thepopebot 1.2.75-beta.17 → 1.2.75-beta.19

package/api/CLAUDE.md

@@ -26,7 +26,7 @@ Browser-facing data fetching uses **fetch route handlers** colocated with pages
 | GET | `/api/ping` | None | Health check |
 | POST | `/api/create-agent-job` | `x-api-key` | Create agent job |
 | GET | `/api/get-agent-job-secret` | `x-api-key` | Get an agent job secret; oauth2 credentials return only the access_token (auto-refreshed) |
-| POST | `/api/set-agent-job-secret` | `x-api-key` | Set/update an agent job secret (for agents to persist rotated credentials) |
+| GET | `/api/agent-job-list-secrets` | `x-api-key` | List agent job secret keys (no values); returns `{secrets: [{key, isSet, updatedAt, secretType}]}` |
 | GET | `/api/agent-jobs/status` | `x-api-key` | Agent job status (query: `?agent_job_id=`) |
 | POST | `/api/telegram/webhook` | Telegram webhook secret | Telegram message handler |
 | POST | `/api/telegram/register` | `x-api-key` | Register bot token + webhook URL |

package/api/index.js

@@ -166,20 +166,13 @@ async function handleGetAgentSecret(request) {
   return Response.json({ value: raw });
 }
 
-async function handleSetAgentSecret(request) {
+async function handleListAgentSecrets(request) {
   const record = verifyApiKey(request.headers.get('x-api-key'));
   if (record.type !== 'agent_job_api_key') {
     return Response.json({ error: 'Forbidden' }, { status: 403 });
   }
-
-  const body = await request.json();
-  const { key, value } = body;
-  if (!key || typeof value !== 'string') {
-    return Response.json({ error: 'Missing key or value' }, { status: 400 });
-  }
-  const { setAgentJobSecret } = await import('../lib/db/config.js');
-  setAgentJobSecret(key, value, 'agent');
-  return Response.json({ success: true });
+  const { listAgentJobSecrets } = await import('../lib/db/config.js');
+  return Response.json({ secrets: listAgentJobSecrets() });
 }
 
 async function handleTelegramRegister(request) {
@@ -405,7 +398,6 @@ async function POST(request) {
   // Route to handler
   switch (routePath) {
     case '/create-agent-job':     return handleCreateAgentJob(request);
-    case '/set-agent-job-secret':  return handleSetAgentSecret(request);
     case '/telegram/webhook':   return handleTelegramWebhook(request);
     case '/telegram/register':  return handleTelegramRegister(request);
     case '/github/webhook':     return handleGithubWebhook(request);
@@ -424,7 +416,8 @@ async function GET(request) {
   switch (routePath) {
     case '/ping':               return Response.json({ message: 'Pong!' });
     case '/agent-jobs/status':  return handleAgentJobStatus(request);
-    case '/get-agent-job-secret':   return handleGetAgentSecret(request);
+    case '/get-agent-job-secret':     return handleGetAgentSecret(request);
+    case '/agent-job-list-secrets':  return handleListAgentSecrets(request);
     case '/oauth/callback':     return handleOAuthCallback(request);
     default:                    return Response.json({ error: 'Not found' }, { status: 404 });
   }

package/bin/cli.js

@@ -57,6 +57,7 @@ Commands:
   reset-auth                        Regenerate AUTH_SECRET (invalidates all sessions)
   reset [file]                      Restore a template file (or list available templates)
   reset-all                         Nuclear reset — restore entire project to fresh init state
+  audit                             Show project state vs. package templates (modified/missing/unknown)
   diff [file]                       Show differences between project files and package templates
   sync <path>                       Sync local package to a test install (build, pack, Docker)
   sync --fast <path>                Fast sync — copy source into running container, rebuild .next
@@ -530,6 +531,98 @@ function diff(filePath) {
   }
 }
 
+/**
+ * Audit project state against package templates.
+ * Groups all non-protected files into: matching, modified, missing, unknown.
+ */
+function audit() {
+  const packageDir = path.join(__dirname, '..');
+  const templatesDir = path.join(packageDir, 'templates');
+  const cwd = process.cwd();
+
+  const templateFiles = getTemplateFiles(templatesDir);
+  const matching = [];
+  const modified = [];
+  const missing = [];
+
+  // Check every template file against the project
+  for (const relPath of templateFiles) {
+    const src = path.join(templatesDir, relPath);
+    const outPath = destPath(relPath);
+    const dest = path.join(cwd, outPath);
+
+    if (!fs.existsSync(dest)) {
+      missing.push(outPath);
+    } else {
+      const srcContent = fs.readFileSync(src);
+      const destContent = fs.readFileSync(dest);
+      if (srcContent.equals(destContent)) {
+        matching.push(outPath);
+      } else {
+        modified.push(outPath);
+      }
+    }
+  }
+
+  // Build a set of known template dest paths for lookup
+  const templateDestPaths = new Set(templateFiles.map(f => destPath(f)));
+
+  // Walk the project for unknown files (not in templates, not protected)
+  const unknown = [];
+  function walkProject(dir) {
+    const items = fs.readdirSync(dir, { withFileTypes: true });
+    for (const item of items) {
+      const fullPath = path.join(dir, item.name);
+      const relPath = path.relative(cwd, fullPath);
+      if (isProtected(relPath)) continue;
+      if (item.isDirectory() && !item.isSymbolicLink()) {
+        walkProject(fullPath);
+      } else if (!templateDestPaths.has(relPath)) {
+        unknown.push(relPath);
+      }
+    }
+  }
+  walkProject(cwd);
+
+  // Report
+  console.log('\n  Project audit\n');
+
+  if (modified.length > 0) {
+    console.log(`  Modified (${modified.length}) — template exists, your version differs:`);
+    for (const f of modified) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  if (missing.length > 0) {
+    console.log(`  Missing (${missing.length}) — template exists, not in your project:`);
+    for (const f of missing) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  if (unknown.length > 0) {
+    console.log(`  Unknown (${unknown.length}) — in your project, no template (reset-all would remove):`);
+    for (const f of unknown) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  console.log(`  ${matching.length} file(s) match package templates.`);
+
+  if (modified.length > 0 || missing.length > 0) {
+    console.log('\n  To reset a file:     thepopebot reset <file>');
+    console.log('  To view a diff:      thepopebot diff <file>');
+  }
+  if (unknown.length > 0 || modified.length > 0 || missing.length > 0) {
+    console.log('  To reset everything: thepopebot reset-all');
+  }
+  console.log('');
+}
+
 function copyDirSyncForce(src, dest, templateRelBase = '') {
   fs.mkdirSync(dest, { recursive: true });
   const entries = fs.readdirSync(src, { withFileTypes: true });
@@ -991,6 +1084,9 @@ switch (command) {
   case 'reset-all':
     await resetAll();
     break;
+  case 'audit':
+    audit();
+    break;
   case 'diff':
     diff(args[0]);
     break;

package/lib/chat/components/chats-page.js

@@ -263,10 +263,10 @@ function ChatRow({ chat, onNavigate, onDelete, onStar, onRename }) {
         }
       },
       children: [
-        chat.chatMode === "code" ? /* @__PURE__ */ jsxs("span", { className: "relative", children: [
-          /* @__PURE__ */ jsx(CodeIcon, { size: 16 }),
+        /* @__PURE__ */ jsxs("span", { className: "relative", children: [
+          chat.chatMode === "code" ? /* @__PURE__ */ jsx(CodeIcon, { size: 16 }) : /* @__PURE__ */ jsx(AgentIcon, { size: 16 }),
           chat.hasChanges ? /* @__PURE__ */ jsx("span", { className: "absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" }) : null
-        ] }) : /* @__PURE__ */ jsx(AgentIcon, { size: 16 }),
+        ] }),
         /* @__PURE__ */ jsxs("div", { className: "flex-1 min-w-0", children: [
           editing ? /* @__PURE__ */ jsx(
             "input",

package/lib/chat/components/chats-page.jsx

@@ -312,12 +312,10 @@ function ChatRow({ chat, onNavigate, onDelete, onStar, onRename }) {
         }
       }}
     >
-      {chat.chatMode === 'code' ? (
-        <span className="relative">
-          <CodeIcon size={16} />
-          {chat.hasChanges ? <span className="absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" /> : null}
-        </span>
-      ) : <AgentIcon size={16} />}
+      <span className="relative">
+        {chat.chatMode === 'code' ? <CodeIcon size={16} /> : <AgentIcon size={16} />}
+        {chat.hasChanges ? <span className="absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" /> : null}
+      </span>
       <div className="flex-1 min-w-0">
         {editing ? (
           <input

package/lib/chat/components/sidebar-history-item.js

@@ -40,10 +40,10 @@ function SidebarHistoryItem({ chat, isActive, onDelete, onStar, onRename }) {
                 setOpenMobile(false);
               },
               children: [
-                chat.chatMode === "code" ? /* @__PURE__ */ jsxs("span", { className: "relative", children: [
-                  /* @__PURE__ */ jsx(CodeIcon, { size: 14 }),
+                /* @__PURE__ */ jsxs("span", { className: "relative", children: [
+                  chat.chatMode === "code" ? /* @__PURE__ */ jsx(CodeIcon, { size: 14 }) : /* @__PURE__ */ jsx(AgentIcon, { size: 14 }),
                   chat.hasChanges ? /* @__PURE__ */ jsx("span", { className: "absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" }) : null
-                ] }) : /* @__PURE__ */ jsx(AgentIcon, { size: 14 }),
+                ] }),
                 /* @__PURE__ */ jsx("span", { className: "truncate flex-1", children: chat.title })
               ]
             }

package/lib/chat/components/sidebar-history-item.jsx

@@ -40,12 +40,10 @@ export function SidebarHistoryItem({ chat, isActive, onDelete, onStar, onRename
             setOpenMobile(false);
           }}
         >
-          {chat.chatMode === 'code' ? (
-            <span className="relative">
-              <CodeIcon size={14} />
-              {chat.hasChanges ? <span className="absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" /> : null}
-            </span>
-          ) : <AgentIcon size={14} />}
+          <span className="relative">
+            {chat.chatMode === 'code' ? <CodeIcon size={14} /> : <AgentIcon size={14} />}
+            {chat.hasChanges ? <span className="absolute -bottom-0.5 -right-0.5 w-2 h-2 rounded-full bg-destructive" /> : null}
+          </span>
           <span className="truncate flex-1">
             {chat.title}
           </span>

package/lib/tools/docker.js

@@ -233,9 +233,6 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
         env.push(`${key}=${value}`);
       }
     }
-    if (jobSecrets.length > 0) {
-      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-    }
     // Create per-container API key for agent-secrets access
     const { createAgentJobApiKey } = await import('../db/api-keys.js');
     const { key: agentJobToken } = createAgentJobApiKey(containerName);
@@ -446,9 +443,6 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
         env.push(`${key}=${value}`);
       }
     }
-    if (jobSecrets.length > 0) {
-      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-    }
     // Create per-container API key for agent-secrets access
     const { createAgentJobApiKey } = await import('../db/api-keys.js');
     const { key: agentJobToken } = createAgentJobApiKey(containerName);
@@ -916,9 +910,6 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
       env.push(`${key}=${value}`);
     }
   }
-  if (jobSecrets.length > 0) {
-    env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-  }
 
   console.log(`[agent-job] id=${shortId} agent=${agent} image=${image} backendApi=${backendApi}`);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.75-beta.17",
+  "version": "1.2.75-beta.19",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/templates/.tmp/CLAUDE.md.template

@@ -0,0 +1,5 @@
+# .tmp/ — Scratch Directory
+
+Temporary working files — downloads, screenshots, snapshots, intermediate data, generated files. This directory is gitignored and nothing here gets committed.
+
+Playwright MCP saves screenshots and snapshots here. Other tools and scripts should use this directory for any transient output that doesn't belong in the repo.

package/templates/agent-job/SYSTEM.md

@@ -4,7 +4,12 @@ You are an autonomous AI agent running inside a Docker container on thepopebot.
 
 ## Runtime Environment
 
-Your workspace is `/home/coding-agent/workspace` — a live git repository. Use `/tmp` for working files — downloads, intermediate data, scripts, generated files. `/tmp` is outside the repo and nothing there gets committed. If a tool downloads a file to `/tmp`, leave it there and reference it directly.
+Your workspace is `/home/coding-agent/workspace` — a live git repository.
+
+## Temporary Files
+Use `/home/coding-agent/workspace/.tmp/` for working files — downloads, screenshots, intermediate data, scripts, generated files. `/home/coding-agent/workspace/.tmp/` is gitignored and nothing there gets committed. If a tool downloads a file, save it to `/home/coding-agent/workspace/.tmp/` and reference it directly.
+
+**DO NOT USE** `/tmp` because that will continue waste disk space writing extra layers to the container.
 
 Everything in the workspace is automatically committed and pushed when your job finishes. You do not control this. Be intentional about what you put here — **any file you create, move, or download into the workspace WILL be committed.**
 

package/templates/skills/CLAUDE.md.template

@@ -10,7 +10,30 @@ Skills are lightweight plugins that extend agent abilities. Each skill lives in
 
 Both Pi and Claude Code discover skills from the same `skills/active/` directory (via `.pi/skills` and `.claude/skills` symlink bridges).
 
-## SKILL.md Format
+## Conventions
+
+### Language Preference
+
+**Bash first.** Skills are glue code — API calls, data piping, file manipulation. Bash + curl + python3 (for JSON) handles nearly everything. No module systems, no dependency management, no surprises.
+
+Use Node.js **only** when a required library has no alternative (e.g., `youtube-transcript-plus`). Never for new skills where bash + curl would work.
+
+### Bash Script Standards
+
+- Include `#!/bin/bash` and `set -euo pipefail` at the top
+- `chmod +x` after creating
+
+### Node.js Module Rules
+
+The root `package.json` has `"type": "module"`, which forces **all** `.js` files in the project tree to be treated as ESM. This silently breaks any script using `require()`.
+
+- **`.cjs`** — for CommonJS scripts (uses `require()`)
+- **`.mjs`** — for ESM scripts (uses `import`)
+- **Never use plain `.js`** for skill scripts. The behavior depends on the nearest `package.json` and will break unpredictably.
+
+If you encounter a broken `.js` script in a skill, rename it to `.cjs` or `.mjs` as appropriate and update SKILL.md references.
+
+### SKILL.md Format
 
 Every skill must have a `SKILL.md` with YAML frontmatter:
 
@@ -32,12 +55,30 @@ skills/skill-name/script.sh <args>
 - The `description` field appears in the system prompt — keep it concise and action-oriented.
 - Use project-root-relative paths in documentation (e.g., `skills/skill-name/script.sh`).
 
-## Skill Structure
+### Skill Structure
 
 - **`SKILL.md`** (required) — YAML frontmatter + markdown documentation
-- **Scripts** (optional) — prefer bash (`.sh`) for simplicity
+- **Scripts** — bash (`.sh`) by default, `.cjs`/`.mjs` only when necessary
 - **`package.json`** (optional) — only if Node.js dependencies are truly needed
 
+### Credential Setup
+
+If a skill needs an API key, add it via the admin UI (Settings > Agent Jobs > Secrets). The secret will be injected as an env var into Docker containers. The agent can discover available secrets via the `get-secret` skill.
+
+### Activation & Deactivation
+
+```bash
+# Activate
+ln -s ../skill-name skills/active/skill-name
+
+# Deactivate
+rm skills/active/skill-name
+```
+
+The `skills/active/` directory is shared by both agent backends via symlink bridges:
+- `.claude/skills → skills/active`
+- `.pi/skills → skills/active`
+
 ## Creating a Skill
 
 ### Simple bash skill (most common)
@@ -67,6 +108,8 @@ skills/my-skill/run.sh <args>
 **skills/my-skill/run.sh:**
 ```bash
 #!/bin/bash
+set -euo pipefail
+
 if [ -z "$1" ]; then echo "Usage: run.sh <args>"; exit 1; fi
 if [ -z "$MY_API_KEY" ]; then echo "Error: MY_API_KEY not set"; exit 1; fi
 # ... skill logic
@@ -80,25 +123,7 @@ ln -s ../my-skill skills/active/my-skill
 
 ### Node.js skill
 
-Use this pattern only when bash + curl isn't sufficient (e.g., HTML parsing, complex data processing). Add a `package.json` with dependencies — they're installed automatically in Docker.
-
-## Activation & Deactivation
-
-```bash
-# Activate
-ln -s ../skill-name skills/active/skill-name
-
-# Deactivate
-rm skills/active/skill-name
-```
-
-The `skills/active/` directory is shared by both agent backends via symlink bridges:
-- `.claude/skills → skills/active`
-- `.pi/skills → skills/active`
-
-## Credential Setup
-
-If a skill needs an API key, add it via the admin UI (Settings > Agent Jobs > Secrets). The secret will be injected as an env var into Docker containers. The agent can discover available secrets via the `get-secret` skill.
+Use only when a required library has no bash/curl alternative. Add a `package.json` with dependencies — they're installed automatically in Docker. Use `.cjs` for CommonJS or `.mjs` for ESM — never plain `.js`.
 
 ## Testing
 

package/templates/skills/agent-job-secrets/SKILL.md

@@ -1,25 +1,23 @@
 ---
 name: agent-job-secrets
-description: List, get, or update agent secrets. Use get for OAuth credentials (auto-refreshed on every call). Use set to persist updated credentials back to the event handler.
+description: List and retrieve agent secrets. Plain secrets are also available as env vars. OAuth credentials are auto-refreshed on every get call.
 ---
 
 ## Usage
 
 ```bash
-# List available secrets (null = must fetch, plain = already in env)
+# List available secret keys (fetches current list from server)
 node skills/agent-job-secrets/agent-job-secrets.js
 
 # Get a secret value (OAuth credentials are auto-refreshed)
 node skills/agent-job-secrets/agent-job-secrets.js get MY_CREDENTIALS
-
-# Set/update a secret (plain string or piped value)
-node skills/agent-job-secrets/agent-job-secrets.js set MY_KEY "value"
-echo "$UPDATED_CREDENTIALS" | node skills/agent-job-secrets/agent-job-secrets.js set MY_KEY
 ```
 
 ## Notes
 
 - `AGENT_JOB_TOKEN` and `APP_URL` are injected automatically — no setup required
-- OAuth credentials show as `null` in the list and must be fetched via `get`
-- `get` on an OAuth credential refreshes it and persists the updated token immediately
-- Plain secrets are available directly as env vars (e.g. `echo $MY_KEY`)
+- Plain (non-OAuth) secrets are also available directly as env vars (e.g. `echo $MY_KEY`)
+- OAuth credentials must be fetched via `get` — they are not available as env vars
+- `get` on an OAuth credential refreshes it server-side and returns a fresh access token
+- If a fetched credential stops working (expired token, 401 error), call `get` again to obtain a fresh one
+- `list` always fetches from the server, so it reflects secrets added after the container started

package/templates/skills/agent-job-secrets/agent-job-secrets.js

@@ -1,31 +1,43 @@
 #!/usr/bin/env node
-import { readFileSync } from 'fs';
 
-const [cmd, key, inlineValue] = process.argv.slice(2);
+const [cmd, key] = process.argv.slice(2);
+
+const apiKey = process.env.AGENT_JOB_TOKEN;
+const appUrl = process.env.APP_URL;
 
 // Default to list
 if (!cmd || cmd === 'list') {
-  const secretsJson = process.env.AGENT_JOB_SECRETS;
-  if (!secretsJson) {
-    console.log('No agent secrets configured.');
+  if (!apiKey || !appUrl) {
+    console.log('No agent secrets available (missing AGENT_JOB_TOKEN or APP_URL).');
     process.exit(0);
   }
-  const secrets = JSON.parse(secretsJson);
-  const keys = Object.keys(secrets);
-  if (keys.length === 0) {
+  const url = `${appUrl}/api/agent-job-list-secrets`;
+  const res = await fetch(url, {
+    headers: { 'x-api-key': apiKey },
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    console.error(`GET ${url} → ${res.status} ${body}`);
+    process.exit(1);
+  }
+  const json = await res.json();
+  const secrets = json.secrets;
+  if (!secrets || secrets.length === 0) {
     console.log('No agent secrets configured.');
   } else {
     console.log('Available secrets:');
-    keys.forEach(k => {
-      const fetchRequired = secrets[k] === null;
-      console.log(`  - ${k}${fetchRequired ? '  (use agent-job-secrets skill to fetch)' : ''}`);
+    secrets.forEach(s => {
+      const hint = s.secretType === 'oauth2' ? '  (OAuth — use get to fetch access token)'
+                 : s.secretType === 'oauth_token' ? '  (OAuth token — use get to fetch)'
+                 : '';
+      console.log(`  - ${s.key}${hint}`);
     });
+    console.log('\nUse: agent-job-secrets get KEY_NAME');
+    console.log('If a fetched value stops working, call get again for a fresh one.');
   }
   process.exit(0);
 }
 
-const apiKey = process.env.AGENT_JOB_TOKEN;
-const appUrl = process.env.APP_URL;
 if (!apiKey) { console.error('AGENT_JOB_TOKEN not available'); process.exit(1); }
 if (!appUrl) { console.error('APP_URL not available'); process.exit(1); }
 
@@ -45,31 +57,6 @@ if (cmd === 'get') {
   process.exit(0);
 }
 
-if (cmd === 'set') {
-  if (!key) {
-    console.error('Usage: agent-job-secrets set KEY_NAME [value]');
-    console.error('       echo "value" | agent-job-secrets set KEY_NAME');
-    process.exit(1);
-  }
-  let value = inlineValue;
-  if (value === undefined) {
-    value = readFileSync('/dev/stdin', 'utf8').trim();
-  }
-  const url = `${appUrl}/api/set-agent-job-secret`;
-  const res = await fetch(url, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'x-api-key': apiKey },
-    body: JSON.stringify({ key, value }),
-  });
-  if (!res.ok) {
-    const body = await res.text();
-    console.error(`POST ${url} → ${res.status} ${body}`);
-    process.exit(1);
-  }
-  const json = await res.json();
-  console.log(`Secret "${key}" updated.`);
-  process.exit(0);
-}
-
 console.error(`Unknown command: ${cmd}`);
+console.error('Available commands: list, get');
 process.exit(1);