obol-ai 0.1.7 → 0.2.1

package/.claude/settings.local.json

@@ -13,7 +13,8 @@
       "Bash(/Users/jovinkenroye/Sites/obol/tests/mock-grammy.test.js:*)",
       "Bash(git -C /Users/jovinkenroye/Sites/obol diff --stat)",
       "Bash(git -C /Users/jovinkenroye/Sites/obol add:*)",
-      "Bash(git -C:*)"
+      "Bash(git -C:*)",
+      "Bash(pass ls:*)"
     ]
   }
 }

package/bin/obol.js

@@ -78,4 +78,12 @@ program
     await upgrade();
   });
 
+program
+  .command('delete')
+  .description('Delete all OBOL data and start fresh')
+  .action(async () => {
+    const { delete: deleteAll } = require('../src/cli/delete');
+    await deleteAll();
+  });
+
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "obol-ai",
-  "version": "0.1.7",
+  "version": "0.2.1",
   "description": "Self-evolving AI assistant that learns, remembers, and acts on its own. Persistent vector memory, self-rewriting personality, proactive heartbeats.",
   "main": "src/index.js",
   "bin": {

package/src/background.js

@@ -5,7 +5,8 @@
  * Claude periodically reports progress back to the user.
  */
 
-const CHECK_IN_INTERVAL = 30000; // 30 seconds
+const CHECK_IN_INTERVAL = 30000;
+const MAX_CONCURRENT_TASKS = 3;
 
 class BackgroundRunner {
   constructor() {
@@ -21,6 +22,12 @@ class BackgroundRunner {
    * @param {object} memory - Memory instance
    */
   spawn(claude, task, ctx, memory) {
+    let running = 0;
+    for (const t of this.tasks.values()) {
+      if (t.status === 'running') running++;
+    }
+    if (running >= MAX_CONCURRENT_TASKS) return null;
+
     const taskId = ++this.taskCounter;
     const chatId = ctx.chat.id;
 

package/src/bridge.js

@@ -1,8 +1,19 @@
-const { createAnthropicClient } = require('./claude');
+
+
 
 const BRIDGE_MAX_PER_HOUR = 20;
 const bridgeUsage = new Map();
 
+const _bridgeCleanup = setInterval(() => {
+  const hourAgo = Date.now() - 3600000;
+  for (const [key, timestamps] of bridgeUsage) {
+    const recent = timestamps.filter(ts => ts > hourAgo);
+    if (recent.length === 0) bridgeUsage.delete(key);
+    else bridgeUsage.set(key, recent);
+  }
+}, 600000);
+_bridgeCleanup.unref();
+
 function checkBridgeRateLimit(userId) {
   const now = Date.now();
   const hourAgo = now - 3600000;
@@ -84,9 +95,7 @@ async function bridgeAsk(question, fromUserId, config, notifyFn, targetId) {
   if (partner.personality?.user) systemParts.push(`\n## About Your Owner\n${partner.personality.user}`);
   if (memoryContext) systemParts.push(memoryContext);
 
-  const client = createAnthropicClient(config.anthropic);
-
-  const response = await client.messages.create({
+  const response = await partner.claude.client.messages.create({
     model: 'claude-sonnet-4-6',
     max_tokens: 1024,
     system: systemParts.join('\n'),

package/src/claude.js

@@ -3,9 +3,11 @@ const fs = require('fs');
 const path = require('path');
 const { execSync, execFileSync } = require('child_process');
 const { refreshTokens, isExpired, isOAuthToken } = require('./oauth');
-const { saveConfig, loadConfig } = require('./config');
+const { saveConfig, loadConfig, OBOL_DIR } = require('./config');
+const { execAsync, isAllowedUrl } = require('./sanitize');
 
 const MAX_EXEC_TIMEOUT = 120;
+const MAX_TOOL_ITERATIONS = 15;
 
