thepopebot 1.0.0

package/setup/lib/auth.mjs

@@ -0,0 +1,160 @@
+import { writeFileSync, readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const ROOT_DIR = process.cwd();
+
+/**
+ * Validate Anthropic API key by making a minimal test call
+ */
+export async function validateAnthropicKey(key) {
+  try {
+    const response = await fetch('https://api.anthropic.com/v1/messages', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-api-key': key,
+        'anthropic-version': '2023-06-01',
+      },
+      body: JSON.stringify({
+        model: 'claude-3-haiku-20240307',
+        max_tokens: 1,
+        messages: [{ role: 'user', content: 'Hi' }],
+      }),
+    });
+
+    if (response.status === 401) {
+      return { valid: false, error: 'Invalid API key' };
+    }
+    if (response.status === 400) {
+      // Bad request but key is valid (e.g., rate limit, model error)
+      return { valid: true };
+    }
+    if (response.ok) {
+      return { valid: true };
+    }
+    return { valid: false, error: `HTTP ${response.status}` };
+  } catch (error) {
+    return { valid: false, error: error.message };
+  }
+}
+
+/**
+ * Build flat secrets JSON for SECRETS GitHub secret.
+ * Includes GH_TOKEN + API keys. entrypoint.sh decodes and exports each as an env var.
+ */
+export function buildSecretsJson(pat, keys) {
+  const secrets = { GH_TOKEN: pat, ANTHROPIC_API_KEY: keys.anthropic };
+
+  if (keys.openai) secrets.OPENAI_API_KEY = keys.openai;
+  if (keys.groq) secrets.GROQ_API_KEY = keys.groq;
+
+  return secrets;
+}
+
+/**
+ * Encode secrets to base64 for SECRETS GitHub secret
+ */
+export function encodeSecretsBase64(pat, keys) {
+  const secrets = buildSecretsJson(pat, keys);
+  return Buffer.from(JSON.stringify(secrets)).toString('base64');
+}
+
+/**
+ * Build LLM secrets JSON for LLM_SECRETS GitHub secret.
+ * These credentials are accessible to the LLM (not filtered by env-sanitizer).
+ */
+export function buildLlmSecretsJson(keys) {
+  const secrets = {};
+  if (keys.brave) secrets.BRAVE_API_KEY = keys.brave;
+  return secrets;
+}
+
+/**
+ * Encode LLM secrets to base64 for LLM_SECRETS GitHub secret.
+ * Returns null if no LLM secrets are configured.
+ */
+export function encodeLlmSecretsBase64(keys) {
+  const secrets = buildLlmSecretsJson(keys);
+  if (Object.keys(secrets).length === 0) return null;
+  return Buffer.from(JSON.stringify(secrets)).toString('base64');
+}
+
+/**
+ * Write .env file at project root
+ */
+export function writeEnvFile(config) {
+  const {
+    apiKey,
+    githubToken,
+    githubOwner,
+    githubRepo,
+    telegramBotToken,
+    telegramWebhookSecret,
+    ghWebhookSecret,
+    anthropicApiKey,
+    openaiApiKey,
+    telegramChatId,
+    telegramVerification,
+  } = config;
+
+  const envContent = `# thepopebot Configuration
+# Generated by setup wizard
+
+# Authentication key for /api/webhook endpoint
+API_KEY=${apiKey}
+
+# GitHub Personal Access Token (fine-grained: Actions, Contents, Metadata, Pull requests)
+GH_TOKEN=${githubToken}
+
+# Repository info
+GH_OWNER=${githubOwner}
+GH_REPO=${githubRepo}
+
+# Telegram bot token from @BotFather
+TELEGRAM_BOT_TOKEN=${telegramBotToken || ''}
+
+# Telegram webhook secret (validates requests are from Telegram)
+TELEGRAM_WEBHOOK_SECRET=${telegramWebhookSecret || ''}
+
+# Telegram chat ID (restricts bot to this chat only)
+TELEGRAM_CHAT_ID=${telegramChatId || ''}
+
+# Telegram verification code (used during setup, can be removed after)
+TELEGRAM_VERIFICATION=${telegramVerification || ''}
+
+# Secret for GitHub Actions webhook auth (must match GH_WEBHOOK_SECRET secret)
+GH_WEBHOOK_SECRET=${ghWebhookSecret}
+
+# Anthropic API key for Claude chat features
+ANTHROPIC_API_KEY=${anthropicApiKey}
+
+# OpenAI API key for Whisper voice transcription (optional)
+OPENAI_API_KEY=${openaiApiKey || ''}
+`;
+
+  const envPath = join(ROOT_DIR, '.env');
+  writeFileSync(envPath, envContent);
+  return envPath;
+}
+
+/**
+ * Update a single variable in an existing .env file
+ */
+export function updateEnvVariable(key, value) {
+  const envPath = join(ROOT_DIR, '.env');
+  if (!existsSync(envPath)) {
+    throw new Error('.env file not found. Run npm run setup first.');
+  }
+
+  let content = readFileSync(envPath, 'utf-8');
+  const regex = new RegExp(`^${key}=.*$`, 'm');
+
+  if (regex.test(content)) {
+    content = content.replace(regex, `${key}=${value}`);
+  } else {
+    content = content.trimEnd() + `\n${key}=${value}\n`;
+  }
+
+  writeFileSync(envPath, content);
+  return envPath;
+}

package/setup/lib/github.mjs

@@ -0,0 +1,148 @@
+import { execSync, exec } from 'child_process';
+import { promisify } from 'util';
+import { randomBytes } from 'crypto';
+
+const execAsync = promisify(exec);
+
+/**
+ * Validate GitHub PAT by making a test API call
+ */
+export async function validatePAT(token) {
+  try {
+    const response = await fetch('https://api.github.com/user', {
+      headers: {
+        Authorization: `token ${token}`,
+        Accept: 'application/vnd.github.v3+json',
+      },
+    });
+    if (!response.ok) return { valid: false, error: 'Invalid token' };
+    const user = await response.json();
+    return { valid: true, user: user.login };
+  } catch (error) {
+    return { valid: false, error: error.message };
+  }
+}
+
+/**
+ * Check PAT scopes/permissions
+ * Works with both classic tokens (x-oauth-scopes header) and fine-grained tokens
+ */
+export async function checkPATScopes(token) {
+  try {
+    const response = await fetch('https://api.github.com/user', {
+      headers: {
+        Authorization: `token ${token}`,
+        Accept: 'application/vnd.github.v3+json',
+      },
+    });
+    const scopes = response.headers.get('x-oauth-scopes') || '';
+    const scopeList = scopes.split(',').map((s) => s.trim()).filter(Boolean);
+
+    // Classic tokens have x-oauth-scopes header
+    if (scopeList.length > 0) {
+      return {
+        hasRepo: scopeList.includes('repo'),
+        hasWorkflow: scopeList.includes('workflow'),
+        scopes: scopeList,
+        isFineGrained: false,
+      };
+    }
+
+    // Fine-grained tokens don't have x-oauth-scopes header
+    // We can't check permissions directly, so we assume valid if token works
+    return {
+      hasRepo: true,
+      hasWorkflow: true,
+      scopes: [],
+      isFineGrained: true,
+    };
+  } catch {
+    return { hasRepo: false, hasWorkflow: false, scopes: [], isFineGrained: false };
+  }
+}
+
+/**
+ * Set a GitHub repository secret using gh CLI
+ */
+export async function setSecret(owner, repo, name, value) {
+  try {
+    // Use stdin to pass the secret value securely
+    const { stdout, stderr } = await execAsync(
+      `echo "${value.replace(/"/g, '\\"')}" | gh secret set ${name} --repo ${owner}/${repo}`,
+      { encoding: 'utf-8' }
+    );
+    return { success: true };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+}
+
+/**
+ * Set multiple GitHub secrets
+ */
+export async function setSecrets(owner, repo, secrets) {
+  const results = {};
+  for (const [name, value] of Object.entries(secrets)) {
+    results[name] = await setSecret(owner, repo, name, value);
+  }
+  return results;
+}
+
+/**
+ * List existing secrets
+ */
+export async function listSecrets(owner, repo) {
+  try {
+    const { stdout } = await execAsync(`gh secret list --repo ${owner}/${repo}`, {
+      encoding: 'utf-8',
+    });
+    const secrets = stdout
+      .trim()
+      .split('\n')
+      .filter(Boolean)
+      .map((line) => line.split('\t')[0]);
+    return secrets;
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Set a GitHub repository variable using gh CLI
+ */
+export async function setVariable(owner, repo, name, value) {
+  try {
+    const { stdout, stderr } = await execAsync(
+      `echo "${value.replace(/"/g, '\\"')}" | gh variable set ${name} --repo ${owner}/${repo}`,
+      { encoding: 'utf-8' }
+    );
+    return { success: true };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+}
+
+/**
+ * Set multiple GitHub repository variables
+ */
+export async function setVariables(owner, repo, variables) {
+  const results = {};
+  for (const [name, value] of Object.entries(variables)) {
+    results[name] = await setVariable(owner, repo, name, value);
+  }
+  return results;
+}
+
+/**
+ * Generate a random webhook secret
+ */
+export function generateWebhookSecret() {
+  return randomBytes(32).toString('hex');
+}
+
+/**
+ * Get the GitHub PAT creation URL with pre-selected scopes
+ */
+export function getPATCreationURL() {
+  return 'https://github.com/settings/personal-access-tokens/new';
+}

package/setup/lib/prerequisites.mjs

@@ -0,0 +1,135 @@
+import { execSync, exec } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec);
+
+/**
+ * Check if a command exists
+ */
+function commandExists(cmd) {
+  try {
+    execSync(`which ${cmd}`, { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get Node.js version
+ */
+function getNodeVersion() {
+  try {
+    const version = execSync('node --version', { encoding: 'utf-8' }).trim();
+    return version.replace('v', '');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if gh CLI is authenticated
+ */
+async function isGhAuthenticated() {
+  try {
+    await execAsync('gh auth status');
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get git remote info (owner/repo)
+ */
+function getGitRemoteInfo() {
+  try {
+    const remote = execSync('git remote get-url origin', { encoding: 'utf-8' }).trim();
+    // Handle both HTTPS and SSH formats
+    // https://github.com/owner/repo.git
+    // git@github.com:owner/repo.git
+    const httpsMatch = remote.match(/github\.com\/([^/]+)\/([^/.]+)/);
+    const sshMatch = remote.match(/github\.com:([^/]+)\/([^/.]+)/);
+    const match = httpsMatch || sshMatch;
+    if (match) {
+      return { owner: match[1], repo: match[2].replace('.git', '') };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get package manager (pnpm preferred, npm fallback)
+ */
+function getPackageManager() {
+  if (commandExists('pnpm')) return 'pnpm';
+  if (commandExists('npm')) return 'npm';
+  return null;
+}
+
+/**
+ * Check all prerequisites and return status
+ */
+export async function checkPrerequisites() {
+  const results = {
+    node: { installed: false, version: null, ok: false },
+    packageManager: { installed: false, name: null },
+    gh: { installed: false, authenticated: false },
+    ngrok: { installed: false },
+    git: { installed: false, remoteInfo: null },
+  };
+
+  // Check Node.js
+  const nodeVersion = getNodeVersion();
+  if (nodeVersion) {
+    results.node.installed = true;
+    results.node.version = nodeVersion;
+    const [major] = nodeVersion.split('.').map(Number);
+    results.node.ok = major >= 18;
+  }
+
+  // Check package manager
+  const pm = getPackageManager();
+  if (pm) {
+    results.packageManager.installed = true;
+    results.packageManager.name = pm;
+  }
+
+  // Check gh CLI
+  results.gh.installed = commandExists('gh');
+  if (results.gh.installed) {
+    results.gh.authenticated = await isGhAuthenticated();
+  }
+
+  // Check ngrok
+  results.ngrok.installed = commandExists('ngrok');
+
+  // Check git
+  results.git.installed = commandExists('git');
+  if (results.git.installed) {
+    results.git.remoteInfo = getGitRemoteInfo();
+  }
+
+  return results;
+}
+
+/**
+ * Install a global npm package
+ */
+export async function installGlobalPackage(packageName) {
+  const pm = getPackageManager();
+  const cmd = pm === 'pnpm' ? `pnpm add -g ${packageName}` : `npm install -g ${packageName}`;
+  await execAsync(cmd);
+}
+
+/**
+ * Run gh auth login
+ */
+export async function runGhAuth() {
+  // This needs to be interactive, so we use execSync
+  execSync('gh auth login', { stdio: 'inherit' });
+}
+
+export { commandExists, getGitRemoteInfo, getPackageManager };

package/setup/lib/prompts.mjs

@@ -0,0 +1,268 @@
+import inquirer from 'inquirer';
+import open from 'open';
+
+/**
+ * Mask a secret, showing only last 4 characters
+ */
+export function maskSecret(secret) {
+  if (!secret || secret.length < 8) return '****';
+  return '****' + secret.slice(-4);
+}
+
+/**
+ * Prompt for GitHub PAT
+ */
+export async function promptForPAT() {
+  const { pat } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'pat',
+      message: 'Paste your GitHub Personal Access Token:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'PAT is required';
+        if (!input.startsWith('ghp_') && !input.startsWith('github_pat_')) {
+          return 'Invalid PAT format. Should start with ghp_ or github_pat_';
+        }
+        return true;
+      },
+    },
+  ]);
+  return pat;
+}
+
+/**
+ * Prompt for Anthropic API key
+ */
+export async function promptForAnthropicKey() {
+  const { key } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'key',
+      message: 'Enter your Anthropic API key:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'Anthropic API key is required';
+        if (!input.startsWith('sk-ant-')) {
+          return 'Invalid format. Should start with sk-ant-';
+        }
+        return true;
+      },
+    },
+  ]);
+  return key;
+}
+
+/**
+ * Prompt for optional OpenAI API key
+ */
+export async function promptForOpenAIKey() {
+  const { addKey } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'addKey',
+      message: 'Add OpenAI API key? (optional)',
+      default: false,
+    },
+  ]);
+
+  if (!addKey) return null;
+
+  const { openPage } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'openPage',
+      message: 'Open OpenAI API key page in browser?',
+      default: true,
+    },
+  ]);
+  if (openPage) {
+    await open('https://platform.openai.com/settings/organization/api-keys');
+  }
+
+  const { key } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'key',
+      message: 'Enter your OpenAI API key:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'Key is required if adding';
+        if (!input.startsWith('sk-')) {
+          return 'Invalid format. Should start with sk-';
+        }
+        return true;
+      },
+    },
+  ]);
+  return key;
+}
+
+/**
+ * Prompt for optional Groq API key
+ */
+export async function promptForGroqKey() {
+  const { addKey } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'addKey',
+      message: 'Add Groq API key? (optional)',
+      default: false,
+    },
+  ]);
+
+  if (!addKey) return null;
+
+  const { key } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'key',
+      message: 'Enter your Groq API key:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'Key is required if adding';
+        return true;
+      },
+    },
+  ]);
+  return key;
+}
+
+/**
+ * Prompt for optional Brave Search API key
+ */
+export async function promptForBraveKey() {
+  const { addKey } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'addKey',
+      message: 'Add Brave Search API key? (free tier, greatly improves agent)',
+      default: true,
+    },
+  ]);
+
+  if (!addKey) return null;
+
+  console.log('\n  To get a free Brave Search API key:');
+  console.log('  1. Go to https://api-dashboard.search.brave.com/app/keys');
+  console.log('  2. Click "Get Started"');
+  console.log('  3. Create an account (or sign in)');
+  console.log('  4. Subscribe to the "Free" plan (2,000 queries/month)');
+  console.log('  5. Copy your API key\n');
+
+  const { openPage } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'openPage',
+      message: 'Open Brave Search API page in browser?',
+      default: true,
+    },
+  ]);
+  if (openPage) {
+    await open('https://api-dashboard.search.brave.com/app/keys');
+  }
+
+  const { key } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'key',
+      message: 'Enter your Brave Search API key:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'Key is required if adding';
+        return true;
+      },
+    },
+  ]);
+  return key;
+}
+
+/**
+ * Prompt for Telegram bot token
+ */
+export async function promptForTelegramToken() {
+  const { addTelegram } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'addTelegram',
+      message: 'Set up Telegram bot?',
+      default: true,
+    },
+  ]);
+
+  if (!addTelegram) return null;
+
+  const { token } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'token',
+      message: 'Enter your Telegram bot token from @BotFather:',
+      mask: '*',
+      validate: (input) => {
+        if (!input) return 'Token is required';
+        if (!/^\d+:[A-Za-z0-9_-]+$/.test(input)) {
+          return 'Invalid format. Should be like 123456789:ABC-DEF...';
+        }
+        return true;
+      },
+    },
+  ]);
+  return token;
+}
+
+/**
+ * Generate a Telegram webhook secret
+ */
+export async function generateTelegramWebhookSecret() {
+  const { randomBytes } = await import('crypto');
+  return randomBytes(32).toString('hex');
+}
+
+/**
+ * Prompt for deployment method
+ */
+export async function promptForDeployMethod() {
+  const { method } = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'method',
+      message: 'How would you like to deploy the event handler?',
+      choices: [
+        { name: 'Deploy to Vercel via CLI (recommended)', value: 'vercel' },
+        { name: 'Open Vercel Deploy Button in browser', value: 'button' },
+        { name: 'Skip - I\'ll deploy manually later', value: 'skip' },
+      ],
+    },
+  ]);
+  return method;
+}
+
+/**
+ * Prompt for confirmation
+ */
+export async function confirm(message, defaultValue = true) {
+  const { confirmed } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'confirmed',
+      message,
+      default: defaultValue,
+    },
+  ]);
+  return confirmed;
+}
+
+/**
+ * Prompt for text input
+ */
+export async function promptText(message, defaultValue = '') {
+  const { value } = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'value',
+      message,
+      default: defaultValue,
+    },
+  ]);
+  return value;
+}