thepopebot 1.2.75-beta.2 → 1.2.75-beta.21

package/lib/paths.js

@@ -1,43 +1,6 @@
-import path from 'path';
-
 /**
  * Central path resolver for thepopebot.
  * All paths resolve from process.cwd() (the user's project root).
  */
 
-const PROJECT_ROOT = process.cwd();
-
-export {
-  PROJECT_ROOT,
-};
-
-// config/ files
-export const configDir = path.join(PROJECT_ROOT, 'config');
-export const cronsFile = path.join(PROJECT_ROOT, 'config', 'CRONS.json');
-export const triggersFile = path.join(PROJECT_ROOT, 'config', 'TRIGGERS.json');
-export const agentJobPlanningMd = path.join(PROJECT_ROOT, 'config', 'agent-chat', 'SYSTEM.md');
-export const codePlanningMd = path.join(PROJECT_ROOT, 'config', 'code-chat', 'SYSTEM.md');
-export const agentJobSummaryMd = path.join(PROJECT_ROOT, 'config', 'agent-job', 'SUMMARY.md');
-export const claudeMd = path.join(PROJECT_ROOT, 'CLAUDE.md');
-
-// Skills directory
-export const skillsDir = path.join(PROJECT_ROOT, 'skills');
-
-// Working directories for command-type actions
-export const cronDir = path.join(PROJECT_ROOT, 'cron');
-export const triggersDir = path.join(PROJECT_ROOT, 'triggers');
-
-// Logs
-export const logsDir = path.join(PROJECT_ROOT, 'logs');
-
-// Database
-export const thepopebotDb = process.env.DATABASE_PATH || path.join(PROJECT_ROOT, 'data', 'db', 'thepopebot.sqlite');
-
-// Cluster data (bind-mount root for cluster containers)
-export const clusterDataDir = process.env.CLUSTER_DATA_PATH || path.join(PROJECT_ROOT, 'data', 'clusters');
-
-// Code workspace data (bind-mount root for workspace containers)
-export const workspacesDir = path.join(PROJECT_ROOT, 'data', 'workspaces');
-
-// .env
-export const envFile = path.join(PROJECT_ROOT, '.env');
+export const PROJECT_ROOT = process.cwd();

package/lib/tools/create-agent-job.js

@@ -3,8 +3,6 @@ import { z } from 'zod';
 import { githubApi } from './github.js';
 import { createModel } from '../ai/model.js';
 import { getConfig } from '../config.js';
-import { createAgentJobApiKey } from '../db/api-keys.js';
-
 /**
  * Generate a short descriptive title for an agent job using the LLM.
  * Uses structured output to avoid thinking-token leaks with extended-thinking models.
@@ -93,7 +91,6 @@ async function createAgentJob(agentJobDescription, options = {}) {
 
   // 6. Launch Docker container locally (fire-and-forget with async cleanup)
   const repoSlug = `${GH_OWNER}/${GH_REPO}`;
-  const { key: agentJobToken } = createAgentJobApiKey(agentJobId);
   launchAgentJobContainer({
     agentJobId,
     repo: repoSlug,
@@ -102,7 +99,6 @@ async function createAgentJob(agentJobDescription, options = {}) {
     description: agentJobDescription,
     codingAgent: options.agentBackend,
     llmModel: options.llmModel,
-    agentJobToken,
   }).catch(err => {
     console.error(`[agent-job] Failed to launch container for ${agentJobId}:`, err.message);
   });

package/lib/tools/docker.js

@@ -4,7 +4,9 @@ import path from 'path';
 import { getConfig } from '../config.js';
 import { getCustomProvider } from '../db/config.js';
 import { BUILTIN_PROVIDERS } from '../llm-providers.js';
-import { workspacesDir } from '../paths.js';
+import { PROJECT_ROOT } from '../paths.js';
+
+const workspacesDir = path.join(PROJECT_ROOT, 'data/workspaces');
 
 // UID/GID of the coding-agent user inside agent containers (pinned in Dockerfile)
 const CODING_AGENT_UID = 1001;
@@ -231,9 +233,12 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
         env.push(`${key}=${value}`);
       }
     }
-    if (jobSecrets.length > 0) {
-      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-    }
+    // Create per-container API key for agent-secrets access
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    const { key: agentJobToken } = createAgentJobApiKey(containerName);
+    env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+    const appUrl = getConfig('APP_URL');
+    if (appUrl) env.push(`APP_URL=${appUrl}`);
   }
 
   const hostConfig = {};
@@ -334,9 +339,9 @@ function buildAgentAuthEnv(agent) {
         }
       }
     }
-  } else if (agent === 'pi-coding-agent' || agent === 'opencode') {
-    // Pi and OpenCode share the same multi-provider auth pattern
-    const configPrefix = agent === 'opencode' ? 'CODING_AGENT_OPENCODE' : 'CODING_AGENT_PI';
+  } else if (agent === 'pi-coding-agent' || agent === 'opencode' || agent === 'kimi-cli') {
+    // Pi, OpenCode, and Kimi share the same multi-provider auth pattern
+    const configPrefix = agent === 'opencode' ? 'CODING_AGENT_OPENCODE' : agent === 'kimi-cli' ? 'CODING_AGENT_KIMI_CLI' : 'CODING_AGENT_PI';
     const provider = getConfig(`${configPrefix}_PROVIDER`) || 'anthropic';
     backendApi = provider;
     const model = getConfig(`${configPrefix}_MODEL`);
@@ -438,9 +443,12 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
         env.push(`${key}=${value}`);
       }
     }
-    if (jobSecrets.length > 0) {
-      env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-    }
+    // Create per-container API key for agent-secrets access
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    const { key: agentJobToken } = createAgentJobApiKey(containerName);
+    env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+    const appUrl = getConfig('APP_URL');
+    if (appUrl) env.push(`APP_URL=${appUrl}`);
   }
 
   const hostConfig = {};
@@ -851,7 +859,7 @@ async function removeVolume(name) {
  * @param {string} [options.llmModel] - Model override
  * @returns {Promise<{containerId: string, containerName: string, volumeName: string}>}
  */
-async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel, agentJobToken }) {
+async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -889,8 +897,10 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
   const appUrl = getConfig('APP_URL');
   if (appUrl) env.push(`APP_URL=${appUrl}`);
 
-  // Inject per-job API token for agent-secrets skill
-  if (agentJobToken) env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+  // Create per-container API key for agent-secrets access
+  const { createAgentJobApiKey } = await import('../db/api-keys.js');
+  const { key: agentJobToken } = createAgentJobApiKey(containerName);
+  env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
 
   // Inject agent job secrets (plain secrets as env vars; oauth types are null — agent must fetch via get)
   const { getAllAgentJobSecrets } = await import('../db/config.js');
@@ -900,9 +910,6 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
       env.push(`${key}=${value}`);
     }
   }
-  if (jobSecrets.length > 0) {
-    env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
-  }
 
   console.log(`[agent-job] id=${shortId} agent=${agent} image=${image} backendApi=${backendApi}`);
 

package/lib/triggers.js

@@ -1,5 +1,6 @@
 import fs from 'fs';
-import { triggersFile, triggersDir } from './paths.js';
+import path from 'path';
+import { PROJECT_ROOT } from './paths.js';
 import { executeAction } from './actions.js';
 
 /**
@@ -29,7 +30,7 @@ async function executeActions(trigger, context) {
       const resolved = { ...action };
       if (resolved.command) resolved.command = resolveTemplate(resolved.command, context);
       if (resolved.job) resolved.job = resolveTemplate(resolved.job, context);
-      const result = await executeAction(resolved, { cwd: triggersDir, data: context.body });
+      const result = await executeAction(resolved, { cwd: PROJECT_ROOT, data: context.body });
       console.log(`[TRIGGER] ${trigger.name}: ${result || 'ran'}`);
     } catch (err) {
       console.error(`[TRIGGER] ${trigger.name}: error - ${err.message}`);
@@ -42,7 +43,7 @@ async function executeActions(trigger, context) {
  * @returns {{ triggerMap: Map, fireTriggers: Function }}
  */
 function loadTriggers() {
-  const triggerFile = triggersFile;
+  const triggerFile = path.join(PROJECT_ROOT, 'event-handler/TRIGGERS.json');
   const triggerMap = new Map();
 
   console.log('\n--- Triggers ---');

package/lib/utils/render-md.js

@@ -1,6 +1,8 @@
 import fs from 'fs';
 import path from 'path';
-import { PROJECT_ROOT, skillsDir } from '../paths.js';
+import { PROJECT_ROOT } from '../paths.js';
+
+const skillsDir = path.join(PROJECT_ROOT, 'skills');
 
 const INCLUDE_PATTERN = /\{\{([^}]+\.md)\}\}/g;
 const VARIABLE_PATTERN = /\{\{(datetime|skills)\}\}/gi;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.75-beta.2",
+  "version": "1.2.75-beta.21",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {
@@ -15,6 +15,7 @@
     "./auth/actions": "./lib/auth/actions.js",
     "./chat/api": "./lib/chat/api.js",
     "./db": "./lib/db/index.js",
+    "./db/chats": "./lib/db/chats.js",
     "./db/oauth-tokens": "./lib/db/oauth-tokens.js",
     "./chat": "./lib/chat/components/index.js",
     "./chat/actions": "./lib/chat/actions.js",

package/setup/setup-ssl.mjs

@@ -0,0 +1,414 @@
+#!/usr/bin/env node
+
+/**
+ * Interactive SSL setup — configures Let's Encrypt wildcard cert via Traefik DNS challenge.
+ *
+ * Prompts for domain, DNS provider, API credentials, and server address.
+ * Creates the wildcard DNS record via the provider's API.
+ * Writes SSL config to .env, DNS provider credentials to .env.traefik,
+ * and switches COMPOSE_FILE to docker-compose.custom.yml.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import * as clack from '@clack/prompts';
+import { updateEnvVariable } from './lib/auth.mjs';
+import { loadEnvFile } from './lib/env.mjs';
+
+function handleCancel(value) {
+  if (clack.isCancel(value)) {
+    clack.cancel('Setup cancelled.');
+    process.exit(0);
+  }
+  return value;
+}
+
+// DNS providers supported by Traefik's ACME DNS challenge (via lego).
+// Each entry maps to the Traefik provider name and the env vars it expects.
+const DNS_PROVIDERS = {
+  cloudflare: {
+    label: 'Cloudflare',
+    traefikName: 'cloudflare',
+    envVars: [
+      { key: 'CF_DNS_API_TOKEN', label: 'Cloudflare API Token', secret: true },
+    ],
+    apiCreate: createCloudflareRecord,
+    helpUrl: 'https://dash.cloudflare.com/profile/api-tokens',
+    helpSteps: [
+      'Go to your Cloudflare dashboard → Profile → API Tokens',
+      'Click "Create Token"',
+      'Use the "Edit zone DNS" template',
+      'Select the zone (domain) you want to use',
+      'Copy the token',
+    ],
+  },
+  route53: {
+    label: 'AWS Route 53',
+    traefikName: 'route53',
+    envVars: [
+      { key: 'AWS_ACCESS_KEY_ID', label: 'AWS Access Key ID', secret: false },
+      { key: 'AWS_SECRET_ACCESS_KEY', label: 'AWS Secret Access Key', secret: true },
+      { key: 'AWS_REGION', label: 'AWS Region', secret: false, default: 'us-east-1' },
+    ],
+    apiCreate: null, // TODO: implement
+    helpUrl: 'https://console.aws.amazon.com/iam/',
+    helpSteps: [
+      'Create an IAM user with Route53 permissions',
+      'Generate access keys for the user',
+    ],
+  },
+  digitalocean: {
+    label: 'DigitalOcean',
+    traefikName: 'digitalocean',
+    envVars: [
+      { key: 'DO_AUTH_TOKEN', label: 'DigitalOcean API Token', secret: true },
+    ],
+    apiCreate: null, // TODO: implement
+    helpUrl: 'https://cloud.digitalocean.com/account/api/tokens',
+    helpSteps: [
+      'Go to DigitalOcean → API → Tokens',
+      'Generate a new personal access token with read/write scope',
+    ],
+  },
+  namecheap: {
+    label: 'Namecheap',
+    traefikName: 'namecheap',
+    envVars: [
+      { key: 'NAMECHEAP_API_USER', label: 'Namecheap API User', secret: false },
+      { key: 'NAMECHEAP_API_KEY', label: 'Namecheap API Key', secret: true },
+    ],
+    apiCreate: null, // TODO: implement
+    helpUrl: 'https://www.namecheap.com/support/api/intro/',
+    helpSteps: [
+      'Enable API access in your Namecheap account',
+      'Whitelist your server IP',
+      'Copy your API key',
+    ],
+  },
+  godaddy: {
+    label: 'GoDaddy',
+    traefikName: 'godaddy',
+    envVars: [
+      { key: 'GODADDY_API_KEY', label: 'GoDaddy API Key', secret: true },
+      { key: 'GODADDY_API_SECRET', label: 'GoDaddy API Secret', secret: true },
+    ],
+    apiCreate: null, // TODO: implement
+    helpUrl: 'https://developer.godaddy.com/keys',
+    helpSteps: [
+      'Go to GoDaddy Developer Portal → API Keys',
+      'Create a Production key',
+    ],
+  },
+  porkbun: {
+    label: 'Porkbun',
+    traefikName: 'porkbun',
+    envVars: [
+      { key: 'PORKBUN_API_KEY', label: 'Porkbun API Key', secret: true },
+      { key: 'PORKBUN_SECRET_API_KEY', label: 'Porkbun Secret Key', secret: true },
+    ],
+    apiCreate: null, // TODO: implement
+    helpUrl: 'https://porkbun.com/account/api',
+    helpSteps: [
+      'Go to Porkbun → Account → API Access',
+      'Create an API key pair',
+    ],
+  },
+};
+
+async function main() {
+  clack.intro('SSL Setup — Let\'s Encrypt wildcard cert');
+
+  const env = loadEnvFile() || {};
+
+  // ── Domain ──────────────────────────────────────────────────────────
+  const existingDomain = env.SSL_DOMAIN;
+  let domain;
+
+  if (existingDomain) {
+    clack.log.info(`Current domain: ${existingDomain}`);
+    const reconfig = handleCancel(await clack.confirm({
+      message: 'Change domain?',
+      initialValue: false,
+    }));
+    domain = reconfig ? null : existingDomain;
+  }
+
+  if (!domain) {
+    domain = handleCancel(await clack.text({
+      message: 'Enter your domain (e.g., bot.example.com):',
+      placeholder: 'bot.example.com',
+      validate: (input) => {
+        if (!input) return 'Domain is required';
+        if (!input.includes('.')) return 'Enter a valid domain';
+        if (input.startsWith('*.')) return 'Enter the base domain without the wildcard (e.g., bot.example.com)';
+      },
+    }));
+  }
+
+  // ── Email ───────────────────────────────────────────────────────────
+  const existingEmail = env.SSL_EMAIL;
+  let email;
+
+  if (existingEmail) {
+    clack.log.info(`Current email: ${existingEmail}`);
+    const reconfig = handleCancel(await clack.confirm({
+      message: 'Change email?',
+      initialValue: false,
+    }));
+    email = reconfig ? null : existingEmail;
+  }
+
+  if (!email) {
+    email = handleCancel(await clack.text({
+      message: 'Email for Let\'s Encrypt notifications:',
+      validate: (input) => {
+        if (!input) return 'Email is required';
+        if (!input.includes('@')) return 'Enter a valid email';
+      },
+    }));
+  }
+
+  // ── DNS Provider ────────────────────────────────────────────────────
+  const providerKey = handleCancel(await clack.select({
+    message: 'Who manages your DNS?',
+    options: Object.entries(DNS_PROVIDERS).map(([key, p]) => ({
+      label: p.label,
+      value: key,
+    })),
+  }));
+
+  const provider = DNS_PROVIDERS[providerKey];
+
+  // Show help steps for getting the API credentials
+  clack.log.info(
+    `To get your ${provider.label} API credentials:\n` +
+    provider.helpSteps.map((s, i) => `  ${i + 1}. ${s}`).join('\n') +
+    `\n\n  ${provider.helpUrl}`
+  );
+
+  // ── API Credentials ─────────────────────────────────────────────────
+  const credentials = {};
+  for (const envVar of provider.envVars) {
+    const existing = env[envVar.key];
+    if (existing) {
+      const masked = '****' + existing.slice(-4);
+      clack.log.info(`${envVar.label}: ${masked}`);
+      const reconfig = handleCancel(await clack.confirm({
+        message: `Change ${envVar.label}?`,
+        initialValue: false,
+      }));
+      if (!reconfig) {
+        credentials[envVar.key] = existing;
+        continue;
+      }
+    }
+
+    if (envVar.secret) {
+      credentials[envVar.key] = handleCancel(await clack.password({
+        message: `${envVar.label}:`,
+        validate: (input) => {
+          if (!input && !envVar.default) return `${envVar.label} is required`;
+        },
+      }));
+    } else {
+      credentials[envVar.key] = handleCancel(await clack.text({
+        message: `${envVar.label}:`,
+        defaultValue: envVar.default || '',
+        placeholder: envVar.default || '',
+        validate: (input) => {
+          if (!input && !envVar.default) return `${envVar.label} is required`;
+        },
+      }));
+    }
+    credentials[envVar.key] = credentials[envVar.key] || envVar.default;
+  }
+
+  // ── DNS Record Target ──────────────────────────────────────────────
+  const targetType = handleCancel(await clack.select({
+    message: `How should *.${domain} resolve?`,
+    options: [
+      { label: 'IP address (VPS, bare metal, cloud VM)', value: 'A' },
+      { label: 'CNAME (Tailscale hostname, another domain)', value: 'CNAME' },
+    ],
+  }));
+
+  let recordValue;
+  if (targetType === 'A') {
+    // Try to detect public IP
+    let detectedIp;
+    try {
+      const resp = await fetch('https://api.ipify.org');
+      if (resp.ok) detectedIp = (await resp.text()).trim();
+    } catch {}
+
+    recordValue = handleCancel(await clack.text({
+      message: 'Server IP address:',
+      defaultValue: detectedIp || '',
+      placeholder: detectedIp || '203.0.113.10',
+      validate: (input) => {
+        if (!input) return 'IP address is required';
+        if (!/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(input)) return 'Enter a valid IPv4 address';
+      },
+    }));
+  } else {
+    recordValue = handleCancel(await clack.text({
+      message: 'CNAME target (e.g., mybox.tailnet.ts.net):',
+      validate: (input) => {
+        if (!input) return 'CNAME target is required';
+        if (!input.includes('.')) return 'Enter a valid hostname';
+      },
+    }));
+  }
+
+  // ── Create DNS Record ──────────────────────────────────────────────
+  const s = clack.spinner();
+
+  if (provider.apiCreate) {
+    s.start(`Creating *.${domain} ${targetType} record → ${recordValue}`);
+    try {
+      await provider.apiCreate(domain, targetType, recordValue, credentials);
+      s.stop(`Created *.${domain} → ${recordValue}`);
+    } catch (err) {
+      s.stop(`Failed to create DNS record: ${err.message}`);
+      clack.log.warn(
+        `Create this record manually in your ${provider.label} dashboard:\n` +
+        `  Type: ${targetType}\n` +
+        `  Name: *.${domain}\n` +
+        `  Value: ${recordValue}`
+      );
+      const proceed = handleCancel(await clack.confirm({
+        message: 'Continue anyway? (you can create the record manually)',
+        initialValue: true,
+      }));
+      if (!proceed) process.exit(0);
+    }
+  } else {
+    clack.log.warn(
+      `Automatic DNS record creation is not yet supported for ${provider.label}.\n` +
+      `  Create this record in your ${provider.label} dashboard:\n\n` +
+      `  Type: ${targetType}\n` +
+      `  Name: *.${domain}\n` +
+      `  Value: ${recordValue}\n`
+    );
+    handleCancel(await clack.text({
+      message: 'Press enter once you\'ve created the record',
+      defaultValue: '',
+    }));
+  }
+
+  // ── Write .env ─────────────────────────────────────────────────────
+  s.start('Writing configuration to .env');
+
+  updateEnvVariable('SSL_DOMAIN', domain);
+  updateEnvVariable('SSL_EMAIL', email);
+  updateEnvVariable('SSL_DNS_PROVIDER', provider.traefikName);
+
+  // Set APP_HOSTNAME only if not already set (don't overwrite existing webhook hostname)
+  if (!env.APP_HOSTNAME) {
+    updateEnvVariable('APP_HOSTNAME', domain);
+  }
+
+  // Write DNS provider credentials to .env.traefik (Traefik-only, not leaked to other services)
+  const traefikEnvPath = path.join(process.cwd(), '.env.traefik');
+  const traefikLines = provider.envVars.map((v) => `${v.key}=${credentials[v.key]}`);
+  fs.writeFileSync(traefikEnvPath, traefikLines.join('\n') + '\n');
+
+  // Switch to custom compose file
+  updateEnvVariable('COMPOSE_FILE', 'docker-compose.custom.yml');
+
+  s.stop('Configuration saved to .env and .env.traefik');
+
+  // ── Summary ────────────────────────────────────────────────────────
+  clack.log.success(
+    `SSL configured!\n\n` +
+    `  Domain:    ${domain}\n` +
+    `  Wildcard:  *.${domain}\n` +
+    `  Provider:  ${provider.label}\n` +
+    `  Compose:   docker-compose.custom.yml\n\n` +
+    `  Traefik will automatically obtain and renew your wildcard cert.\n\n` +
+    `  Next: restart your containers with \`docker compose up -d\``
+  );
+
+  clack.outro('Done!');
+}
+
+// ── Cloudflare API ─────────────────────────────────────────────────────
+
+async function createCloudflareRecord(domain, type, value, credentials) {
+  const token = credentials.CF_DNS_API_TOKEN;
+
+  // Find the zone — walk up the domain to find the registered zone.
+  // e.g., for "bot.example.com", the zone is "example.com"
+  const parts = domain.split('.');
+  let zoneId;
+  let zoneName;
+
+  for (let i = 0; i < parts.length - 1; i++) {
+    const candidate = parts.slice(i).join('.');
+    const resp = await fetch(`https://api.cloudflare.com/client/v4/zones?name=${candidate}`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    const data = await resp.json();
+    if (data.result?.length > 0) {
+      zoneId = data.result[0].id;
+      zoneName = data.result[0].name;
+      break;
+    }
+  }
+
+  if (!zoneId) {
+    throw new Error(`Could not find a Cloudflare zone for ${domain}. Make sure your domain is added to Cloudflare.`);
+  }
+
+  // Create the wildcard record: *.domain → value
+  const recordName = `*.${domain}`;
+
+  // Check if record already exists
+  const existingResp = await fetch(
+    `https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records?type=${type}&name=${recordName}`,
+    { headers: { Authorization: `Bearer ${token}` } }
+  );
+  const existing = await existingResp.json();
+
+  if (existing.result?.length > 0) {
+    // Update existing record
+    const recordId = existing.result[0].id;
+    const updateResp = await fetch(
+      `https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records/${recordId}`,
+      {
+        method: 'PUT',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ type, name: recordName, content: value, proxied: false }),
+      }
+    );
+    const updateData = await updateResp.json();
+    if (!updateData.success) {
+      throw new Error(updateData.errors?.[0]?.message || 'Failed to update DNS record');
+    }
+  } else {
+    // Create new record
+    const createResp = await fetch(
+      `https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ type, name: recordName, content: value, proxied: false }),
+      }
+    );
+    const createData = await createResp.json();
+    if (!createData.success) {
+      throw new Error(createData.errors?.[0]?.message || 'Failed to create DNS record');
+    }
+  }
+}
+
+main().catch((err) => {
+  clack.log.error(err.message);
+  process.exit(1);
+});

package/templates/.github/workflows/rebuild-event-handler.yml

@@ -48,6 +48,9 @@ jobs:
                 cd /project && npx --yes thepopebot@latest init --no-install
               fi
 
+              # Install the new version into node_modules so local CLI stays current
+              cd /project && npm install
+
               # Commit any template changes from init
               git -C /project add -A
               if ! git -C /project diff --cached --quiet; then

package/templates/.github/workflows/upgrade-event-handler.yml

@@ -53,7 +53,7 @@ jobs:
               git commit -m "chore: upgrade thepopebot to $NEW_VERSION"
               git push origin "$BRANCH"
               gh pr create --title "chore: upgrade thepopebot" --body "Automated upgrade via upgrade-event-handler workflow." --base main --head "$BRANCH"
-              gh pr merge "$BRANCH" --squash --auto --delete-branch
+              gh pr merge "$BRANCH" --squash --delete-branch
             else
               echo "No changes — thepopebot is already up to date."
             fi

package/templates/.gitignore.template

@@ -1,20 +1,24 @@
 # Credentials - NEVER commit these
 .env
 .env.local
+.env.traefik
 *.pem
 *.key
 
 # Claude Code
 .claude/*
 
+# Playwright MCP
+.playwright-mcp/
+
 # Pi system prompt (generated at runtime from SOUL.md)
 .pi/SYSTEM.md
 
-# Skills dependencies (installed at runtime in Docker for correct arch)
-skills/*/node_modules/
+# Dynamically activated skills (created at container runtime, not user config)
+skills/active/agent-job-secrets
 
 # Database
-data/
+/data/
 
 # Node
 node_modules/

package/templates/.tmp/CLAUDE.md.template

@@ -0,0 +1,5 @@
+# .tmp/ — Scratch Directory
+
+Temporary working files — downloads, screenshots, snapshots, intermediate data, generated files. This directory is gitignored and nothing here gets committed.
+
+Playwright MCP saves screenshots and snapshots here. Other tools and scripts should use this directory for any transient output that doesn't belong in the repo.