thepopebot 1.2.76-beta.3 → 1.2.76-beta.30

package/README.md

@@ -104,7 +104,7 @@ The wizard walks you through everything:
 **That's it.** Visit your APP_URL when the wizard finishes.
 
 - **Web Chat**: Visit your APP_URL to chat with your agent, create jobs, upload files
-- **Telegram** (optional): Run `npm run setup-telegram` to connect a Telegram bot
+- **Telegram** (optional): Connect a Telegram bot from `/admin/event-handler/telegram`
 - **Webhook**: Send a POST to `/api/create-agent-job` with your API key to create jobs programmatically
 - **Cron**: Edit `agent-job/CRONS.json` to schedule recurring jobs
 
@@ -143,9 +143,9 @@ See [Coding Agents](docs/CODING_AGENTS.md) for details on all five agent backend
 > ```bash
 > # Update .env and GitHub variable in one command:
 > npx thepopebot set-var APP_URL https://your-new-url.ngrok.io
-> # If Telegram is configured, re-register the webhook:
-> npm run setup-telegram
 > ```
+>
+> If Telegram is configured, click **Re-register webhook** at `/admin/event-handler/telegram` after the URL change.
 
 ---
 

package/api/CLAUDE.md

@@ -4,9 +4,14 @@ This directory contains the route handlers for all `/api/*` endpoints. These rou
 
 ## Auth
 
-All routes (except `/telegram/webhook` and `/github/webhook`, which use their own webhook secrets) require a valid API key passed via the `x-api-key` header. API keys are stored in the SQLite database and managed through the admin UI — they are NOT environment variables.
+Most routes require a valid API key passed via the `x-api-key` header. API keys are stored in the SQLite database and managed through the admin UI — they are NOT environment variables.
 
-Auth flow: `x-api-key` header -> `verifyApiKey()` -> database lookup (hashed, timing-safe comparison).
+**Public routes** (no API key needed): `/ping`, `/telegram/webhook` (Telegram webhook secret), `/github/webhook` (GitHub webhook secret), `/oauth/callback` (validated via short-lived `state` token).
+
+Auth flow: `x-api-key` header → `verifyApiKey()` → DB lookup (hashed, timing-safe comparison). Two key types exist:
+
+- **User-owned API keys** — long-lived, created via the admin UI, used by external callers (cURL, GitHub Actions, Telegram register).
+- **Per-job agent API keys** (`agent_job_api_key`) — short-lived, auto-created when an agent-job container launches (`createAgentJobApiKey()` in `lib/db/api-keys.js`), tied to the container name, and cleaned up by the maintenance cron after expiry. Only this key type is allowed to call `/api/get-agent-job-secret` (the route rejects other types).
 
 ## Do NOT use these routes for browser UI
 
@@ -24,11 +29,13 @@ Browser-facing data fetching uses **fetch route handlers** colocated with pages
 | Method | Path | Auth | Handler |
 |--------|------|------|---------|
 | GET | `/api/ping` | None | Health check |
-| POST | `/api/create-agent-job` | `x-api-key` | Create agent job |
-| GET | `/api/get-agent-job-secret` | `x-api-key` | Get an agent job secret; oauth2 credentials return only the access_token (auto-refreshed) |
+| POST | `/api/create-agent-job` | `x-api-key` | Create agent job. Body: `{ agent_job, llm_model?, agent_backend?, scope? }` |
+| GET | `/api/get-agent-job-secret` | `agent_job_api_key` only | Get an agent job secret. `oauth2` credentials return only the access_token (auto-refreshed under a lock; rotated refresh tokens are persisted back). Other secret types return the raw value. |
+| POST | `/api/set-agent-job-secret` | `agent_job_api_key` only | Create or update an agent-job secret from inside the container (used by the `set-secret` skill). |
 | GET | `/api/agent-job-list-secrets` | `x-api-key` | List agent job secret keys (no values); returns `{secrets: [{key, isSet, updatedAt, secretType}]}` |
 | GET | `/api/agent-jobs/status` | `x-api-key` | Agent job status (query: `?agent_job_id=`) |
-| POST | `/api/telegram/webhook` | Telegram webhook secret | Telegram message handler |
+| POST | `/api/telegram/webhook` | Telegram webhook secret | Telegram message handler (per-user routing via `user_channels`; verifies via `/verify <code>`, dispatches `/session` commands) |
 | POST | `/api/telegram/register` | `x-api-key` | Register bot token + webhook URL |
 | POST | `/api/github/webhook` | GitHub webhook secret | GitHub event handler |
 | POST | `/api/cluster/:clusterId/role/:roleId/webhook` | `x-api-key` | Trigger cluster role execution |
+| GET/POST | `/api/oauth/callback` | `state` token | OAuth provider redirect target. Exchanges `code` for tokens, persists via `setAgentJobSecret(name, stored, 'oauth')`. |

