thepopebot 1.2.67 → 1.2.69-beta.0

package/README.md

@@ -243,6 +243,80 @@ The `templates/` directory contains files scaffolded into user projects by `thep
 
 ---
 
+## Production Deployment
+
+Deploy your agent to a cloud VPS with HTTPS.
+
+### 1. Server prerequisites
+
+You need a VPS (any provider — Hetzner, DigitalOcean, AWS, etc.) with:
+
+- Docker + Docker Compose
+- Node.js 18+
+- Git
+- GitHub CLI (`gh`)
+
+Point a domain (e.g., `mybot.example.com`) to your server's IP address with a DNS A record.
+
+### 2. Scaffold and configure
+
+SSH into your server and scaffold the project:
+
+```bash
+mkdir my-agent && cd my-agent
+npx thepopebot@latest init
+npm run setup
+```
+
+When the setup wizard asks for `APP_URL`, enter your production URL with `https://` (e.g., `https://mybot.example.com`).
+
+Set the `RUNS_ON` GitHub variable so workflows use your server's self-hosted runner instead of GitHub-hosted runners:
+
+```bash
+gh variable set RUNS_ON --body "self-hosted" --repo OWNER/REPO
+```
+
+### 3. Enable HTTPS (Let's Encrypt)
+
+The `docker-compose.yml` has Let's Encrypt support built in but commented out. Three edits to enable it:
+
+**a) Add your email to `.env`:**
+
+```
+LETSENCRYPT_EMAIL=you@example.com
+```
+
+**b) Uncomment the TLS lines in the traefik service command:**
+
+```yaml
+- --entrypoints.web.http.redirections.entrypoint.to=websecure
+- --entrypoints.web.http.redirections.entrypoint.scheme=https
+- --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
+- --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+```
+
+**c) Switch the event-handler labels from HTTP to HTTPS:**
+
+Comment out the HTTP entrypoint and uncomment the two HTTPS lines:
+
+```yaml
+# - traefik.http.routers.event-handler.entrypoints=web
+- traefik.http.routers.event-handler.entrypoints=websecure
+- traefik.http.routers.event-handler.tls.certresolver=letsencrypt
+```
+
+### 4. Build and launch
+
+```bash
+npm run build
+docker compose up -d
+```
+
+Ports 80 and 443 must be open on your server. Port 80 is required even with HTTPS — Let's Encrypt uses it for the ACME HTTP challenge to verify domain ownership.
+
+---
+
 ## Docs
 
 | Document | Description |

package/bin/cli.js

@@ -50,11 +50,15 @@ function printUsage() {
 Usage: thepopebot <command>
 
 Commands:
-  init               Scaffold a new thepopebot project
-  setup              Run interactive setup wizard
-  setup-telegram     Reconfigure Telegram webhook
-  reset-auth         Regenerate AUTH_SECRET (invalidates all sessions)
-  reset [file]       Restore a template file (or list available templates)
+  init                              Scaffold a new thepopebot project
+  setup                             Run interactive setup wizard
+  setup-telegram                    Reconfigure Telegram webhook
+  reset-auth                        Regenerate AUTH_SECRET (invalidates all sessions)
+  reset [file]                      Restore a template file (or list available templates)
+  diff [file]                       Show differences between project files and package templates
+  set-agent-secret <KEY> [VALUE]    Set a GitHub secret with AGENT_ prefix (also updates .env)
+  set-agent-llm-secret <KEY> [VALUE]  Set a GitHub secret with AGENT_LLM_ prefix
+  set-var <KEY> [VALUE]             Set a GitHub repository variable
 `);
 }
 
@@ -199,6 +203,17 @@ async function init() {
     }
   }
 
+  // Create default skill symlinks (brave-search, browser-tools)
+  const defaultSkills = ['brave-search', 'browser-tools'];
+  for (const skill of defaultSkills) {
+    const symlink = path.join(cwd, '.pi', 'skills', skill);
+    if (!fs.existsSync(symlink)) {
+      fs.mkdirSync(path.dirname(symlink), { recursive: true });
+      fs.symlinkSync(`../../pi-skills/${skill}`, symlink);
+      console.log(`  Created .pi/skills/${skill} → ../../pi-skills/${skill}`);
+    }
+  }
+
   // Report updated managed files
   if (updated.length > 0) {
     console.log('\n  Updated managed files:');
@@ -399,6 +414,115 @@ async function resetAuth() {
   console.log('  Restart your server for the change to take effect.\n');
 }
 
