thepopebot 1.2.74-beta.39 → 1.2.74-beta.40

package/bin/CLAUDE.md

@@ -13,8 +13,6 @@ Entry point: `cli.js` (invoked via `npx thepopebot <command>`).
 | `reset [file]` | Restore a template file to defaults |
 | `diff [file]` | Show diff between user file and package template |
 | `reset-auth` | Regenerate `AUTH_SECRET` (invalidates all sessions) |
-| `set-agent-secret <KEY> [VALUE]` | Set GitHub secret with `AGENT_` prefix + update `.env` |
-| `set-agent-llm-secret <KEY> [VALUE]` | Set GitHub secret with `AGENT_LLM_` prefix |
 | `set-var <KEY> [VALUE]` | Set GitHub repository variable |
 | `user:password <email>` | Change user password |
 | `sync <path>` | Dev helper — sync local package to test install |

package/bin/cli.js

@@ -57,8 +57,6 @@ Commands:
   reset [file]                      Restore a template file (or list available templates)
   diff [file]                       Show differences between project files and package templates
   sync <path>                       Sync local package to a test install (build, pack, Docker)
-  set-agent-secret <KEY> [VALUE]    Set a GitHub secret with AGENT_ prefix (also updates .env)
-  set-agent-llm-secret <KEY> [VALUE]  Set a GitHub secret with AGENT_LLM_ prefix
   set-var <KEY> [VALUE]             Set a GitHub repository variable
   user:password <email>             Change a user's password
 `);
@@ -264,7 +262,7 @@ async function init() {
   }
 
   // Create default skill activation symlinks
-  const defaultSkills = ['browser-tools', 'llm-secrets', 'modify-self'];
+  const defaultSkills = ['get-secret'];
   const activeDir = path.join(cwd, 'skills', 'active');
   fs.mkdirSync(activeDir, { recursive: true });
   for (const skill of defaultSkills) {
@@ -711,56 +709,6 @@ async function promptForValue(key) {
   return value;
 }
 
-async function setAgentSecret(key, value) {
-  if (!key) {
-    console.error('\n  Usage: thepopebot set-agent-secret <KEY> [VALUE]\n');
-    console.error('  Example: thepopebot set-agent-secret ANTHROPIC_API_KEY\n');
-    process.exit(1);
-  }
-
-  if (!value) value = await promptForValue(key);
-
-  const { owner, repo } = loadRepoInfo();
-  const prefixedName = `AGENT_${key}`;
-
-  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
-  const { updateEnvVariable } = await import(path.join(__dirname, '..', 'setup', 'lib', 'auth.mjs'));
-
-  const result = await setSecret(owner, repo, prefixedName, value);
-  if (result.success) {
-    console.log(`\n  Set GitHub secret: ${prefixedName}`);
-    updateEnvVariable(key, value);
-    console.log(`  Updated .env: ${key}`);
-    console.log('');
-  } else {
-    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
-    process.exit(1);
-  }
-}
-
-async function setAgentLlmSecret(key, value) {
-  if (!key) {
-    console.error('\n  Usage: thepopebot set-agent-llm-secret <KEY> [VALUE]\n');
-    console.error('  Example: thepopebot set-agent-llm-secret BRAVE_API_KEY\n');
-    process.exit(1);
-  }
-
-  if (!value) value = await promptForValue(key);
-
-  const { owner, repo } = loadRepoInfo();
-  const prefixedName = `AGENT_LLM_${key}`;
-
-  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
-
-  const result = await setSecret(owner, repo, prefixedName, value);
-  if (result.success) {
-    console.log(`\n  Set GitHub secret: ${prefixedName}\n`);
-  } else {
-    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
-    process.exit(1);
-  }
-}
-
 async function setVar(key, value) {
   if (!key) {
     console.error('\n  Usage: thepopebot set-var <KEY> [VALUE]\n');
@@ -843,12 +791,6 @@ switch (command) {
     await sync(args[0]);
     break;
   }
-  case 'set-agent-secret':
-    await setAgentSecret(args[0], args[1]);
-    break;
-  case 'set-agent-llm-secret':
-    await setAgentLlmSecret(args[0], args[1]);
-    break;
   case 'set-var':
     await setVar(args[0], args[1]);
     break;

package/lib/chat/components/containers-page.js

@@ -93,18 +93,15 @@ function ContainerRow({ container, onRequestStop, isStopping, isStarting }) {
   const isStopped = container.state === "exited" || container.state === "dead" || container.state === "created";
   const imageName = container.image.includes("/") ? container.image.split("/").pop() : container.image;
   return /* @__PURE__ */ jsxs("tr", { className: "border-t border-border", children: [
-    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3", children: /* @__PURE__ */ jsx(StateBadge, { state: container.state }) }),
-    /* @__PURE__ */ jsxs("td", { className: "py-2.5 pr-3 min-w-0", children: [
-      /* @__PURE__ */ jsx("div", { className: "text-sm font-medium truncate", children: container.name }),
-      /* @__PURE__ */ jsx("div", { className: "text-xs text-muted-foreground truncate", children: imageName })
-    ] }),
-    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-right hidden md:table-cell", children: isRunning && container.stats ? /* @__PURE__ */ jsxs("span", { children: [
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 whitespace-nowrap", children: /* @__PURE__ */ jsx(StateBadge, { state: container.state }) }),
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 min-w-0 whitespace-nowrap", children: /* @__PURE__ */ jsx("div", { className: "text-sm font-medium truncate", title: imageName, children: container.name }) }),
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-right hidden md:table-cell whitespace-nowrap", children: isRunning && container.stats ? /* @__PURE__ */ jsxs("span", { children: [
       container.stats.cpu.toFixed(1),
       "%"
     ] }) : /* @__PURE__ */ jsx("span", { className: "text-muted-foreground", children: "\u2014" }) }),
-    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-right hidden md:table-cell", children: isRunning && container.stats ? /* @__PURE__ */ jsx("span", { children: formatBytes(container.stats.memUsage) }) : /* @__PURE__ */ jsx("span", { className: "text-muted-foreground", children: "\u2014" }) }),
-    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-muted-foreground hidden lg:table-cell", children: container.status }),
-    /* @__PURE__ */ jsx("td", { className: "py-2.5 text-right", children: /* @__PURE__ */ jsxs("div", { className: "inline-flex items-center gap-1.5", children: [
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-right hidden md:table-cell whitespace-nowrap", children: isRunning && container.stats ? /* @__PURE__ */ jsx("span", { children: formatBytes(container.stats.memUsage) }) : /* @__PURE__ */ jsx("span", { className: "text-muted-foreground", children: "\u2014" }) }),
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 pr-3 text-xs text-muted-foreground hidden lg:table-cell whitespace-nowrap", children: container.status }),
+    /* @__PURE__ */ jsx("td", { className: "py-2.5 text-right whitespace-nowrap", children: /* @__PURE__ */ jsxs("div", { className: "inline-flex items-center gap-1.5", children: [
       isRunning && (isStopping ? /* @__PURE__ */ jsxs(
         "button",
         {

package/lib/chat/components/containers-page.jsx

@@ -121,31 +121,30 @@ function ContainerRow({ container, onRequestStop, isStopping, isStarting }) {
 
   return (
     <tr className="border-t border-border">
-      <td className="py-2.5 pr-3">
+      <td className="py-2.5 pr-3 whitespace-nowrap">
         <StateBadge state={container.state} />
       </td>
-      <td className="py-2.5 pr-3 min-w-0">
-        <div className="text-sm font-medium truncate">{container.name}</div>
-        <div className="text-xs text-muted-foreground truncate">{imageName}</div>
+      <td className="py-2.5 pr-3 min-w-0 whitespace-nowrap">
+        <div className="text-sm font-medium truncate" title={imageName}>{container.name}</div>
       </td>
-      <td className="py-2.5 pr-3 text-xs text-right hidden md:table-cell">
+      <td className="py-2.5 pr-3 text-xs text-right hidden md:table-cell whitespace-nowrap">
         {isRunning && container.stats ? (
           <span>{container.stats.cpu.toFixed(1)}%</span>
         ) : (
           <span className="text-muted-foreground">&mdash;</span>
         )}
       </td>
-      <td className="py-2.5 pr-3 text-xs text-right hidden md:table-cell">
+      <td className="py-2.5 pr-3 text-xs text-right hidden md:table-cell whitespace-nowrap">
         {isRunning && container.stats ? (
           <span>{formatBytes(container.stats.memUsage)}</span>
         ) : (
           <span className="text-muted-foreground">&mdash;</span>
         )}
       </td>
-      <td className="py-2.5 pr-3 text-xs text-muted-foreground hidden lg:table-cell">
+      <td className="py-2.5 pr-3 text-xs text-muted-foreground hidden lg:table-cell whitespace-nowrap">
         {container.status}
       </td>
-      <td className="py-2.5 text-right">
+      <td className="py-2.5 text-right whitespace-nowrap">
         <div className="inline-flex items-center gap-1.5">
           {isRunning && (
             isStopping ? (

package/lib/tools/docker.js

@@ -162,7 +162,7 @@ async function runContainer({ containerName, image, env = [], workingDir, hostCo
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets }) {
+async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets, continueSession = true }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -184,6 +184,9 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
   if (featureBranch) {
     env.push(`FEATURE_BRANCH=${featureBranch}`);
   }
+  if (continueSession) {
+    env.push(`CONTINUE_SESSION=1`);
+  }
 
   // Inject agent job secrets when running in agent chat mode
   if (injectSecrets) {
@@ -194,6 +197,9 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
         env.push(`${key}=${value}`);
       }
     }
+    if (jobSecrets.length > 0) {
+      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
+    }
   }
 
   const hostConfig = {};
@@ -338,7 +344,7 @@ function buildAgentAuthEnv(agent) {
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession, injectSecrets }) {
+async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession = true, injectSecrets }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -382,6 +388,9 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
         env.push(`${key}=${value}`);
       }
     }
+    if (jobSecrets.length > 0) {
+      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
+    }
   }
 
   const hostConfig = {};
@@ -831,6 +840,9 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
       env.push(`${key}=${value}`);
     }
   }
+  if (jobSecrets.length > 0) {
+    env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
+  }
 
   console.log(`[agent-job] id=${shortId} agent=${agent} image=${image} backendApi=${backendApi}`);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.74-beta.39",
+  "version": "1.2.74-beta.40",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/templates/docs/CLI.md

@@ -27,15 +27,9 @@ These set GitHub repository secrets/variables using the `gh` CLI. They read `GH_
 
 | Command | Description |
 |---------|-------------|
-| `set-agent-secret KEY [VALUE]` | Set `AGENT_<KEY>` GitHub secret and update `.env` |
-| `set-agent-llm-secret KEY [VALUE]` | Set `AGENT_LLM_<KEY>` GitHub secret |
 | `set-var KEY [VALUE]` | Set a GitHub repository variable |
 
-### Secret Prefix Convention
-
-- **`AGENT_`** — Protected secrets passed to Docker container, filtered from LLM bash env. Example: `AGENT_GH_TOKEN`, `AGENT_ANTHROPIC_API_KEY`
-- **`AGENT_LLM_`** — LLM-accessible secrets, not filtered. Example: `AGENT_LLM_BRAVE_API_KEY`
-- **No prefix** — Workflow-only secrets, never passed to container. Example: `GH_WEBHOOK_SECRET`
+Agent job secrets are now managed through the admin UI (Settings > Agent Jobs > Secrets), stored encrypted in SQLite, and injected directly into Docker containers.
 
 ## Common Workflows
 
@@ -61,5 +55,5 @@ npx thepopebot reset config/CRONS.json # accept new template
 ```bash
 npx thepopebot set-var LLM_PROVIDER openai
 npx thepopebot set-var LLM_MODEL gpt-4o
-npx thepopebot set-agent-secret OPENAI_API_KEY sk-...
+# Set API keys via admin UI: Settings > Agent Jobs > Secrets
 ```

package/templates/docs/CONFIGURATION.md

@@ -91,7 +91,7 @@ Restart your server after changes.
 ```bash
 npx thepopebot set-var LLM_PROVIDER openai
 npx thepopebot set-var LLM_MODEL gpt-4o
-npx thepopebot set-agent-secret OPENAI_API_KEY sk-...
+# Set API keys via admin UI: Settings > Agent Jobs > Secrets
 ```
 
 ### Per-Job Overrides
@@ -118,7 +118,7 @@ Point at any OpenAI-compatible endpoint (DeepSeek, Ollama, Together AI, etc.):
 npx thepopebot set-var LLM_PROVIDER custom
 npx thepopebot set-var LLM_MODEL deepseek-chat
 npx thepopebot set-var CUSTOM_OPENAI_BASE_URL https://api.deepseek.com/v1
-npx thepopebot set-agent-secret CUSTOM_API_KEY sk-...
+# Set CUSTOM_API_KEY via admin UI: Settings > Agent Jobs > Secrets
 
