@agent-vm/openclaw-gateway 0.0.69 → 0.0.70

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/index.d.ts.map +1 -1
  2. package/dist/index.js +48 -21
  3. package/dist/index.js.map +1 -1
  4. package/package.json +4 -3
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/openclaw-lifecycle.ts"],"mappings":";;;cA8aa,iBAAA,EAAmB,gBAAA"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/openclaw-lifecycle.ts"],"mappings":";;;cA+da,iBAAA,EAAmB,gBAAA"}
package/dist/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import { chmod, mkdir, readFile } from "node:fs/promises";
2
2
  import path from "node:path";
3
- import { buildGatewaySessionLabel, controllerVmHost, gatewayVmAllowedHosts, splitResolvedGatewaySecrets } from "@agent-vm/gateway-interface";
3
+ import { buildGatewaySessionLabel, controllerVmHost, gatewayVmAllowedHosts, mergeRuntimeGatewaySecrets, splitResolvedGatewaySecrets } from "@agent-vm/gateway-interface";
4
4
  import { writeFileAtomically } from "@agent-vm/gondolin-adapter";
5
5
  //#region src/openclaw-lifecycle.ts
6
6
  const effectiveOpenClawConfigFileName = "effective-openclaw.json";
@@ -13,8 +13,9 @@ const openClawRuntimeLogFileVmPath = `${agentVmLogsDirVmPath}/openclaw-YYYY-MM-D
13
13
  const openClawGatewayBootLogFileVmPath = `${agentVmLogsDirVmPath}/gateway-boot-latest.log`;
14
14
  const openClawShellEnvFilePath = "/etc/profile.d/openclaw-env.sh";
15
15
  const openClawRuntimeSecretsEnvFilePath = "/run/openclaw/secrets.env";
16
+ const openClawGatewayTokenEnvVar = "OPENCLAW_GATEWAY_TOKEN";
16
17
  const openClawGatewayTokenSecretRef = {
17
- id: "OPENCLAW_GATEWAY_TOKEN",
18
+ id: openClawGatewayTokenEnvVar,
18
19
  provider: "default",
19
20
  source: "env"
20
21
  };
@@ -28,7 +29,12 @@ function buildGatewayTcpHosts(zone, controllerPort, tcpPool) {
28
29
  return tcpHosts;
29
30
  }
30
31
  function buildOpenClawBootstrapCommand(zone, resolvedSecrets) {
31
- const { environmentSecrets } = splitResolvedGatewaySecrets(zone, resolvedSecrets);
32
+ const { environmentSecrets } = mergeRuntimeGatewaySecrets(splitAllowedOpenClawGatewaySecrets(zone, resolvedSecrets, "openclaw-bootstrap-raw-env-secrets"), {
33
+ logPrefix: "openclaw-bootstrap-runtime-secrets",
34
+ runtimeEnvironment: zone.runtimeEnvironment,
35
+ runtimeMediatedSecrets: zone.runtimeMediatedSecrets
36
+ });
37
+ assertAllowedOpenClawEnvironmentSecrets(zone, environmentSecrets, "openclaw-bootstrap-runtime-raw-env-secrets");
32
38
  const environmentLines = [
33
39
  "export OPENCLAW_HOME=/home/openclaw",
34
40
  `export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,
@@ -45,11 +51,15 @@ function buildOpenClawBootstrapCommand(zone, resolvedSecrets) {
45
51
  "export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt",
46
52
  "export NODE_OPTIONS=--dns-result-order=ipv4first"
47
53
  ];
48
- const secretEnvironmentLines = Object.entries({
54
+ const secretEnvironmentNames = Object.entries({
49
55
  ...environmentSecrets,
50
56
  ...zone.runtimeEnvironment
51
- }).map(([secretName, secretValue]) => `export ${secretName}=${shellQuoteEnvSecretValue(secretName, secretValue)}`);
52
- const secretsFileCommand = secretEnvironmentLines.length === 0 ? `: > ${openClawRuntimeSecretsEnvFilePath} && ` : `printf '%s\\n' ${secretEnvironmentLines.map((line) => shellQuote(line)).join(" ")} > ${openClawRuntimeSecretsEnvFilePath} && `;
57
+ }).map(([secretName, secretValue]) => {
58
+ assertShellSafeEnvName(secretName);
59
+ assertShellProfileSafeSecretValue(secretName, secretValue);
60
+ return secretName;
61
+ });
62
+ const secretsFileCommand = secretEnvironmentNames.length === 0 ? `: > ${openClawRuntimeSecretsEnvFilePath} && ` : `{ ${secretEnvironmentNames.map(runtimeSecretExportCommand).join("; ")}; } > ${openClawRuntimeSecretsEnvFilePath} && `;
53
63
  const sshConfigCommand = `mkdir -p /root/.ssh /home/openclaw/.ssh && printf '%s\\n' ${["Host tool-*.vm.host", " AddressFamily inet"].map((line) => shellQuote(line)).join(" ")} > /root/.ssh/config && cp /root/.ssh/config /home/openclaw/.ssh/config && chown -R openclaw:openclaw /home/openclaw/.ssh && chmod 700 /root/.ssh /home/openclaw/.ssh && chmod 600 /root/.ssh/config /home/openclaw/.ssh/config && `;
54
64
  return `mkdir -p /root /etc/profile.d /run/openclaw /work/tmp /work/cache/npm /work/cache/pnpm/store /work/cache/pip /work/cache/uv && chown -R openclaw:openclaw /work && cat > ${openClawShellEnvFilePath} << 'ENVEOF'\n` + environmentLines.join("\n") + `
55
65
  ENVEOF
@@ -68,9 +78,28 @@ function includesShellUnsafeControlByte(value) {
68
78
  }
69
79
  return false;
70
80
  }
71
- function shellQuoteEnvSecretValue(secretName, value) {
81
+ function assertShellSafeEnvName(secretName) {
82
+ if (!/^[_A-Za-z][_0-9A-Za-z]*$/u.test(secretName)) throw new Error(`OpenClaw env-injected gateway secret '${secretName}' must be a shell-safe environment variable name.`);
83
+ }
84
+ function assertShellProfileSafeSecretValue(secretName, value) {
72
85
  if (includesShellUnsafeControlByte(value)) throw new Error(`OpenClaw env-injected gateway secret '${secretName}' must be a single-line value without control bytes. Use http-mediation for secrets that require structured transport.`);
73
- return shellQuote(value);
86
+ }
87
+ function runtimeSecretExportCommand(secretName) {
88
+ const runtimeSecretValue = `"\${${secretName}?missing runtime secret ${secretName}}"`;
89
+ return `: ${runtimeSecretValue} && printf '%s\\n' ${shellQuote(`export ${secretName}=${runtimeSecretValue}`)}`;
90
+ }
91
+ function assertAllowedOpenClawEnvironmentSecrets(zone, environmentSecrets, logPrefix) {
92
+ if (zone.gateway.type !== "openclaw") throw new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);
93
+ const allowedRawEnvSecrets = new Set([openClawGatewayTokenEnvVar, ...zone.gateway.rawEnvSecrets ?? []]);
94
+ for (const secretName of Object.keys(environmentSecrets)) {
95
+ if (allowedRawEnvSecrets.has(secretName)) continue;
96
+ throw new Error(`[${logPrefix}] OpenClaw env secret '${secretName}' must be listed in gateway.rawEnvSecrets or use injection 'http-mediation'.`);
97
+ }
98
+ }
99
+ function splitAllowedOpenClawGatewaySecrets(zone, resolvedSecrets, logPrefix) {
100
+ const splitSecrets = splitResolvedGatewaySecrets(zone, resolvedSecrets);
101
+ assertAllowedOpenClawEnvironmentSecrets(zone, splitSecrets.environmentSecrets, logPrefix);
102
+ return splitSecrets;
74
103
  }
75
104
  function isSourceAwareSecretReference(value) {
76
105
  if (typeof value !== "object" || value === null) return false;
@@ -102,11 +131,8 @@ function buildEffectiveSecretsConfig(parsedBaseConfig) {
102
131
  }
103
132
  };
104
133
  }
105
- function buildEffectiveMcpPortalPluginConfig(existingPluginConfig, runtimeConfig) {
106
- return {
107
- ...typeof existingPluginConfig.binPath === "string" ? { binPath: existingPluginConfig.binPath } : {},
108
- ...runtimeConfig
109
- };
134
+ function buildEffectiveMcpPortalPluginConfig(_existingPluginConfig, runtimeConfig) {
135
+ return { ...runtimeConfig };
110
136
  }
111
137
  function buildEffectivePluginsConfig(parsedBaseConfig, runtimePluginConfigs) {
112
138
  const existingPluginsConfig = isObjectRecord(parsedBaseConfig.plugins) ? parsedBaseConfig.plugins : {};
@@ -182,10 +208,7 @@ async function writeEffectiveOpenClawConfig(zone) {
182
208
  const rawBaseConfig = await readFile(zone.gateway.config, "utf8");
183
209
  const parsedBaseConfig = JSON.parse(rawBaseConfig);
184
210
  if (!isObjectRecord(parsedBaseConfig)) throw new Error(`OpenClaw config at '${zone.gateway.config}' must be a JSON object.`);
185
- const runtimePluginConfigs = {
186
- ...zone.mcp === void 0 ? {} : { "mcp-portal": { configDir: "/home/openclaw/.openclaw/config" } },
187
- ...zone.runtimePluginConfigs
188
- };
211
+ const runtimePluginConfigs = { ...zone.runtimePluginConfigs };
189
212
  const config = isObjectRecord(parsedBaseConfig.gateway) ? parsedBaseConfig.gateway : {};
190
213
  const existingAuthConfig = isObjectRecord(config.auth) ? config.auth : {};
191
214
  const effectiveConfig = {
@@ -234,7 +257,12 @@ const openclawLifecycle = {
234
257
  buildVmSpec({ controllerPort, gatewayCacheDir, projectNamespace, resolvedSecrets, runtimeDir, tcpPool, zone }) {
235
258
  if (zone.gateway.type !== "openclaw") throw new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);