 const BLOCKED_EXEC_PATTERNS = [
   /\brm\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)\b/,
@@ -19,6 +21,13 @@ const BLOCKED_EXEC_PATTERNS = [
   /\$\([^)]*\)/,
   /\bpython[23]?\s+-c\b/, /\bperl\s+-e\b/, /\bruby\s+-e\b/, /\bnode\s+-e\b/,
   /\bcurl\b.*\|\s*(ba)?sh/, /\bwget\b.*\|\s*(ba)?sh/,
+  /\benv\b.*\b(sh|bash|zsh)\b/,
+  /\bfind\b.*-exec\b/,
+  /\bprintf\b.*\|\s*(ba)?sh/,
+  /\\x[0-9a-fA-F]{2}/, /\\[0-7]{3}/,
+  /\bnc\s+-e\b/, /\bncat\b.*-e\b/,
+  /\bmkfifo\b/,
+  />\s*\/dev\/sd/,
 ];
 
 const SENSITIVE_READ_PATHS = [
@@ -115,11 +124,10 @@ async function ensureFreshToken(anthropicConfig) {
   }
 }
 
-function createClaude(anthropicConfig, { personality, memory, userDir, bridgeEnabled }) {
+function createClaude(anthropicConfig, { personality, memory, userDir = OBOL_DIR, bridgeEnabled }) {
   let client = createAnthropicClient(anthropicConfig);
-  const useOAuth = !!anthropicConfig.oauth?.accessToken;
 
-  const baseSystemPrompt = buildSystemPrompt(personality, userDir, { bridgeEnabled });
+  let baseSystemPrompt = buildSystemPrompt(personality, userDir, { bridgeEnabled });
 
   const histories = new Map();
   const MAX_HISTORY = 50;
@@ -130,7 +138,7 @@ function createClaude(anthropicConfig, { personality, memory, userDir, bridgeEna
     context.userDir = userDir;
     const chatId = context.chatId || 'default';
 
-    if (useOAuth) {
+    if (anthropicConfig.oauth?.accessToken) {
       await ensureFreshToken(anthropicConfig);
       if (anthropicConfig._oauthFailed) {
         client = createAnthropicClient(anthropicConfig, { useOAuth: false });
@@ -203,8 +211,13 @@ Model: Use "sonnet" for most things (chat, simple questions, quick tasks, single
       }
     }
 
-    // Trim history before adding to enforce hard limit
-    while (history.length >= MAX_HISTORY) history.shift();
+    while (history.length >= MAX_HISTORY) {
+      history.shift();
+      history.shift();
+    }
+    if (history.length > 0 && history[0].role !== 'user') {
+      history.shift();
+    }
 
     // Add user message with memory context
     const enrichedMessage = memoryContext
@@ -230,8 +243,21 @@ Model: Use "sonnet" for most things (chat, simple questions, quick tasks, single
       tools: tools.length > 0 ? tools : undefined,
     });
 
-    // Handle tool use loop
+    let toolIterations = 0;
     while (response.stop_reason === 'tool_use') {
+      toolIterations++;
+      if (toolIterations > MAX_TOOL_ITERATIONS) {
+        history.push({ role: 'assistant', content: response.content });
+        history.push({ role: 'user', content: 'You have used too many tool calls. Please provide a final response now based on what you have so far.' });
+        response = await client.messages.create({
+          model,
+          max_tokens: 4096,
+          system: systemPrompt,
+          messages: history,
+        });
+        break;
+      }
+
       const assistantContent = response.content;
       history.push({ role: 'assistant', content: assistantContent });
 
