multis 0.1.0

package/src/bot/telegram.js

@@ -0,0 +1,51 @@
+const { Telegraf } = require('telegraf');
+const { logAudit } = require('../governance/audit');
+const { DocumentIndexer } = require('../indexer/index');
+const {
+  handleStart, handleStatus, handleUnpair,
+  handleExec, handleRead,
+  handleIndex, handleDocument, handleSearch, handleDocs,
+  handleSkills, handleHelp, handleMessage
+} = require('./handlers');
+
+/**
+ * Create and configure the Telegram bot
+ * @param {Object} config - App configuration
+ * @returns {Telegraf} - Configured bot instance
+ */
+function createBot(config) {
+  if (!config.telegram_bot_token) {
+    throw new Error('TELEGRAM_BOT_TOKEN is required. Set it in .env or ~/.multis/config.json');
+  }
+
+  const bot = new Telegraf(config.telegram_bot_token);
+  const indexer = new DocumentIndexer();
+
+  // Commands
+  bot.start(handleStart(config));
+  bot.command('status', handleStatus(config));
+  bot.command('exec', handleExec(config));
+  bot.command('read', handleRead(config));
+  bot.command('index', handleIndex(config, indexer));
+  bot.command('search', handleSearch(config, indexer));
+  bot.command('docs', handleDocs(config, indexer));
+  bot.command('skills', handleSkills(config));
+  bot.command('help', handleHelp(config));
+  bot.command('unpair', handleUnpair(config));
+
+  // Document uploads (PDF, DOCX, etc.)
+  bot.on('document', handleDocument(config, indexer));
+
+  // Text messages
+  bot.on('text', handleMessage(config));
+
+  // Log errors
+  bot.catch((err, ctx) => {
+    console.error('Bot error:', err.message);
+    logAudit({ action: 'error', error: err.message, update: ctx?.update?.update_id });
+  });
+
+  return bot;
+}
+
+module.exports = { createBot };

