thepopebot 1.2.75-beta.2 → 1.2.75-beta.20

package/README.md

@@ -106,7 +106,7 @@ The wizard walks you through everything:
 - **Web Chat**: Visit your APP_URL to chat with your agent, create jobs, upload files
 - **Telegram** (optional): Run `npm run setup-telegram` to connect a Telegram bot
 - **Webhook**: Send a POST to `/api/create-agent-job` with your API key to create jobs programmatically
-- **Cron**: Edit `config/CRONS.json` to schedule recurring jobs
+- **Cron**: Edit `agent-job/CRONS.json` to schedule recurring jobs
 
 ### Chat vs Agent LLM
 

package/api/CLAUDE.md

@@ -26,7 +26,7 @@ Browser-facing data fetching uses **fetch route handlers** colocated with pages
 | GET | `/api/ping` | None | Health check |
 | POST | `/api/create-agent-job` | `x-api-key` | Create agent job |
 | GET | `/api/get-agent-job-secret` | `x-api-key` | Get an agent job secret; oauth2 credentials return only the access_token (auto-refreshed) |
-| POST | `/api/set-agent-job-secret` | `x-api-key` | Set/update an agent job secret (for agents to persist rotated credentials) |
+| GET | `/api/agent-job-list-secrets` | `x-api-key` | List agent job secret keys (no values); returns `{secrets: [{key, isSet, updatedAt, secretType}]}` |
 | GET | `/api/agent-jobs/status` | `x-api-key` | Agent job status (query: `?agent_job_id=`) |
 | POST | `/api/telegram/webhook` | Telegram webhook secret | Telegram message handler |
 | POST | `/api/telegram/register` | `x-api-key` | Register bot token + webhook URL |

package/api/index.js

@@ -166,20 +166,13 @@ async function handleGetAgentSecret(request) {
   return Response.json({ value: raw });
 }
 
-async function handleSetAgentSecret(request) {
+async function handleListAgentSecrets(request) {
   const record = verifyApiKey(request.headers.get('x-api-key'));
   if (record.type !== 'agent_job_api_key') {
     return Response.json({ error: 'Forbidden' }, { status: 403 });
   }
-
-  const body = await request.json();
-  const { key, value } = body;
-  if (!key || typeof value !== 'string') {
-    return Response.json({ error: 'Missing key or value' }, { status: 400 });
-  }
-  const { setAgentJobSecret } = await import('../lib/db/config.js');
-  setAgentJobSecret(key, value, 'agent');
-  return Response.json({ success: true });
+  const { listAgentJobSecrets } = await import('../lib/db/config.js');
+  return Response.json({ secrets: listAgentJobSecrets() });
 }
 
 async function handleTelegramRegister(request) {
@@ -405,7 +398,6 @@ async function POST(request) {
   // Route to handler
   switch (routePath) {
     case '/create-agent-job':     return handleCreateAgentJob(request);
-    case '/set-agent-job-secret':  return handleSetAgentSecret(request);
     case '/telegram/webhook':   return handleTelegramWebhook(request);
     case '/telegram/register':  return handleTelegramRegister(request);
     case '/github/webhook':     return handleGithubWebhook(request);
@@ -424,7 +416,8 @@ async function GET(request) {
   switch (routePath) {
     case '/ping':               return Response.json({ message: 'Pong!' });
     case '/agent-jobs/status':  return handleAgentJobStatus(request);
-    case '/get-agent-job-secret':   return handleGetAgentSecret(request);
+    case '/get-agent-job-secret':     return handleGetAgentSecret(request);
+    case '/agent-job-list-secrets':  return handleListAgentSecrets(request);
     case '/oauth/callback':     return handleOAuthCallback(request);
     default:                    return Response.json({ error: 'Not found' }, { status: 404 });
   }

package/bin/CLAUDE.md

@@ -21,7 +21,7 @@ Entry point: `cli.js` (invoked via `npx thepopebot <command>`).
 
 `managed-paths.js` defines files auto-synced by `init`. These are overwritten on every init/upgrade — users should not edit them.
 
-**Managed paths**: `.github/workflows/`, `docker-compose.yml`, `.dockerignore`, `.gitignore`, `CLAUDE.md`, `config/CLAUDE.md`, `skills/CLAUDE.md`, `cron/CLAUDE.md`, `triggers/CLAUDE.md`, `docs/CLAUDE.md`.
+**Managed paths**: `.github/workflows/`, `docker-compose.yml`, `.dockerignore`, `.gitignore`, `agent-job/CLAUDE.md`, `event-handler/CLAUDE.md`, `skills/CLAUDE.md`.
 
 `isManaged(relPath)` — returns true if a path is managed (exact match or directory prefix).
 

package/bin/cli.js

@@ -52,11 +52,15 @@ Commands:
   init                              Scaffold a new thepopebot project
   upgrade|update [@beta|version]    Upgrade thepopebot (install, init, build, commit, push)
   setup                             Run interactive setup wizard
+  setup-ssl                         Configure SSL with Let's Encrypt wildcard cert
   setup-telegram                    Reconfigure Telegram webhook
   reset-auth                        Regenerate AUTH_SECRET (invalidates all sessions)
   reset [file]                      Restore a template file (or list available templates)
+  reset-all                         Nuclear reset — restore entire project to fresh init state
+  audit                             Show project state vs. package templates (modified/missing/unknown)
   diff [file]                       Show differences between project files and package templates
   sync <path>                       Sync local package to a test install (build, pack, Docker)
+  sync --fast <path>                Fast sync — copy source into running container, rebuild .next
   set-var <KEY> [VALUE]             Set a GitHub repository variable
   user:password <email>             Change a user's password
 `);
@@ -209,10 +213,13 @@ async function init() {
             const tmplPath = templatePath(relPath, templatesDir);
             const templateExists = fs.existsSync(path.join(templatesDir, tmplPath));
             if (!templateExists) {
-              backupFile(fullPath, relPath);
-              fs.unlinkSync(fullPath);
+              const bd = getBackupDir();
+              const dest = path.join(bd, relPath);
+              fs.mkdirSync(path.dirname(dest), { recursive: true });
+              fs.renameSync(fullPath, dest);
+              backedUp.push(relPath);
               deleted.push(relPath);
-              console.log(`  Deleted ${relPath} (stale managed file)`);
+              console.log(`  Removed ${relPath} (stale managed file)`);
             }
           }
         }
@@ -246,6 +253,7 @@ async function init() {
     const pkg = {
       name: dirName,
       private: true,
+      type: 'module',
       scripts: {
         setup: 'thepopebot setup',
         'setup-telegram': 'thepopebot setup-telegram',
@@ -258,18 +266,26 @@ async function init() {
     fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
     console.log('  Created package.json');
   } else {
-    console.log('  Skipped package.json (already exists)');
+    // Ensure "type": "module" is set for ESM support
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    if (!pkg.type) {
+      pkg.type = 'module';
+      fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+      console.log('  Added "type": "module" to package.json');
+    } else {
+      console.log('  Skipped package.json (already exists)');
+    }
   }
 
   // Create default skill activation symlinks
-  const defaultSkills = ['agent-job-secrets'];
+  const defaultSkills = [];
   const activeDir = path.join(cwd, 'skills', 'active');
   fs.mkdirSync(activeDir, { recursive: true });
   for (const skill of defaultSkills) {
     const symlink = path.join(activeDir, skill);
     if (!fs.existsSync(symlink)) {
-      createDirLink(`../${skill}`, symlink);
-      console.log(`  Created skills/active/${skill} → ../${skill}`);
+      createDirLink(`../library/${skill}`, symlink);
+      console.log(`  Created skills/active/${skill} → ../library/${skill}`);
     }
   }
 
@@ -337,8 +353,7 @@ AUTH_TRUST_HOST=true
 DATABASE_PATH=data/db/thepopebot.sqlite
 THEPOPEBOT_VERSION=${version}
 
-# Uncomment to use a custom docker-compose file that won't be overwritten by upgrades.
-# Edit docker-compose.custom.yml with your changes, then uncomment:
+# To enable SSL with Let's Encrypt, run: npx thepopebot setup-ssl
 # COMPOSE_FILE=docker-compose.custom.yml
 `;
     fs.writeFileSync(envPath, seedEnv);
@@ -360,6 +375,36 @@ THEPOPEBOT_VERSION=${version}
   console.log('\nDone! Run: npm run setup\n');
 }
 
+/**
+ * Create a timestamped backup directory and return { dir, ts }.
+ */
+function createBackupDir(cwd) {
+  const now = new Date();
+  const ts = now.getFullYear().toString()
+    + String(now.getMonth() + 1).padStart(2, '0')
+    + String(now.getDate()).padStart(2, '0')
+    + '-'
+    + String(now.getHours()).padStart(2, '0')
+    + String(now.getMinutes()).padStart(2, '0')
+    + String(now.getSeconds()).padStart(2, '0');
+  return { dir: path.join(cwd, '.backups', ts), ts };
+}
+
+/**
+ * Move a file or symlink to the backup directory.
+ */
+function backupAndRemove(fullPath, relPath, backupDir) {
+  const dest = path.join(backupDir, relPath);
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+  if (fs.lstatSync(fullPath).isSymbolicLink()) {
+    const target = fs.readlinkSync(fullPath);
+    fs.symlinkSync(target, dest);
+    fs.unlinkSync(fullPath);
+  } else {
+    fs.renameSync(fullPath, dest);
+  }
+}
+
 /**
  * List all available template files, or restore a specific one.
  */
@@ -375,7 +420,7 @@ function reset(filePath) {
       console.log(`  ${destPath(file)}`);
     }
     console.log('\nUsage: thepopebot reset <file>');
-    console.log('Example: thepopebot reset config/SOUL.md\n');
+    console.log('Example: thepopebot reset agent-job/SOUL.md\n');
     return;
   }
 
@@ -389,13 +434,38 @@ function reset(filePath) {
     process.exit(1);
   }
 
+  // Back up existing file before overwriting
+  if (fs.existsSync(dest)) {
+    const { dir, ts } = createBackupDir(cwd);
+    if (fs.statSync(src).isDirectory()) {
+      // Back up all files in the directory
+      function walkBackup(d) {
+        const items = fs.readdirSync(d, { withFileTypes: true });
+        for (const item of items) {
+          const full = path.join(d, item.name);
+          const rel = path.relative(cwd, full);
+          if (item.isDirectory()) {
+            walkBackup(full);
+          } else {
+            backupAndRemove(full, rel, dir);
+          }
+        }
+      }
+      walkBackup(dest);
+      console.log(`\n  Backed up to .backups/${ts}/`);
+    } else {
+      backupAndRemove(dest, filePath, dir);
+      console.log(`\n  Backed up to .backups/${ts}/${filePath}`);
+    }
+  }
+
   if (fs.statSync(src).isDirectory()) {
     console.log(`\nRestoring ${filePath}/...\n`);
     copyDirSyncForce(src, dest, tmplPath);
   } else {
     fs.mkdirSync(path.dirname(dest), { recursive: true });
     fs.copyFileSync(src, dest);
-    console.log(`\nRestored ${filePath}\n`);
+    console.log(`Restored ${filePath}\n`);
   }
 }
 
@@ -432,7 +502,7 @@ function diff(filePath) {
       console.log('  All files match package templates.');
     }
     console.log('\nUsage: thepopebot diff <file>');
-    console.log('Example: thepopebot diff config/SOUL.md\n');
+    console.log('Example: thepopebot diff agent-job/SOUL.md\n');
     return;
   }
 
@@ -461,6 +531,98 @@ function diff(filePath) {
   }
 }
 
+/**
+ * Audit project state against package templates.
+ * Groups all non-protected files into: matching, modified, missing, unknown.
+ */
+function audit() {
+  const packageDir = path.join(__dirname, '..');
+  const templatesDir = path.join(packageDir, 'templates');
+  const cwd = process.cwd();
+
+  const templateFiles = getTemplateFiles(templatesDir);
+  const matching = [];
+  const modified = [];
+  const missing = [];
+
+  // Check every template file against the project
+  for (const relPath of templateFiles) {
+    const src = path.join(templatesDir, relPath);
+    const outPath = destPath(relPath);
+    const dest = path.join(cwd, outPath);
+
+    if (!fs.existsSync(dest)) {
+      missing.push(outPath);
+    } else {
+      const srcContent = fs.readFileSync(src);
+      const destContent = fs.readFileSync(dest);
+      if (srcContent.equals(destContent)) {
+        matching.push(outPath);
+      } else {
+        modified.push(outPath);
+      }
+    }
+  }
+
+  // Build a set of known template dest paths for lookup
+  const templateDestPaths = new Set(templateFiles.map(f => destPath(f)));
+
+  // Walk the project for unknown files (not in templates, not protected)
+  const unknown = [];
+  function walkProject(dir) {
+    const items = fs.readdirSync(dir, { withFileTypes: true });
+    for (const item of items) {
+      const fullPath = path.join(dir, item.name);
+      const relPath = path.relative(cwd, fullPath);
+      if (isProtected(relPath)) continue;
+      if (item.isDirectory() && !item.isSymbolicLink()) {
+        walkProject(fullPath);
+      } else if (!templateDestPaths.has(relPath)) {
+        unknown.push(relPath);
+      }
+    }
+  }
+  walkProject(cwd);
+
+  // Report
+  console.log('\n  Project audit\n');
+
+  if (modified.length > 0) {
+    console.log(`  Modified (${modified.length}) — template exists, your version differs:`);
+    for (const f of modified) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  if (missing.length > 0) {
+    console.log(`  Missing (${missing.length}) — template exists, not in your project:`);
+    for (const f of missing) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  if (unknown.length > 0) {
+    console.log(`  Unknown (${unknown.length}) — in your project, no template (reset-all would remove):`);
+    for (const f of unknown) {
+      console.log(`    ${f}`);
+    }
+    console.log('');
+  }
+
+  console.log(`  ${matching.length} file(s) match package templates.`);
+
+  if (modified.length > 0 || missing.length > 0) {
+    console.log('\n  To reset a file:     thepopebot reset <file>');
+    console.log('  To view a diff:      thepopebot diff <file>');
+  }
+  if (unknown.length > 0 || modified.length > 0 || missing.length > 0) {
+    console.log('  To reset everything: thepopebot reset-all');
+  }
+  console.log('');
+}
+
 function copyDirSyncForce(src, dest, templateRelBase = '') {
   fs.mkdirSync(dest, { recursive: true });
   const entries = fs.readdirSync(src, { withFileTypes: true });
@@ -481,6 +643,134 @@ function copyDirSyncForce(src, dest, templateRelBase = '') {
   }
 }
 
+// Paths that reset-all must never touch (relative to project root).
+// Entries ending with '/' are directory prefixes.
+const PROTECTED_PATHS = [
+  '.env',
+  '.env.local',
+  'data/',
+  'logs/',
+  '.git/',
+  '.backups/',
+  'package-lock.json',
+  'package.json',
+  'docker-compose.custom.yml',
+  '.claude/',
+  '.pi/',
+  'skills/',
+  'node_modules/',
+];
+
+function isProtected(relPath) {
+  return PROTECTED_PATHS.some(p =>
+    p.endsWith('/') ? relPath === p.slice(0, -1) || relPath.startsWith(p) : relPath === p
+  );
+}
+
+async function resetAll() {
+  const cwd = process.cwd();
+
+  // Verify this is a thepopebot project
+  const pkgPath = path.join(cwd, 'package.json');
+  if (!fs.existsSync(pkgPath)) {
+    console.error('\n  Not a thepopebot project (no package.json found).\n');
+    process.exit(1);
+  }
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+  if (!deps.thepopebot) {
+    console.error('\n  Not a thepopebot project (thepopebot not in dependencies).\n');
+    process.exit(1);
+  }
+
+  // Dry run — collect all files that would be moved
+  const filesToMove = [];
+  function collectFiles(dir) {
+    const items = fs.readdirSync(dir, { withFileTypes: true });
+    for (const item of items) {
+      const fullPath = path.join(dir, item.name);
+      const relPath = path.relative(cwd, fullPath);
+      if (isProtected(relPath)) continue;
+      if (item.isDirectory() && !item.isSymbolicLink()) {
+        collectFiles(fullPath);
+      } else {
+        filesToMove.push(relPath);
+      }
+    }
+  }
+  collectFiles(cwd);
+
+  if (filesToMove.length === 0) {
+    console.log('\n  Nothing to reset — no non-protected files found.\n');
+    return;
+  }
+
+  const { confirm, isCancel } = await import('@clack/prompts');
+
+  console.log('\n  This will reset your entire project to a fresh thepopebot init state.');
+  console.log(`  ${filesToMove.length} file(s) will be moved to .backups/:\n`);
+  for (const f of filesToMove) {
+    console.log(`    ${f}`);
+  }
+  console.log('\n  Protected (will NOT be touched):');
+  for (const p of PROTECTED_PATHS) {
+    console.log(`    ${p}`);
+  }
+
+  const ok = await confirm({ message: '\nAre you sure? This is the nuclear option.' });
+  if (isCancel(ok) || !ok) {
+    console.log('\n  Cancelled.\n');
+    return;
+  }
+
+  // Move all files to backup
+  const { dir: backupDir, ts } = createBackupDir(cwd);
+
+  for (const relPath of filesToMove) {
+    const fullPath = path.join(cwd, relPath);
+    backupAndRemove(fullPath, relPath, backupDir);
+  }
+
+  // Remove empty directories left behind
+  function removeEmptyDirs(dir) {
+    if (!fs.existsSync(dir)) return;
+    const items = fs.readdirSync(dir, { withFileTypes: true });
+    for (const item of items) {
+      if (item.isDirectory()) {
+        removeEmptyDirs(path.join(dir, item.name));
+      }
+    }
+    const relPath = path.relative(cwd, dir);
+    if (relPath && !isProtected(relPath) && fs.readdirSync(dir).length === 0) {
+      fs.rmdirSync(dir);
+    }
+  }
+  removeEmptyDirs(cwd);
+
+  console.log(`\n  Moved ${filesToMove.length} file(s) to .backups/${ts}/`);
+
+  // Run init to rebuild from templates
+  console.log('\n  Running init to rebuild project...\n');
+  try {
+    execSync('npx thepopebot init --no-install', { stdio: 'inherit', cwd });
+  } catch {
+    console.error('\n  Init failed. Your backup is at .backups/' + ts + '/\n');
+    process.exit(1);
+  }
+
+  // Run npm install separately
+  console.log('\nInstalling dependencies...\n');
+  try {
+    execSync('npm install', { stdio: 'inherit', cwd });
+  } catch {
+    console.error('\n  npm install failed. Your backup is at .backups/' + ts + '/\n');
+    process.exit(1);
+  }
+
+  console.log('\n  Reset complete. Project restored to fresh init state.');
+  console.log(`  Backup: .backups/${ts}/\n`);
+}
+
 function setup() {
   const setupScript = path.join(__dirname, '..', 'setup', 'setup.mjs');
   try {
@@ -490,6 +780,15 @@ function setup() {
   }
 }
 
+function setupSsl() {
+  const setupScript = path.join(__dirname, '..', 'setup', 'setup-ssl.mjs');
+  try {
+    execFileSync(process.execPath, [setupScript], { stdio: 'inherit', cwd: process.cwd() });
+  } catch {
+    process.exit(1);
+  }
+}
+
 function setupTelegram() {
   const setupScript = path.join(__dirname, '..', 'setup', 'setup-telegram.mjs');
   try {
@@ -770,6 +1069,9 @@ switch (command) {
   case 'setup':
     setup();
     break;
+  case 'setup-ssl':
+    setupSsl();
+    break;
   case 'setup-telegram':
     setupTelegram();
     break;
@@ -779,6 +1081,12 @@ switch (command) {
   case 'reset':
     reset(args[0]);
     break;
+  case 'reset-all':
+    await resetAll();
+    break;
+  case 'audit':
+    audit();
+    break;
   case 'diff':
     diff(args[0]);
     break;
@@ -787,8 +1095,15 @@ switch (command) {
     await upgrade();
     break;
   case 'sync': {
-    const { sync } = await import('./sync.js');
-    await sync(args[0]);
+    const fast = args.includes('--fast');
+    const syncArgs = args.filter(a => a !== '--fast');
+    if (fast) {
+      const { syncFast } = await import('./sync.js');
+      await syncFast(syncArgs[0]);
+    } else {
+      const { sync } = await import('./sync.js');
+      await sync(syncArgs[0]);
+    }
     break;
   }
   case 'set-var':

package/bin/docker-build.js

@@ -62,6 +62,11 @@ const CODING_AGENTS = [
     context: 'docker/coding-agent',
     dockerfile: 'docker/coding-agent/Dockerfile.opencode',
   },
+  {
+    name: 'coding-agent-kimi-cli',
+    context: 'docker/coding-agent',
+    dockerfile: 'docker/coding-agent/Dockerfile.kimi-cli',
+  },
 ];
 
 // Non-coding-agent images (independent, built in parallel)

package/bin/managed-paths.js

@@ -4,16 +4,9 @@
 // Paths ending with '/' are directories (all contents are managed).
 export const MANAGED_PATHS = [
   '.github/workflows/',
-
   'docker-compose.yml',
   '.dockerignore',
   '.gitignore',
-  'CLAUDE.md',
-  'config/CLAUDE.md',
-  'skills/CLAUDE.md',
-  'cron/CLAUDE.md',
-  'triggers/CLAUDE.md',
-  'docs/',
 ];
 
 export function isManaged(relPath) {

package/bin/sync.js

@@ -306,6 +306,90 @@ function buildDockerImage(projectPath) {
   }
 }
 
+/**
+ * Fast sync — skip Docker image rebuild entirely.
+ *
+ *   1. Build package JSX (npm run build)
+ *   2. mirrorTemplates() — scaffold using init's managed-path logic
+ *   3. docker cp package source (lib/, api/, config/, package.json) into
+ *      the running container's /app/node_modules/thepopebot/
+ *   4. docker cp web/app/ + web/postcss.config.mjs into container
+ *   5. docker exec next build inside the container (tailwindcss already there)
+ *   6. Clean up copied source from container
+ *   7. docker exec pm2 restart all
+ */
+export async function syncFast(projectPath) {
+  if (!projectPath) {
+    console.error('\n  Usage: thepopebot sync --fast <path-to-project>\n');
+    process.exit(1);
+  }
+
+  projectPath = path.resolve(projectPath);
+
+  if (!fs.existsSync(path.join(projectPath, 'package.json'))) {
+    console.error(`\n  Not a project directory (no package.json): ${projectPath}\n`);
+    process.exit(1);
+  }
+
+  // 1. Build JSX
+  console.log('\n  Building package...');
+  execSync('npm run build', { stdio: 'inherit', cwd: PACKAGE_DIR });
+
+  // 2. Mirror templates
+  console.log('\n  Mirroring templates...');
+  mirrorTemplates(projectPath);
+
+  // 3. Get running container ID
+  const container = execSync('docker compose ps -q event-handler', {
+    encoding: 'utf8',
+    cwd: projectPath,
+  }).trim();
+
+  if (!container) {
+    console.error('\n  event-handler container is not running. Use full sync instead.\n');
+    process.exit(1);
+  }
+
+  // 4. Copy package source into container's node_modules/thepopebot/
+  const PKG_DEST = '/app/node_modules/thepopebot';
+  const PACKAGE_DIRS = ['lib', 'api', 'config'];
+
+  console.log('\n  Copying package source into container...');
+  for (const dir of PACKAGE_DIRS) {
+    execSync(`docker exec ${container} rm -rf ${PKG_DEST}/${dir}`, { stdio: 'inherit' });
+    execSync(`docker cp ${path.join(PACKAGE_DIR, dir)} ${container}:${PKG_DEST}/${dir}`, { stdio: 'inherit' });
+  }
+  // Also copy package.json for exports resolution
+  execSync(`docker cp ${path.join(PACKAGE_DIR, 'package.json')} ${container}:${PKG_DEST}/package.json`, { stdio: 'inherit' });
+
+  // 5. Copy web/app/ source into container for next build
+  const webDir = path.join(PACKAGE_DIR, 'web');
+  console.log('\n  Copying web source into container...');
+  execSync(`docker cp ${path.join(webDir, 'app')} ${container}:/app/app`, { stdio: 'inherit' });
+  execSync(`docker cp ${path.join(webDir, 'postcss.config.mjs')} ${container}:/app/postcss.config.mjs`, { stdio: 'inherit' });
+  execSync(`docker cp ${path.join(webDir, 'next.config.mjs')} ${container}:/app/next.config.mjs`, { stdio: 'inherit' });
+
+  // 6. Run next build inside the container
+  // Hide data/logs dirs so webpack's FileSystemInfo doesn't crawl them (causes OOM/RangeError
+  // when workspaces contain thousands of files). Restored immediately after build.
+  console.log('\n  Building Next.js inside container...');
+  execSync(`docker exec ${container} sh -c 'mv /app/data /app/.data-build-tmp 2>/dev/null; mv /app/logs /app/.logs-build-tmp 2>/dev/null; true'`, { stdio: 'inherit' });
+  try {
+    execSync(`docker exec ${container} ./node_modules/.bin/next build`, { stdio: 'inherit' });
+  } finally {
+    execSync(`docker exec ${container} sh -c 'mv /app/.data-build-tmp /app/data 2>/dev/null; mv /app/.logs-build-tmp /app/logs 2>/dev/null; true'`, { stdio: 'inherit' });
+  }
+
+  // 7. Clean up web source from container (not needed at runtime)
+  execSync(`docker exec ${container} rm -rf /app/app`, { stdio: 'inherit' });
+
+  // 8. Restart PM2
+  console.log('\n  Restarting server...');
+  execSync(`docker exec ${container} pm2 restart all`, { stdio: 'inherit' });
+
+  console.log('\n  Fast synced!\n');
+}
+
 export async function sync(projectPath) {
   if (!projectPath) {
     console.error('\n  Usage: thepopebot sync <path-to-project>\n');