thepopebot 1.2.74 → 1.2.75-beta.2

package/lib/chat/components/settings-jobs-page.jsx

@@ -1,8 +1,8 @@
 'use client';
 
 import { useState, useEffect, useRef, useCallback } from 'react';
-import { PlusIcon, CopyIcon, CheckIcon, SpinnerIcon } from './icons.js';
-import { SecretRow, Dialog, EmptyState } from './settings-shared.js';
+import { PlusIcon, CopyIcon, CheckIcon, SpinnerIcon, TrashIcon } from './icons.js';
+import { SecretRow, StatusBadge, Dialog, EmptyState } from './settings-shared.js';
 import { OAUTH_PROVIDERS } from '../../oauth/providers.js';
 import {
   getAgentJobSecrets,
@@ -183,7 +183,7 @@ function ProviderCombobox({ value, onChange, inputClass }) {
 // Unified add secret dialog (manual + OAuth modes)
 // ─────────────────────────────────────────────────────────────────────────────
 
-function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
+function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess, editingSecret }) {
   // Shared state
   const [mode, setMode] = useState('manual');
   const [name, setName] = useState('');
@@ -209,8 +209,8 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
   // Reset all state on open
   useEffect(() => {
     if (open) {
-      setMode('manual');
-      setName('');
+      setMode(editingSecret ? 'oauth' : 'manual');
+      setName(editingSecret?.key || '');
       setError(null);
       // Manual
       setValue('');
@@ -224,7 +224,7 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
       setStatus('form');
       setCopied(false);
       setRedirectUri(`${window.location.origin}/api/oauth/callback`);
-      setTimeout(() => nameRef.current?.focus(), 50);
+      if (!editingSecret) setTimeout(() => nameRef.current?.focus(), 50);
     }
     return () => {
       if (timeoutRef.current) clearTimeout(timeoutRef.current);
@@ -344,7 +344,7 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
   const inputClass = 'w-full rounded-md border border-border bg-background px-3 py-1.5 text-sm font-mono focus:outline-none focus:ring-1 focus:ring-foreground';
 
   return (
-    <Dialog open={open} onClose={onCancel} title="Add Secret">
+    <Dialog open={open} onClose={onCancel} title={editingSecret ? 'Re-authorize Secret' : 'Add Secret'}>
       {status === 'success' ? (
         <div className="flex items-center justify-center gap-2 py-8 text-green-500">
           <CheckIcon size={20} />
@@ -359,31 +359,33 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
       ) : (
         <>
           <div className="space-y-3">
-            {/* Mode toggle */}
-            <div className="flex rounded-md border border-border overflow-hidden">
-              <button
-                type="button"
-                onClick={() => handleModeChange('manual')}
-                className={`flex-1 px-3 py-1.5 text-xs font-medium transition-colors ${
-                  mode === 'manual'
-                    ? 'bg-foreground text-background'
-                    : 'text-muted-foreground hover:text-foreground hover:bg-accent'
-                }`}
-              >
-                Manual
-              </button>
-              <button
-                type="button"
-                onClick={() => handleModeChange('oauth')}
-                className={`flex-1 px-3 py-1.5 text-xs font-medium transition-colors ${
-                  mode === 'oauth'
-                    ? 'bg-foreground text-background'
-                    : 'text-muted-foreground hover:text-foreground hover:bg-accent'
-                }`}
-              >
-                OAuth
-              </button>
-            </div>
+            {/* Mode toggle — hidden when re-authorizing */}
+            {!editingSecret && (
+              <div className="flex rounded-md border border-border overflow-hidden">
+                <button
+                  type="button"
+                  onClick={() => handleModeChange('manual')}
+                  className={`flex-1 px-3 py-1.5 text-xs font-medium transition-colors ${
+                    mode === 'manual'
+                      ? 'bg-foreground text-background'
+                      : 'text-muted-foreground hover:text-foreground hover:bg-accent'
+                  }`}
+                >
+                  Manual
+                </button>
+                <button
+                  type="button"
+                  onClick={() => handleModeChange('oauth')}
+                  className={`flex-1 px-3 py-1.5 text-xs font-medium transition-colors ${
+                    mode === 'oauth'
+                      ? 'bg-foreground text-background'
+                      : 'text-muted-foreground hover:text-foreground hover:bg-accent'
+                  }`}
+                >
+                  OAuth
+                </button>
+              </div>
+            )}
 
             {/* Secret name — shared */}
             <div>
@@ -394,7 +396,8 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
                 value={name}
                 onChange={(e) => setName(e.target.value.toUpperCase().replace(/[^A-Z0-9_]/g, ''))}
                 placeholder={mode === 'manual' ? 'e.g. GOOGLE_SERVICE_ACCOUNT_KEY' : 'e.g. GOOGLE_OAUTH_TOKEN'}
-                className={inputClass}
+                className={`${inputClass}${editingSecret ? ' text-muted-foreground bg-muted' : ''}`}
+                readOnly={!!editingSecret}
                 onKeyDown={(e) => e.key === 'Enter' && mode === 'manual' && handleSave()}
               />
             </div>
@@ -522,6 +525,53 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess }) {
   );
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// OAuth secret row — Re-authorize instead of inline edit
+// ─────────────────────────────────────────────────────────────────────────────
+
+function OAuthSecretRow({ secret, onReauthorize, onDelete }) {
+  const [confirmDelete, setConfirmDelete] = useState(false);
+
+  const handleDelete = async () => {
+    if (!confirmDelete) {
+      setConfirmDelete(true);
+      setTimeout(() => setConfirmDelete(false), 3000);
+      return;
+    }
+    await onDelete();
+    setConfirmDelete(false);
+  };
+
+  return (
+    <div className="flex flex-col gap-1 sm:flex-row sm:items-center sm:justify-between py-3">
+      <div className="flex items-center gap-2 min-w-0">
+        <span className="text-sm font-medium font-mono">{secret.key}</span>
+        <span className="text-xs text-muted-foreground">OAuth</span>
+        <StatusBadge isSet={secret.isSet} />
+      </div>
+      <div className="flex items-center gap-1.5 shrink-0 self-start sm:self-auto">
+        <button
+          onClick={onReauthorize}
+          className="rounded-md px-2.5 py-1.5 text-xs font-medium border border-border text-muted-foreground hover:bg-accent hover:text-foreground transition-colors"
+        >
+          Re-authorize
+        </button>
+        <button
+          onClick={handleDelete}
+          className={`rounded-md p-1.5 text-xs border transition-colors ${
+            confirmDelete
+              ? 'border-destructive text-destructive hover:bg-destructive/10'
+              : 'border-border text-muted-foreground hover:text-destructive hover:border-destructive'
+          }`}
+          title={confirmDelete ? 'Click again to confirm' : 'Delete'}
+        >
+          <TrashIcon size={12} />
+        </button>
+      </div>
+    </div>
+  );
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Jobs page
 // ─────────────────────────────────────────────────────────────────────────────
@@ -530,6 +580,7 @@ export function JobsPage() {
   const [secrets, setSecrets] = useState([]);
   const [loading, setLoading] = useState(true);
   const [showAdd, setShowAdd] = useState(false);
+  const [reauthorizing, setReauthorizing] = useState(null);
 
   const loadSecrets = async () => {
     try {
@@ -591,6 +642,13 @@ export function JobsPage() {
         onCancel={() => setShowAdd(false)}
         onOAuthSuccess={loadSecrets}
       />
+      <AddSecretDialog
+        open={!!reauthorizing}
+        onAdd={handleAdd}
+        onCancel={() => setReauthorizing(null)}
+        onOAuthSuccess={loadSecrets}
+        editingSecret={reauthorizing}
+      />
       {secrets.length === 0 ? (
         <EmptyState
           message="No job secrets configured yet."
@@ -600,7 +658,14 @@ export function JobsPage() {
       ) : (
         <div className="rounded-lg border bg-card p-4">
           <div className="divide-y divide-border">
-            {secrets.map((s) => (
+            {secrets.map((s) => s.secretType === 'oauth2' ? (
+              <OAuthSecretRow
+                key={s.key}
+                secret={s}
+                onReauthorize={() => setReauthorizing(s)}
+                onDelete={() => handleDelete(s.key)}
+              />
+            ) : (
               <SecretRow
                 key={s.key}
                 label={s.key}

package/lib/code/code-page.js

@@ -4,6 +4,7 @@ import { useState, useCallback, useEffect, useRef } from "react";
 import dynamic from "next/dynamic";
 import { DndContext, closestCenter, PointerSensor, useSensor, useSensors } from "@dnd-kit/core";
 import { SortableContext, horizontalListSortingStrategy, useSortable, arrayMove } from "@dnd-kit/sortable";
+import { restrictToHorizontalAxis } from "@dnd-kit/modifiers";
 import { CSS } from "@dnd-kit/utilities";
 import { AppSidebar } from "../chat/components/app-sidebar.js";
 import { SidebarProvider, SidebarInset } from "../chat/components/ui/sidebar.js";
@@ -276,7 +277,7 @@ function CodePage({ session, codeWorkspaceId }) {
               closeTitle: "Close session"
             }
           ),
-          /* @__PURE__ */ jsx(DndContext, { sensors, collisionDetection: closestCenter, onDragEnd: handleDragEnd, children: /* @__PURE__ */ jsx(SortableContext, { items: dynamicTabIds, strategy: horizontalListSortingStrategy, children: tabs.slice(1).map((tab) => /* @__PURE__ */ jsx(
+          /* @__PURE__ */ jsx(DndContext, { sensors, collisionDetection: closestCenter, onDragEnd: handleDragEnd, modifiers: [restrictToHorizontalAxis], autoScroll: false, children: /* @__PURE__ */ jsx(SortableContext, { items: dynamicTabIds, strategy: horizontalListSortingStrategy, children: tabs.slice(1).map((tab) => /* @__PURE__ */ jsx(
             SortableTab,
             {
               tab,

package/lib/code/code-page.jsx

@@ -4,6 +4,7 @@ import { useState, useCallback, useEffect, useRef } from 'react';
 import dynamic from 'next/dynamic';
 import { DndContext, closestCenter, PointerSensor, useSensor, useSensors } from '@dnd-kit/core';
 import { SortableContext, horizontalListSortingStrategy, useSortable, arrayMove } from '@dnd-kit/sortable';
+import { restrictToHorizontalAxis } from '@dnd-kit/modifiers';
 import { CSS } from '@dnd-kit/utilities';
 import { AppSidebar } from '../chat/components/app-sidebar.js';
 import { SidebarProvider, SidebarInset } from '../chat/components/ui/sidebar.js';
@@ -321,7 +322,7 @@ export default function CodePage({ session, codeWorkspaceId }) {
               />
 
               {/* Dynamic tabs — draggable */}
-              <DndContext sensors={sensors} collisionDetection={closestCenter} onDragEnd={handleDragEnd}>
+              <DndContext sensors={sensors} collisionDetection={closestCenter} onDragEnd={handleDragEnd} modifiers={[restrictToHorizontalAxis]} autoScroll={false}>
                 <SortableContext items={dynamicTabIds} strategy={horizontalListSortingStrategy}>
                   {tabs.slice(1).map((tab) => (
                     <SortableTab

package/lib/code/terminal-view.js

@@ -6,7 +6,6 @@ import { FitAddon } from "@xterm/addon-fit";
 import { SearchAddon } from "@xterm/addon-search";
 import { WebLinksAddon } from "@xterm/addon-web-links";
 import { SerializeAddon } from "@xterm/addon-serialize";
-import { ClipboardAddon } from "@xterm/addon-clipboard";
 import "@xterm/xterm/css/xterm.css";
 import { SpinnerIcon, MicIcon } from "../chat/components/icons.js";
 import { COMMAND_LABELS, CommandOutputDialog } from "../chat/components/code-mode-toggle.js";
@@ -171,7 +170,6 @@ function TerminalView({ codeWorkspaceId, wsPath, isActive = true, showToolbar =
     term.loadAddon(searchAddon);
     term.loadAddon(webLinksAddon);
     term.loadAddon(serializeAddon);
-    term.loadAddon(new ClipboardAddon());
     termRef.current = term;
     fitAddonRef.current = fitAddon;
     term.open(containerRef.current);
@@ -453,6 +451,11 @@ function TerminalView({ codeWorkspaceId, wsPath, isActive = true, showToolbar =
           color: #ef4444 !important;
           background: rgba(239,68,68,0.12) !important;
         }
+        @media (max-width: 767px) {
+          .code-toolbar-right {
+            overflow-x: auto;
+          }
+        }
         .code-voice-dialog {
           position: absolute;
           bottom: 100%;
@@ -620,7 +623,7 @@ function TerminalView({ codeWorkspaceId, wsPath, isActive = true, showToolbar =
                 ]
               }
             ) }),
-            /* @__PURE__ */ jsxs("div", { style: { display: "flex", alignItems: "center", gap: 6, overflowX: "auto" }, className: "scrollbar-hide", children: [
+            /* @__PURE__ */ jsxs("div", { style: { display: "flex", alignItems: "center", gap: 6 }, className: "code-toolbar-right scrollbar-hide", children: [
               voiceAvailable && /* @__PURE__ */ jsxs("div", { ref: voiceDialogRef, style: { position: "relative" }, children: [
                 /* @__PURE__ */ jsx(
                   "button",

package/lib/code/terminal-view.jsx

@@ -6,7 +6,6 @@ import { FitAddon } from '@xterm/addon-fit';
 import { SearchAddon } from '@xterm/addon-search';
 import { WebLinksAddon } from '@xterm/addon-web-links';
 import { SerializeAddon } from '@xterm/addon-serialize';
-import { ClipboardAddon } from '@xterm/addon-clipboard';
 import '@xterm/xterm/css/xterm.css';
 import { SpinnerIcon, MicIcon } from '../chat/components/icons.js';
 import { COMMAND_LABELS, CommandOutputDialog } from '../chat/components/code-mode-toggle.js';
@@ -204,7 +203,6 @@ export default function TerminalView({ codeWorkspaceId, wsPath, isActive = true,
     term.loadAddon(searchAddon);
     term.loadAddon(webLinksAddon);
     term.loadAddon(serializeAddon);
-    term.loadAddon(new ClipboardAddon());
 
     termRef.current = term;
     fitAddonRef.current = fitAddon;
@@ -524,6 +522,11 @@ export default function TerminalView({ codeWorkspaceId, wsPath, isActive = true,
           color: #ef4444 !important;
           background: rgba(239,68,68,0.12) !important;
         }
+        @media (max-width: 767px) {
+          .code-toolbar-right {
+            overflow-x: auto;
+          }
+        }
         .code-voice-dialog {
           position: absolute;
           bottom: 100%;
@@ -694,7 +697,7 @@ export default function TerminalView({ codeWorkspaceId, wsPath, isActive = true,
                 {themeLabel}
               </button>
             </div>
-            <div style={{ display: 'flex', alignItems: 'center', gap: 6, overflowX: 'auto' }} className="scrollbar-hide">
+            <div style={{ display: 'flex', alignItems: 'center', gap: 6 }} className="code-toolbar-right scrollbar-hide">
               {voiceAvailable && (
                 <div ref={voiceDialogRef} style={{ position: 'relative' }}>
                   <button

package/lib/db/api-keys.js

@@ -32,15 +32,25 @@ function _ensureCache() {
   if (_cache !== null) return _cache;
 
   const db = getDb();
+  const ONE_HOUR = 60 * 60 * 1000;
+  const cutoff = Date.now() - ONE_HOUR;
+
   const rows = db
     .select()
     .from(settings)
     .where(eq(settings.type, 'api_key'))
     .all();
 
-  _cache = rows.map((row) => {
+  const jobKeyRows = db
+    .select()
+    .from(settings)
+    .where(eq(settings.type, 'agent_job_api_key'))
+    .all()
+    .filter(r => r.lastUsedAt !== null ? r.lastUsedAt > cutoff : r.createdAt > cutoff);
+
+  _cache = [...rows, ...jobKeyRows].map((row) => {
     const parsed = JSON.parse(row.value);
-    return { id: row.id, keyHash: parsed.key_hash };
+    return { id: row.id, keyHash: parsed.key_hash, type: row.type };
   });
 
   return _cache;
@@ -181,6 +191,29 @@ export function verifyApiKey(rawKey) {
   return null;
 }
 
+/**
+ * Create a per-job API key for an agent job container.
+ * Stored as type 'agent_job_api_key'. Valid for 1 hour since last use.
+ * @param {string} jobId - Agent job ID (stored as key column for traceability)
+ * @returns {{ key: string }} The raw API key to inject into the container
+ */
+export function createAgentJobApiKey(jobId) {
+  const db = getDb();
+  const key = generateApiKey();
+  const keyHash = hashApiKey(key);
+  const now = Date.now();
+  db.insert(settings).values({
+    id: randomUUID(),
+    type: 'agent_job_api_key',
+    key: jobId,
+    value: JSON.stringify({ key_hash: keyHash }),
+    createdAt: now,
+    updatedAt: now,
+  }).run();
+  invalidateApiKeyCache();
+  return { key };
+}
+
 /**
  * Backfill lastUsedAt column from JSON value for existing api_key rows.
  * Idempotent — only processes rows that still have last_used_at in JSON.

package/lib/db/config.js

@@ -272,11 +272,23 @@ export function deleteAgentJobSecret(key) {
 export function listAgentJobSecrets() {
   const db = getDb();
   const rows = db
-    .select({ key: settings.key, updatedAt: settings.updatedAt })
+    .select({ key: settings.key, value: settings.value, updatedAt: settings.updatedAt })
     .from(settings)
     .where(eq(settings.type, 'agent_job_secret'))
     .all();
-  return rows.map((r) => ({ key: r.key, isSet: true, updatedAt: r.updatedAt }));
+  return rows.map((r) => {
+    let secretType = 'manual';
+    try {
+      const decrypted = decrypt(JSON.parse(r.value));
+      try {
+        const parsed = JSON.parse(decrypted);
+        if (parsed.type === 'oauth2' || parsed.type === 'oauth_token') {
+          secretType = parsed.type;
+        }
+      } catch {}
+    } catch {}
+    return { key: r.key, isSet: true, updatedAt: r.updatedAt, secretType };
+  });
 }
 
 /**
@@ -292,13 +304,37 @@ export function getAllAgentJobSecrets() {
     .all();
   return rows.map((r) => {
     try {
-      return { key: r.key, value: decrypt(JSON.parse(r.value)) };
-    } catch {
+      const decrypted = decrypt(JSON.parse(r.value));
+      try {
+        const parsed = JSON.parse(decrypted);
+        if (parsed.type === 'oauth2' || parsed.type === 'oauth_token') {
+          return { key: r.key, value: null };
+        }
+      } catch {}
+      return { key: r.key, value: decrypted };
+    } catch (err) {
+      console.warn(`[secrets] failed to decrypt agent secret "${r.key}":`, err.message);
       return null;
     }
   }).filter(Boolean);
 }
 
+/**
+ * Get a single agent job secret, decrypted. Returns the raw stored string (may be JSON).
+ * @param {string} key
+ * @returns {string|null}
+ */
+export function getAgentJobSecretRaw(key) {
+  const db = getDb();
+  const row = db
+    .select()
+    .from(settings)
+    .where(and(eq(settings.type, 'agent_job_secret'), eq(settings.key, key)))
+    .get();
+  if (!row) return null;
+  try { return decrypt(JSON.parse(row.value)); } catch { return null; }
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Migration: import env vars to DB on first run
 // ─────────────────────────────────────────────────────────────────────────────

package/lib/maintenance.js

@@ -0,0 +1,35 @@
+import cron from 'node-cron';
+import { eq } from 'drizzle-orm';
+import { getDb } from './db/index.js';
+import { settings } from './db/schema.js';
+import { invalidateApiKeyCache } from './db/api-keys.js';
+
+const ONE_HOUR = 60 * 60 * 1000;
+
+function cleanExpiredAgentJobKeys() {
+  try {
+    const db = getDb();
+    const cutoff = Date.now() - ONE_HOUR;
+    const rows = db
+      .select({ id: settings.id, lastUsedAt: settings.lastUsedAt, createdAt: settings.createdAt })
+      .from(settings)
+      .where(eq(settings.type, 'agent_job_api_key'))
+      .all();
+    const expiredIds = rows
+      .filter(r => r.lastUsedAt !== null ? r.lastUsedAt < cutoff : r.createdAt < cutoff)
+      .map(r => r.id);
+    if (expiredIds.length > 0) {
+      for (const id of expiredIds) {
+        db.delete(settings).where(eq(settings.id, id)).run();
+      }
+      invalidateApiKeyCache();
+      console.log(`[maintenance] Deleted ${expiredIds.length} expired agent job key(s)`);
+    }
+  } catch (err) {
+    console.error('[maintenance] cleanExpiredAgentJobKeys failed:', err);
+  }
+}
+
+export function startMaintenanceCron() {
+  cron.schedule('0 * * * *', cleanExpiredAgentJobKeys);
+}

package/lib/oauth/helper.js

@@ -56,3 +56,37 @@ export async function exchangeCodeForToken({ code, clientId, clientSecret, token
 
   return data;
 }
+
+/**
+ * Refresh an OAuth2 access token using a refresh token.
+ *
+ * POSTs to the provider's token endpoint with grant_type=refresh_token.
+ * Returns the full JSON response (new access_token, possibly new refresh_token, etc.).
+ */
+export async function refreshOAuthToken({ refreshToken, clientId, clientSecret, tokenUrl }) {
+  const body = new URLSearchParams({
+    grant_type: 'refresh_token',
+    refresh_token: refreshToken,
+    client_id: clientId,
+    client_secret: clientSecret,
+  });
+
+  const response = await fetch(tokenUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+
+  const data = await response.json();
+
+  if (!response.ok) {
+    const errorMsg = data.error_description || data.error || 'Token refresh failed';
+    throw new Error(errorMsg);
+  }
+
+  if (!data.access_token) {
+    throw new Error('No access_token in refresh response');
+  }
+
+  return data;
+}

package/lib/tools/create-agent-job.js

@@ -3,6 +3,7 @@ import { z } from 'zod';
 import { githubApi } from './github.js';
 import { createModel } from '../ai/model.js';
 import { getConfig } from '../config.js';
+import { createAgentJobApiKey } from '../db/api-keys.js';
 
 /**
  * Generate a short descriptive title for an agent job using the LLM.
@@ -92,6 +93,7 @@ async function createAgentJob(agentJobDescription, options = {}) {
 
   // 6. Launch Docker container locally (fire-and-forget with async cleanup)
   const repoSlug = `${GH_OWNER}/${GH_REPO}`;
+  const { key: agentJobToken } = createAgentJobApiKey(agentJobId);
   launchAgentJobContainer({
     agentJobId,
     repo: repoSlug,
@@ -100,6 +102,7 @@ async function createAgentJob(agentJobDescription, options = {}) {
     description: agentJobDescription,
     codingAgent: options.agentBackend,
     llmModel: options.llmModel,
+    agentJobToken,
   }).catch(err => {
     console.error(`[agent-job] Failed to launch container for ${agentJobId}:`, err.message);
   });

package/lib/tools/docker.js

@@ -227,7 +227,7 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
     const { getAllAgentJobSecrets } = await import('../db/config.js');
     const jobSecrets = getAllAgentJobSecrets();
     for (const { key, value } of jobSecrets) {
-      if (!env.some(e => e.startsWith(`${key}=`))) {
+      if (value !== null && !env.some(e => e.startsWith(`${key}=`))) {
         env.push(`${key}=${value}`);
       }
     }
@@ -434,7 +434,7 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
     const { getAllAgentJobSecrets } = await import('../db/config.js');
     const jobSecrets = getAllAgentJobSecrets();
     for (const { key, value } of jobSecrets) {
-      if (!env.some(e => e.startsWith(`${key}=`))) {
+      if (value !== null && !env.some(e => e.startsWith(`${key}=`))) {
         env.push(`${key}=${value}`);
       }
     }
@@ -851,7 +851,7 @@ async function removeVolume(name) {
  * @param {string} [options.llmModel] - Model override
  * @returns {Promise<{containerId: string, containerName: string, volumeName: string}>}
  */
-async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel }) {
+async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel, agentJobToken }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -885,11 +885,18 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
     env.push(`GH_TOKEN=${ghToken}`);
   }
 
-  // Inject custom job secrets (merge, don't override built-in env vars)
+  // Inject APP_URL so agents can call back to the event handler
+  const appUrl = getConfig('APP_URL');
+  if (appUrl) env.push(`APP_URL=${appUrl}`);
+
+  // Inject per-job API token for agent-secrets skill
+  if (agentJobToken) env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+
+  // Inject agent job secrets (plain secrets as env vars; oauth types are null — agent must fetch via get)
   const { getAllAgentJobSecrets } = await import('../db/config.js');
   const jobSecrets = getAllAgentJobSecrets();
   for (const { key, value } of jobSecrets) {
-    if (!env.some(e => e.startsWith(`${key}=`))) {
+    if (value !== null && !env.some(e => e.startsWith(`${key}=`))) {
       env.push(`${key}=${value}`);
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.74",
+  "version": "1.2.75-beta.2",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {
@@ -32,6 +32,7 @@
     "./middleware": "./lib/auth/middleware.js",
     "./oauth": "./lib/oauth/helper.js",
     "./oauth/providers": "./lib/oauth/providers.js",
+    "./maintenance": "./lib/maintenance.js",
     "./package.json": "./package.json"
   },
   "files": [
@@ -68,6 +69,7 @@
     "@ai-sdk/react": "^2.0.0",
     "@clack/prompts": "^0.10.0",
     "@dnd-kit/core": "^6.3.1",
+    "@dnd-kit/modifiers": "^9.0.0",
     "@dnd-kit/sortable": "^10.0.0",
     "@grammyjs/parse-mode": "^2.2.0",
     "@langchain/anthropic": "^1.3.17",
@@ -77,7 +79,6 @@
     "@langchain/langgraph-checkpoint-sqlite": "^1.0.1",
     "@langchain/openai": "^1.2.7",
     "@monaco-editor/react": "^4.7.0",
-    "@xterm/addon-clipboard": "^0.2.0",
     "@xterm/addon-fit": "^0.10.0",
     "@xterm/addon-search": "^0.15.0",
     "@xterm/addon-serialize": "^0.13.0",

package/templates/docker-compose.custom.yml

@@ -67,6 +67,7 @@ services:
       ACCESS_TOKEN: ${GH_TOKEN}
       RUNNER_SCOPE: repo
       LABELS: self-hosted
+      EPHEMERAL: "1"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - .:/project

package/templates/docker-compose.litellm.yml

@@ -65,6 +65,7 @@ services:
       ACCESS_TOKEN: ${GH_TOKEN}
       RUNNER_SCOPE: repo
       LABELS: self-hosted
+      EPHEMERAL: "1"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - .:/project

package/templates/docker-compose.yml

@@ -62,6 +62,8 @@ services:
       ACCESS_TOKEN: ${GH_TOKEN}
       RUNNER_SCOPE: repo
       LABELS: self-hosted
+      EPHEMERAL: "1"
+      DISABLE_AUTO_UPDATE: "true"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - .:/project