@agent-vm/openclaw-gateway 0.0.30 → 0.0.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.d.ts +40 -16
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +38 -9
  4. package/dist/index.js.map +1 -1
  5. package/package.json +3 -3
package/dist/index.d.ts CHANGED
@@ -5,6 +5,15 @@ type GatewayType = (typeof gatewayTypeValues)[number];
5
5
  //#endregion
6
6
  //#region ../gondolin-adapter/dist/index.d.ts
7
7
 
8
+ //#endregion
9
+ //#region src/pinned-realfs.d.ts
10
+ interface PinnedRealFsRoot {
11
+ readonly hostPath: string;
12
+ readonly realPath: string;
13
+ readonly fd: number;
14
+ readonly device: number;
15
+ readonly inode: number;
16
+ }
8
17
  //#endregion
9
18
  //#region src/types.d.ts
10
19
  interface SecretSpec {
@@ -28,6 +37,7 @@ interface SecretResolver {
28
37
  interface VfsMountSpec {
29
38
  readonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';
30
39
  readonly hostPath?: string;
40
+ readonly pinnedHostRoot?: PinnedRealFsRoot;
31
41
  readonly shadowConfig?: {
32
42
  readonly deny: readonly string[];
33
43
  readonly tmpfs: readonly string[];
@@ -90,28 +100,41 @@ interface GatewayAuthConfig {
90
100
  readonly setDefault?: boolean;
91
101
  }) => string;
92
102
  }
103
+ interface GatewayAuthProfilesRef {
104
+ readonly source: '1password' | 'environment';
105
+ }
106
+ interface OnePasswordGatewayAuthProfilesRef extends GatewayAuthProfilesRef {
107
+ readonly source: '1password';
108
+ readonly ref: string;
109
+ }
110
+ interface EnvironmentGatewayAuthProfilesRef extends GatewayAuthProfilesRef {
111
+ readonly source: 'environment';
112
+ readonly envVar: string;
113
+ }
114
+ interface GatewayZoneBaseGatewayConfig {
115
+ readonly type: GatewayType;
116
+ readonly memory: string;
117
+ readonly cpus: number;
118
+ readonly port: number;
119
+ readonly config: string;
120
+ readonly stateDir: string;
121
+ readonly authProfilesRef?: OnePasswordGatewayAuthProfilesRef | EnvironmentGatewayAuthProfilesRef | undefined;
122
+ }
123
+ interface OpenClawGatewayZoneGatewayConfig extends GatewayZoneBaseGatewayConfig {
124
+ readonly type: 'openclaw';
125
+ readonly zoneFilesDir: string;
126
+ }
127
+ interface WorkerGatewayZoneGatewayConfig extends GatewayZoneBaseGatewayConfig {
128
+ readonly type: 'worker';
129
+ }
130
+ type GatewayZoneGatewayConfig = OpenClawGatewayZoneGatewayConfig | WorkerGatewayZoneGatewayConfig;
93
131
  /**
94
132
  * Zone config as the lifecycle sees it.
95
133
  * Decoupled from SystemConfig — the controller maps into this shape.
96
134
  */
97
135
  interface GatewayZoneConfig {
98
136
  readonly id: string;
99
- readonly gateway: {
100
- readonly type: GatewayType;
101
- readonly memory: string;
102
- readonly cpus: number;
103
- readonly port: number;
104
- readonly config: string;
105
- readonly stateDir: string;
106
- readonly workspaceDir: string;
107
- readonly authProfilesRef?: {
108
- readonly source: '1password';
109
- readonly ref: string;
110
- } | {
111
- readonly source: 'environment';
112
- readonly envVar: string;
113
- } | undefined;
114
- };
137
+ readonly gateway: GatewayZoneGatewayConfig;
115
138
  readonly secrets: Record<string, {
116
139
  readonly source: '1password';
117
140
  readonly ref: string;
@@ -129,6 +152,7 @@ interface GatewayZoneConfig {
129
152
  }
130
153
  interface BuildGatewayVmSpecOptions {
131
154
  readonly controllerPort: number;
155
+ readonly gatewayCacheDir: string;
132
156
  readonly projectNamespace: string;
133
157
  readonly resolvedSecrets: Record<string, string>;
134
158
  readonly tcpPool: {
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":["gatewayTypeValues","GatewayType","buildGatewaySessionLabel","buildToolSessionLabel","SecretSpec","SecretRef","SecretResolver","Promise","Record","VfsMountSpec","GatewayHealthCheck","GatewayProcessSpec","GatewayVmSpec","GatewayAuthConfig","GatewayZoneConfig","BuildGatewayVmSpecOptions","GatewayLifecycle","SplitResolvedGatewaySecretsResult","splitResolvedGatewaySecrets"],"sources":["../../gateway-interface/dist/index.d.ts","../src/openclaw-lifecycle.ts"],"sourcesContent":["//#region src/gateway-runtime-contract.d.ts\ndeclare const gatewayTypeValues: readonly [\"openclaw\", \"worker\"];\ntype GatewayType = (typeof gatewayTypeValues)[number];\ndeclare function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string;\ndeclare function buildToolSessionLabel(projectNamespace: string, zoneId: string, tcpSlot: number): string;\n//#endregion\n//#region ../gondolin-adapter/dist/index.d.ts\n\n//#endregion\n//#region src/types.d.ts\ninterface SecretSpec {\n readonly hosts: readonly string[];\n readonly value: string;\n}\ntype SecretRef = {\n readonly source: '1password';\n readonly ref: string;\n} | {\n readonly source: 'environment';\n readonly ref: string;\n};\n//#endregion\n//#region src/secret-resolver.d.ts\n\ninterface SecretResolver {\n resolve(ref: SecretRef): Promise<string>;\n resolveAll(refs: Record<string, SecretRef>): Promise<Record<string, string>>;\n}\ninterface VfsMountSpec {\n readonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';\n readonly hostPath?: string;\n readonly shadowConfig?: {\n readonly deny: readonly string[];\n readonly tmpfs: readonly string[];\n };\n}\n//#endregion\n//#region src/gateway-process-spec.d.ts\ntype GatewayHealthCheck = {\n readonly type: 'http';\n readonly port: number;\n readonly path: string;\n} | {\n readonly type: 'command';\n readonly command: string;\n};\n/**\n * Everything about the process running inside the VM.\n * Retained by the running gateway handle for logs, health, restart.\n */\ninterface GatewayProcessSpec {\n readonly bootstrapCommand: string;\n readonly startCommand: string;\n readonly healthCheck: GatewayHealthCheck;\n readonly guestListenPort: number;\n readonly logPath: string;\n}\n//#endregion\n//#region src/gateway-vm-spec.d.ts\n/**\n * Everything the controller needs to create the Gondolin VM.\n * Lifecycle implementations own the full Gondolin-facing contract.\n */\ninterface GatewayVmSpec {\n readonly environment: Record<string, string>;\n readonly vfsMounts: Record<string, VfsMountSpec>;\n readonly mediatedSecrets: Record<string, SecretSpec>;\n readonly tcpHosts: Record<string, string>;\n readonly allowedHosts: readonly string[];\n readonly rootfsMode: 'readonly' | 'memory' | 'cow';\n readonly sessionLabel: string;\n}\n//#endregion\n//#region src/gateway-lifecycle.d.ts\n/**\n * Describes how to run interactive auth for a gateway type.\n * Static property — available without a running VM.\n */\ninterface GatewayAuthConfig {\n /**\n * Shell command to list available auth providers inside the VM.\n * Should output one provider name per line to stdout.\n */\n readonly listProvidersCommand: string;\n /**\n * Build the shell command for interactive auth login.\n * The CLI passes this as the SSH remote command with -t (TTY).\n */\n readonly buildLoginCommand: (provider: string, options?: {\n readonly deviceCode?: boolean;\n readonly setDefault?: boolean;\n }) => string;\n}\n/**\n * Zone config as the lifecycle sees it.\n * Decoupled from SystemConfig the controller maps into this shape.\n */\ninterface GatewayZoneConfig {\n readonly id: string;\n readonly gateway: {\n readonly type: GatewayType;\n readonly memory: string;\n readonly cpus: number;\n readonly port: number;\n readonly config: string;\n readonly stateDir: string;\n readonly workspaceDir: string;\n readonly authProfilesRef?: {\n readonly source: '1password';\n readonly ref: string;\n } | {\n readonly source: 'environment';\n readonly envVar: string;\n } | undefined;\n };\n readonly secrets: Record<string, {\n readonly source: '1password';\n readonly ref: string;\n readonly injection: 'env' | 'http-mediation';\n readonly hosts?: readonly string[] | undefined;\n } | {\n readonly source: 'environment';\n readonly envVar: string;\n readonly injection: 'env' | 'http-mediation';\n readonly hosts?: readonly string[] | undefined;\n }>;\n readonly allowedHosts: readonly string[];\n readonly websocketBypass: readonly string[];\n readonly toolProfile?: string;\n}\ninterface BuildGatewayVmSpecOptions {\n readonly controllerPort: number;\n readonly projectNamespace: string;\n readonly resolvedSecrets: Record<string, string>;\n readonly tcpPool: {\n readonly basePort: number;\n readonly size: number;\n };\n readonly zone: GatewayZoneConfig;\n}\ninterface GatewayLifecycle {\n /**\n * How to run interactive auth for this gateway type.\n * Absent means the gateway type does not support interactive auth.\n */\n readonly authConfig?: GatewayAuthConfig | undefined;\n /**\n * Build the full VM spec — everything Gondolin needs to create the VM.\n * Pure data assembly — no side effects.\n */\n buildVmSpec(options: BuildGatewayVmSpecOptions): GatewayVmSpec;\n /**\n * Build the process spec — everything about startup, health, and logging.\n * Pure data assembly — no side effects.\n */\n buildProcessSpec(zone: GatewayZoneConfig, resolvedSecrets: Record<string, string>): GatewayProcessSpec;\n /**\n * Optional hook to prepare host-side state before the VM boots.\n * Example: writing auth-profiles.json from 1Password.\n */\n prepareHostState?(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void>;\n}\n//#endregion\n//#region src/split-resolved-gateway-secrets.d.ts\ninterface SplitResolvedGatewaySecretsResult {\n readonly environmentSecrets: Record<string, string>;\n readonly mediatedSecrets: Record<string, SecretSpec>;\n}\ndeclare function splitResolvedGatewaySecrets(zone: GatewayZoneConfig, resolvedSecrets: Record<string, string>): SplitResolvedGatewaySecretsResult;\n//#endregion\nexport { type BuildGatewayVmSpecOptions, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayLifecycle, type GatewayProcessSpec, type GatewayType, type GatewayVmSpec, type GatewayZoneConfig, type SplitResolvedGatewaySecretsResult, buildGatewaySessionLabel, buildToolSessionLabel, gatewayTypeValues, splitResolvedGatewaySecrets };\n//# sourceMappingURL=index.d.ts.map"],"mappings":";;cACcA,iBAAkD,EAAA,SAAA,CAAA,UAAA,EAAA,QAAA,CAAA;AAAA,KAC3DC,WAAAA,GAAW,CAAA,OAAWD,iBAAAA,CAAAA,CAAAA,MAAiB,CAAA;AAY9B;;;;;UAJJI,UAAAA,CAgB6CI;EAARD,SAAAA,KAAAA,EAAAA,SAAAA,MAAAA,EAAAA;EAAO,SAAA,KAAA,EAAA,MAAA;AAAA;AAEhC,KAdjBF,SAAAA,GAwBAK;EAAkB,SAYbC,MAAAA,EAAAA,WAAkB;EAGc,SAUhCC,GAAAA,EAAAA,MAAa;CACCJ,GAAAA;EACaC,SAAAA,MAAAA,EAAAA,aAAAA;EAAfD,SAAAA,GAAAA,EAAAA,MAAAA;CACqBJ;;;;AAChB,UA3CjBE,cAAAA,CAsDiB;EAAA,OAmBjBQ,CAAAA,GAAAA,EAxEKT,SAwEY,CAAA,EAxEAE,OAwEA,CAAA,MAGRN,CAAAA;EAeO,UAehBc,CAAAA,IAAAA,EAxGSP,MAwGTO,CAAAA,MAAyB,EAxGDV,SAwGC,CAGPG,CAAAA,EA3GmBD,OAgH9BO,CAhHsCN,MAgHtCM,CAAAA,MAAAA,EAAiB,MAAA,CAAA,CAAA;AAAA;UA9GxBL,YAAAA,CAqHcI;EAKDE,SAAAA,IAAAA,EAAAA,QAAAA,GAAAA,iBAAAA,GAAAA,QAAAA,GAAAA,QAAAA;EAA4BH,SAAAA,QAAAA,CAAAA,EAAAA,MAAAA;EAK1BE,SAAAA,YAAAA,CAAAA,EAAAA;IAAoCN,SAAAA,IAAAA,EAAAA,SAAAA,MAAAA,EAAAA;IAAyBG,SAAAA,KAAAA,EAAAA,SAAAA,MAAAA,EAAAA;EAK5DG,CAAAA;;;;KA1HrBJ,kBAAAA;;;ECoLL,SAAa,IAAA,EAAA,MAAA;;;;;;;;;UDxKHC,kBAAAA;;;wBAGcD;;;;;;;;;;UAUdE,aAAAA;wBACcJ;sBACFA,eAAeC;4BACTD,eAAeJ;qBACtBI;;;;;;;;;;;UAWXK,iBAAAA;;;;;;;;;;;;;;;;;;;UAmBAC,iBAAAA;;;mBAGSb;;;;;;;;;;;;;;;oBAeCO;;;;;;;;;;;;;;;UAeVO,yBAAAA;;;4BAGkBP;;;;;iBAKXM;;UAEPE,gBAAAA;;;;;wBAKcH;;;;;uBAKDE,4BAA4BH;;;;;yBAK1BE,oCAAoCN,yBAAyBG;;;;;0BAK5DG,mCAAmCR,iBAAiBC;;;;;;AA/JhEP,cCyND,iBDzNmD,ECyNhC,gBDzNgC"}
1
+ {"version":3,"file":"index.d.ts","names":["gatewayTypeValues","GatewayType","buildGatewaySessionLabel","buildToolSessionLabel","PinnedRealFsRoot","SecretSpec","SecretRef","SecretResolver","Promise","Record","VfsMountSpec","GatewayHealthCheck","GatewayProcessSpec","GatewayVmSpec","GatewayAuthConfig","GatewayAuthProfilesRef","OnePasswordGatewayAuthProfilesRef","EnvironmentGatewayAuthProfilesRef","GatewayZoneBaseGatewayConfig","OpenClawGatewayZoneGatewayConfig","WorkerGatewayZoneGatewayConfig","GatewayZoneGatewayConfig","GatewayZoneConfig","BuildGatewayVmSpecOptions","GatewayLifecycle","SplitResolvedGatewaySecretsResult","splitResolvedGatewaySecrets"],"sources":["../../gateway-interface/dist/index.d.ts","../src/openclaw-lifecycle.ts"],"sourcesContent":["//#region src/gateway-runtime-contract.d.ts\ndeclare const gatewayTypeValues: readonly [\"openclaw\", \"worker\"];\ntype GatewayType = (typeof gatewayTypeValues)[number];\ndeclare function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string;\ndeclare function buildToolSessionLabel(projectNamespace: string, zoneId: string, tcpSlot: number): string;\n//#endregion\n//#region ../gondolin-adapter/dist/index.d.ts\n\n//#endregion\n//#region src/pinned-realfs.d.ts\ninterface PinnedRealFsRoot {\n readonly hostPath: string;\n readonly realPath: string;\n readonly fd: number;\n readonly device: number;\n readonly inode: number;\n}\n//#endregion\n//#region src/types.d.ts\ninterface SecretSpec {\n readonly hosts: readonly string[];\n readonly value: string;\n}\ntype SecretRef = {\n readonly source: '1password';\n readonly ref: string;\n} | {\n readonly source: 'environment';\n readonly ref: string;\n};\n//#endregion\n//#region src/secret-resolver.d.ts\n\ninterface SecretResolver {\n resolve(ref: SecretRef): Promise<string>;\n resolveAll(refs: Record<string, SecretRef>): Promise<Record<string, string>>;\n}\ninterface VfsMountSpec {\n readonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';\n readonly hostPath?: string;\n readonly pinnedHostRoot?: PinnedRealFsRoot;\n readonly shadowConfig?: {\n readonly deny: readonly string[];\n readonly tmpfs: readonly string[];\n };\n}\n//#endregion\n//#region src/gateway-process-spec.d.ts\ntype GatewayHealthCheck = {\n readonly type: 'http';\n readonly port: number;\n readonly path: string;\n} | {\n readonly type: 'command';\n readonly command: string;\n};\n/**\n * Everything about the process running inside the VM.\n * Retained by the running gateway handle for logs, health, restart.\n */\ninterface GatewayProcessSpec {\n readonly bootstrapCommand: string;\n readonly startCommand: string;\n readonly healthCheck: GatewayHealthCheck;\n readonly guestListenPort: number;\n readonly logPath: string;\n}\n//#endregion\n//#region src/gateway-vm-spec.d.ts\n/**\n * Everything the controller needs to create the Gondolin VM.\n * Lifecycle implementations own the full Gondolin-facing contract.\n */\ninterface GatewayVmSpec {\n readonly environment: Record<string, string>;\n readonly vfsMounts: Record<string, VfsMountSpec>;\n readonly mediatedSecrets: Record<string, SecretSpec>;\n readonly tcpHosts: Record<string, string>;\n readonly allowedHosts: readonly string[];\n readonly rootfsMode: 'readonly' | 'memory' | 'cow';\n readonly sessionLabel: string;\n}\n//#endregion\n//#region src/gateway-lifecycle.d.ts\n/**\n * Describes how to run interactive auth for a gateway type.\n * Static property — available without a running VM.\n */\ninterface GatewayAuthConfig {\n /**\n * Shell command to list available auth providers inside the VM.\n * Should output one provider name per line to stdout.\n */\n readonly listProvidersCommand: string;\n /**\n * Build the shell command for interactive auth login.\n * The CLI passes this as the SSH remote command with -t (TTY).\n */\n readonly buildLoginCommand: (provider: string, options?: {\n readonly deviceCode?: boolean;\n readonly setDefault?: boolean;\n }) => string;\n}\ninterface GatewayAuthProfilesRef {\n readonly source: '1password' | 'environment';\n}\ninterface OnePasswordGatewayAuthProfilesRef extends GatewayAuthProfilesRef {\n readonly source: '1password';\n readonly ref: string;\n}\ninterface EnvironmentGatewayAuthProfilesRef extends GatewayAuthProfilesRef {\n readonly source: 'environment';\n readonly envVar: string;\n}\ninterface GatewayZoneBaseGatewayConfig {\n readonly type: GatewayType;\n readonly memory: string;\n readonly cpus: number;\n readonly port: number;\n readonly config: string;\n readonly stateDir: string;\n readonly authProfilesRef?: OnePasswordGatewayAuthProfilesRef | EnvironmentGatewayAuthProfilesRef | undefined;\n}\ninterface OpenClawGatewayZoneGatewayConfig extends GatewayZoneBaseGatewayConfig {\n readonly type: 'openclaw';\n readonly zoneFilesDir: string;\n}\ninterface WorkerGatewayZoneGatewayConfig extends GatewayZoneBaseGatewayConfig {\n readonly type: 'worker';\n}\ntype GatewayZoneGatewayConfig = OpenClawGatewayZoneGatewayConfig | WorkerGatewayZoneGatewayConfig;\n/**\n * Zone config as the lifecycle sees it.\n * Decoupled from SystemConfig — the controller maps into this shape.\n */\ninterface GatewayZoneConfig {\n readonly id: string;\n readonly gateway: GatewayZoneGatewayConfig;\n readonly secrets: Record<string, {\n readonly source: '1password';\n readonly ref: string;\n readonly injection: 'env' | 'http-mediation';\n readonly hosts?: readonly string[] | undefined;\n } | {\n readonly source: 'environment';\n readonly envVar: string;\n readonly injection: 'env' | 'http-mediation';\n readonly hosts?: readonly string[] | undefined;\n }>;\n readonly allowedHosts: readonly string[];\n readonly websocketBypass: readonly string[];\n readonly toolProfile?: string;\n}\ninterface BuildGatewayVmSpecOptions {\n readonly controllerPort: number;\n readonly gatewayCacheDir: string;\n readonly projectNamespace: string;\n readonly resolvedSecrets: Record<string, string>;\n readonly tcpPool: {\n readonly basePort: number;\n readonly size: number;\n };\n readonly zone: GatewayZoneConfig;\n}\ninterface GatewayLifecycle {\n /**\n * How to run interactive auth for this gateway type.\n * Absent means the gateway type does not support interactive auth.\n */\n readonly authConfig?: GatewayAuthConfig | undefined;\n /**\n * Build the full VM spec — everything Gondolin needs to create the VM.\n * Pure data assembly — no side effects.\n */\n buildVmSpec(options: BuildGatewayVmSpecOptions): GatewayVmSpec;\n /**\n * Build the process spec — everything about startup, health, and logging.\n * Pure data assembly — no side effects.\n */\n buildProcessSpec(zone: GatewayZoneConfig, resolvedSecrets: Record<string, string>): GatewayProcessSpec;\n /**\n * Optional hook to prepare host-side state before the VM boots.\n * Example: writing auth-profiles.json from 1Password.\n */\n prepareHostState?(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void>;\n}\n//#endregion\n//#region src/split-resolved-gateway-secrets.d.ts\ninterface SplitResolvedGatewaySecretsResult {\n readonly environmentSecrets: Record<string, string>;\n readonly mediatedSecrets: Record<string, SecretSpec>;\n}\ndeclare function splitResolvedGatewaySecrets(zone: GatewayZoneConfig, resolvedSecrets: Record<string, string>): SplitResolvedGatewaySecretsResult;\n//#endregion\nexport { type BuildGatewayVmSpecOptions, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayLifecycle, type GatewayProcessSpec, type GatewayType, type GatewayVmSpec, type GatewayZoneConfig, type SplitResolvedGatewaySecretsResult, buildGatewaySessionLabel, buildToolSessionLabel, gatewayTypeValues, splitResolvedGatewaySecrets };\n//# sourceMappingURL=index.d.ts.map"],"mappings":";;cACcA,iBAAkD,EAAA,SAAA,CAAA,UAAA,EAAA,QAAA,CAAA;AAAA,KAC3DC,WAAAA,GAAW,CAAA,OAAWD,iBAAAA,CAAAA,CAAAA,MAAiB,CAAA;AAiBxB;AAIN;;;;UAbJI,gBAAAA,CAyBSK;EAAoCA,SAAAA,QAAAA,EAAAA,MAAAA;EAARD,SAAAA,QAAAA,EAAAA,MAAAA;EAAO,SAAA,EAAA,EAAA,MAAA;EAAA,SAE5CE,MAAAA,EAAY,MAAA;EAGsB,SAQvCC,KAAAA,EAAAA,MAAAA;AAAkB;AAemB;;UA5ChCN,UAAAA,CAwD2BK;EAAfD,SAAAA,KAAAA,EAAAA,SAAAA,MAAAA,EAAAA;EACqBJ,SAAAA,KAAAA,EAAAA,MAAAA;;KArDtCC,SAAAA,GAsDgBG;EAAM,SAAA,MAAA,EAAA,WAAA;EAAA,SAWjBK,GAAAA,EAAAA,MAAAA;AAAiB,CAAA,GAejBC;EAAsB,SAGtBC,MAAAA,EAAAA,aAAAA;EAAgE,SAIhEC,GAAAA,EAAAA,MAAAA;AAAgE,CAAA;;;;UA7EhEV,cAAAA,CAwFwF;EAAA,OAExFY,CAAAA,GAAAA,EAzFKb,SAyFLa,CAAAA,EAzFiBX,OAyFjBW,CAAAA,MAAgC,CAAA;EAAqC,UAIrEC,CAAAA,IAAAA,EA5FSX,MA4FTW,CAAAA,MAAAA,EA5FwBd,SA4FM,CAAA,CAAA,EA5FOE,OA4FEU,CA5FMT,MA4FNS,CAAAA,MAAAA,EAAAA,MAAAA,CAAAA,CAA4B;AAAA;AAGoB,UA7FvFR,YAAAA,CAkGAY;EAGgB,SAehBC,IAAAA,EAAAA,QAAAA,GAAAA,iBAIkBd,GAAAA,QAKXa,GAAAA,QAAAA;EAAiB,SAExBE,QAAAA,CAAAA,EAAAA,MAAgB;EAKFV,SAAAA,cAAAA,CAAAA,EAjIIV,gBAiIJU;EAKDS,SAAAA,YAAAA,CAAAA,EAAAA;IAA4BV,SAAAA,IAAAA,EAAAA,SAAAA,MAAAA,EAAAA;IAK1BS,SAAAA,KAAAA,EAAAA,SAAAA,MAAAA,EAAAA;EAAoCb,CAAAA;;;;KAnIxDE,kBAAAA,GAwIyEH;EAAO,SAAA,IAAA,EAAA,MAAA;;;;ECmDrF,SAAa,IAAA,EAAA,SAiGZ;;;;;;;UDhRSI,kBAAAA;;;wBAGcD;;;;;;;;;;UAUdE,aAAAA;wBACcJ;sBACFA,eAAeC;4BACTD,eAAeJ;qBACtBI;;;;;;;;;;;UAWXK,iBAAAA;;;;;;;;;;;;;;;UAeAC,sBAAAA;;;UAGAC,iCAAAA,SAA0CD;;;;UAI1CE,iCAAAA,SAA0CF;;;;UAI1CG,4BAAAA;iBACOjB;;;;;;6BAMYe,oCAAoCC;;UAEvDE,gCAAAA,SAAyCD;;;;UAIzCE,8BAAAA,SAAuCF;;;KAG5CG,wBAAAA,GAA2BF,mCAAmCC;;;;;UAKzDE,iBAAAA;;oBAEUD;oBACAZ;;;;;;;;;;;;;;;UAeVc,yBAAAA;;;;4BAIkBd;;;;;iBAKXa;;UAEPE,gBAAAA;;;;;wBAKcV;;;;;uBAKDS,4BAA4BV;;;;;yBAK1BS,oCAAoCb,yBAAyBG;;;;;0BAK5DU,mCAAmCf,iBAAiBC;;;;;;AAvLhER,cC0OD,iBD1OmD,EC0OhC,gBD1OgC"}
package/dist/index.js CHANGED
@@ -6,6 +6,10 @@ import { writeFileAtomically } from "@agent-vm/gondolin-adapter";
6
6
  //#region src/openclaw-lifecycle.ts
7
7
  const effectiveOpenClawConfigFileName = "effective-openclaw.json";
8
8
  const effectiveOpenClawConfigVmPath = `/home/openclaw/.openclaw/state/${effectiveOpenClawConfigFileName}`;
9
+ const openClawStateDirVmPath = "/home/openclaw/.openclaw/state";
10
+ const openClawCacheDirVmPath = "/home/openclaw/.openclaw/cache";
11
+ const openClawZoneFilesDirVmPath = "/home/openclaw/zone-files";
12
+ const openClawPluginStageDirVmPath = "/opt/openclaw/plugin-runtime-deps";
9
13
  const openClawShellEnvFilePath = "/etc/profile.d/openclaw-env.sh";
10
14
  function isObjectRecord(value) {
11
15
  return typeof value === "object" && value !== null && !Array.isArray(value);
@@ -20,10 +24,18 @@ function buildOpenClawBootstrapCommand(_zone, _resolvedSecrets) {
20
24
  const environmentLines = [
21
25
  "export OPENCLAW_HOME=/home/openclaw",
22
26
  `export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,
23
- "export OPENCLAW_STATE_DIR=/home/openclaw/.openclaw/state",
27
+ `export OPENCLAW_STATE_DIR=${openClawStateDirVmPath}`,
28
+ `export OPENCLAW_PLUGIN_STAGE_DIR=${openClawPluginStageDirVmPath}`,
29
+ "export TMPDIR=/work/tmp",
30
+ "export TMP=/work/tmp",
31
+ "export TEMP=/work/tmp",
32
+ "export npm_config_cache=/work/cache/npm",
33
+ "export pnpm_config_store_dir=/work/cache/pnpm/store",
34
+ "export PIP_CACHE_DIR=/work/cache/pip",
35
+ "export UV_CACHE_DIR=/work/cache/uv",
24
36
  "export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt"
25
37
  ];
26
- return `mkdir -p /root /etc/profile.d && cat > ${openClawShellEnvFilePath} << ENVEOF\n` + environmentLines.join("\n") + `
38
+ return `mkdir -p /root /etc/profile.d /work/tmp /work/cache/npm /work/cache/pnpm/store /work/cache/pip /work/cache/uv && cat > ${openClawShellEnvFilePath} << ENVEOF\n` + environmentLines.join("\n") + `
27
39
  ENVEOF
28
40
  chmod 644 ${openClawShellEnvFilePath} && touch /root/.bashrc && grep -qxF 'source ${openClawShellEnvFilePath}' /root/.bashrc || echo 'source ${openClawShellEnvFilePath}' >> /root/.bashrc && touch /root/.bash_profile && grep -qxF 'source /root/.bashrc' /root/.bash_profile || echo 'source /root/.bashrc' >> /root/.bash_profile`;
29
41
  }
@@ -93,6 +105,11 @@ async function writeEffectiveOpenClawConfig(zone, secretResolver) {
93
105
  mode: "token",
94
106
  token: gatewayToken
95
107
  }
108
+ },
109
+ meta: {
110
+ ...isObjectRecord(parsedBaseConfig.meta) ? parsedBaseConfig.meta : {},
111
+ lastTouchedAt: (/* @__PURE__ */ new Date()).toISOString(),
112
+ lastTouchedVersion: "agent-vm"
96
113
  }
97
114
  };
98
115
  const effectiveConfigPath = getEffectiveOpenClawConfigHostPath(zone);
@@ -116,7 +133,8 @@ const openclawLifecycle = {
116
133
  ...options.setDefault === true ? ["--set-default"] : []
117
134
  ].join(" ")
118
135
  },
119
- buildVmSpec({ controllerPort, projectNamespace, resolvedSecrets, tcpPool, zone }) {
136
+ buildVmSpec({ controllerPort, gatewayCacheDir, projectNamespace, resolvedSecrets, tcpPool, zone }) {
137
+ if (zone.gateway.type !== "openclaw") throw new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);
120
138
  const configDirectory = path.dirname(path.resolve(zone.gateway.config));
121
139
  const { environmentSecrets, mediatedSecrets } = splitResolvedGatewaySecrets(zone, resolvedSecrets);
122
140
  const { OPENCLAW_GATEWAY_TOKEN: _gatewayToken,...environmentSecretsWithoutGatewayToken } = environmentSecrets;
@@ -127,7 +145,15 @@ const openclawLifecycle = {
127
145
  NODE_EXTRA_CA_CERTS: "/run/gondolin/ca-certificates.crt",
128
146
  OPENCLAW_CONFIG_PATH: effectiveOpenClawConfigVmPath,
129
147
  OPENCLAW_HOME: "/home/openclaw",
130
- OPENCLAW_STATE_DIR: "/home/openclaw/.openclaw/state",
148
+ OPENCLAW_PLUGIN_STAGE_DIR: openClawPluginStageDirVmPath,
149
+ OPENCLAW_STATE_DIR: openClawStateDirVmPath,
150
+ PIP_CACHE_DIR: "/work/cache/pip",
151
+ TEMP: "/work/tmp",
152
+ TMP: "/work/tmp",
153
+ TMPDIR: "/work/tmp",
154
+ UV_CACHE_DIR: "/work/cache/uv",
155
+ npm_config_cache: "/work/cache/npm",
156
+ pnpm_config_store_dir: "/work/cache/pnpm/store",
131
157
  ...environmentSecretsWithoutGatewayToken
132
158
  },
133
159
  mediatedSecrets,
@@ -139,12 +165,16 @@ const openclawLifecycle = {
139
165
  hostPath: configDirectory,
140
166
  kind: "realfs"
141
167
  },
168
+ [openClawCacheDirVmPath]: {
169
+ hostPath: gatewayCacheDir,
170
+ kind: "realfs"
171
+ },
142
172
  "/home/openclaw/.openclaw/state": {
143
173
  hostPath: zone.gateway.stateDir,
144
174
  kind: "realfs"
145
175
  },
146
- "/home/openclaw/workspace": {
147
- hostPath: zone.gateway.workspaceDir,
176
+ [openClawZoneFilesDirVmPath]: {
177
+ hostPath: zone.gateway.zoneFilesDir,
148
178
  kind: "realfs"
149
179
  }
150
180
  }
@@ -155,9 +185,8 @@ const openclawLifecycle = {
155
185
  bootstrapCommand: buildOpenClawBootstrapCommand(zone, resolvedSecrets),
156
186
  startCommand: "cd /home/openclaw && nohup openclaw gateway --port 18789 > /tmp/openclaw.log 2>&1 &",
157
187
  healthCheck: {
158
- type: "http",
159
- port: 18789,
160
- path: "/"
188
+ type: "command",
189
+ command: `grep -q 'ready (' /tmp/openclaw.log`
161
190
  },
162
191
  guestListenPort: 18789,
163
192
  logPath: "/tmp/openclaw.log"
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["tcpHosts: Record<string, string>","authProfilesSecretCandidate: unknown","parsedBaseConfig: unknown","openclawLifecycle: GatewayLifecycle","buildGatewaySessionLabelValue"],"sources":["../src/openclaw-lifecycle.ts"],"sourcesContent":["import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type {\n\tBuildGatewayVmSpecOptions,\n\tGatewayLifecycle,\n\tGatewayProcessSpec,\n\tGatewayZoneConfig,\n\tGatewayVmSpec,\n} from '@agent-vm/gateway-interface';\nimport {\n\tbuildGatewaySessionLabel as buildGatewaySessionLabelValue,\n\tsplitResolvedGatewaySecrets,\n} from '@agent-vm/gateway-interface';\nimport {\n\ttype SecretRef,\n\ttype SecretResolver,\n\twriteFileAtomically,\n} from '@agent-vm/gondolin-adapter';\n\nconst effectiveOpenClawConfigFileName = 'effective-openclaw.json';\nconst effectiveOpenClawConfigVmPath = `/home/openclaw/.openclaw/state/${effectiveOpenClawConfigFileName}`;\nconst openClawShellEnvFilePath = '/etc/profile.d/openclaw-env.sh';\n\nfunction isObjectRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction buildGatewayTcpHosts(\n\tzone: GatewayZoneConfig,\n\tcontrollerPort: number,\n\ttcpPool: { readonly basePort: number; readonly size: number },\n): Record<string, string> {\n\tconst tcpHosts: Record<string, string> = {\n\t\t'controller.vm.host:18800': `127.0.0.1:${controllerPort}`,\n\t};\n\n\tfor (let slot = 0; slot < tcpPool.size; slot += 1) {\n\t\ttcpHosts[`tool-${slot}.vm.host:22`] = `127.0.0.1:${tcpPool.basePort + slot}`;\n\t}\n\n\tfor (const websocketHost of zone.websocketBypass) {\n\t\ttcpHosts[websocketHost] = websocketHost;\n\t}\n\n\treturn tcpHosts;\n}\n\nfunction buildOpenClawBootstrapCommand(\n\t_zone: GatewayZoneConfig,\n\t_resolvedSecrets: Record<string, string>,\n): string {\n\tconst environmentLines = [\n\t\t'export OPENCLAW_HOME=/home/openclaw',\n\t\t`export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,\n\t\t'export OPENCLAW_STATE_DIR=/home/openclaw/.openclaw/state',\n\t\t'export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt',\n\t];\n\n\treturn (\n\t\t`mkdir -p /root /etc/profile.d && cat > ${openClawShellEnvFilePath} << ENVEOF\\n` +\n\t\tenvironmentLines.join('\\n') +\n\t\t'\\nENVEOF\\n' +\n\t\t`chmod 644 ${openClawShellEnvFilePath} && ` +\n\t\t'touch /root/.bashrc && ' +\n\t\t`grep -qxF 'source ${openClawShellEnvFilePath}' /root/.bashrc || echo 'source ${openClawShellEnvFilePath}' >> /root/.bashrc && ` +\n\t\t'touch /root/.bash_profile && ' +\n\t\t\"grep -qxF 'source /root/.bashrc' /root/.bash_profile || echo 'source /root/.bashrc' >> /root/.bash_profile\"\n\t);\n}\n\nfunction getEffectiveOpenClawConfigHostPath(zone: GatewayZoneConfig): string {\n\treturn path.join(zone.gateway.stateDir, effectiveOpenClawConfigFileName);\n}\n\nfunction shellQuote(value: string): string {\n\treturn `'${value.replace(/'/gu, `'\\\\''`)}'`;\n}\n\ntype SourceAwareSecretReference =\n\t| {\n\t\t\treadonly source: 'environment';\n\t\t\treadonly envVar: string;\n\t }\n\t| {\n\t\t\treadonly source: '1password';\n\t\t\treadonly ref: string;\n\t };\n\nfunction isSourceAwareSecretReference(value: unknown): value is SourceAwareSecretReference {\n\tif (typeof value !== 'object' || value === null) {\n\t\treturn false;\n\t}\n\n\tif (!('source' in value) || typeof value.source !== 'string') {\n\t\treturn false;\n\t}\n\n\tif (value.source === 'environment') {\n\t\treturn 'envVar' in value && typeof value.envVar === 'string';\n\t}\n\n\tif (value.source === '1password') {\n\t\treturn 'ref' in value && typeof value.ref === 'string';\n\t}\n\n\treturn false;\n}\n\nfunction toSecretRef(secret: SourceAwareSecretReference): SecretRef {\n\treturn secret.source === 'environment'\n\t\t? {\n\t\t\t\tsource: 'environment',\n\t\t\t\tref: secret.envVar,\n\t\t\t}\n\t\t: {\n\t\t\t\tsource: '1password',\n\t\t\t\tref: secret.ref,\n\t\t\t};\n}\n\nfunction describeSecretReference(secret: SourceAwareSecretReference): string {\n\treturn secret.source === 'environment' ? secret.envVar : secret.ref;\n}\n\nasync function writeAuthProfilesIfConfigured(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst authProfilesSecretCandidate: unknown = zone.gateway.authProfilesRef;\n\tif (authProfilesSecretCandidate === undefined) {\n\t\treturn;\n\t}\n\tif (!isSourceAwareSecretReference(authProfilesSecretCandidate)) {\n\t\tthrow new Error(`Zone '${zone.id}' has an invalid authProfilesRef shape.`);\n\t}\n\tconst authProfilesSecret = authProfilesSecretCandidate;\n\n\ttry {\n\t\tconst authProfilesDirectory = path.join(zone.gateway.stateDir, 'agents', 'main', 'agent');\n\t\tawait fs.mkdir(authProfilesDirectory, { recursive: true, mode: 0o700 });\n\t\tawait fs.chmod(authProfilesDirectory, 0o700);\n\t\tconst authProfiles = await secretResolver.resolve(toSecretRef(authProfilesSecret));\n\t\tawait writeFileAtomically(\n\t\t\tpath.join(authProfilesDirectory, 'auth-profiles.json'),\n\t\t\tauthProfiles,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write OpenClaw auth profiles for zone '${zone.id}' from '${describeSecretReference(authProfilesSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nasync function writeEffectiveOpenClawConfig(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst gatewayTokenSecret = zone.secrets.OPENCLAW_GATEWAY_TOKEN;\n\tif (!gatewayTokenSecret) {\n\t\tthrow new Error(\n\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing. Add an explicit 1Password or environment reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t);\n\t}\n\tif (!isSourceAwareSecretReference(gatewayTokenSecret)) {\n\t\tthrow new Error(`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' has an invalid shape.`);\n\t}\n\n\ttry {\n\t\tif (gatewayTokenSecret.source === '1password' && !gatewayTokenSecret.ref) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'ref'. Add an explicit 1Password reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t\t);\n\t\t}\n\t\tif (gatewayTokenSecret.source === 'environment' && !gatewayTokenSecret.envVar) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'envVar'. Add an explicit environment variable name.`,\n\t\t\t);\n\t\t}\n\t\tconst gatewayToken = await secretResolver.resolve(toSecretRef(gatewayTokenSecret));\n\t\tconst rawBaseConfig = await fs.readFile(zone.gateway.config, 'utf8');\n\t\tconst parsedBaseConfig: unknown = JSON.parse(rawBaseConfig);\n\t\tif (!isObjectRecord(parsedBaseConfig)) {\n\t\t\tthrow new Error(`OpenClaw config at '${zone.gateway.config}' must be a JSON object.`);\n\t\t}\n\t\tconst config = isObjectRecord(parsedBaseConfig.gateway) ? parsedBaseConfig.gateway : {};\n\t\tconst existingAuthConfig = isObjectRecord(config.auth) ? config.auth : {};\n\t\tconst effectiveConfig = {\n\t\t\t...parsedBaseConfig,\n\t\t\tgateway: {\n\t\t\t\t...config,\n\t\t\t\tauth: {\n\t\t\t\t\t...existingAuthConfig,\n\t\t\t\t\tmode: 'token',\n\t\t\t\t\ttoken: gatewayToken,\n\t\t\t\t},\n\t\t\t},\n\t\t};\n\t\tconst effectiveConfigPath = getEffectiveOpenClawConfigHostPath(zone);\n\t\tawait fs.mkdir(zone.gateway.stateDir, { recursive: true, mode: 0o700 });\n\t\tawait fs.chmod(zone.gateway.stateDir, 0o700);\n\t\tawait writeFileAtomically(\n\t\t\teffectiveConfigPath,\n\t\t\t`${JSON.stringify(effectiveConfig, null, 2)}\\n`,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write effective OpenClaw config for zone '${zone.id}' from '${zone.gateway.config}' using secret '${describeSecretReference(gatewayTokenSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nexport const openclawLifecycle: GatewayLifecycle = {\n\tauthConfig: {\n\t\tlistProvidersCommand: 'openclaw models auth list --format plain 2>/dev/null || echo \"\"',\n\t\tbuildLoginCommand: (\n\t\t\tprovider: string,\n\t\t\toptions: { readonly deviceCode?: boolean; readonly setDefault?: boolean } = {},\n\t\t): string =>\n\t\t\t[\n\t\t\t\t`openclaw models auth login --provider ${shellQuote(provider)}`,\n\t\t\t\t...(options.deviceCode === true ? ['--device-code'] : []),\n\t\t\t\t...(options.setDefault === true ? ['--set-default'] : []),\n\t\t\t].join(' '),\n\t},\n\n\tbuildVmSpec({\n\t\tcontrollerPort,\n\t\tprojectNamespace,\n\t\tresolvedSecrets,\n\t\ttcpPool,\n\t\tzone,\n\t}: BuildGatewayVmSpecOptions): GatewayVmSpec {\n\t\tconst configDirectory = path.dirname(path.resolve(zone.gateway.config));\n\t\tconst { environmentSecrets, mediatedSecrets } = splitResolvedGatewaySecrets(\n\t\t\tzone,\n\t\t\tresolvedSecrets,\n\t\t);\n\t\tconst { OPENCLAW_GATEWAY_TOKEN: _gatewayToken, ...environmentSecretsWithoutGatewayToken } =\n\t\t\tenvironmentSecrets;\n\n\t\treturn {\n\t\t\tallowedHosts: [...zone.allowedHosts],\n\t\t\tenvironment: {\n\t\t\t\tHOME: '/home/openclaw',\n\t\t\t\tNODE_EXTRA_CA_CERTS: '/run/gondolin/ca-certificates.crt',\n\t\t\t\tOPENCLAW_CONFIG_PATH: effectiveOpenClawConfigVmPath,\n\t\t\t\tOPENCLAW_HOME: '/home/openclaw',\n\t\t\t\tOPENCLAW_STATE_DIR: '/home/openclaw/.openclaw/state',\n\t\t\t\t...environmentSecretsWithoutGatewayToken,\n\t\t\t},\n\t\t\tmediatedSecrets,\n\t\t\trootfsMode: 'cow',\n\t\t\tsessionLabel: buildGatewaySessionLabelValue(projectNamespace, zone.id),\n\t\t\ttcpHosts: buildGatewayTcpHosts(zone, controllerPort, tcpPool),\n\t\t\tvfsMounts: {\n\t\t\t\t'/home/openclaw/.openclaw/config': {\n\t\t\t\t\thostPath: configDirectory,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t'/home/openclaw/.openclaw/state': {\n\t\t\t\t\thostPath: zone.gateway.stateDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t'/home/openclaw/workspace': {\n\t\t\t\t\thostPath: zone.gateway.workspaceDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t},\n\t\t};\n\t},\n\n\tbuildProcessSpec(\n\t\tzone: GatewayZoneConfig,\n\t\tresolvedSecrets: Record<string, string>,\n\t): GatewayProcessSpec {\n\t\treturn {\n\t\t\tbootstrapCommand: buildOpenClawBootstrapCommand(zone, resolvedSecrets),\n\t\t\tstartCommand:\n\t\t\t\t'cd /home/openclaw && nohup openclaw gateway --port 18789 > /tmp/openclaw.log 2>&1 &',\n\t\t\thealthCheck: { type: 'http', port: 18789, path: '/' },\n\t\t\tguestListenPort: 18789,\n\t\t\tlogPath: '/tmp/openclaw.log',\n\t\t};\n\t},\n\n\tasync prepareHostState(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void> {\n\t\tawait writeEffectiveOpenClawConfig(zone, secretResolver);\n\t\tawait writeAuthProfilesIfConfigured(zone, secretResolver);\n\t},\n};\n"],"mappings":";;;;;;AAoBA,MAAM,kCAAkC;AACxC,MAAM,gCAAgC,kCAAkC;AACxE,MAAM,2BAA2B;AAEjC,SAAS,eAAe,OAAkD;AACzE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,qBACR,MACA,gBACA,SACyB;CACzB,MAAMA,WAAmC,EACxC,4BAA4B,aAAa,kBACzC;AAED,MAAK,IAAI,OAAO,GAAG,OAAO,QAAQ,MAAM,QAAQ,EAC/C,UAAS,QAAQ,KAAK,gBAAgB,aAAa,QAAQ,WAAW;AAGvE,MAAK,MAAM,iBAAiB,KAAK,gBAChC,UAAS,iBAAiB;AAG3B,QAAO;;AAGR,SAAS,8BACR,OACA,kBACS;CACT,MAAM,mBAAmB;EACxB;EACA,+BAA+B;EAC/B;EACA;EACA;AAED,QACC,0CAA0C,yBAAyB,gBACnE,iBAAiB,KAAK,KAAK,GAC3B;;YACa,yBAAyB,+CAEjB,yBAAyB,kCAAkC,yBAAyB;;AAM3G,SAAS,mCAAmC,MAAiC;AAC5E,QAAO,KAAK,KAAK,KAAK,QAAQ,UAAU,gCAAgC;;AAGzE,SAAS,WAAW,OAAuB;AAC1C,QAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,CAAC;;AAa1C,SAAS,6BAA6B,OAAqD;AAC1F,KAAI,OAAO,UAAU,YAAY,UAAU,KAC1C,QAAO;AAGR,KAAI,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,SACnD,QAAO;AAGR,KAAI,MAAM,WAAW,cACpB,QAAO,YAAY,SAAS,OAAO,MAAM,WAAW;AAGrD,KAAI,MAAM,WAAW,YACpB,QAAO,SAAS,SAAS,OAAO,MAAM,QAAQ;AAG/C,QAAO;;AAGR,SAAS,YAAY,QAA+C;AACnE,QAAO,OAAO,WAAW,gBACtB;EACA,QAAQ;EACR,KAAK,OAAO;EACZ,GACA;EACA,QAAQ;EACR,KAAK,OAAO;EACZ;;AAGJ,SAAS,wBAAwB,QAA4C;AAC5E,QAAO,OAAO,WAAW,gBAAgB,OAAO,SAAS,OAAO;;AAGjE,eAAe,8BACd,MACA,gBACgB;CAChB,MAAMC,8BAAuC,KAAK,QAAQ;AAC1D,KAAI,gCAAgC,OACnC;AAED,KAAI,CAAC,6BAA6B,4BAA4B,CAC7D,OAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yCAAyC;CAE3E,MAAM,qBAAqB;AAE3B,KAAI;EACH,MAAM,wBAAwB,KAAK,KAAK,KAAK,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AACzF,QAAM,GAAG,MAAM,uBAAuB;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;AACvE,QAAM,GAAG,MAAM,uBAAuB,IAAM;EAC5C,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;AAClF,QAAM,oBACL,KAAK,KAAK,uBAAuB,qBAAqB,EACtD,cACA,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;AACtE,QAAM,IAAI,MACT,oDAAoD,KAAK,GAAG,UAAU,wBAAwB,mBAAmB,CAAC,KAAK,WACvH,EAAE,OAAO,OAAO,CAChB;;;AAIH,eAAe,6BACd,MACA,gBACgB;CAChB,MAAM,qBAAqB,KAAK,QAAQ;AACxC,KAAI,CAAC,mBACJ,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,0HAA0H,KAAK,GAAG,0BACnJ;AAEF,KAAI,CAAC,6BAA6B,mBAAmB,CACpD,OAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yDAAyD;AAG3F,KAAI;AACH,MAAI,mBAAmB,WAAW,eAAe,CAAC,mBAAmB,IACpE,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,iHAAiH,KAAK,GAAG,0BAC1I;AAEF,MAAI,mBAAmB,WAAW,iBAAiB,CAAC,mBAAmB,OACtE,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,mGACjB;EAEF,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;EAClF,MAAM,gBAAgB,MAAM,GAAG,SAAS,KAAK,QAAQ,QAAQ,OAAO;EACpE,MAAMC,mBAA4B,KAAK,MAAM,cAAc;AAC3D,MAAI,CAAC,eAAe,iBAAiB,CACpC,OAAM,IAAI,MAAM,uBAAuB,KAAK,QAAQ,OAAO,0BAA0B;EAEtF,MAAM,SAAS,eAAe,iBAAiB,QAAQ,GAAG,iBAAiB,UAAU,EAAE;EACvF,MAAM,qBAAqB,eAAe,OAAO,KAAK,GAAG,OAAO,OAAO,EAAE;EACzE,MAAM,kBAAkB;GACvB,GAAG;GACH,SAAS;IACR,GAAG;IACH,MAAM;KACL,GAAG;KACH,MAAM;KACN,OAAO;KACP;IACD;GACD;EACD,MAAM,sBAAsB,mCAAmC,KAAK;AACpE,QAAM,GAAG,MAAM,KAAK,QAAQ,UAAU;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;AACvE,QAAM,GAAG,MAAM,KAAK,QAAQ,UAAU,IAAM;AAC5C,QAAM,oBACL,qBACA,GAAG,KAAK,UAAU,iBAAiB,MAAM,EAAE,CAAC,KAC5C,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;AACtE,QAAM,IAAI,MACT,uDAAuD,KAAK,GAAG,UAAU,KAAK,QAAQ,OAAO,kBAAkB,wBAAwB,mBAAmB,CAAC,KAAK,WAChK,EAAE,OAAO,OAAO,CAChB;;;AAIH,MAAaC,oBAAsC;CAClD,YAAY;EACX,sBAAsB;EACtB,oBACC,UACA,UAA4E,EAAE,KAE9E;GACC,yCAAyC,WAAW,SAAS;GAC7D,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,CAAC,KAAK,IAAI;EACZ;CAED,YAAY,EACX,gBACA,kBACA,iBACA,SACA,QAC4C;EAC5C,MAAM,kBAAkB,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,OAAO,CAAC;EACvE,MAAM,EAAE,oBAAoB,oBAAoB,4BAC/C,MACA,gBACA;EACD,MAAM,EAAE,wBAAwB,cAAe,GAAG,0CACjD;AAED,SAAO;GACN,cAAc,CAAC,GAAG,KAAK,aAAa;GACpC,aAAa;IACZ,MAAM;IACN,qBAAqB;IACrB,sBAAsB;IACtB,eAAe;IACf,oBAAoB;IACpB,GAAG;IACH;GACD;GACA,YAAY;GACZ,cAAcC,yBAA8B,kBAAkB,KAAK,GAAG;GACtE,UAAU,qBAAqB,MAAM,gBAAgB,QAAQ;GAC7D,WAAW;IACV,mCAAmC;KAClC,UAAU;KACV,MAAM;KACN;IACD,kCAAkC;KACjC,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;IACD,4BAA4B;KAC3B,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;IACD;GACD;;CAGF,iBACC,MACA,iBACqB;AACrB,SAAO;GACN,kBAAkB,8BAA8B,MAAM,gBAAgB;GACtE,cACC;GACD,aAAa;IAAE,MAAM;IAAQ,MAAM;IAAO,MAAM;IAAK;GACrD,iBAAiB;GACjB,SAAS;GACT;;CAGF,MAAM,iBAAiB,MAAyB,gBAA+C;AAC9F,QAAM,6BAA6B,MAAM,eAAe;AACxD,QAAM,8BAA8B,MAAM,eAAe;;CAE1D"}
1
+ {"version":3,"file":"index.js","names":["tcpHosts: Record<string, string>","authProfilesSecretCandidate: unknown","parsedBaseConfig: unknown","openclawLifecycle: GatewayLifecycle","buildGatewaySessionLabelValue"],"sources":["../src/openclaw-lifecycle.ts"],"sourcesContent":["import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type {\n\tBuildGatewayVmSpecOptions,\n\tGatewayLifecycle,\n\tGatewayProcessSpec,\n\tGatewayZoneConfig,\n\tGatewayVmSpec,\n} from '@agent-vm/gateway-interface';\nimport {\n\tbuildGatewaySessionLabel as buildGatewaySessionLabelValue,\n\tsplitResolvedGatewaySecrets,\n} from '@agent-vm/gateway-interface';\nimport {\n\ttype SecretRef,\n\ttype SecretResolver,\n\twriteFileAtomically,\n} from '@agent-vm/gondolin-adapter';\n\nconst effectiveOpenClawConfigFileName = 'effective-openclaw.json';\nconst effectiveOpenClawConfigVmPath = `/home/openclaw/.openclaw/state/${effectiveOpenClawConfigFileName}`;\nconst openClawStateDirVmPath = '/home/openclaw/.openclaw/state';\nconst openClawCacheDirVmPath = '/home/openclaw/.openclaw/cache';\nconst openClawZoneFilesDirVmPath = '/home/openclaw/zone-files';\nconst openClawPluginStageDirVmPath = '/opt/openclaw/plugin-runtime-deps';\nconst openClawShellEnvFilePath = '/etc/profile.d/openclaw-env.sh';\n\nfunction isObjectRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction buildGatewayTcpHosts(\n\tzone: GatewayZoneConfig,\n\tcontrollerPort: number,\n\ttcpPool: { readonly basePort: number; readonly size: number },\n): Record<string, string> {\n\tconst tcpHosts: Record<string, string> = {\n\t\t'controller.vm.host:18800': `127.0.0.1:${controllerPort}`,\n\t};\n\n\tfor (let slot = 0; slot < tcpPool.size; slot += 1) {\n\t\ttcpHosts[`tool-${slot}.vm.host:22`] = `127.0.0.1:${tcpPool.basePort + slot}`;\n\t}\n\n\tfor (const websocketHost of zone.websocketBypass) {\n\t\ttcpHosts[websocketHost] = websocketHost;\n\t}\n\n\treturn tcpHosts;\n}\n\nfunction buildOpenClawBootstrapCommand(\n\t_zone: GatewayZoneConfig,\n\t_resolvedSecrets: Record<string, string>,\n): string {\n\tconst environmentLines = [\n\t\t'export OPENCLAW_HOME=/home/openclaw',\n\t\t`export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,\n\t\t`export OPENCLAW_STATE_DIR=${openClawStateDirVmPath}`,\n\t\t`export OPENCLAW_PLUGIN_STAGE_DIR=${openClawPluginStageDirVmPath}`,\n\t\t'export TMPDIR=/work/tmp',\n\t\t'export TMP=/work/tmp',\n\t\t'export TEMP=/work/tmp',\n\t\t'export npm_config_cache=/work/cache/npm',\n\t\t'export pnpm_config_store_dir=/work/cache/pnpm/store',\n\t\t'export PIP_CACHE_DIR=/work/cache/pip',\n\t\t'export UV_CACHE_DIR=/work/cache/uv',\n\t\t'export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt',\n\t];\n\n\treturn (\n\t\t`mkdir -p /root /etc/profile.d /work/tmp /work/cache/npm /work/cache/pnpm/store /work/cache/pip /work/cache/uv && cat > ${openClawShellEnvFilePath} << ENVEOF\\n` +\n\t\tenvironmentLines.join('\\n') +\n\t\t'\\nENVEOF\\n' +\n\t\t`chmod 644 ${openClawShellEnvFilePath} && ` +\n\t\t'touch /root/.bashrc && ' +\n\t\t`grep -qxF 'source ${openClawShellEnvFilePath}' /root/.bashrc || echo 'source ${openClawShellEnvFilePath}' >> /root/.bashrc && ` +\n\t\t'touch /root/.bash_profile && ' +\n\t\t\"grep -qxF 'source /root/.bashrc' /root/.bash_profile || echo 'source /root/.bashrc' >> /root/.bash_profile\"\n\t);\n}\n\nfunction getEffectiveOpenClawConfigHostPath(zone: GatewayZoneConfig): string {\n\treturn path.join(zone.gateway.stateDir, effectiveOpenClawConfigFileName);\n}\n\nfunction shellQuote(value: string): string {\n\treturn `'${value.replace(/'/gu, `'\\\\''`)}'`;\n}\n\ntype SourceAwareSecretReference =\n\t| {\n\t\t\treadonly source: 'environment';\n\t\t\treadonly envVar: string;\n\t }\n\t| {\n\t\t\treadonly source: '1password';\n\t\t\treadonly ref: string;\n\t };\n\nfunction isSourceAwareSecretReference(value: unknown): value is SourceAwareSecretReference {\n\tif (typeof value !== 'object' || value === null) {\n\t\treturn false;\n\t}\n\n\tif (!('source' in value) || typeof value.source !== 'string') {\n\t\treturn false;\n\t}\n\n\tif (value.source === 'environment') {\n\t\treturn 'envVar' in value && typeof value.envVar === 'string';\n\t}\n\n\tif (value.source === '1password') {\n\t\treturn 'ref' in value && typeof value.ref === 'string';\n\t}\n\n\treturn false;\n}\n\nfunction toSecretRef(secret: SourceAwareSecretReference): SecretRef {\n\treturn secret.source === 'environment'\n\t\t? {\n\t\t\t\tsource: 'environment',\n\t\t\t\tref: secret.envVar,\n\t\t\t}\n\t\t: {\n\t\t\t\tsource: '1password',\n\t\t\t\tref: secret.ref,\n\t\t\t};\n}\n\nfunction describeSecretReference(secret: SourceAwareSecretReference): string {\n\treturn secret.source === 'environment' ? secret.envVar : secret.ref;\n}\n\nasync function writeAuthProfilesIfConfigured(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst authProfilesSecretCandidate: unknown = zone.gateway.authProfilesRef;\n\tif (authProfilesSecretCandidate === undefined) {\n\t\treturn;\n\t}\n\tif (!isSourceAwareSecretReference(authProfilesSecretCandidate)) {\n\t\tthrow new Error(`Zone '${zone.id}' has an invalid authProfilesRef shape.`);\n\t}\n\tconst authProfilesSecret = authProfilesSecretCandidate;\n\n\ttry {\n\t\tconst authProfilesDirectory = path.join(zone.gateway.stateDir, 'agents', 'main', 'agent');\n\t\tawait fs.mkdir(authProfilesDirectory, { recursive: true, mode: 0o700 });\n\t\tawait fs.chmod(authProfilesDirectory, 0o700);\n\t\tconst authProfiles = await secretResolver.resolve(toSecretRef(authProfilesSecret));\n\t\tawait writeFileAtomically(\n\t\t\tpath.join(authProfilesDirectory, 'auth-profiles.json'),\n\t\t\tauthProfiles,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write OpenClaw auth profiles for zone '${zone.id}' from '${describeSecretReference(authProfilesSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nasync function writeEffectiveOpenClawConfig(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst gatewayTokenSecret = zone.secrets.OPENCLAW_GATEWAY_TOKEN;\n\tif (!gatewayTokenSecret) {\n\t\tthrow new Error(\n\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing. Add an explicit 1Password or environment reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t);\n\t}\n\tif (!isSourceAwareSecretReference(gatewayTokenSecret)) {\n\t\tthrow new Error(`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' has an invalid shape.`);\n\t}\n\n\ttry {\n\t\tif (gatewayTokenSecret.source === '1password' && !gatewayTokenSecret.ref) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'ref'. Add an explicit 1Password reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t\t);\n\t\t}\n\t\tif (gatewayTokenSecret.source === 'environment' && !gatewayTokenSecret.envVar) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'envVar'. Add an explicit environment variable name.`,\n\t\t\t);\n\t\t}\n\t\tconst gatewayToken = await secretResolver.resolve(toSecretRef(gatewayTokenSecret));\n\t\tconst rawBaseConfig = await fs.readFile(zone.gateway.config, 'utf8');\n\t\tconst parsedBaseConfig: unknown = JSON.parse(rawBaseConfig);\n\t\tif (!isObjectRecord(parsedBaseConfig)) {\n\t\t\tthrow new Error(`OpenClaw config at '${zone.gateway.config}' must be a JSON object.`);\n\t\t}\n\t\tconst config = isObjectRecord(parsedBaseConfig.gateway) ? parsedBaseConfig.gateway : {};\n\t\tconst existingAuthConfig = isObjectRecord(config.auth) ? config.auth : {};\n\t\tconst effectiveConfig = {\n\t\t\t...parsedBaseConfig,\n\t\t\tgateway: {\n\t\t\t\t...config,\n\t\t\t\tauth: {\n\t\t\t\t\t...existingAuthConfig,\n\t\t\t\t\tmode: 'token',\n\t\t\t\t\ttoken: gatewayToken,\n\t\t\t\t},\n\t\t\t},\n\t\t\tmeta: {\n\t\t\t\t...(isObjectRecord(parsedBaseConfig.meta) ? parsedBaseConfig.meta : {}),\n\t\t\t\tlastTouchedAt: new Date().toISOString(),\n\t\t\t\tlastTouchedVersion: 'agent-vm',\n\t\t\t},\n\t\t};\n\t\tconst effectiveConfigPath = getEffectiveOpenClawConfigHostPath(zone);\n\t\tawait fs.mkdir(zone.gateway.stateDir, { recursive: true, mode: 0o700 });\n\t\tawait fs.chmod(zone.gateway.stateDir, 0o700);\n\t\tawait writeFileAtomically(\n\t\t\teffectiveConfigPath,\n\t\t\t`${JSON.stringify(effectiveConfig, null, 2)}\\n`,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write effective OpenClaw config for zone '${zone.id}' from '${zone.gateway.config}' using secret '${describeSecretReference(gatewayTokenSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nexport const openclawLifecycle: GatewayLifecycle = {\n\tauthConfig: {\n\t\tlistProvidersCommand: 'openclaw models auth list --format plain 2>/dev/null || echo \"\"',\n\t\tbuildLoginCommand: (\n\t\t\tprovider: string,\n\t\t\toptions: { readonly deviceCode?: boolean; readonly setDefault?: boolean } = {},\n\t\t): string =>\n\t\t\t[\n\t\t\t\t`openclaw models auth login --provider ${shellQuote(provider)}`,\n\t\t\t\t...(options.deviceCode === true ? ['--device-code'] : []),\n\t\t\t\t...(options.setDefault === true ? ['--set-default'] : []),\n\t\t\t].join(' '),\n\t},\n\n\tbuildVmSpec({\n\t\tcontrollerPort,\n\t\tgatewayCacheDir,\n\t\tprojectNamespace,\n\t\tresolvedSecrets,\n\t\ttcpPool,\n\t\tzone,\n\t}: BuildGatewayVmSpecOptions): GatewayVmSpec {\n\t\tif (zone.gateway.type !== 'openclaw') {\n\t\t\tthrow new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);\n\t\t}\n\t\tconst configDirectory = path.dirname(path.resolve(zone.gateway.config));\n\t\tconst { environmentSecrets, mediatedSecrets } = splitResolvedGatewaySecrets(\n\t\t\tzone,\n\t\t\tresolvedSecrets,\n\t\t);\n\t\tconst { OPENCLAW_GATEWAY_TOKEN: _gatewayToken, ...environmentSecretsWithoutGatewayToken } =\n\t\t\tenvironmentSecrets;\n\n\t\treturn {\n\t\t\tallowedHosts: [...zone.allowedHosts],\n\t\t\tenvironment: {\n\t\t\t\tHOME: '/home/openclaw',\n\t\t\t\tNODE_EXTRA_CA_CERTS: '/run/gondolin/ca-certificates.crt',\n\t\t\t\tOPENCLAW_CONFIG_PATH: effectiveOpenClawConfigVmPath,\n\t\t\t\tOPENCLAW_HOME: '/home/openclaw',\n\t\t\t\tOPENCLAW_PLUGIN_STAGE_DIR: openClawPluginStageDirVmPath,\n\t\t\t\tOPENCLAW_STATE_DIR: openClawStateDirVmPath,\n\t\t\t\tPIP_CACHE_DIR: '/work/cache/pip',\n\t\t\t\tTEMP: '/work/tmp',\n\t\t\t\tTMP: '/work/tmp',\n\t\t\t\tTMPDIR: '/work/tmp',\n\t\t\t\tUV_CACHE_DIR: '/work/cache/uv',\n\t\t\t\tnpm_config_cache: '/work/cache/npm',\n\t\t\t\tpnpm_config_store_dir: '/work/cache/pnpm/store',\n\t\t\t\t...environmentSecretsWithoutGatewayToken,\n\t\t\t},\n\t\t\tmediatedSecrets,\n\t\t\trootfsMode: 'cow',\n\t\t\tsessionLabel: buildGatewaySessionLabelValue(projectNamespace, zone.id),\n\t\t\ttcpHosts: buildGatewayTcpHosts(zone, controllerPort, tcpPool),\n\t\t\tvfsMounts: {\n\t\t\t\t'/home/openclaw/.openclaw/config': {\n\t\t\t\t\thostPath: configDirectory,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawCacheDirVmPath]: {\n\t\t\t\t\thostPath: gatewayCacheDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t'/home/openclaw/.openclaw/state': {\n\t\t\t\t\thostPath: zone.gateway.stateDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawZoneFilesDirVmPath]: {\n\t\t\t\t\thostPath: zone.gateway.zoneFilesDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t},\n\t\t};\n\t},\n\n\tbuildProcessSpec(\n\t\tzone: GatewayZoneConfig,\n\t\tresolvedSecrets: Record<string, string>,\n\t): GatewayProcessSpec {\n\t\treturn {\n\t\t\tbootstrapCommand: buildOpenClawBootstrapCommand(zone, resolvedSecrets),\n\t\t\tstartCommand:\n\t\t\t\t'cd /home/openclaw && nohup openclaw gateway --port 18789 > /tmp/openclaw.log 2>&1 &',\n\t\t\thealthCheck: {\n\t\t\t\ttype: 'command',\n\t\t\t\tcommand: `grep -q 'ready (' /tmp/openclaw.log`,\n\t\t\t},\n\t\t\tguestListenPort: 18789,\n\t\t\tlogPath: '/tmp/openclaw.log',\n\t\t};\n\t},\n\n\tasync prepareHostState(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void> {\n\t\tawait writeEffectiveOpenClawConfig(zone, secretResolver);\n\t\tawait writeAuthProfilesIfConfigured(zone, secretResolver);\n\t},\n};\n"],"mappings":";;;;;;AAoBA,MAAM,kCAAkC;AACxC,MAAM,gCAAgC,kCAAkC;AACxE,MAAM,yBAAyB;AAC/B,MAAM,yBAAyB;AAC/B,MAAM,6BAA6B;AACnC,MAAM,+BAA+B;AACrC,MAAM,2BAA2B;AAEjC,SAAS,eAAe,OAAkD;AACzE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,qBACR,MACA,gBACA,SACyB;CACzB,MAAMA,WAAmC,EACxC,4BAA4B,aAAa,kBACzC;AAED,MAAK,IAAI,OAAO,GAAG,OAAO,QAAQ,MAAM,QAAQ,EAC/C,UAAS,QAAQ,KAAK,gBAAgB,aAAa,QAAQ,WAAW;AAGvE,MAAK,MAAM,iBAAiB,KAAK,gBAChC,UAAS,iBAAiB;AAG3B,QAAO;;AAGR,SAAS,8BACR,OACA,kBACS;CACT,MAAM,mBAAmB;EACxB;EACA,+BAA+B;EAC/B,6BAA6B;EAC7B,oCAAoC;EACpC;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;AAED,QACC,0HAA0H,yBAAyB,gBACnJ,iBAAiB,KAAK,KAAK,GAC3B;;YACa,yBAAyB,+CAEjB,yBAAyB,kCAAkC,yBAAyB;;AAM3G,SAAS,mCAAmC,MAAiC;AAC5E,QAAO,KAAK,KAAK,KAAK,QAAQ,UAAU,gCAAgC;;AAGzE,SAAS,WAAW,OAAuB;AAC1C,QAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,CAAC;;AAa1C,SAAS,6BAA6B,OAAqD;AAC1F,KAAI,OAAO,UAAU,YAAY,UAAU,KAC1C,QAAO;AAGR,KAAI,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,SACnD,QAAO;AAGR,KAAI,MAAM,WAAW,cACpB,QAAO,YAAY,SAAS,OAAO,MAAM,WAAW;AAGrD,KAAI,MAAM,WAAW,YACpB,QAAO,SAAS,SAAS,OAAO,MAAM,QAAQ;AAG/C,QAAO;;AAGR,SAAS,YAAY,QAA+C;AACnE,QAAO,OAAO,WAAW,gBACtB;EACA,QAAQ;EACR,KAAK,OAAO;EACZ,GACA;EACA,QAAQ;EACR,KAAK,OAAO;EACZ;;AAGJ,SAAS,wBAAwB,QAA4C;AAC5E,QAAO,OAAO,WAAW,gBAAgB,OAAO,SAAS,OAAO;;AAGjE,eAAe,8BACd,MACA,gBACgB;CAChB,MAAMC,8BAAuC,KAAK,QAAQ;AAC1D,KAAI,gCAAgC,OACnC;AAED,KAAI,CAAC,6BAA6B,4BAA4B,CAC7D,OAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yCAAyC;CAE3E,MAAM,qBAAqB;AAE3B,KAAI;EACH,MAAM,wBAAwB,KAAK,KAAK,KAAK,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AACzF,QAAM,GAAG,MAAM,uBAAuB;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;AACvE,QAAM,GAAG,MAAM,uBAAuB,IAAM;EAC5C,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;AAClF,QAAM,oBACL,KAAK,KAAK,uBAAuB,qBAAqB,EACtD,cACA,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;AACtE,QAAM,IAAI,MACT,oDAAoD,KAAK,GAAG,UAAU,wBAAwB,mBAAmB,CAAC,KAAK,WACvH,EAAE,OAAO,OAAO,CAChB;;;AAIH,eAAe,6BACd,MACA,gBACgB;CAChB,MAAM,qBAAqB,KAAK,QAAQ;AACxC,KAAI,CAAC,mBACJ,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,0HAA0H,KAAK,GAAG,0BACnJ;AAEF,KAAI,CAAC,6BAA6B,mBAAmB,CACpD,OAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yDAAyD;AAG3F,KAAI;AACH,MAAI,mBAAmB,WAAW,eAAe,CAAC,mBAAmB,IACpE,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,iHAAiH,KAAK,GAAG,0BAC1I;AAEF,MAAI,mBAAmB,WAAW,iBAAiB,CAAC,mBAAmB,OACtE,OAAM,IAAI,MACT,SAAS,KAAK,GAAG,mGACjB;EAEF,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;EAClF,MAAM,gBAAgB,MAAM,GAAG,SAAS,KAAK,QAAQ,QAAQ,OAAO;EACpE,MAAMC,mBAA4B,KAAK,MAAM,cAAc;AAC3D,MAAI,CAAC,eAAe,iBAAiB,CACpC,OAAM,IAAI,MAAM,uBAAuB,KAAK,QAAQ,OAAO,0BAA0B;EAEtF,MAAM,SAAS,eAAe,iBAAiB,QAAQ,GAAG,iBAAiB,UAAU,EAAE;EACvF,MAAM,qBAAqB,eAAe,OAAO,KAAK,GAAG,OAAO,OAAO,EAAE;EACzE,MAAM,kBAAkB;GACvB,GAAG;GACH,SAAS;IACR,GAAG;IACH,MAAM;KACL,GAAG;KACH,MAAM;KACN,OAAO;KACP;IACD;GACD,MAAM;IACL,GAAI,eAAe,iBAAiB,KAAK,GAAG,iBAAiB,OAAO,EAAE;IACtE,gCAAe,IAAI,MAAM,EAAC,aAAa;IACvC,oBAAoB;IACpB;GACD;EACD,MAAM,sBAAsB,mCAAmC,KAAK;AACpE,QAAM,GAAG,MAAM,KAAK,QAAQ,UAAU;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;AACvE,QAAM,GAAG,MAAM,KAAK,QAAQ,UAAU,IAAM;AAC5C,QAAM,oBACL,qBACA,GAAG,KAAK,UAAU,iBAAiB,MAAM,EAAE,CAAC,KAC5C,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;AACtE,QAAM,IAAI,MACT,uDAAuD,KAAK,GAAG,UAAU,KAAK,QAAQ,OAAO,kBAAkB,wBAAwB,mBAAmB,CAAC,KAAK,WAChK,EAAE,OAAO,OAAO,CAChB;;;AAIH,MAAaC,oBAAsC;CAClD,YAAY;EACX,sBAAsB;EACtB,oBACC,UACA,UAA4E,EAAE,KAE9E;GACC,yCAAyC,WAAW,SAAS;GAC7D,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,CAAC,KAAK,IAAI;EACZ;CAED,YAAY,EACX,gBACA,iBACA,kBACA,iBACA,SACA,QAC4C;AAC5C,MAAI,KAAK,QAAQ,SAAS,WACzB,OAAM,IAAI,MAAM,iDAAiD,KAAK,QAAQ,KAAK,IAAI;EAExF,MAAM,kBAAkB,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,OAAO,CAAC;EACvE,MAAM,EAAE,oBAAoB,oBAAoB,4BAC/C,MACA,gBACA;EACD,MAAM,EAAE,wBAAwB,cAAe,GAAG,0CACjD;AAED,SAAO;GACN,cAAc,CAAC,GAAG,KAAK,aAAa;GACpC,aAAa;IACZ,MAAM;IACN,qBAAqB;IACrB,sBAAsB;IACtB,eAAe;IACf,2BAA2B;IAC3B,oBAAoB;IACpB,eAAe;IACf,MAAM;IACN,KAAK;IACL,QAAQ;IACR,cAAc;IACd,kBAAkB;IAClB,uBAAuB;IACvB,GAAG;IACH;GACD;GACA,YAAY;GACZ,cAAcC,yBAA8B,kBAAkB,KAAK,GAAG;GACtE,UAAU,qBAAqB,MAAM,gBAAgB,QAAQ;GAC7D,WAAW;IACV,mCAAmC;KAClC,UAAU;KACV,MAAM;KACN;KACA,yBAAyB;KACzB,UAAU;KACV,MAAM;KACN;IACD,kCAAkC;KACjC,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;KACA,6BAA6B;KAC7B,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;IACD;GACD;;CAGF,iBACC,MACA,iBACqB;AACrB,SAAO;GACN,kBAAkB,8BAA8B,MAAM,gBAAgB;GACtE,cACC;GACD,aAAa;IACZ,MAAM;IACN,SAAS;IACT;GACD,iBAAiB;GACjB,SAAS;GACT;;CAGF,MAAM,iBAAiB,MAAyB,gBAA+C;AAC9F,QAAM,6BAA6B,MAAM,eAAe;AACxD,QAAM,8BAA8B,MAAM,eAAe;;CAE1D"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-vm/openclaw-gateway",
3
- "version": "0.0.30",
3
+ "version": "0.0.32",
4
4
  "description": "OpenClaw gateway lifecycle running inside a Gondolin VM.",
5
5
  "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
6
6
  "bugs": {
@@ -29,8 +29,8 @@
29
29
  "access": "public"
30
30
  },
31
31
  "dependencies": {
32
- "@agent-vm/gateway-interface": "0.0.30",
33
- "@agent-vm/gondolin-adapter": "0.0.30"
32
+ "@agent-vm/gateway-interface": "0.0.32",
33
+ "@agent-vm/gondolin-adapter": "0.0.32"
34
34
  },
35
35
  "scripts": {
36
36
  "build": "tsdown",