236
259
  const configDirectory = path.dirname(path.resolve(zone.gateway.config));
237
- const { environmentSecrets, mediatedSecrets } = splitResolvedGatewaySecrets(zone, resolvedSecrets);
260
+ const { environmentSecrets, mediatedSecrets } = mergeRuntimeGatewaySecrets(splitAllowedOpenClawGatewaySecrets(zone, resolvedSecrets, "openclaw-vm-raw-env-secrets"), {
261
+ logPrefix: "openclaw-vm-runtime-secrets",
262
+ runtimeEnvironment: zone.runtimeEnvironment,
263
+ runtimeMediatedSecrets: zone.runtimeMediatedSecrets
264
+ });
265
+ assertAllowedOpenClawEnvironmentSecrets(zone, environmentSecrets, "openclaw-vm-runtime-raw-env-secrets");
238
266
  return {
239
267
  allowedHosts: gatewayVmAllowedHosts(zone.egressHosts),
240
268
  environment: {
@@ -253,10 +281,9 @@ const openclawLifecycle = {
253
281
  UV_CACHE_DIR: "/work/cache/uv",
254
282
  npm_config_cache: "/work/cache/npm",
255
283
  pnpm_config_store_dir: "/work/cache/pnpm/store",
256
- ...environmentSecrets,
257
- ...zone.runtimeEnvironment
284
+ ...environmentSecrets
258
285
  },
259
- mediatedSecrets,
286
+ mediatedSecrets: { ...mediatedSecrets },
260
287
  rootfsMode: "cow",
261
288
  sessionLabel: buildGatewaySessionLabel(projectNamespace, zone.id),
262
289
  tcpHosts: buildGatewayTcpHosts(zone, controllerPort, tcpPool),
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["buildGatewaySessionLabelValue"],"sources":["../src/openclaw-lifecycle.ts"],"sourcesContent":["import { chmod, mkdir, readFile } from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type {\n\tBuildGatewayVmSpecOptions,\n\tGatewayLifecycle,\n\tGatewayProcessSpec,\n\tGatewayZoneConfig,\n\tGatewayVmSpec,\n} from '@agent-vm/gateway-interface';\nimport {\n\tbuildGatewaySessionLabel as buildGatewaySessionLabelValue,\n\tcontrollerVmHost,\n\tgatewayVmAllowedHosts,\n\tsplitResolvedGatewaySecrets,\n} from '@agent-vm/gateway-interface';\nimport {\n\ttype SecretRef,\n\ttype SecretResolver,\n\twriteFileAtomically,\n} from '@agent-vm/gondolin-adapter';\n\nconst effectiveOpenClawConfigFileName = 'effective-openclaw.json';\nconst effectiveOpenClawConfigVmPath = `/home/openclaw/.openclaw/state/${effectiveOpenClawConfigFileName}`;\nconst openClawStateDirVmPath = '/home/openclaw/.openclaw/state';\nconst openClawCacheDirVmPath = '/home/openclaw/.openclaw/cache';\nconst openClawZoneFilesDirVmPath = '/zone';\nconst agentVmLogsDirVmPath = '/agent-vm/logs';\nconst openClawRuntimeLogFileVmPath = `${agentVmLogsDirVmPath}/openclaw-YYYY-MM-DD.log`;\nconst openClawGatewayBootLogFileVmPath = `${agentVmLogsDirVmPath}/gateway-boot-latest.log`;\nconst openClawShellEnvFilePath = '/etc/profile.d/openclaw-env.sh';\nconst openClawRuntimeSecretsEnvFilePath = '/run/openclaw/secrets.env';\nconst openClawGatewayTokenEnvVar = 'OPENCLAW_GATEWAY_TOKEN';\n\ninterface OpenClawSecretRef {\n\treadonly id: string;\n\treadonly provider: string;\n\treadonly source: 'env';\n}\n\nconst openClawGatewayTokenSecretRef: OpenClawSecretRef = {\n\tid: openClawGatewayTokenEnvVar,\n\tprovider: 'default',\n\tsource: 'env',\n};\n\nfunction isObjectRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction buildGatewayTcpHosts(\n\tzone: GatewayZoneConfig,\n\tcontrollerPort: number,\n\ttcpPool: { readonly basePort: number; readonly size: number },\n): Record<string, string> {\n\tconst tcpHosts: Record<string, string> = {\n\t\t[`${controllerVmHost}:18800`]: `127.0.0.1:${controllerPort}`,\n\t};\n\n\tfor (let slot = 0; slot < tcpPool.size; slot += 1) {\n\t\ttcpHosts[`tool-${slot}.vm.host:22`] = `127.0.0.1:${tcpPool.basePort + slot}`;\n\t}\n\n\tfor (const websocketHost of zone.websocketBypass) {\n\t\ttcpHosts[websocketHost] = websocketHost;\n\t}\n\n\treturn tcpHosts;\n}\n\nfunction buildOpenClawBootstrapCommand(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): string {\n\tconst { environmentSecrets } = splitResolvedGatewaySecrets(zone, resolvedSecrets);\n\tconst environmentLines = [\n\t\t'export OPENCLAW_HOME=/home/openclaw',\n\t\t`export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,\n\t\t`export OPENCLAW_STATE_DIR=${openClawStateDirVmPath}`,\n\t\t'export PNPM_HOME=/pnpm',\n\t\t'export PATH=/pnpm:$PATH',\n\t\t'export TMPDIR=/work/tmp',\n\t\t'export TMP=/work/tmp',\n\t\t'export TEMP=/work/tmp',\n\t\t'export npm_config_cache=/work/cache/npm',\n\t\t'export pnpm_config_store_dir=/work/cache/pnpm/store',\n\t\t'export PIP_CACHE_DIR=/work/cache/pip',\n\t\t'export UV_CACHE_DIR=/work/cache/uv',\n\t\t'export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt',\n\t\t'export NODE_OPTIONS=--dns-result-order=ipv4first',\n\t];\n\tconst secretEnvironmentLines = Object.entries({\n\t\t...environmentSecrets,\n\t\t...zone.runtimeEnvironment,\n\t}).map(\n\t\t([secretName, secretValue]) =>\n\t\t\t`export ${secretName}=${shellQuoteEnvSecretValue(secretName, secretValue)}`,\n\t);\n\tconst secretsFileCommand =\n\t\tsecretEnvironmentLines.length === 0\n\t\t\t? `: > ${openClawRuntimeSecretsEnvFilePath} && `\n\t\t\t: `printf '%s\\\\n' ${secretEnvironmentLines.map((line) => shellQuote(line)).join(' ')} > ${openClawRuntimeSecretsEnvFilePath} && `;\n\tconst sshConfigLines = ['Host tool-*.vm.host', ' AddressFamily inet'];\n\tconst sshConfigCommand =\n\t\t`mkdir -p /root/.ssh /home/openclaw/.ssh && ` +\n\t\t`printf '%s\\\\n' ${sshConfigLines.map((line) => shellQuote(line)).join(' ')} > /root/.ssh/config && ` +\n\t\t'cp /root/.ssh/config /home/openclaw/.ssh/config && ' +\n\t\t'chown -R openclaw:openclaw /home/openclaw/.ssh && ' +\n\t\t'chmod 700 /root/.ssh /home/openclaw/.ssh && ' +\n\t\t'chmod 600 /root/.ssh/config /home/openclaw/.ssh/config && ';\n\n\treturn (\n\t\t`mkdir -p /root /etc/profile.d /run/openclaw /work/tmp /work/cache/npm /work/cache/pnpm/store /work/cache/pip /work/cache/uv && chown -R openclaw:openclaw /work && cat > ${openClawShellEnvFilePath} << 'ENVEOF'\\n` +\n\t\tenvironmentLines.join('\\n') +\n\t\t'\\nENVEOF\\n' +\n\t\t`chmod 644 ${openClawShellEnvFilePath} && ` +\n\t\tsecretsFileCommand +\n\t\t`chmod 600 ${openClawRuntimeSecretsEnvFilePath} && ` +\n\t\tsshConfigCommand +\n\t\t'touch /root/.bashrc && ' +\n\t\t`grep -qxF 'source ${openClawShellEnvFilePath}' /root/.bashrc || echo 'source ${openClawShellEnvFilePath}' >> /root/.bashrc && ` +\n\t\t'touch /root/.bash_profile && ' +\n\t\t\"grep -qxF 'source /root/.bashrc' /root/.bash_profile || echo 'source /root/.bashrc' >> /root/.bash_profile\"\n\t);\n}\n\nfunction getEffectiveOpenClawConfigHostPath(zone: GatewayZoneConfig): string {\n\treturn path.join(zone.gateway.stateDir, effectiveOpenClawConfigFileName);\n}\n\nfunction shellQuote(value: string): string {\n\treturn `'${value.replace(/'/gu, `'\\\\''`)}'`;\n}\n\nfunction includesShellUnsafeControlByte(value: string): boolean {\n\tfor (const character of value) {\n\t\tconst codePoint = character.codePointAt(0);\n\t\tif (codePoint !== undefined && (codePoint <= 0x1f || codePoint === 0x7f)) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}\n\nfunction shellQuoteEnvSecretValue(secretName: string, value: string): string {\n\tif (includesShellUnsafeControlByte(value)) {\n\t\tthrow new Error(\n\t\t\t`OpenClaw env-injected gateway secret '${secretName}' must be a single-line value without control bytes. Use http-mediation for secrets that require structured transport.`,\n\t\t);\n\t}\n\treturn shellQuote(value);\n}\n\ntype SourceAwareSecretReference =\n\t| {\n\t\t\treadonly source: 'environment';\n\t\t\treadonly envVar: string;\n\t }\n\t| {\n\t\t\treadonly source: '1password';\n\t\t\treadonly ref: string;\n\t };\n\nfunction isSourceAwareSecretReference(value: unknown): value is SourceAwareSecretReference {\n\tif (typeof value !== 'object' || value === null) {\n\t\treturn false;\n\t}\n\n\tif (!('source' in value) || typeof value.source !