice(0, 1900)}`,
-            flags: SILENT_MESSAGE_FLAGS,
+            flags: NOTIFY_MESSAGE_FLAGS,
           })
           return
         }
@@ -708,9 +729,9 @@ export async function startDiscordBot({
           }
         }
 
-        const hasVoice = message.attachments.some((a) =>
-          a.contentType?.startsWith('audio/'),
-        )
+        const hasVoice = message.attachments.some((attachment) => {
+          return isVoiceAttachment(attachment)
+        })
 
         const baseThreadName = hasVoice
           ? 'Voice Message'
@@ -767,7 +788,7 @@ export async function startDiscordBot({
             })
             await thread.send({
               content: `⚠️ Failed to create worktree: ${errMsg}\nUsing main project directory instead.`,
-              flags: SILENT_MESSAGE_FLAGS,
+              flags: NOTIFY_MESSAGE_FLAGS,
             })
           } else {
             await setWorktreeReady({
@@ -824,7 +845,7 @@ export async function startDiscordBot({
         ).slice(0, 1900)
         await message.reply({
           content: `Error: ${errMsg}`,
-          flags: SILENT_MESSAGE_FLAGS,
+          flags: NOTIFY_MESSAGE_FLAGS,
         })
       } catch (sendError) {
         voiceLogger.error(
@@ -855,7 +876,7 @@ export async function startDiscordBot({
         .catch((error) => {
           discordLogger.warn(
             `[THREAD_CREATE] Failed to fetch starter message for thread ${thread.id}:`,
-            error instanceof Error ? error.message : String(error),
+            error instanceof Error ? error.stack : String(error),
           )
           return null
         })
@@ -915,7 +936,7 @@ export async function startDiscordBot({
         )
         await thread.send({
           content: `✗ Directory does not exist: ${JSON.stringify(projectDirectory).slice(0, 1900)}`,
-          flags: SILENT_MESSAGE_FLAGS,
+          flags: NOTIFY_MESSAGE_FLAGS,
         })
         return
       }
@@ -958,11 +979,11 @@ export async function startDiscordBot({
           })
           await (worktreeStatusMessage?.edit({
             content: `⚠️ Failed to create worktree: ${worktreeResult.message}\nUsing main project directory instead.`,
-            flags: SILENT_MESSAGE_FLAGS,
+            flags: NOTIFY_MESSAGE_FLAGS,
           }) ||
             thread.send({
               content: `⚠️ Failed to create worktree: ${worktreeResult.message}\nUsing main project directory instead.`,
-              flags: SILENT_MESSAGE_FLAGS,
+              flags: NOTIFY_MESSAGE_FLAGS,
             }))
           return projectDirectory
         }
@@ -1013,6 +1034,7 @@ export async function startDiscordBot({
         appId: currentAppId,
         agent: marker.agent,
         model: marker.model,
+        permissions: marker.permissions,
         mode: 'opencode',
         sessionStartSource: botThreadStartSource
           ? {
@@ -1033,7 +1055,7 @@ export async function startDiscordBot({
         ).slice(0, 1900)
         await thread.send({
           content: `Error: ${errMsg}`,
-          flags: SILENT_MESSAGE_FLAGS,
+          flags: NOTIFY_MESSAGE_FLAGS,
         })
       } catch (sendError) {
         voiceLogger.error(
@@ -1050,7 +1072,12 @@ export async function startDiscordBot({
     disposeRuntime(thread.id)
   })
 
-  await discordClient.login(token)
+  // Skip login if the caller already connected the client (e.g. cli.ts logs in
+  // before calling startDiscordBot). Calling login() again destroys the existing
+  // WebSocket (close code 1000) and triggers a spurious ShardReconnecting event.
+  if (!discordClient.isReady()) {
+    await discordClient.login(token)
+  }
 
   startHeapMonitor()
   const stopTaskRunner = startTaskRunner({ token })
@@ -1072,7 +1099,7 @@ export async function startDiscordBot({
       await flushDebouncedProcessCallbacks().catch((error) => {
         discordLogger.warn(
           'Failed to flush debounced process callbacks:',
-          error instanceof Error ? error.message : String(error),
+          error instanceof Error ? error.stack : String(error),
         )
       })
 

package/src/discord-urls.ts

@@ -56,6 +56,18 @@ export function createDiscordRest(token: string): REST {
   return new REST({ api: getDiscordRestApiUrl() }).setToken(token)
 }
 
+/**
+ * Returns the internet-reachable base URL for this kimaki instance.
+ * When KIMAKI_INTERNET_REACHABLE_URL is set (e.g. "https://my-kimaki.fly.dev"),
+ * kimaki binds the hrana server to 0.0.0.0 and exposes a /kimaki/wake endpoint
+ * so the gateway-proxy can wake this instance. Discord traffic still flows
+ * through the normal path (gateway-proxy in gateway mode, direct in self-hosted).
+ * Returns null when not set (kimaki only reachable on localhost).
+ */
+export function getInternetReachableBaseUrl(): string | null {
+  return process.env['KIMAKI_INTERNET_REACHABLE_URL'] || null
+}
+
 /**
  * Derive an HTTPS REST base URL from a WebSocket gateway URL.
  * Swaps wss→https and ws→http. Used for gateway mode where the

package/src/errors.ts

@@ -160,7 +160,7 @@ export class NotFastForwardError extends createTaggedError({
 export class ConflictingFilesError extends createTaggedError({
   name: 'ConflictingFilesError',
   message:
-    'Cannot merge: $target worktree has uncommitted changes in overlapping files',
+    'Cannot merge: $target worktree has uncommitted changes in overlapping files. Commit changes in main worktree first, then run `/merge-worktree` again.',
 }) {}
 
 export class PushError extends createTaggedError({