package/src/cli/setup-beeper.js

@@ -0,0 +1,239 @@
+#!/usr/bin/env node
+/**
+ * Beeper Desktop API onboarding.
+ *
+ * Guides the user through:
+ * 1. Installing Beeper Desktop and enabling the API
+ * 2. OAuth PKCE authentication
+ * 3. Verifying connected accounts
+ * 4. Enabling Beeper in multis config
+ *
+ * Run: node src/cli/setup-beeper.js
+ */
+const crypto = require('crypto');
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+const { execSync } = require('child_process');
+
+const BASE = 'http://localhost:23373';
+const MULTIS_DIR = path.join(process.env.HOME || process.env.USERPROFILE, '.multis');
+const TOKEN_FILE = path.join(MULTIS_DIR, 'beeper-token.json');
+const CONFIG_PATH = path.join(MULTIS_DIR, 'config.json');
+
+function prompt(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => {
+    rl.question(question, answer => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+
+async function checkDesktop() {
+  try {
+    await fetch(`${BASE}/v1/spec`, { signal: AbortSignal.timeout(2000) });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function loadToken() {
+  try {
+    return JSON.parse(fs.readFileSync(TOKEN_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function saveToken(tokenData) {
+  if (!fs.existsSync(MULTIS_DIR)) fs.mkdirSync(MULTIS_DIR, { recursive: true });
+  fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokenData, null, 2));
+}
+
+async function api(token, method, apiPath) {
+  const res = await fetch(`${BASE}${apiPath}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`${res.status}: ${text}`);
+  }
+  return res.json();
+}
+
+async function oauthPKCE() {
+  // Dynamic client registration
+  const regRes = await fetch(`${BASE}/oauth/register`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      client_name: 'multis',
+      redirect_uris: ['http://127.0.0.1:9876/callback'],
+      grant_types: ['authorization_code'],
+      response_types: ['code'],
+      token_endpoint_auth_method: 'none',
+    }),
+  });
+  const client = await regRes.json();
+  const clientId = client.client_id;
+
+  // PKCE
+  const verifier = crypto.randomBytes(32).toString('base64url');
+  const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+
+  return new Promise((resolve, reject) => {
+    const server = http.createServer(async (req, res) => {
+      if (!req.url.startsWith('/callback')) return;
+      const url = new URL(req.url, 'http://127.0.0.1:9876');
+      const code = url.searchParams.get('code');
+
+      if (!code) {
+        res.writeHead(400);
+        res.end('No code received');
+        server.close();
+        reject(new Error('No auth code'));
+        return;
+      }
+
+      const tokenRes = await fetch(`${BASE}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'authorization_code',
+          client_id: clientId,
+          code,
+          redirect_uri: 'http://127.0.0.1:9876/callback',
+          code_verifier: verifier,
+        }),
+      });
+      const tokenData = await tokenRes.json();
+
+      res.writeHead(200, { 'Content-Type': 'text/html' });
+      res.end('<h2>Authorized! You can close this tab.</h2>');
+      server.close();
+
+      saveToken(tokenData);
+      resolve(tokenData.access_token);
+    });
+
+    server.listen(9876, '127.0.0.1', () => {
+      const authUrl = `${BASE}/oauth/authorize?` + new URLSearchParams({
+        response_type: 'code',
+        client_id: clientId,
+        redirect_uri: 'http://127.0.0.1:9876/callback',
+        code_challenge: challenge,
+        code_challenge_method: 'S256',
+        scope: 'read write',
+      });
+      console.log('  Opening browser for authorization...');
+      try {
+        execSync(`xdg-open "${authUrl}"`, { stdio: 'ignore' });
+      } catch {
+        console.log(`  Open manually: ${authUrl}`);
+      }
+    });
+
+    setTimeout(() => { server.close(); reject(new Error('OAuth timeout (60s)')); }, 60000);
+  });
+}
+
+function updateConfig() {
+  try {
+    const config = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'));
+    if (!config.platforms) config.platforms = {};
+    if (!config.platforms.beeper) config.platforms.beeper = {};
+    config.platforms.beeper.enabled = true;
+    config.platforms.beeper.url = config.platforms.beeper.url || BASE;
+    config.platforms.beeper.command_prefix = config.platforms.beeper.command_prefix || '//';
+    config.platforms.beeper.poll_interval = config.platforms.beeper.poll_interval || 3000;
+    fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n');
+    return true;
+  } catch (err) {
+    console.error(`  Could not update config: ${err.message}`);
+    return false;
+  }
+}
+
+async function main() {
+  console.log('=== multis: Beeper Desktop Setup ===\n');
+
+  // Step 1: Instructions
+  console.log('Prerequisites:');
+  console.log('  1. Install Beeper Desktop from https://beeper.com');
+  console.log('  2. Sign in and connect your accounts (WhatsApp, etc.)');
+  console.log('  3. Enable Desktop API: Settings > Developers > toggle on');
+  console.log();
+
+  await prompt('Press Enter when ready...');
+
+  // Step 2: Check Desktop is running
+  console.log('\n[1] Checking Beeper Desktop API...');
+  let reachable = await checkDesktop();
+
+  if (!reachable) {
+    console.log('  Not reachable at localhost:23373');
+    console.log('  Make sure Beeper Desktop is open and the API is enabled.');
+    await prompt('Press Enter to retry...');
+    reachable = await checkDesktop();
+    if (!reachable) {
+      console.error('  Still not reachable. Aborting.');
+      process.exit(1);
+    }
+  }
+  console.log('  Desktop API is reachable.');
+
+  // Step 3: OAuth (reuse saved token if valid)
+  console.log('\n[2] Authentication...');
+  let token = null;
+  const saved = loadToken();
+  if (saved?.access_token) {
+    try {
+      await api(saved.access_token, 'GET', '/v1/accounts');
+      token = saved.access_token;
+      console.log('  Using existing token.');
+    } catch {
+      console.log('  Saved token expired, re-authenticating...');
+    }
+  }
+
+  if (!token) {
+    console.log('  Starting OAuth PKCE flow...');
+    token = await oauthPKCE();
+    console.log('  Authenticated!');
+  }
+
+  // Step 4: List accounts
+  console.log('\n[3] Connected accounts:');
+  const accounts = await api(token, 'GET', '/v1/accounts');
+  const list = Array.isArray(accounts) ? accounts : accounts.items || [];
+  for (const acc of list) {
+    const name = acc.user?.displayText || acc.user?.id || acc.accountID || '?';
+    console.log(`  - ${acc.network || '?'}: ${name}`);
+  }
+
+  if (list.length === 0) {
+    console.log('  No accounts found. Connect accounts in Beeper Desktop first.');
+  }
+
+  // Step 5: Update config
+  console.log('\n[4] Updating multis config...');
+  if (updateConfig()) {
+    console.log('  Beeper enabled in ~/.multis/config.json');
+  }
+
+  // Done
+  console.log('\n=== Setup complete! ===');
+  console.log('Start multis with: node src/index.js');
+  console.log(`Send ${list.length > 0 ? '//' : '//'}status from any Beeper chat to test.`);
+  console.log('Only messages starting with // from your accounts will be processed.');
+}
+
+main().catch(err => {
+  console.error('Error:', err.message);
+  process.exit(1);
+});