 # Local custom (Ollama, LM Studio, etc.) — needs self-hosted runner
 npx thepopebot set-var RUNS_ON self-hosted
@@ -129,20 +129,9 @@ npx thepopebot set-var CUSTOM_OPENAI_BASE_URL http://host.docker.internal:11434/
 
 ---
 
-## GitHub Secrets
+## Agent Job Secrets
 
-Set via CLI. Each value is stored as a GitHub repository secret.
-
-| Prefix | Purpose | Visible to LLM? |
-|--------|---------|------------------|
-| `AGENT_` | Protected credentials (filtered from LLM bash env) | No |
-| `AGENT_LLM_` | LLM-accessible credentials (skills, browser logins) | Yes |
-| *(none)* | Workflow-only secrets | N/A |
-
-```bash
-npx thepopebot set-agent-secret GH_TOKEN ghp_xxx          # Protected
-npx thepopebot set-agent-llm-secret BRAVE_API_KEY xxx      # LLM-accessible
-```
+Agent job secrets are managed through the admin UI (Settings > Agent Jobs > Secrets). They are stored encrypted in SQLite and injected as env vars into Docker containers. The agent can discover available secrets via the `get-secret` skill.
 
 ---
 

package/templates/docs/SECURITY.md

@@ -25,22 +25,9 @@ thepopebot includes these security measures by default:
 4. SDKs (Anthropic, GitHub CLI) read their keys from `process.env` normally
 5. The LLM cannot `echo $ANYTHING` — subprocess env is filtered
 
-### Protected vs. LLM-Accessible
-
-| Credential Type | Set with | Visible to LLM? |
-|-----------------|----------|------------------|
-| Infrastructure keys (`GH_TOKEN`, `ANTHROPIC_API_KEY`) | `set-agent-secret` | No — filtered from bash |
-| Skill API keys, browser logins | `set-agent-llm-secret` | Yes — skills need these |
-
-```bash
-# Protected (filtered from LLM)
-npx thepopebot set-agent-secret GH_TOKEN ghp_xxx
-npx thepopebot set-agent-secret ANTHROPIC_API_KEY sk-ant-xxx
-
-# Accessible to LLM (not filtered)
-npx thepopebot set-agent-llm-secret BROWSER_PASSWORD mypass123
-npx thepopebot set-agent-llm-secret BRAVE_API_KEY xxx
-```
+### Agent Job Secrets
+
+Agent job secrets are managed through the admin UI (Settings > Agent Jobs > Secrets). They are stored encrypted in SQLite and injected as env vars into Docker containers. The agent can discover available secrets via the `get-secret` skill.
 
 ---
 

package/templates/docs/SKILLS.md

@@ -21,9 +21,7 @@ These are activated out of the box:
 
 | Skill | Description |
 |-------|-------------|
-| `browser-tools` | Interactive browser automation via Chrome DevTools Protocol |
-| `llm-secrets` | List available LLM-accessible credentials |
-| `modify-self` | Modify the agent's own code, configuration, personality, or cron jobs |
+| `get-secret` | List available LLM-accessible credentials |
 
 ## Available Skills
 
@@ -104,21 +102,7 @@ If bash + curl isn't sufficient, use Node.js with a `package.json`. Dependencies
 
 ## Credential Setup
 
-If a skill needs an API key:
-
-```bash
-# Set as LLM-accessible GitHub secret
-npx thepopebot set-agent-llm-secret MY_API_KEY your-key-here
-
-# Also add to .env for local development
-echo "MY_API_KEY=your-key-here" >> .env
-```
-
-For multi-line secrets (e.g., JSON service account files), pipe via stdin:
-
-```bash
-npx thepopebot set-agent-llm-secret GOOGLE_CREDENTIALS < credentials.json
-```
+If a skill needs an API key, add it via the admin UI (Settings > Agent Jobs > Secrets). The secret will be injected as an env var into Docker containers. The agent can discover available secrets via the `get-secret` skill.
 
