thepopebot 1.2.75-beta.6 → 1.2.75-beta.7

package/config/instrumentation.js

@@ -70,9 +70,9 @@ export async function register() {
   const { startClusterRuntime } = await import('../lib/cluster/runtime.js');
   startClusterRuntime();
 
-  // Start internal maintenance cron (cleanup expired agent job keys, etc.)
-  const { startMaintenanceCron } = await import('../lib/maintenance.js');
-  startMaintenanceCron();
+  // Maintenance cron disabled — agent job key cleanup will be redesigned
+  // const { startMaintenanceCron } = await import('../lib/maintenance.js');
+  // startMaintenanceCron();
 
   console.log('thepopebot initialized');
 }

package/lib/ai/tools.js

@@ -54,9 +54,6 @@ const agentChatCodingTool = tool(
       const codingAgent = getConfig('CODING_AGENT') || 'claude-code';
       const containerName = `${codingAgent}-headless-${randomUUID().slice(0, 8)}`;
 
-      const { createAgentJobApiKey } = await import('../db/api-keys.js');
-      const { key: agentJobToken } = createAgentJobApiKey(randomUUID());
-
       const { runHeadlessContainer, tailContainerLogs, waitForContainer, removeContainer } = await import('../tools/docker.js');
       await runHeadlessContainer({
         containerName,
@@ -67,7 +64,6 @@ const agentChatCodingTool = tool(
         taskPrompt: prompt,
         mode,
         injectSecrets: true,
-        agentJobToken,
       });
 
       const streamCallback = runtime.configurable.streamCallback;

package/lib/code/actions.js

@@ -138,12 +138,6 @@ export async function ensureCodeWorkspaceContainer(id) {
   const chat = getChatByWorkspaceId(id);
   const injectSecrets = chat?.chatMode === 'agent';
 
-  let agentJobToken;
-  if (injectSecrets) {
-    const { createAgentJobApiKey } = await import('../db/api-keys.js');
-    ({ key: agentJobToken } = createAgentJobApiKey(id));
-  }
-
   try {
     const { inspectContainer, startContainer, removeContainer, runInteractiveContainer } =
       await import('../tools/docker.js');
@@ -159,7 +153,6 @@ export async function ensureCodeWorkspaceContainer(id) {
         featureBranch: workspace.featureBranch,
         workspaceId: id,
         injectSecrets,
-        agentJobToken,
       });
       return { status: 'created' };
     }
@@ -188,7 +181,6 @@ export async function ensureCodeWorkspaceContainer(id) {
       featureBranch: workspace.featureBranch,
       workspaceId: id,
       injectSecrets,
-      agentJobToken,
     });
     return { status: 'created' };
   } catch (err) {
@@ -217,12 +209,6 @@ export async function startInteractiveMode(id) {
   const chat = getChatByWorkspaceId(id);
   const injectSecrets = chat?.chatMode === 'agent';
 
-  let agentJobToken;
-  if (injectSecrets) {
-    const { createAgentJobApiKey } = await import('../db/api-keys.js');
-    ({ key: agentJobToken } = createAgentJobApiKey(id));
-  }
-
   try {
     const { getConfig } = await import('../config.js');
     const agent = getConfig('CODING_AGENT') || 'claude-code';
@@ -237,7 +223,6 @@ export async function startInteractiveMode(id) {
       featureBranch: workspace.featureBranch,
       workspaceId: id,
       injectSecrets,
-      agentJobToken,
     });
 
     updateContainerName(id, containerName);

package/lib/db/api-keys.js

@@ -5,9 +5,6 @@ import { settings } from './schema.js';
 
 const KEY_PREFIX = 'tpb_';
 
-// In-memory cache: array of { id, keyHash } or null (not loaded)
-let _cache = null;
-
 /**
  * Generate a new API key: tpb_ + 64 hex chars (32 random bytes).
  * @returns {string}
@@ -25,44 +22,6 @@ export function hashApiKey(key) {
   return createHash('sha256').update(key).digest('hex');
 }
 
