obol-ai 0.1.3 → 0.1.5

package/README.md

@@ -41,10 +41,10 @@ Named after the AI in [The Last Instruction](https://latentpress.com) — a mach
 ```bash
 npm install -g obol-ai
 obol init
-obol start
+obol start -d
 ```
 
-The init wizard walks you through everything — credentials are validated inline, and your Telegram ID is auto-detected. OBOL handles the rest.
+The init wizard walks you through everything — credentials are validated inline, and your Telegram ID is auto-detected. `obol start -d` runs as a background daemon via pm2 (auto-installs pm2 if missing).
 
 ## How It Works
 
@@ -339,7 +339,7 @@ For Telegram user IDs, OBOL auto-detects by checking who messaged the bot. Just
 
 ### First Conversation
 
-Send your first message. OBOL introduces itself, asks 2-3 questions, then writes its own SOUL.md and USER.md. After that, it silently hardens your VPS (Linux only — skipped on macOS/Windows):
+Send your first message. OBOL introduces itself, asks 2-3 questions, then writes its own SOUL.md and USER.md. After that, it hardens your VPS and reports progress directly in the Telegram chat (Linux only — skipped on macOS/Windows):
 
 | Task | What |
 |------|------|
@@ -354,6 +354,69 @@ Send your first message. OBOL introduces itself, asks 2-3 questions, then writes
 
 > ⚠️ After first run, SSH moves to port 2222: `ssh -p 2222 root@YOUR_IP`
 
+## Running the Bot
+
+### Foreground (testing)
+
+```bash
+obol start
+```
+
+Logs print to stdout. Ctrl+C to stop.
+
+### Daemon (production)
+
+```bash
+obol start -d
+```
+
+This uses pm2 under the hood (auto-installs if needed). The bot auto-restarts on crash and survives reboots.
+
+```bash
+obol status              # check if running + uptime + memory
+obol logs                # tail logs
+obol stop                # stop the daemon
+
+# pm2 commands also work directly
+pm2 logs obol            # tail logs
+pm2 restart obol         # restart
+pm2 monit                # live dashboard
+```
+
+To survive server reboots:
+
+```bash
+pm2 startup
+pm2 save
+```
+
+### Authentication
+
+OBOL supports two Anthropic auth methods:
+
+| Method | How | Fallback |
+|--------|-----|----------|
+| **API Key** | `sk-ant-...` from console.anthropic.com | — |
+| **Claude Max OAuth** | Browser sign-in during `obol init` | Auto-refreshes tokens; falls back to API key if refresh fails |
+
+You can configure both during init. If OAuth tokens expire and refresh fails, OBOL silently falls back to the API key.
+
+### Secret Storage (pass)
+
+On Linux, OBOL auto-encrypts all credentials on first boot:
+
+1. Installs GPG + `pass`
+2. Migrates plaintext secrets from `config.json` into the encrypted store
+3. Config values become references like `pass:obol/anthropic-key`
+
+If a pass key is missing at runtime, the value resolves to `null` and OBOL falls back gracefully (skips OAuth, uses API key, etc). You'll see a one-time error in logs.
+
+```bash
+pass ls                         # list stored secrets
+pass show obol/anthropic-key    # reveal a secret
+pass insert obol/my-secret      # add a new secret
+```
+
 ## Resilience
 
