telecodex 0.1.0

package/dist/config.js

@@ -0,0 +1,69 @@
+import path from "node:path";
+export const SANDBOX_MODES = ["read-only", "workspace-write", "danger-full-access"];
+export const APPROVAL_POLICIES = ["on-request", "on-failure", "never"];
+export const MODE_PRESETS = ["read", "write", "danger", "yolo"];
+export const REASONING_EFFORTS = ["none", "minimal", "low", "medium", "high", "xhigh"];
+export const WEB_SEARCH_MODES = ["disabled", "cached", "live"];
+export const DEFAULT_SESSION_PROFILE = {
+    sandboxMode: "read-only",
+    approvalPolicy: "on-request",
+};
+export function buildConfig(input) {
+    const defaultCwd = path.resolve(input.defaultCwd ?? process.cwd());
+    return {
+        telegramBotToken: input.telegramBotToken,
+        defaultCwd,
+        defaultModel: input.defaultModel?.trim() || "gpt-5.4",
+        dbPath: path.resolve(input.dbPath),
+        codexBin: input.codexBin,
+        updateIntervalMs: input.updateIntervalMs ?? 700,
+    };
+}
+export function isSessionSandboxMode(value) {
+    return SANDBOX_MODES.includes(value);
+}
+export function isSessionApprovalPolicy(value) {
+    return APPROVAL_POLICIES.includes(value);
+}
+export function isSessionModePreset(value) {
+    return MODE_PRESETS.includes(value);
+}
+export function isSessionReasoningEffort(value) {
+    return REASONING_EFFORTS.includes(value);
+}
+export function isSessionWebSearchMode(value) {
+    return WEB_SEARCH_MODES.includes(value);
+}
+export function profileFromPreset(preset) {
+    switch (preset) {
+        case "read":
+            return {
+                sandboxMode: "read-only",
+                approvalPolicy: "on-request",
+            };
+        case "write":
+            return {
+                sandboxMode: "workspace-write",
+                approvalPolicy: "on-request",
+            };
+        case "danger":
+            return {
+                sandboxMode: "danger-full-access",
+                approvalPolicy: "on-request",
+            };
+        case "yolo":
+            return {
+                sandboxMode: "danger-full-access",
+                approvalPolicy: "never",
+            };
+    }
+}
+export function presetFromProfile(profile) {
+    for (const preset of MODE_PRESETS) {
+        const candidate = profileFromPreset(preset);
+        if (candidate.sandboxMode === profile.sandboxMode && candidate.approvalPolicy === profile.approvalPolicy) {
+            return preset;
+        }
+    }
+    return "custom";
+}

package/dist/runtime/appPaths.js

@@ -0,0 +1,14 @@
+import { homedir } from "node:os";
+import path from "node:path";
+export function getAppHome() {
+    return path.join(homedir(), ".telecodex");
+}
+export function getStateDbPath() {
+    return path.join(getAppHome(), "state.sqlite");
+}
+export function getLogsDir() {
+    return path.join(getAppHome(), "logs");
+}
+export function getLogFilePath() {
+    return path.join(getLogsDir(), "telecodex.log");
+}

package/dist/runtime/bootstrap.js

@@ -0,0 +1,213 @@
+import { cancel, confirm, intro, isCancel, note, password, spinner, text, } from "@clack/prompts";
+import clipboard from "clipboardy";
+import { spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import { existsSync } from "node:fs";
+import path from "node:path";
+import { Bot, GrammyError, HttpError } from "grammy";
+import { buildConfig } from "../config.js";
+import { openDatabase } from "../store/db.js";
+import { ProjectStore } from "../store/projects.js";
+import { SessionStore } from "../store/sessions.js";
+import { getStateDbPath } from "./appPaths.js";
+import { PLAINTEXT_TOKEN_FALLBACK_ENV, SecretStore, } from "./secrets.js";
+const MAC_CODEX_BIN = "/Applications/Codex.app/Contents/Resources/codex";
+export async function bootstrapRuntime() {
+    intro("telecodex");
+    const dbPath = getStateDbPath();
+    const db = openDatabase(dbPath);
+    const store = new SessionStore(db);
+    const projects = new ProjectStore(db);
+    const secrets = new SecretStore(store, {
+        allowPlaintextFallback: process.env[PLAINTEXT_TOKEN_FALLBACK_ENV] === "1",
+    });
+    const codexBin = await ensureCodexBin(store);
+    await ensureCodexLogin(codexBin);
+    const { token, botUsername, storageMode } = await ensureTelegramBotToken(secrets);
+    if (storageMode === "plaintext-fallback") {
+        note("System keychain unavailable. Telegram bot token fell back to local state storage.", "Token Storage");
+    }
+    const config = buildConfig({
+        telegramBotToken: token,
+        defaultCwd: process.cwd(),
+        dbPath,
+        codexBin,
+    });
+    let bootstrapCode = null;
+    if (store.getAuthorizedUserId() == null) {
+        bootstrapCode = store.getBootstrapCode();
+        if (!bootstrapCode) {
+            bootstrapCode = generateBootstrapCode();
+            store.setBootstrapCode(bootstrapCode);
+        }
+    }
+    if (bootstrapCode) {
+        const copied = await copyBootstrapCode(bootstrapCode);
+        note([
+            `Bot: ${botUsername ? `@${botUsername}` : "unknown"}`,
+            `Workspace: ${config.defaultCwd}`,
+            copied ? "Binding code copied to the clipboard." : "Failed to copy the binding code. Copy it manually.",
+            "This binding code stays valid until an admin account successfully claims it.",
+            "",
+            bootstrapCode,
+        ].join("\n"), "Admin Binding");
+    }
+    return {
+        config,
+        store,
+        projects,
+        bootstrapCode,
+        botUsername,
+    };
+}
+async function ensureTelegramBotToken(secrets) {
+    const existing = secrets.getTelegramBotToken();
+    if (existing) {
+        const validated = await validateTelegramBotToken(existing);
+        if (validated) {
+            return {
+                token: existing,
+                botUsername: validated.username,
+                storageMode: "existing",
+            };
+        }
+        note("The saved Telegram bot token failed validation. Enter it again.", "Telegram");
+    }
+    while (true) {
+        const raw = await password({
+            message: "Paste Telegram bot token",
+            mask: "*",
+        });
+        const token = requirePromptValue(raw).trim();
+        if (!token) {
+            note("Bot token cannot be empty.", "Telegram");
+            continue;
+        }
+        const validating = spinner();
+        validating.start("Validating Telegram bot token");
+        const validated = await validateTelegramBotToken(token);
+        if (!validated) {
+            validating.stop("Telegram bot token validation failed");
+            continue;
+        }
+        const storageMode = secrets.setTelegramBotToken(token);
+        validating.stop(`Telegram bot verified: @${validated.username ?? "unknown"}`);
+        return {
+            token,
+            botUsername: validated.username,
+            storageMode,
+        };
+    }
+}
+async function validateTelegramBotToken(token) {
+    try {
+        const bot = new Bot(token);
+        const me = await bot.api.getMe();
+        return { username: me.username ?? null };
+    }
+    catch (error) {
+        if (error instanceof GrammyError) {
+            note(`Telegram returned an error: ${error.description}`, "Telegram");
+            return null;
+        }
+        if (error instanceof HttpError) {
+            note(`Unable to reach Telegram: ${error.message}`, "Telegram");
+            return null;
+        }
+        note(error instanceof Error ? error.message : String(error), "Telegram");
+        return null;
+    }
+}
+async function ensureCodexBin(store) {
+    const saved = store.getAppState("codex_bin");
+    for (const candidate of [saved, MAC_CODEX_BIN, "codex"]) {
+        if (!candidate)
+            continue;
+        if (isWorkingCodexBin(candidate)) {
+            store.setAppState("codex_bin", candidate);
+            return candidate;
+        }
+    }
+    note("Could not automatically find a working Codex binary.", "Codex");
+    while (true) {
+        const raw = await text({
+            message: "Path to codex binary",
+            placeholder: MAC_CODEX_BIN,
+        });
+        const candidate = path.resolve(requirePromptValue(raw).trim());
+        if (!candidate) {
+            note("Codex path cannot be empty.", "Codex");
+            continue;
+        }
+        if (!isWorkingCodexBin(candidate)) {
+            note("That path is not an executable Codex binary.", "Codex");
+            continue;
+        }
+        store.setAppState("codex_bin", candidate);
+        return candidate;
+    }
+}
+function isWorkingCodexBin(candidate) {
+    if (candidate !== "codex" && !existsSync(candidate))
+        return false;
+    const result = spawnSync(candidate, ["--version"], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "pipe"],
+    });
+    return !result.error && result.status === 0;
+}
+async function ensureCodexLogin(codexBin) {
+    while (true) {
+        const status = readCodexLoginStatus(codexBin);
+        if (status.loggedIn)
+            return;
+        note(status.message || "Codex is not logged in.", "Codex Login");
+        const shouldLogin = await confirm({
+            message: "Run `codex login` now?",
+            initialValue: true,
+        });
+        if (isCancel(shouldLogin))
+            exitCancelled();
+        if (!shouldLogin) {
+            throw new Error("Codex login is required before starting telecodex.");
+        }
+        const result = spawnSync(codexBin, ["login"], {
+            stdio: "inherit",
+        });
+        if (result.error) {
+            throw new Error(`Failed to run codex login: ${result.error.message}`);
+        }
+    }
+}
+function readCodexLoginStatus(codexBin) {
+    const result = spawnSync(codexBin, ["login", "status"], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "pipe"],
+    });
+    const message = [result.stdout, result.stderr].map((value) => value.trim()).filter(Boolean).join(" | ");
+    return {
+        loggedIn: result.status === 0 && /logged in/i.test(message),
+        message,
+    };
+}
+async function copyBootstrapCode(code) {
+    try {
+        await clipboard.write(code);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function requirePromptValue(value) {
+    if (isCancel(value))
+        exitCancelled();
+    return String(value);
+}
+function exitCancelled() {
+    cancel("Cancelled");
+    process.exit(0);
+}
+function generateBootstrapCode() {
+    return `bind-${randomBytes(6).toString("base64url")}`;
+}

package/dist/runtime/instanceLock.js

@@ -0,0 +1,89 @@
+import { closeSync, mkdirSync, openSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { getAppHome } from "./appPaths.js";
+export function acquireInstanceLock(input) {
+    const logger = input?.logger;
+    const lockPath = input?.lockPath ?? path.join(getAppHome(), "telecodex.lock");
+    mkdirSync(path.dirname(lockPath), { recursive: true });
+    while (true) {
+        try {
+            const fd = openSync(lockPath, "wx");
+            try {
+                writeFileSync(fd, `${JSON.stringify({ pid: process.pid, createdAt: new Date().toISOString() })}\n`);
+            }
+            finally {
+                closeSync(fd);
+            }
+            break;
+        }
+        catch (error) {
+            if (!isNodeError(error) || error.code !== "EEXIST") {
+                throw error;
+            }
+            const existing = readExistingLock(lockPath);
+            if (existing?.pid != null && isProcessAlive(existing.pid)) {
+                throw new Error(`telecodex is already running (pid ${existing.pid})`);
+            }
+            logger?.warn("removing stale telecodex instance lock", {
+                lockPath,
+                existingPid: existing?.pid ?? null,
+            });
+            try {
+                unlinkSync(lockPath);
+            }
+            catch (unlinkError) {
+                if (!isNodeError(unlinkError) || unlinkError.code !== "ENOENT") {
+                    throw unlinkError;
+                }
+            }
+        }
+    }
+    let released = false;
+    const release = () => {
+        if (released)
+            return;
+        released = true;
+        try {
+            unlinkSync(lockPath);
+        }
+        catch (error) {
+            if (!isNodeError(error) || error.code !== "ENOENT") {
+                logger?.warn("failed to release telecodex instance lock", {
+                    lockPath,
+                    error,
+                });
+            }
+        }
+    };
+    process.once("exit", release);
+    return {
+        path: lockPath,
+        release,
+    };
+}
+function readExistingLock(lockPath) {
+    try {
+        const raw = readFileSync(lockPath, "utf8").trim();
+        if (!raw)
+            return null;
+        const parsed = JSON.parse(raw);
+        const pid = typeof parsed.pid === "number" && Number.isInteger(parsed.pid) ? parsed.pid : null;
+        const createdAt = typeof parsed.createdAt === "string" ? parsed.createdAt : null;
+        return { pid, createdAt };
+    }
+    catch {
+        return null;
+    }
+}
+function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (error) {
+        return isNodeError(error) && error.code === "EPERM";
+    }
+}
+function isNodeError(error) {
+    return error instanceof Error;
+}

package/dist/runtime/logger.js

@@ -0,0 +1,75 @@
+import pino from "pino";
+import { getLogFilePath } from "./appPaths.js";
+class PinoLoggerAdapter {
+    base;
+    destination;
+    scope;
+    filePath;
+    constructor(base, destination, scope, filePath) {
+        this.base = base;
+        this.destination = destination;
+        this.scope = scope;
+        this.filePath = filePath;
+    }
+    child(scope) {
+        return new PinoLoggerAdapter(this.base, this.destination, `${this.scope}/${scope}`, this.filePath);
+    }
+    debug(message, details) {
+        logWithDetails(this.base.debug.bind(this.base), this.scope, message, details);
+    }
+    info(message, details) {
+        logWithDetails(this.base.info.bind(this.base), this.scope, message, details);
+    }
+    warn(message, details) {
+        logWithDetails(this.base.warn.bind(this.base), this.scope, message, details);
+    }
+    error(message, details) {
+        logWithDetails(this.base.error.bind(this.base), this.scope, message, details);
+    }
+    flush() {
+        try {
+            this.destination.flushSync();
+        }
+        catch {
+            // Ignore flush races during early startup failure and process teardown.
+        }
+    }
+}
+export function createLogger(filePath = getLogFilePath()) {
+    const destination = pino.destination({
+        dest: filePath,
+        mkdir: true,
+        sync: false,
+    });
+    const base = pino({
+        level: process.env.TELECODEX_LOG_LEVEL ?? "info",
+        base: {
+            service: "telecodex",
+            pid: process.pid,
+        },
+        timestamp: pino.stdTimeFunctions.isoTime,
+        serializers: {
+            err: pino.stdSerializers.err,
+            error: pino.stdSerializers.err,
+        },
+    }, destination);
+    return new PinoLoggerAdapter(base, destination, "telecodex", filePath);
+}
+function logWithDetails(log, scope, message, details) {
+    if (details === undefined) {
+        log({ scope }, message);
+        return;
+    }
+    if (details instanceof Error) {
+        log({ scope, err: details }, message);
+        return;
+    }
+    if (isRecord(details)) {
+        log({ ...details, scope }, message);
+        return;
+    }
+    log({ scope, value: details }, message);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/dist/runtime/secrets.js

@@ -0,0 +1,45 @@
+import { Entry } from "@napi-rs/keyring";
+const SERVICE = "telecodex";
+const ACCOUNT = "telegram-bot-token";
+const FALLBACK_KEY = "telegram_bot_token";
+export const PLAINTEXT_TOKEN_FALLBACK_ENV = "TELECODEX_ALLOW_PLAINTEXT_TOKEN_FALLBACK";
+export class SecretStore {
+    store;
+    options;
+    entry = new Entry(SERVICE, ACCOUNT);
+    constructor(store, options) {
+        this.store = store;
+        this.options = options;
+    }
+    getTelegramBotToken() {
+        try {
+            const token = this.entry.getPassword();
+            if (token)
+                return token;
+        }
+        catch {
+            // Fallback below.
+        }
+        if (!this.options?.allowPlaintextFallback) {
+            return null;
+        }
+        return this.store.getAppState(FALLBACK_KEY);
+    }
+    setTelegramBotToken(token) {
+        try {
+            this.entry.setPassword(token);
+            this.store.deleteAppState(FALLBACK_KEY);
+            return "keyring";
+        }
+        catch {
+            if (!this.options?.allowPlaintextFallback) {
+                throw new Error([
+                    "System keychain is unavailable, and plaintext Telegram bot token fallback is disabled.",
+                    `If you accept storing the token unencrypted in local state, set ${PLAINTEXT_TOKEN_FALLBACK_ENV}=1 and run telecodex again.`,
+                ].join(" "));
+            }
+            this.store.setAppState(FALLBACK_KEY, token);
+            return "plaintext-fallback";
+        }
+    }
+}

package/dist/runtime/sessionRuntime.js

@@ -0,0 +1,53 @@
+export async function applySessionRuntimeEvent(input) {
+    const session = input.store.get(input.sessionKey);
+    if (!session)
+        return null;
+    const next = reduceSessionRuntimeState(session, input.event);
+    input.store.setRuntimeState(session.sessionKey, next);
+    return input.store.get(session.sessionKey);
+}
+export function reduceSessionRuntimeState(session, event, updatedAt = new Date().toISOString()) {
+    switch (event.type) {
+        case "turn.preparing":
+            return {
+                status: "preparing",
+                detail: event.detail ?? null,
+                updatedAt,
+                activeTurnId: null,
+            };
+        case "turn.started":
+            return {
+                status: "running",
+                detail: null,
+                updatedAt,
+                activeTurnId: event.turnId,
+            };
+        case "turn.completed":
+        case "turn.interrupted":
+            return {
+                status: "idle",
+                detail: null,
+                updatedAt,
+                activeTurnId: null,
+            };
+        case "turn.failed":
+            return {
+                status: "failed",
+                detail: event.message?.trim() || null,
+                updatedAt,
+                activeTurnId: null,
+            };
+    }
+}
+export function formatSessionRuntimeStatus(status) {
+    switch (status) {
+        case "idle":
+            return "idle";
+        case "running":
+            return "running";
+        case "preparing":
+            return "preparing";
+        case "failed":
+            return "failed";
+    }
+}

package/dist/runtime/startTelecodex.js

@@ -0,0 +1,118 @@
+import { run } from "@grammyjs/runner";
+import { createBot } from "../bot/createBot.js";
+import { CodexSdkRuntime } from "../codex/sdkRuntime.js";
+import { bootstrapRuntime } from "./bootstrap.js";
+import { acquireInstanceLock } from "./instanceLock.js";
+import { createLogger } from "./logger.js";
+let processHandlersInstalled = false;
+export async function startTelecodex() {
+    const logger = createLogger();
+    let instanceLock = null;
+    installProcessErrorHandlers(logger);
+    logger.info("telecodex startup requested", {
+        pid: process.pid,
+        cwd: process.cwd(),
+        logFile: logger.filePath,
+    });
+    try {
+        instanceLock = acquireInstanceLock({
+            logger: logger.child("instance-lock"),
+        });
+        logger.info("telecodex instance lock acquired", {
+            lockPath: instanceLock.path,
+            pid: process.pid,
+        });
+        const { config, store, projects, bootstrapCode, botUsername } = await bootstrapRuntime();
+        const configOverrides = parseCodexConfigOverrides(store.getAppState("codex_config_overrides"));
+        const codex = new CodexSdkRuntime({
+            codexBin: config.codexBin,
+            logger: logger.child("codex-sdk"),
+            ...(configOverrides ? { configOverrides } : {}),
+        });
+        const bot = createBot({
+            config,
+            store,
+            projects,
+            codex,
+            bootstrapCode,
+            logger: logger.child("bot"),
+            onAdminBound: () => {
+                logger.info("telegram admin bound");
+                console.log("telegram admin binding completed");
+                console.log("telecodex is now ready to accept commands from the bound Telegram account");
+            },
+        });
+        const botProfile = await bot.api.getMe();
+        if (!botProfile.can_read_all_group_messages) {
+            logger.warn("telegram bot privacy mode is enabled; plain topic messages will not reach telecodex", {
+                botUsername: botProfile.username ?? botUsername,
+            });
+            console.warn("warning: this bot cannot read all group messages yet");
+            console.warn("disable privacy mode in @BotFather with /setprivacy, then choose this bot and Disable");
+            console.warn("Telegram may take a few minutes to apply the change");
+        }
+        const runner = run(bot);
+        const stopRuntime = (signal) => {
+            logger.info("received shutdown signal", { signal });
+            codex.interruptAll();
+            runner.stop();
+            instanceLock?.release();
+            instanceLock = null;
+            logger.flush();
+            process.exit(0);
+        };
+        process.once("SIGINT", () => stopRuntime("SIGINT"));
+        process.once("SIGTERM", () => stopRuntime("SIGTERM"));
+        console.log(`telecodex started as @${botUsername ?? "unknown"}`);
+        console.log(`workspace: ${config.defaultCwd}`);
+        console.log(`codex: ${config.codexBin}`);
+        console.log(`logs: ${logger.filePath}`);
+        if (bootstrapCode) {
+            console.log("telegram admin is not bound yet");
+            console.log("waiting for admin binding from Telegram private chat...");
+            console.log("bootstrap code was shown during setup and copied to the clipboard when possible");
+        }
+        else {
+            console.log(`authorized telegram user id: ${store.getAuthorizedUserId()}`);
+        }
+        logger.info("telecodex started", {
+            botUsername,
+            workspace: config.defaultCwd,
+            codexBin: config.codexBin,
+            bootstrapPending: bootstrapCode != null,
+            authorizedUserId: store.getAuthorizedUserId(),
+        });
+    }
+    catch (error) {
+        instanceLock?.release();
+        logger.error("telecodex startup failed", error);
+        throw error;
+    }
+}
+function parseCodexConfigOverrides(value) {
+    if (!value)
+        return undefined;
+    try {
+        const parsed = JSON.parse(value);
+        return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)
+            ? parsed
+            : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function installProcessErrorHandlers(logger) {
+    if (processHandlersInstalled)
+        return;
+    processHandlersInstalled = true;
+    process.on("unhandledRejection", (reason) => {
+        logger.error("unhandled rejection", reason);
+        logger.flush();
+    });
+    process.on("uncaughtException", (error) => {
+        logger.error("uncaught exception", error);
+        logger.flush();
+        process.exit(1);
+    });
+}