package/src/config.js

@@ -0,0 +1,157 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const MULTIS_DIR = path.join(process.env.HOME || process.env.USERPROFILE, '.multis');
+const CONFIG_PATH = path.join(MULTIS_DIR, 'config.json');
+const GOVERNANCE_PATH = path.join(MULTIS_DIR, 'governance.json');
+
+/**
+ * Ensure ~/.multis directory exists with default config files
+ */
+function ensureMultisDir() {
+  if (!fs.existsSync(MULTIS_DIR)) {
+    fs.mkdirSync(MULTIS_DIR, { recursive: true });
+  }
+
+  // Copy default config if not present
+  if (!fs.existsSync(CONFIG_PATH)) {
+    const templateDir = path.join(__dirname, '..', '.multis-template');
+    fs.copyFileSync(path.join(templateDir, 'config.json'), CONFIG_PATH);
+  }
+
+  // Copy default governance if not present
+  if (!fs.existsSync(GOVERNANCE_PATH)) {
+    const templateDir = path.join(__dirname, '..', '.multis-template');
+    fs.copyFileSync(path.join(templateDir, 'governance.json'), GOVERNANCE_PATH);
+  }
+}
+
+/**
+ * Load .env file into process.env (simple key=value parser)
+ */
+function loadEnv() {
+  const envPath = path.join(__dirname, '..', '.env');
+  if (!fs.existsSync(envPath)) return;
+
+  const content = fs.readFileSync(envPath, 'utf8');
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIndex = trimmed.indexOf('=');
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    const value = trimmed.slice(eqIndex + 1).trim();
+    if (!process.env[key]) {
+      process.env[key] = value;
+    }
+  }
+}
+
+/**
+ * Generate a 6-character pairing code
+ */
+function generatePairingCode() {
+  return crypto.randomBytes(3).toString('hex').toUpperCase();
+}
+
+/**
+ * Load and merge configuration from ~/.multis/config.json and .env
+ * .env values override config.json values
+ */
+function loadConfig() {
+  loadEnv();
+  ensureMultisDir();
+
+  const config = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'));
+
+  // Ensure platforms block exists
+  if (!config.platforms) config.platforms = {};
+  if (!config.platforms.telegram) config.platforms.telegram = { enabled: true };
+  if (!config.platforms.beeper) config.platforms.beeper = { enabled: false };
+
+  // .env overrides
+  if (process.env.TELEGRAM_BOT_TOKEN) {
+    config.telegram_bot_token = process.env.TELEGRAM_BOT_TOKEN;
+  }
+  if (process.env.PAIRING_CODE) {
+    config.pairing_code = process.env.PAIRING_CODE;
+  }
+  if (process.env.LLM_PROVIDER) {
+    config.llm.provider = process.env.LLM_PROVIDER;
+  }
+  // Set API key based on active provider
+  const provider = config.llm.provider;
+  if (provider === 'anthropic' && process.env.ANTHROPIC_API_KEY) {
+    config.llm.apiKey = process.env.ANTHROPIC_API_KEY;
+  } else if (provider === 'openai' && process.env.OPENAI_API_KEY) {
+    config.llm.apiKey = process.env.OPENAI_API_KEY;
+  } else if (provider === 'gemini' && process.env.GEMINI_API_KEY) {
+    config.llm.apiKey = process.env.GEMINI_API_KEY;
+  }
+  if (process.env.LLM_MODEL) {
+    config.llm.model = process.env.LLM_MODEL;
+  }
+
+  // Migrate: set first allowed user as owner if owner_id missing
+  if (!config.owner_id && config.allowed_users && config.allowed_users.length > 0) {
+    config.owner_id = config.allowed_users[0];
+    saveConfig(config);
+  }
+
+  // Backward compat: sync telegram_bot_token into platforms block
+  if (config.telegram_bot_token && !config.platforms.telegram.bot_token) {
+    config.platforms.telegram.bot_token = config.telegram_bot_token;
+  }
+
+  // Generate pairing code if not set
+  if (!config.pairing_code) {
+    config.pairing_code = generatePairingCode();
+    saveConfig(config);
+  }
+
+  return config;
+}
+
+/**
+ * Save config back to ~/.multis/config.json
+ */
+function saveConfig(config) {
+  ensureMultisDir();
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n', 'utf8');
+}
+
+/**
+ * Add a user ID to the allowed users list.
+ * First paired user automatically becomes owner.
+ */
+function addAllowedUser(userId) {
+  const config = loadConfig();
+  if (!config.allowed_users.includes(userId)) {
+    config.allowed_users.push(userId);
+  }
+  // First paired user becomes owner
+  if (!config.owner_id) {
+    config.owner_id = userId;
+  }
+  saveConfig(config);
+  return config;
+}
+
+/**
+ * Check if a user is the owner
+ */
+function isOwner(userId, config) {
+  return config.owner_id === userId;
+}
+
+module.exports = {
+  loadConfig,
+  saveConfig,
+  addAllowedUser,
+  isOwner,
+  generatePairingCode,
+  ensureMultisDir,
+  MULTIS_DIR,
+  CONFIG_PATH
+};

package/src/governance/audit.js

@@ -0,0 +1,95 @@
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Log an action to the audit log (append-only, newline-delimited JSON)
+ * @param {Object} entry - Audit log entry
+ */
+function logAudit(entry) {
+  const auditPath = path.join(
+    process.env.HOME || process.env.USERPROFILE,
+    '.multis',
+    'audit.log'
+  );
+
+  const logEntry = {
+    timestamp: new Date().toISOString(),
+    ...entry
+  };
+
+  const line = JSON.stringify(logEntry) + '\n';
+
+  // Append-only (creates file if doesn't exist)
+  fs.appendFileSync(auditPath, line, 'utf8');
+}
+
+/**
+ * Read recent audit logs
+ * @param {number} limit - Number of recent entries to return
+ * @returns {Array} - Recent audit log entries
+ */
+function readAuditLogs(limit = 100) {
+  const auditPath = path.join(
+    process.env.HOME || process.env.USERPROFILE,
+    '.multis',
+    'audit.log'
+  );
+
+  if (!fs.existsSync(auditPath)) {
+    return [];
+  }
+
+  const content = fs.readFileSync(auditPath, 'utf8');
+  const lines = content.trim().split('\n').filter(Boolean);
+
+  // Parse last N lines
+  const recentLines = lines.slice(-limit);
+  return recentLines.map(line => JSON.parse(line));
+}
+
+/**
+ * Get audit statistics
+ * @returns {Object} - Statistics about audit logs
+ */
+function getAuditStats() {
+  const logs = readAuditLogs(1000); // Last 1000 entries
+
+  const stats = {
+    total: logs.length,
+    byUser: {},
+    byCommand: {},
+    denied: 0,
+    confirmed: 0
+  };
+
+  logs.forEach(log => {
+    // Count by user
+    if (log.user_id) {
+      stats.byUser[log.user_id] = (stats.byUser[log.user_id] || 0) + 1;
+    }
+
+    // Count by command
+    if (log.command) {
+      const baseCmd = log.command.split(' ')[0];
+      stats.byCommand[baseCmd] = (stats.byCommand[baseCmd] || 0) + 1;
+    }
+
+    // Count denied
+    if (log.allowed === false) {
+      stats.denied++;
+    }
+
+    // Count confirmed
+    if (log.confirmed === true) {
+      stats.confirmed++;
+    }
+  });
+
+  return stats;
+}
+
+module.exports = {
+  logAudit,
+  readAuditLogs,
+  getAuditStats
+};