 OBOL is designed to stay alive without babysitting:
@@ -404,6 +467,7 @@ obol stop              # Stop (pm2 or PID fallback)
 obol logs              # Tail logs (pm2 or log file fallback)
 obol status            # Status
 obol backup            # Manual backup
+obol upgrade           # Update to latest version
 ```
 
 ## Directory Structure

package/bin/obol.js

@@ -70,4 +70,12 @@ program
     await backup();
   });
 
+program
+  .command('upgrade')
+  .description('Update to the latest version')
+  .action(async () => {
+    const { upgrade } = require('../src/cli/upgrade');
+    await upgrade();
+  });
+
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "obol-ai",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Self-evolving AI assistant that learns, remembers, and acts on its own. Persistent vector memory, self-rewriting personality, proactive heartbeats.",
   "main": "src/index.js",
   "bin": {

package/src/claude.js

@@ -31,7 +31,7 @@ const SENSITIVE_READ_PATHS = [
 ];
 
 function createAnthropicClient(anthropicConfig, { useOAuth = true } = {}) {
-  if (useOAuth && anthropicConfig.oauth) {
+  if (useOAuth && anthropicConfig.oauth?.accessToken) {
     return new Anthropic({
       apiKey: null,
       authToken: anthropicConfig.oauth.accessToken,
@@ -48,8 +48,17 @@ function createAnthropicClient(anthropicConfig, { useOAuth = true } = {}) {
 }
 
 async function ensureFreshToken(anthropicConfig) {
-  if (!anthropicConfig.oauth) return;
+  if (!anthropicConfig.oauth?.accessToken) return;
   if (!isExpired(anthropicConfig.oauth)) return;
+  if (!anthropicConfig.oauth.refreshToken) {
+    if (anthropicConfig.apiKey) {
+      anthropicConfig._oauthFailed = true;
+      return;
+    }
+    const err = new Error('OAuth token expired and no refresh token available. Re-authenticate with: obol config → Anthropic → OAuth');
+    err.isOAuthExpiry = true;
+    throw err;
+  }
 
   try {
     const tokens = await refreshTokens(anthropicConfig.oauth.refreshToken);
@@ -77,7 +86,7 @@ async function ensureFreshToken(anthropicConfig) {
 
 function createClaude(anthropicConfig, { personality, memory, userDir, bridgeEnabled }) {
   let client = createAnthropicClient(anthropicConfig);
-  const useOAuth = !!anthropicConfig.oauth;
+  const useOAuth = !!anthropicConfig.oauth?.accessToken;
 
   const baseSystemPrompt = buildSystemPrompt(personality, userDir, { bridgeEnabled });
 
@@ -282,9 +291,14 @@ ${workDir}/
 
 ## Secrets (pass)
 
-When storing secrets with \`pass\`, ALWAYS use the prefix \`${passPrefix}/\`.
+When storing NEW user secrets with \`pass\`, use the prefix \`${passPrefix}/\`.
 Example: \`pass insert ${passPrefix}/gmail-key\`
-Shared bot credentials (Anthropic, Telegram, Supabase) live under \`obol/\` — do NOT touch those.
+
+Shared bot credentials live under \`obol/\` — do NOT touch or re-create these:
+\`obol/anthropic-key\`, \`obol/telegram-token\`, \`obol/supabase-url\`, \`obol/supabase-key\`, \`obol/github-token\`, \`obol/vercel-token\`
+
+To check if a secret exists: \`pass show obol/github-token\`
+To list all secrets: \`pass ls\`
 `);
 
   if (opts.bridgeEnabled) {
@@ -509,13 +523,19 @@ async function executeToolCall(toolUse, memory, context = {}) {
           }
         }
         const timeout = Math.min(input.timeout || 30, MAX_EXEC_TIMEOUT) * 1000;
+        const realHome = process.env.HOME || '/root';
         const output = execSync(input.command, {
           encoding: 'utf-8',
           timeout,
           maxBuffer: 1024 * 1024,
           stdio: ['pipe', 'pipe', 'pipe'],
           cwd: userDir || undefined,
-          env: userDir ? { ...process.env, HOME: userDir } : process.env,
+          env: userDir ? {