-/**
- * Lazy-load all API key hashes into the in-memory cache.
- */
-function _ensureCache() {
-  if (_cache !== null) return _cache;
-
-  const db = getDb();
-  const ONE_HOUR = 60 * 60 * 1000;
-  const cutoff = Date.now() - ONE_HOUR;
-
-  const rows = db
-    .select()
-    .from(settings)
-    .where(eq(settings.type, 'api_key'))
-    .all();
-
-  const jobKeyRows = db
-    .select()
-    .from(settings)
-    .where(eq(settings.type, 'agent_job_api_key'))
-    .all()
-    .filter(r => r.lastUsedAt !== null ? r.lastUsedAt > cutoff : r.createdAt > cutoff);
-
-  _cache = [...rows, ...jobKeyRows].map((row) => {
-    const parsed = JSON.parse(row.value);
-    return { id: row.id, keyHash: parsed.key_hash, type: row.type };
-  });
-
-  return _cache;
-}
-
-/**
- * Clear the in-memory cache (call after create/delete).
- */
-export function invalidateApiKeyCache() {
-  _cache = null;
-}
-
 /**
  * Create a new named API key.
  * @param {string} name - Human-readable name for the key
@@ -89,7 +48,6 @@ export function createApiKeyRecord(name, createdBy) {
   };
 
   db.insert(settings).values(record).run();
-  invalidateApiKeyCache();
 
   return {
     key,
@@ -143,7 +101,6 @@ export function getApiKey() {
 export function deleteApiKeyById(id) {
   const db = getDb();
   db.delete(settings).where(eq(settings.id, id)).run();
-  invalidateApiKeyCache();
 }
 
 /**
@@ -152,11 +109,11 @@ export function deleteApiKeyById(id) {
 export function deleteApiKey() {
   const db = getDb();
   db.delete(settings).where(eq(settings.type, 'api_key')).run();
-  invalidateApiKeyCache();
 }
 
 /**
- * Verify a raw API key against all cached hashes.
+ * Verify a raw API key against stored hashes.
+ * Queries the database directly on each call (SQLite is in-process, no caching needed).
  * @param {string} rawKey - Raw API key from request header
  * @returns {object|null} Record if valid, null otherwise
  */
@@ -164,27 +121,32 @@ export function verifyApiKey(rawKey) {
   if (!rawKey || !rawKey.startsWith(KEY_PREFIX)) return null;
 
   const keyHash = hashApiKey(rawKey);
-  const cached = _ensureCache();
+  const db = getDb();
 
-  if (!cached || cached.length === 0) return null;
+  const rows = [
+    ...db.select().from(settings).where(eq(settings.type, 'api_key')).all(),
+    ...db.select().from(settings).where(eq(settings.type, 'agent_job_api_key')).all(),
+  ];
+
+  if (rows.length === 0) return null;
 
   const b = Buffer.from(keyHash, 'hex');
 
-  for (const entry of cached) {
-    const a = Buffer.from(entry.keyHash, 'hex');
+  for (const row of rows) {
+    const parsed = JSON.parse(row.value);
+    const a = Buffer.from(parsed.key_hash, 'hex');
     if (a.length === b.length && timingSafeEqual(a, b)) {
-      // Update last_used_at column directly (non-blocking)
+      // Update last_used_at
       try {
-        const db = getDb();
         const now = Date.now();
         db.update(settings)
           .set({ lastUsedAt: now, updatedAt: now })
-          .where(eq(settings.id, entry.id))
+          .where(eq(settings.id, row.id))
           .run();
-      } catch {
-        // Non-fatal: last_used_at is informational
+      } catch (err) {
+        console.error('[api-keys] Failed to update last_used_at:', err.message);
       }
-      return entry;
+      return { id: row.id, keyHash: parsed.key_hash, type: row.type };
     }
   }
 
@@ -193,8 +155,8 @@ export function verifyApiKey(rawKey) {
 
 /**
  * Create a per-job API key for an agent job container.
- * Stored as type 'agent_job_api_key'. Valid for 1 hour since last use.
- * @param {string} jobId - Agent job ID (stored as key column for traceability)
+ * Stored as type 'agent_job_api_key'.
+ * @param {string} jobId - Agent job or workspace ID (stored as key column for traceability)
  * @returns {{ key: string }} The raw API key to inject into the container
  */
 export function createAgentJobApiKey(jobId) {
@@ -210,7 +172,6 @@ export function createAgentJobApiKey(jobId) {
     createdAt: now,
     updatedAt: now,
   }).run();
-  invalidateApiKeyCache();
   return { key };
 }
 

package/lib/maintenance.js

@@ -2,7 +2,6 @@ import cron from 'node-cron';
 import { eq } from 'drizzle-orm';
 import { getDb } from './db/index.js';
 import { settings } from './db/schema.js';
-import { invalidateApiKeyCache } from './db/api-keys.js';
 
 const ONE_HOUR = 60 * 60 * 1000;
 
@@ -22,7 +21,6 @@ function cleanExpiredAgentJobKeys() {
       for (const id of expiredIds) {
         db.delete(settings).where(eq(settings.id, id)).run();
       }
-      invalidateApiKeyCache();
       console.log(`[maintenance] Deleted ${expiredIds.length} expired agent job key(s)`);
     } else {
       console.log(`[maintenance] No expired agent job keys (${rows.length} active)`);

package/lib/tools/create-agent-job.js

@@ -3,8 +3,6 @@ import { z } from 'zod';
 import { githubApi } from './github.js';
 import { createModel } from '../ai/model.js';
 import { getConfig } from '../config.js';
-import { createAgentJobApiKey } from '../db/api-keys.js';
-
 /**
  * Generate a short descriptive title for an agent job using the LLM.
  * Uses structured output to avoid thinking-token leaks with extended-thinking models.
@@ -93,7 +91,6 @@ async function createAgentJob(agentJobDescription, options = {}) {
 
   // 6. Launch Docker container locally (fire-and-forget with async cleanup)
   const repoSlug = `${GH_OWNER}/${GH_REPO}`;
-  const { key: agentJobToken } = createAgentJobApiKey(agentJobId);
   launchAgentJobContainer({
     agentJobId,
     repo: repoSlug,
@@ -102,7 +99,6 @@ async function createAgentJob(agentJobDescription, options = {}) {
     description: agentJobDescription,
     codingAgent: options.agentBackend,
     llmModel: options.llmModel,
-    agentJobToken,
   }).catch(err => {
     console.error(`[agent-job] Failed to launch container for ${agentJobId}:`, err.message);
   });

package/lib/tools/docker.js

@@ -196,7 +196,7 @@ async function runContainer({ containerName, image, env = [], workingDir, hostCo
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets, agentJobToken, continueSession = true }) {
+async function runInteractiveContainer({ containerName, repo, branch, codingAgent, featureBranch, workspaceId, injectSecrets, continueSession = true }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -234,11 +234,12 @@ async function runInteractiveContainer({ containerName, repo, branch, codingAgen
     if (jobSecrets.length > 0) {
       env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
     }
-    if (agentJobToken) {
-      env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
-      const appUrl = getConfig('APP_URL');
-      if (appUrl) env.push(`APP_URL=${appUrl}`);
-    }
+    // Create per-container API key for agent-secrets access
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    const { key: agentJobToken } = createAgentJobApiKey(workspaceId || containerName);
+    env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+    const appUrl = getConfig('APP_URL');
+    if (appUrl) env.push(`APP_URL=${appUrl}`);
   }
 
   const hostConfig = {};
@@ -399,7 +400,7 @@ function buildAgentAuthEnv(agent) {
  * @param {boolean} [options.injectSecrets] - Inject agent job secrets into container env
  * @returns {Promise<{containerId: string, containerName: string}>}
  */
-async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession = true, injectSecrets, agentJobToken }) {
+async function runHeadlessContainer({ containerName, repo, branch, featureBranch, workspaceId, taskPrompt, mode = 'plan', codingAgent, systemPrompt, continueSession = true, injectSecrets }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -446,11 +447,12 @@ async function runHeadlessContainer({ containerName, repo, branch, featureBranch
     if (jobSecrets.length > 0) {
       env.push(`AGENT_JOB_SECRETS=${JSON.stringify(Object.fromEntries(jobSecrets.map(s => [s.key, s.value])))}`);
     }
-    if (agentJobToken) {
-      env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
-      const appUrl = getConfig('APP_URL');
-      if (appUrl) env.push(`APP_URL=${appUrl}`);
-    }
+    // Create per-container API key for agent-secrets access
+    const { createAgentJobApiKey } = await import('../db/api-keys.js');
+    const { key: agentJobToken } = createAgentJobApiKey(workspaceId || containerName);
+    env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+    const appUrl = getConfig('APP_URL');
+    if (appUrl) env.push(`APP_URL=${appUrl}`);
   }
 
   const hostConfig = {};
@@ -861,7 +863,7 @@ async function removeVolume(name) {
  * @param {string} [options.llmModel] - Model override
  * @returns {Promise<{containerId: string, containerName: string, volumeName: string}>}
  */
-async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel, agentJobToken }) {
+async function runAgentJobContainer({ agentJobId, repo, branch, title, description, codingAgent, llmModel }) {
   const agent = codingAgent || getConfig('CODING_AGENT') || 'claude-code';
   const version = process.env.THEPOPEBOT_VERSION;
   const image = `stephengpope/thepopebot:coding-agent-${agent}-${version}`;
@@ -899,8 +901,10 @@ async function runAgentJobContainer({ agentJobId, repo, branch, title, descripti
   const appUrl = getConfig('APP_URL');
   if (appUrl) env.push(`APP_URL=${appUrl}`);
 
-  // Inject per-job API token for agent-secrets skill
-  if (agentJobToken) env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
+  // Create per-container API key for agent-secrets access
+  const { createAgentJobApiKey } = await import('../db/api-keys.js');
+  const { key: agentJobToken } = createAgentJobApiKey(agentJobId);
+  env.push(`AGENT_JOB_TOKEN=${agentJobToken}`);
 
   // Inject agent job secrets (plain secrets as env vars; oauth types are null — agent must fetch via get)
   const { getAllAgentJobSecrets } = await import('../db/config.js');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thepopebot",
-  "version": "1.2.75-beta.6",
+  "version": "1.2.75-beta.7",
   "type": "module",
   "description": "Create autonomous AI agents with a two-layer architecture: Next.js Event Handler + Docker Agent.",
   "bin": {

package/templates/skills/agent-job-secrets/SKILL.md

@@ -7,14 +7,14 @@ description: List, get, or update agent secrets. Use get for OAuth credentials (
 
 ```bash
 # List available secrets (null = must fetch, plain = already in env)
-node skills/agent-job-secrets/agent-job-secrets.js
+node skills/agent-job-secrets/agent-job-secrets.mjs
 
 # Get a secret value (OAuth credentials are auto-refreshed)
-node skills/agent-job-secrets/agent-job-secrets.js get MY_CREDENTIALS
+node skills/agent-job-secrets/agent-job-secrets.mjs get MY_CREDENTIALS
 
 # Set/update a secret (plain string or piped value)
-node skills/agent-job-secrets/agent-job-secrets.js set MY_KEY "value"
-echo "$UPDATED_CREDENTIALS" | node skills/agent-job-secrets/agent-job-secrets.js set MY_KEY
+node skills/agent-job-secrets/agent-job-secrets.mjs set MY_KEY "value"
+echo "$UPDATED_CREDENTIALS" | node skills/agent-job-secrets/agent-job-secrets.mjs set MY_KEY
 ```
 
 ## Notes

package/templates/skills/agent-job-secrets/{agent-job-secrets.js → agent-job-secrets.mjs}

@@ -18,9 +18,8 @@ if (!cmd || cmd === 'list') {
     console.log('Available secrets:');
     keys.forEach(k => {
       const fetchRequired = secrets[k] === null;
-      console.log(`  - ${k}${fetchRequired ? '  (fetch required: use get)' : ''}`);
+      console.log(`  - ${k}${fetchRequired ? '  (use agent-job-secrets skill to fetch)' : ''}`);
     });
-    console.log('\nTo get a value: agent-job-secrets.js get KEY_NAME');
   }
   process.exit(0);
 }
@@ -31,33 +30,43 @@ if (!apiKey) { console.error('AGENT_JOB_TOKEN not available'); process.exit(1);
 if (!appUrl) { console.error('APP_URL not available'); process.exit(1); }
 
 if (cmd === 'get') {
-  if (!key) { console.error('Usage: agent-job-secrets.js get KEY_NAME'); process.exit(1); }
-  const res = await fetch(`${appUrl}/api/get-agent-job-secret?key=${encodeURIComponent(key)}`, {
+  if (!key) { console.error('Usage: agent-job-secrets get KEY_NAME'); process.exit(1); }
+  const url = `${appUrl}/api/get-agent-job-secret?key=${encodeURIComponent(key)}`;
+  const res = await fetch(url, {
     headers: { 'x-api-key': apiKey },
   });
+  if (!res.ok) {
+    const body = await res.text();
+    console.error(`GET ${url} → ${res.status} ${body}`);
+    process.exit(1);
+  }
   const json = await res.json();
-  if (!res.ok || json.error) { console.error('Failed:', json.error || res.status); process.exit(1); }
   console.log(json.value);
   process.exit(0);
 }
 
 if (cmd === 'set') {
   if (!key) {
-    console.error('Usage: agent-job-secrets.js set KEY_NAME [value]');
-    console.error('       echo "value" | agent-job-secrets.js set KEY_NAME');
+    console.error('Usage: agent-job-secrets set KEY_NAME [value]');
+    console.error('       echo "value" | agent-job-secrets set KEY_NAME');
     process.exit(1);
   }
   let value = inlineValue;
   if (value === undefined) {
     value = readFileSync('/dev/stdin', 'utf8').trim();
   }
-  const res = await fetch(`${appUrl}/api/set-agent-job-secret`, {
+  const url = `${appUrl}/api/set-agent-job-secret`;
+  const res = await fetch(url, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json', 'x-api-key': apiKey },
     body: JSON.stringify({ key, value }),
   });
+  if (!res.ok) {
+    const body = await res.text();
+    console.error(`POST ${url} → ${res.status} ${body}`);
+    process.exit(1);
+  }
   const json = await res.json();
-  if (!res.ok || json.error) { console.error('Failed:', json.error || res.status); process.exit(1); }
   console.log(`Secret "${key}" updated.`);
   process.exit(0);
 }