feat: integrate push notifications and Firebase support

- Added Firebase Cloud Messaging (FCM) integration for push notifications.
- Updated .gitignore to exclude Firebase service account keys.
- Enhanced iOS and Android configurations to support push notifications.
- Implemented push notification handling in the service worker for web.
- Added API routes for managing push notification tokens.
- Updated environment variables for Firebase messaging configuration.
- Improved app initialization to register for remote notifications and handle foreground/background states.

Author: Daniel-Robbins

.githooks/pre-commit

@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# Pre-commit hook: scan staged changes for secrets using Gitleaks.
+# Setup: git config core.hooksPath .githooks
+#
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "⚠️  gitleaks not found — skipping secret scan"
+  echo "   Install: brew install gitleaks"
+  echo "   https://github.com/gitleaks/gitleaks#installing"
+  exit 0
+fi
+
+gitleaks git --pre-commit --staged --redact --verbose

.github/workflows/secret-scan.yml

@@ -0,0 +1,19 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -47,3 +47,6 @@ ios/DerivedData/
 
 # Apple Sign in with Apple private keys
 *.p8
+
+# Firebase service account keys
+*-firebase-adminsdk-*.json

.gitleaks.toml

@@ -0,0 +1,28 @@
+# Gitleaks configuration for BotsChat
+# https://github.com/gitleaks/gitleaks
+
+title = "BotsChat Secret Scanning"
+
+[allowlist]
+description = "Known public client-side keys and build artifacts"
+paths = [
+  '''package-lock\.json''',
+  '''node_modules/''',
+  '''\.wrangler/''',
+  # Build output contains inlined client-side config — not secrets
+  '''dist/''',
+]
+regexTarget = "line"
+regexes = [
+  # Firebase client-side config (public by design — restricted by Firebase Security Rules and domain allowlists)
+  '''VITE_FIREBASE_API_KEY''',
+  '''VITE_FIREBASE_AUTH_DOMAIN''',
+  '''VITE_FIREBASE_PROJECT_ID''',
+  '''VITE_FIREBASE_MESSAGING_SENDER_ID''',
+  '''VITE_FIREBASE_APP_ID''',
+  '''VITE_FIREBASE_VAPID_KEY''',
+  # Google OAuth client IDs (public — not secrets)
+  '''VITE_GOOGLE_.*_CLIENT_ID''',
+  # Google Analytics measurement ID (public)
+  '''VITE_GA_MEASUREMENT_ID''',
+]

CLAUDE.md

@@ -0,0 +1,192 @@
+# BotsChat
+
+A full-stack messaging application built on Cloudflare Workers. Connects to self-hosted OpenClaw AI assistant instances via WebSocket, providing end-to-end encrypted AI chat and scheduled task management.
+
+- Production: https://console.botschat.app
+- GitHub: https://github.com/botschat-app/botsChat
+
+## Project Structure
+
+```
+botsChat/
+├── packages/
+│   ├── api/           # Cloudflare Worker API (Hono + D1 + R2 + DO)
+│   ├── web/           # React SPA frontend (Vite)
+│   ├── plugin/        # OpenClaw plugin (WebSocket client)
+│   └── e2e-crypto/    # E2E encryption library (PBKDF2 + AES-GCM)
+├── migrations/        # D1 database migration files
+├── scripts/           # Dev scripts (dev.sh, mock-openclaw.mjs)
+├── tests/             # Test scripts
+├── ios/               # Capacitor iOS shell
+├── android/           # Capacitor Android shell
+└── wrangler.toml      # Cloudflare Workers configuration
+```
+
+## Cloudflare Resources
+
+| Resource | Binding |
+|----------|---------|
+| D1 Database | `DB` → `botschat-db` |
+| R2 Bucket | `MEDIA` → `botschat-media` |
+| Durable Object | `CONNECTION_DO` → `ConnectionDO` |
+
+## Architecture Principles
+
+### Data Ownership
+
+| Owner | Storage | Examples |
+|-------|---------|----------|
+| **BotsChat** | D1 | Task names, channel IDs, user info, message records |
+| **OpenClaw** | OpenClaw CronService | Schedule, instructions, model, job run status |
+
+Key rules:
+- OpenClaw-owned data must be fetched in real time; never cache copies in D1 or DO Storage
+- D1 only stores BotsChat's own metadata (task↔channel associations, user info)
+- When OpenClaw data is needed, request it via DO → plugin WebSocket (`task.scan.request` → `task.scan.result`)
+
+### Interacting with OpenClaw
+
+All CronService mutations must go through the OpenClaw CLI (`openclaw cron add/edit/rm`). Never directly read/write `~/.openclaw/cron/jobs.json`.
+
+Notes:
+- `openclaw cron edit` for isolated sessions requires the `--message` flag
+- `openclaw cron add` requires the `--name` flag
+- On macOS, all CLI commands need `/opt/homebrew/bin` in `env.PATH`
+
+### ID Generation
+
+- BotsChat entity IDs: prefixed (`tsk_xxx`, `ch_xxx`, `u_xxx`), generated by BotsChat
+- OpenClaw cron job IDs: UUID format, generated by OpenClaw, returned via `task.schedule.ack`
+
+### ConnectionDO
+
+`ConnectionDO` is the WebSocket relay hub (one instance per user):
+- Holds the OpenClaw plugin WebSocket (tag: `"openclaw"`)
+- Holds browser session WebSocket(s) (tag: `"browser:<sessionId>"`)
+- Relays messages bidirectionally (OpenClaw ↔ browser)
+- Persists messages to D1
+- Uses the Hibernation API for zero-cost idle connections
+
+## Local Development
+
+### Quick Start
+
+```bash
+./scripts/dev.sh          # Full dev env: build + migrate + server + mock AI + open browser
+./scripts/dev.sh reset    # Wipe local DB → re-migrate → start full dev env
+./scripts/dev.sh server   # Server only (no mock, no browser)
+./scripts/dev.sh mock     # Start Mock OpenClaw standalone (foreground)
+./scripts/dev.sh migrate  # Only run D1 migrations
+./scripts/dev.sh build    # Only build web frontend
+```
+
+No env vars needed — `dev.sh` auto-generates `DEV_AUTH_SECRET`, starts mock AI in background, and opens browser with auto-login + E2E.
+
+### Manual Start
+
+```bash
+npm run build -w packages/web
+npx wrangler dev --config wrangler.toml --ip 0.0.0.0 \
+  --var ENVIRONMENT:development \
+  --var DEV_AUTH_SECRET:any-secret-string
+```
+
+### D1 Migrations
+
+```bash
+npx wrangler d1 migrations apply botschat-db --local        # Apply migrations
+rm -rf .wrangler/state && npx wrangler d1 migrations apply botschat-db --local  # Full reset
+```
+
+### Authentication
+
+- **Production**: Google / GitHub OAuth only
+- **Local dev**: `ENVIRONMENT=development` enables email registration; `DEV_AUTH_SECRET` enables the `/api/dev-auth/login` endpoint
+
+### Browser Auto-Login (Local Dev)
+
+```
+http://localhost:8787/?dev_token=<DEV_AUTH_SECRET>&dev_user=<userId>&dev_e2e=<e2e_password>
+```
+
+Parameters: `dev_token` (required), `dev_user` (optional, defaults to `dev-test-user`), `dev_e2e` (optional, auto-sets E2E password).
+
+## Mock OpenClaw (Local Testing)
+
+`scripts/mock-openclaw.mjs` is a zero-dependency Node.js WebSocket client that simulates the OpenClaw plugin protocol, enabling full BotsChat testing without deploying a real OpenClaw instance.
+
+### Quick Start
+
+```bash
+# Terminal 1: start the server
+./scripts/dev.sh
+
+# Terminal 2: start mock (auto-creates a pairing token)
+./scripts/dev.sh mock
+```
+
+### Manual Start
+
+```bash
+node scripts/mock-openclaw.mjs --token <your_pairing_token>
+```
+
+### Options
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--token <pat>` | (required) | Pairing token |
+| `--url <url>` | `http://localhost:8787` | Server URL |
+| `--agents <list>` | `main` | Comma-separated agent IDs |
+| `--delay <ms>` | `300` | Reply delay (simulates thinking) |
+| `--stream` | `false` | Enable streaming replies (chunk by chunk) |
+| `--model <name>` | `mock/echo-1.0` | Default model name |
+
+### Mock Behavior
+
+| Incoming Message | Response |
+|-----------------|----------|
+| `user.message` | Echoes back as `agent.text`: "Mock reply: {text}" |
+| `user.media` | Acknowledges media receipt |
+| `user.command` | Acknowledges command |
+| `user.action` | Acknowledges A2UI interaction |
+| `task.scan.request` | Returns empty task list |
+| `models.request` | Returns 4 mock models |
+| `task.schedule` | `task.schedule.ack` confirmation |
+| `task.run` | Simulates 2-second execution + `job.update` |
+| `settings.defaultModel` | `defaultModel.updated` confirmation |
+| `ping` | `pong` |
+
+## Testing
+
+```bash
+./tests/media-api-test.sh              # 17 API tests
+node tests/media-ws-test.mjs           # 9 WebSocket tests
+node tests/media-browser-test.mjs      # Browser test data prep
+npm test -w packages/e2e-crypto        # E2E crypto unit tests
+```
+
+## Deployment
+
+```bash
+npm run build -w packages/web
+npx wrangler deploy --config wrangler.toml
+npx wrangler d1 migrations apply botschat-db --remote
+```
+
+Production uses `ENVIRONMENT=production` (OAuth only). Secrets are set via `wrangler secret put`.
+
+## Debugging Tips
+
+- **Port conflict**: `lsof -ti:8787 | xargs kill -9`
+- **D1 schema error**: `rm -rf .wrangler/state` → re-migrate
+- **Plugin WS URL**: `cloudUrl` must be `http://...`; the plugin auto-converts to `ws://`
+- **Blank screen after login**: Hard refresh (`Cmd+Shift+R`) or clear localStorage
+
+## UI Design
+
+See `.cursor/rules/design-guideline.md` for the full specification. Key principles:
+- Three-column layout (Icon Rail + Sidebar + Main Content + optional Detail Panel)
+- Dark/light dual themes via CSS variables
+- Flat message rows (not bubbles) for information density
+- Sidebar always uses dark/brand background; only Main Content follows theme