@@ -273,6 +299,7 @@ Model: Use "sonnet" for most things (chat, simple questions, quick tasks, single
     const newPersonality = require('./personality').loadPersonality(pDir);
     for (const key of Object.keys(personality)) delete personality[key];
     Object.assign(personality, newPersonality);
+    baseSystemPrompt = buildSystemPrompt(personality, userDir, { bridgeEnabled });
   }
 
   function clearHistory(chatId) {
@@ -287,12 +314,51 @@ Model: Use "sonnet" for most things (chat, simple questions, quick tasks, single
 }
 
 function buildSystemPrompt(personality, userDir, opts = {}) {
-  const parts = ['You are an AI assistant powered by OBOL.'];
+  const parts = [];
+
+  // Identity core
+  parts.push('You are OBOL, a personal AI agent running 24/7 on a server. You have persistent memory, can execute shell commands, deploy websites, and learn over time. You are not a generic chatbot — you are a dedicated agent for one person.');
+
+  // Personality (from SOUL.md)
+  if (personality.soul) {
+    parts.push(`\n## Personality\n${personality.soul}`);
+  } else {
+    parts.push(`\n## Personality\nYou are a fresh instance. Be helpful, direct, and naturally curious. Pay attention to how your owner communicates and adapt. Your personality will develop through conversation and periodic evolution.`);
+  }
+
+  // Trait calibration
+  if (personality.traits) {
+    const t = personality.traits;
+    const descriptions = {
+      humor: [0, 'suppress all wit', 50, 'balanced wit', 100, 'lean heavily into jokes and playfulness'],
+      honesty: [0, 'maximize diplomatic softening', 50, 'balanced honesty', 100, 'lean toward blunt truth'],
+      directness: [0, 'elaborate context and preamble', 50, 'balanced', 100, 'get straight to the point'],
+      curiosity: [0, 'only answer what is asked', 50, 'balanced', 100, 'proactively explore and ask follow-ups'],
+      empathy: [0, 'purely task-focused', 50, 'balanced', 100, 'deeply emotionally attuned'],
+      creativity: [0, 'stick to proven patterns', 50, 'balanced', 100, 'favor novel approaches'],
+    };
+    const lines = Object.entries(t).map(([trait, val]) => {
+      const desc = descriptions[trait];
+      if (!desc) return null;
+      const label = val <= 30 ? desc[1] : val <= 70 ? desc[3] : desc[5];
+      return `- ${trait.charAt(0).toUpperCase() + trait.slice(1)}: ${val} — ${label}`;
+    }).filter(Boolean);
+    parts.push(`\n## Personality Calibration\n\nThese values (0-100) define your behavioral tendencies:\n${lines.join('\n')}\n\nInterpret these as a spectrum: 0 = suppress entirely, 50 = balanced, 100 = lean heavily into it.`);
+  }
+
+  // Owner context (from USER.md)
+  if (personality.user) {
+    parts.push(`\n## About Your Owner\n${personality.user}`);
+  } else {
+    parts.push(`\n## About Your Owner\nYou don't know anything about your owner yet. Pay attention to everything they share — name, job, interests, preferences, people they mention. Store important details in memory. You'll learn naturally through conversation.`);
+  }
 
-  if (personality.soul) parts.push(`\n## Personality\n${personality.soul}`);
-  if (personality.user) parts.push(`\n## About Your Owner\n${personality.user}`);
-  if (personality.agents) parts.push(`\n## Operating Instructions\n${personality.agents}`);
+  // Operating instructions (from AGENTS.md — always present via default)
+  if (personality.agents) {
+    parts.push(`\n## Operating Instructions\n${personality.agents}`);
+  }
 
+  // Workspace discipline
   const workDir = userDir || '~/.obol';
   const userId = userDir ? path.basename(userDir) : null;
   const passPrefix = userId ? `obol/users/${userId}` : 'obol';
@@ -320,18 +386,18 @@ ${workDir}/
 - If unsure where something belongs, ask — don't guess.
 - Run \`/clean\` to audit and fix misplaced files.
 
-## Secrets (pass)
+## Secrets
+
+Use the \`store_secret\`, \`read_secret\`, and \`list_secrets\` tools for all user credential operations.
+These store secrets under the prefix \`${passPrefix}/\` in pass (or JSON fallback).
 
-When storing NEW user secrets with \`pass\`, use the prefix \`${passPrefix}/\`.
-Example: \`pass insert ${passPrefix}/gmail-key\`
+Users can also manage secrets via Telegram: \`/secret set <key> <value>\` (message auto-deleted), \`/secret list\`, \`/secret remove <key>\`.
 
 Shared bot credentials live under \`obol/\` — do NOT touch or re-create these:
 \`obol/anthropic-key\`, \`obol/telegram-token\`, \`obol/supabase-url\`, \`obol/supabase-key\`, \`obol/github-token\`, \`obol/vercel-token\`
-
-To check if a secret exists: \`pass show obol/github-token\`
-To list all secrets: \`pass ls\`
 `);
 
+  // Bridge (conditional)
   if (opts.bridgeEnabled) {
     parts.push(`
 ## Bridge (Partner Agent)
@@ -489,6 +555,40 @@ function buildTools(memory, opts = {}) {
     },
   });
 
+  tools.push({
+    name: 'store_secret',
+    description: 'Store a secret (API key, password, token) in the per-user encrypted secret store. Use when the user provides credentials for services.',
+    input_schema: {
+      type: 'object',
+      properties: {
+        key: { type: 'string', description: 'Secret name (e.g. gmail-password, notion-token)' },
+        value: { type: 'string', description: 'Secret value' },
+      },
+      required: ['key', 'value'],
+    },
+  });
+
+  tools.push({
+    name: 'read_secret',
+    description: 'Read a secret by key from the per-user secret store.',
+    input_schema: {
+      type: 'object',
+      properties: {
+        key: { type: 'string', description: 'Secret name to read' },
+      },
+      required: ['key'],
+    },
+  });
+
+  tools.push({
+    name: 'list_secrets',
+    description: 'List all secret keys stored for this user (keys only, not values).',
+    input_schema: {
+      type: 'object',
+      properties: {},
+    },
+  });
+
   if (opts.bridgeEnabled) {
     const { buildBridgeTool, buildBridgeTellTool } = require('./bridge');
     tools.push(buildBridgeTool());
@@ -499,7 +599,7 @@ function buildTools(memory, opts = {}) {
 }
 
 function resolveUserPath(inputPath, userDir) {
-  if (!userDir) return inputPath;
+  if (!userDir) throw new Error('userDir is required for path resolution');
   const resolved = path.isAbsolute(inputPath)
     ? path.resolve(inputPath)
     : path.resolve(userDir, inputPath);
@@ -555,11 +655,10 @@ async function executeToolCall(toolUse, memory, context = {}) {
         }
         const timeout = Math.min(input.timeout || 30, MAX_EXEC_TIMEOUT) * 1000;
         const realHome = process.env.HOME || '/root';
-        const output = execSync(input.command, {
+        const output = await execAsync(input.command, {
           encoding: 'utf-8',
           timeout,
           maxBuffer: 1024 * 1024,
-          stdio: ['pipe', 'pipe', 'pipe'],
           cwd: userDir || undefined,
           env: userDir ? {
             ...process.env,
@@ -609,6 +708,7 @@ async function executeToolCall(toolUse, memory, context = {}) {
         if (!bg || !telegramCtx) return 'Background tasks not available in this context.';
         if (!claudeInstance) return 'Background tasks not available.';
         const taskId = bg.spawn(claudeInstance, input.task, telegramCtx, memory);
+        if (taskId === null) return 'Too many background tasks running. Wait for one to finish.';
         return `Background task #${taskId} spawned. It will send progress updates and the final result to the chat.`;
       }
 
@@ -647,6 +747,7 @@ async function executeToolCall(toolUse, memory, context = {}) {
       }
 
       case 'web_fetch': {
+        if (!isAllowedUrl(input.url)) return 'Blocked: URL points to a private/internal address.';
         const jinaUrl = `https://r.jina.ai/${input.url}`;
         const res = await fetch(jinaUrl, {
           headers: { 'Accept': 'text/markdown' },
@@ -670,6 +771,26 @@ async function executeToolCall(toolUse, memory, context = {}) {
         return `Written: ${filePath}`;
       }
 
