thepopebot 1.2.75-beta.4 → 1.2.75-beta.6

package/lib/ai/tools.js

@@ -54,6 +54,9 @@ const agentChatCodingTool = tool(
       const codingAgent = getConfig('CODING_AGENT') || 'claude-code';
       const containerName = `${codingAgent}-headless-${randomUUID().slice(0, 8)}`;
 
+      const { createAgentJobApiKey } = await import('../db/api-keys.js');
+      const { key: agentJobToken } = createAgentJobApiKey(randomUUID());
+
       const { runHeadlessContainer, tailContainerLogs, waitForContainer, removeContainer } = await import('../tools/docker.js');
       await runHeadlessContainer({
         containerName,
@@ -64,6 +67,7 @@ const agentChatCodingTool = tool(
         taskPrompt: prompt,
         mode,
         injectSecrets: true,
+        agentJobToken,
       });
 
       const streamCallback = runtime.configurable.streamCallback;

package/lib/chat/actions.js

@@ -1270,7 +1270,7 @@ export async function initiateOAuthFlow({ secretName, clientId, clientSecret, to
   try {
     const { createOAuthState } = await import('../oauth/helper.js');
     const redirectUri = `${process.env.AUTH_URL}/api/oauth/callback`;
-    const state = createOAuthState({ secretName, clientId, clientSecret, tokenUrl, secretType: secretType || 'agent_job_secret', returnPath: returnPath || '/admin/event-handler/agent-jobs' });
+    const state = createOAuthState({ secretName, clientId, clientSecret, tokenUrl, secretType: secretType || 'agent_job_secret', returnPath: returnPath || '/admin/event-handler/agent-secrets' });
     return { state, redirectUri };
   } catch (err) {
     console.error('Failed to initiate OAuth flow:', err);
@@ -1278,6 +1278,21 @@ export async function initiateOAuthFlow({ secretName, clientId, clientSecret, to
   }
 }
 
+/**
+ * Get stored OAuth credentials for an agent job secret (for re-authorization pre-fill).
+ * @param {string} name
+ */
+export async function getOAuthSecretCredentials(name) {
+  await requireAuth();
+  try {
+    const { getAgentJobSecretOAuthCredentials } = await import('../db/config.js');
+    return getAgentJobSecretOAuthCredentials(name) || { error: 'Not an OAuth secret' };
+  } catch (err) {
+    console.error('Failed to get OAuth credentials:', err);
+    return { error: 'Failed to get credentials' };
+  }
+}
+
 /**
  * Delete an agent job secret.
  * @param {string} name

package/lib/chat/components/chat-header.js

@@ -30,6 +30,7 @@ function ChatHeader({ chatId: chatIdProp, workspaceId }) {
           setStarred(data.starred || 0);
           setResolvedChatId(data.chatId);
           if (data.chatMode) setChatMode(data.chatMode);
+          document.title = data.title;
         }
       }).catch(() => {
       });
@@ -41,6 +42,7 @@ function ChatHeader({ chatId: chatIdProp, workspaceId }) {
         setTitle(data.title);
         setStarred(data.starred || 0);
         if (data.chatMode) setChatMode(data.chatMode);
+        document.title = data.title;
       }
     }).catch(() => {
     });
@@ -51,6 +53,7 @@ function ChatHeader({ chatId: chatIdProp, workspaceId }) {
       if (e.detail.chatId === chatId) {
         setTitle(e.detail.title);
         if (e.detail.chatMode) setChatMode(e.detail.chatMode);
+        document.title = e.detail.title;
       }
     };
     const starHandler = (e) => {
@@ -63,6 +66,7 @@ function ChatHeader({ chatId: chatIdProp, workspaceId }) {
     return () => {
       window.removeEventListener("chatTitleUpdated", titleHandler);
       window.removeEventListener("chatStarUpdated", starHandler);
+      document.title = "ThePopeBot";
     };
   }, [fetchMeta, chatId]);
   useEffect(() => {