+            ...process.env,
+            HOME: userDir,
+            GNUPGHOME: process.env.GNUPGHOME || `${realHome}/.gnupg`,
+            PASSWORD_STORE_DIR: process.env.PASSWORD_STORE_DIR || `${realHome}/.password-store`,
+          } : process.env,
         });
         const truncated = output.substring(0, 10000);
         return output.length > 10000 ? truncated + '\n...(truncated)' : truncated;
@@ -584,10 +604,14 @@ async function executeToolCall(toolUse, memory, context = {}) {
       case 'vercel_list': {
         const token = context.config?.vercel?.token;
         if (!token) return 'Vercel not configured.';
-        const output = execSync(
-          `npx vercel ls ${input.project} 2>&1`,
-          { encoding: 'utf-8', timeout: 30000, env: { ...process.env, VERCEL_TOKEN: token } }
-        );
+        const listArgs = ['vercel', 'ls'];
+        if (input.project) {
+          const safeProject = input.project.replace(/[^a-zA-Z0-9_\-./]/g, '');
+          if (safeProject) listArgs.push(safeProject);
+        }
+        const output = execFileSync('npx', listArgs, {
+          encoding: 'utf-8', timeout: 30000, env: { ...process.env, VERCEL_TOKEN: token },
+        });
         return output.substring(0, 5000);
       }
 

package/src/cli/config.js

@@ -1,5 +1,6 @@
 const inquirer = require('inquirer');
 const { loadConfig, saveConfig, CONFIG_FILE, ensureUserDir, getUserDir } = require('../config');
+const { spawnSync } = require('child_process');
 const fs = require('fs');
 
 const SECTIONS = [
@@ -98,10 +99,29 @@ function maskSecret(value) {
 function formatValue(value, secret) {
   if (value === undefined || value === null) return '(not set)';
   if (Array.isArray(value)) return value.join(', ');
+  if (typeof value === 'string' && value.startsWith('pass:')) {
+    if (!secret) return value;
+    const passKey = value.slice(5);
+    try {
+      const { execSync } = require('child_process');
+      const resolved = execSync(`pass show ${passKey}`, { encoding: 'utf-8' }).trim();
+      return maskSecret(resolved);
+    } catch {
+      return '(pass key missing)';
+    }
+  }
   if (secret) return maskSecret(value);
   return String(value);
 }
 
+function updatePassSecret(passKey, newValue) {
+  const result = spawnSync('pass', ['insert', '-f', '-m', passKey], {
+    input: newValue,
+    stdio: ['pipe', 'pipe', 'pipe'],
+  });
+  return result.status === 0;
+}
+
 async function detectTelegramUsers(token) {
   if (!token) return null;
   const res = await fetch(`https://api.telegram.org/bot${token}/getUpdates?limit=50`);
@@ -318,6 +338,7 @@ async function config() {
       setNestedValue(cfg, field.key, parseInt(newVal.trim()));
     } else {
       const promptType = field.secret ? 'password' : 'input';
+      const isPassRef = typeof currentVal === 'string' && currentVal.startsWith('pass:');
       const opts = {
         type: promptType,
         name: 'newVal',
@@ -325,14 +346,23 @@ async function config() {
       };
       if (field.secret) {
         opts.mask = '*';
-        if (currentVal) {
-          console.log(`  Current: ${maskSecret(currentVal)}`);
-        }
+        console.log(`  Current: ${formatValue(currentVal, true)}`);
       } else {
         opts.default = currentVal != null ? String(currentVal) : '';
       }
       const { newVal } = await inquirer.prompt([opts]);
-      setNestedValue(cfg, field.key, newVal);
+
+      if (isPassRef) {
+        const passKey = currentVal.slice(5);
+        if (updatePassSecret(passKey, newVal)) {
+          console.log(`  ✅ Updated in pass store (${passKey})`);
+        } else {
+          console.log(`  ⚠️  Failed to update pass store, saving to config directly`);