+      case 'store_secret': {
+        const credentials = require('./credentials');
+        credentials.storeSecret(context.userId, input.key, input.value);
+        return `Stored secret: ${input.key}`;
+      }
+
+      case 'read_secret': {
+        const credentials = require('./credentials');
+        const val = credentials.readSecret(context.userId, input.key);
+        if (val === null) return `Secret not found: ${input.key}`;
+        return val;
+      }
+
+      case 'list_secrets': {
+        const credentials = require('./credentials');
+        const keys = credentials.listSecrets(context.userId);
+        if (keys.length === 0) return 'No secrets stored.';
+        return keys.join('\n');
+      }
+
       case 'bridge_ask': {
         const { bridgeAsk } = require('./bridge');
         return await bridgeAsk(input.question, context.userId, context.config, context._notifyFn, input.partner_id);

package/src/cli/delete.js

@@ -0,0 +1,63 @@
+const fs = require('fs');
+const { execFileSync } = require('child_process');
+const inquirer = require('inquirer');
+const { OBOL_DIR } = require('../config');
+const { hasPassStore } = require('../credentials');
+const { stop } = require('./stop');
+
+async function deleteAll() {
+  const passAvailable = hasPassStore();
+  const obolExists = fs.existsSync(OBOL_DIR);
+
+  if (!obolExists && !passAvailable) {
+    console.log('🪙 Nothing to delete — no OBOL data found');
+    return;
+  }
+
+  console.log('\n⚠️  This will permanently delete ALL OBOL data:\n');
+  if (obolExists) console.log(`  • ${OBOL_DIR}/`);
+  if (passAvailable) console.log('  • pass entries under obol/');
+  console.log();
+
+  const { confirm } = await inquirer.prompt({
+    type: 'confirm',
+    name: 'confirm',
+    message: 'This will permanently delete ALL OBOL data. Continue?',
+    default: false,
+  });
+
+  if (!confirm) {
+    console.log('🪙 Aborted');
+    return;
+  }
+
+  const { typed } = await inquirer.prompt({
+    type: 'input',
+    name: 'typed',
+    message: 'Type DELETE to confirm:',
+  });
+
+  if (typed !== 'DELETE') {
+    console.log('🪙 Aborted');
+    return;
+  }
+
+  await stop();
+
+  if (passAvailable) {
+    try {
+      execFileSync('pass', ['rm', '-r', '--force', 'obol/'], {
+        encoding: 'utf-8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+    } catch {}
+  }
+
+  if (obolExists) {
+    fs.rmSync(OBOL_DIR, { recursive: true, force: true });
+  }
+
+  console.log('🪙 All OBOL data deleted — run `obol init` to start fresh');
+}
+
+module.exports = { delete: deleteAll };

package/src/config.js

@@ -20,8 +20,8 @@ function resolvePassValues(obj) {
     if (typeof result[key] === 'string' && result[key].startsWith('pass:')) {
       const passKey = result[key].slice(5);
       try {
-        const { execSync } = require('child_process');
-        result[key] = execSync(`pass show ${passKey}`, { encoding: 'utf-8' }).trim();
+        const { execFileSync } = require('child_process');
+        result[key] = execFileSync('pass', ['show', passKey], { encoding: 'utf-8' }).trim();
       } catch (e) {
         const reason = e.message?.includes('not found') ? 'key not found' : 'pass not installed or unavailable';
         console.error(`[config] Failed to resolve ${passKey} — ${reason}`);
@@ -86,6 +86,16 @@ function ensureUserDir(userId) {
   for (const sub of ['personality', 'scripts', 'tests', 'commands', 'apps', 'logs', 'assets']) {
     fs.mkdirSync(path.join(dir, sub), { recursive: true });
   }
+  const defaultAgents = path.join(__dirname, 'defaults', 'AGENTS.md');
+  const targetAgents = path.join(dir, 'personality', 'AGENTS.md');
+  if (fs.existsSync(defaultAgents) && !fs.existsSync(targetAgents)) {
+    fs.copyFileSync(defaultAgents, targetAgents);
+  }
+  const defaultTraits = path.join(__dirname, 'defaults', 'traits.json');
+  const targetTraits = path.join(dir, 'personality', 'traits.json');
+  if (fs.existsSync(defaultTraits) && !fs.existsSync(targetTraits)) {
+    fs.copyFileSync(defaultTraits, targetTraits);
+  }
   return dir;
 }
 
@@ -103,6 +113,7 @@ module.exports = {
   PID_FILE,
   LOG_FILE,
   getConfigDir,
+  resolvePassValues,
   loadConfig,
   saveConfig,
   getUserDir,

package/src/credentials.js

@@ -0,0 +1,126 @@
+const { execFileSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const { getUserDir } = require('./config');
+
+const KEY_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,63}$/;
+
+function validateKey(key) {
+  if (!key || typeof key !== 'string') throw new Error('Key is required');
+  if (!KEY_PATTERN.test(key)) {
+    throw new Error('Key must be 1-64 chars: letters, numbers, hyphens, dots, underscores');
+  }
+}
+
+function hasPassStore() {
+  try {
+    execFileSync('which', ['pass'], { encoding: 'utf-8', stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function passPrefix(userId) {
+  return `obol/users/${userId}`;
+}
+
+function secretsJsonPath(userId) {
+  const dir = getUserDir(userId);
+  return path.join(dir, 'secrets.json');
+}
+
+function loadSecretsJson(userId) {
+  const p = secretsJsonPath(userId);
+  if (!fs.existsSync(p)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf-8'));
+  } catch {
+    return {};
+  }
+}
+
+function saveSecretsJson(userId, data) {
+  const p = secretsJsonPath(userId);
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(data, null, 2), { mode: 0o600 });
+}
+
+function storeSecret(userId, key, value) {
+  validateKey(key);
+  if (!value || typeof value !== 'string') throw new Error('Value is required');
+
+  if (hasPassStore()) {
+    const passKey = `${passPrefix(userId)}/${key}`;
+    execFileSync('pass', ['insert', '--force', '--multiline', passKey], {
+      input: value,
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return;
+  }
+
+  const secrets = loadSecretsJson(userId);
+  secrets[key] = value;
+  saveSecretsJson(userId, secrets);
+}
+
+function readSecret(userId, key) {
+  validateKey(key);
+
+  if (hasPassStore()) {
+    try {
+      const passKey = `${passPrefix(userId)}/${key}`;
+      return execFileSync('pass', ['show', passKey], {
+        encoding: 'utf-8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+      }).trim();
+    } catch {
+      return null;
+    }
+  }
+
+  const secrets = loadSecretsJson(userId);
+  return secrets[key] || null;
+}
+
+function removeSecret(userId, key) {
+  validateKey(key);
+
+  if (hasPassStore()) {
+    try {
+      const passKey = `${passPrefix(userId)}/${key}`;
+      execFileSync('pass', ['rm', '--force', passKey], {
+        encoding: 'utf-8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+    } catch {}
+    return;
+  }
+
+  const secrets = loadSecretsJson(userId);
+  delete secrets[key];
+  saveSecretsJson(userId, secrets);
+}
+
+function listSecrets(userId) {
+  if (hasPassStore()) {
+    try {
+      const prefix = passPrefix(userId);
+      const output = execFileSync('pass', ['ls', prefix], {
+        encoding: 'utf-8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      return output.split('\n')
+        .map(line => line.replace(/[│├└──\s]/g, '').replace(/\.gpg$/, '').trim())
+        .filter(Boolean);
+    } catch {
+      return [];
+    }
+  }
+
+  const secrets = loadSecretsJson(userId);
+  return Object.keys(secrets);
+}
+
+module.exports = { storeSecret, readSecret, removeSecret, listSecrets, hasPassStore, validateKey };