security: remove all hardcoded paths, usernames, IPs, and chat IDs from tracked files

- start.sh: use dirname instead of hardcoded path
- src/zcode.js: remove hardcoded chat_id fallback
- src/utils/rtk.js: use 'rtk' from PATH instead of hardcoded binary path
- src/telegram-bot.ts: use process.cwd() instead of hardcoded path
- TELEGRAM_SETUP.md: replace token/chat_id with placeholders
- QUICKSTART.md: sanitize all references
- SERVICE_MAP.md: use relative paths instead of absolute

QUICKSTART.md

@@ -3,7 +3,7 @@
 ## ⚡ 30-Second Setup
 
 ```bash
-cd /home/uroma2/zcode-cli-x
+cd zcode-cli-x
 npm install
 node bin/zcode.js --bot
 ```
@@ -23,11 +23,11 @@ node bin/zcode.js --bot
 
 ## ⚙️ Configure .env
 
-Edit `/home/uroma2/zcode-cli-x/.env`:
+Edit `.env` in the project root:
 
 ```env
-ZAI_API_KEY=your_zai_api_key
-TELEGRAM_BOT_TOKEN=your_bot_token
+ZAI_API_KEY=***
+TELEGRAM_BOT_TOKEN=***
 TELEGRAM_ALLOWED_USERS=your_user_id
 ```
 
@@ -89,7 +89,7 @@ Bot: 🔧 Bug fixed in app.js...
 ## 🐛 Troubleshooting
 
 ### Bot not responding
-- Check logs: `tail -f /home/uroma2/zcode-cli-x/logs/zcode.log`
+- Check logs: `tail -f logs/zcode.log`
 - Verify Telegram token in .env
 - Check bot is enabled: `grep TELEGRAM_BOT_TOKEN .env`
 

SERVICE_MAP.md

@@ -35,7 +35,7 @@ zcode(options)
 ### 1.1 `src/zcode.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/zcode.js` |
+| **Path** | `src/zcode.js` |
 | **Exported API** | `async function zcode(options)` |
 | **Init** | Called from `bin/zcode.js` via `import { zcode } from '../src/zcode.js'` |
 | **Options** | `{ bot: boolean, cli: boolean }` |
@@ -44,7 +44,7 @@ zcode(options)
 ### 1.2 `src/utils/env.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/env.js` |
+| **Path** | `src/utils/env.js` |
 | **Exported API** | `function checkEnv()` |
 | **Returns** | `{ valid, missing, ZAI_API_KEY, GLM_BASE_URL, TELEGRAM_BOT_TOKEN, TELEGRAM_ALLOWED_USERS }` |
 | **Init** | `checkEnv()` — no constructor, stateless |
@@ -53,7 +53,7 @@ zcode(options)
 ### 1.3 `src/config/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/config/index.js` |
+| **Path** | `src/config/index.js` |
 | **Exported API** | `async function initConfig()` |
 | **Returns** | Config object: `{ api, telegram, tools, skills, agents, logging }` |
 | **Init** | `const config = await initConfig()` |
@@ -62,7 +62,7 @@ zcode(options)
 ### 1.4 `src/api/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/api/index.js` |
+| **Path** | `src/api/index.js` |
 | **Exported API** | `async function initAPI()` — returns `{ config, client }` |
 |  | `class ZAIProvider` — `constructor(api)`, `chat(messages, opts)`, `complete(prompt, opts)` |
 |  | `function createZAIProvider(api)` — factory |
@@ -73,7 +73,7 @@ zcode(options)
 ### 1.5 `src/tools/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/tools/index.js` |
+| **Path** | `src/tools/index.js` |
 | **Exported API** | `async function initTools()` — returns `tools[]` |
 |  | `class BashTool` — `.execute(command, options)` |
 |  | `class FileEditTool` — `.read(path)`, `.write(path, content)`, `.append(path, content)`, `.edit(path, oldText, newText)` |
@@ -85,7 +85,7 @@ zcode(options)
 ### 1.6 `src/skills/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/skills/index.js` |
+| **Path** | `src/skills/index.js` |
 | **Exported API** | `async function initSkills()` — returns `skills[]` of `{ name, description, version, category }` |
 | **Init** | `const skills = await initSkills()` |
 | **Sources** | (1) `.json`/`.js` files in `skills/` dir in CWD, (2) 5 built-in skills hardcoded |
@@ -94,7 +94,7 @@ zcode(options)
 ### 1.7 `src/agents/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/agents/index.js` |
+| **Path** | `src/agents/index.js` |
 | **Exported API** | `async function initAgents()` — returns `agents[]` of `{ id, name, description, capabilities, enabled }` |
 |  | `class AgentOrchestrator` — `constructor(agents)`, `execute(agentId, task, context)`, `getAgent(id)`, `listAgents()` |
 | **Init** | `const agents = await initAgents()` |
@@ -103,7 +103,7 @@ zcode(options)
 ### 1.8 `src/bot/index.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/bot/index.js` |
+| **Path** | `src/bot/index.js` |
 | **Exported API** | `async function initBot(config, api, tools, skills)` — returns `{ send, ws, waitForMessages, getConnections }` |
 | **Init** | `const bot = await import('./bot/index.js').then(m => m.initBot(config, api, tools, skills))` |
 | **Current state** | THIN: creates Express+WebSocket server, handles webhook POSTs, routes messages through ZAIProvider directly. Does NOT use tools/skills/agents params. |
@@ -112,7 +112,7 @@ zcode(options)
 ### 1.9 `src/utils/logger.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/logger.js` |
+| **Path** | `src/utils/logger.js` |
 | **Exported API** | `export const logger` — winston logger instance |
 | **Init** | Import and use directly: `import { logger } from '../utils/logger.js'` |
 | **Features** | Console transport (colorized), optional file transport via `LOG_FILE` env var |
@@ -120,7 +120,7 @@ zcode(options)
 ### 1.10 `src/utils/rtk.js`
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/rtk.js` |
+| **Path** | `src/utils/rtk.js` |
 | **Exported API** | `class RTKIntegration` — `init()`, `isCommandSupported(cmd)`, `optimizeCommand(command, args)`, `getTrackingStats()`, `listSupportedCommands()` |
 |  | `function getRTK()` — singleton factory |
 | **Init** | `const rtk = getRTK(); await rtk.init()` |
@@ -135,7 +135,7 @@ These services exist in the Claude Code fork but are **not imported or used by t
 ### 2.1 Voice Service
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/services/voice.ts` |
+| **Path** | `src/services/voice.ts` |
 | **Exported API** | `startRecording(fallbackToSoX?)`, `stopRecording()`, `checkRecordingAvailability()` (need full export list) |
 | **Init** | `import { startRecording, stopRecording } from '../services/voice.ts'` — no init, module-level state |
 | **Dependencies** | `audio-capture-napi` (native), falls back to SoX/arecord on Linux |
@@ -143,7 +143,7 @@ These services exist in the Claude Code fork but are **not imported or used by t
 ### 2.2 Cron Scheduler
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/cronScheduler.ts` |
+| **Path** | `src/utils/cronScheduler.ts` |
 | **Exported API** | `class CronScheduler` with options `{ onFire, isLoading, assistantMode }`, `start()`, `stop()` |
 |  | `isRecurringTaskAged(t, nowMs, maxAgeMs)` |
 |  | `getSchedulerCheckDelayMs(nextFireAtMs, nowMs, options)` |
@@ -153,7 +153,7 @@ These services exist in the Claude Code fork but are **not imported or used by t
 ### 2.3 MCP Validation
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/mcpValidation.ts` |
+| **Path** | `src/utils/mcpValidation.ts` |
 | **Exported API** | `getMaxMcpOutputTokens()`, `getContentSizeEstimate(content)`, `MCPToolResult` type |
 |  | Internal: `truncateContentBlocks(blocks, maxChars)`, `truncateString(content, maxChars)` |
 | **Init** | Import functions directly |
@@ -162,26 +162,26 @@ These services exist in the Claude Code fork but are **not imported or used by t
 ### 2.4 Memory System
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/utils/memoryFileDetection.ts` |
-|  | `/home/uroma2/zcode-cli-x/src/memdir/memoryTypes.ts` |
-|  | `/home/uroma2/zcode-cli-x/src/memdir/memoryScan.ts` |
-|  | `/home/uroma2/zcode-cli-x/src/memdir/memoryAge.ts` |
+| **Path** | `src/utils/memoryFileDetection.ts` |
+|  | `src/memdir/memoryTypes.ts` |
+|  | `src/memdir/memoryScan.ts` |
+|  | `src/memdir/memoryAge.ts` |
 | **Exported API (memoryTypes.ts)** | `MEMORY_TYPES` (`['user', 'feedback', 'project', 'reference']`), `parseMemoryType(raw)` |
 |  | `TYPES_SECTION_COMBINED` (system prompt text), `TYPES_SECTION_PRIVATE` |
 
 ### 2.5 Context Compression (Compact)
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/services/compact/compact.ts` (1706 lines) |
-|  | `/home/uroma2/zcode-cli-x/src/services/compact/cachedMicrocompact.ts` |
-|  | `/home/uroma2/zcode-cli-x/src/services/compact/apiMicrocompact.ts` |
-|  | `/home/uroma2/zcode-cli-x/src/services/compact/compactWarningState.ts` |
+| **Path** | `src/services/compact/compact.ts` (1706 lines) |
+|  | `src/services/compact/cachedMicrocompact.ts` |
+|  | `src/services/compact/apiMicrocompact.ts` |
+|  | `src/services/compact/compactWarningState.ts` |
 | **Init** | Deeply integrated into the main loop (`main.tsx`/`query.ts`). Not standalone. |
 
 ### 2.6 Tool Orchestration
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/services/tools/toolOrchestration.ts` |
+| **Path** | `src/services/tools/toolOrchestration.ts` |
 | **Exported API** | `runTools(toolUseMessages, assistantMessages, canUseTool, toolUseContext)` — async generator |
 |  | `DEFAULT_MAX_TOOL_USE_CONCURRENCY`, `getMaxToolUseConcurrency()` |
 | **Dependencies** | `toolExecution.ts`, `toolConcurrency.ts`, `StreamingToolExecutor.ts`, `toolHooks.ts` |
@@ -189,7 +189,7 @@ These services exist in the Claude Code fork but are **not imported or used by t
 ### 2.7 Team Memory Sync
 | Field | Value |
 |-------|-------|
-| **Path** | `/home/uroma2/zcode-cli-x/src/services/teamMemorySync/index.ts` |
+| **Path** | `src/services/teamMemorySync/index.ts` |
 | **Exported API** | Sync service for team memory files between local FS and server API |
 | **Dependencies** | Axios, OAuth, git remote, secret scanner |
 

TELEGRAM_SETUP.md

@@ -6,10 +6,10 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**!
 
 ## 📊 Current Configuration
 
-- **Bot Token**: `8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ`
-- **Allowed Users**: `6352861167`
-- **API**: Z.AI GLM-5.1 (7 models available)
-- **Port**: 3001
+- **Bot Token**: Configured via `.env` (`TELEGRAM_BOT_TOKEN`)
+- **Allowed Users**: Configured via `.env` (`TELEGRAM_ALLOWED_USERS`)
+- **API**: Z.AI GLM-5.1 (Coding Plan)
+- **Port**: Configured via `ZCODE_PORT` (default: 3001)
 - **Service**: systemd (auto-start on boot)
 
 ## 🚀 How to Use
@@ -17,7 +17,7 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**!
 ### Via Telegram
 
 1. Open Telegram
-2. Search for your bot (name not set yet)
+2. Search for your bot
 3. Send `/start` to initialize
 4. Start chatting!
 
@@ -28,7 +28,7 @@ Your zCode CLI X Telegram bot is now **live and running 24/7**!
 sudo systemctl status zcode
 
 # View logs
-tail -f /home/uroma2/zcode-cli-x/logs/zcode.log
+tail -f logs/zcode.log
 
 # Restart service
 sudo systemctl restart zcode
@@ -49,12 +49,12 @@ Webhook is **configured and active**. To receive real messages:
 2. Set the webhook URL:
    ```bash
    curl -F "url=https://your-domain.com/telegram/webhook" \
-     "https://api.telegram.org/bot8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ/setWebhook"
+     "https://api.telegram.org/bot<YOUR_TOKEN>/setWebhook"
    ```
 
 3. Verify webhook:
    ```bash
-   curl "https://api.telegram.org/bot8745650761:AAFX1almFpesJYOCWkqsJL7UWfiVab_eYwQ/getWebhookInfo"
+   curl "https://api.telegram.org/bot<YOUR_TOKEN>/getWebhookInfo"
    ```
 
 ## 🛠️ Available Commands

src/telegram-bot.ts

@@ -136,7 +136,7 @@ class TelegramBot {
       const { spawn } = await import('child_process');
 
       const childProcess = spawn('node', ['dist/cli.mjs', '--print', text], {
-        cwd: '/home/uroma2/zcode-cli-x',
+        cwd: process.cwd(),
         env: {
           ...process.env,
           TELEGRAM_USER_ID: String(userId),

src/utils/rtk.js

@@ -6,7 +6,7 @@ import { logger } from './logger.js';
  */
 export class RTKIntegration {
   constructor() {
-    this.rtkPath = process.env.RTK_PATH || '/home/uroma2/.local/bin/rtk';
+    this.rtkPath = process.env.RTK_PATH || 'rtk';
     this.enabled = false;
     this.version = null;
   }

src/zcode.js

@@ -42,7 +42,8 @@ export async function zcode(options) {
     bot = await botModule.initBot(config, api, tools, skills, agents);
     if (bot) {
       deliveryTargets.set('telegram', bot.send);
-      registerChannel('telegram', (msg) => bot.send(env.TELEGRAM_ALLOWED_USERS?.split(',')[0] || '6352861167', msg));
+      const defaultChat = env.TELEGRAM_ALLOWED_USERS?.split(',')[0];
+      if (defaultChat) registerChannel('telegram', (msg) => bot.send(defaultChat, msg));
       logger.info('✓ Telegram bot initialized');
     }
   }

start.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # Startup script for zCode CLI X
 
-cd /home/uroma2/zcode-cli-x
+cd "$(dirname "$0")"
 
 # Check if .env exists
 if [ ! -f ".env" ]; then