+          setNestedValue(cfg, field.key, newVal);
+        }
+      } else {
+        setNestedValue(cfg, field.key, newVal);
+      }
     }
 
     saveConfig(cfg);

package/src/cli/init.js

@@ -357,6 +357,7 @@ async function init(opts = {}) {
     obol start -d   Start as background daemon
     obol config     Edit configuration later
     obol status     Check bot status
+    obol upgrade    Update to latest version
 
   Config: ${CONFIG_FILE}
 `);
@@ -385,9 +386,22 @@ async function setupAnthropicOAuth() {
     validate: (v) => v.trim().length > 0 ? true : 'Required',
   }]);
 
-  let code, state;
   const input = callbackInput.trim();
 
+  if (input.includes('sk-ant-oat')) {
+    console.log('  ✅ OAuth token detected — using directly');
+    console.log('  ⚠️  No refresh token — you\'ll need to re-auth when it expires\n');
+    return {
+      oauth: {
+        accessToken: input,
+        refreshToken: null,
+        expires: Date.now() + 60 * 60 * 1000,
+      },
+    };
+  }
+
+  let code, state;
+
   if (input.includes('code=')) {
     const url = new URL(input);
     code = url.searchParams.get('code');

package/src/cli/upgrade.js

@@ -0,0 +1,71 @@
+const { execSync } = require('child_process');
+const pkg = require('../../package.json');
+
+/** @returns {string|null} */
+function getLatestVersion() {
+  try {
+    return execSync(`npm view ${pkg.name} version`, { encoding: 'utf-8' }).trim();
+  } catch {
+    return null;
+  }
+}
+
+/** @returns {boolean} */
+function isBotRunning() {
+  try {
+    const list = execSync('pm2 jlist', { encoding: 'utf-8' });
+    const procs = JSON.parse(list);
+    const obol = procs.find(p => p.name === 'obol');
+    return obol?.pm2_env?.status === 'online';
+  } catch {
+    return false;
+  }
+}
+
+async function upgrade() {
+  const current = pkg.version;
+  console.log(`🪙 Current version: ${current}`);
+
+  const latest = getLatestVersion();
+  if (!latest) {
+    console.error('  ❌ Could not reach npm registry');
+    process.exit(1);
+  }
+
+  if (current === latest) {
+    console.log(`  ✅ Already on latest (${latest})`);
+    return;
+  }
+
+  console.log(`  ⬆ New version available: ${latest}\n`);
+
+  const wasRunning = isBotRunning();
+
+  if (wasRunning) {
+    console.log('  Stopping bot...');
+    try {
+      execSync('pm2 stop obol', { stdio: 'pipe' });
+    } catch {}
+  }
+
+  console.log('  Installing update...');
+  try {
+    execSync(`npm install -g ${pkg.name}@latest`, { stdio: 'inherit' });
+  } catch (e) {
+    console.error(`\n  ❌ Update failed: ${e.message}`);
+    if (wasRunning) {
+      console.log('  Restarting bot...');
+      execSync('pm2 start obol', { stdio: 'pipe' });
+    }
+    process.exit(1);
+  }
+
+  if (wasRunning) {
+    console.log('\n  Restarting bot...');
+    execSync('pm2 start obol', { stdio: 'pipe' });
+  }
+
+  console.log(`\n🪙 Upgraded to ${latest}`);
+}
+
+module.exports = { upgrade };

package/src/config.js

@@ -23,7 +23,9 @@ function resolvePassValues(obj) {
         const { execSync } = require('child_process');
         result[key] = execSync(`pass show ${passKey}`, { encoding: 'utf-8' }).trim();
       } catch (e) {
-        console.warn(`[config] Failed to resolve pass:${passKey} — ${e.message?.includes('not found') ? 'key not found' : 'pass not installed or unavailable'}`);
+        const reason = e.message?.includes('not found') ? 'key not found' : 'pass not installed or unavailable';
+        console.error(`[config] Failed to resolve ${passKey} — ${reason}`);
+        result[key] = null;
       }
     } else if (typeof result[key] === 'object') {
       result[key] = resolvePassValues(result[key]);