package/lib/chat/components/chat-header.jsx

@@ -38,6 +38,7 @@ export function ChatHeader({ chatId: chatIdProp, workspaceId }) {
             setStarred(data.starred || 0);
             setResolvedChatId(data.chatId);
             if (data.chatMode) setChatMode(data.chatMode);
+            document.title = data.title;
           }
         })
         .catch(() => {});
@@ -51,6 +52,7 @@ export function ChatHeader({ chatId: chatIdProp, workspaceId }) {
           setTitle(data.title);
           setStarred(data.starred || 0);
           if (data.chatMode) setChatMode(data.chatMode);
+          document.title = data.title;
         }
       })
       .catch(() => {});
@@ -62,6 +64,7 @@ export function ChatHeader({ chatId: chatIdProp, workspaceId }) {
       if (e.detail.chatId === chatId) {
         setTitle(e.detail.title);
         if (e.detail.chatMode) setChatMode(e.detail.chatMode);
+        document.title = e.detail.title;
       }
     };
     const starHandler = (e) => {
@@ -74,6 +77,7 @@ export function ChatHeader({ chatId: chatIdProp, workspaceId }) {
     return () => {
       window.removeEventListener('chatTitleUpdated', titleHandler);
       window.removeEventListener('chatStarUpdated', starHandler);
+      document.title = 'ThePopeBot';
     };
   }, [fetchMeta, chatId]);
 

package/lib/chat/components/settings-jobs-page.js

@@ -8,7 +8,8 @@ import {
   getAgentJobSecrets,
   updateAgentJobSecret,
   deleteAgentJobSecretAction,
-  initiateOAuthFlow
+  initiateOAuthFlow,
+  getOAuthSecretCredentials
 } from "../actions.js";
 function buildProviderOptions() {
   const options = [];
@@ -170,6 +171,16 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess, editingSecret
       setCopied(false);
       setRedirectUri(`${window.location.origin}/api/oauth/callback`);
       if (!editingSecret) setTimeout(() => nameRef.current?.focus(), 50);
+      if (editingSecret?.key) {
+        getOAuthSecretCredentials(editingSecret.key).then((creds) => {
+          if (creds && !creds.error) {
+            setClientId(creds.clientId);
+            setClientSecret(creds.clientSecret);
+            const match = PROVIDER_OPTIONS.find((o) => o.tokenUrl === creds.tokenUrl);
+            if (match) setSelectedOption(match.id);
+          }
+        });
+      }
     }
     return () => {
       if (timeoutRef.current) clearTimeout(timeoutRef.current);
@@ -236,7 +247,7 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess, editingSecret
       tokenUrl: opt.tokenUrl,
       scopes,
       secretType: "agent_job_secret",
-      returnPath: "/admin/event-handler/agent-jobs"
+      returnPath: "/admin/event-handler/agent-secrets"
     });
     if (result?.error) {
       setError(result.error);

package/lib/chat/components/settings-jobs-page.jsx

@@ -9,6 +9,7 @@ import {
   updateAgentJobSecret,
   deleteAgentJobSecretAction,
   initiateOAuthFlow,
+  getOAuthSecretCredentials,
 } from '../actions.js';
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -225,6 +226,19 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess, editingSecret
       setCopied(false);
       setRedirectUri(`${window.location.origin}/api/oauth/callback`);
       if (!editingSecret) setTimeout(() => nameRef.current?.focus(), 50);
+
+      // Pre-fill OAuth credentials from stored secret
+      if (editingSecret?.key) {
+        getOAuthSecretCredentials(editingSecret.key).then((creds) => {
+          if (creds && !creds.error) {
+            setClientId(creds.clientId);
+            setClientSecret(creds.clientSecret);
+            // Auto-select provider by matching tokenUrl
+            const match = PROVIDER_OPTIONS.find((o) => o.tokenUrl === creds.tokenUrl);
+            if (match) setSelectedOption(match.id);
+          }
+        });
+      }
     }
     return () => {
       if (timeoutRef.current) clearTimeout(timeoutRef.current);
@@ -306,7 +320,7 @@ function AddSecretDialog({ open, onAdd, onCancel, onOAuthSuccess, editingSecret
       tokenUrl: opt.tokenUrl,
       scopes,
       secretType: 'agent_job_secret',
-      returnPath: '/admin/event-handler/agent-jobs',
+      returnPath: '/admin/event-handler/agent-secrets',
     });
 
