thepopebot 1.2.74-beta.9 → 1.2.74

package/README.md

@@ -22,36 +22,36 @@ Build autonomous AI agents that work for you 24/7, individually or in teams.
 │                                                                      │
 │  ┌─────────────────┐         ┌─────────────────┐                     │
 │  │  Event Handler  │ ──1──►  │     GitHub      │                     │
-│  │  (creates job)  │         │ (job/* branch)  │                     │
-│  └────────▲────────┘         └────────┬────────┘                     │
-│           │                           │                              │
-│           │                           2 (triggers run-job.yml)       │
-│           │                           │                              │
-│           │                           ▼                              │
-│           │                  ┌─────────────────┐                     │
-│           │                  │  Docker Agent   │                     │
-│           │                  │(Pi/Claude Code) │                     │
-│           │                  └────────┬────────┘                     │
-│           │                           │                              │
-│           │                           3 (creates PR)                 │
-│           │                           │                              │
-│           │                           ▼                              │
-│           │                  ┌─────────────────┐                     │
-│           │                  │     GitHub      │                     │
-│           │                  │   (PR opened)   │                     │
-│           │                  └────────┬────────┘                     │
-│           │                           │                              │
-│           │                           4a (auto-merge.yml)            │
-│           │                           4b (rebuild-event-handler.yml) │
-│           │                           │                              │
-│           5 (notify-pr-complete.yml / │                              │
-│           │  notify-job-failed.yml)   │                              │
-│           └───────────────────────────┘                              │
+│  │ (creates branch)│         │(agent-job/* br) │                     │
+│  └────────▲────────┘         └─────────────────┘                     │
+│           │                                                          │
+│           │  2 (launches Docker container locally)                   │
+│           │                                                          │
+│           ▼                                                          │
+│  ┌─────────────────┐                                                 │
+│  │  Docker Agent   │                                                 │
+│  │ (coding agent)  │                                                 │
+│  └────────┬────────┘                                                 │
+│           │                                                          │
+│           │  3 (commits, pushes, creates PR)                         │
+│           │                                                          │
+│           ▼                                                          │
+│  ┌─────────────────┐                                                 │
+│  │     GitHub      │                                                 │
+│  │   (PR opened)   │                                                 │
+│  └────────┬────────┘                                                 │
+│           │                                                          │
+│           │  4a (auto-merge.yml)                                     │
+│           │  4b (rebuild-event-handler.yml)                          │
+│           │                                                          │
+│           5 (notify-pr-complete.yml →                                │
+│           │  webhook to event handler)                               │
+│           └──────────────────────────►  Event Handler                │
 │                                                                      │
 └──────────────────────────────────────────────────────────────────────┘
 ```
 
-You interact with your bot via the web chat interface or Telegram (optional). The Event Handler creates a job branch. GitHub Actions spins up a Docker container with the Pi coding agent. The agent does the work, commits the results, and opens a PR. Auto-merge handles the rest. You get a notification when it's done.
+You interact with your bot via the web chat interface or Telegram (optional). The Event Handler creates an agent-job branch and launches a Docker container locally with the coding agent. The agent does the work, commits the results, pushes, and opens a PR. Auto-merge handles the rest. You get a notification when it's done.
 
 ---
 
@@ -94,19 +94,18 @@ npm run setup
 ```
 
 The wizard walks you through everything:
-- Checks prerequisites (Node.js, Git, GitHub CLI)
+- Checks prerequisites (Node.js, Git, GitHub CLI, Docker)
 - Creates a GitHub repository and pushes your initial commit
 - Creates a GitHub Personal Access Token (scoped to your repo)
-- Collects API keys (Anthropic required; OpenAI, Brave optional)
-- Sets GitHub repository secrets and variables
-- Generates `.env`
-- Builds the project and starts Docker for you
+- Configures your public URL and webhook secret
+- Syncs settings to `.env`, database, and GitHub secrets/variables
+- Starts Docker for you
 