package/src/governance/validate.js

@@ -0,0 +1,99 @@
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Load governance configuration
+ * @returns {Object} Governance config
+ */
+function loadGovernance() {
+  const configPath = path.join(
+    process.env.HOME || process.env.USERPROFILE,
+    '.multis',
+    'governance.json'
+  );
+
+  if (!fs.existsSync(configPath)) {
+    throw new Error('Governance config not found. Run: multis init');
+  }
+
+  return JSON.parse(fs.readFileSync(configPath, 'utf8'));
+}
+
+/**
+ * Check if a command is allowed by governance policy
+ * @param {string} command - Full command string (e.g., "ls -la ~/Documents")
+ * @returns {Object} - { allowed: boolean, reason?: string, requiresConfirmation: boolean }
+ */
+function isCommandAllowed(command) {
+  const gov = loadGovernance();
+  const parts = command.trim().split(/\s+/);
+  const baseCmd = parts[0];
+
+  // Check denylist first (explicit deny wins)
+  if (gov.commands.denylist.includes(baseCmd)) {
+    return {
+      allowed: false,
+      reason: `Command '${baseCmd}' is explicitly denied by governance policy`,
+      requiresConfirmation: false
+    };
+  }
+
+  // Check if requires confirmation
+  const needsConfirmation = gov.commands.requireConfirmation.includes(baseCmd);
+
+  // Check allowlist
+  if (gov.commands.allowlist.includes(baseCmd)) {
+    return {
+      allowed: true,
+      requiresConfirmation: needsConfirmation
+    };
+  }
+
+  // Not in allowlist = denied
+  return {
+    allowed: false,
+    reason: `Command '${baseCmd}' is not in the allowlist`,
+    requiresConfirmation: false
+  };
+}
+
+/**
+ * Check if a path is allowed by governance policy
+ * @param {string} filePath - Path to check
+ * @returns {Object} - { allowed: boolean, reason?: string }
+ */
+function isPathAllowed(filePath) {
+  const gov = loadGovernance();
+  const expandedPath = filePath.replace(/^~/, process.env.HOME || process.env.USERPROFILE);
+
+  // Check denied paths first
+  for (const deniedPath of gov.paths.denied) {
+    const expandedDenied = deniedPath.replace(/^~/, process.env.HOME || process.env.USERPROFILE);
+    if (expandedPath.startsWith(expandedDenied)) {
+      return {
+        allowed: false,
+        reason: `Path '${filePath}' is in a denied directory`
+      };
+    }
+  }
+
+  // Check allowed paths
+  for (const allowedPath of gov.paths.allowed) {
+    const expandedAllowed = allowedPath.replace(/^~/, process.env.HOME || process.env.USERPROFILE);
+    if (expandedPath.startsWith(expandedAllowed)) {
+      return { allowed: true };
+    }
+  }
+
+  // Not in allowed paths = denied
+  return {
+    allowed: false,
+    reason: `Path '${filePath}' is not in an allowed directory`
+  };
+}
+
+module.exports = {
+  loadGovernance,
+  isCommandAllowed,
+  isPathAllowed
+};