 ---
 

package/templates/skills/CLAUDE.md.template

@@ -98,18 +98,7 @@ The `skills/active/` directory is shared by both agent backends via symlink brid
 
 ## Credential Setup
 
-If a skill needs an API key, set it up before the job runs:
-
-```bash
-npx thepopebot set-agent-llm-secret KEY_NAME value
-```
-
-This creates a GitHub secret with `AGENT_LLM_` prefix, exposed as an env var in the Docker container. Also add to `.env` for local development.
-
-**Multi-line secrets** (e.g., JSON service account files):
-```bash
-npx thepopebot set-agent-llm-secret GOOGLE_CREDENTIALS < credentials.json
-```
+If a skill needs an API key, add it via the admin UI (Settings > Agent Jobs > Secrets). The secret will be injected as an env var into Docker containers. The agent can discover available secrets via the `get-secret` skill.
 
 ## Testing
 

package/templates/skills/README.md

@@ -74,7 +74,6 @@ ln -s ~/pi-skills/youtube-transcript .claude/skills/youtube-transcript
 | Skill | Description |
 |-------|-------------|
 | [brave-search](brave-search/SKILL.md) | Web search and content extraction via Brave Search |
-| [browser-tools](browser-tools/SKILL.md) | Interactive browser automation via Chrome DevTools Protocol |
 | [gccli](gccli/SKILL.md) | Google Calendar CLI for events and availability |
 | [gdcli](gdcli/SKILL.md) | Google Drive CLI for file management and sharing |
 | [gmcli](gmcli/SKILL.md) | Gmail CLI for email, drafts, and labels |
@@ -105,7 +104,6 @@ Skills use project-root-relative paths (e.g., `skills/brave-search/search.js`).
 Some skills require additional setup. Generally, the agent will walk you through that. But if not, here you go:
 
 - **brave-search**: Requires Node.js. Run `npm install` in the skill directory.
-- **browser-tools**: Requires Chrome and Node.js. Run `npm install` in the skill directory.
 - **gccli**: Requires Node.js. Install globally with `npm install -g @mariozechner/gccli`.
 - **gdcli**: Requires Node.js. Install globally with `npm install -g @mariozechner/gdcli`.
 - **gmcli**: Requires Node.js. Install globally with `npm install -g @mariozechner/gmcli`.

package/templates/skills/{llm-secrets → get-secret}/SKILL.md

@@ -1,12 +1,12 @@
 ---
-name: llm-secrets
+name: get-secret
 description: List available LLM-accessible credentials. Use when you need API keys, passwords, or other secrets that have been made available to you.
 ---
 
 # List Available Secrets
 
 ```bash
-skills/llm-secrets/llm-secrets.js
+skills/get-secret/get-secret.js
 ```
 
 Shows the names of available secret keys (not values). Output example:

package/templates/skills/{llm-secrets/llm-secrets.js → get-secret/get-secret.js}

@@ -1,18 +1,18 @@
 #!/usr/bin/env node
 
 /**
- * llm-secrets.js - List available LLM-accessible secret keys
+ * get-secret.js - List available agent job secret keys
  *
- * Usage: llm-secrets.js
+ * Usage: get-secret.js
  *
- * Lists the key names from LLM_SECRETS (not the values).
+ * Lists the key names from AGENT_JOB_SECRETS (not the values).
  * To get a value, use: echo $KEY_NAME
  */
 
-const secretsJson = process.env.LLM_SECRETS;
+const secretsJson = process.env.AGENT_JOB_SECRETS;
 
 if (!secretsJson) {
-  console.log('No LLM_SECRETS configured.');
+  console.log('No AGENT_JOB_SECRETS configured.');
   process.exit(0);
 }
 
@@ -21,13 +21,13 @@ try {
   const keys = Object.keys(parsed);
 
   if (keys.length === 0) {
-    console.log('LLM_SECRETS is empty.');
+    console.log('AGENT_JOB_SECRETS is empty.');
   } else {
     console.log('Available secrets:');
     keys.forEach(key => console.log(`  - ${key}`));
     console.log('\nTo get a value: echo $KEY_NAME');
   }
 } catch (e) {
-  console.error('Error parsing LLM_SECRETS:', e.message);
+  console.error('Error parsing AGENT_JOB_SECRETS:', e.message);
   process.exit(1);
 }

package/templates/skills/modify-self/SKILL.md

@@ -1,12 +0,0 @@
----
-name: modify-self
-description: Use when a job requires modifying the agent's own code, configuration, personality, cron jobs, skills, or operating system files.
----
-
-# Modify Self
-
-Before making any changes, read the project documentation for a full understanding of the system architecture:
-
-```bash
-cat CLAUDE.md
-```