thepopebot 1.2.20 → 1.2.21

package/api/CLAUDE.md

@@ -0,0 +1,19 @@
+# /api — External API Routes
+
+This directory contains the route handlers for all `/api/*` endpoints. These routes are for **external callers only** — GitHub Actions, Telegram, cURL, third-party webhooks.
+
+## Auth
+
+All routes (except `/telegram/webhook` and `/github/webhook`, which use their own webhook secrets) require a valid API key passed via the `x-api-key` header. API keys are stored in the SQLite database and managed through the admin UI — they are NOT environment variables.
+
+Auth flow: `x-api-key` header -> `verifyApiKey()` -> database lookup (hashed, timing-safe comparison).
+
+## Do NOT use these routes for browser UI
+
+Browser-facing features must use **Server Actions** (`'use server'` functions) with `requireAuth()` session checks — never `/api` fetch calls. The only exception is chat streaming, which has its own dedicated route at `/stream/chat` with session auth.
+
+| Caller | Mechanism | Auth |
+|--------|-----------|------|
+| External (cURL, GitHub Actions, Telegram) | `/api` route | `x-api-key` header |
+| Browser UI (data/mutations) | Server Action | `requireAuth()` session |
+| Browser UI (chat streaming) | `/stream/chat` | `auth()` session |

package/api/index.js

@@ -30,7 +30,7 @@ function getFireTriggers() {
 }
 
 // Routes that have their own authentication
-const PUBLIC_ROUTES = ['/telegram/webhook', '/github/webhook'];
+const PUBLIC_ROUTES = ['/telegram/webhook', '/github/webhook', '/ping'];
 
 /**
  * Timing-safe string comparison.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.20",
+  "version": "1.2.21",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/setup/setup.mjs

@@ -19,8 +19,6 @@ import {
   promptForOptionalKey,
   promptForCustomProvider,
   promptForBraveKey,
-  promptForTelegramToken,
-  generateTelegramWebhookSecret,
   confirm,
   pressEnter,
   maskSecret,
@@ -41,8 +39,6 @@ import {
   encodeLlmSecretsBase64,
   updateEnvVariable,
 } from './lib/auth.mjs';
-import { setTelegramWebhook, validateBotToken, generateVerificationCode } from './lib/telegram.mjs';
-import { runVerificationFlow, verifyRestart } from './lib/telegram-verify.mjs';
 
 const logo = `
  _____ _          ____                  ____        _
@@ -81,7 +77,7 @@ function printInfo(message) {
 async function main() {
   printHeader();
 
-  const TOTAL_STEPS = 8;
+  const TOTAL_STEPS = 7;
   let currentStep = 0;
 
   // Collected values
@@ -90,8 +86,6 @@ async function main() {
   let agentModel = null;
   const collectedKeys = {};
   let braveKey = null;
-  let telegramToken = null;
-  let telegramWebhookSecret = null;
   let webhookSecret = null;
   let owner = null;
   let repo = null;
@@ -488,36 +482,21 @@ async function main() {
     }
   }
 
-  // Step 5: Telegram Setup
-  printStep(++currentStep, TOTAL_STEPS, 'Telegram Setup');
+  // Chat Interfaces (informational)
+  console.log(chalk.dim('\n  Your agent includes a web chat interface at your APP_URL.'));
+  console.log(chalk.dim('  You can also connect additional chat interfaces:\n'));
+  console.log(chalk.dim('    \u2022 Telegram:  ') + chalk.cyan('npm run setup-telegram'));
+  console.log('');
 
-  telegramToken = await promptForTelegramToken();
-
-  if (telegramToken) {
-    const validateSpinner = ora('Validating bot token...').start();
-    const validation = await validateBotToken(telegramToken);
-
-    if (!validation.valid) {
-      validateSpinner.fail(`Invalid token: ${validation.error}`);
-      telegramToken = null;
-    } else {
-      validateSpinner.succeed(`Bot: @${validation.botInfo.username}`);
-      telegramWebhookSecret = await generateTelegramWebhookSecret();
-    }
-  } else {
-    printInfo('Skipped Telegram setup');
-  }
-
-  // Write .env file (now at project root, not event_handler/)
-  const telegramVerification = telegramToken ? generateVerificationCode() : null;
+  // Write .env file
   const providerConfig = agentProvider !== 'custom' ? PROVIDERS[agentProvider] : null;
   const providerEnvKey = providerConfig ? providerConfig.envKey : 'CUSTOM_API_KEY';
   const envPath = writeEnvFile({
     githubToken: pat,
     githubOwner: owner,
     githubRepo: repo,
-    telegramBotToken: telegramToken,
-    telegramWebhookSecret,
+    telegramBotToken: null,
+    telegramWebhookSecret: null,
     ghWebhookSecret: webhookSecret,
     llmProvider: agentProvider,
     llmModel: agentModel,
@@ -525,11 +504,11 @@ async function main() {
     providerApiKey: collectedKeys[providerEnvKey] || '',
     openaiApiKey: collectedKeys['OPENAI_API_KEY'] || '',
     telegramChatId: null,
-    telegramVerification,
+    telegramVerification: null,
   });
   printSuccess(`Created ${envPath}`);
 
-  // Step 6: Start Server
+  // Step 5: Start Server
   printStep(++currentStep, TOTAL_STEPS, 'Start Server');
 
   console.log(chalk.bold('  Start the dev server in a new terminal window:\n'));
@@ -552,10 +531,10 @@ async function main() {
     }
   }
 
-  // Step 7: APP_URL
+  // Step 6: APP_URL
   printStep(++currentStep, TOTAL_STEPS, 'App URL');
 
-  console.log(chalk.dim('  Your app needs a public URL for GitHub webhooks and Telegram.\n'));
+  console.log(chalk.dim('  Your app needs a public URL for GitHub webhooks.\n'));
   console.log(chalk.dim('  Examples:'));
   console.log(chalk.dim('    \u2022 ngrok: ') + chalk.cyan('https://abc123.ngrok.io'));
   console.log(chalk.dim('    \u2022 VPS:   ') + chalk.cyan('https://mybot.example.com'));
@@ -598,45 +577,6 @@ async function main() {
     }
   }
 
-  // Register Telegram webhook if configured
-  if (telegramToken) {
-    const webhookUrl = `${appUrl}/api/telegram/webhook`;
-    let tgWebhookSet = false;
-    while (!tgWebhookSet) {
-      const tgSpinner = ora('Registering Telegram webhook...').start();
-      const tgResult = await setTelegramWebhook(telegramToken, webhookUrl, telegramWebhookSecret);
-      if (tgResult.ok) {
-        tgSpinner.succeed(`Telegram webhook registered: ${webhookUrl}`);
-        tgWebhookSet = true;
-      } else {
-        tgSpinner.fail(`Failed: ${tgResult.description}`);
-        await pressEnter('Fix the issue, then press enter to retry');
-      }
-    }
-
-    // Chat ID verification
-    let chatVerified = false;
-    while (!chatVerified) {
-      const chatId = await runVerificationFlow(telegramVerification);
-
-      if (chatId) {
-        updateEnvVariable('TELEGRAM_CHAT_ID', chatId);
-        printSuccess(`Chat ID saved: ${chatId}`);
-
-        const verified = await verifyRestart(appUrl);
-        if (verified) {
-          printSuccess('Telegram bot is configured and working!');
-        } else {
-          printWarning('Could not verify bot. Check your configuration.');
-        }
-        chatVerified = true;
-      } else {
-        printWarning('Chat ID is required \u2014 the bot will not respond without it.');
-        await pressEnter('Fix the issue, then press enter to retry');
-      }
-    }
-  }
-
   // Step 7: Summary
   printStep(++currentStep, TOTAL_STEPS, 'Setup Complete!');
 
@@ -651,7 +591,6 @@ async function main() {
     console.log(`  ${chalk.dim(`${envVar}:`)}  ${maskSecret(value)}`);
   }
   if (braveKey) console.log(`  ${chalk.dim('Brave Search:')}    ${maskSecret(braveKey)}`);
-  if (telegramToken) console.log(`  ${chalk.dim('Telegram Bot:')}    Webhook registered`);
 
   console.log(chalk.bold('\n  GitHub Secrets Set:\n'));
   console.log('  \u2022 SECRETS');
@@ -667,11 +606,8 @@ async function main() {
 
   console.log(chalk.bold.green('\n  You\'re all set!\n'));
 
-  if (telegramToken) {
-    console.log(chalk.cyan('  Message your Telegram bot to create your first job!'));
-  } else {
-    console.log(chalk.dim('  Use the /api/create-job endpoint to create jobs.'));
-  }
+  console.log(chalk.dim('  Chat with your agent at ') + chalk.cyan(appUrl));
+  console.log(chalk.dim('  To connect Telegram: ') + chalk.cyan('npm run setup-telegram'));
 
