social-autoposter 1.2.0 → 1.3.1

package/README.md

@@ -2,7 +2,7 @@
 
 Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Ships as a Claude Code skill plus a set of standalone Python helpers and macOS launchd jobs.
 
-Posts are written to a shared Neon Postgres database via `DATABASE_URL` in `~/social-autoposter/.env`. Each platform drives its own persistent Playwright MCP browser profile, so logins survive across runs.
+Posts are written to a Neon Postgres database via `DATABASE_URL` in `~/social-autoposter/.env`. Bring your own Neon DB and apply `schema-postgres.sql` once. Each platform drives its own persistent Playwright MCP browser profile, so logins survive across runs.
 
 ## Prerequisites
 
@@ -29,7 +29,7 @@ npx social-autoposter init
 `bin/cli.js` does all of the wiring in one shot:
 
 1. Copies `scripts/`, `skill/`, `setup/`, `SKILL.md`, `schema-postgres.sql`, and `browser-agent-configs/` into `~/social-autoposter/`
-2. Creates `config.json` from `config.example.json` and `.env` from `.env.example` (the shared Neon `DATABASE_URL` is pre-filled)
+2. Creates `config.json` from `config.example.json` and writes a blank `.env` template (fill in your own `DATABASE_URL` and optional `MOLTBOOK_API_KEY`)
 3. Installs `psycopg2-binary` via `pip3` if missing
 4. Generates launchd plists in `~/social-autoposter/launchd/` with the user's actual `HOME` and `PATH`
 5. Installs the Playwright MCP configs to `~/.claude/browser-agent-configs/` (twitter, reddit, linkedin) with `__HOME__` and `__NODE_BIN__` placeholders substituted. Existing files are left alone, so any window-position tweaks survive `npx social-autoposter update`.
@@ -63,7 +63,7 @@ launchd  ──▶  skill/run-{platform}.sh  ──▶  claude -p  --strict-mcp-
                        │                                                       │
                        │                                                       └──▶  ~/.claude/browser-profiles/{platform}/  (persistent userDataDir)
                        │
-                       ├──▶  scripts/find_{tweets,threads}.py  (no browser, API + DB dedup)
+                       ├──▶  scripts/find_threads.py, top_twitter_queries.py  (no browser, API + DB dedup)
                        ├──▶  scripts/pick_project.py            (weighted project rotation)
                        ├──▶  scripts/top_performers.py          (feedback report from past stats)
                        └──▶  Neon Postgres                      (DATABASE_URL in .env)
@@ -78,19 +78,18 @@ Each `skill/run-*.sh`:
 5. Calls `find_*.py` for API-side candidates already deduped against the DB
 6. Spawns a child Claude process with `--strict-mcp-config` so it only sees the one platform's browser MCP
 
-The launchd schedules from `bin/cli.js`:
+The launchd schedules generated by `bin/cli.js` on install:
 
 | Job | Cadence |
 |-----|---------|
-| `com.m13v.social-autoposter` (`run.sh`) | every 3600 s (hourly) |
 | `com.m13v.social-stats` (`stats.sh`) | every 21600 s (6 h) |
 | `com.m13v.social-engage` (`engage.sh`) | every 21600 s (6 h) |
 
-Per-platform plists in `launchd/` (twitter, reddit, linkedin, moltbook, github, octolens, audit, dm-replies, scan-replies, etc.) use either `StartInterval` or `StartCalendarInterval` for fixed wall-clock times. Activate them with:
+All per-platform plists live in `launchd/` (reddit-search, reddit-threads, twitter-cycle, linkedin, moltbook, github, octolens, audit, dm-replies-*, link-edit-*, scan-reddit-replies, scan-moltbook-replies, etc.) and use either `StartInterval` or `StartCalendarInterval` for fixed wall-clock times. Activate any of them with:
 
 ```bash
-ln -sf ~/social-autoposter/launchd/com.m13v.social-twitter.plist ~/Library/LaunchAgents/
-launchctl load ~/Library/LaunchAgents/com.m13v.social-twitter.plist
+ln -sf ~/social-autoposter/launchd/com.m13v.social-twitter-cycle.plist ~/Library/LaunchAgents/
+launchctl load ~/Library/LaunchAgents/com.m13v.social-twitter-cycle.plist
 ```
 