+/**
+ * Load GH_OWNER and GH_REPO from .env
+ */
+function loadRepoInfo() {
+  const envPath = path.join(process.cwd(), '.env');
+  if (!fs.existsSync(envPath)) {
+    console.error('\n  No .env file found. Run "npm run setup" first.\n');
+    process.exit(1);
+  }
+  const content = fs.readFileSync(envPath, 'utf-8');
+  const env = {};
+  for (const line of content.split('\n')) {
+    const match = line.match(/^([^#=]+)=(.*)$/);
+    if (match) env[match[1].trim()] = match[2].trim();
+  }
+  if (!env.GH_OWNER || !env.GH_REPO) {
+    console.error('\n  GH_OWNER and GH_REPO not found in .env. Run "npm run setup" first.\n');
+    process.exit(1);
+  }
+  return { owner: env.GH_OWNER, repo: env.GH_REPO };
+}
+
+/**
+ * Prompt for a secret value interactively if not provided as an argument
+ */
+async function promptForValue(key) {
+  const { default: inquirer } = await import('inquirer');
+  const { value } = await inquirer.prompt([{
+    type: 'password',
+    name: 'value',
+    message: `Enter value for ${key}:`,
+    mask: '*',
+    validate: (input) => input ? true : 'Value is required',
+  }]);
+  return value;
+}
+
+async function setAgentSecret(key, value) {
+  if (!key) {
+    console.error('\n  Usage: thepopebot set-agent-secret <KEY> [VALUE]\n');
+    console.error('  Example: thepopebot set-agent-secret ANTHROPIC_API_KEY\n');
+    process.exit(1);
+  }
+
+  if (!value) value = await promptForValue(key);
+
+  const { owner, repo } = loadRepoInfo();
+  const prefixedName = `AGENT_${key}`;
+
+  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
+  const { updateEnvVariable } = await import(path.join(__dirname, '..', 'setup', 'lib', 'auth.mjs'));
+
+  const result = await setSecret(owner, repo, prefixedName, value);
+  if (result.success) {
+    console.log(`\n  Set GitHub secret: ${prefixedName}`);
+    updateEnvVariable(key, value);
+    console.log(`  Updated .env: ${key}`);
+    console.log('');
+  } else {
+    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
+    process.exit(1);
+  }
+}
+
+async function setAgentLlmSecret(key, value) {
+  if (!key) {
+    console.error('\n  Usage: thepopebot set-agent-llm-secret <KEY> [VALUE]\n');
+    console.error('  Example: thepopebot set-agent-llm-secret BRAVE_API_KEY\n');
+    process.exit(1);
+  }
+
+  if (!value) value = await promptForValue(key);
+
+  const { owner, repo } = loadRepoInfo();
+  const prefixedName = `AGENT_LLM_${key}`;
+
+  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
+
+  const result = await setSecret(owner, repo, prefixedName, value);
+  if (result.success) {
+    console.log(`\n  Set GitHub secret: ${prefixedName}\n`);
+  } else {
+    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
+    process.exit(1);
+  }
+}
+
+async function setVar(key, value) {
+  if (!key) {
+    console.error('\n  Usage: thepopebot set-var <KEY> [VALUE]\n');
+    console.error('  Example: thepopebot set-var LLM_MODEL claude-sonnet-4-5-20250929\n');
+    process.exit(1);
+  }
+
+  if (!value) value = await promptForValue(key);
+
+  const { owner, repo } = loadRepoInfo();
+
+  const { setVariable } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
+
+  const result = await setVariable(owner, repo, key, value);
+  if (result.success) {
+    console.log(`\n  Set GitHub variable: ${key}\n`);
+  } else {
+    console.error(`\n  Failed to set ${key}: ${result.error}\n`);
+    process.exit(1);
+  }
+}
+
 switch (command) {
   case 'init':
     await init();
@@ -418,6 +542,15 @@ switch (command) {
   case 'diff':
     diff(args[0]);
     break;
+  case 'set-agent-secret':
+    await setAgentSecret(args[0], args[1]);
+    break;
+  case 'set-agent-llm-secret':
+    await setAgentLlmSecret(args[0], args[1]);
+    break;
+  case 'set-var':
+    await setVar(args[0], args[1]);
+    break;
   default:
     printUsage();
     process.exit(command ? 1 : 0);

package/lib/ai/agent.js

@@ -1,4 +1,5 @@
 import { createReactAgent } from '@langchain/langgraph/prebuilt';
+import { SystemMessage } from '@langchain/core/messages';
 import { createModel } from './model.js';
 import { createJobTool, getJobStatusTool } from './tools.js';
 import { SqliteSaver } from '@langchain/langgraph-checkpoint-sqlite';
@@ -10,19 +11,19 @@ let _agent = null;
 /**
  * Get or create the LangGraph agent singleton.
  * Uses createReactAgent which handles the tool loop automatically.
+ * Prompt is a function so {{datetime}} resolves fresh each invocation.
  */
 export async function getAgent() {
   if (!_agent) {
     const model = await createModel();
     const tools = [createJobTool, getJobStatusTool];
     const checkpointer = SqliteSaver.fromConnString(thepopebotDb);
-    const systemPrompt = render_md(chatbotMd);
 
     _agent = createReactAgent({
       llm: model,
       tools,
       checkpointSaver: checkpointer,
-      prompt: systemPrompt,
+      prompt: (state) => [new SystemMessage(render_md(chatbotMd)), ...state.messages],
     });
   }
   return _agent;

package/lib/cron.js

@@ -35,8 +35,11 @@ function setUpdateAvailable(v) {
  * @returns {boolean} true if candidate > baseline
  */
 function isVersionNewer(candidate, baseline) {
+  // Pre-release candidate is never "newer" for upgrade purposes
+  if (candidate.includes('-')) return false;
+
   const a = candidate.split('.').map(Number);
-  const b = baseline.split('.').map(Number);
+  const b = baseline.replace(/-.*$/, '').split('.').map(Number);
   for (let i = 0; i < Math.max(a.length, b.length); i++) {
     const av = a[i] || 0;
     const bv = b[i] || 0;

package/lib/utils/render-md.js

@@ -3,9 +3,27 @@ import path from 'path';
 import { PROJECT_ROOT } from '../paths.js';
 
 const INCLUDE_PATTERN = /\{\{([^}]+\.md)\}\}/g;
+const VARIABLE_PATTERN = /\{\{(datetime)\}\}/gi;
 
 /**
- * Render a markdown file, resolving {{filepath}} includes recursively.
+ * Resolve built-in variables like {{datetime}}.
+ * @param {string} content - Content with possible variable placeholders
+ * @returns {string} Content with variables resolved
+ */
+function resolveVariables(content) {
+  return content.replace(VARIABLE_PATTERN, (match, variable) => {
+    switch (variable.toLowerCase()) {
+      case 'datetime':
+        return new Date().toISOString();
+      default:
+        return match;
+    }
+  });
+}
+
+/**
+ * Render a markdown file, resolving {{filepath}} includes recursively
+ * and {{datetime}} built-in variables.
  * Referenced file paths resolve relative to the project root.
  * @param {string} filePath - Absolute path to the markdown file
  * @param {string[]} [chain=[]] - Already-resolved file paths (for circular detection)
@@ -27,13 +45,15 @@ function render_md(filePath, chain = []) {
   const content = fs.readFileSync(resolved, 'utf8');
   const currentChain = [...chain, resolved];
 
-  return content.replace(INCLUDE_PATTERN, (match, includePath) => {
+  const withIncludes = content.replace(INCLUDE_PATTERN, (match, includePath) => {
     const includeResolved = path.resolve(PROJECT_ROOT, includePath.trim());
     if (!fs.existsSync(includeResolved)) {
       return match;
     }
     return render_md(includeResolved, currentChain);
   });
+
+  return resolveVariables(withIncludes);
 }
 
 export { render_md };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.67",
+  "version": "1.2.69-beta.0",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/setup/lib/auth.mjs

@@ -39,41 +39,6 @@ export async function validateAnthropicKey(key) {
   }
 }
 
-/**
- * Build flat secrets JSON for SECRETS GitHub secret.
- * Takes a flat { ENV_VAR: value } map of collected keys.
- * entrypoint.sh decodes and exports each as an env var.
- */
-export function buildSecretsJson(pat, collectedKeys) {
-  return { GH_TOKEN: pat, ...collectedKeys };
-}
-
-/**
- * Encode secrets to base64 for SECRETS GitHub secret
- */
-export function encodeSecretsBase64(pat, collectedKeys) {
-  const secrets = buildSecretsJson(pat, collectedKeys);
-  return Buffer.from(JSON.stringify(secrets)).toString('base64');
-}
-
-/**
- * Build LLM secrets JSON for LLM_SECRETS GitHub secret.
- * These credentials are accessible to the LLM (not filtered by env-sanitizer).
- */
-export function buildLlmSecretsJson(llmKeys) {
-  return { ...llmKeys };
-}
-
-/**
- * Encode LLM secrets to base64 for LLM_SECRETS GitHub secret.
- * Returns null if no LLM secrets are configured.
- */
-export function encodeLlmSecretsBase64(llmKeys) {
-  const secrets = buildLlmSecretsJson(llmKeys);
-  if (Object.keys(secrets).length === 0) return null;
-  return Buffer.from(JSON.stringify(secrets)).toString('base64');
-}
-
 /**
  * Generate .pi/agent/models.json for providers not built into PI.
  * PI resolves the apiKey field as an env var name at runtime ($ENV_VAR).

package/setup/setup.mjs

@@ -37,8 +37,6 @@ import {
   writeEnvFile,
   updateEnvVariable,
   writeModelsJson,
-  encodeSecretsBase64,
-  encodeLlmSecretsBase64,
 } from './lib/auth.mjs';
 
 const logo = `
@@ -575,24 +573,24 @@ async function main() {
   }
 
   // Skip GitHub secrets if nothing changed on re-run
-  let llmSecretsBase64 = null;
+  let secrets = null;
   if (isRerun && !credentialsChanged && env?.GH_WEBHOOK_SECRET) {
     printSuccess('GitHub secrets unchanged');
     webhookSecret = env.GH_WEBHOOK_SECRET;
   } else {
     webhookSecret = generateWebhookSecret();
-    const secretsBase64 = encodeSecretsBase64(pat, collectedKeys);
-    const llmKeys = {};
-    if (braveKey) llmKeys.BRAVE_API_KEY = braveKey;
-    llmSecretsBase64 = encodeLlmSecretsBase64(llmKeys);
 
-    const secrets = {
-      SECRETS: secretsBase64,
+    secrets = {
       GH_WEBHOOK_SECRET: webhookSecret,
+      AGENT_GH_TOKEN: pat,
     };
 
-    if (llmSecretsBase64) {
-      secrets.LLM_SECRETS = llmSecretsBase64;
+    for (const [key, value] of Object.entries(collectedKeys)) {
+      if (value) secrets[`AGENT_${key}`] = value;
+    }
+
+    if (braveKey) {
+      secrets.AGENT_LLM_BRAVE_API_KEY = braveKey;
     }
 
     let allSecretsSet = false;
@@ -623,6 +621,12 @@ async function main() {
       LLM_PROVIDER: agentProvider,
       LLM_MODEL: agentModel,
     };
+    if (openaiBaseUrl) {
+      defaultVars.OPENAI_BASE_URL = openaiBaseUrl;
+    }
+    if (agentProvider === 'custom') {
+      defaultVars.RUNS_ON = 'self-hosted';
+    }
 
     let allVarsSet = false;
     while (!allVarsSet) {
@@ -821,11 +825,11 @@ async function main() {
   }
   if (braveKey) console.log(`  ${chalk.dim('Brave Search:')}    ${maskSecret(braveKey)}`);
 
-  if (!isRerun || credentialsChanged) {
+  if (secrets) {
     console.log(chalk.bold('\n  GitHub Secrets Set:\n'));
-    console.log('  \u2022 SECRETS');
-    if (llmSecretsBase64) console.log('  \u2022 LLM_SECRETS');
-    console.log('  \u2022 GH_WEBHOOK_SECRET');
+    for (const name of Object.keys(secrets)) {
+      console.log(`  \u2022 ${name}`);
+    }
 
     console.log(chalk.bold('\n  GitHub Variables Set:\n'));
     console.log('  \u2022 APP_URL');
@@ -833,6 +837,8 @@ async function main() {
     console.log('  \u2022 ALLOWED_PATHS = /logs');
     console.log(`  \u2022 LLM_PROVIDER = ${agentProvider}`);
     console.log(`  \u2022 LLM_MODEL = ${agentModel}`);
+    if (openaiBaseUrl) console.log(`  \u2022 OPENAI_BASE_URL = ${openaiBaseUrl}`);
+    if (agentProvider === 'custom') console.log('  \u2022 RUNS_ON = self-hosted');
   }
 
   console.log(chalk.bold.green('\n  You\'re all set!\n'));

package/templates/.github/workflows/run-job.yml

@@ -35,10 +35,12 @@ jobs:
 
       - name: Run thepopebot Agent
         env:
+          ALL_SECRETS: ${{ toJson(secrets) }}
           JOB_IMAGE_URL: ${{ vars.JOB_IMAGE_URL }}
           THEPOPEBOT_VERSION: ${{ steps.version.outputs.tag }}
           LLM_MODEL: ${{ vars.LLM_MODEL }}
           LLM_PROVIDER: ${{ vars.LLM_PROVIDER }}
+          OPENAI_BASE_URL: ${{ vars.OPENAI_BASE_URL }}
         run: |
           if [ -n "$JOB_IMAGE_URL" ]; then
             IMAGE="${JOB_IMAGE_URL}:latest"
@@ -46,11 +48,23 @@ jobs:
             IMAGE="stephengpope/thepopebot:job-${THEPOPEBOT_VERSION}"
           fi
           echo "Using image: $IMAGE"
+
+          # Build SECRETS JSON from AGENT_* (excluding AGENT_LLM_*) secrets
+          export SECRETS=$(echo "$ALL_SECRETS" | jq -c '
+            [to_entries[] | select(.key | startswith("AGENT_")) | select(.key | startswith("AGENT_LLM_") | not)]
+            | map({key: (.key | sub("^AGENT_"; "")), value: .value}) | from_entries')
+
+          # Build LLM_SECRETS JSON from AGENT_LLM_* secrets
+          export LLM_SECRETS=$(echo "$ALL_SECRETS" | jq -c '
+            [to_entries[] | select(.key | startswith("AGENT_LLM_"))]
+            | map({key: (.key | sub("^AGENT_LLM_"; "")), value: .value}) | from_entries')
+
           docker run --rm \
             -e REPO_URL="${{ github.server_url }}/${{ github.repository }}.git" \
             -e BRANCH="${{ github.ref_name }}" \
-            -e SECRETS='${{ secrets.SECRETS }}' \
-            -e LLM_SECRETS='${{ secrets.LLM_SECRETS }}' \
+            -e SECRETS \
+            -e LLM_SECRETS \
             -e LLM_MODEL="${LLM_MODEL}" \
             -e LLM_PROVIDER="${LLM_PROVIDER}" \
+            -e OPENAI_BASE_URL="${OPENAI_BASE_URL}" \
             "$IMAGE"

package/templates/.gitignore.template

@@ -10,8 +10,8 @@
 # Pi system prompt (generated at runtime from SOUL.md)
 .pi/SYSTEM.md
 
-# Pi skills symlinked at runtime from /pi-skills in Docker
-.pi/skills/brave-search
+# Pi skills dependencies (installed at runtime in Docker for correct arch)
+pi-skills/*/node_modules/
 
 # Node
 node_modules/

package/templates/.pi/skills/llm-secrets/llm-secrets.js

@@ -9,16 +9,15 @@
  * To get a value, use: echo $KEY_NAME
  */
 
-const secretsBase64 = process.env.LLM_SECRETS;
+const secretsJson = process.env.LLM_SECRETS;
 
-if (!secretsBase64) {
+if (!secretsJson) {
   console.log('No LLM_SECRETS configured.');
   process.exit(0);
 }
 
 try {
-  const decoded = Buffer.from(secretsBase64, 'base64').toString('utf-8');
-  const parsed = JSON.parse(decoded);
+  const parsed = JSON.parse(secretsJson);
   const keys = Object.keys(parsed);
 
   if (keys.length === 0) {

package/templates/CLAUDE.md.template

@@ -9,7 +9,8 @@ This is an autonomous AI agent powered by [thepopebot](https://github.com/stephe
 ```
 /
 ├── .github/workflows/          # CI/CD workflows (managed by thepopebot)
-├── .pi/skills/                 # Custom Pi agent skills
+├── .pi/skills/                 # Symlinks to active Pi agent skills
+├── pi-skills/                  # All available Pi agent skills (from thepopebot package)
 ├── config/                     # Agent configuration
 │   ├── SOUL.md                 # Agent personality and identity
 │   ├── CHATBOT.md              # Telegram chat system prompt
@@ -39,7 +40,8 @@ This is an autonomous AI agent powered by [thepopebot](https://github.com/stephe
 ## Customization
 
 - **config/** — Agent personality, prompts, crons, triggers
-- **.pi/skills/** — Custom Pi agent skills
+- **pi-skills/** — All available Pi agent skills (brave-search, browser-tools, youtube-transcript, etc.)
+- **.pi/skills/** — Symlinks to active skills (e.g., `ln -s ../../pi-skills/youtube-transcript .pi/skills/youtube-transcript`)
 - **cron/** and **triggers/** — Shell scripts for command-type actions
 - **app/** — Add Next.js pages, API routes, components
 

package/templates/config/AGENT.md

@@ -29,4 +29,6 @@ So you can assume that:
 
 **Always** use `/job/tmp/` for any temporary files you create.
 
-Scripts in `/job/tmp/` can use `__dirname`-relative paths (e.g., `../docs/data.json`) to reference repo files, because they're inside the repo tree. The `.gitignore` excludes `tmp/` so nothing in this directory gets committed.
+Scripts in `/job/tmp/` can use `__dirname`-relative paths (e.g., `../docs/data.json`) to reference repo files, because they're inside the repo tree. The `.gitignore` excludes `tmp/` so nothing in this directory gets committed.
+
+Current datetime: {{datetime}}

package/templates/config/CHATBOT.md

@@ -83,3 +83,5 @@ Below are technical details on how thepopebot is built.
 - Use these to help generate a solid plan when creating tasks or jobs that modify thepopebot codebase
 
 {{CLAUDE.md}}
+
+Current datetime: {{datetime}}

package/templates/docker/job/Dockerfile

@@ -36,13 +36,6 @@ RUN npm install -g @mariozechner/pi-coding-agent
 # Create Pi config directory (extension loaded from repo at runtime)
 RUN mkdir -p /root/.pi/agent
 
-# Clone pi-skills and install browser-tools (includes Puppeteer + Chromium)
-RUN git clone https://github.com/badlogic/pi-skills.git /pi-skills
-WORKDIR /pi-skills/browser-tools
-RUN npm install
-WORKDIR /pi-skills/brave-search
-RUN npm install
-
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

package/templates/docker/job/entrypoint.sh

@@ -9,25 +9,16 @@ else
 fi
 echo "Job ID: ${JOB_ID}"
 
-# Start Chrome (using Puppeteer's chromium from pi-skills browser-tools)
-CHROME_BIN=$(find /root/.cache/puppeteer -name "chrome" -type f | head -1)
-$CHROME_BIN --headless --no-sandbox --disable-gpu --remote-debugging-port=9222 2>/dev/null &
-CHROME_PID=$!
-sleep 2
-
-# Export SECRETS (base64 JSON) as flat env vars (GH_TOKEN, ANTHROPIC_API_KEY, etc.)
+# Export SECRETS (JSON) as flat env vars (GH_TOKEN, ANTHROPIC_API_KEY, etc.)
 # These are filtered from LLM's bash subprocess by env-sanitizer extension
 if [ -n "$SECRETS" ]; then
-    SECRETS_JSON=$(echo "$SECRETS" | base64 -d)
-    eval $(echo "$SECRETS_JSON" | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""')
-    export SECRETS="$SECRETS_JSON"  # Keep decoded for extension to parse
+    eval $(echo "$SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""')
 fi
 
-# Export LLM_SECRETS (base64 JSON) as flat env vars
+# Export LLM_SECRETS (JSON) as flat env vars
 # These are NOT filtered - LLM can access these (browser logins, skill API keys, etc.)
 if [ -n "$LLM_SECRETS" ]; then
-    LLM_SECRETS_JSON=$(echo "$LLM_SECRETS" | base64 -d)
-    eval $(echo "$LLM_SECRETS_JSON" | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""')
+    eval $(echo "$LLM_SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""')
 fi
 
 # Git setup - derive identity from GitHub token
@@ -50,8 +41,22 @@ cd /job
 # Create temp directory for agent use (gitignored via tmp/)
 mkdir -p /job/tmp
 
-# Symlink pi-skills into .pi/skills/ so Pi discovers them
-ln -sf /pi-skills/brave-search /job/.pi/skills/brave-search
+# Install npm deps for symlinked skills (native deps need correct Linux arch)
+for skill_dir in /job/.pi/skills/*/; do
+    if [ -f "${skill_dir}package.json" ]; then
+        echo "Installing skill deps: $(basename "$skill_dir")"
+        (cd "$skill_dir" && npm install --production)
+    fi
+done
+
+# Start Chrome if available (installed by browser-tools skill via Puppeteer)
+CHROME_PID=""
+CHROME_BIN=$(find /root/.cache/puppeteer -name "chrome" -type f 2>/dev/null | head -1)
+if [ -n "$CHROME_BIN" ]; then
+    $CHROME_BIN --headless --no-sandbox --disable-gpu --remote-debugging-port=9222 2>/dev/null &
+    CHROME_PID=$!
+    sleep 2
+fi
 
 # Setup logs
 LOG_DIR="/job/logs/${JOB_ID}"
@@ -67,6 +72,9 @@ for i in "${!SYSTEM_FILES[@]}"; do
     fi
 done
 
+# Resolve {{datetime}} variable in SYSTEM.md
+sed -i "s/{{datetime}}/$(date -u +"%Y-%m-%dT%H:%M:%SZ")/g" /job/.pi/SYSTEM.md
+
 PROMPT="
 
 # Your Job
@@ -80,7 +88,27 @@ if [ -n "$LLM_MODEL" ]; then
     MODEL_FLAGS="$MODEL_FLAGS --model $LLM_MODEL"
 fi
 
-# Copy custom models.json to PI's global config if present in repo
+# Generate models.json for custom provider (OpenAI-compatible endpoints like Ollama)
+if [ "$LLM_PROVIDER" = "custom" ] && [ -n "$OPENAI_BASE_URL" ]; then
+    # If no API key was provided, set a dummy so Pi doesn't send empty auth
+    if [ -z "$CUSTOM_API_KEY" ]; then
+        export CUSTOM_API_KEY="not-needed"
+    fi
+    cat > /root/.pi/agent/models.json <<MODELS
+{
+  "providers": {
+    "custom": {
+      "baseUrl": "$OPENAI_BASE_URL",
+      "api": "openai-completions",
+      "apiKey": "CUSTOM_API_KEY",
+      "models": [{ "id": "$LLM_MODEL" }]
+    }
+  }
+}
+MODELS
+fi
+
+# Copy custom models.json to PI's global config if present in repo (overrides generated)
 if [ -f "/job/.pi/agent/models.json" ]; then
     mkdir -p /root/.pi/agent
     cp /job/.pi/agent/models.json /root/.pi/agent/models.json
@@ -104,5 +132,7 @@ git push origin
 gh pr create --title "thepopebot: job ${JOB_ID}" --body "Automated job" --base main || true
 
 # Cleanup
-kill $CHROME_PID 2>/dev/null || true
+if [ -n "$CHROME_PID" ]; then
+    kill $CHROME_PID 2>/dev/null || true
+fi
 echo "Done. Job ID: ${JOB_ID}"