== 'string') {\n\t\treturn false;\n\t}\n\n\tif (value.source === 'environment') {\n\t\treturn 'envVar' in value && typeof value.envVar === 'string';\n\t}\n\n\tif (value.source === '1password') {\n\t\treturn 'ref' in value && typeof value.ref === 'string';\n\t}\n\n\treturn false;\n}\n\nfunction toSecretRef(secret: SourceAwareSecretReference): SecretRef {\n\treturn secret.source === 'environment'\n\t\t? {\n\t\t\t\tsource: 'environment',\n\t\t\t\tref: secret.envVar,\n\t\t\t}\n\t\t: {\n\t\t\t\tsource: '1password',\n\t\t\t\tref: secret.ref,\n\t\t\t};\n}\n\nfunction describeSecretReference(secret: SourceAwareSecretReference): string {\n\treturn secret.source === 'environment' ? secret.envVar : secret.ref;\n}\n\nfunction buildEffectiveSecretsConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n): Record<string, unknown> {\n\tconst existingSecretsConfig = isObjectRecord(parsedBaseConfig.secrets)\n\t\t? parsedBaseConfig.secrets\n\t\t: {};\n\tconst existingProvidersConfig = isObjectRecord(existingSecretsConfig.providers)\n\t\t? existingSecretsConfig.providers\n\t\t: {};\n\n\treturn {\n\t\t...existingSecretsConfig,\n\t\tproviders: {\n\t\t\t...existingProvidersConfig,\n\t\t\tdefault: {\n\t\t\t\tsource: 'env',\n\t\t\t},\n\t\t},\n\t};\n}\n\nfunction buildEffectiveMcpPortalPluginConfig(\n\texistingPluginConfig: Record<string, unknown>,\n\truntimeConfig: Readonly<Record<string, unknown>>,\n): Record<string, unknown> {\n\tconst preservedConfig =\n\t\ttypeof existingPluginConfig.binPath === 'string'\n\t\t\t? { binPath: existingPluginConfig.binPath }\n\t\t\t: {};\n\treturn {\n\t\t...preservedConfig,\n\t\t...runtimeConfig,\n\t};\n}\n\nfunction buildEffectivePluginsConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n\truntimePluginConfigs: Readonly<Record<string, Readonly<Record<string, unknown>>>> | undefined,\n): Record<string, unknown> {\n\tconst existingPluginsConfig = isObjectRecord(parsedBaseConfig.plugins)\n\t\t? parsedBaseConfig.plugins\n\t\t: {};\n\tconst existingEntriesConfig = isObjectRecord(existingPluginsConfig.entries)\n\t\t? existingPluginsConfig.entries\n\t\t: {};\n\tconst runtimeEntriesConfig = Object.fromEntries(\n\t\tObject.entries(runtimePluginConfigs ?? {}).map(([pluginId, runtimeConfig]) => {\n\t\t\tconst existingEntryConfig = isObjectRecord(existingEntriesConfig[pluginId])\n\t\t\t\t? existingEntriesConfig[pluginId]\n\t\t\t\t: {};\n\t\t\tconst existingPluginConfig = isObjectRecord(existingEntryConfig.config)\n\t\t\t\t? existingEntryConfig.config\n\t\t\t\t: {};\n\t\t\tconst config =\n\t\t\t\tpluginId === 'mcp-portal'\n\t\t\t\t\t? buildEffectiveMcpPortalPluginConfig(existingPluginConfig, runtimeConfig)\n\t\t\t\t\t: {\n\t\t\t\t\t\t\t...existingPluginConfig,\n\t\t\t\t\t\t\t...runtimeConfig,\n\t\t\t\t\t\t};\n\t\t\treturn [\n\t\t\t\tpluginId,\n\t\t\t\t{\n\t\t\t\t\t...existingEntryConfig,\n\t\t\t\t\tconfig,\n\t\t\t\t},\n\t\t\t] as const;\n\t\t}),\n\t);\n\n\treturn {\n\t\t...existingPluginsConfig,\n\t\tentries: {\n\t\t\t...existingEntriesConfig,\n\t\t\t...runtimeEntriesConfig,\n\t\t},\n\t};\n}\n\nfunction buildEffectiveMcpConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n\truntimeMcpServers: Readonly<Record<string, unknown>> | undefined,\n): Record<string, unknown> {\n\tconst existingMcpConfig = isObjectRecord(parsedBaseConfig.mcp) ? parsedBaseConfig.mcp : {};\n\tconst existingServersConfig = isObjectRecord(existingMcpConfig.servers)\n\t\t? existingMcpConfig.servers\n\t\t: {};\n\treturn {\n\t\t...existingMcpConfig,\n\t\tservers: {\n\t\t\t...existingServersConfig,\n\t\t\t...runtimeMcpServers,\n\t\t},\n\t};\n}\n\nfunction buildEffectiveLoggingConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n): Record<string, unknown> {\n\tconst existingLoggingConfig = isObjectRecord(parsedBaseConfig.logging)\n\t\t? parsedBaseConfig.logging\n\t\t: {};\n\n\treturn {\n\t\tfile: openClawRuntimeLogFileVmPath,\n\t\t...existingLoggingConfig,\n\t};\n}\n\nasync function writeAuthProfilesIfConfigured(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst authProfilesByAgent = {\n\t\t...(zone.gateway.authProfilesRef ? { main: zone.gateway.authProfilesRef } : {}),\n\t\t...(zone.gateway.type === 'openclaw' ? (zone.gateway.authProfilesByAgent ?? {}) : {}),\n\t};\n\n\tconst writeResults = await Promise.allSettled(\n\t\tObject.entries(authProfilesByAgent).map(async ([agentId, authProfilesSecretCandidate]) => {\n\t\t\tif (!isSourceAwareSecretReference(authProfilesSecretCandidate)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Zone '${zone.id}' has an invalid auth profile shape for agent '${agentId}'.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst authProfilesSecret = authProfilesSecretCandidate;\n\n\t\t\ttry {\n\t\t\t\tconst authProfilesDirectory = path.join(zone.gateway.stateDir, 'agents', agentId, 'agent');\n\t\t\t\tawait mkdir(authProfilesDirectory, { recursive: true, mode: 0o700 });\n\t\t\t\tawait chmod(authProfilesDirectory, 0o700);\n\t\t\t\tconst authProfiles = await secretResolver.resolve(toSecretRef(authProfilesSecret));\n\t\t\t\tawait writeFileAtomically(\n\t\t\t\t\tpath.join(authProfilesDirectory, 'auth-profiles.json'),\n\t\t\t\t\tauthProfiles,\n\t\t\t\t\t{ mode: 0o600 },\n\t\t\t\t);\n\t\t\t} catch (error) {\n\t\t\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Failed to write OpenClaw auth profiles for zone '${zone.id}' agent '${agentId}' from '${describeSecretReference(authProfilesSecret)}': ${message}`,\n\t\t\t\t\t{ cause: error },\n\t\t\t\t);\n\t\t\t}\n\t\t}),\n\t);\n\tconst writeErrors = writeResults\n\t\t.filter((result): result is PromiseRejectedResult => result.status === 'rejected')\n\t\t.map((result) =>\n\t\t\tresult.reason instanceof Error ? result.reason : new Error(String(result.reason)),\n\t\t);\n\tif (writeErrors.length > 0) {\n\t\tthrow new AggregateError(\n\t\t\twriteErrors,\n\t\t\t`Failed to write ${String(writeErrors.length)} OpenClaw auth profile file(s) for zone '${zone.id}'.`,\n\t\t);\n\t}\n}\n\nasync function writeEffectiveOpenClawConfig(zone: GatewayZoneConfig): Promise<void> {\n\tconst gatewayTokenSecret = zone.secrets.OPENCLAW_GATEWAY_TOKEN;\n\tif (!gatewayTokenSecret) {\n\t\tthrow new Error(\n\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing. Add an explicit 1Password or environment reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t);\n\t}\n\tif (!isSourceAwareSecretReference(gatewayTokenSecret)) {\n\t\tthrow new Error(`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' has an invalid shape.`);\n\t}\n\n\ttry {\n\t\tif (gatewayTokenSecret.source === '1password' && !gatewayTokenSecret.ref) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'ref'. Add an explicit 1Password reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t\t);\n\t\t}\n\t\tif (gatewayTokenSecret.source === 'environment' && !gatewayTokenSecret.envVar) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'envVar'. Add an explicit environment variable name.`,\n\t\t\t);\n\t\t}\n\t\tconst rawBaseConfig = await readFile(zone.gateway.config, 'utf8');\n\t\tconst parsedBaseConfig: unknown = JSON.parse(rawBaseConfig);\n\t\tif (!isObjectRecord(parsedBaseConfig)) {\n\t\t\tthrow new Error(`OpenClaw config at '${zone.gateway.config}' must be a JSON object.`);\n\t\t}\n\t\tconst runtimePluginConfigs = {\n\t\t\t...(zone.mcp === undefined\n\t\t\t\t? {}\n\t\t\t\t: { 'mcp-portal': { configDir: '/home/openclaw/.openclaw/config' } }),\n\t\t\t...zone.runtimePluginConfigs,\n\t\t};\n\t\tconst config = isObjectRecord(parsedBaseConfig.gateway) ? parsedBaseConfig.gateway : {};\n\t\tconst existingAuthConfig = isObjectRecord(config.auth) ? config.auth : {};\n\t\tconst effectiveConfig = {\n\t\t\t...parsedBaseConfig,\n\t\t\tlogging: buildEffectiveLoggingConfig(parsedBaseConfig),\n\t\t\tgateway: {\n\t\t\t\t...config,\n\t\t\t\tauth: {\n\t\t\t\t\t...existingAuthConfig,\n\t\t\t\t\tmode: 'token',\n\t\t\t\t\ttoken: openClawGatewayTokenSecretRef,\n\t\t\t\t},\n\t\t\t},\n\t\t\tmeta: {\n\t\t\t\t...(isObjectRecord(parsedBaseConfig.meta) ? parsedBaseConfig.meta : {}),\n\t\t\t\tlastTouchedAt: new Date().toISOString(),\n\t\t\t\tlastTouchedVersion: 'agent-vm',\n\t\t\t},\n\t\t\tmcp: buildEffectiveMcpConfig(parsedBaseConfig, zone.runtimeMcpServers),\n\t\t\tplugins: buildEffectivePluginsConfig(parsedBaseConfig, runtimePluginConfigs),\n\t\t\tsecrets: buildEffectiveSecretsConfig(parsedBaseConfig),\n\t\t};\n\t\tconst effectiveConfigPath = getEffectiveOpenClawConfigHostPath(zone);\n\t\tawait mkdir(zone.gateway.stateDir, { recursive: true, mode: 0o700 });\n\t\tawait chmod(zone.gateway.stateDir, 0o700);\n\t\tawait writeFileAtomically(\n\t\t\teffectiveConfigPath,\n\t\t\t`${JSON.stringify(effectiveConfig, null, 2)}\\n`,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write effective OpenClaw config for zone '${zone.id}' from '${zone.gateway.config}' using secret '${describeSecretReference(gatewayTokenSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nexport const openclawLifecycle: GatewayLifecycle = {\n\tauthConfig: {\n\t\tlistProvidersCommand: 'openclaw models auth list --format plain 2>/dev/null || echo \"\"',\n\t\tbuildLoginCommand: (\n\t\t\tprovider: string,\n\t\t\toptions: {\n\t\t\t\treadonly agentId?: string;\n\t\t\t\treadonly deviceCode?: boolean;\n\t\t\t\treadonly setDefault?: boolean;\n\t\t\t} = {},\n\t\t): string =>\n\t\t\t[\n\t\t\t\t'openclaw models auth',\n\t\t\t\t...(options.agentId ? [`--agent ${shellQuote(options.agentId)}`] : []),\n\t\t\t\t`login --provider ${shellQuote(provider)}`,\n\t\t\t\t...(options.deviceCode === true ? ['--device-code'] : []),\n\t\t\t\t...(options.setDefault === true ? ['--set-default'] : []),\n\t\t\t].join(' '),\n\t},\n\n\tbuildVmSpec({\n\t\tcontrollerPort,\n\t\tgatewayCacheDir,\n\t\tprojectNamespace,\n\t\tresolvedSecrets,\n\t\truntimeDir,\n\t\ttcpPool,\n\t\tzone,\n\t}: BuildGatewayVmSpecOptions): GatewayVmSpec {\n\t\tif (zone.gateway.type !== 'openclaw') {\n\t\t\tthrow new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);\n\t\t}\n\t\tconst configDirectory = path.dirname(path.resolve(zone.gateway.config));\n\t\tconst { environmentSecrets, mediatedSecrets } = splitResolvedGatewaySecrets(\n\t\t\tzone,\n\t\t\tresolvedSecrets,\n\t\t);\n\n\t\treturn {\n\t\t\tallowedHosts: gatewayVmAllowedHosts(zone.egressHosts),\n\t\t\tenvironment: {\n\t\t\t\tHOME: '/home/openclaw',\n\t\t\t\tNODE_EXTRA_CA_CERTS: '/run/gondolin/ca-certificates.crt',\n\t\t\t\tNODE_OPTIONS: '--dns-result-order=ipv4first',\n\t\t\t\tOPENCLAW_CONFIG_PATH: effectiveOpenClawConfigVmPath,\n\t\t\t\tOPENCLAW_HOME: '/home/openclaw',\n\t\t\t\tOPENCLAW_STATE_DIR: openClawStateDirVmPath,\n\t\t\t\tPATH: `/pnpm:${process.env.PATH ?? ''}`,\n\t\t\t\tPIP_CACHE_DIR: '/work/cache/pip',\n\t\t\t\tPNPM_HOME: '/pnpm',\n\t\t\t\tTEMP: '/work/tmp',\n\t\t\t\tTMP: '/work/tmp',\n\t\t\t\tTMPDIR: '/work/tmp',\n\t\t\t\tUV_CACHE_DIR: '/work/cache/uv',\n\t\t\t\tnpm_config_cache: '/work/cache/npm',\n\t\t\t\tpnpm_config_store_dir: '/work/cache/pnpm/store',\n\t\t\t\t...environmentSecrets,\n\t\t\t\t...zone.runtimeEnvironment,\n\t\t\t},\n\t\t\tmediatedSecrets,\n\t\t\trootfsMode: 'cow',\n\t\t\tsessionLabel: buildGatewaySessionLabelValue(projectNamespace, zone.id),\n\t\t\ttcpHosts: buildGatewayTcpHosts(zone, controllerPort, tcpPool),\n\t\t\tvfsMounts: {\n\t\t\t\t'/home/openclaw/.openclaw/config': {\n\t\t\t\t\thostPath: configDirectory,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawCacheDirVmPath]: {\n\t\t\t\t\thostPath: gatewayCacheDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t'/home/openclaw/.openclaw/state': {\n\t\t\t\t\thostPath: zone.gateway.stateDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawZoneFilesDirVmPath]: {\n\t\t\t\t\thostPath: zone.gateway.zoneFilesDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[agentVmLogsDirVmPath]: {\n\t\t\t\t\thostPath: path.join(runtimeDir, 'zones', zone.id, 'logs'),\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t},\n\t\t};\n\t},\n\n\tbuildProcessSpec(\n\t\tzone: GatewayZoneConfig,\n\t\tresolvedSecrets: Record<string, string>,\n\t): GatewayProcessSpec {\n\t\treturn {\n\t\t\tbootstrapCommand: buildOpenClawBootstrapCommand(zone, resolvedSecrets),\n\t\t\tstartCommand: `set -a && . ${openClawRuntimeSecretsEnvFilePath} && set +a && cd /home/openclaw && nohup openclaw gateway --port 18789 > ${openClawGatewayBootLogFileVmPath} 2>&1 &`,\n\t\t\thealthCheck: {\n\t\t\t\ttype: 'http',\n\t\t\t\tport: 18789,\n\t\t\t\tpath: '/readyz',\n\t\t\t},\n\t\t\tguestListenPort: 18789,\n\t\t\tlogPath: openClawGatewayBootLogFileVmPath,\n\t\t};\n\t},\n\n\tasync prepareHostState(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void> {\n\t\tawait writeEffectiveOpenClawConfig(zone);\n\t\tawait writeAuthProfilesIfConfigured(zone, secretResolver);\n\t},\n};\n"],"mappings":";;;;;AAsBA,MAAM,kCAAkC;AACxC,MAAM,gCAAgC,kCAAkC;AACxE,MAAM,yBAAyB;AAC/B,MAAM,yBAAyB;AAC/B,MAAM,6BAA6B;AACnC,MAAM,uBAAuB;AAC7B,MAAM,+BAA+B,GAAG,qBAAqB;AAC7D,MAAM,mCAAmC,GAAG,qBAAqB;AACjE,MAAM,2BAA2B;AACjC,MAAM,oCAAoC;AAS1C,MAAM,gCAAmD;CACxD,IAAI;CACJ,UAAU;CACV,QAAQ;CACR;AAED,SAAS,eAAe,OAAkD;CACzE,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,qBACR,MACA,gBACA,SACyB;CACzB,MAAM,WAAmC,GACvC,GAAG,iBAAiB,UAAU,aAAa,kBAC5C;CAED,KAAK,IAAI,OAAO,GAAG,OAAO,QAAQ,MAAM,QAAQ,GAC/C,SAAS,QAAQ,KAAK,gBAAgB,aAAa,QAAQ,WAAW;CAGvE,KAAK,MAAM,iBAAiB,KAAK,iBAChC,SAAS,iBAAiB;CAG3B,OAAO;;AAGR,SAAS,8BACR,MACA,iBACS;CACT,MAAM,EAAE,uBAAuB,4BAA4B,MAAM,gBAAgB;CACjF,MAAM,mBAAmB;EACxB;EACA,+BAA+B;EAC/B,6BAA6B;EAC7B;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACD,MAAM,yBAAyB,OAAO,QAAQ;EAC7C,GAAG;EACH,GAAG,KAAK;EACR,CAAC,CAAC,KACD,CAAC,YAAY,iBACb,UAAU,WAAW,GAAG,yBAAyB,YAAY,YAAY,GAC1E;CACD,MAAM,qBACL,uBAAuB,WAAW,IAC/B,OAAO,kCAAkC,QACzC,kBAAkB,uBAAuB,KAAK,SAAS,WAAW,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,kCAAkC;CAE9H,MAAM,mBACL,6DACkB,CAHK,uBAAuB,uBAGd,CAAC,KAAK,SAAS,WAAW,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;CAM5E,OACC,4KAA4K,yBAAyB,kBACrM,iBAAiB,KAAK,KAAK,GAC3B;;YACa,yBAAyB,QACtC,qBACA,aAAa,kCAAkC,QAC/C,mBACA,4CACqB,yBAAyB,kCAAkC,yBAAyB;;AAM3G,SAAS,mCAAmC,MAAiC;CAC5E,OAAO,KAAK,KAAK,KAAK,QAAQ,UAAU,gCAAgC;;AAGzE,SAAS,WAAW,OAAuB;CAC1C,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,CAAC;;AAG1C,SAAS,+BAA+B,OAAwB;CAC/D,KAAK,MAAM,aAAa,OAAO;EAC9B,MAAM,YAAY,UAAU,YAAY,EAAE;EAC1C,IAAI,cAAc,KAAA,MAAc,aAAa,MAAQ,cAAc,MAClE,OAAO;;CAGT,OAAO;;AAGR,SAAS,yBAAyB,YAAoB,OAAuB;CAC5E,IAAI,+BAA+B,MAAM,EACxC,MAAM,IAAI,MACT,yCAAyC,WAAW,wHACpD;CAEF,OAAO,WAAW,MAAM;;AAazB,SAAS,6BAA6B,OAAqD;CAC1F,IAAI,OAAO,UAAU,YAAY,UAAU,MAC1C,OAAO;CAGR,IAAI,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UACnD,OAAO;CAGR,IAAI,MAAM,WAAW,eACpB,OAAO,YAAY,SAAS,OAAO,MAAM,WAAW;CAGrD,IAAI,MAAM,WAAW,aACpB,OAAO,SAAS,SAAS,OAAO,MAAM,QAAQ;CAG/C,OAAO;;AAGR,SAAS,YAAY,QAA+C;CACnE,OAAO,OAAO,WAAW,gBACtB;EACA,QAAQ;EACR,KAAK,OAAO;EACZ,GACA;EACA,QAAQ;EACR,KAAK,OAAO;EACZ;;AAGJ,SAAS,wBAAwB,QAA4C;CAC5E,OAAO,OAAO,WAAW,gBAAgB,OAAO,SAAS,OAAO;;AAGjE,SAAS,4BACR,kBAC0B;CAC1B,MAAM,wBAAwB,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;CACL,MAAM,0BAA0B,eAAe,sBAAsB,UAAU,GAC5E,sBAAsB,YACtB,EAAE;CAEL,OAAO;EACN,GAAG;EACH,WAAW;GACV,GAAG;GACH,SAAS,EACR,QAAQ,OACR;GACD;EACD;;AAGF,SAAS,oCACR,sBACA,eAC0B;CAK1B,OAAO;EACN,GAJA,OAAO,qBAAqB,YAAY,WACrC,EAAE,SAAS,qBAAqB,SAAS,GACzC,EAAE;EAGL,GAAG;EACH;;AAGF,SAAS,4BACR,kBACA,sBAC0B;CAC1B,MAAM,wBAAwB,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;CACL,MAAM,wBAAwB,eAAe,sBAAsB,QAAQ,GACxE,sBAAsB,UACtB,EAAE;CACL,MAAM,uBAAuB,OAAO,YACnC,OAAO,QAAQ,wBAAwB,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,mBAAmB;EAC7E,MAAM,sBAAsB,eAAe,sBAAsB,UAAU,GACxE,sBAAsB,YACtB,EAAE;EACL,MAAM,uBAAuB,eAAe,oBAAoB,OAAO,GACpE,oBAAoB,SACpB,EAAE;EACL,MAAM,SACL,aAAa,eACV,oCAAoC,sBAAsB,cAAc,GACxE;GACA,GAAG;GACH,GAAG;GACH;EACJ,OAAO,CACN,UACA;GACC,GAAG;GACH;GACA,CACD;GACA,CACF;CAED,OAAO;EACN,GAAG;EACH,SAAS;GACR,GAAG;GACH,GAAG;GACH;EACD;;AAGF,SAAS,wBACR,kBACA,mBAC0B;CAC1B,MAAM,oBAAoB,eAAe,iBAAiB,IAAI,GAAG,iBAAiB,MAAM,EAAE;CAC1F,MAAM,wBAAwB,eAAe,kBAAkB,QAAQ,GACpE,kBAAkB,UAClB,EAAE;CACL,OAAO;EACN,GAAG;EACH,SAAS;GACR,GAAG;GACH,GAAG;GACH;EACD;;AAGF,SAAS,4BACR,kBAC0B;CAK1B,OAAO;EACN,MAAM;EACN,GAN6B,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;EAKJ;;AAGF,eAAe,8BACd,MACA,gBACgB;CAChB,MAAM,sBAAsB;EAC3B,GAAI,KAAK,QAAQ,kBAAkB,EAAE,MAAM,KAAK,QAAQ,iBAAiB,GAAG,EAAE;EAC9E,GAAI,KAAK,QAAQ,SAAS,aAAc,KAAK,QAAQ,uBAAuB,EAAE,GAAI,EAAE;EACpF;CA8BD,MAAM,eAAc,MA5BO,QAAQ,WAClC,OAAO,QAAQ,oBAAoB,CAAC,IAAI,OAAO,CAAC,SAAS,iCAAiC;EACzF,IAAI,CAAC,6BAA6B,4BAA4B,EAC7D,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,iDAAiD,QAAQ,IAC1E;EAEF,MAAM,qBAAqB;EAE3B,IAAI;GACH,MAAM,wBAAwB,KAAK,KAAK,KAAK,QAAQ,UAAU,UAAU,SAAS,QAAQ;GAC1F,MAAM,MAAM,uBAAuB;IAAE,WAAW;IAAM,MAAM;IAAO,CAAC;GACpE,MAAM,MAAM,uBAAuB,IAAM;GACzC,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;GAClF,MAAM,oBACL,KAAK,KAAK,uBAAuB,qBAAqB,EACtD,cACA,EAAE,MAAM,KAAO,CACf;WACO,OAAO;GACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;GACtE,MAAM,IAAI,MACT,oDAAoD,KAAK,GAAG,WAAW,QAAQ,UAAU,wBAAwB,mBAAmB,CAAC,KAAK,WAC1I,EAAE,OAAO,OAAO,CAChB;;GAED,CACF,EAEC,QAAQ,WAA4C,OAAO,WAAW,WAAW,CACjF,KAAK,WACL,OAAO,kBAAkB,QAAQ,OAAO,SAAS,IAAI,MAAM,OAAO,OAAO,OAAO,CAAC,CACjF;CACF,IAAI,YAAY,SAAS,GACxB,MAAM,IAAI,eACT,aACA,mBAAmB,OAAO,YAAY,OAAO,CAAC,2CAA2C,KAAK,GAAG,IACjG;;AAIH,eAAe,6BAA6B,MAAwC;CACnF,MAAM,qBAAqB,KAAK,QAAQ;CACxC,IAAI,CAAC,oBACJ,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,0HAA0H,KAAK,GAAG,0BACnJ;CAEF,IAAI,CAAC,6BAA6B,mBAAmB,EACpD,MAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yDAAyD;CAG3F,IAAI;EACH,IAAI,mBAAmB,WAAW,eAAe,CAAC,mBAAmB,KACpE,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,iHAAiH,KAAK,GAAG,0BAC1I;EAEF,IAAI,mBAAmB,WAAW,iBAAiB,CAAC,mBAAmB,QACtE,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,mGACjB;EAEF,MAAM,gBAAgB,MAAM,SAAS,KAAK,QAAQ,QAAQ,OAAO;EACjE,MAAM,mBAA4B,KAAK,MAAM,cAAc;EAC3D,IAAI,CAAC,eAAe,iBAAiB,EACpC,MAAM,IAAI,MAAM,uBAAuB,KAAK,QAAQ,OAAO,0BAA0B;EAEtF,MAAM,uBAAuB;GAC5B,GAAI,KAAK,QAAQ,KAAA,IACd,EAAE,GACF,EAAE,cAAc,EAAE,WAAW,mCAAmC,EAAE;GACrE,GAAG,KAAK;GACR;EACD,MAAM,SAAS,eAAe,iBAAiB,QAAQ,GAAG,iBAAiB,UAAU,EAAE;EACvF,MAAM,qBAAqB,eAAe,OAAO,KAAK,GAAG,OAAO,OAAO,EAAE;EACzE,MAAM,kBAAkB;GACvB,GAAG;GACH,SAAS,4BAA4B,iBAAiB;GACtD,SAAS;IACR,GAAG;IACH,MAAM;KACL,GAAG;KACH,MAAM;KACN,OAAO;KACP;IACD;GACD,MAAM;IACL,GAAI,eAAe,iBAAiB,KAAK,GAAG,iBAAiB,OAAO,EAAE;IACtE,gCAAe,IAAI,MAAM,EAAC,aAAa;IACvC,oBAAoB;IACpB;GACD,KAAK,wBAAwB,kBAAkB,KAAK,kBAAkB;GACtE,SAAS,4BAA4B,kBAAkB,qBAAqB;GAC5E,SAAS,4BAA4B,iBAAiB;GACtD;EACD,MAAM,sBAAsB,mCAAmC,KAAK;EACpE,MAAM,MAAM,KAAK,QAAQ,UAAU;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;EACpE,MAAM,MAAM,KAAK,QAAQ,UAAU,IAAM;EACzC,MAAM,oBACL,qBACA,GAAG,KAAK,UAAU,iBAAiB,MAAM,EAAE,CAAC,KAC5C,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;EACtE,MAAM,IAAI,MACT,uDAAuD,KAAK,GAAG,UAAU,KAAK,QAAQ,OAAO,kBAAkB,wBAAwB,mBAAmB,CAAC,KAAK,WAChK,EAAE,OAAO,OAAO,CAChB;;;AAIH,MAAa,oBAAsC;CAClD,YAAY;EACX,sBAAsB;EACtB,oBACC,UACA,UAII,EAAE,KAEN;GACC;GACA,GAAI,QAAQ,UAAU,CAAC,WAAW,WAAW,QAAQ,QAAQ,GAAG,GAAG,EAAE;GACrE,oBAAoB,WAAW,SAAS;GACxC,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,CAAC,KAAK,IAAI;EACZ;CAED,YAAY,EACX,gBACA,iBACA,kBACA,iBACA,YACA,SACA,QAC4C;EAC5C,IAAI,KAAK,QAAQ,SAAS,YACzB,MAAM,IAAI,MAAM,iDAAiD,KAAK,QAAQ,KAAK,IAAI;EAExF,MAAM,kBAAkB,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,OAAO,CAAC;EACvE,MAAM,EAAE,oBAAoB,oBAAoB,4BAC/C,MACA,gBACA;EAED,OAAO;GACN,cAAc,sBAAsB,KAAK,YAAY;GACrD,aAAa;IACZ,MAAM;IACN,qBAAqB;IACrB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,oBAAoB;IACpB,MAAM,SAAS,QAAQ,IAAI,QAAQ;IACnC,eAAe;IACf,WAAW;IACX,MAAM;IACN,KAAK;IACL,QAAQ;IACR,cAAc;IACd,kBAAkB;IAClB,uBAAuB;IACvB,GAAG;IACH,GAAG,KAAK;IACR;GACD;GACA,YAAY;GACZ,cAAcA,yBAA8B,kBAAkB,KAAK,GAAG;GACtE,UAAU,qBAAqB,MAAM,gBAAgB,QAAQ;GAC7D,WAAW;IACV,mCAAmC;KAClC,UAAU;KACV,MAAM;KACN;KACA,yBAAyB;KACzB,UAAU;KACV,MAAM;KACN;IACD,kCAAkC;KACjC,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;KACA,6BAA6B;KAC7B,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;KACA,uBAAuB;KACvB,UAAU,KAAK,KAAK,YAAY,SAAS,KAAK,IAAI,OAAO;KACzD,MAAM;KACN;IACD;GACD;;CAGF,iBACC,MACA,iBACqB;EACrB,OAAO;GACN,kBAAkB,8BAA8B,MAAM,gBAAgB;GACtE,cAAc,eAAe,kCAAkC,2EAA2E,iCAAiC;GAC3K,aAAa;IACZ,MAAM;IACN,MAAM;IACN,MAAM;IACN;GACD,iBAAiB;GACjB,SAAS;GACT;;CAGF,MAAM,iBAAiB,MAAyB,gBAA+C;EAC9F,MAAM,6BAA6B,KAAK;EACxC,MAAM,8BAA8B,MAAM,eAAe;;CAE1D"}
1
+ {"version":3,"file":"index.js","names":["buildGatewaySessionLabelValue"],"sources":["../src/openclaw-lifecycle.ts"],"sourcesContent":["import { chmod, mkdir, readFile } from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type {\n\tBuildGatewayVmSpecOptions,\n\tGatewayLifecycle,\n\tGatewayProcessSpec,\n\tGatewayZoneConfig,\n\tGatewayVmSpec,\n\tSplitResolvedGatewaySecretsResult,\n} from '@agent-vm/gateway-interface';\nimport {\n\tbuildGatewaySessionLabel as buildGatewaySessionLabelValue,\n\tcontrollerVmHost,\n\tgatewayVmAllowedHosts,\n\tmergeRuntimeGatewaySecrets,\n\tsplitResolvedGatewaySecrets,\n} from '@agent-vm/gateway-interface';\nimport { writeFileAtomically } from '@agent-vm/gondolin-adapter';\nimport type { SecretRef, SecretResolver } from '@agent-vm/secrets';\n\nconst effectiveOpenClawConfigFileName = 'effective-openclaw.json';\nconst effectiveOpenClawConfigVmPath = `/home/openclaw/.openclaw/state/${effectiveOpenClawConfigFileName}`;\nconst openClawStateDirVmPath = '/home/openclaw/.openclaw/state';\nconst openClawCacheDirVmPath = '/home/openclaw/.openclaw/cache';\nconst openClawZoneFilesDirVmPath = '/zone';\nconst agentVmLogsDirVmPath = '/agent-vm/logs';\nconst openClawRuntimeLogFileVmPath = `${agentVmLogsDirVmPath}/openclaw-YYYY-MM-DD.log`;\nconst openClawGatewayBootLogFileVmPath = `${agentVmLogsDirVmPath}/gateway-boot-latest.log`;\nconst openClawShellEnvFilePath = '/etc/profile.d/openclaw-env.sh';\nconst openClawRuntimeSecretsEnvFilePath = '/run/openclaw/secrets.env';\nconst openClawGatewayTokenEnvVar = 'OPENCLAW_GATEWAY_TOKEN';\n\ninterface OpenClawSecretRef {\n\treadonly id: string;\n\treadonly provider: string;\n\treadonly source: 'env';\n}\n\nconst openClawGatewayTokenSecretRef: OpenClawSecretRef = {\n\tid: openClawGatewayTokenEnvVar,\n\tprovider: 'default',\n\tsource: 'env',\n};\n\nfunction isObjectRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction buildGatewayTcpHosts(\n\tzone: GatewayZoneConfig,\n\tcontrollerPort: number,\n\ttcpPool: { readonly basePort: number; readonly size: number },\n): Record<string, string> {\n\tconst tcpHosts: Record<string, string> = {\n\t\t[`${controllerVmHost}:18800`]: `127.0.0.1:${controllerPort}`,\n\t};\n\n\tfor (let slot = 0; slot < tcpPool.size; slot += 1) {\n\t\ttcpHosts[`tool-${slot}.vm.host:22`] = `127.0.0.1:${tcpPool.basePort + slot}`;\n\t}\n\n\tfor (const websocketHost of zone.websocketBypass) {\n\t\ttcpHosts[websocketHost] = websocketHost;\n\t}\n\n\treturn tcpHosts;\n}\n\nfunction buildOpenClawBootstrapCommand(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): string {\n\tconst { environmentSecrets } = mergeRuntimeGatewaySecrets(\n\t\tsplitAllowedOpenClawGatewaySecrets(zone, resolvedSecrets, 'openclaw-bootstrap-raw-env-secrets'),\n\t\t{\n\t\t\tlogPrefix: 'openclaw-bootstrap-runtime-secrets',\n\t\t\truntimeEnvironment: zone.runtimeEnvironment,\n\t\t\truntimeMediatedSecrets: zone.runtimeMediatedSecrets,\n\t\t},\n\t);\n\tassertAllowedOpenClawEnvironmentSecrets(\n\t\tzone,\n\t\tenvironmentSecrets,\n\t\t'openclaw-bootstrap-runtime-raw-env-secrets',\n\t);\n\tconst environmentLines = [\n\t\t'export OPENCLAW_HOME=/home/openclaw',\n\t\t`export OPENCLAW_CONFIG_PATH=${effectiveOpenClawConfigVmPath}`,\n\t\t`export OPENCLAW_STATE_DIR=${openClawStateDirVmPath}`,\n\t\t'export PNPM_HOME=/pnpm',\n\t\t'export PATH=/pnpm:$PATH',\n\t\t'export TMPDIR=/work/tmp',\n\t\t'export TMP=/work/tmp',\n\t\t'export TEMP=/work/tmp',\n\t\t'export npm_config_cache=/work/cache/npm',\n\t\t'export pnpm_config_store_dir=/work/cache/pnpm/store',\n\t\t'export PIP_CACHE_DIR=/work/cache/pip',\n\t\t'export UV_CACHE_DIR=/work/cache/uv',\n\t\t'export NODE_EXTRA_CA_CERTS=/run/gondolin/ca-certificates.crt',\n\t\t'export NODE_OPTIONS=--dns-result-order=ipv4first',\n\t];\n\tconst secretEnvironmentNames = Object.entries({\n\t\t...environmentSecrets,\n\t\t...zone.runtimeEnvironment,\n\t}).map(([secretName, secretValue]) => {\n\t\tassertShellSafeEnvName(secretName);\n\t\tassertShellProfileSafeSecretValue(secretName, secretValue);\n\t\treturn secretName;\n\t});\n\tconst secretsFileCommand =\n\t\tsecretEnvironmentNames.length === 0\n\t\t\t? `: > ${openClawRuntimeSecretsEnvFilePath} && `\n\t\t\t: `{ ${secretEnvironmentNames.map(runtimeSecretExportCommand).join('; ')}; } > ${openClawRuntimeSecretsEnvFilePath} && `;\n\tconst sshConfigLines = ['Host tool-*.vm.host', ' AddressFamily inet'];\n\tconst sshConfigCommand =\n\t\t`mkdir -p /root/.ssh /home/openclaw/.ssh && ` +\n\t\t`printf '%s\\\\n' ${sshConfigLines.map((line) => shellQuote(line)).join(' ')} > /root/.ssh/config && ` +\n\t\t'cp /root/.ssh/config /home/openclaw/.ssh/config && ' +\n\t\t'chown -R openclaw:openclaw /home/openclaw/.ssh && ' +\n\t\t'chmod 700 /root/.ssh /home/openclaw/.ssh && ' +\n\t\t'chmod 600 /root/.ssh/config /home/openclaw/.ssh/config && ';\n\n\treturn (\n\t\t`mkdir -p /root /etc/profile.d /run/openclaw /work/tmp /work/cache/npm /work/cache/pnpm/store /work/cache/pip /work/cache/uv && chown -R openclaw:openclaw /work && cat > ${openClawShellEnvFilePath} << 'ENVEOF'\\n` +\n\t\tenvironmentLines.join('\\n') +\n\t\t'\\nENVEOF\\n' +\n\t\t`chmod 644 ${openClawShellEnvFilePath} && ` +\n\t\tsecretsFileCommand +\n\t\t`chmod 600 ${openClawRuntimeSecretsEnvFilePath} && ` +\n\t\tsshConfigCommand +\n\t\t'touch /root/.bashrc && ' +\n\t\t`grep -qxF 'source ${openClawShellEnvFilePath}' /root/.bashrc || echo 'source ${openClawShellEnvFilePath}' >> /root/.bashrc && ` +\n\t\t'touch /root/.bash_profile && ' +\n\t\t\"grep -qxF 'source /root/.bashrc' /root/.bash_profile || echo 'source /root/.bashrc' >> /root/.bash_profile\"\n\t);\n}\n\nfunction getEffectiveOpenClawConfigHostPath(zone: GatewayZoneConfig): string {\n\treturn path.join(zone.gateway.stateDir, effectiveOpenClawConfigFileName);\n}\n\nfunction shellQuote(value: string): string {\n\treturn `'${value.replace(/'/gu, `'\\\\''`)}'`;\n}\n\nfunction includesShellUnsafeControlByte(value: string): boolean {\n\tfor (const character of value) {\n\t\tconst codePoint = character.codePointAt(0);\n\t\tif (codePoint !== undefined && (codePoint <= 0x1f || codePoint === 0x7f)) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}\n\nfunction assertShellSafeEnvName(secretName: string): void {\n\tif (!/^[_A-Za-z][_0-9A-Za-z]*$/u.test(secretName)) {\n\t\tthrow new Error(\n\t\t\t`OpenClaw env-injected gateway secret '${secretName}' must be a shell-safe environment variable name.`,\n\t\t);\n\t}\n}\n\nfunction assertShellProfileSafeSecretValue(secretName: string, value: string): void {\n\tif (includesShellUnsafeControlByte(value)) {\n\t\tthrow new Error(\n\t\t\t`OpenClaw env-injected gateway secret '${secretName}' must be a single-line value without control bytes. Use http-mediation for secrets that require structured transport.`,\n\t\t);\n\t}\n}\n\nfunction runtimeSecretExportCommand(secretName: string): string {\n\tconst runtimeSecretValue = `\"\\${${secretName}?missing runtime secret ${secretName}}\"`;\n\tconst exportLine = `export ${secretName}=${runtimeSecretValue}`;\n\treturn `: ${runtimeSecretValue} && printf '%s\\\\n' ${shellQuote(exportLine)}`;\n}\n\nfunction assertAllowedOpenClawEnvironmentSecrets(\n\tzone: GatewayZoneConfig,\n\tenvironmentSecrets: Readonly<Record<string, string>>,\n\tlogPrefix: string,\n): void {\n\tif (zone.gateway.type !== 'openclaw') {\n\t\tthrow new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);\n\t}\n\tconst allowedRawEnvSecrets = new Set([\n\t\topenClawGatewayTokenEnvVar,\n\t\t...(zone.gateway.rawEnvSecrets ?? []),\n\t]);\n\tfor (const secretName of Object.keys(environmentSecrets)) {\n\t\tif (allowedRawEnvSecrets.has(secretName)) {\n\t\t\tcontinue;\n\t\t}\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] OpenClaw env secret '${secretName}' must be listed in gateway.rawEnvSecrets or use injection 'http-mediation'.`,\n\t\t);\n\t}\n}\n\nfunction splitAllowedOpenClawGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n\tlogPrefix: string,\n): SplitResolvedGatewaySecretsResult {\n\tconst splitSecrets = splitResolvedGatewaySecrets(zone, resolvedSecrets);\n\tassertAllowedOpenClawEnvironmentSecrets(zone, splitSecrets.environmentSecrets, logPrefix);\n\treturn splitSecrets;\n}\n\ntype SourceAwareSecretReference =\n\t| {\n\t\t\treadonly source: 'environment';\n\t\t\treadonly envVar: string;\n\t }\n\t| {\n\t\t\treadonly source: '1password';\n\t\t\treadonly ref: string;\n\t };\n\nfunction isSourceAwareSecretReference(value: unknown): value is SourceAwareSecretReference {\n\tif (typeof value !== 'object' || value === null) {\n\t\treturn false;\n\t}\n\n\tif (!('source' in value) || typeof value.source !== 'string') {\n\t\treturn false;\n\t}\n\n\tif (value.source === 'environment') {\n\t\treturn 'envVar' in value && typeof value.envVar === 'string';\n\t}\n\n\tif (value.source === '1password') {\n\t\treturn 'ref' in value && typeof value.ref === 'string';\n\t}\n\n\treturn false;\n}\n\nfunction toSecretRef(secret: SourceAwareSecretReference): SecretRef {\n\treturn secret.source === 'environment'\n\t\t? {\n\t\t\t\tsource: 'environment',\n\t\t\t\tref: secret.envVar,\n\t\t\t}\n\t\t: {\n\t\t\t\tsource: '1password',\n\t\t\t\tref: secret.ref,\n\t\t\t};\n}\n\nfunction describeSecretReference(secret: SourceAwareSecretReference): string {\n\treturn secret.source === 'environment' ? secret.envVar : secret.ref;\n}\n\nfunction buildEffectiveSecretsConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n): Record<string, unknown> {\n\tconst existingSecretsConfig = isObjectRecord(parsedBaseConfig.secrets)\n\t\t? parsedBaseConfig.secrets\n\t\t: {};\n\tconst existingProvidersConfig = isObjectRecord(existingSecretsConfig.providers)\n\t\t? existingSecretsConfig.providers\n\t\t: {};\n\n\treturn {\n\t\t...existingSecretsConfig,\n\t\tproviders: {\n\t\t\t...existingProvidersConfig,\n\t\t\tdefault: {\n\t\t\t\tsource: 'env',\n\t\t\t},\n\t\t},\n\t};\n}\n\nfunction buildEffectiveMcpPortalPluginConfig(\n\t_existingPluginConfig: Record<string, unknown>,\n\truntimeConfig: Readonly<Record<string, unknown>>,\n): Record<string, unknown> {\n\treturn {\n\t\t...runtimeConfig,\n\t};\n}\n\nfunction buildEffectivePluginsConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n\truntimePluginConfigs: Readonly<Record<string, Readonly<Record<string, unknown>>>> | undefined,\n): Record<string, unknown> {\n\tconst existingPluginsConfig = isObjectRecord(parsedBaseConfig.plugins)\n\t\t? parsedBaseConfig.plugins\n\t\t: {};\n\tconst existingEntriesConfig = isObjectRecord(existingPluginsConfig.entries)\n\t\t? existingPluginsConfig.entries\n\t\t: {};\n\tconst runtimeEntriesConfig = Object.fromEntries(\n\t\tObject.entries(runtimePluginConfigs ?? {}).map(([pluginId, runtimeConfig]) => {\n\t\t\tconst existingEntryConfig = isObjectRecord(existingEntriesConfig[pluginId])\n\t\t\t\t? existingEntriesConfig[pluginId]\n\t\t\t\t: {};\n\t\t\tconst existingPluginConfig = isObjectRecord(existingEntryConfig.config)\n\t\t\t\t? existingEntryConfig.config\n\t\t\t\t: {};\n\t\t\tconst config =\n\t\t\t\tpluginId === 'mcp-portal'\n\t\t\t\t\t? buildEffectiveMcpPortalPluginConfig(existingPluginConfig, runtimeConfig)\n\t\t\t\t\t: {\n\t\t\t\t\t\t\t...existingPluginConfig,\n\t\t\t\t\t\t\t...runtimeConfig,\n\t\t\t\t\t\t};\n\t\t\treturn [\n\t\t\t\tpluginId,\n\t\t\t\t{\n\t\t\t\t\t...existingEntryConfig,\n\t\t\t\t\tconfig,\n\t\t\t\t},\n\t\t\t] as const;\n\t\t}),\n\t);\n\n\treturn {\n\t\t...existingPluginsConfig,\n\t\tentries: {\n\t\t\t...existingEntriesConfig,\n\t\t\t...runtimeEntriesConfig,\n\t\t},\n\t};\n}\n\nfunction buildEffectiveMcpConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n\truntimeMcpServers: Readonly<Record<string, unknown>> | undefined,\n): Record<string, unknown> {\n\tconst existingMcpConfig = isObjectRecord(parsedBaseConfig.mcp) ? parsedBaseConfig.mcp : {};\n\tconst existingServersConfig = isObjectRecord(existingMcpConfig.servers)\n\t\t? existingMcpConfig.servers\n\t\t: {};\n\treturn {\n\t\t...existingMcpConfig,\n\t\tservers: {\n\t\t\t...existingServersConfig,\n\t\t\t...runtimeMcpServers,\n\t\t},\n\t};\n}\n\nfunction buildEffectiveLoggingConfig(\n\tparsedBaseConfig: Record<string, unknown>,\n): Record<string, unknown> {\n\tconst existingLoggingConfig = isObjectRecord(parsedBaseConfig.logging)\n\t\t? parsedBaseConfig.logging\n\t\t: {};\n\n\treturn {\n\t\tfile: openClawRuntimeLogFileVmPath,\n\t\t...existingLoggingConfig,\n\t};\n}\n\nasync function writeAuthProfilesIfConfigured(\n\tzone: GatewayZoneConfig,\n\tsecretResolver: SecretResolver,\n): Promise<void> {\n\tconst authProfilesByAgent = {\n\t\t...(zone.gateway.authProfilesRef ? { main: zone.gateway.authProfilesRef } : {}),\n\t\t...(zone.gateway.type === 'openclaw' ? (zone.gateway.authProfilesByAgent ?? {}) : {}),\n\t};\n\n\tconst writeResults = await Promise.allSettled(\n\t\tObject.entries(authProfilesByAgent).map(async ([agentId, authProfilesSecretCandidate]) => {\n\t\t\tif (!isSourceAwareSecretReference(authProfilesSecretCandidate)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Zone '${zone.id}' has an invalid auth profile shape for agent '${agentId}'.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst authProfilesSecret = authProfilesSecretCandidate;\n\n\t\t\ttry {\n\t\t\t\tconst authProfilesDirectory = path.join(zone.gateway.stateDir, 'agents', agentId, 'agent');\n\t\t\t\tawait mkdir(authProfilesDirectory, { recursive: true, mode: 0o700 });\n\t\t\t\tawait chmod(authProfilesDirectory, 0o700);\n\t\t\t\tconst authProfiles = await secretResolver.resolve(toSecretRef(authProfilesSecret));\n\t\t\t\tawait writeFileAtomically(\n\t\t\t\t\tpath.join(authProfilesDirectory, 'auth-profiles.json'),\n\t\t\t\t\tauthProfiles,\n\t\t\t\t\t{ mode: 0o600 },\n\t\t\t\t);\n\t\t\t} catch (error) {\n\t\t\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Failed to write OpenClaw auth profiles for zone '${zone.id}' agent '${agentId}' from '${describeSecretReference(authProfilesSecret)}': ${message}`,\n\t\t\t\t\t{ cause: error },\n\t\t\t\t);\n\t\t\t}\n\t\t}),\n\t);\n\tconst writeErrors = writeResults\n\t\t.filter((result): result is PromiseRejectedResult => result.status === 'rejected')\n\t\t.map((result) =>\n\t\t\tresult.reason instanceof Error ? result.reason : new Error(String(result.reason)),\n\t\t);\n\tif (writeErrors.length > 0) {\n\t\tthrow new AggregateError(\n\t\t\twriteErrors,\n\t\t\t`Failed to write ${String(writeErrors.length)} OpenClaw auth profile file(s) for zone '${zone.id}'.`,\n\t\t);\n\t}\n}\n\nasync function writeEffectiveOpenClawConfig(zone: GatewayZoneConfig): Promise<void> {\n\tconst gatewayTokenSecret = zone.secrets.OPENCLAW_GATEWAY_TOKEN;\n\tif (!gatewayTokenSecret) {\n\t\tthrow new Error(\n\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing. Add an explicit 1Password or environment reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t);\n\t}\n\tif (!isSourceAwareSecretReference(gatewayTokenSecret)) {\n\t\tthrow new Error(`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' has an invalid shape.`);\n\t}\n\n\ttry {\n\t\tif (gatewayTokenSecret.source === '1password' && !gatewayTokenSecret.ref) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'ref'. Add an explicit 1Password reference such as 'op://agent-vm/${zone.id}-gateway-auth/password'.`,\n\t\t\t);\n\t\t}\n\t\tif (gatewayTokenSecret.source === 'environment' && !gatewayTokenSecret.envVar) {\n\t\t\tthrow new Error(\n\t\t\t\t`Zone '${zone.id}' secret 'OPENCLAW_GATEWAY_TOKEN' is missing 'envVar'. Add an explicit environment variable name.`,\n\t\t\t);\n\t\t}\n\t\tconst rawBaseConfig = await readFile(zone.gateway.config, 'utf8');\n\t\tconst parsedBaseConfig: unknown = JSON.parse(rawBaseConfig);\n\t\tif (!isObjectRecord(parsedBaseConfig)) {\n\t\t\tthrow new Error(`OpenClaw config at '${zone.gateway.config}' must be a JSON object.`);\n\t\t}\n\t\tconst runtimePluginConfigs = {\n\t\t\t...zone.runtimePluginConfigs,\n\t\t};\n\t\tconst config = isObjectRecord(parsedBaseConfig.gateway) ? parsedBaseConfig.gateway : {};\n\t\tconst existingAuthConfig = isObjectRecord(config.auth) ? config.auth : {};\n\t\tconst effectiveConfig = {\n\t\t\t...parsedBaseConfig,\n\t\t\tlogging: buildEffectiveLoggingConfig(parsedBaseConfig),\n\t\t\tgateway: {\n\t\t\t\t...config,\n\t\t\t\tauth: {\n\t\t\t\t\t...existingAuthConfig,\n\t\t\t\t\tmode: 'token',\n\t\t\t\t\ttoken: openClawGatewayTokenSecretRef,\n\t\t\t\t},\n\t\t\t},\n\t\t\tmeta: {\n\t\t\t\t...(isObjectRecord(parsedBaseConfig.meta) ? parsedBaseConfig.meta : {}),\n\t\t\t\tlastTouchedAt: new Date().toISOString(),\n\t\t\t\tlastTouchedVersion: 'agent-vm',\n\t\t\t},\n\t\t\tmcp: buildEffectiveMcpConfig(parsedBaseConfig, zone.runtimeMcpServers),\n\t\t\tplugins: buildEffectivePluginsConfig(parsedBaseConfig, runtimePluginConfigs),\n\t\t\tsecrets: buildEffectiveSecretsConfig(parsedBaseConfig),\n\t\t};\n\t\tconst effectiveConfigPath = getEffectiveOpenClawConfigHostPath(zone);\n\t\tawait mkdir(zone.gateway.stateDir, { recursive: true, mode: 0o700 });\n\t\tawait chmod(zone.gateway.stateDir, 0o700);\n\t\tawait writeFileAtomically(\n\t\t\teffectiveConfigPath,\n\t\t\t`${JSON.stringify(effectiveConfig, null, 2)}\\n`,\n\t\t\t{ mode: 0o600 },\n\t\t);\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to write effective OpenClaw config for zone '${zone.id}' from '${zone.gateway.config}' using secret '${describeSecretReference(gatewayTokenSecret)}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nexport const openclawLifecycle: GatewayLifecycle = {\n\tauthConfig: {\n\t\tlistProvidersCommand: 'openclaw models auth list --format plain 2>/dev/null || echo \"\"',\n\t\tbuildLoginCommand: (\n\t\t\tprovider: string,\n\t\t\toptions: {\n\t\t\t\treadonly agentId?: string;\n\t\t\t\treadonly deviceCode?: boolean;\n\t\t\t\treadonly setDefault?: boolean;\n\t\t\t} = {},\n\t\t): string =>\n\t\t\t[\n\t\t\t\t'openclaw models auth',\n\t\t\t\t...(options.agentId ? [`--agent ${shellQuote(options.agentId)}`] : []),\n\t\t\t\t`login --provider ${shellQuote(provider)}`,\n\t\t\t\t...(options.deviceCode === true ? ['--device-code'] : []),\n\t\t\t\t...(options.setDefault === true ? ['--set-default'] : []),\n\t\t\t].join(' '),\n\t},\n\n\tbuildVmSpec({\n\t\tcontrollerPort,\n\t\tgatewayCacheDir,\n\t\tprojectNamespace,\n\t\tresolvedSecrets,\n\t\truntimeDir,\n\t\ttcpPool,\n\t\tzone,\n\t}: BuildGatewayVmSpecOptions): GatewayVmSpec {\n\t\tif (zone.gateway.type !== 'openclaw') {\n\t\t\tthrow new Error(`OpenClaw lifecycle cannot build gateway type '${zone.gateway.type}'.`);\n\t\t}\n\t\tconst configDirectory = path.dirname(path.resolve(zone.gateway.config));\n\t\tconst { environmentSecrets, mediatedSecrets } = mergeRuntimeGatewaySecrets(\n\t\t\tsplitAllowedOpenClawGatewaySecrets(zone, resolvedSecrets, 'openclaw-vm-raw-env-secrets'),\n\t\t\t{\n\t\t\t\tlogPrefix: 'openclaw-vm-runtime-secrets',\n\t\t\t\truntimeEnvironment: zone.runtimeEnvironment,\n\t\t\t\truntimeMediatedSecrets: zone.runtimeMediatedSecrets,\n\t\t\t},\n\t\t);\n\t\tassertAllowedOpenClawEnvironmentSecrets(\n\t\t\tzone,\n\t\t\tenvironmentSecrets,\n\t\t\t'openclaw-vm-runtime-raw-env-secrets',\n\t\t);\n\n\t\treturn {\n\t\t\tallowedHosts: gatewayVmAllowedHosts(zone.egressHosts),\n\t\t\tenvironment: {\n\t\t\t\tHOME: '/home/openclaw',\n\t\t\t\tNODE_EXTRA_CA_CERTS: '/run/gondolin/ca-certificates.crt',\n\t\t\t\tNODE_OPTIONS: '--dns-result-order=ipv4first',\n\t\t\t\tOPENCLAW_CONFIG_PATH: effectiveOpenClawConfigVmPath,\n\t\t\t\tOPENCLAW_HOME: '/home/openclaw',\n\t\t\t\tOPENCLAW_STATE_DIR: openClawStateDirVmPath,\n\t\t\t\tPATH: `/pnpm:${process.env.PATH ?? ''}`,\n\t\t\t\tPIP_CACHE_DIR: '/work/cache/pip',\n\t\t\t\tPNPM_HOME: '/pnpm',\n\t\t\t\tTEMP: '/work/tmp',\n\t\t\t\tTMP: '/work/tmp',\n\t\t\t\tTMPDIR: '/work/tmp',\n\t\t\t\tUV_CACHE_DIR: '/work/cache/uv',\n\t\t\t\tnpm_config_cache: '/work/cache/npm',\n\t\t\t\tpnpm_config_store_dir: '/work/cache/pnpm/store',\n\t\t\t\t...environmentSecrets,\n\t\t\t},\n\t\t\tmediatedSecrets: {\n\t\t\t\t...mediatedSecrets,\n\t\t\t},\n\t\t\trootfsMode: 'cow',\n\t\t\tsessionLabel: buildGatewaySessionLabelValue(projectNamespace, zone.id),\n\t\t\ttcpHosts: buildGatewayTcpHosts(zone, controllerPort, tcpPool),\n\t\t\tvfsMounts: {\n\t\t\t\t'/home/openclaw/.openclaw/config': {\n\t\t\t\t\thostPath: configDirectory,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawCacheDirVmPath]: {\n\t\t\t\t\thostPath: gatewayCacheDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t'/home/openclaw/.openclaw/state': {\n\t\t\t\t\thostPath: zone.gateway.stateDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[openClawZoneFilesDirVmPath]: {\n\t\t\t\t\thostPath: zone.gateway.zoneFilesDir,\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t\t[agentVmLogsDirVmPath]: {\n\t\t\t\t\thostPath: path.join(runtimeDir, 'zones', zone.id, 'logs'),\n\t\t\t\t\tkind: 'realfs',\n\t\t\t\t},\n\t\t\t},\n\t\t};\n\t},\n\n\tbuildProcessSpec(\n\t\tzone: GatewayZoneConfig,\n\t\tresolvedSecrets: Record<string, string>,\n\t): GatewayProcessSpec {\n\t\treturn {\n\t\t\tbootstrapCommand: buildOpenClawBootstrapCommand(zone, resolvedSecrets),\n\t\t\tstartCommand: `set -a && . ${openClawRuntimeSecretsEnvFilePath} && set +a && cd /home/openclaw && nohup openclaw gateway --port 18789 > ${openClawGatewayBootLogFileVmPath} 2>&1 &`,\n\t\t\thealthCheck: {\n\t\t\t\ttype: 'http',\n\t\t\t\tport: 18789,\n\t\t\t\tpath: '/readyz',\n\t\t\t},\n\t\t\tguestListenPort: 18789,\n\t\t\tlogPath: openClawGatewayBootLogFileVmPath,\n\t\t};\n\t},\n\n\tasync prepareHostState(zone: GatewayZoneConfig, secretResolver: SecretResolver): Promise<void> {\n\t\tawait writeEffectiveOpenClawConfig(zone);\n\t\tawait writeAuthProfilesIfConfigured(zone, secretResolver);\n\t},\n};\n"],"mappings":";;;;;AAqBA,MAAM,kCAAkC;AACxC,MAAM,gCAAgC,kCAAkC;AACxE,MAAM,yBAAyB;AAC/B,MAAM,yBAAyB;AAC/B,MAAM,6BAA6B;AACnC,MAAM,uBAAuB;AAC7B,MAAM,+BAA+B,GAAG,qBAAqB;AAC7D,MAAM,mCAAmC,GAAG,qBAAqB;AACjE,MAAM,2BAA2B;AACjC,MAAM,oCAAoC;AAC1C,MAAM,6BAA6B;AAQnC,MAAM,gCAAmD;CACxD,IAAI;CACJ,UAAU;CACV,QAAQ;CACR;AAED,SAAS,eAAe,OAAkD;CACzE,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,qBACR,MACA,gBACA,SACyB;CACzB,MAAM,WAAmC,GACvC,GAAG,iBAAiB,UAAU,aAAa,kBAC5C;CAED,KAAK,IAAI,OAAO,GAAG,OAAO,QAAQ,MAAM,QAAQ,GAC/C,SAAS,QAAQ,KAAK,gBAAgB,aAAa,QAAQ,WAAW;CAGvE,KAAK,MAAM,iBAAiB,KAAK,iBAChC,SAAS,iBAAiB;CAG3B,OAAO;;AAGR,SAAS,8BACR,MACA,iBACS;CACT,MAAM,EAAE,uBAAuB,2BAC9B,mCAAmC,MAAM,iBAAiB,qCAAqC,EAC/F;EACC,WAAW;EACX,oBAAoB,KAAK;EACzB,wBAAwB,KAAK;EAC7B,CACD;CACD,wCACC,MACA,oBACA,6CACA;CACD,MAAM,mBAAmB;EACxB;EACA,+BAA+B;EAC/B,6BAA6B;EAC7B;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACD,MAAM,yBAAyB,OAAO,QAAQ;EAC7C,GAAG;EACH,GAAG,KAAK;EACR,CAAC,CAAC,KAAK,CAAC,YAAY,iBAAiB;EACrC,uBAAuB,WAAW;EAClC,kCAAkC,YAAY,YAAY;EAC1D,OAAO;GACN;CACF,MAAM,qBACL,uBAAuB,WAAW,IAC/B,OAAO,kCAAkC,QACzC,KAAK,uBAAuB,IAAI,2BAA2B,CAAC,KAAK,KAAK,CAAC,QAAQ,kCAAkC;CAErH,MAAM,mBACL,6DACkB,CAHK,uBAAuB,uBAGd,CAAC,KAAK,SAAS,WAAW,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;CAM5E,OACC,4KAA4K,yBAAyB,kBACrM,iBAAiB,KAAK,KAAK,GAC3B;;YACa,yBAAyB,QACtC,qBACA,aAAa,kCAAkC,QAC/C,mBACA,4CACqB,yBAAyB,kCAAkC,yBAAyB;;AAM3G,SAAS,mCAAmC,MAAiC;CAC5E,OAAO,KAAK,KAAK,KAAK,QAAQ,UAAU,gCAAgC;;AAGzE,SAAS,WAAW,OAAuB;CAC1C,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,CAAC;;AAG1C,SAAS,+BAA+B,OAAwB;CAC/D,KAAK,MAAM,aAAa,OAAO;EAC9B,MAAM,YAAY,UAAU,YAAY,EAAE;EAC1C,IAAI,cAAc,KAAA,MAAc,aAAa,MAAQ,cAAc,MAClE,OAAO;;CAGT,OAAO;;AAGR,SAAS,uBAAuB,YAA0B;CACzD,IAAI,CAAC,4BAA4B,KAAK,WAAW,EAChD,MAAM,IAAI,MACT,yCAAyC,WAAW,mDACpD;;AAIH,SAAS,kCAAkC,YAAoB,OAAqB;CACnF,IAAI,+BAA+B,MAAM,EACxC,MAAM,IAAI,MACT,yCAAyC,WAAW,wHACpD;;AAIH,SAAS,2BAA2B,YAA4B;CAC/D,MAAM,qBAAqB,OAAO,WAAW,0BAA0B,WAAW;CAElF,OAAO,KAAK,mBAAmB,qBAAqB,WAAW,UADlC,WAAW,GAAG,qBAC+B;;AAG3E,SAAS,wCACR,MACA,oBACA,WACO;CACP,IAAI,KAAK,QAAQ,SAAS,YACzB,MAAM,IAAI,MAAM,iDAAiD,KAAK,QAAQ,KAAK,IAAI;CAExF,MAAM,uBAAuB,IAAI,IAAI,CACpC,4BACA,GAAI,KAAK,QAAQ,iBAAiB,EAAE,CACpC,CAAC;CACF,KAAK,MAAM,cAAc,OAAO,KAAK,mBAAmB,EAAE;EACzD,IAAI,qBAAqB,IAAI,WAAW,EACvC;EAED,MAAM,IAAI,MACT,IAAI,UAAU,yBAAyB,WAAW,8EAClD;;;AAIH,SAAS,mCACR,MACA,iBACA,WACoC;CACpC,MAAM,eAAe,4BAA4B,MAAM,gBAAgB;CACvE,wCAAwC,MAAM,aAAa,oBAAoB,UAAU;CACzF,OAAO;;AAaR,SAAS,6BAA6B,OAAqD;CAC1F,IAAI,OAAO,UAAU,YAAY,UAAU,MAC1C,OAAO;CAGR,IAAI,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UACnD,OAAO;CAGR,IAAI,MAAM,WAAW,eACpB,OAAO,YAAY,SAAS,OAAO,MAAM,WAAW;CAGrD,IAAI,MAAM,WAAW,aACpB,OAAO,SAAS,SAAS,OAAO,MAAM,QAAQ;CAG/C,OAAO;;AAGR,SAAS,YAAY,QAA+C;CACnE,OAAO,OAAO,WAAW,gBACtB;EACA,QAAQ;EACR,KAAK,OAAO;EACZ,GACA;EACA,QAAQ;EACR,KAAK,OAAO;EACZ;;AAGJ,SAAS,wBAAwB,QAA4C;CAC5E,OAAO,OAAO,WAAW,gBAAgB,OAAO,SAAS,OAAO;;AAGjE,SAAS,4BACR,kBAC0B;CAC1B,MAAM,wBAAwB,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;CACL,MAAM,0BAA0B,eAAe,sBAAsB,UAAU,GAC5E,sBAAsB,YACtB,EAAE;CAEL,OAAO;EACN,GAAG;EACH,WAAW;GACV,GAAG;GACH,SAAS,EACR,QAAQ,OACR;GACD;EACD;;AAGF,SAAS,oCACR,uBACA,eAC0B;CAC1B,OAAO,EACN,GAAG,eACH;;AAGF,SAAS,4BACR,kBACA,sBAC0B;CAC1B,MAAM,wBAAwB,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;CACL,MAAM,wBAAwB,eAAe,sBAAsB,QAAQ,GACxE,sBAAsB,UACtB,EAAE;CACL,MAAM,uBAAuB,OAAO,YACnC,OAAO,QAAQ,wBAAwB,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,mBAAmB;EAC7E,MAAM,sBAAsB,eAAe,sBAAsB,UAAU,GACxE,sBAAsB,YACtB,EAAE;EACL,MAAM,uBAAuB,eAAe,oBAAoB,OAAO,GACpE,oBAAoB,SACpB,EAAE;EACL,MAAM,SACL,aAAa,eACV,oCAAoC,sBAAsB,cAAc,GACxE;GACA,GAAG;GACH,GAAG;GACH;EACJ,OAAO,CACN,UACA;GACC,GAAG;GACH;GACA,CACD;GACA,CACF;CAED,OAAO;EACN,GAAG;EACH,SAAS;GACR,GAAG;GACH,GAAG;GACH;EACD;;AAGF,SAAS,wBACR,kBACA,mBAC0B;CAC1B,MAAM,oBAAoB,eAAe,iBAAiB,IAAI,GAAG,iBAAiB,MAAM,EAAE;CAC1F,MAAM,wBAAwB,eAAe,kBAAkB,QAAQ,GACpE,kBAAkB,UAClB,EAAE;CACL,OAAO;EACN,GAAG;EACH,SAAS;GACR,GAAG;GACH,GAAG;GACH;EACD;;AAGF,SAAS,4BACR,kBAC0B;CAK1B,OAAO;EACN,MAAM;EACN,GAN6B,eAAe,iBAAiB,QAAQ,GACnE,iBAAiB,UACjB,EAAE;EAKJ;;AAGF,eAAe,8BACd,MACA,gBACgB;CAChB,MAAM,sBAAsB;EAC3B,GAAI,KAAK,QAAQ,kBAAkB,EAAE,MAAM,KAAK,QAAQ,iBAAiB,GAAG,EAAE;EAC9E,GAAI,KAAK,QAAQ,SAAS,aAAc,KAAK,QAAQ,uBAAuB,EAAE,GAAI,EAAE;EACpF;CA8BD,MAAM,eAAc,MA5BO,QAAQ,WAClC,OAAO,QAAQ,oBAAoB,CAAC,IAAI,OAAO,CAAC,SAAS,iCAAiC;EACzF,IAAI,CAAC,6BAA6B,4BAA4B,EAC7D,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,iDAAiD,QAAQ,IAC1E;EAEF,MAAM,qBAAqB;EAE3B,IAAI;GACH,MAAM,wBAAwB,KAAK,KAAK,KAAK,QAAQ,UAAU,UAAU,SAAS,QAAQ;GAC1F,MAAM,MAAM,uBAAuB;IAAE,WAAW;IAAM,MAAM;IAAO,CAAC;GACpE,MAAM,MAAM,uBAAuB,IAAM;GACzC,MAAM,eAAe,MAAM,eAAe,QAAQ,YAAY,mBAAmB,CAAC;GAClF,MAAM,oBACL,KAAK,KAAK,uBAAuB,qBAAqB,EACtD,cACA,EAAE,MAAM,KAAO,CACf;WACO,OAAO;GACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;GACtE,MAAM,IAAI,MACT,oDAAoD,KAAK,GAAG,WAAW,QAAQ,UAAU,wBAAwB,mBAAmB,CAAC,KAAK,WAC1I,EAAE,OAAO,OAAO,CAChB;;GAED,CACF,EAEC,QAAQ,WAA4C,OAAO,WAAW,WAAW,CACjF,KAAK,WACL,OAAO,kBAAkB,QAAQ,OAAO,SAAS,IAAI,MAAM,OAAO,OAAO,OAAO,CAAC,CACjF;CACF,IAAI,YAAY,SAAS,GACxB,MAAM,IAAI,eACT,aACA,mBAAmB,OAAO,YAAY,OAAO,CAAC,2CAA2C,KAAK,GAAG,IACjG;;AAIH,eAAe,6BAA6B,MAAwC;CACnF,MAAM,qBAAqB,KAAK,QAAQ;CACxC,IAAI,CAAC,oBACJ,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,0HAA0H,KAAK,GAAG,0BACnJ;CAEF,IAAI,CAAC,6BAA6B,mBAAmB,EACpD,MAAM,IAAI,MAAM,SAAS,KAAK,GAAG,yDAAyD;CAG3F,IAAI;EACH,IAAI,mBAAmB,WAAW,eAAe,CAAC,mBAAmB,KACpE,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,iHAAiH,KAAK,GAAG,0BAC1I;EAEF,IAAI,mBAAmB,WAAW,iBAAiB,CAAC,mBAAmB,QACtE,MAAM,IAAI,MACT,SAAS,KAAK,GAAG,mGACjB;EAEF,MAAM,gBAAgB,MAAM,SAAS,KAAK,QAAQ,QAAQ,OAAO;EACjE,MAAM,mBAA4B,KAAK,MAAM,cAAc;EAC3D,IAAI,CAAC,eAAe,iBAAiB,EACpC,MAAM,IAAI,MAAM,uBAAuB,KAAK,QAAQ,OAAO,0BAA0B;EAEtF,MAAM,uBAAuB,EAC5B,GAAG,KAAK,sBACR;EACD,MAAM,SAAS,eAAe,iBAAiB,QAAQ,GAAG,iBAAiB,UAAU,EAAE;EACvF,MAAM,qBAAqB,eAAe,OAAO,KAAK,GAAG,OAAO,OAAO,EAAE;EACzE,MAAM,kBAAkB;GACvB,GAAG;GACH,SAAS,4BAA4B,iBAAiB;GACtD,SAAS;IACR,GAAG;IACH,MAAM;KACL,GAAG;KACH,MAAM;KACN,OAAO;KACP;IACD;GACD,MAAM;IACL,GAAI,eAAe,iBAAiB,KAAK,GAAG,iBAAiB,OAAO,EAAE;IACtE,gCAAe,IAAI,MAAM,EAAC,aAAa;IACvC,oBAAoB;IACpB;GACD,KAAK,wBAAwB,kBAAkB,KAAK,kBAAkB;GACtE,SAAS,4BAA4B,kBAAkB,qBAAqB;GAC5E,SAAS,4BAA4B,iBAAiB;GACtD;EACD,MAAM,sBAAsB,mCAAmC,KAAK;EACpE,MAAM,MAAM,KAAK,QAAQ,UAAU;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;EACpE,MAAM,MAAM,KAAK,QAAQ,UAAU,IAAM;EACzC,MAAM,oBACL,qBACA,GAAG,KAAK,UAAU,iBAAiB,MAAM,EAAE,CAAC,KAC5C,EAAE,MAAM,KAAO,CACf;UACO,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;EACtE,MAAM,IAAI,MACT,uDAAuD,KAAK,GAAG,UAAU,KAAK,QAAQ,OAAO,kBAAkB,wBAAwB,mBAAmB,CAAC,KAAK,WAChK,EAAE,OAAO,OAAO,CAChB;;;AAIH,MAAa,oBAAsC;CAClD,YAAY;EACX,sBAAsB;EACtB,oBACC,UACA,UAII,EAAE,KAEN;GACC;GACA,GAAI,QAAQ,UAAU,CAAC,WAAW,WAAW,QAAQ,QAAQ,GAAG,GAAG,EAAE;GACrE,oBAAoB,WAAW,SAAS;GACxC,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,GAAI,QAAQ,eAAe,OAAO,CAAC,gBAAgB,GAAG,EAAE;GACxD,CAAC,KAAK,IAAI;EACZ;CAED,YAAY,EACX,gBACA,iBACA,kBACA,iBACA,YACA,SACA,QAC4C;EAC5C,IAAI,KAAK,QAAQ,SAAS,YACzB,MAAM,IAAI,MAAM,iDAAiD,KAAK,QAAQ,KAAK,IAAI;EAExF,MAAM,kBAAkB,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,OAAO,CAAC;EACvE,MAAM,EAAE,oBAAoB,oBAAoB,2BAC/C,mCAAmC,MAAM,iBAAiB,8BAA8B,EACxF;GACC,WAAW;GACX,oBAAoB,KAAK;GACzB,wBAAwB,KAAK;GAC7B,CACD;EACD,wCACC,MACA,oBACA,sCACA;EAED,OAAO;GACN,cAAc,sBAAsB,KAAK,YAAY;GACrD,aAAa;IACZ,MAAM;IACN,qBAAqB;IACrB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,oBAAoB;IACpB,MAAM,SAAS,QAAQ,IAAI,QAAQ;IACnC,eAAe;IACf,WAAW;IACX,MAAM;IACN,KAAK;IACL,QAAQ;IACR,cAAc;IACd,kBAAkB;IAClB,uBAAuB;IACvB,GAAG;IACH;GACD,iBAAiB,EAChB,GAAG,iBACH;GACD,YAAY;GACZ,cAAcA,yBAA8B,kBAAkB,KAAK,GAAG;GACtE,UAAU,qBAAqB,MAAM,gBAAgB,QAAQ;GAC7D,WAAW;IACV,mCAAmC;KAClC,UAAU;KACV,MAAM;KACN;KACA,yBAAyB;KACzB,UAAU;KACV,MAAM;KACN;IACD,kCAAkC;KACjC,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;KACA,6BAA6B;KAC7B,UAAU,KAAK,QAAQ;KACvB,MAAM;KACN;KACA,uBAAuB;KACvB,UAAU,KAAK,KAAK,YAAY,SAAS,KAAK,IAAI,OAAO;KACzD,MAAM;KACN;IACD;GACD;;CAGF,iBACC,MACA,iBACqB;EACrB,OAAO;GACN,kBAAkB,8BAA8B,MAAM,gBAAgB;GACtE,cAAc,eAAe,kCAAkC,2EAA2E,iCAAiC;GAC3K,aAAa;IACZ,MAAM;IACN,MAAM;IACN,MAAM;IACN;GACD,iBAAiB;GACjB,SAAS;GACT;;CAGF,MAAM,iBAAiB,MAAyB,gBAA+C;EAC9F,MAAM,6BAA6B,KAAK;EACxC,MAAM,8BAA8B,MAAM,eAAe;;CAE1D"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-vm/openclaw-gateway",
3
- "version": "0.0.69",
3
+ "version": "0.0.70",
4
4
  "description": "OpenClaw gateway lifecycle running inside a Gondolin VM.",
5
5
  "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
6
6
  "bugs": {
@@ -29,8 +29,9 @@
29
29
  "access": "public"
30
30
  },
31
31
  "dependencies": {
32
- "@agent-vm/gateway-interface": "0.0.69",
33
- "@agent-vm/gondolin-adapter": "0.0.69"
32
+ "@agent-vm/secrets": "0.0.70",
33
+ "@agent-vm/gateway-interface": "0.0.70",
34
+ "@agent-vm/gondolin-adapter": "0.0.70"
34
35
  },
35
36
  "scripts": {
36
37
  "build": "tsdown",