 ## Skill commands

package/SKILL.md

@@ -53,7 +53,8 @@ Standalone Python scripts — no LLM needed.
 
 ```bash
 python3 ~/social-autoposter/scripts/find_threads.py --include-moltbook
-python3 ~/social-autoposter/scripts/scan_replies.py
+python3 ~/social-autoposter/scripts/scan_reddit_replies.py
+python3 ~/social-autoposter/scripts/scan_moltbook_replies.py
 python3 ~/social-autoposter/scripts/update_stats.py --quiet
 ```
 
@@ -205,7 +206,7 @@ Daily-cadence original Reddit threads across all products, automated via launchd
 - `own_community`: `{subreddit, cadence, floor_days}` (optional). Defaults to 1-day floor.
 - `external_subreddits`: list of external subs (default 3-day floor, override via `external_floor_days`)
 - `topic_angles`: discussion-starter ideas the agent picks from
-- `voice_notes`: per-thread voice guidance on top of `projects[].voice`
+- Voice guidance comes from `projects[].voice` (tone, never)
 - `content_sources.guide_dir` / `link_base`: optional source paths/URLs
 - `dynamic_context.day_counter` / `static_facts`: live-calculated facts injected into the prompt
 
@@ -213,7 +214,7 @@ Daily-cadence original Reddit threads across all products, automated via launchd
 
 **Picker** (`scripts/pick_thread_target.py`): weighted project selection with:
 - Per-sub floor-days filter (queries `posts` table for this account's last original thread)
-- `banned_subreddits` filter (top-level config, all groups flattened)
+- `subreddit_bans` filter: `banned` (can't post or comment) + `skip_threads` (threads blocked, comments OK)
 - Own-community candidates always picked first when eligible
 
 **Schedule**: `com.m13v.social-reddit-threads.plist` fires 4x/day at 00:15, 06:15, 12:15, 18:15.
@@ -236,7 +237,8 @@ After running, view updated stats at `https://s4l.ai/stats/[handle]`. Stats are
 
 ### Phase A: Scan for replies (no browser)
 ```bash
-python3 ~/social-autoposter/scripts/scan_replies.py
+python3 ~/social-autoposter/scripts/scan_reddit_replies.py
+python3 ~/social-autoposter/scripts/scan_moltbook_replies.py
 ```
 
 ### Phase B: Respond to pending replies
@@ -305,6 +307,22 @@ GOOD title: "just did my 7th course, some things that surprised me"
 BAD body: Structured with headers, bold, numbered lists, "As a tech founder..."
 GOOD body: Paragraphs, incomplete thoughts, personal details, casual tone, ends with a genuine question
 
+### Bad vs Good (DM Replies)
+
+DM replies are texting-style. 1 to 3 sentences. Always reference something specific from the inbound. No unearned call offers, no fabricated links, no time-bound commitments. Booking links only when the matched project has `booking_link_auto_share: true` AND `qualification_status=qualified` on the DM row.
+
+BAD: "Hey! I saw your comment on r/startups about agent orchestration. I'd love to share what we're working on, would you be open to a quick call?" (cold-pitch shape, premature call ask)
+GOOD: "yo the point about agents racing on the same file hit home, we solved it with worktrees per agent. what's your setup?"
+
+BAD: "Great question! Our product handles exactly that scenario. Check out [link] for more details." (sales register, leading with link in an early DM)
+GOOD: "we hit that too, ended up using the accessibility API route because screenshot-based kept flaking on retina displays"
+
+BAD: "Absolutely! Let's do Thursday at 3pm, I'll send an invite." (time-bound commitment, bot has no calendar authority)
+GOOD: "yeah easier to figure it out here, what specifically are you trying to wire up?"
+
+BAD: "I totally understand your hesitation. But our solution is different because..." (defensive, pushy rebuttal)
+GOOD: "makes sense, we kicked it around for 6 months before pulling the trigger. what's been the blocker on your end?"
+
 ---
 