 **That's it.** Visit your APP_URL when the wizard finishes.
 
 - **Web Chat**: Visit your APP_URL to chat with your agent, create jobs, upload files
 - **Telegram** (optional): Run `npm run setup-telegram` to connect a Telegram bot
-- **Webhook**: Send a POST to `/api/create-job` with your API key to create jobs programmatically
+- **Webhook**: Send a POST to `/api/create-agent-job` with your API key to create jobs programmatically
 - **Cron**: Edit `config/CRONS.json` to schedule recurring jobs
 
 ### Chat vs Agent LLM
@@ -135,7 +134,7 @@ claude setup-token
 
 Paste the token (starts with `sk-ant-oat01-`) into the setup wizard. Your agent jobs will now run through your subscription. Note that usage counts toward your Claude.ai limits, and you still need an API key for the chat side.
 
-See [Claude Code vs Pi](docs/CLAUDE_CODE_VS_PI.md) for more details on the two agent backends.
+See [Coding Agents](docs/CODING_AGENTS.md) for details on all five agent backends.
 
 > **Local installs**: Your server needs to be reachable from the internet for GitHub webhooks and Telegram. On a VPS/cloud server, your APP_URL is just your domain. For local development, use [ngrok](https://ngrok.com) (`ngrok http 80`) or port forwarding to expose your machine.
 >
@@ -187,9 +186,9 @@ See [Security](docs/SECURITY.md) for full details on what's exposed, the risks,
 
 ## Different Models
 
-The Event Handler (chat, Telegram, webhooks) and Jobs (Docker agent) are two independent layers — each can run a different LLM. Use Claude for interactive chat and a cheaper or local model for long-running jobs, mix providers per cron entry, or run everything on a single model.
+thepopebot supports 9 built-in LLM providers (Anthropic, OpenAI, Google, DeepSeek, MiniMax, Mistral, xAI, Kimi, OpenRouter) plus custom OpenAI-compatible endpoints. The chat layer and coding agents are independent — use Claude for interactive chat and a different model for code tasks, or run everything on a single provider.
 
-See [Different Models](docs/RUNNING_DIFFERENT_MODELS.md) for the full guide: Event Handler config, job defaults, per-job overrides, provider table, and custom provider setup.
+See [Different Models](docs/RUNNING_DIFFERENT_MODELS.md) for the full provider reference, admin UI configuration, per-job overrides, and custom provider setup.
 
 ---
 
@@ -199,13 +198,13 @@ See [Different Models](docs/RUNNING_DIFFERENT_MODELS.md) for the full guide: Eve
 |----------|-------------|
 | [Architecture](docs/ARCHITECTURE.md) | Two-layer design, file structure, API endpoints, GitHub Actions, Docker agent |
 | [CLI Reference](docs/CLI.md) | `init`, managed vs user files, template conventions, all CLI commands |
-| [Configuration](docs/CONFIGURATION.md) | Environment variables, GitHub secrets, repo variables, ngrok, Telegram setup |
+| [Configuration](docs/CONFIGURATION.md) | Admin UI, DB-backed config, infrastructure variables, GitHub secrets, Docker Compose |
 | [Customization](docs/CUSTOMIZATION.md) | Personality, skills, operating system files, using your bot, security details |
 | [Chat Integrations](docs/CHAT_INTEGRATIONS.md) | Web chat, Telegram, adding new channels |
-| [Different Models](docs/RUNNING_DIFFERENT_MODELS.md) | Event Handler vs job model config, per-job overrides, providers, custom provider |
+| [Different Models](docs/RUNNING_DIFFERENT_MODELS.md) | 9 built-in LLM providers, chat vs coding agent config, per-job overrides, custom providers |
 | [Auto-Merge](docs/AUTO_MERGE.md) | Auto-merge controls, ALLOWED_PATHS configuration |
 | [Deployment](docs/DEPLOYMENT.md) | VPS setup, Docker Compose, HTTPS with Let's Encrypt |
-| [Claude Code vs Pi](docs/CLAUDE_CODE_VS_PI.md) | Comparing the two agent backends (subscription vs API credits) |
+| [Coding Agents](docs/CODING_AGENTS.md) | 5 coding agent backends, OAuth tokens, LiteLLM proxy, per-agent config |
 | [How to Build Skills](docs/HOW_TO_BUILD_SKILLS.md) | Guide to building and activating agent skills |
 | [Pre-Release](docs/PRE_RELEASE.md) | Installing beta/alpha builds |
 | [Code Workspaces](docs/CODE_WORKSPACES.md) | Interactive Docker containers with in-browser terminal |

package/api/CLAUDE.md

@@ -10,21 +10,22 @@ Auth flow: `x-api-key` header -> `verifyApiKey()` -> database lookup (hashed, ti
 
 ## Do NOT use these routes for browser UI
 
-Browser-facing features must use **Server Actions** (`'use server'` functions) with `requireAuth()` session checks — never `/api` fetch calls. The only exception is chat streaming, which has its own dedicated route at `/stream/chat` with session auth.
+Browser-facing data fetching uses **fetch route handlers** colocated with pages (`route.js` files in `web/app/`). These check `auth()` session — never use `/api` routes from the browser. Server actions (`'use server'`) are used only for **mutations** (rename, delete, star, config updates) — never for data fetching (causes page refresh issues). Handler implementations live in `lib/chat/api.js`; route files are thin re-exports.
 
 | Caller | Mechanism | Auth |
 |--------|-----------|------|
 | External (cURL, GitHub Actions, Telegram) | `/api` route | `x-api-key` header |
-| Browser UI (data/mutations) | Server Action | `requireAuth()` session |
-| Browser UI (chat streaming) | `/stream/chat` | `auth()` session |
+| Browser UI (data fetching) | Fetch route handler colocated with page | `auth()` session |
+| Browser UI (mutations) | Server action | `requireAuth()` session |
+| Browser UI (streaming) | `/stream/chat`, `/stream/containers`, `/stream/cluster/*/logs` | `auth()` session |
 
 ## Routes
 
 | Method | Path | Auth | Handler |
 |--------|------|------|---------|
 | GET | `/api/ping` | None | Health check |
-| POST | `/api/create-job` | `x-api-key` | Create agent job |
-| GET | `/api/jobs/status` | `x-api-key` | Job status (query: `?job_id=`) |
+| POST | `/api/create-agent-job` | `x-api-key` | Create agent job |
+| GET | `/api/agent-jobs/status` | `x-api-key` | Agent job status (query: `?agent_job_id=`) |
 | POST | `/api/telegram/webhook` | Telegram webhook secret | Telegram message handler |
 | POST | `/api/telegram/register` | `x-api-key` | Register bot token + webhook URL |
 | POST | `/api/github/webhook` | GitHub webhook secret | GitHub event handler |

package/api/index.js

@@ -1,13 +1,15 @@
 import { createHash, timingSafeEqual } from 'crypto';
-import { createJob } from '../lib/tools/create-job.js';
+import { createAgentJob } from '../lib/tools/create-agent-job.js';
 import { setWebhook } from '../lib/tools/telegram.js';
-import { getJobStatus, fetchJobLog } from '../lib/tools/github.js';
+import { getAgentJobStatus, fetchAgentJobLog } from '../lib/tools/github.js';
 import { getTelegramAdapter } from '../lib/channels/index.js';
-import { chat, summarizeJob } from '../lib/ai/index.js';
+import { chat, summarizeAgentJob } from '../lib/ai/index.js';
 import { createNotification } from '../lib/db/notifications.js';
 import { loadTriggers } from '../lib/triggers.js';
 import { verifyApiKey } from '../lib/db/api-keys.js';
 import { getConfig } from '../lib/config.js';
+import { parseOAuthState, exchangeCodeForToken } from '../lib/oauth/helper.js';
+import { setAgentJobSecret } from '../lib/db/config.js';
 
 // Bot token — resolved from DB/env, can be overridden by /telegram/register
 let telegramBotToken = null;
@@ -31,7 +33,7 @@ function getFireTriggers() {
 }
 
 // Routes that have their own authentication
-const PUBLIC_ROUTES = ['/telegram/webhook', '/github/webhook', '/ping'];
+const PUBLIC_ROUTES = ['/telegram/webhook', '/github/webhook', '/ping', '/oauth/callback'];
 
 /**
  * Timing-safe string comparison.
@@ -71,28 +73,34 @@ function checkAuth(routePath, request) {
 }
 
 /**
- * Extract job ID from branch name (e.g., "job/abc123" -> "abc123")
+ * Extract agent job ID from branch name (e.g., "agent-job/abc123" -> "abc123")
  */
-function extractJobId(branchName) {
-  if (!branchName || !branchName.startsWith('job/')) return null;
-  return branchName.slice(4);
+function extractAgentJobId(branchName) {
+  if (!branchName) return null;
+  if (branchName.startsWith('agent-job/')) return branchName.slice(10);
+  // Backwards compatibility with old job/ prefix
+  if (branchName.startsWith('job/')) return branchName.slice(4);
+  return null;
 }
 
 // ─────────────────────────────────────────────────────────────────────────────
 // Route handlers
 // ─────────────────────────────────────────────────────────────────────────────
 
-async function handleWebhook(request) {
+async function handleCreateAgentJob(request) {
   const body = await request.json();
   const { job } = body;
   if (!job) return Response.json({ error: 'Missing job field' }, { status: 400 });
 
   try {
-    const result = await createJob(job);
+    const result = await createAgentJob(job, {
+      llmModel: body.llm_model,
+      agentBackend: body.agent_backend,
+    });
     return Response.json(result);
   } catch (err) {
     console.error(err);
-    return Response.json({ error: 'Failed to create job' }, { status: 500 });
+    return Response.json({ error: 'Failed to create agent job' }, { status: 500 });
   }
 }
 
@@ -168,14 +176,14 @@ async function handleGithubWebhook(request) {
   }
 
   const payload = await request.json();
-  const jobId = payload.job_id || extractJobId(payload.branch);
-  if (!jobId) return Response.json({ ok: true, skipped: true, reason: 'not a job' });
+  const agentJobId = payload.agent_job_id || payload.job_id || extractAgentJobId(payload.branch);
+  if (!agentJobId) return Response.json({ ok: true, skipped: true, reason: 'not an agent job' });
 
   try {
     // Fetch log from repo via API (no longer sent in payload)
     let log = payload.log || '';
     if (!log) {
-      log = await fetchJobLog(jobId, payload.commit_sha);
+      log = await fetchAgentJobLog(agentJobId, payload.commit_sha);
     }
 
     const results = {
@@ -189,10 +197,10 @@ async function handleGithubWebhook(request) {
       commit_message: payload.commit_message || '',
     };
 
-    const message = await summarizeJob(results);
+    const message = await summarizeAgentJob(results);
     await createNotification(message, payload);
 
-    console.log(`Notification saved for job ${jobId.slice(0, 8)}`);
+    console.log(`Notification saved for agent-job ${agentJobId.slice(0, 8)}`);
 
     return Response.json({ ok: true, notified: true });
   } catch (err) {
@@ -201,18 +209,77 @@ async function handleGithubWebhook(request) {
   }
 }
 
-async function handleJobStatus(request) {
+async function handleAgentJobStatus(request) {
   try {
     const url = new URL(request.url);
-    const jobId = url.searchParams.get('job_id');
-    const result = await getJobStatus(jobId);
+    const agentJobId = url.searchParams.get('agent_job_id') || url.searchParams.get('job_id');
+    const result = await getAgentJobStatus(agentJobId);
     return Response.json(result);
   } catch (err) {
-    console.error('Failed to get job status:', err);
-    return Response.json({ error: 'Failed to get job status' }, { status: 500 });
+    console.error('Failed to get agent job status:', err);
+    return Response.json({ error: 'Failed to get agent job status' }, { status: 500 });
+  }
+}
+
+async function handleOAuthCallback(request) {
+  const url = new URL(request.url);
+  const code = url.searchParams.get('code');
+  const stateParam = url.searchParams.get('state');
+  const error = url.searchParams.get('error');
+
+  if (error) {
+    const desc = url.searchParams.get('error_description') || error;
+    return oauthResultPage(false, desc);
+  }
+
+  if (!code || !stateParam) {
+    return oauthResultPage(false, 'Missing code or state parameter.');
+  }
+
+  try {
+    const state = parseOAuthState(stateParam);
+    const redirectUri = `${process.env.AUTH_URL}/api/oauth/callback`;
+
+    const tokenData = await exchangeCodeForToken({
+      code,
+      clientId: state.clientId,
+      clientSecret: state.clientSecret,
+      tokenUrl: state.tokenUrl,
+      redirectUri,
+    });
+
+    // Save the full token JSON as the secret value
+    const tokenJson = JSON.stringify(tokenData);
+    setAgentJobSecret(state.secretName, tokenJson, 'oauth');
+
+    return oauthResultPage(true, state.secretName);
+  } catch (err) {
+    console.error('OAuth callback error:', err);
+    return oauthResultPage(false, err.message || 'Token exchange failed.');
   }
 }
 
+function oauthResultPage(success, detail) {
+  const safe = String(detail).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
+  const messagePayload = JSON.stringify({ type: success ? 'oauth-success' : 'oauth-error', detail: safe });
+  const fallback = success
+    ? `Token saved as <strong>${safe}</strong>. You can close this tab and return to settings.`
+    : `Error: ${safe}`;
+
+  const html = `<!DOCTYPE html><html><head><title>OAuth ${success ? 'Success' : 'Error'}</title></head><body>
+<script>
+  if (window.opener) {
+    window.opener.postMessage(${messagePayload}, window.location.origin);
+    window.close();
+  } else {
+    document.body.innerHTML = '<p style="font-family:sans-serif;padding:2rem;">${fallback.replace(/'/g, "\\'")}</p>';
+  }
+</script>
+<noscript><p style="font-family:sans-serif;padding:2rem;">${fallback}</p></noscript>
+</body></html>`;
+  return new Response(html, { status: success ? 200 : 400, headers: { 'Content-Type': 'text/html' } });
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Next.js Route Handlers (catch-all)
 // ─────────────────────────────────────────────────────────────────────────────
@@ -247,7 +314,7 @@ async function POST(request) {
 
   // Route to handler
   switch (routePath) {
-    case '/create-job':          return handleWebhook(request);
+    case '/create-agent-job':     return handleCreateAgentJob(request);
     case '/telegram/webhook':   return handleTelegramWebhook(request);
     case '/telegram/register':  return handleTelegramRegister(request);
     case '/github/webhook':     return handleGithubWebhook(request);
@@ -264,9 +331,10 @@ async function GET(request) {
   if (authError) return authError;
 
   switch (routePath) {
-    case '/ping':           return Response.json({ message: 'Pong!' });
-    case '/jobs/status':    return handleJobStatus(request);
-    default:                return Response.json({ error: 'Not found' }, { status: 404 });
+    case '/ping':               return Response.json({ message: 'Pong!' });
+    case '/agent-jobs/status':  return handleAgentJobStatus(request);
+    case '/oauth/callback':     return handleOAuthCallback(request);
+    default:                    return Response.json({ error: 'Not found' }, { status: 404 });
   }
 }
 

package/bin/CLAUDE.md

@@ -0,0 +1,37 @@
+# bin/ — CLI Tools
+
+Entry point: `cli.js` (invoked via `npx thepopebot <command>`).
+
+## Commands
+
+| Command | Purpose |
+|---------|---------|
+| `init [--no-managed] [--no-install]` | Scaffold project from templates, sync managed files, create `.env`, install deps |
+| `setup` | Run interactive setup wizard (see `setup/CLAUDE.md`) |
+| `setup-telegram` | Reconfigure Telegram webhook |
+| `upgrade [@beta\|version]` | Upgrade package, run init, rebuild, commit, push, restart Docker |
+| `reset [file]` | Restore a template file to defaults |
+| `diff [file]` | Show diff between user file and package template |
+| `reset-auth` | Regenerate `AUTH_SECRET` (invalidates all sessions) |
+| `set-var <KEY> [VALUE]` | Set GitHub repository variable |
+| `user:password <email>` | Change user password |
+| `sync <path>` | Dev helper — sync local package to test install |
+
+## Managed Paths System
+
+`managed-paths.js` defines files auto-synced by `init`. These are overwritten on every init/upgrade — users should not edit them.
+
+**Managed paths**: `.github/workflows/`, `docker-compose.yml`, `.dockerignore`, `.gitignore`, `CLAUDE.md`, `config/CLAUDE.md`, `skills/CLAUDE.md`, `cron/CLAUDE.md`, `triggers/CLAUDE.md`, `docs/CLAUDE.md`.
+
+`isManaged(relPath)` — returns true if a path is managed (exact match or directory prefix).
+
+## Template Processing
+
+- Templates live in `templates/` with optional `.template` suffix
+- `.template` suffix is stripped when copying to the user project (e.g., `CLAUDE.md.template` → `CLAUDE.md`)
+- Managed files are deleted from user projects if removed from templates
+- Non-managed template files are only created, never overwritten
+
+## docker-build.js
+
+Builds the event-handler Docker image locally. Used by `docker-compose.yml` build step. Bakes the npm package, `web/` source, and `.next` build output into the image.

package/bin/cli.js

@@ -57,8 +57,6 @@ Commands:
   reset [file]                      Restore a template file (or list available templates)
   diff [file]                       Show differences between project files and package templates
   sync <path>                       Sync local package to a test install (build, pack, Docker)
-  set-agent-secret <KEY> [VALUE]    Set a GitHub secret with AGENT_ prefix (also updates .env)
-  set-agent-llm-secret <KEY> [VALUE]  Set a GitHub secret with AGENT_LLM_ prefix
   set-var <KEY> [VALUE]             Set a GitHub repository variable
   user:password <email>             Change a user's password
 `);
@@ -89,6 +87,7 @@ async function init() {
   const packageDir = path.join(__dirname, '..');
   const templatesDir = path.join(packageDir, 'templates');
   const noManaged = args.includes('--no-managed');
+  const noInstall = args.includes('--no-install');
 
   // Guard: warn if the directory is not empty (unless it's an existing thepopebot project)
   const entries = fs.readdirSync(cwd);
@@ -262,18 +261,8 @@ async function init() {
     console.log('  Skipped package.json (already exists)');
   }
 
-  // Create .gitkeep files for empty dirs
-  const gitkeepDirs = ['cron', 'triggers', 'logs', 'tmp', 'data', 'data/clusters'];
-  for (const dir of gitkeepDirs) {
-    const gitkeep = path.join(cwd, dir, '.gitkeep');
-    if (!fs.existsSync(gitkeep)) {
-      fs.mkdirSync(path.join(cwd, dir), { recursive: true });
-      fs.writeFileSync(gitkeep, '');
-    }
-  }
-
   // Create default skill activation symlinks
-  const defaultSkills = ['browser-tools', 'llm-secrets', 'modify-self'];
+  const defaultSkills = ['get-secret'];
   const activeDir = path.join(cwd, 'skills', 'active');
   fs.mkdirSync(activeDir, { recursive: true });
   for (const skill of defaultSkills) {
@@ -325,9 +314,11 @@ async function init() {
     console.log('  To reset to default:  npx thepopebot reset <file>');
   }
 
-  // Run npm install
-  console.log('\nInstalling dependencies...\n');
-  execSync('npm install', { stdio: 'inherit', cwd });
+  // Run npm install to ensure lock file reflects installed dependencies
+  if (!noInstall) {
+    console.log('\nInstalling dependencies...\n');
+    execSync('npm install', { stdio: 'inherit', cwd });
+  }
 
   // Create or update .env with auto-generated infrastructure values
   const envPath = path.join(cwd, '.env');
@@ -343,6 +334,7 @@ async function init() {
 
 AUTH_SECRET=${authSecret}
 AUTH_TRUST_HOST=true
+DATABASE_PATH=data/db/thepopebot.sqlite
 THEPOPEBOT_VERSION=${version}
 
 # Uncomment to use a custom docker-compose file that won't be overwritten by upgrades.
@@ -641,7 +633,7 @@ async function upgrade() {
       const running = execSync('docker compose ps --status running -q', { encoding: 'utf8', cwd }).trim();
       if (running) {
         console.log('  Pulling new image and restarting Docker containers...\n');
-        execSync('docker compose pull event-handler && docker compose up -d', { stdio: 'inherit', cwd });
+        execSync('docker compose pull event-handler && docker compose up -d --force-recreate event-handler', { stdio: 'inherit', cwd });
       }
     } catch {
       // Docker not available or not running — skip
@@ -717,56 +709,6 @@ async function promptForValue(key) {
   return value;
 }
 
-async function setAgentSecret(key, value) {
-  if (!key) {
-    console.error('\n  Usage: thepopebot set-agent-secret <KEY> [VALUE]\n');
-    console.error('  Example: thepopebot set-agent-secret ANTHROPIC_API_KEY\n');
-    process.exit(1);
-  }
-
-  if (!value) value = await promptForValue(key);
-
-  const { owner, repo } = loadRepoInfo();
-  const prefixedName = `AGENT_${key}`;
-
-  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
-  const { updateEnvVariable } = await import(path.join(__dirname, '..', 'setup', 'lib', 'auth.mjs'));
-
-  const result = await setSecret(owner, repo, prefixedName, value);
-  if (result.success) {
-    console.log(`\n  Set GitHub secret: ${prefixedName}`);
-    updateEnvVariable(key, value);
-    console.log(`  Updated .env: ${key}`);
-    console.log('');
-  } else {
-    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
-    process.exit(1);
-  }
-}
-
-async function setAgentLlmSecret(key, value) {
-  if (!key) {
-    console.error('\n  Usage: thepopebot set-agent-llm-secret <KEY> [VALUE]\n');
-    console.error('  Example: thepopebot set-agent-llm-secret BRAVE_API_KEY\n');
-    process.exit(1);
-  }
-
-  if (!value) value = await promptForValue(key);
-
-  const { owner, repo } = loadRepoInfo();
-  const prefixedName = `AGENT_LLM_${key}`;
-
-  const { setSecret } = await import(path.join(__dirname, '..', 'setup', 'lib', 'github.mjs'));
-
-  const result = await setSecret(owner, repo, prefixedName, value);
-  if (result.success) {
-    console.log(`\n  Set GitHub secret: ${prefixedName}\n`);
-  } else {
-    console.error(`\n  Failed to set ${prefixedName}: ${result.error}\n`);
-    process.exit(1);
-  }
-}
-
 async function setVar(key, value) {
   if (!key) {
     console.error('\n  Usage: thepopebot set-var <KEY> [VALUE]\n');
@@ -849,12 +791,6 @@ switch (command) {
     await sync(args[0]);
     break;
   }
-  case 'set-agent-secret':
-    await setAgentSecret(args[0], args[1]);
-    break;
-  case 'set-agent-llm-secret':
-    await setAgentLlmSecret(args[0], args[1]);
-    break;
   case 'set-var':
     await setVar(args[0], args[1]);
     break;