package/api/index.js

@@ -1,11 +1,14 @@
-import { createHash, timingSafeEqual } from 'crypto';
+import { createHash, timingSafeEqual, randomUUID } from 'crypto';
 import { createAgentJob } from '../lib/tools/create-agent-job.js';
 import { setWebhook } from '../lib/tools/telegram.js';
 import { getAgentJobStatus, fetchAgentJobLog } from '../lib/tools/github.js';
 import { getTelegramAdapter } from '../lib/channels/index.js';
-import { chat, summarizeAgentJob } from '../lib/ai/index.js';
+import { dispatchCommand, dispatchPreAuthCommand } from '../lib/channels/commands/index.js';
+import { getByChannelChatId, getVerifiedChannels, setActiveThread } from '../lib/db/user-channels.js';
+import { getAllUsers, getUserById } from '../lib/db/users.js';
+import { chat, chatStream, summarizeAgentJob } from '../lib/ai/index.js';
 import { createNotification } from '../lib/db/notifications.js';
-import { loadTriggers } from '../lib/triggers.js';
+import { getFireTriggers } from '../lib/triggers.js';
 import { verifyApiKey } from '../lib/db/api-keys.js';
 import { getConfig } from '../lib/config.js';
 import { parseOAuthState, exchangeCodeForToken } from '../lib/oauth/helper.js';
@@ -17,8 +20,6 @@ const _refreshLocks = new Map();
 // Bot token — resolved from DB/env, can be overridden by /telegram/register
 let telegramBotToken = null;
 
-// Cached trigger firing function (initialized on first request)
-let _fireTriggers = null;
 
 function getTelegramBotToken() {
   if (!telegramBotToken) {
@@ -27,13 +28,6 @@ function getTelegramBotToken() {
   return telegramBotToken;
 }
 
-function getFireTriggers() {
-  if (!_fireTriggers) {
-    const result = loadTriggers();
-    _fireTriggers = result.fireTriggers;
-  }
-  return _fireTriggers;
-}
 
 // Routes that have their own authentication
 const PUBLIC_ROUTES = ['/telegram/webhook', '/github/webhook', '/ping', '/oauth/callback'];
@@ -92,13 +86,14 @@ function extractAgentJobId(branchName) {
 
 async function handleCreateAgentJob(request) {
   const body = await request.json();
-  const { job } = body;
-  if (!job) return Response.json({ error: 'Missing job field' }, { status: 400 });
+  const { agent_job } = body;
+  if (!agent_job) return Response.json({ error: 'Missing agent_job field' }, { status: 400 });
 
   try {
-    const result = await createAgentJob(job, {
+    const result = await createAgentJob(agent_job, {
       llmModel: body.llm_model,
       agentBackend: body.agent_backend,
+      scope: body.scope,
     });
     return Response.json(result);
   } catch (err) {
@@ -113,8 +108,9 @@ async function handleGetAgentSecret(request) {
     return Response.json({ error: 'Forbidden' }, { status: 403 });
   }
 
-  const key = new URL(request.url).searchParams.get('key');
-  if (!key) return Response.json({ error: 'Missing key' }, { status: 400 });
+  const rawKey = new URL(request.url).searchParams.get('key');
+  if (!rawKey) return Response.json({ error: 'Missing key' }, { status: 400 });
+  const key = rawKey.toUpperCase();
 
   const { getAgentJobSecretRaw, setAgentJobSecret: saveSecret } = await import('../lib/db/config.js');
   const raw = getAgentJobSecretRaw(key);
@@ -166,6 +162,74 @@ async function handleGetAgentSecret(request) {
   return Response.json({ value: raw });
 }
 
+async function handleListUsers() {
+  const users = getAllUsers();
+  const enriched = users.map((u) => {
+    const channels = getVerifiedChannels(u.id).map((c) => c.channel);
+    return {
+      id: u.id,
+      email: u.email,
+      first_name: u.firstName,
+      last_name: u.lastName,
+      nickname: u.nickname,
+      role: u.role,
+      channels,
+    };
+  });
+  return Response.json({ users: enriched });
+}
+
+async function handleSendDm(request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  const { user_id, message, channel } = body;
+  if (!user_id) return Response.json({ error: 'Missing user_id' }, { status: 400 });
+  if (!message || typeof message !== 'string') {
+    return Response.json({ error: 'Missing message' }, { status: 400 });
+  }
+
+  const user = getUserById(user_id);
+  if (!user) return Response.json({ error: 'User not found' }, { status: 404 });
+
+  const verified = getVerifiedChannels(user_id);
+  if (verified.length === 0) {
+    return Response.json({ error: 'User has no verified DM channels' }, { status: 409 });
+  }
+
+  // Pick channel: explicit name, or 'default' / omitted = first verified (Telegram preferred while it's the only impl).
+  const wantDefault = !channel || channel === 'default';
+  const target = wantDefault
+    ? (verified.find((c) => c.channel === 'telegram') || verified[0])
+    : verified.find((c) => c.channel === channel);
+
+  if (!target) {
+    return Response.json(
+      { error: `User has no verified ${channel} channel`, available: verified.map((c) => c.channel) },
+      { status: 409 }
+    );
+  }
+
+  if (target.channel === 'telegram') {
+    const botToken = getTelegramBotToken();
+    if (!botToken) return Response.json({ error: 'Telegram bot token not configured' }, { status: 500 });
+    const adapter = getTelegramAdapter(botToken);
+    try {
+      await adapter.sendResponse(target.channelChatId, message, { chatId: target.channelChatId });
+      return Response.json({ ok: true, channel: 'telegram', user_id });
+    } catch (err) {
+      console.error('Failed to send DM:', err);
+      return Response.json({ error: 'Failed to send DM' }, { status: 502 });
+    }
+  }
+
+  return Response.json({ error: `Channel "${target.channel}" not implemented` }, { status: 501 });
+}
+
 async function handleListAgentSecrets(request) {
   const record = verifyApiKey(request.headers.get('x-api-key'));
   if (record.type !== 'agent_job_api_key') {
@@ -209,29 +273,65 @@ async function handleTelegramWebhook(request) {
 }
 
 /**
- * Process a normalized message through the AI layer with channel UX.
- * Message persistence is handled centrally by the AI layer.
+ * Resolve the incoming channel message to a user, dispatch any slash command,
+ * and otherwise stream the message through the AI layer using the user's
+ * active session.
  */
 async function processChannelMessage(adapter, normalized) {
-  await adapter.acknowledge(normalized.metadata);
-  const stopIndicator = adapter.startProcessingIndicator(normalized.metadata);
+  const { channel, channelChatId, metadata } = normalized;
+  const binding = getByChannelChatId(channel, channelChatId);
+
+  // Unbound chat → only /verify is accepted; everything else is silently ignored.
+  if (!binding || !binding.verifiedAt) {
+    const result = await dispatchPreAuthCommand(normalized, { channel, channelChatId });
+    if (result?.handled) {
+      await adapter.sendResponse(channelChatId, result.reply, metadata);
+    }
+    return;
+  }
+
+  const ctx = { channel, channelChatId, userId: binding.userId };
+
+  // Post-auth slash commands short-circuit the AI path.
+  const cmd = await dispatchCommand(normalized, ctx);
+  if (cmd?.handled) {
+    await adapter.sendResponse(channelChatId, cmd.reply, metadata);
+    return;
+  }
+
+  await adapter.acknowledge(metadata);
+  const stopIndicator = adapter.startProcessingIndicator(metadata);
 
   try {
-    const response = await chat(
-      normalized.threadId,
-      normalized.text,
-      normalized.attachments,
-      { userId: 'telegram', chatTitle: 'Telegram' }
-    );
-    await adapter.sendResponse(normalized.threadId, response, normalized.metadata);
+    let threadId = binding.activeThreadId;
+    if (!threadId) {
+      threadId = randomUUID();
+      setActiveThread(binding.userId, channel, threadId);
+    }
+
+    const envRepo = process.env.GH_OWNER && process.env.GH_REPO
+      ? `${process.env.GH_OWNER}/${process.env.GH_REPO}`
+      : '';
+    const streamOptions = {
+      userId: binding.userId,
+      chatTitle: 'Telegram',
+      repo: envRepo,
+      branch: 'main',
+      codeMode: false,
+      codeModeType: 'code',
+    };
+
+    if (adapter.streamChatResponse) {
+      const chunks = chatStream(threadId, normalized.text, normalized.attachments, streamOptions);
+      await adapter.streamChatResponse(channelChatId, chunks);
+    } else {
+      const response = await chat(threadId, normalized.text, normalized.attachments, streamOptions);
+      await adapter.sendResponse(channelChatId, response, metadata);
+    }
   } catch (err) {
     console.error('Failed to process message with AI:', err);
     await adapter
-      .sendResponse(
-        normalized.threadId,
-        'Sorry, I encountered an error processing your message.',
-        normalized.metadata
-      )
+      .sendResponse(channelChatId, 'Sorry, I encountered an error processing your message.', metadata)
       .catch(() => {});
   } finally {
     stopIndicator();
@@ -398,6 +498,7 @@ async function POST(request) {
   // Route to handler
   switch (routePath) {
     case '/create-agent-job':     return handleCreateAgentJob(request);
+    case '/send-dm':              return handleSendDm(request);
     case '/telegram/webhook':   return handleTelegramWebhook(request);
     case '/telegram/register':  return handleTelegramRegister(request);
     case '/github/webhook':     return handleGithubWebhook(request);
@@ -418,6 +519,7 @@ async function GET(request) {
     case '/agent-jobs/status':  return handleAgentJobStatus(request);
     case '/get-agent-job-secret':     return handleGetAgentSecret(request);
     case '/agent-job-list-secrets':  return handleListAgentSecrets(request);
+    case '/users':              return handleListUsers();
     case '/oauth/callback':     return handleOAuthCallback(request);
     default:                    return Response.json({ error: 'Not found' }, { status: 404 });
   }

package/bin/CLAUDE.md

@@ -8,20 +8,23 @@ Entry point: `cli.js` (invoked via `npx thepopebot <command>`).
 |---------|---------|
 | `init [--no-managed] [--no-install]` | Scaffold project from templates, sync managed files, create `.env`, install deps |
 | `setup` | Run interactive setup wizard (see `setup/CLAUDE.md`) |
-| `setup-telegram` | Reconfigure Telegram webhook |
+| `setup-ssl` | Configure SSL with Let's Encrypt wildcard cert |
 | `upgrade [@beta\|version]` | Upgrade package, run init, rebuild, commit, push, restart Docker |
 | `reset [file]` | Restore a template file to defaults |
+| `reset-all` | Nuclear reset — restore entire project to fresh init state |
+| `audit` | Show project state vs. package templates (modified / missing / unknown) |
 | `diff [file]` | Show diff between user file and package template |
 | `reset-auth` | Regenerate `AUTH_SECRET` (invalidates all sessions) |
-| `set-var <KEY> [VALUE]` | Set GitHub repository variable |
+| `set-var <KEY> [VALUE]` | Set GitHub repository variable (also reads piped stdin) |
 | `user:password <email>` | Change user password |
-| `sync <path>` | Dev helper — sync local package to test install |
+| `sync <path>` | Dev helper — pack, build, upload local package to test install |
+| `sync --fast <path>` | Fast variant — copy source into the running container and rebuild `.next` only |
 
 ## Managed Paths System
 
 `managed-paths.js` defines files auto-synced by `init`. These are overwritten on every init/upgrade — users should not edit them.
 
-**Managed paths**: `.github/workflows/`, `docker-compose.yml`, `.dockerignore`, `.gitignore`, `agent-job/CLAUDE.md`, `event-handler/CLAUDE.md`, `skills/CLAUDE.md`.
+**Managed paths**: `.github/workflows/`, `docker-compose.yml`, `.dockerignore`, `.gitignore`.
 
 `isManaged(relPath)` — returns true if a path is managed (exact match or directory prefix).
 

package/bin/cli.js

@@ -53,7 +53,6 @@ Commands:
   upgrade|update [@beta|version]    Upgrade thepopebot (install, init, build, commit, push)
   setup                             Run interactive setup wizard
   setup-ssl                         Configure SSL with Let's Encrypt wildcard cert
-  setup-telegram                    Reconfigure Telegram webhook
   reset-auth                        Regenerate AUTH_SECRET (invalidates all sessions)
   reset [file]                      Restore a template file (or list available templates)
   reset-all                         Nuclear reset — restore entire project to fresh init state
@@ -86,12 +85,12 @@ function getTemplateFiles(templatesDir) {
   return files;
 }
 
-async function init() {
+async function init(options = {}) {
   let cwd = process.cwd();
   const packageDir = path.join(__dirname, '..');
   const templatesDir = path.join(packageDir, 'templates');
-  const noManaged = args.includes('--no-managed');
-  const noInstall = args.includes('--no-install');
+  const noManaged = options.noManaged ?? args.includes('--no-managed');
+  const noInstall = options.noInstall ?? args.includes('--no-install');
 
   // Guard: warn if the directory is not empty (unless it's an existing thepopebot project)
   const entries = fs.readdirSync(cwd);
@@ -256,7 +255,6 @@ async function init() {
       type: 'module',
       scripts: {
         setup: 'thepopebot setup',
-        'setup-telegram': 'thepopebot setup-telegram',
         'reset-auth': 'thepopebot reset-auth',
       },
       dependencies: {
@@ -277,33 +275,23 @@ async function init() {
     }
   }
 
-  // Create default skill activation symlinks
-  const defaultSkills = [];
-  const activeDir = path.join(cwd, 'skills', 'active');
-  fs.mkdirSync(activeDir, { recursive: true });
-  for (const skill of defaultSkills) {
-    const symlink = path.join(activeDir, skill);
-    if (!fs.existsSync(symlink)) {
-      createDirLink(`../library/${skill}`, symlink);
-      console.log(`  Created skills/active/${skill} → ../library/${skill}`);
+  // Create agent skill bridge symlinks (point to ../skills)
+  const skillBridges = [
+    { dir: '.pi', name: 'Pi' },
+    { dir: '.claude', name: 'Claude' },
+    { dir: '.codex', name: 'Codex' },
+    { dir: '.gemini', name: 'Gemini' },
+    { dir: '.kimi', name: 'Kimi' },
+  ];
+  for (const { dir, name } of skillBridges) {
+    const link = path.join(cwd, dir, 'skills');
+    if (!fs.existsSync(link)) {
+      fs.mkdirSync(path.dirname(link), { recursive: true });
+      createDirLink('../skills', link);
+      console.log(`  Created ${dir}/skills → ../skills`);
     }
   }
 
-  // Create .pi/skills → ../skills/active symlink
-  const piSkillsLink = path.join(cwd, '.pi', 'skills');
-  if (!fs.existsSync(piSkillsLink)) {
-    fs.mkdirSync(path.dirname(piSkillsLink), { recursive: true });
-    createDirLink('../skills/active', piSkillsLink);
-    console.log('  Created .pi/skills → ../skills/active');
-  }
-
-  // Create .claude/skills → ../skills/active symlink
-  const claudeSkillsLink = path.join(cwd, '.claude', 'skills');
-  if (!fs.existsSync(claudeSkillsLink)) {
-    fs.mkdirSync(path.dirname(claudeSkillsLink), { recursive: true });
-    createDirLink('../skills/active', claudeSkillsLink);
-    console.log('  Created .claude/skills → ../skills/active');
-  }
 
   // Report backed-up files
   if (backedUp.length > 0) {
@@ -656,8 +644,12 @@ const PROTECTED_PATHS = [
   'package.json',
   'docker-compose.custom.yml',
   '.claude/',
+  '.codex/',
+  '.gemini/',
+  '.kimi/',
   '.pi/',
   'skills/',
+  'agents/',
   'node_modules/',
 ];
 
@@ -749,10 +741,10 @@ async function resetAll() {
 
   console.log(`\n  Moved ${filesToMove.length} file(s) to .backups/${ts}/`);
 
-  // Run init to rebuild from templates
+  // Run init to rebuild from templates (call directly to use the same package version)
   console.log('\n  Running init to rebuild project...\n');
   try {
-    execSync('npx thepopebot init --no-install', { stdio: 'inherit', cwd });
+    await init({ noInstall: true });
   } catch {
     console.error('\n  Init failed. Your backup is at .backups/' + ts + '/\n');
     process.exit(1);
@@ -789,15 +781,6 @@ function setupSsl() {
   }
 }
 
-function setupTelegram() {
-  const setupScript = path.join(__dirname, '..', 'setup', 'setup-telegram.mjs');
-  try {
-    execFileSync(process.execPath, [setupScript], { stdio: 'inherit', cwd: process.cwd() });
-  } catch {
-    process.exit(1);
-  }
-}
-
 async function resetAuth() {
   const { randomBytes } = await import('crypto');
   const { updateEnvVariable } = await import(path.join(__dirname, '..', 'setup', 'lib', 'auth.mjs'));
@@ -1072,9 +1055,6 @@ switch (command) {
   case 'setup-ssl':
     setupSsl();
     break;
-  case 'setup-telegram':
-    setupTelegram();
-    break;
   case 'reset-auth':
     await resetAuth();
     break;

package/bin/docker-build.js

@@ -1,19 +1,32 @@
 #!/usr/bin/env node
 
 /**
- * Build all Docker images locally (in parallel).
+ * Build all Docker images locally.
  *
  * Usage:
- *   npm run docker:build            # build all images in parallel
- *   npm run docker:build -- --image event-handler   # build one image
+ *   npm run docker:build            # build everything
+ *   npm run docker:build -- --image event-handler   # build one (deps built first)
  *
  * Reads the version from package.json and tags each image as:
  *   stephengpope/thepopebot:{image}-{version}
  *
- * The coding-agent images use a two-stage build: a shared base image
- * (Dockerfile) is built first, then each agent-specific Dockerfile
- * extends it. The base is tagged as coding-agent-base-{version} and
- * is NOT pushed — it's only used locally as a build dependency.
+ * Image hierarchy:
+ *
+ *   thepopebot-base                           ← Ubuntu + Node + locale + Chromium + playwright + user
+ *     ├── coding-agent-base                   ← + tmux, ttyd, scripts, entrypoint
+ *     │     ├── coding-agent-claude-code      ← + per-agent CLI
+ *     │     ├── coding-agent-pi-coding-agent
+ *     │     └── ... (one per agent)
+ *     └── event-handler                       ← + pm2, gosu, Next.js, server.js
+ *
+ * Build order:
+ *   1. thepopebot-base
+ *   2. coding-agent-base + event-handler in parallel
+ *   3. all coding-agent variants in parallel
+ *
+ * Base images are tagged both versioned and unversioned (no version) so child
+ * Dockerfiles can `FROM thepopebot-base` / `FROM coding-agent-base` without a
+ * build-arg for local development.
  */
 
 import { spawn } from 'child_process';
@@ -28,14 +41,21 @@ const pkg = JSON.parse(readFileSync(path.join(ROOT, 'package.json'), 'utf8'));
 const VERSION = pkg.version;
 const REPO = 'stephengpope/thepopebot';
 
-// Base image built first — all coding-agent images depend on it
-const BASE_IMAGE = {
+// Built first — everything depends on this.
+const THEPOPEBOT_BASE = {
+  name: 'thepopebot-base',
+  context: 'docker/base',
+  dockerfile: 'docker/base/Dockerfile',
+};
+
+// Built second — depends on thepopebot-base.
+const CODING_AGENT_BASE = {
   name: 'coding-agent-base',
   context: 'docker/coding-agent',
   dockerfile: 'docker/coding-agent/Dockerfile',
 };
 
-// Agent-specific images (extend the base)
+// Built third — depend on coding-agent-base.
 const CODING_AGENTS = [
   {
     name: 'coding-agent-claude-code',
@@ -69,16 +89,14 @@ const CODING_AGENTS = [
   },
 ];
 
-// Non-coding-agent images (independent, built in parallel)
-const OTHER_IMAGES = [
-  {
-    name: 'event-handler',
-    context: '.',
-    dockerfile: 'docker/event-handler/Dockerfile',
-  },
-];
+// Built second — depends on thepopebot-base. Built in parallel with coding-agent-base.
+const EVENT_HANDLER = {
+  name: 'event-handler',
+  context: '.',
+  dockerfile: 'docker/event-handler/Dockerfile',
+};
 
-const ALL_IMAGES = [BASE_IMAGE, ...CODING_AGENTS, ...OTHER_IMAGES];
+const ALL_IMAGES = [THEPOPEBOT_BASE, CODING_AGENT_BASE, ...CODING_AGENTS, EVENT_HANDLER];
 
 // Parse --image flag
 const filterArg = process.argv.find((_, i, a) => a[i - 1] === '--image');
@@ -101,11 +119,14 @@ function buildImage(img) {
   console.log(`  ${label}  building — ${tag}`);
 
   return new Promise((resolve, reject) => {
-    // Tag base image as both versioned and unversioned (agent Dockerfiles use FROM coding-agent-base)
     const args = ['build', '-t', tag, '-f', dockerfile];
-    if (img.name === 'coding-agent-base') {
-      args.push('-t', 'coding-agent-base');
+
+    // Base images get an unversioned tag too so child Dockerfiles can
+    // `FROM thepopebot-base` / `FROM coding-agent-base` without a build-arg.
+    if (img.name === 'thepopebot-base' || img.name === 'coding-agent-base') {
+      args.push('-t', img.name);
     }
+
     args.push(context);
 
     const proc = spawn(
@@ -172,50 +193,56 @@ function buildImage(img) {
   });
 }
 
-// Build logic: base first, then agents + others in parallel
 async function run() {
   if (filterArg) {
-    // Single image build
-    if (filterArg === BASE_IMAGE.name) {
+    // Single image build — build dependency chain too.
+    if (filterArg === THEPOPEBOT_BASE.name) {
       console.log(`Building 1 image — version ${VERSION}\n`);
-      await buildImage(BASE_IMAGE);
-    } else {
-      const isCodingAgent = CODING_AGENTS.some(img => img.name === filterArg);
-      if (isCodingAgent) {
-        // Need base first
-        console.log(`Building base + 1 agent image — version ${VERSION}\n`);
-        await buildImage(BASE_IMAGE);
-        const agent = CODING_AGENTS.find(img => img.name === filterArg);
-        await buildImage(agent);
-      } else {
-        console.log(`Building 1 image — version ${VERSION}\n`);
-        const img = OTHER_IMAGES.find(img => img.name === filterArg);
-        await buildImage(img);
-      }
+      await buildImage(THEPOPEBOT_BASE);
+    } else if (filterArg === CODING_AGENT_BASE.name) {
+      console.log(`Building 2 images — version ${VERSION}\n`);
+      await buildImage(THEPOPEBOT_BASE);
+      await buildImage(CODING_AGENT_BASE);
+    } else if (filterArg === EVENT_HANDLER.name) {
+      console.log(`Building 2 images — version ${VERSION}\n`);
+      await buildImage(THEPOPEBOT_BASE);
+      await buildImage(EVENT_HANDLER);
+    } else if (CODING_AGENTS.some(img => img.name === filterArg)) {
+      console.log(`Building 3 images — version ${VERSION}\n`);
+      await buildImage(THEPOPEBOT_BASE);
+      await buildImage(CODING_AGENT_BASE);
+      const agent = CODING_AGENTS.find(img => img.name === filterArg);
+      await buildImage(agent);
     }
-    console.log('\n1/1 images built successfully.');
+    console.log('\ndone.');
     return;
   }
 
-  // Full build: base first, then everything else in parallel
+  // Full build: thepopebot-base → (coding-agent-base + event-handler in parallel) → variants
   const totalCount = ALL_IMAGES.length;
-  console.log(`Building ${totalCount} images (base first, then parallel) — version ${VERSION}\n`);
+  console.log(`Building ${totalCount} images — version ${VERSION}\n`);
 
-  // Step 1: Build base
-  await buildImage(BASE_IMAGE);
+  // Step 1: thepopebot-base
+  await buildImage(THEPOPEBOT_BASE);
 
-  // Step 2: Build all agents + other images in parallel
-  const parallel = [...CODING_AGENTS, ...OTHER_IMAGES];
-  const results = await Promise.allSettled(parallel.map(buildImage));
+  // Step 2: coding-agent-base and event-handler in parallel (both extend thepopebot-base)
+  const tier2 = await Promise.allSettled([CODING_AGENT_BASE, EVENT_HANDLER].map(buildImage));
+  const tier2Failed = tier2.filter(r => r.status === 'rejected');
+  if (tier2Failed.length > 0) {
+    console.error(`Tier 2 failed: ${tier2Failed.map(r => r.reason.message).join(', ')}`);
+    process.exit(1);
+  }
 
-  const failed = results.filter((r) => r.status === 'rejected');
-  const succeeded = results.filter((r) => r.status === 'fulfilled');
+  // Step 3: all coding-agent variants in parallel
+  const tier3 = await Promise.allSettled(CODING_AGENTS.map(buildImage));
+  const tier3Failed = tier3.filter(r => r.status === 'rejected');
+  const tier3Succeeded = tier3.filter(r => r.status === 'fulfilled');
 
-  // +1 for the base image
-  console.log(`\n${succeeded.length + 1}/${totalCount} images built successfully.`);
+  const succeededCount = 1 + 2 + tier3Succeeded.length;
+  console.log(`\n${succeededCount}/${totalCount} images built successfully.`);
 
-  if (failed.length > 0) {
-    console.error(`${failed.length} failed: ${failed.map((r) => r.reason.message).join(', ')}`);
+  if (tier3Failed.length > 0) {
+    console.error(`${tier3Failed.length} failed: ${tier3Failed.map(r => r.reason.message).join(', ')}`);
     process.exit(1);
   }
 }