 ## Tiered Reply Strategy

package/bin/auth.js

@@ -0,0 +1,110 @@
+'use strict';
+
+// Firebase auth for the dashboard when CLIENT_MODE=1.
+// When CLIENT_MODE is unset (local operator use), authorize() is a no-op
+// and returns a synthetic admin principal so every existing route keeps
+// working unchanged.
+
+let _admin = null;
+
+function getAdmin() {
+  if (_admin) return _admin;
+  const admin = require('firebase-admin');
+  if (!admin.apps.length) {
+    const projectId = process.env.FIREBASE_PROJECT_ID || 's4l-app-prod';
+    admin.initializeApp({ projectId });
+  }
+  _admin = admin;
+  return _admin;
+}
+
+const CLIENT_MODE = process.env.CLIENT_MODE === '1';
+
+// Routes that require an admin claim even when authenticated.
+// Clients authenticated with only a project scope cannot hit these.
+const ADMIN_ONLY_PATTERNS = [
+  /^\/api\/pause$/,
+  /^\/api\/resume$/,
+  /^\/api\/jobs\/[^/]+\/(toggle|run|stop|interval)$/,
+  /^\/api\/phase\/[^/]+\/interval$/,
+  /^\/api\/config$/,
+  /^\/api\/env$/,
+  /^\/api\/logs(\/.*)?$/,
+  /^\/api\/webhooks(\/.*)?$/,
+  /^\/api\/status$/,
+  /^\/api\/pending$/,
+];
+
+function isAdminOnly(pathname) {
+  return ADMIN_ONLY_PATTERNS.some(re => re.test(pathname));
+}
+
+function extractToken(req) {
+  const h = req.headers['authorization'] || req.headers['Authorization'];
+  if (!h) return null;
+  const m = String(h).match(/^Bearer\s+(.+)$/);
+  return m ? m[1].trim() : null;
+}
+
+async function verifyAuth(req, pathname) {
+  if (!CLIENT_MODE) {
+    return { ok: true, user: { uid: 'local', email: 'local', admin: true, projects: [] } };
+  }
+  const token = extractToken(req);
+  if (!token) {
+    console.warn(JSON.stringify({ event: 'auth_reject', reason: 'missing_token', path: pathname, authHeaderPresent: !!(req.headers['authorization'] || req.headers['Authorization']) }));
+    return { ok: false, status: 401, error: 'missing_token' };
+  }
+  try {
+    const decoded = await getAdmin().auth().verifyIdToken(token);
+    const user = {
+      uid: decoded.uid,
+      email: decoded.email || null,
+      admin: decoded.admin === true,
+      projects: Array.isArray(decoded.projects) ? decoded.projects : [],
+    };
+    if (isAdminOnly(pathname) && !user.admin) {
+      console.warn(JSON.stringify({ event: 'auth_reject', reason: 'admin_required', path: pathname, uid: user.uid, email: user.email }));
+      return { ok: false, status: 403, error: 'admin_required' };
+    }
+    return { ok: true, user };
+  } catch (e) {
+    console.warn(JSON.stringify({ event: 'auth_reject', reason: 'invalid_token', path: pathname, errCode: e.code || null, errMessage: e.message, tokenHead: token.slice(0, 20), tokenLen: token.length }));
+    return { ok: false, status: 401, error: 'invalid_token', detail: e.message };
+  }
+}
+
+function scopedProjects(user, requested) {
+  if (user.admin) {
+    return requested && requested !== 'all' ? [requested] : null;
+  }
+  if (!user.projects.length) return [];
+  if (!requested || requested === 'all') return user.projects.slice();
+  return user.projects.includes(requested) ? [requested] : [];
+}
+
+// Returns { clause, ok } where clause is a " AND <column> IN ('a','b')" fragment
+// (possibly empty when admin + no filter) and ok=false means the user has no
+// access (non-admin with empty projects claim) so the handler should 403.
+// Project names are validated against a conservative charset; single quotes
+// are also SQL-escaped below as defense in depth. Spaces are allowed because
+// real config.json names include them ('WhatsApp MCP', 'AI Browser Profile',
+// 'macOS MCP', 'macOS Session Replay').
+const PROJECT_NAME_RE = /^[A-Za-z0-9 _\-]{1,64}$/;
+
+function projectClause(user, column, requested) {
+  const list = scopedProjects(user, requested);
+  if (list === null) return { clause: '', ok: true }; // admin, unfiltered
+  const safe = list.filter(p => PROJECT_NAME_RE.test(p));
+  if (!safe.length) return { clause: '', ok: false };
+  const quoted = safe.map(p => `'${p.replace(/'/g, "''")}'`).join(',');
+  return { clause: ` AND ${column} IN (${quoted})`, ok: true, list: safe };
+}
+
+module.exports = {
+  CLIENT_MODE,
+  verifyAuth,
+  isAdminOnly,
+  scopedProjects,
+  projectClause,
+};

package/bin/cli.js

@@ -6,6 +6,9 @@ const fs = require('fs');
 const os = require('os');
 const { spawnSync } = require('child_process');
 
+const platform = require('./platform');
+const scheduler = require('./scheduler');
+
 const DEST = path.join(os.homedir(), 'social-autoposter');
 const PKG_ROOT = path.join(__dirname, '..');
 const HOME = os.homedir();
@@ -15,13 +18,26 @@ const COPY_TARGETS = [
   'scripts',
   'schema-postgres.sql',
   'config.example.json',
-  '.env.example',
+  'requirements.txt',
   'SKILL.md',
   'skill',
   'setup',
   'browser-agent-configs',
 ];
 
+const ENV_TEMPLATE = `# social-autoposter environment variables
+# Fill in your values below.
+
+# Moltbook API key (required for Moltbook posting/scanning)
+# Get it from: https://www.moltbook.com/settings/api
+MOLTBOOK_API_KEY=
+
+# Neon Postgres connection string. Bring your own Neon DB — apply schema with:
+#   psql "$DATABASE_URL" -f schema-postgres.sql
+# Format: postgresql://<user>:<password>@<host>/<db>?sslmode=require
+DATABASE_URL=
+`;
+
 // Never overwrite these user files during update
 const USER_FILES = new Set(['config.json', '.env', 'SKILL.md']);
 
@@ -89,13 +105,64 @@ function installBrowserAgentConfigs() {
   console.log(`  browser profile dirs ready -> ${profilesDir}/{${BROWSER_PROFILES.join(',')}}`);
 }
 
+// Register the three browser-agent MCP servers with Claude so they show up
+// under user scope (writes to ~/.claude.json). Idempotent: parses the output
+// of `claude mcp list` and only calls `add-json` for missing entries.
+// If the `claude` CLI is not on PATH, prints manual instructions and returns.
+function registerBrowserAgentMcpServers() {
+  const configDir = path.join(HOME, '.claude', 'browser-agent-configs');
+  const servers = [
+    { name: 'twitter-agent', file: path.join(configDir, 'twitter-agent-mcp.json') },
+    { name: 'reddit-agent', file: path.join(configDir, 'reddit-agent-mcp.json') },
+    { name: 'linkedin-agent', file: path.join(configDir, 'linkedin-agent-mcp.json') },
+  ];
+
+  const claudeBin = spawnSync('claude', ['--version'], { stdio: 'pipe' });
+  if (claudeBin.status !== 0) {
+    console.log('  claude CLI not on PATH; skipping MCP registration.');
+    console.log('  Once Claude Code is installed, register manually with:');
+    for (const s of servers) {
+      console.log(`    claude mcp add-json ${s.name} "$(jq -c .mcpServers['\\"'${s.name}'\\"'] ${s.file})"`);
+    }
+    return;
+  }
+
+  const list = spawnSync('claude', ['mcp', 'list'], { encoding: 'utf8' });
+  const existing = list.status === 0 ? list.stdout : '';
+
+  let added = 0;
+  let skipped = 0;
+  for (const s of servers) {
+    if (!fs.existsSync(s.file)) {
+      console.warn(`  MCP config missing: ${s.file}`);
+      continue;
+    }
+    // `claude mcp list` prints one server per line starting with the name.
+    // Use a word-boundary check so twitter-agent does not false-match reddit-agent.
+    const re = new RegExp(`(^|\\s)${s.name.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&')}(:|\\s|$)`, 'm');
+    if (re.test(existing)) {
+      skipped++;
+      continue;
+    }
+    const tpl = JSON.parse(fs.readFileSync(s.file, 'utf8'));
+    const stanza = tpl.mcpServers && tpl.mcpServers[s.name];
+    if (!stanza) {
+      console.warn(`  ${s.file} has no mcpServers.${s.name} stanza; skipping`);
+      continue;
+    }
+    const r = spawnSync('claude', ['mcp', 'add-json', s.name, JSON.stringify(stanza)], { stdio: 'pipe', encoding: 'utf8' });
+    if (r.status === 0) {
+      added++;
+    } else {
+      console.warn(`  claude mcp add-json ${s.name} failed: ${(r.stderr || r.stdout || '').trim()}`);
+    }
+  }
+  console.log(`  MCP servers registered with Claude (added ${added}, already present ${skipped})`);
+}
+
 function generatePlists() {
-  // Detect PATH for launchd (include node, homebrew, system)
   const nodeBin = path.dirname(process.execPath);
-  const pathDirs = new Set([nodeBin, '/opt/homebrew/bin', '/usr/local/bin', '/usr/bin', '/bin']);
-  const launchdPath = [...pathDirs].join(':');
-
-  const plists = [
+  const jobs = [
     {
       file: 'com.m13v.social-stats.plist',
       label: 'com.m13v.social-stats',
@@ -105,53 +172,92 @@ function generatePlists() {
       stdoutLog: `${DEST}/skill/logs/launchd-stats-stdout.log`,
       stderrLog: `${DEST}/skill/logs/launchd-stats-stderr.log`,
     },
-    {
-      file: 'com.m13v.social-engage.plist',
-      label: 'com.m13v.social-engage',
-      script: `${DEST}/skill/engage.sh`,
-      interval: 21600,
-      runAtLoad: false,
-      stdoutLog: `${DEST}/skill/logs/launchd-engage-stdout.log`,
-      stderrLog: `${DEST}/skill/logs/launchd-engage-stderr.log`,
-    },
   ];
 
-  const launchdDir = path.join(DEST, 'launchd');
-  fs.mkdirSync(launchdDir, { recursive: true });
-
-  for (const p of plists) {
-    const xml = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-\t<key>Label</key>
-\t<string>${p.label}</string>
-\t<key>ProgramArguments</key>
-\t<array>
-\t\t<string>/bin/bash</string>
-\t\t<string>${p.script}</string>
-\t</array>
-\t<key>StartInterval</key>
-\t<integer>${p.interval}</integer>
-\t<key>StandardOutPath</key>
-\t<string>${p.stdoutLog}</string>
-\t<key>StandardErrorPath</key>
-\t<string>${p.stderrLog}</string>
-\t<key>EnvironmentVariables</key>
-\t<dict>
-\t\t<key>PATH</key>
-\t\t<string>${launchdPath}</string>
-\t\t<key>HOME</key>
-\t\t<string>${HOME}</string>
-\t</dict>
-\t<key>RunAtLoad</key>
-\t<${p.runAtLoad}/>
-</dict>
-</plist>
-`;
-    fs.writeFileSync(path.join(launchdDir, p.file), xml);
+  const driver = scheduler.driverFor();
+  const env = driver.defaultEnv({ home: HOME, nodeBin });
+  const kind = platform.scheduler();
+  const outDir = path.join(DEST, kind === 'systemd' ? 'systemd' : 'launchd');
+  driver.generate({ jobs, outDir, env });
+  console.log(`  generated ${kind} units at ${outDir}`);
+}
+
+// On Linux we translate every shipped launchd plist into a systemd
+// .service + .timer pair at install time. Plists remain the source of truth
+// so the macOS pipeline is untouched; the systemd/ dir is derived.
+function generateSystemdFromPlists() {
+  const launchdDriver = scheduler.driverFor('launchd');
+  const systemdDriver = scheduler.driverFor('systemd');
+  const srcDir = path.join(DEST, 'launchd');
+  const outDir = path.join(DEST, 'systemd');
+  if (!fs.existsSync(srcDir)) return 0;
+  const plists = fs.readdirSync(srcDir).filter(f => f.endsWith('.plist'));
+  const nodeBin = path.dirname(process.execPath);
+  const env = systemdDriver.defaultEnv({ home: HOME, nodeBin });
+
+  const jobs = [];
+  let skipped = 0;
+  for (const f of plists) {
+    const xml = fs.readFileSync(path.join(srcDir, f), 'utf8');
+    const { label, scriptPath } = launchdDriver.parseUnit(xml);
+    if (!label || !scriptPath) { skipped++; continue; }
+    const sched = launchdDriver.scheduleFromUnit(xml);
+    if (!sched.intervalSecs) {
+      console.log(`  skip ${f}: calendar schedule not yet translated to OnCalendar`);
+      skipped++;
+      continue;
+    }
+    // Plists ship with the publisher's absolute paths baked in. Rebuild
+    // paths against the current user's DEST so any user on any host gets
+    // correct units without us having to re-ship plists per install target.
+    const scriptBase = path.basename(scriptPath);
+    const stdoutMatch = (xml.match(/<key>StandardOutPath<\/key>\s*<string>([^<]+)<\/string>/) || [])[1];
+    const stderrMatch = (xml.match(/<key>StandardErrorPath<\/key>\s*<string>([^<]+)<\/string>/) || [])[1];
+    const shortLabel = label.replace(/^com\.m13v\.social-/, '');
+    const stdout = `${DEST}/skill/logs/${stdoutMatch ? path.basename(stdoutMatch) : `launchd-${shortLabel}-stdout.log`}`;
+    const stderr = `${DEST}/skill/logs/${stderrMatch ? path.basename(stderrMatch) : `launchd-${shortLabel}-stderr.log`}`;
+    const runAtLoad = /<key>RunAtLoad<\/key>\s*<true\s*\/>/.test(xml);
+    jobs.push({
+      file: f,
+      label,
+      script: `${DEST}/skill/${scriptBase}`,
+      interval: sched.intervalSecs,
+      runAtLoad,
+      stdoutLog: stdout,
+      stderrLog: stderr,
+    });
+  }
+  systemdDriver.generate({ jobs, outDir, env });
+  console.log(`  translated ${jobs.length} launchd plists -> systemd units (skipped ${skipped})`);
+  return jobs.length;
+}
+
+// Link every DEST/systemd/*.{service,timer} into ~/.config/systemd/user/ and
+// reload the user daemon. Caller is expected to `systemctl --user enable --now
+// <timer>` for each timer they actually want running; this mirrors how macOS
+// setup leaves loading to the user via the SKILL.md wizard.
+function installSystemdUnits() {
+  const driver = scheduler.driverFor('systemd');
+  const unitDir = path.join(DEST, 'systemd');
+  const agentsDir = platform.agentsDir();
+  if (!fs.existsSync(unitDir)) return;
+  fs.mkdirSync(agentsDir, { recursive: true });
+  const services = fs.readdirSync(unitDir).filter(f => f.endsWith('.service'));
+  let linked = 0;
+  for (const f of services) {
+    if (driver.install(path.join(unitDir, f), agentsDir)) linked++;
+  }
+  const r = spawnSync('systemctl', ['--user', 'daemon-reload'], { encoding: 'utf8' });
+  if (r.status === 0) {
+    console.log(`  linked ${linked} unit pair(s) into ${agentsDir}; systemctl --user daemon-reload OK`);
+  } else {
+    console.warn(`  linked ${linked} unit pair(s); daemon-reload failed: ${(r.stderr || '').trim()}`);
+  }
+  const linger = spawnSync('loginctl', ['show-user', os.userInfo().username, '--property=Linger'], { encoding: 'utf8' });
+  if (!/Linger=yes/.test(linger.stdout || '')) {
+    console.log('  note: run `sudo loginctl enable-linger $USER` so timers fire when nobody is logged in');
   }
-  console.log('  generated launchd plists with correct paths');
+  console.log('  next: systemctl --user enable --now <timer> for each job you want scheduled');
 }
 
 function init() {
@@ -175,8 +281,17 @@ function init() {
   // Generate launchd plists with user's actual HOME
   generatePlists();
 
+  // On Linux, derive systemd units from every plist and link them into
+  // ~/.config/systemd/user/. macOS install is unchanged.
+  if (platform.scheduler() === 'systemd') {
+    generateSystemdFromPlists();
+    installSystemdUnits();
+  }
+
   // Install browser agent MCP configs + profile dirs (skips existing files)
   installBrowserAgentConfigs();
+  // Register those MCP servers with Claude so they show up in `claude mcp list`.
+  registerBrowserAgentMcpServers();
 
   // config.json — only if it doesn't exist
   const configDest = path.join(DEST, 'config.json');
@@ -187,29 +302,18 @@ function init() {
     console.log('  config.json exists — skipping');
   }
 
-  // .env — only if it doesn't exist
+  // .env — only if it doesn't exist. Written from an in-package template so
+  // the NPM tarball no longer ships a credential-bearing .env.example file.
   const envDest = path.join(DEST, '.env');
   if (!fs.existsSync(envDest)) {
-    fs.copyFileSync(path.join(PKG_ROOT, '.env.example'), envDest);
-    console.log('  created .env from template');
+    fs.writeFileSync(envDest, ENV_TEMPLATE);
+    console.log('  created .env from template (fill in DATABASE_URL and MOLTBOOK_API_KEY)');
   } else {
     console.log('  .env exists — skipping');
   }
 
-  // Check psycopg2-binary (required to connect to Neon DB)
-  const pip3Check = spawnSync('pip3', ['show', 'psycopg2-binary'], { stdio: 'pipe' });
-  if (pip3Check.status !== 0) {
-    console.log('  installing psycopg2-binary (required for Neon DB)...');
-    const pipInstall = spawnSync('pip3', ['install', 'psycopg2-binary', '-q'], { stdio: 'inherit' });
-    if (pipInstall.status !== 0) {
-      console.warn('  WARNING: psycopg2-binary install failed — run manually:');
-      console.warn('    pip3 install psycopg2-binary');
-    } else {
-      console.log('  psycopg2-binary installed');
-    }
-  } else {
-    console.log('  psycopg2-binary already installed');
-  }
+  installPythonDeps();
+  installEngagementStylesSidecar();
 
   // Remove stale skill/SKILL.md if it exists (SKILL.md lives at repo root only)
   const skillMd = path.join(DEST, 'skill', 'SKILL.md');
@@ -259,8 +363,21 @@ function update() {
   // Regenerate launchd plists with correct paths
   generatePlists();
 
+  // Refresh systemd units on Linux so plist changes propagate.
+  if (platform.scheduler() === 'systemd') {
+    generateSystemdFromPlists();
+    installSystemdUnits();
+  }
+
   // Top up browser agent configs (won't overwrite user customizations)
   installBrowserAgentConfigs();
+  // Register any newly added MCP servers with Claude (idempotent).
+  registerBrowserAgentMcpServers();
+
+  // Refresh Python deps every update so version-bumps land on existing installs
+  // and the candidate-style sidecar gets merged (preserves VM-side candidates).
+  installPythonDeps();
+  installEngagementStylesSidecar();
 
   // Remove stale skill/SKILL.md if it exists (SKILL.md lives at repo root only)
   const skillMd = path.join(DEST, 'skill', 'SKILL.md');
@@ -281,18 +398,92 @@ function update() {
   console.log('Update complete. config.json was preserved.');
 }
 
+// Install Python deps from requirements.txt (preferred) or fall back to the
+// hardcoded list. Idempotent — pip3 install is a no-op when the package is
+// already at the requested version. Playwright also needs the Chromium
+// browser binary; we run `playwright install chromium` after the pip install.
+function installPythonDeps() {
+  const reqPath = path.join(PKG_ROOT, 'requirements.txt');
+  const base = fs.existsSync(reqPath)
+    ? ['install', '-r', reqPath, '-q']
+    : ['install', '-q', 'psycopg2-binary', 'playwright'];
+  console.log('  installing Python deps (psycopg2-binary, playwright, ...)');
+  // Debian/Ubuntu 23+ ship a PEP 668 marker that blocks pip3 against the
+  // system Python without --break-system-packages. Try without first
+  // (safer on macOS) and retry with the flag if the marker fires.
+  let r = spawnSync('pip3', base, { stdio: 'inherit' });
+  if (r.status !== 0) {
+    console.log('  retrying with --break-system-packages (PEP 668 environments)');
+    r = spawnSync('pip3', [...base, '--break-system-packages'], { stdio: 'inherit' });
+  }
+  if (r.status !== 0) {
+    console.warn('  WARNING: pip3 install failed — run manually:');
+    console.warn(`    pip3 ${base.join(' ')} --break-system-packages`);
+    return;
+  }
+  // Playwright needs its browser binary downloaded separately. Chromium
+  // is the only engine the repo uses today; skip Firefox/WebKit.
+  console.log('  installing Playwright Chromium binary (one-time, ~150MB)...');
+  const pw = spawnSync('python3', ['-m', 'playwright', 'install', 'chromium'], { stdio: 'inherit' });
+  if (pw.status !== 0) {
+    console.warn('  WARNING: playwright install chromium failed — run manually:');
+    console.warn('    python3 -m playwright install chromium');
+  }
+}
+
+// Copy the candidate-style sidecar JSON into ~/social-autoposter/scripts/
+// if missing; merge if present so VM-side invented candidates survive
+// across updates. Promoted (status=active) entries from the shipped baseline
+// always win.
+function installEngagementStylesSidecar() {
+  const src = path.join(PKG_ROOT, 'scripts', 'engagement_styles_extra.json');
+  const dest = path.join(DEST, 'scripts', 'engagement_styles_extra.json');
+  if (!fs.existsSync(src)) return;
+
+  if (!fs.existsSync(dest)) {
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+    fs.copyFileSync(src, dest);
+    console.log('  installed scripts/engagement_styles_extra.json');
+    return;
+  }
+
+  let shipped = {};
+  let local = {};
+  try { shipped = JSON.parse(fs.readFileSync(src, 'utf8')) || {}; } catch {}
+  try { local = JSON.parse(fs.readFileSync(dest, 'utf8')) || {}; } catch {}
+
+  // Start from local (preserves VM-only candidates), overlay shipped active
+  // entries so newly promoted styles always land. Shipped wins on conflict.
+  const merged = { ...local };
+  for (const [name, entry] of Object.entries(shipped)) {
+    merged[name] = entry;
+  }
+  fs.writeFileSync(dest, JSON.stringify(merged, null, 2) + '\n');
+  console.log('  merged scripts/engagement_styles_extra.json (shipped wins on conflict)');
+}
+
 const cmd = process.argv[2];
 if (cmd === 'init') {
   init();
 } else if (cmd === 'update') {
   update();
+} else if (cmd === 'export-cookies') {
+  // Forward to cookie-helper with 'export' + remaining args
+  process.argv = [process.argv[0], process.argv[1], 'export', ...process.argv.slice(3)];
+  require('./cookie-helper.js');
+} else if (cmd === 'import-cookies') {
+  // Forward to cookie-helper with 'import' + remaining args
+  process.argv = [process.argv[0], process.argv[1], 'import', ...process.argv.slice(3)];
+  require('./cookie-helper.js');
 } else if (!cmd) {
   require('./server.js');
 } else {
   console.log('social-autoposter — automated social posting for Claude agents');
   console.log('');
   console.log('Usage:');
-  console.log('  npx social-autoposter          open the dashboard');
-  console.log('  npx social-autoposter init      first-time setup');
-  console.log('  npx social-autoposter update    update scripts, preserve config');
+  console.log('  npx social-autoposter              open the dashboard');
+  console.log('  npx social-autoposter init          first-time setup');
+  console.log('  npx social-autoposter update        update scripts, preserve config');
+  console.log('  npx social-autoposter export-cookies [dir]  export browser cookies');
+  console.log('  npx social-autoposter import-cookies [dir]  import browser cookies');
 }