thepopebot 1.2.57 → 1.2.59

package/README.md

@@ -200,6 +200,22 @@ Pushing to `main` triggers the `rebuild-event-handler.yml` workflow on your serv
 
 ---
 
+## Template File Conventions
+
+The `templates/` directory contains files scaffolded into user projects by `thepopebot init`. Two naming conventions handle files that npm or AI tools would otherwise misinterpret:
+
+**`.template` suffix** — Files ending in `.template` are scaffolded with the suffix stripped. This is used for files that npm mangles (`.gitignore`) or that AI tools would pick up as real project docs (`CLAUDE.md`).
+
+| In `templates/` | Scaffolded as |
+|-----------------|---------------|
+| `.gitignore.template` | `.gitignore` |
+| `CLAUDE.md.template` | `CLAUDE.md` |
+| `api/CLAUDE.md.template` | `api/CLAUDE.md` |
+
+**`CLAUDE.md` exclusion** — The scaffolding walker skips any file named `CLAUDE.md` (without the `.template` suffix). This is a safety net so a bare `CLAUDE.md` accidentally added to `templates/` never gets copied into user projects where AI tools would confuse it with real project instructions.
+
+---
+
 ## Docs
 
 | Document | Description |

package/api/index.js

@@ -161,12 +161,9 @@ async function processChannelMessage(adapter, normalized) {
 async function handleGithubWebhook(request) {
   const { GH_WEBHOOK_SECRET } = process.env;
 
-  // Validate webhook secret (timing-safe)
-  if (GH_WEBHOOK_SECRET) {
-    const headerSecret = request.headers.get('x-github-webhook-secret-token');
-    if (!safeCompare(headerSecret, GH_WEBHOOK_SECRET)) {
-      return Response.json({ error: 'Unauthorized' }, { status: 401 });
-    }
+  // Validate webhook secret (timing-safe, required)
+  if (!GH_WEBHOOK_SECRET || !safeCompare(request.headers.get('x-github-webhook-secret-token'), GH_WEBHOOK_SECRET)) {
+    return Response.json({ error: 'Unauthorized' }, { status: 401 });
   }
 
   const payload = await request.json();

package/bin/cli.js

@@ -25,6 +25,26 @@ function isManaged(relPath) {
   return MANAGED_PATHS.some(p => relPath === p || relPath.startsWith(p));
 }
 
+// Files that must never be scaffolded directly (use .template suffix instead).
+const EXCLUDED_FILENAMES = ['CLAUDE.md'];
+
+// Files ending in .template are scaffolded with the suffix stripped.
+// e.g. .gitignore.template → .gitignore, CLAUDE.md.template → CLAUDE.md
+function destPath(templateRelPath) {
+  if (templateRelPath.endsWith('.template')) {
+    return templateRelPath.slice(0, -'.template'.length);
+  }
+  return templateRelPath;
+}
+
+function templatePath(userPath, templatesDir) {
+  const withSuffix = userPath + '.template';
+  if (fs.existsSync(path.join(templatesDir, withSuffix))) {
+    return withSuffix;
+  }
+  return userPath;
+}
+
 function printUsage() {
   console.log(`
 Usage: thepopebot <command>
@@ -49,7 +69,7 @@ function getTemplateFiles(templatesDir) {
       const fullPath = path.join(dir, entry.name);
       if (entry.isDirectory()) {
         walk(fullPath);
-      } else {
+      } else if (!EXCLUDED_FILENAMES.includes(entry.name)) {
         files.push(path.relative(templatesDir, fullPath));
       }
     }
@@ -58,12 +78,47 @@ function getTemplateFiles(templatesDir) {
   return files;
 }
 
-function init() {
-  const cwd = process.cwd();
+async function init() {
+  let cwd = process.cwd();
   const packageDir = path.join(__dirname, '..');
   const templatesDir = path.join(packageDir, 'templates');
   const noManaged = args.includes('--no-managed');
 
+  // Guard: warn if the directory is not empty (unless it's an existing thepopebot project)
+  const entries = fs.readdirSync(cwd);
+  if (entries.length > 0) {
+    const pkgPath = path.join(cwd, 'package.json');
+    let isExistingProject = false;
+    if (fs.existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+        const deps = pkg.dependencies || {};
+        const devDeps = pkg.devDependencies || {};
+        if (deps.thepopebot || devDeps.thepopebot) {
+          isExistingProject = true;
+        }
+      } catch {}
+    }
+
+    if (!isExistingProject) {
+      console.log('\nThis directory is not empty.');
+      const { default: inquirer } = await import('inquirer');
+      const { dirName } = await inquirer.prompt([
+        {
+          type: 'input',
+          name: 'dirName',
+          message: 'Project directory name:',
+          default: 'my-popebot',
+        },
+      ]);
+      const newDir = path.resolve(cwd, dirName);
+      fs.mkdirSync(newDir, { recursive: true });
+      process.chdir(newDir);
+      cwd = newDir;
+      console.log(`\nCreated ${dirName}/`);
+    }
+  }
+
   console.log('\nScaffolding thepopebot project...\n');
 