   console.log('\n');
 }

package/templates/.github/workflows/redeploy-event-handler.yml

@@ -0,0 +1,37 @@
+name: Deploy Event Handler
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: deploy
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: self-hosted
+    steps:
+      - name: Deploy event handler
+        run: |
+          docker exec thepopebot-event-handler bash -c '
+            # Authenticate git via GitHub CLI
+            echo "${GH_TOKEN}" | gh auth login --with-token
+            gh auth setup-git
+
+            # Check if there are code changes (not just logs)
+            git fetch origin main
+            CHANGED=$(git diff --name-only HEAD origin/main)
+            if ! echo "$CHANGED" | grep -qv "^logs/"; then
+              echo "Logs-only change, skipping rebuild"
+              git reset --hard origin/main
+              exit 0
+            fi
+
+            # Pull, build, reload
+            git reset --hard origin/main
+            npm install --omit=dev
+            npm run build
+            echo "Rebuild complete, reloading Next.js..."
+            npx pm2 reload all
+          '

package/templates/api/CLAUDE.md

@@ -0,0 +1,19 @@
+# /api — External API Routes
+
+This directory contains the route handlers for all `/api/*` endpoints. These routes are for **external callers only** — GitHub Actions, Telegram, cURL, third-party webhooks.
+
+## Auth
+
+All routes (except `/telegram/webhook` and `/github/webhook`, which use their own webhook secrets) require a valid API key passed via the `x-api-key` header. API keys are stored in the SQLite database and managed through the admin UI — they are NOT environment variables.
+
+Auth flow: `x-api-key` header -> `verifyApiKey()` -> database lookup (hashed, timing-safe comparison).
+
+## Do NOT use these routes for browser UI
+
+Browser-facing features must use **Server Actions** (`'use server'` functions) with `requireAuth()` session checks — never `/api` fetch calls. The only exception is chat streaming, which has its own dedicated route at `/stream/chat` with session auth.
+
+| Caller | Mechanism | Auth |
+|--------|-----------|------|
+| External (cURL, GitHub Actions, Telegram) | `/api` route | `x-api-key` header |
+| Browser UI (data/mutations) | Server Action | `requireAuth()` session |
+| Browser UI (chat streaming) | `/stream/chat` | `auth()` session |

package/templates/docker/event-handler/Dockerfile

@@ -1,11 +1,20 @@
 FROM node:22-bookworm-slim
 
-RUN apt-get update && apt-get install -y curl python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y curl git python3 make g++ && \
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+      | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+      | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
+    apt-get update && apt-get install -y gh && \
+    rm -rf /var/lib/apt/lists/*
+RUN npm install -g pm2
 
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm install --omit=dev && \
     npm install --no-save thepopebot@$(node -p "require('./package.json').version")
 
+COPY ecosystem.config.cjs ./
+
 EXPOSE 80
-CMD ["node_modules/.bin/next", "start", "-p", "80"]
+CMD ["pm2-runtime", "ecosystem.config.cjs"]

package/templates/docker/event-handler/ecosystem.config.cjs

@@ -0,0 +1,8 @@
+module.exports = {
+  apps: [{
+    name: 'next',
+    script: 'node_modules/.bin/next',
+    args: 'start -p 80',
+    kill_timeout: 120000,
+  }]
+};

package/templates/docker-compose.yml

@@ -21,7 +21,8 @@ services:
       - traefik_certs:/letsencrypt
     restart: unless-stopped
 
-  event_handler:
+  event-handler:
+    container_name: thepopebot-event-handler
     image: ${EVENT_HANDLER_IMAGE_URL:-stephengpope/thepopebot:event-handler-${THEPOPEBOT_VERSION:-latest}}
     volumes:
       - .:/app
@@ -29,12 +30,19 @@ services:
     labels:
       - traefik.enable=true
       # Set APP_HOSTNAME in .env to the domain from APP_URL (e.g., mybot.example.com)
-      - traefik.http.routers.event_handler.rule=Host(`${APP_HOSTNAME}`)
-      - traefik.http.routers.event_handler.entrypoints=web
-      - traefik.http.services.event_handler.loadbalancer.server.port=80
+      - traefik.http.routers.event-handler.rule=Host(`${APP_HOSTNAME}`)
+      - traefik.http.routers.event-handler.entrypoints=web
+      - traefik.http.services.event-handler.loadbalancer.server.port=80
       ## Uncomment the following lines to enable TLS via Let's Encrypt:
-      # - traefik.http.routers.event_handler.entrypoints=websecure
-      # - traefik.http.routers.event_handler.tls.certresolver=letsencrypt
+      # - traefik.http.routers.event-handler.entrypoints=websecure
+      # - traefik.http.routers.event-handler.tls.certresolver=letsencrypt
+    stop_grace_period: 120s
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:80/api/ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
     restart: unless-stopped
 
   runner: