thepopebot 1.2.74-beta.3 → 1.2.74-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/lib/github-api.js +14 -2
  2. package/package.json +1 -1
  3. package/setup/lib/targets.mjs +1 -1
  4. package/setup/setup.mjs +1 -0
package/lib/github-api.js CHANGED
@@ -60,16 +60,28 @@ export async function listGitHubSecrets() {
60
60
  }
61
61
 
62
62
  /**
63
- * Set a repository secret.
63
+ * Set a repository secret (encrypted with repo public key per GitHub API requirement).
64
64
  */
65
65
  export async function setGitHubSecret(name, value) {
66
66
  const repo = getRepoPath();
67
67
  if (!repo) return { error: 'GitHub not configured' };
68
68
  try {
69
+ const pubKey = await ghFetch(`/repos/${repo}/actions/secrets/public-key`);
70
+
71
+ const sodium = await import('libsodium-wrappers');
72
+ await sodium.default.ready;
73
+ const binKey = sodium.default.from_base64(pubKey.key, sodium.default.base64_variants.ORIGINAL);
74
+ const binValue = sodium.default.from_string(value);
75
+ const encrypted = sodium.default.crypto_box_seal(binValue, binKey);
76
+ const encryptedBase64 = sodium.default.to_base64(encrypted, sodium.default.base64_variants.ORIGINAL);
77
+
69
78
  await ghFetch(`/repos/${repo}/actions/secrets/${name}`, {
70
79
  method: 'PUT',
71
80
  headers: { 'Content-Type': 'application/json' },
72
- body: JSON.stringify({ value }),
81
+ body: JSON.stringify({
82
+ encrypted_value: encryptedBase64,
83
+ key_id: pubKey.key_id,
84
+ }),
73
85
  });
74
86
  return { success: true };
75
87
  } catch (err) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "thepopebot",
3
- "version": "1.2.74-beta.3",
3
+ "version": "1.2.74-beta.4",
4
4
  "type": "module",
5
5
  "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
6
6
  "bin": {
package/setup/lib/targets.mjs CHANGED
@@ -15,7 +15,7 @@
15
15
  */
16
16
  export const CONFIG_TARGETS = {
17
17
  // Secrets → DB encrypted (never .env)
18
- GH_TOKEN: { dbSecret: true, secret: 'AGENT_GH_TOKEN' },
18
+ GH_TOKEN: { env: true, dbSecret: true, secret: 'AGENT_GH_TOKEN' },
19
19
  ANTHROPIC_API_KEY: { dbSecret: true, secret: 'AGENT_ANTHROPIC_API_KEY' },
20
20
  OPENAI_API_KEY: { dbSecret: true, secret: 'AGENT_OPENAI_API_KEY' },
21
21
  GOOGLE_API_KEY: { dbSecret: true, secret: 'AGENT_GOOGLE_API_KEY' },
package/setup/setup.mjs CHANGED
@@ -315,6 +315,7 @@ async function main() {
315
315
  ' Contents: Read and write\n' +
316
316
  ' Metadata: Read-only (required, auto-selected)\n' +
317
317
  ' Pull requests: Read and write\n' +
318
+ ' Secrets: Read and write (required for managing agent secrets from UI)\n' +
318
319
  ' Workflows: Read and write'
319
320
  );
320
321