     if (result?.error) {

package/lib/chat/components/settings-secrets-layout.js

@@ -30,7 +30,7 @@ const EVENT_HANDLER_TABS = [
   { id: "llms", label: "LLMs", href: "/admin/event-handler/llms" },
   { id: "chat", label: "Chat", href: "/admin/event-handler/chat" },
   { id: "coding-agents", label: "Coding Agents", href: "/admin/event-handler/coding-agents" },
-  { id: "agent-jobs", label: "Agent Jobs", href: "/admin/event-handler/agent-jobs" },
+  { id: "agent-secrets", label: "Agent Secrets", href: "/admin/event-handler/agent-secrets" },
   { id: "webhooks", label: "Webhooks", href: "/admin/event-handler/webhooks" },
   { id: "telegram", label: "Telegram", href: "/admin/event-handler/telegram" },
   { id: "voice", label: "Voice", href: "/admin/event-handler/voice" }

package/lib/chat/components/settings-secrets-layout.jsx

@@ -52,7 +52,7 @@ const EVENT_HANDLER_TABS = [
   { id: 'llms', label: 'LLMs', href: '/admin/event-handler/llms' },
   { id: 'chat', label: 'Chat', href: '/admin/event-handler/chat' },
   { id: 'coding-agents', label: 'Coding Agents', href: '/admin/event-handler/coding-agents' },
-  { id: 'agent-jobs', label: 'Agent Jobs', href: '/admin/event-handler/agent-jobs' },
+  { id: 'agent-secrets', label: 'Agent Secrets', href: '/admin/event-handler/agent-secrets' },
   { id: 'webhooks', label: 'Webhooks', href: '/admin/event-handler/webhooks' },
   { id: 'telegram', label: 'Telegram', href: '/admin/event-handler/telegram' },
   { id: 'voice', label: 'Voice', href: '/admin/event-handler/voice' },

package/lib/code/actions.js

@@ -138,6 +138,12 @@ export async function ensureCodeWorkspaceContainer(id) {
   const chat = getChatByWorkspaceId(id);
   const injectSecrets = chat?.chatMode === 'agent';
 
+  let agentJobToken;
+  if (injectSecrets) {
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    ({ key: agentJobToken } = createAgentJobApiKey(id));
+  }
+
   try {
     const { inspectContainer, startContainer, removeContainer, runInteractiveContainer } =
       await import('../tools/docker.js');
@@ -153,6 +159,7 @@ export async function ensureCodeWorkspaceContainer(id) {
         featureBranch: workspace.featureBranch,
         workspaceId: id,
         injectSecrets,
+        agentJobToken,
       });
       return { status: 'created' };
     }
@@ -181,6 +188,7 @@ export async function ensureCodeWorkspaceContainer(id) {
       featureBranch: workspace.featureBranch,
       workspaceId: id,
       injectSecrets,
+      agentJobToken,
     });
     return { status: 'created' };
   } catch (err) {
@@ -209,6 +217,12 @@ export async function startInteractiveMode(id) {
   const chat = getChatByWorkspaceId(id);
   const injectSecrets = chat?.chatMode === 'agent';
 
+  let agentJobToken;
+  if (injectSecrets) {
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    ({ key: agentJobToken } = createAgentJobApiKey(id));
+  }
+
   try {
     const { getConfig } = await import('../config.js');
     const agent = getConfig('CODING_AGENT') || 'claude-code';
@@ -223,6 +237,7 @@ export async function startInteractiveMode(id) {
       featureBranch: workspace.featureBranch,
       workspaceId: id,
       injectSecrets,
+      agentJobToken,
     });
 
     updateContainerName(id, containerName);
@@ -543,13 +558,21 @@ export async function getWorkspaceDiffStats(id, authenticatedUser) {
     const { execSync } = await import('child_process');
     const opts = { cwd: repoPath, encoding: 'utf8', timeout: 5000 };
 
-    const featureBranch = workspace.featureBranch || workspace.branch || 'main';
     const baseBranch = workspace.branch || 'main';
-    let diffRef;
+    let currentBranch;
     try {
-      execSync(`git -c safe.directory='*' rev-parse --verify origin/${featureBranch} 2>/dev/null`, opts);
-      diffRef = `origin/${featureBranch}`;
-    } catch {
+      const detected = execSync(`git -c safe.directory='*' rev-parse --abbrev-ref HEAD`, opts).trim();
+      currentBranch = (detected && detected !== 'HEAD') ? detected : null;
+    } catch { /* leave null */ }
+    let diffRef;
+    if (currentBranch) {
+      try {
+        execSync(`git -c safe.directory='*' rev-parse --verify origin/${currentBranch} 2>/dev/null`, opts);
+        diffRef = `origin/${currentBranch}`;
+      } catch {
+        diffRef = `origin/${baseBranch}`;
+      }
+    } else {
       diffRef = `origin/${baseBranch}`;
     }
 
@@ -618,13 +641,21 @@ export async function getWorkspaceDiffFull(id, authenticatedUser) {
     const { execSync } = await import('child_process');
     const opts = { cwd: repoPath, encoding: 'utf8', timeout: 10000 };
 
-    const featureBranch = workspace.featureBranch || workspace.branch || 'main';
     const baseBranch = workspace.branch || 'main';
-    let diffRef;
+    let currentBranch;
     try {
-      execSync(`git -c safe.directory='*' rev-parse --verify origin/${featureBranch} 2>/dev/null`, opts);
-      diffRef = `origin/${featureBranch}`;
-    } catch {
+      const detected = execSync(`git -c safe.directory='*' rev-parse --abbrev-ref HEAD`, opts).trim();
+      currentBranch = (detected && detected !== 'HEAD') ? detected : null;
+    } catch { /* leave null */ }
+    let diffRef;
+    if (currentBranch) {
+      try {
+        execSync(`git -c safe.directory='*' rev-parse --verify origin/${currentBranch} 2>/dev/null`, opts);
+        diffRef = `origin/${currentBranch}`;
+      } catch {
+        diffRef = `origin/${baseBranch}`;
+      }
+    } else {
       diffRef = `origin/${baseBranch}`;
     }
 

package/lib/code/port-forwards.js

@@ -143,6 +143,9 @@ function writeTraefikConfig() {
     if (sslDomain) {
       lines.push('      tls:');
       lines.push('        certResolver: letsencrypt');
+      lines.push('        domains:');
+      lines.push(`          - main: ${sslDomain}`);
+      lines.push(`            sans: "*.${sslDomain}"`);
     }
     lines.push(`      service: ${key}`);
   }

package/lib/db/config.js

@@ -254,6 +254,29 @@ export function setAgentJobSecret(key, value, userId) {
     .run();
 }
 
+/**
+ * Get OAuth credentials stored with an agent job secret.
+ * Returns { clientId, clientSecret, tokenUrl } if the secret is oauth2, null otherwise.
+ * @param {string} key
+ */
+export function getAgentJobSecretOAuthCredentials(key) {
+  const db = getDb();
+  const row = db
+    .select({ value: settings.value })
+    .from(settings)
+    .where(and(eq(settings.type, 'agent_job_secret'), eq(settings.key, key)))
+    .get();
+  if (!row) return null;
+  try {
+    const decrypted = decrypt(JSON.parse(row.value));
+    const parsed = JSON.parse(decrypted);
+    if (parsed.type === 'oauth2' && parsed.clientId && parsed.clientSecret) {
+      return { clientId: parsed.clientId, clientSecret: parsed.clientSecret, tokenUrl: parsed.tokenUrl };
+    }
+  } catch {}
+  return null;
+}
+
 /**
  * Delete an agent job secret.
  * @param {string} key

package/lib/maintenance.js

@@ -24,12 +24,19 @@ function cleanExpiredAgentJobKeys() {
       }
       invalidateApiKeyCache();
       console.log(`[maintenance] Deleted ${expiredIds.length} expired agent job key(s)`);
+    } else {
+      console.log(`[maintenance] No expired agent job keys (${rows.length} active)`);
     }
   } catch (err) {
     console.error('[maintenance] cleanExpiredAgentJobKeys failed:', err);
   }
 }
 
+function runMaintenance() {
+  console.log('[maintenance] Running maintenance...');
+  cleanExpiredAgentJobKeys();
+}
+
 export function startMaintenanceCron() {
-  cron.schedule('0 * * * *', cleanExpiredAgentJobKeys);
+  cron.schedule('0 * * * *', runMaintenance);
 }

package/lib/tools/docker.js

@@ -196,7 +196,7 @@ async function runContainer({ containerName, image, env = [], workingDir, hostCo
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets, continueSession = true }) {
+async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets, agentJobToken, continueSession = true }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -234,6 +234,11 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
     if (jobSecrets.length > 0) {
       env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
     }
+    if (agentJobToken) {
+      env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+      const appUrl = getConfig('APP_URL');
+      if (appUrl) env.push(`APP_URL=${appUrl}`);
+    }
   }
 
   const hostConfig = {};
@@ -394,7 +399,7 @@ function buildAgentAuthEnv(agent) {
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession = true, injectSecrets }) {
+async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession = true, injectSecrets, agentJobToken }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -441,6 +446,11 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
     if (jobSecrets.length > 0) {
       env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
     }
+    if (agentJobToken) {
+      env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+      const appUrl = getConfig('APP_URL');
+      if (appUrl) env.push(`APP_URL=${appUrl}`);
+    }
   }
 
   const hostConfig = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.75-beta.4",
+  "version": "1.2.75-beta.6",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/setup/setup-ssl.mjs