   const templateFiles = getTemplateFiles(templatesDir);
@@ -74,29 +129,30 @@ function init() {
 
   for (const relPath of templateFiles) {
     const src = path.join(templatesDir, relPath);
-    const dest = path.join(cwd, relPath);
+    const outPath = destPath(relPath);
+    const dest = path.join(cwd, outPath);
 
     if (!fs.existsSync(dest)) {
       // File doesn't exist — create it
       fs.mkdirSync(path.dirname(dest), { recursive: true });
       fs.copyFileSync(src, dest);
-      created.push(relPath);
-      console.log(`  Created ${relPath}`);
+      created.push(outPath);
+      console.log(`  Created ${outPath}`);
     } else {
       // File exists — check if template has changed
       const srcContent = fs.readFileSync(src);
       const destContent = fs.readFileSync(dest);
       if (srcContent.equals(destContent)) {
-        skipped.push(relPath);
-      } else if (!noManaged && isManaged(relPath)) {
+        skipped.push(outPath);
+      } else if (!noManaged && isManaged(outPath)) {
         // Managed file differs — auto-update to match package
         fs.mkdirSync(path.dirname(dest), { recursive: true });
         fs.copyFileSync(src, dest);
-        updated.push(relPath);
-        console.log(`  Updated ${relPath}`);
+        updated.push(outPath);
+        console.log(`  Updated ${outPath}`);
       } else {
-        changed.push(relPath);
-        console.log(`  Skipped ${relPath} (already exists)`);
+        changed.push(outPath);
+        console.log(`  Skipped ${outPath} (already exists)`);
       }
     }
   }
@@ -163,14 +219,6 @@ function init() {
     console.log('  To reset to default:  npx thepopebot reset <file>');
   }
 
-  // Handle gitignore rename (npm strips .gitignore from packages)
-  const gitignoreSrc = path.join(templatesDir, 'gitignore');
-  const gitignoreDest = path.join(cwd, '.gitignore');
-  if (fs.existsSync(gitignoreSrc) && !fs.existsSync(gitignoreDest)) {
-    fs.copyFileSync(gitignoreSrc, gitignoreDest);
-    console.log('  Created .gitignore');
-  }
-
   // Run npm install
   console.log('\nInstalling dependencies...\n');
   execSync('npm install', { stdio: 'inherit', cwd });
@@ -207,14 +255,15 @@ function reset(filePath) {
     console.log('\nAvailable template files:\n');
     const files = getTemplateFiles(templatesDir);
     for (const file of files) {
-      console.log(`  ${file}`);
+      console.log(`  ${destPath(file)}`);
     }
     console.log('\nUsage: thepopebot reset <file>');
     console.log('Example: thepopebot reset config/SOUL.md\n');
     return;
   }
 
-  const src = path.join(templatesDir, filePath);
+  const tmplPath = templatePath(filePath, templatesDir);
+  const src = path.join(templatesDir, tmplPath);
   const dest = path.join(cwd, filePath);
 
   if (!fs.existsSync(src)) {
@@ -225,7 +274,7 @@ function reset(filePath) {
 
   if (fs.statSync(src).isDirectory()) {
     console.log(`\nRestoring ${filePath}/...\n`);
-    copyDirSyncForce(src, dest);
+    copyDirSyncForce(src, dest, tmplPath);
   } else {
     fs.mkdirSync(path.dirname(dest), { recursive: true });
     fs.copyFileSync(src, dest);
@@ -248,16 +297,17 @@ function diff(filePath) {
     let anyDiff = false;
     for (const file of files) {
       const src = path.join(templatesDir, file);
-      const dest = path.join(cwd, file);
+      const outPath = destPath(file);
+      const dest = path.join(cwd, outPath);
       if (fs.existsSync(dest)) {
         const srcContent = fs.readFileSync(src);
         const destContent = fs.readFileSync(dest);
         if (!srcContent.equals(destContent)) {
-          console.log(`  ${file}`);
+          console.log(`  ${outPath}`);
           anyDiff = true;
         }
       } else {
-        console.log(`  ${file} (missing)`);
+        console.log(`  ${outPath} (missing)`);
         anyDiff = true;
       }
     }
@@ -269,7 +319,8 @@ function diff(filePath) {
     return;
   }
 
-  const src = path.join(templatesDir, filePath);
+  const tmplPath = templatePath(filePath, templatesDir);
+  const src = path.join(templatesDir, tmplPath);
   const dest = path.join(cwd, filePath);
 
   if (!fs.existsSync(src)) {
@@ -293,17 +344,22 @@ function diff(filePath) {
   }
 }
 
-function copyDirSyncForce(src, dest) {
+function copyDirSyncForce(src, dest, templateRelBase = '') {
   fs.mkdirSync(dest, { recursive: true });
   const entries = fs.readdirSync(src, { withFileTypes: true });
   for (const entry of entries) {
+    if (EXCLUDED_FILENAMES.includes(entry.name)) continue;
     const srcPath = path.join(src, entry.name);
-    const destPath = path.join(dest, entry.name);
+    const templateRel = templateRelBase
+      ? path.join(templateRelBase, entry.name)
+      : entry.name;
+    const outName = path.basename(destPath(templateRel));
+    const destFile = path.join(dest, outName);
     if (entry.isDirectory()) {
-      copyDirSyncForce(srcPath, destPath);
+      copyDirSyncForce(srcPath, destFile, templateRel);
     } else {
-      fs.copyFileSync(srcPath, destPath);
-      console.log(`  Restored ${path.relative(process.cwd(), destPath)}`);
+      fs.copyFileSync(srcPath, destFile);
+      console.log(`  Restored ${path.relative(process.cwd(), destFile)}`);
     }
   }
 }
@@ -345,7 +401,7 @@ async function resetAuth() {
 
 switch (command) {
   case 'init':
-    init();
+    await init();
     break;
   case 'setup':
     setup();

package/config/index.js

@@ -16,6 +16,8 @@ export function withThepopebot(nextConfig = {}) {
     serverExternalPackages: [
       ...(nextConfig.serverExternalPackages || []),
       'better-sqlite3',
+      'drizzle-orm',
+      'bcrypt-ts',
     ],
   };
 }

package/lib/auth/config.js

@@ -1,10 +1,9 @@
 import NextAuth from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
-
-// DB imports are dynamic inside authorize() so they don't get pulled in
-// at module level — middleware runs on Edge which has no fs/better-sqlite3.
+import { authConfig } from './edge-config.js';
 
 export const { handlers, signIn, signOut, auth } = NextAuth({
+  ...authConfig,
   providers: [
     Credentials({
       credentials: {
@@ -25,21 +24,4 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
       },
     }),
   ],
-  session: { strategy: 'jwt' },
-  pages: { signIn: '/login' },
-  callbacks: {
-    jwt({ token, user }) {
-      if (user) {
-        token.role = user.role;
-      }
-      return token;
-    },
-    session({ session, token }) {
-      if (session.user) {
-        session.user.id = token.sub;
-        session.user.role = token.role;
-      }
-      return session;
-    },
-  },
 });

package/lib/auth/edge-config.js

@@ -0,0 +1,26 @@
+/**
+ * Edge-safe auth configuration — shared between middleware and server.
+ * Contains only JWT/session/callbacks/pages config. No providers, no DB imports.
+ * Both instances use the same AUTH_SECRET for JWT signing/verification.
+ *
+ * Official pattern: https://authjs.dev/guides/edge-compatibility
+ */
+export const authConfig = {
+  session: { strategy: 'jwt' },
+  pages: { signIn: '/login' },
+  callbacks: {
+    jwt({ token, user }) {
+      if (user) {
+        token.role = user.role;
+      }
+      return token;
+    },
+    session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.sub;
+        session.user.role = token.role;
+      }
+      return session;
+    },
+  },
+};

package/lib/auth/middleware.js

@@ -1,6 +1,9 @@
-import { auth } from './config.js';
+import NextAuth from 'next-auth';
+import { authConfig } from './edge-config.js';
 import { NextResponse } from 'next/server';
 
+const { auth } = NextAuth(authConfig);
+
 export const middleware = auth((req) => {
   const { pathname } = req.nextUrl;
 

package/lib/channels/telegram.js

@@ -21,12 +21,14 @@ class TelegramAdapter extends ChannelAdapter {
   async receive(request) {
     const { TELEGRAM_WEBHOOK_SECRET, TELEGRAM_CHAT_ID, TELEGRAM_VERIFICATION } = process.env;
 
-    // Validate secret token if configured
-    if (TELEGRAM_WEBHOOK_SECRET) {
-      const headerSecret = request.headers.get('x-telegram-bot-api-secret-token');
-      if (headerSecret !== TELEGRAM_WEBHOOK_SECRET) {
-        return null;
-      }
+    // Validate secret token (required)
+    if (!TELEGRAM_WEBHOOK_SECRET) {
+      console.error('[telegram] TELEGRAM_WEBHOOK_SECRET not configured — rejecting webhook');
+      return null;
+    }
+    const headerSecret = request.headers.get('x-telegram-bot-api-secret-token');
+    if (headerSecret !== TELEGRAM_WEBHOOK_SECRET) {
+      return null;
     }
 
     const update = await request.json();

package/lib/db/api-keys.js

@@ -1,4 +1,4 @@
-import { randomUUID, randomBytes, createHash } from 'crypto';
+import { randomUUID, randomBytes, createHash, timingSafeEqual } from 'crypto';
 import { eq } from 'drizzle-orm';
 import { getDb } from './index.js';
 import { settings } from './schema.js';
@@ -137,7 +137,10 @@ export function verifyApiKey(rawKey) {
   const keyHash = hashApiKey(rawKey);
   const cached = _ensureCache();
 
-  if (!cached || cached.keyHash !== keyHash) return null;
+  if (!cached) return null;
+  const a = Buffer.from(cached.keyHash, 'hex');
+  const b = Buffer.from(keyHash, 'hex');
+  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
 
   // Update last_used_at in background (non-blocking)
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.57",
+  "version": "1.2.59",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {