From d7107e162f8b4995a01bbeea166523ed1715d994 Mon Sep 17 00:00:00 2001 From: admin Date: Tue, 5 May 2026 14:30:57 +0000 Subject: [PATCH] security: remove all hardcoded paths, usernames, IPs, and chat IDs from tracked files - start.sh: use dirname instead of hardcoded path - src/zcode.js: remove hardcoded chat_id fallback - src/utils/rtk.js: use 'rtk' from PATH instead of hardcoded binary path - src/telegram-bot.ts: use process.cwd() instead of hardcoded path - TELEGRAM_SETUP.md: replace token/chat_id with placeholders - QUICKSTART.md: sanitize all references - SERVICE_MAP.md: use relative paths instead of absolute --- QUICKSTART.md | 10 +++++----- SERVICE_MAP.md | 46 ++++++++++++++++++++++----------------------- TELEGRAM_SETUP.md | 16 ++++++++-------- src/telegram-bot.ts | 2 +- src/utils/rtk.js | 2 +- src/zcode.js | 3 ++- start.sh | 2 +- 7 files changed, 41 insertions(+), 40 deletions(-) diff --git a/QUICKSTART.md b/QUICKSTART.md index 82ea77ed..4e223983 100644 --- a/QUICKSTART.md +++ b/QUICKSTART.md @@ -3,7 +3,7 @@ ## ⚡ 30-Second Setup ```bash -cd /home/uroma2/zcode-cli-x +cd zcode-cli-x npm install node bin/zcode.js --bot ``` @@ -23,11 +23,11 @@ node bin/zcode.js --bot ## ⚙️ Configure .env -Edit `/home/uroma2/zcode-cli-x/.env`: +Edit `.env` in the project root: ```env -ZAI_API_KEY=your_zai_api_key -TELEGRAM_BOT_TOKEN=your_bot_token +ZAI_API_KEY=*** +TELEGRAM_BOT_TOKEN=*** TELEGRAM_ALLOWED_USERS=your_user_id ``` @@ -89,7 +89,7 @@ Bot: 🔧 Bug fixed in app.js... ## 🐛 Troubleshooting ### Bot not responding -- Check logs: `tail -f /home/uroma2/zcode-cli-x/logs/zcode.log` +- Check logs: `tail -f logs/zcode.log` - Verify Telegram token in .env - Check bot is enabled: `grep TELEGRAM_BOT_TOKEN .env` diff --git a/SERVICE_MAP.md b/SERVICE_MAP.md index 9f8b8f24..95f1e76b 100644 --- a/SERVICE_MAP.md +++ b/SERVICE_MAP.md 
@@ -35,7 +35,7 @@ zcode(options) ### 1.1 `src/zcode.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/zcode.js` | +| **Path** | `src/zcode.js` | | **Exported API** | `async function zcode(options)` | | **Init** | Called from `bin/zcode.js` via `import { zcode } from '../src/zcode.js'` | | **Options** | `{ bot: boolean, cli: boolean }` | @@ -44,7 +44,7 @@ zcode(options) ### 1.2 `src/utils/env.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/env.js` | +| **Path** | `src/utils/env.js` | | **Exported API** | `function checkEnv()` | | **Returns** | `{ valid, missing, ZAI_API_KEY, GLM_BASE_URL, TELEGRAM_BOT_TOKEN, TELEGRAM_ALLOWED_USERS }` | | **Init** | `checkEnv()` — no constructor, stateless | @@ -53,7 +53,7 @@ zcode(options) ### 1.3 `src/config/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/config/index.js` | +| **Path** | `src/config/index.js` | | **Exported API** | `async function initConfig()` | | **Returns** | Config object: `{ api, telegram, tools, skills, agents, logging }` | | **Init** | `const config = await initConfig()` | @@ -62,7 +62,7 @@ zcode(options) ### 1.4 `src/api/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/api/index.js` | +| **Path** | `src/api/index.js` | | **Exported API** | `async function initAPI()` — returns `{ config, client }` | | | `class ZAIProvider` — `constructor(api)`, `chat(messages, opts)`, `complete(prompt, opts)` | | | `function createZAIProvider(api)` — factory | 
@@ -73,7 +73,7 @@ zcode(options) ### 1.5 `src/tools/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/tools/index.js` | +| **Path** | `src/tools/index.js` | | **Exported API** | `async function initTools()` — returns `tools[]` | | | `class BashTool` — `.execute(command, options)` | | | `class FileEditTool` — `.read(path)`, `.write(path, content)`, `.append(path, content)`, `.edit(path, oldText, newText)` | @@ -85,7 +85,7 @@ zcode(options) ### 1.6 `src/skills/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/skills/index.js` | +| **Path** | `src/skills/index.js` | | **Exported API** | `async function initSkills()` — returns `skills[]` of `{ name, description, version, category }` | | **Init** | `const skills = await initSkills()` | | **Sources** | (1) `.json`/`.js` files in `skills/` dir in CWD, (2) 5 built-in skills hardcoded | @@ -94,7 +94,7 @@ zcode(options) ### 1.7 `src/agents/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/agents/index.js` | +| **Path** | `src/agents/index.js` | | **Exported API** | `async function initAgents()` — returns `agents[]` of `{ id, name, description, capabilities, enabled }` | | | `class AgentOrchestrator` — `constructor(agents)`, `execute(agentId, task, context)`, `getAgent(id)`, `listAgents()` | | **Init** | `const agents = await initAgents()` | 
@@ -103,7 +103,7 @@ zcode(options) ### 1.8 `src/bot/index.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/bot/index.js` | +| **Path** | `src/bot/index.js` | | **Exported API** | `async function initBot(config, api, tools, skills)` — returns `{ send, ws, waitForMessages, getConnections }` | | **Init** | `const bot = await import('./bot/index.js').then(m => m.initBot(config, api, tools, skills))` | | **Current state** | THIN: creates Express+WebSocket server, handles webhook POSTs, routes messages through ZAIProvider directly. Does NOT use tools/skills/agents params. | @@ -112,7 +112,7 @@ zcode(options) ### 1.9 `src/utils/logger.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/logger.js` | +| **Path** | `src/utils/logger.js` | | **Exported API** | `export const logger` — winston logger instance | | **Init** | Import and use directly: `import { logger } from '../utils/logger.js'` | | **Features** | Console transport (colorized), optional file transport via `LOG_FILE` env var | @@ -120,7 +120,7 @@ zcode(options) ### 1.10 `src/utils/rtk.js` | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/rtk.js` | +| **Path** | `src/utils/rtk.js` | | **Exported API** | `class RTKIntegration` — `init()`, `isCommandSupported(cmd)`, `optimizeCommand(command, args)`, `getTrackingStats()`, `listSupportedCommands()` | | | `function getRTK()` — singleton factory | | **Init** | `const rtk = getRTK(); await rtk.init()` | 
@@ -135,7 +135,7 @@ These services exist in the Claude Code fork but are **not imported or used by t ### 2.1 Voice Service | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/services/voice.ts` | +| **Path** | `src/services/voice.ts` | | **Exported API** | `startRecording(fallbackToSoX?)`, `stopRecording()`, `checkRecordingAvailability()` (need full export list) | | **Init** | `import { startRecording, stopRecording } from '../services/voice.ts'` — no init, module-level state | | **Dependencies** | `audio-capture-napi` (native), falls back to SoX/arecord on Linux | @@ -143,7 +143,7 @@ These services exist in the Claude Code fork but are **not imported or used by t ### 2.2 Cron Scheduler | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/cronScheduler.ts` | +| **Path** | `src/utils/cronScheduler.ts` | | **Exported API** | `class CronScheduler` with options `{ onFire, isLoading, assistantMode }`, `start()`, `stop()` | | | `isRecurringTaskAged(t, nowMs, maxAgeMs)` | | | `getSchedulerCheckDelayMs(nextFireAtMs, nowMs, options)` | @@ -153,7 +153,7 @@ These services exist in the Claude Code fork but are **not imported or used by t ### 2.3 MCP Validation | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/mcpValidation.ts` | +| **Path** | `src/utils/mcpValidation.ts` | | **Exported API** | `getMaxMcpOutputTokens()`, `getContentSizeEstimate(content)`, `MCPToolResult` type | | | Internal: `truncateContentBlocks(blocks, maxChars)`, `truncateString(content, maxChars)` | | **Init** | Import functions directly | 
@@ -162,26 +162,26 @@ These services exist in the Claude Code fork but are **not imported or used by t ### 2.4 Memory System | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/utils/memoryFileDetection.ts` | -| | `/home/uroma2/zcode-cli-x/src/memdir/memoryTypes.ts` | -| | `/home/uroma2/zcode-cli-x/src/memdir/memoryScan.ts` | -| | `/home/uroma2/zcode-cli-x/src/memdir/memoryAge.ts` | +| **Path** | `src/utils/memoryFileDetection.ts` | +| | `src/memdir/memoryTypes.ts` | +| | `src/memdir/memoryScan.ts` | +| | `src/memdir/memoryAge.ts` | | **Exported API (memoryTypes.ts)** | `MEMORY_TYPES` (`['user', 'feedback', 'project', 'reference']`), `parseMemoryType(raw)` | | | `TYPES_SECTION_COMBINED` (system prompt text), `TYPES_SECTION_PRIVATE` | ### 2.5 Context Compression (Compact) | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/services/compact/compact.ts` (1706 lines) | -| | `/home/uroma2/zcode-cli-x/src/services/compact/cachedMicrocompact.ts` | -| | `/home/uroma2/zcode-cli-x/src/services/compact/apiMicrocompact.ts` | -| | `/home/uroma2/zcode-cli-x/src/services/compact/compactWarningState.ts` | +| **Path** | `src/services/compact/compact.ts` (1706 lines) | +| | `src/services/compact/cachedMicrocompact.ts` | +| | `src/services/compact/apiMicrocompact.ts` | +| | `src/services/compact/compactWarningState.ts` | | **Init** | Deeply integrated into the main loop (`main.tsx`/`query.ts`). Not standalone. | ### 2.6 Tool Orchestration | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/services/tools/toolOrchestration.ts` | +| **Path** | `src/services/tools/toolOrchestration.ts` | | **Exported API** | `runTools(toolUseMessages, assistantMessages, canUseTool, toolUseContext)` — async generator | | | `DEFAULT_MAX_TOOL_USE_CONCURRENCY`, `getMaxToolUseConcurrency()` | | **Dependencies** | `toolExecution.ts`, `toolConcurrency.ts`, `StreamingToolExecutor.ts`, `toolHooks.ts` | 
@@ -189,7 +189,7 @@ These services exist in the Claude Code fork but are **not imported or used by t ### 2.7 Team Memory Sync | Field | Value | |-------|-------| -| **Path** | `/home/uroma2/zcode-cli-x/src/services/teamMemorySync/index.ts` | +| **Path** | `src/services/teamMemorySync/index.ts` | | **Exported API** | Sync service for team memory files between local FS and server API | | **Dependencies** | Axios, OAuth, git remote, secret scanner | diff --git a/TELEGRAM_SETUP.md b/TELEGRAM_SETUP.md index 77111748..7385eb96 100644 --- a/TELEGRAM_SETUP.md +++ b/TELEGRAM_SETUP.md @@ -6,10 +6,10 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**! ## 📊 Current Configuration -- **Bot Token**: `8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ` -- **Allowed Users**: `6352861167` -- **API**: Z.AI GLM-5.1 (7 models available) -- **Port**: 3001 +- **Bot Token**: Configured via `.env` (`TELEGRAM_BOT_TOKEN`) +- **Allowed Users**: Configured via `.env` (`TELEGRAM_ALLOWED_USERS`) +- **API**: Z.AI GLM-5.1 (Coding Plan) +- **Port**: Configured via `ZCODE_PORT` (default: 3001) - **Service**: systemd (auto-start on boot) ## 🚀 How to Use @@ -17,7 +17,7 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**! ### Via Telegram 1. Open Telegram -2. Search for your bot (name not set yet) +2. Search for your bot 3. Send `/start` to initialize 4. Start chatting! @@ -28,7 +28,7 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**! sudo systemctl status zcode # View logs -tail -f /home/uroma2/zcode-cli-x/logs/zcode.log +tail -f logs/zcode.log # Restart service sudo systemctl restart zcode 
@@ -49,12 +49,12 @@ Webhook is **configured and active**. To receive real messages: 2. Set the webhook URL: ```bash curl -F "url=https://your-domain.com/telegram/webhook" \ - "https://api.telegram.org/bot8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ/setWebhook" + "https://api.telegram.org/bot/setWebhook" ``` 3. Verify webhook: ```bash - curl "https://api.telegram.org/bot8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ/getWebhookInfo" + curl "https://api.telegram.org/bot/getWebhookInfo" ``` ## 🛠️ Available Commands diff --git a/src/telegram-bot.ts b/src/telegram-bot.ts index e135c659..e42750dd 100644 --- a/src/telegram-bot.ts +++ b/src/telegram-bot.ts @@ -136,7 +136,7 @@ class TelegramBot { const { spawn } = await import('child_process'); const childProcess = spawn('node', ['dist/cli.mjs', '--print', text], { - cwd: '/home/uroma2/zcode-cli-x', + cwd: process.cwd(), env: { ...process.env, TELEGRAM_USER_ID: String(userId), diff --git a/src/utils/rtk.js b/src/utils/rtk.js index 4ea8c7e7..7049ea61 100644 --- a/src/utils/rtk.js +++ b/src/utils/rtk.js @@ -6,7 +6,7 @@ import { logger } from './logger.js'; */ export class RTKIntegration { constructor() { - this.rtkPath = process.env.RTK_PATH || '/home/uroma2/.local/bin/rtk'; + this.rtkPath = process.env.RTK_PATH || 'rtk'; this.enabled = false; this.version = null; } diff --git a/src/zcode.js b/src/zcode.js index a3421e4f..0a54ab95 100644 --- a/src/zcode.js +++ b/src/zcode.js @@ -42,7 +42,8 @@ export async function zcode(options) { bot = await botModule.initBot(config, api, tools, skills, agents); if (bot) { deliveryTargets.set('telegram', bot.send); - registerChannel('telegram', (msg) => bot.send(env.TELEGRAM_ALLOWED_USERS?.split(',')[0] || '6352861167', msg)); + const defaultChat = env.TELEGRAM_ALLOWED_USERS?.split(',')[0]; + if (defaultChat) registerChannel('telegram', (msg) => bot.send(defaultChat, msg)); logger.info('✓ Telegram bot initialized'); } } diff --git a/start.sh b/start.sh index a7f99513..67ea43d1 100755 
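Review bot: The bot token deleted from this file (in the two curl examples here and in the "Current Configuration" hunk above) is still readable in every earlier revision, so removing it from the working tree does not make it secret again. It should be revoked and reissued through BotFather, with the new value kept only in `.env`. The replacement URLs as shown, `https://api.telegram.org/bot/setWebhook` and `https://api.telegram.org/bot/getWebhookInfo`, have nothing where the token belongs, so the commands fail if copied as written. Unless a placeholder was simply lost when this page was rendered, something like `"https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/setWebhook"` would keep the example usable without putting a literal value back in the docs.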
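Review bot: `cwd: process.cwd()` makes the relative `dist/cli.mjs` argument resolve against whatever directory the bot was launched from, and it is also the default `spawn` already uses, so the option no longer pins anything. Under systemd or any launcher that does not set the working directory, the child would either fail to start or run a different `dist/cli.mjs` than the one shipped with this checkout. Deriving the root from the module location keeps the hardcoded path out and the target fixed, e.g. `const projectRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');` with `cwd: projectRoot`. This assumes the file is built as an ES module and needs `path` and `fileURLToPath` imports that are not visible here, and the relative hop has to match the build layout. The enclosing method starts and ends outside the hunk.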
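Review bot: The new fallback `'rtk'` is resolved through `PATH` when the command is run, so which binary executes now depends on the environment of the process rather than on a fixed location. For a long-running service that is a trust decision worth making explicit: a writable directory early in `PATH` would be picked up silently, and a service manager's default `PATH` often omits `~/.local/bin`, so the integration may also just stop being found. Consider resolving the command to an absolute path once in `init()` and logging it, and add a comment such as `// Falls back to a PATH lookup; set RTK_PATH to an absolute path in service deployments.` Only the constructor is visible in this hunk, so how `rtkPath` is later executed is assumed.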
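Review bot: `defaultChat` is taken from the first comma-separated entry without trimming, and when the variable is unset or starts with a comma the `telegram` channel is now skipped with no log line, so later deliveries to that channel would fail without an obvious cause. `const defaultChat = env.TELEGRAM_ALLOWED_USERS?.split(',')[0]?.trim();` followed by `else logger.warn('TELEGRAM_ALLOWED_USERS is empty; telegram channel not registered');` would cover both cases. It is also worth a comment that the first allow-listed user doubles as the default delivery target. An access-control list and a notification recipient are different settings, and reordering the list changes who receives messages. The enclosing `zcode` function continues outside the hunk.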
--- a/start.sh
+++ b/start.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# Startup script for zCode CLI X
-cd /home/uroma2/zcode-cli-x
+cd "$(dirname "$0")"
# Check if .env exists
if [ ! -f ".env" ]; then
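Review bot: The new `cd "$(dirname "$0")"` is not checked, so if the directory change fails the script carries on in the caller's directory and the `.env` test below runs against the wrong location. `cd -- "$(dirname -- "$0")" || exit 1` stops there instead and also tolerates a path that begins with a dash. If the script is ever invoked through a symlink, `$0` points at the link's directory rather than the checkout, so that case would need the path resolved first. The `if` block that follows continues outside the hunk.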