@@ -5,9 +5,12 @@
  *
  * Prompts for domain, DNS provider, API credentials, and server address.
  * Creates the wildcard DNS record via the provider's API.
- * Writes all config to .env and switches COMPOSE_FILE to docker-compose.custom.yml.
+ * Writes SSL config to .env, DNS provider credentials to .env.traefik,
+ * and switches COMPOSE_FILE to docker-compose.custom.yml.
  */
 
+import fs from 'fs';
+import path from 'path';
 import * as clack from '@clack/prompts';
 import { updateEnvVariable } from './lib/auth.mjs';
 import { loadEnvFile } from './lib/env.mjs';
@@ -299,17 +302,21 @@ async function main() {
   updateEnvVariable('SSL_DOMAIN', domain);
   updateEnvVariable('SSL_EMAIL', email);
   updateEnvVariable('SSL_DNS_PROVIDER', provider.traefikName);
-  updateEnvVariable('APP_HOSTNAME', domain);
 
-  // Write provider-specific credentials (standard names — Traefik reads them directly)
-  for (const envVar of provider.envVars) {
-    updateEnvVariable(envVar.key, credentials[envVar.key]);
+  // Set APP_HOSTNAME only if not already set (don't overwrite existing webhook hostname)
+  if (!env.APP_HOSTNAME) {
+    updateEnvVariable('APP_HOSTNAME', domain);
   }
 
+  // Write DNS provider credentials to .env.traefik (Traefik-only, not leaked to other services)
+  const traefikEnvPath = path.join(process.cwd(), '.env.traefik');
+  const traefikLines = provider.envVars.map((v) => `${v.key}=${credentials[v.key]}`);
+  fs.writeFileSync(traefikEnvPath, traefikLines.join('\n') + '\n');
+
   // Switch to custom compose file
   updateEnvVariable('COMPOSE_FILE', 'docker-compose.custom.yml');
 
-  s.stop('Configuration saved to .env');
+  s.stop('Configuration saved to .env and .env.traefik');
 
   // ── Summary ────────────────────────────────────────────────────────
   clack.log.success(

package/templates/.gitignore.template

@@ -1,6 +1,7 @@
 # Credentials - NEVER commit these
 .env
 .env.local
+.env.traefik
 *.pem
 *.key
 

package/templates/docker-compose.custom.yml

@@ -8,7 +8,9 @@
 #   SSL_DOMAIN          — your domain (e.g., bot.example.com)
 #   SSL_EMAIL           — email for Let's Encrypt notifications
 #   SSL_DNS_PROVIDER    — Traefik DNS provider name (e.g., cloudflare)
-#   Provider API creds  — standard env var names (e.g., CF_DNS_API_TOKEN for Cloudflare)
+#
+# DNS provider API credentials are stored in .env.traefik (created by setup-ssl).
+# Only this file is passed to the Traefik container — not the main .env.
 #
 # DNS: *.${SSL_DOMAIN} must resolve to this server (A record or CNAME).
 # The setup-ssl command can create this record for you.
@@ -28,7 +30,7 @@ services:
       - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
       - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${SSL_DNS_PROVIDER}
       - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53,8.8.4.4:53
-    env_file: .env
+    env_file: .env.traefik
     ports:
       - "80:80"
       - "443:443"
@@ -60,6 +62,8 @@ services:
       - traefik.http.routers.event-handler.rule=Host(`${APP_HOSTNAME}`)
       - traefik.http.routers.event-handler.entrypoints=websecure
       - traefik.http.routers.event-handler.tls.certresolver=letsencrypt
+      - traefik.http.routers.event-handler.tls.domains[0].main=${SSL_DOMAIN}
+      - traefik.http.routers.event-handler.tls.domains[0].sans=*.${SSL_DOMAIN}
       - traefik.http.services.event-handler.loadbalancer.server.port=80
     stop_grace_period: 120s
     healthcheck: