npm - @aquaclawai/aquarium - Versions diffs - 1.0.0 - Mend

@aquaclawai/aquarium 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (517) hide show

package/dist/agent-types/claude-code/index.d.ts +2 -0
package/dist/agent-types/claude-code/index.d.ts.map +1 -0
package/dist/agent-types/claude-code/index.js +2 -0
package/dist/agent-types/claude-code/index.js.map +1 -0
package/dist/agent-types/claude-code/manifest.d.ts +3 -0
package/dist/agent-types/claude-code/manifest.d.ts.map +1 -0
package/dist/agent-types/claude-code/manifest.js +45 -0
package/dist/agent-types/claude-code/manifest.js.map +1 -0
package/dist/agent-types/openclaw/adapter.d.ts +3 -0
package/dist/agent-types/openclaw/adapter.d.ts.map +1 -0
package/dist/agent-types/openclaw/adapter.js +714 -0
package/dist/agent-types/openclaw/adapter.js.map +1 -0
package/dist/agent-types/openclaw/gateway-rpc.d.ts +21 -0
package/dist/agent-types/openclaw/gateway-rpc.d.ts.map +1 -0
package/dist/agent-types/openclaw/gateway-rpc.js +202 -0
package/dist/agent-types/openclaw/gateway-rpc.js.map +1 -0
package/dist/agent-types/openclaw/index.d.ts +3 -0
package/dist/agent-types/openclaw/index.d.ts.map +1 -0
package/dist/agent-types/openclaw/index.js +3 -0
package/dist/agent-types/openclaw/index.js.map +1 -0
package/dist/agent-types/openclaw/manifest.d.ts +137 -0
package/dist/agent-types/openclaw/manifest.d.ts.map +1 -0
package/dist/agent-types/openclaw/manifest.js +191 -0
package/dist/agent-types/openclaw/manifest.js.map +1 -0
package/dist/agent-types/openclaw/provider-registry.d.ts +46 -0
package/dist/agent-types/openclaw/provider-registry.d.ts.map +1 -0
package/dist/agent-types/openclaw/provider-registry.js +108 -0
package/dist/agent-types/openclaw/provider-registry.js.map +1 -0
package/dist/agent-types/openclaw/reverse-adapter.d.ts +7 -0
package/dist/agent-types/openclaw/reverse-adapter.d.ts.map +1 -0
package/dist/agent-types/openclaw/reverse-adapter.js +528 -0
package/dist/agent-types/openclaw/reverse-adapter.js.map +1 -0
package/dist/agent-types/openclaw/security-profiles.d.ts +21 -0
package/dist/agent-types/openclaw/security-profiles.d.ts.map +1 -0
package/dist/agent-types/openclaw/security-profiles.js +251 -0
package/dist/agent-types/openclaw/security-profiles.js.map +1 -0
package/dist/agent-types/openclaw/workspace-templates.d.ts +2 -0
package/dist/agent-types/openclaw/workspace-templates.d.ts.map +1 -0
package/dist/agent-types/openclaw/workspace-templates.js +363 -0
package/dist/agent-types/openclaw/workspace-templates.js.map +1 -0
package/dist/agent-types/opencode/index.d.ts +2 -0
package/dist/agent-types/opencode/index.d.ts.map +1 -0
package/dist/agent-types/opencode/index.js +2 -0
package/dist/agent-types/opencode/index.js.map +1 -0
package/dist/agent-types/opencode/manifest.d.ts +3 -0
package/dist/agent-types/opencode/manifest.d.ts.map +1 -0
package/dist/agent-types/opencode/manifest.js +63 -0
package/dist/agent-types/opencode/manifest.js.map +1 -0
package/dist/agent-types/registry.d.ts +4 -0
package/dist/agent-types/registry.d.ts.map +1 -0
package/dist/agent-types/registry.js +24 -0
package/dist/agent-types/registry.js.map +1 -0
package/dist/agent-types/types.d.ts +169 -0
package/dist/agent-types/types.d.ts.map +1 -0
package/dist/agent-types/types.js +2 -0
package/dist/agent-types/types.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +72 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +68 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +98 -0
package/dist/config.js.map +1 -0
package/dist/db/adapter.d.ts +21 -0
package/dist/db/adapter.d.ts.map +1 -0
package/dist/db/adapter.js +11 -0
package/dist/db/adapter.js.map +1 -0
package/dist/db/index.d.ts +4 -0
package/dist/db/index.d.ts.map +1 -0
package/dist/db/index.js +5 -0
package/dist/db/index.js.map +1 -0
package/dist/db/knexfile.d.ts +5 -0
package/dist/db/knexfile.d.ts.map +1 -0
package/dist/db/knexfile.js +34 -0
package/dist/db/knexfile.js.map +1 -0
package/dist/db/migration-helpers.d.ts +45 -0
package/dist/db/migration-helpers.d.ts.map +1 -0
package/dist/db/migration-helpers.js +90 -0
package/dist/db/migration-helpers.js.map +1 -0
package/dist/db/migrations/001_initial.d.ts +4 -0
package/dist/db/migrations/001_initial.d.ts.map +1 -0
package/dist/db/migrations/001_initial.js +56 -0
package/dist/db/migrations/001_initial.js.map +1 -0
package/dist/db/migrations/002_instance_config.d.ts +4 -0
package/dist/db/migrations/002_instance_config.d.ts.map +1 -0
package/dist/db/migrations/002_instance_config.js +12 -0
package/dist/db/migrations/002_instance_config.js.map +1 -0
package/dist/db/migrations/003_instance_status_message.d.ts +4 -0
package/dist/db/migrations/003_instance_status_message.d.ts.map +1 -0
package/dist/db/migrations/003_instance_status_message.js +11 -0
package/dist/db/migrations/003_instance_status_message.js.map +1 -0
package/dist/db/migrations/004_templates.d.ts +4 -0
package/dist/db/migrations/004_templates.d.ts.map +1 -0
package/dist/db/migrations/004_templates.js +95 -0
package/dist/db/migrations/004_templates.js.map +1 -0
package/dist/db/migrations/005_group_chats.d.ts +4 -0
package/dist/db/migrations/005_group_chats.d.ts.map +1 -0
package/dist/db/migrations/005_group_chats.js +66 -0
package/dist/db/migrations/005_group_chats.js.map +1 -0
package/dist/db/migrations/006_template_setup.d.ts +4 -0
package/dist/db/migrations/006_template_setup.d.ts.map +1 -0
package/dist/db/migrations/006_template_setup.js +14 -0
package/dist/db/migrations/006_template_setup.js.map +1 -0
package/dist/db/migrations/007_group_chat_v2.d.ts +4 -0
package/dist/db/migrations/007_group_chat_v2.d.ts.map +1 -0
package/dist/db/migrations/007_group_chat_v2.js +59 -0
package/dist/db/migrations/007_group_chat_v2.js.map +1 -0
package/dist/db/migrations/008_default_provider_openrouter.d.ts +4 -0
package/dist/db/migrations/008_default_provider_openrouter.d.ts.map +1 -0
package/dist/db/migrations/008_default_provider_openrouter.js +33 -0
package/dist/db/migrations/008_default_provider_openrouter.js.map +1 -0
package/dist/db/migrations/009_opencode_default_provider_openrouter.d.ts +4 -0
package/dist/db/migrations/009_opencode_default_provider_openrouter.d.ts.map +1 -0
package/dist/db/migrations/009_opencode_default_provider_openrouter.js +33 -0
package/dist/db/migrations/009_opencode_default_provider_openrouter.js.map +1 -0
package/dist/db/migrations/010_fix_null_default_provider.d.ts +4 -0
package/dist/db/migrations/010_fix_null_default_provider.d.ts.map +1 -0
package/dist/db/migrations/010_fix_null_default_provider.js +24 -0
package/dist/db/migrations/010_fix_null_default_provider.js.map +1 -0
package/dist/db/migrations/011_snapshots.d.ts +4 -0
package/dist/db/migrations/011_snapshots.d.ts.map +1 -0
package/dist/db/migrations/011_snapshots.js +27 -0
package/dist/db/migrations/011_snapshots.js.map +1 -0
package/dist/db/migrations/013_official_templates.d.ts +4 -0
package/dist/db/migrations/013_official_templates.d.ts.map +1 -0
package/dist/db/migrations/013_official_templates.js +173 -0
package/dist/db/migrations/013_official_templates.js.map +1 -0
package/dist/db/migrations/014_notifications.d.ts +4 -0
package/dist/db/migrations/014_notifications.d.ts.map +1 -0
package/dist/db/migrations/014_notifications.js +45 -0
package/dist/db/migrations/014_notifications.js.map +1 -0
package/dist/db/migrations/015_security_profile.d.ts +4 -0
package/dist/db/migrations/015_security_profile.d.ts.map +1 -0
package/dist/db/migrations/015_security_profile.js +14 -0
package/dist/db/migrations/015_security_profile.js.map +1 -0
package/dist/db/migrations/016_template_security.d.ts +4 -0
package/dist/db/migrations/016_template_security.d.ts.map +1 -0
package/dist/db/migrations/016_template_security.js +12 -0
package/dist/db/migrations/016_template_security.js.map +1 -0
package/dist/db/migrations/017_auth_events.d.ts +4 -0
package/dist/db/migrations/017_auth_events.d.ts.map +1 -0
package/dist/db/migrations/017_auth_events.js +19 -0
package/dist/db/migrations/017_auth_events.js.map +1 -0
package/dist/db/migrations/018_skill_market.d.ts +4 -0
package/dist/db/migrations/018_skill_market.d.ts.map +1 -0
package/dist/db/migrations/018_skill_market.js +21 -0
package/dist/db/migrations/018_skill_market.js.map +1 -0
package/dist/db/migrations/019_credential_audit_log.d.ts +4 -0
package/dist/db/migrations/019_credential_audit_log.d.ts.map +1 -0
package/dist/db/migrations/019_credential_audit_log.js +19 -0
package/dist/db/migrations/019_credential_audit_log.js.map +1 -0
package/dist/db/migrations/020_template_security_score.d.ts +4 -0
package/dist/db/migrations/020_template_security_score.d.ts.map +1 -0
package/dist/db/migrations/020_template_security_score.js +31 -0
package/dist/db/migrations/020_template_security_score.js.map +1 -0
package/dist/db/migrations/021_credential_enhancements.d.ts +4 -0
package/dist/db/migrations/021_credential_enhancements.d.ts.map +1 -0
package/dist/db/migrations/021_credential_enhancements.js +15 -0
package/dist/db/migrations/021_credential_enhancements.js.map +1 -0
package/dist/db/migrations/021_user_roles.d.ts +4 -0
package/dist/db/migrations/021_user_roles.d.ts.map +1 -0
package/dist/db/migrations/021_user_roles.js +11 -0
package/dist/db/migrations/021_user_roles.js.map +1 -0
package/dist/db/migrations/022_config_hash.d.ts +4 -0
package/dist/db/migrations/022_config_hash.d.ts.map +1 -0
package/dist/db/migrations/022_config_hash.js +11 -0
package/dist/db/migrations/022_config_hash.js.map +1 -0
package/dist/db/migrations/023_account_security.d.ts +4 -0
package/dist/db/migrations/023_account_security.d.ts.map +1 -0
package/dist/db/migrations/023_account_security.js +22 -0
package/dist/db/migrations/023_account_security.js.map +1 -0
package/dist/db/migrations/024_wizard_configs.d.ts +4 -0
package/dist/db/migrations/024_wizard_configs.d.ts.map +1 -0
package/dist/db/migrations/024_wizard_configs.js +165 -0
package/dist/db/migrations/024_wizard_configs.js.map +1 -0
package/dist/db/migrations/025_auth_dual_mode.d.ts +4 -0
package/dist/db/migrations/025_auth_dual_mode.d.ts.map +1 -0
package/dist/db/migrations/025_auth_dual_mode.js +19 -0
package/dist/db/migrations/025_auth_dual_mode.js.map +1 -0
package/dist/db/migrations/027_add_avatar_to_instances.d.ts +4 -0
package/dist/db/migrations/027_add_avatar_to_instances.d.ts.map +1 -0
package/dist/db/migrations/027_add_avatar_to_instances.js +11 -0
package/dist/db/migrations/027_add_avatar_to_instances.js.map +1 -0
package/dist/db/migrations/027_add_clerk_id.d.ts +4 -0
package/dist/db/migrations/027_add_clerk_id.d.ts.map +1 -0
package/dist/db/migrations/027_add_clerk_id.js +11 -0
package/dist/db/migrations/027_add_clerk_id.js.map +1 -0
package/dist/db/migrations/028_template_plugin_dependencies.d.ts +4 -0
package/dist/db/migrations/028_template_plugin_dependencies.d.ts.map +1 -0
package/dist/db/migrations/028_template_plugin_dependencies.js +18 -0
package/dist/db/migrations/028_template_plugin_dependencies.js.map +1 -0
package/dist/db/migrations/029_remap_orphan_config_keys.d.ts +21 -0
package/dist/db/migrations/029_remap_orphan_config_keys.d.ts.map +1 -0
package/dist/db/migrations/029_remap_orphan_config_keys.js +63 -0
package/dist/db/migrations/029_remap_orphan_config_keys.js.map +1 -0
package/dist/db/migrations/030_extend_notification_types.d.ts +4 -0
package/dist/db/migrations/030_extend_notification_types.d.ts.map +1 -0
package/dist/db/migrations/030_extend_notification_types.js +10 -0
package/dist/db/migrations/030_extend_notification_types.js.map +1 -0
package/dist/db/migrations/031_default_security_profile_developer.d.ts +9 -0
package/dist/db/migrations/031_default_security_profile_developer.d.ts.map +1 -0
package/dist/db/migrations/031_default_security_profile_developer.js +22 -0
package/dist/db/migrations/031_default_security_profile_developer.js.map +1 -0
package/dist/db/migrations/032_geo_template.d.ts +4 -0
package/dist/db/migrations/032_geo_template.d.ts.map +1 -0
package/dist/db/migrations/032_geo_template.js +133 -0
package/dist/db/migrations/032_geo_template.js.map +1 -0
package/dist/db/migrations/033_jinko_travel_template.d.ts +4 -0
package/dist/db/migrations/033_jinko_travel_template.d.ts.map +1 -0
package/dist/db/migrations/033_jinko_travel_template.js +126 -0
package/dist/db/migrations/033_jinko_travel_template.js.map +1 -0
package/dist/db/postgres-adapter.d.ts +13 -0
package/dist/db/postgres-adapter.d.ts.map +1 -0
package/dist/db/postgres-adapter.js +27 -0
package/dist/db/postgres-adapter.js.map +1 -0
package/dist/db/run-migrations.d.ts +2 -0
package/dist/db/run-migrations.d.ts.map +1 -0
package/dist/db/run-migrations.js +26 -0
package/dist/db/run-migrations.js.map +1 -0
package/dist/db/sqlite-adapter.d.ts +13 -0
package/dist/db/sqlite-adapter.d.ts.map +1 -0
package/dist/db/sqlite-adapter.js +29 -0
package/dist/db/sqlite-adapter.js.map +1 -0
package/dist/ee/litellm/litellm-key-manager.d.ts +16 -0
package/dist/ee/litellm/litellm-key-manager.d.ts.map +1 -0
package/dist/ee/litellm/litellm-key-manager.js +16 -0
package/dist/ee/litellm/litellm-key-manager.js.map +1 -0
package/dist/ee/litellm/litellm-model-seeder.d.ts +6 -0
package/dist/ee/litellm/litellm-model-seeder.d.ts.map +1 -0
package/dist/ee/litellm/litellm-model-seeder.js +6 -0
package/dist/ee/litellm/litellm-model-seeder.js.map +1 -0
package/dist/index.ce.d.ts +2 -0
package/dist/index.ce.d.ts.map +1 -0
package/dist/index.ce.js +12 -0
package/dist/index.ce.js.map +1 -0
package/dist/middleware/auth.d.ts +30 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +86 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/dynamic-middleware.d.ts +7 -0
package/dist/middleware/dynamic-middleware.d.ts.map +1 -0
package/dist/middleware/dynamic-middleware.js +46 -0
package/dist/middleware/dynamic-middleware.js.map +1 -0
package/dist/middleware/log-redaction.d.ts +2 -0
package/dist/middleware/log-redaction.d.ts.map +1 -0
package/dist/middleware/log-redaction.js +56 -0
package/dist/middleware/log-redaction.js.map +1 -0
package/dist/routes/admin.d.ts +3 -0
package/dist/routes/admin.d.ts.map +1 -0
package/dist/routes/admin.js +491 -0
package/dist/routes/admin.js.map +1 -0
package/dist/routes/agent-types.d.ts +3 -0
package/dist/routes/agent-types.d.ts.map +1 -0
package/dist/routes/agent-types.js +85 -0
package/dist/routes/agent-types.js.map +1 -0
package/dist/routes/auth.d.ts +3 -0
package/dist/routes/auth.d.ts.map +1 -0
package/dist/routes/auth.js +242 -0
package/dist/routes/auth.js.map +1 -0
package/dist/routes/channels.d.ts +3 -0
package/dist/routes/channels.d.ts.map +1 -0
package/dist/routes/channels.js +527 -0
package/dist/routes/channels.js.map +1 -0
package/dist/routes/credentials.d.ts +3 -0
package/dist/routes/credentials.d.ts.map +1 -0
package/dist/routes/credentials.js +81 -0
package/dist/routes/credentials.js.map +1 -0
package/dist/routes/dashboard.d.ts +3 -0
package/dist/routes/dashboard.d.ts.map +1 -0
package/dist/routes/dashboard.js +75 -0
package/dist/routes/dashboard.js.map +1 -0
package/dist/routes/exec-approval.d.ts +3 -0
package/dist/routes/exec-approval.d.ts.map +1 -0
package/dist/routes/exec-approval.js +60 -0
package/dist/routes/exec-approval.js.map +1 -0
package/dist/routes/group-chats.d.ts +3 -0
package/dist/routes/group-chats.d.ts.map +1 -0
package/dist/routes/group-chats.js +190 -0
package/dist/routes/group-chats.js.map +1 -0
package/dist/routes/instance-files.d.ts +3 -0
package/dist/routes/instance-files.d.ts.map +1 -0
package/dist/routes/instance-files.js +255 -0
package/dist/routes/instance-files.js.map +1 -0
package/dist/routes/instance-proxy.d.ts +40 -0
package/dist/routes/instance-proxy.d.ts.map +1 -0
package/dist/routes/instance-proxy.js +318 -0
package/dist/routes/instance-proxy.js.map +1 -0
package/dist/routes/instances.d.ts +3 -0
package/dist/routes/instances.d.ts.map +1 -0
package/dist/routes/instances.js +325 -0
package/dist/routes/instances.js.map +1 -0
package/dist/routes/metadata.d.ts +3 -0
package/dist/routes/metadata.d.ts.map +1 -0
package/dist/routes/metadata.js +13 -0
package/dist/routes/metadata.js.map +1 -0
package/dist/routes/notifications.d.ts +3 -0
package/dist/routes/notifications.d.ts.map +1 -0
package/dist/routes/notifications.js +104 -0
package/dist/routes/notifications.js.map +1 -0
package/dist/routes/oauth.d.ts +3 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +516 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/rpc-proxy.d.ts +3 -0
package/dist/routes/rpc-proxy.d.ts.map +1 -0
package/dist/routes/rpc-proxy.js +116 -0
package/dist/routes/rpc-proxy.js.map +1 -0
package/dist/routes/security.d.ts +3 -0
package/dist/routes/security.d.ts.map +1 -0
package/dist/routes/security.js +43 -0
package/dist/routes/security.js.map +1 -0
package/dist/routes/skills.d.ts +3 -0
package/dist/routes/skills.d.ts.map +1 -0
package/dist/routes/skills.js +48 -0
package/dist/routes/skills.js.map +1 -0
package/dist/routes/snapshots.d.ts +3 -0
package/dist/routes/snapshots.d.ts.map +1 -0
package/dist/routes/snapshots.js +99 -0
package/dist/routes/snapshots.js.map +1 -0
package/dist/routes/system-config.d.ts +3 -0
package/dist/routes/system-config.d.ts.map +1 -0
package/dist/routes/system-config.js +75 -0
package/dist/routes/system-config.js.map +1 -0
package/dist/routes/templates.d.ts +3 -0
package/dist/routes/templates.d.ts.map +1 -0
package/dist/routes/templates.js +256 -0
package/dist/routes/templates.js.map +1 -0
package/dist/routes/ui-proxy.d.ts +3 -0
package/dist/routes/ui-proxy.d.ts.map +1 -0
package/dist/routes/ui-proxy.js +90 -0
package/dist/routes/ui-proxy.js.map +1 -0
package/dist/routes/user-credentials.d.ts +3 -0
package/dist/routes/user-credentials.d.ts.map +1 -0
package/dist/routes/user-credentials.js +85 -0
package/dist/routes/user-credentials.js.map +1 -0
package/dist/routes/users.d.ts +3 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +30 -0
package/dist/routes/users.js.map +1 -0
package/dist/runtime/docker.d.ts +37 -0
package/dist/runtime/docker.d.ts.map +1 -0
package/dist/runtime/docker.js +612 -0
package/dist/runtime/docker.js.map +1 -0
package/dist/runtime/factory.d.ts +4 -0
package/dist/runtime/factory.d.ts.map +1 -0
package/dist/runtime/factory.js +21 -0
package/dist/runtime/factory.js.map +1 -0
package/dist/runtime/kubernetes.d.ts +34 -0
package/dist/runtime/kubernetes.d.ts.map +1 -0
package/dist/runtime/kubernetes.js +513 -0
package/dist/runtime/kubernetes.js.map +1 -0
package/dist/runtime/types.d.ts +81 -0
package/dist/runtime/types.d.ts.map +1 -0
package/dist/runtime/types.js +2 -0
package/dist/runtime/types.js.map +1 -0
package/dist/server-core.d.ts +26 -0
package/dist/server-core.d.ts.map +1 -0
package/dist/server-core.js +184 -0
package/dist/server-core.js.map +1 -0
package/dist/services/config-diff.d.ts +6 -0
package/dist/services/config-diff.d.ts.map +1 -0
package/dist/services/config-diff.js +85 -0
package/dist/services/config-diff.js.map +1 -0
package/dist/services/config-field-meta.d.ts +22 -0
package/dist/services/config-field-meta.d.ts.map +1 -0
package/dist/services/config-field-meta.js +177 -0
package/dist/services/config-field-meta.js.map +1 -0
package/dist/services/config-validator.d.ts +8 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +59 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/credential-audit.d.ts +13 -0
package/dist/services/credential-audit.d.ts.map +1 -0
package/dist/services/credential-audit.js +18 -0
package/dist/services/credential-audit.js.map +1 -0
package/dist/services/credential-store.d.ts +28 -0
package/dist/services/credential-store.d.ts.map +1 -0
package/dist/services/credential-store.js +99 -0
package/dist/services/credential-store.js.map +1 -0
package/dist/services/dlp-scanner.d.ts +9 -0
package/dist/services/dlp-scanner.d.ts.map +1 -0
package/dist/services/dlp-scanner.js +90 -0
package/dist/services/dlp-scanner.js.map +1 -0
package/dist/services/gateway-event-relay.d.ts +53 -0
package/dist/services/gateway-event-relay.d.ts.map +1 -0
package/dist/services/gateway-event-relay.js +519 -0
package/dist/services/gateway-event-relay.js.map +1 -0
package/dist/services/group-chat-manager.d.ts +17 -0
package/dist/services/group-chat-manager.d.ts.map +1 -0
package/dist/services/group-chat-manager.js +613 -0
package/dist/services/group-chat-manager.js.map +1 -0
package/dist/services/health-monitor.d.ts +3 -0
package/dist/services/health-monitor.d.ts.map +1 -0
package/dist/services/health-monitor.js +342 -0
package/dist/services/health-monitor.js.map +1 -0
package/dist/services/instance-manager.d.ts +20 -0
package/dist/services/instance-manager.d.ts.map +1 -0
package/dist/services/instance-manager.js +833 -0
package/dist/services/instance-manager.js.map +1 -0
package/dist/services/metadata-store.d.ts +3 -0
package/dist/services/metadata-store.d.ts.map +1 -0
package/dist/services/metadata-store.js +34 -0
package/dist/services/metadata-store.js.map +1 -0
package/dist/services/notification-store.d.ts +24 -0
package/dist/services/notification-store.d.ts.map +1 -0
package/dist/services/notification-store.js +216 -0
package/dist/services/notification-store.js.map +1 -0
package/dist/services/openrouter-models.d.ts +13 -0
package/dist/services/openrouter-models.d.ts.map +1 -0
package/dist/services/openrouter-models.js +46 -0
package/dist/services/openrouter-models.js.map +1 -0
package/dist/services/output-filter.d.ts +8 -0
package/dist/services/output-filter.d.ts.map +1 -0
package/dist/services/output-filter.js +230 -0
package/dist/services/output-filter.js.map +1 -0
package/dist/services/prompt-guard.d.ts +6 -0
package/dist/services/prompt-guard.d.ts.map +1 -0
package/dist/services/prompt-guard.js +165 -0
package/dist/services/prompt-guard.js.map +1 -0
package/dist/services/security-event-service.d.ts +11 -0
package/dist/services/security-event-service.d.ts.map +1 -0
package/dist/services/security-event-service.js +201 -0
package/dist/services/security-event-service.js.map +1 -0
package/dist/services/snapshot-store.d.ts +21 -0
package/dist/services/snapshot-store.d.ts.map +1 -0
package/dist/services/snapshot-store.js +330 -0
package/dist/services/snapshot-store.js.map +1 -0
package/dist/services/system-config.d.ts +15 -0
package/dist/services/system-config.d.ts.map +1 -0
package/dist/services/system-config.js +80 -0
package/dist/services/system-config.js.map +1 -0
package/dist/services/template-file-format.d.ts +32 -0
package/dist/services/template-file-format.d.ts.map +1 -0
package/dist/services/template-file-format.js +125 -0
package/dist/services/template-file-format.js.map +1 -0
package/dist/services/template-store.d.ts +21 -0
package/dist/services/template-store.d.ts.map +1 -0
package/dist/services/template-store.js +701 -0
package/dist/services/template-store.js.map +1 -0
package/dist/services/user-credential-store.d.ts +20 -0
package/dist/services/user-credential-store.d.ts.map +1 -0
package/dist/services/user-credential-store.js +243 -0
package/dist/services/user-credential-store.js.map +1 -0
package/dist/services/wizard-config-store.d.ts +38 -0
package/dist/services/wizard-config-store.d.ts.map +1 -0
package/dist/services/wizard-config-store.js +70 -0
package/dist/services/wizard-config-store.js.map +1 -0
package/dist/web-dist/assets/AdminPage-BrAU67Dg.js +1 -0
package/dist/web-dist/assets/AgentAvatar-BKJckc1W.js +1 -0
package/dist/web-dist/assets/AgentAvatar-Cq-M5jMd.css +1 -0
package/dist/web-dist/assets/AppLayout-Bf0v_2wK.css +1 -0
package/dist/web-dist/assets/AppLayout-DXgV0atq.js +1 -0
package/dist/web-dist/assets/AssistantChatPage-uVLgKLay.js +6 -0
package/dist/web-dist/assets/AssistantEditPage-Bab1X-DA.js +1 -0
package/dist/web-dist/assets/AssistantVersionsPage-BQRw3BUF.js +1 -0
package/dist/web-dist/assets/AvatarPicker-DmnkD8Rb.js +1 -0
package/dist/web-dist/assets/AvatarPicker-LHUepNFa.css +1 -0
package/dist/web-dist/assets/CeAuthProvider-38_x9VGA.js +1 -0
package/dist/web-dist/assets/ChatHubPage-2l4cKq0x.css +1 -0
package/dist/web-dist/assets/ChatHubPage-B2WduoUM.js +1 -0
package/dist/web-dist/assets/ChatTab-CHpjEu8M.js +6 -0
package/dist/web-dist/assets/CreateWizardPage-DFEQ3VX3.js +47 -0
package/dist/web-dist/assets/CreateWizardPage-IqNXDOER.css +1 -0
package/dist/web-dist/assets/CredentialsPage-CDeXpnLG.js +1 -0
package/dist/web-dist/assets/CredentialsPage-aI4kLoJD.css +1 -0
package/dist/web-dist/assets/DocsAboutPage-CMbxiw1u.js +26 -0
package/dist/web-dist/assets/DocsChannelsPage-CtmKYKK_.js +1 -0
package/dist/web-dist/assets/DocsGettingStartedPage-CpM7o8sw.js +1 -0
package/dist/web-dist/assets/DocsGroupChatsPage-7w-RVSJR.js +1 -0
package/dist/web-dist/assets/DocsHomePage-BGEU5xBg.js +1 -0
package/dist/web-dist/assets/DocsInstancesPage-Sewnw_x7.js +1 -0
package/dist/web-dist/assets/DocsLayout-S7-ONZwP.js +1 -0
package/dist/web-dist/assets/DocsProvidersPage-MeWneL5K.js +1 -0
package/dist/web-dist/assets/DocsSkillsPage-CzsHPXxE.js +1 -0
package/dist/web-dist/assets/DocsTemplatesPage-BXASAEoO.js +1 -0
package/dist/web-dist/assets/DocsWorkspacePage-qYNeK_YS.js +24 -0
package/dist/web-dist/assets/ExportWizardPage-BhNvovbU.js +3 -0
package/dist/web-dist/assets/ExportWizardPage-Cp-KSYUy.css +1 -0
package/dist/web-dist/assets/GoogleOAuthCallback-CBvLawe2.js +1 -0
package/dist/web-dist/assets/GroupChatPage-rMfhmtsX.js +1 -0
package/dist/web-dist/assets/GroupChatsListPage-BOwxHFfA.js +1 -0
package/dist/web-dist/assets/InstancePage-BBL68DKB.js +1 -0
package/dist/web-dist/assets/InstancePage-CzysRY40.css +1 -0
package/dist/web-dist/assets/MyAssistantsPage-B808ZfHg.css +1 -0
package/dist/web-dist/assets/MyAssistantsPage-q3-hNMth.js +1 -0
package/dist/web-dist/assets/ProfilePage-Dx8YdU59.js +1 -0
package/dist/web-dist/assets/ProfilePage-JMOkUDx7.css +1 -0
package/dist/web-dist/assets/SessionDrawer-Ba7pbZDJ.css +1 -0
package/dist/web-dist/assets/SessionDrawer-CXzEQAfF.js +1 -0
package/dist/web-dist/assets/SystemConfigPage-4dvxADwi.js +1 -0
package/dist/web-dist/assets/SystemConfigPage-DRqVfLGt.css +1 -0
package/dist/web-dist/assets/TemplatesPage-DqXuG-Gy.css +1 -0
package/dist/web-dist/assets/TemplatesPage-HMS__ODO.js +1 -0
package/dist/web-dist/assets/TestLoginPage-xVQL0lYP.js +1 -0
package/dist/web-dist/assets/ThemeToggle-DymKEYXG.js +1 -0
package/dist/web-dist/assets/WorkbenchPage-Bymo4SSt.css +1 -0
package/dist/web-dist/assets/WorkbenchPage-ST3hVrbL.js +33 -0
package/dist/web-dist/assets/api-B5psysvQ.js +1 -0
package/dist/web-dist/assets/clock-dRyRszad.js +1 -0
package/dist/web-dist/assets/createLucideIcon-DiGX-lN4.js +1 -0
package/dist/web-dist/assets/group-chat-9BaA9G_8.css +1 -0
package/dist/web-dist/assets/index-BqzqZJ96.js +26 -0
package/dist/web-dist/assets/index-DyrDN1Of.css +1 -0
package/dist/web-dist/assets/index-wWimwgy7.js +1 -0
package/dist/web-dist/assets/provider-display-BgrE7u33.js +1 -0
package/dist/web-dist/assets/types-1lNWpzYk.js +57 -0
package/dist/web-dist/assets/types-B6ttO-6G.css +1 -0
package/dist/web-dist/assets/useTranslation-B-8kenfJ.js +1 -0
package/dist/web-dist/assets/zap-CVBnETFW.js +1 -0
package/dist/web-dist/index.html +31 -0
package/dist/web-dist/vite.svg +1 -0
package/dist/ws/index.d.ts +7 -0
package/dist/ws/index.d.ts.map +1 -0
package/dist/ws/index.js +112 -0
package/dist/ws/index.js.map +1 -0
package/package.json +54 -0

package/dist/services/instance-manager.js ADDED Viewed

@@ -0,0 +1,833 @@
+import { randomUUID, createHash } from 'crypto';
+import { db } from '../db/index.js';
+import { config } from '../config.js';
+import { getAgentType } from '../agent-types/registry.js';
+import { getRuntimeEngine } from '../runtime/factory.js';
+import { getDecryptedCredentials } from './credential-store.js';
+import { broadcast } from '../ws/index.js';
+import { connectGateway, disconnectGateway } from './gateway-event-relay.js';
+import { validateConfigPatch } from './config-validator.js';
+import { litellmKeyManager } from '../ee/litellm/litellm-key-manager.js';
+import { safeAutoSnapshot } from './snapshot-store.js';
+import { buildCredentialIndex, clearCredentialIndex, buildWorkspaceContentIndex, clearWorkspaceContentIndex } from './output-filter.js';
+import { preloadDlpConfig, evictDlpConfig } from './gateway-event-relay.js';
+import { scanContent } from './dlp-scanner.js';
+import { createNotification } from './notification-store.js';
+// ── helpers ──
+function computeConfigHash(configFiles) {
+    const openclawJson = configFiles.get('openclaw.json');
+    if (!openclawJson)
+        return null;
+    return createHash('sha256').update(openclawJson).digest('hex');
+}
+function toInstance(row) {
+    const rawConfig = row.config;
+    let config = {};
+    if (typeof rawConfig === 'string') {
+        try {
+            config = JSON.parse(rawConfig);
+        }
+        catch {
+            config = {};
+        }
+    }
+    else if (rawConfig && typeof rawConfig === 'object') {
+        config = rawConfig;
+    }
+    return {
+        id: row.id,
+        userId: row.user_id,
+        name: row.name,
+        agentType: row.agent_type,
+        imageTag: row.image_tag,
+        status: row.status,
+        statusMessage: row.status_message || null,
+        deploymentTarget: row.deployment_target,
+        runtimeId: row.runtime_id || null,
+        controlEndpoint: row.control_endpoint || null,
+        authToken: row.auth_token,
+        config,
+        templateId: row.template_id || null,
+        templateVersion: row.template_version || null,
+        billingMode: row.billing_mode || undefined,
+        securityProfile: row.security_profile || 'standard',
+        proxyKeyId: row.proxy_key_id || null,
+        litellmKeyHash: row.litellm_key_hash || null,
+        avatar: row.avatar || null,
+        createdAt: String(row.created_at),
+        updatedAt: String(row.updated_at),
+    };
+}
+async function updateStatus(id, status, extra = {}, statusMessage) {
+    await db('instances').where({ id }).update({ status, status_message: statusMessage ?? null, updated_at: db.fn.now(), ...extra });
+    broadcast(id, { type: 'instance:status', instanceId: id, payload: { status, statusMessage: statusMessage ?? null } });
+}
+async function addEvent(instanceId, eventType, metadata = {}) {
+    await db('instance_events').insert({ instance_id: instanceId, event_type: eventType, metadata: JSON.stringify(metadata) });
+}
+export async function addSecurityEvent(instanceId, result) {
+    await addEvent(instanceId, 'security:prompt_injection_detected', {
+        severity: result.maxSeverity,
+        matchCount: result.matches.length,
+        categories: [...new Set(result.matches.map(m => m.category))],
+        patternIds: result.matches.map(m => m.patternId),
+        durationMs: result.durationMs,
+    });
+}
+export async function addOutputFilterEvent(instanceId, result) {
+    await addEvent(instanceId, 'security:output_filtered', {
+        mode: result.mode,
+        matchCount: result.matches.length,
+        categories: [...new Set(result.matches.map(m => m.category))],
+        durationMs: result.durationMs,
+    });
+}
+function buildSpec(instance, manifest, env) {
+    // Agent-type-specific image overrides via env vars (e.g. OPENCLAW_IMAGE=openclaw-gateway:2026.3.2-p1)
+    const imageOverride = instance.agentType === 'openclaw' ? config.docker.openclawImage : '';
+    // If imageTag contains ':' it's a custom image reference (e.g. "openclaw-gateway-clawra:2026.2.12-p1")
+    // used by templates that require a specialised Docker image.
+    const isCustomImage = instance.imageTag.includes(':');
+    const image = imageOverride
+        ? imageOverride
+        : isCustomImage
+            ? instance.imageTag
+            : manifest.image.registry
+                ? `${manifest.image.registry}${manifest.image.repository}:${instance.imageTag}`
+                : `${manifest.image.repository}:${instance.imageTag}`;
+    const containerName = `${instance.agentType}-${instance.id.slice(0, 8)}`;
+    return {
+        name: containerName,
+        image,
+        ports: manifest.ports.map(p => ({ name: p.name, containerPort: p.containerPort, protocol: p.protocol })),
+        env: Object.fromEntries(Object.entries(env).filter(([_, v]) => v !== undefined)),
+        secrets: {},
+        volumes: manifest.volumes.map(v => ({ name: v.name, mountPath: v.mountPath, size: v.defaultSize })),
+        resources: manifest.resources,
+        securityContext: manifest.securityContext,
+        healthCheck: manifest.healthCheck?.type === 'http' || manifest.healthCheck?.type === 'tcp'
+            ? { type: manifest.healthCheck.type, port: manifest.healthCheck.port, path: manifest.healthCheck.path, initialDelaySeconds: manifest.healthCheck.initialDelaySeconds, periodSeconds: manifest.healthCheck.periodSeconds }
+            : undefined,
+        labels: {
+            'platform.io/agent-type': instance.agentType,
+            'platform.io/instance-id': instance.id,
+            'platform.io/user-id': instance.userId,
+        },
+    };
+}
+// ── public API ──
+export async function createInstance(userId, req) {
+    const { manifest } = getAgentType(req.agentType);
+    const imageTag = req.imageTag || manifest.image.defaultTag;
+    const deploymentTarget = req.deploymentTarget || config.defaultDeploymentTarget;
+    const authToken = randomUUID();
+    const [row] = await db('instances')
+        .insert({
+        user_id: userId,
+        name: req.name,
+        agent_type: req.agentType,
+        image_tag: imageTag,
+        deployment_target: deploymentTarget,
+        billing_mode: req.billingMode === 'byok' ? 'byok' : 'platform',
+        security_profile: req.securityProfile || 'standard',
+        auth_token: authToken,
+        config: JSON.stringify(req.config || {}),
+        avatar: req.avatar || null,
+    })
+        .returning('*');
+    const instance = toInstance(row);
+    await addEvent(instance.id, 'created');
+    return instance;
+}
+const WORKSPACE_FILE_KEYS = [
+    { key: 'agentsmd', filename: 'workspace/AGENTS.md' },
+    { key: 'soulmd', filename: 'workspace/SOUL.md' },
+    { key: 'identitymd', filename: 'workspace/IDENTITY.md' },
+    { key: 'usermd', filename: 'workspace/USER.md' },
+    { key: 'toolsmd', filename: 'workspace/TOOLS.md' },
+    { key: 'bootstrapmd', filename: 'workspace/BOOTSTRAP.md' },
+    { key: 'heartbeatmd', filename: 'workspace/HEARTBEAT.md' },
+    { key: 'memorymd', filename: 'workspace/MEMORY.md' },
+];
+export async function syncWorkspaceFromContainer(instanceId) {
+    const row = await db('instances').where({ id: instanceId }).first();
+    if (!row)
+        return;
+    const instance = toInstance(row);
+    if (!instance.runtimeId || instance.status !== 'running')
+        return;
+    try {
+        const { manifest } = getAgentType(instance.agentType);
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        if (!engine.readFile)
+            return;
+        const volumeMountPath = manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+        const currentConfig = (instance.config || {});
+        let changed = false;
+        for (const wf of WORKSPACE_FILE_KEYS) {
+            try {
+                const content = await engine.readFile(instance.runtimeId, `${volumeMountPath}/${wf.filename}`);
+                if (content !== null && content !== currentConfig[wf.key]) {
+                    currentConfig[wf.key] = content;
+                    changed = true;
+                }
+            }
+            catch {
+                // skip — file may not exist yet
+            }
+        }
+        if (changed) {
+            await db('instances').where({ id: instanceId }).update({ config: JSON.stringify(currentConfig), updated_at: db.fn.now() });
+        }
+        // DLP scan workspace files for leaked secrets
+        for (const wf of WORKSPACE_FILE_KEYS) {
+            const fileContent = currentConfig[wf.key];
+            if (typeof fileContent !== 'string' || !fileContent)
+                continue;
+            const findings = scanContent(fileContent, wf.filename);
+            if (findings.length > 0) {
+                const findingSummary = findings.map(f => `${f.patternName} (line ${f.lineNumber})`).join(', ');
+                await addEvent(instanceId, 'security:dlp_alert', {
+                    filename: wf.filename,
+                    findingCount: findings.length,
+                    patterns: findings.map(f => ({ pattern: f.patternName, line: f.lineNumber, redacted: f.redacted })),
+                });
+                await createNotification({
+                    userId: instance.userId,
+                    instanceId,
+                    type: 'dlp_alert',
+                    severity: 'warn',
+                    title: `Potential secret detected in ${wf.filename}`,
+                    body: `DLP scan found ${findings.length} potential secret(s): ${findingSummary}`,
+                });
+                console.warn(`[syncWorkspace] DLP alert for ${instanceId}: ${findingSummary}`);
+            }
+        }
+    }
+    catch (err) {
+        console.error(`[syncWorkspace] Failed for ${instanceId}:`, err);
+    }
+}
+export async function reseedConfigFiles(instanceId) {
+    const row = await db('instances').where({ id: instanceId }).first();
+    if (!row)
+        return;
+    const instance = toInstance(row);
+    if (!instance.runtimeId || instance.status !== 'running')
+        return;
+    try {
+        const { manifest, adapter } = getAgentType(instance.agentType);
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        if (!adapter?.seedConfig || !engine.writeFiles)
+            return;
+        const creds = await getDecryptedCredentials(instanceId);
+        const userConfig = instance.config || {};
+        // Platform-mode: the LiteLLM virtual key is only available at startup
+        // (it's generated by litellm-key-manager and not persisted in the DB).
+        // During reseed, recover it from the on-disk auth-profiles.json so that
+        // seedConfig can produce a correct litellm-routed openclaw.json instead
+        // of falling back to the BYOK/openrouter code path.
+        let litellmKey;
+        if (instance.billingMode === 'platform' && engine.readFile) {
+            try {
+                const volumeMountPath = manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+                const raw = await engine.readFile(instance.runtimeId, `${volumeMountPath}/auth-profiles.json`);
+                if (raw) {
+                    const parsed = JSON.parse(raw);
+                    const litellmProfile = parsed.profiles?.['litellm:default'];
+                    if (litellmProfile) {
+                        // For images that use secretRef, the actual key lives in the
+                        // container env var — seedConfig only needs a truthy value to
+                        // enter the platform code path (it writes keyRef, not the raw key).
+                        litellmKey = litellmProfile.apiKey || (litellmProfile.keyRef ? 'secret-ref-placeholder' : undefined);
+                    }
+                }
+            }
+            catch {
+                // Can't read auth-profiles.json — litellmKey stays undefined,
+                // seedConfig will fall back to BYOK path.
+            }
+        }
+        const configFiles = await adapter.seedConfig({ instance, userConfig, credentials: creds, litellmKey });
+        if (configFiles.size === 0)
+            return;
+        const volumeMountPath = manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+        let filesToWrite = configFiles;
+        if (adapter.categorizeConfigFiles) {
+            const { alwaysOverwrite } = adapter.categorizeConfigFiles(configFiles);
+            filesToWrite = alwaysOverwrite;
+        }
+        if (filesToWrite.size > 0) {
+            await engine.writeFiles(instance.runtimeId, volumeMountPath, filesToWrite);
+            console.log(`[reseedConfig] Re-seeded ${filesToWrite.size} config file(s) for ${instanceId}`);
+        }
+        // Read back the on-disk openclaw.json to compute the hash.
+        // The gateway may normalise the file after we write it (e.g. inject
+        // plugins.load.paths), so hashing our in-memory version can drift.
+        let configHash = null;
+        if (engine.readFile) {
+            try {
+                await new Promise(r => setTimeout(r, 3000));
+                const diskContent = await engine.readFile(instance.runtimeId, `${volumeMountPath}/openclaw.json`);
+                if (diskContent) {
+                    configHash = createHash('sha256').update(diskContent).digest('hex');
+                }
+            }
+            catch {
+                configHash = computeConfigHash(configFiles);
+            }
+        }
+        else {
+            configHash = computeConfigHash(configFiles);
+        }
+        if (configHash) {
+            await db('instances').where({ id: instanceId }).update({ config_hash: configHash });
+        }
+        // Refresh workspace content index with final seeded content (CIT-182)
+        const seededWorkspaceFiles = {};
+        for (const [path, content] of configFiles) {
+            if (path.startsWith('workspace/') && content.length > 0) {
+                seededWorkspaceFiles[path] = content;
+            }
+        }
+        if (Object.keys(seededWorkspaceFiles).length > 0) {
+            buildWorkspaceContentIndex(instanceId, seededWorkspaceFiles);
+        }
+    }
+    catch (err) {
+        console.error(`[reseedConfig] Failed for ${instanceId}:`, err);
+    }
+}
+export async function cloneInstance(sourceId, userId) {
+    const source = await getInstance(sourceId, userId);
+    if (!source)
+        throw new Error('Instance not found');
+    const authToken = randomUUID();
+    // Deep copy config but strip runtime-specific keys
+    const sourceConfig = (source.config && typeof source.config === 'object')
+        ? JSON.parse(JSON.stringify(source.config))
+        : {};
+    delete sourceConfig.__setupCommands;
+    const [row] = await db('instances')
+        .insert({
+        user_id: userId,
+        name: `Clone of ${source.name}`,
+        agent_type: source.agentType,
+        image_tag: source.imageTag,
+        deployment_target: source.deploymentTarget,
+        billing_mode: source.billingMode || 'platform',
+        security_profile: source.securityProfile || 'standard',
+        auth_token: authToken,
+        config: JSON.stringify(sourceConfig),
+    })
+        .returning('*');
+    const cloned = toInstance(row);
+    await addEvent(cloned.id, 'cloned', { sourceInstanceId: sourceId });
+    return cloned;
+}
+export async function getInstance(id, userId) {
+    const row = await db('instances').where({ id, user_id: userId }).first();
+    return row ? toInstance(row) : null;
+}
+export async function listInstances(userId) {
+    const rows = await db('instances').where({ user_id: userId }).orderBy('created_at', 'desc');
+    return rows.map(toInstance);
+}
+export async function updateSecurityProfile(id, userId, profile) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    await db('instances').where({ id, user_id: userId })
+        .update({ security_profile: profile, updated_at: db.fn.now() });
+    const updated = await getInstance(id, userId);
+    if (!updated)
+        throw new Error('Instance not found after update');
+    if (updated.status === 'running') {
+        await reseedConfigFiles(id);
+        const { adapter } = getAgentType(updated.agentType);
+        if (adapter?.translateRPC && updated.controlEndpoint) {
+            try {
+                const cfg = await adapter.translateRPC({
+                    method: 'config.get',
+                    params: {},
+                    endpoint: updated.controlEndpoint,
+                    token: updated.authToken,
+                    instanceId: id,
+                });
+                if (cfg?.hash) {
+                    // Gateway 2026.3.13+ expects { raw: <full JSON string> }
+                    const engine2 = getRuntimeEngine(updated.deploymentTarget);
+                    const { manifest: m2 } = getAgentType(updated.agentType);
+                    let rawConfig;
+                    if (engine2.readFile && updated.runtimeId) {
+                        const volPath = m2.volumes[0]?.mountPath || '/home/node/.openclaw';
+                        try {
+                            rawConfig = await engine2.readFile(updated.runtimeId, `${volPath}/openclaw.json`);
+                        }
+                        catch { /* fallback */ }
+                    }
+                    await adapter.translateRPC({
+                        method: 'config.patch',
+                        params: {
+                            ...(rawConfig ? { raw: rawConfig } : { patch: {} }),
+                            baseHash: cfg.hash,
+                            note: `Platform: security profile → ${profile}`,
+                            restartDelayMs: 2000,
+                        },
+                        endpoint: updated.controlEndpoint,
+                        token: updated.authToken,
+                        instanceId: id,
+                    });
+                }
+            }
+            catch (err) {
+                console.error(`[security-profile] config.patch failed for ${id}:`, err);
+            }
+        }
+    }
+    return updated;
+}
+export async function startInstance(id, userId) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    if (instance.status !== 'created' && instance.status !== 'stopped' && instance.status !== 'error') {
+        throw new Error(`Cannot start instance in state: ${instance.status}`);
+    }
+    await updateStatus(id, 'starting');
+    await addEvent(id, 'starting');
+    // Run the heavy provisioning work in the background so the HTTP response
+    // returns immediately.  The frontend already tracks status via WebSocket.
+    startInstanceAsync(id, userId, instance).catch(() => {
+        // errors handled inside — this catch prevents unhandled-rejection noise
+    });
+    return (await getInstance(id, userId));
+}
+async function startInstanceAsync(id, userId, instance) {
+    const { manifest, adapter } = getAgentType(instance.agentType);
+    const engine = getRuntimeEngine(instance.deploymentTarget);
+    let litellmKey;
+    try {
+        const creds = await getDecryptedCredentials(id);
+        buildCredentialIndex(id, creds.map(c => c.value));
+        preloadDlpConfig(id, instance.securityProfile ?? 'standard');
+        // Platform Mode: create LiteLLM virtual key for this instance.
+        // This MUST succeed — without a valid key the adapter falls back to
+        // BYOK mode which produces a broken config (no provider credentials).
+        if (instance.billingMode === 'platform') {
+            const userRow = await db('users').where('id', userId).select('email').first();
+            if (!userRow?.email) {
+                throw new Error('Platform billing requires a user email for LiteLLM key generation');
+            }
+            const result = await litellmKeyManager.createKeyForInstance({
+                instanceId: id,
+                userId,
+                userEmail: userRow.email,
+            });
+            litellmKey = result.virtualKey;
+        }
+        let env = {};
+        if (adapter?.resolveEnv) {
+            env = await adapter.resolveEnv({ instance, credentials: creds, litellmKey });
+        }
+        // Build spec
+        const spec = buildSpec(instance, manifest, env);
+        // Start container
+        const result = await engine.start(spec);
+        // Record runtime info immediately so the health monitor can track it
+        const controlEndpoint = result.endpoints[manifest.ports[0]?.name] || null;
+        await updateStatus(id, 'starting', {
+            runtime_id: result.runtimeId,
+            control_endpoint: controlEndpoint,
+        }, 'Provisioning pod...');
+        // Seed config files into running container
+        const userConfig = instance.config || {};
+        if (adapter?.seedConfig && engine.writeFiles) {
+            await updateStatus(id, 'starting', {}, 'Waiting for pod ready...');
+            const configFiles = await adapter.seedConfig({ instance, userConfig, credentials: creds, litellmKey });
+            if (configFiles.size > 0) {
+                const volumeMountPath = manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+                let filesToWrite = configFiles;
+                if (adapter.categorizeConfigFiles && engine.listFiles) {
+                    const { alwaysOverwrite, seedIfAbsent } = adapter.categorizeConfigFiles(configFiles);
+                    const existingFiles = await engine.listFiles(result.runtimeId, `${volumeMountPath}/workspace`).catch(() => []);
+                    filesToWrite = new Map(alwaysOverwrite);
+                    for (const [path, content] of seedIfAbsent) {
+                        const filename = path.split('/').pop() || path;
+                        if (!existingFiles.includes(filename)) {
+                            filesToWrite.set(path, content);
+                        }
+                    }
+                }
+                if (filesToWrite.size > 0) {
+                    await updateStatus(id, 'starting', {}, 'Seeding config files...');
+                    await engine.writeFiles(result.runtimeId, volumeMountPath, filesToWrite);
+                }
+                // Store SHA-256 hash of openclaw.json for integrity verification
+                const configHash = computeConfigHash(configFiles);
+                if (configHash) {
+                    await db('instances').where({ id }).update({ config_hash: configHash });
+                }
+                // Build workspace content index from final seeded files (CIT-182:
+                // must use post-seedConfig content so injected security paragraphs are indexed)
+                const seededWorkspaceFiles = {};
+                for (const [path, content] of configFiles) {
+                    if (path.startsWith('workspace/') && content.length > 0) {
+                        seededWorkspaceFiles[path] = content;
+                    }
+                }
+                buildWorkspaceContentIndex(id, seededWorkspaceFiles);
+            }
+        }
+        // Execute template setup commands inside the container
+        const setupCommands = userConfig.__setupCommands;
+        if (setupCommands && setupCommands.length > 0 && engine.exec) {
+            await updateStatus(id, 'starting', {}, 'Running setup commands...');
+            for (const cmd of setupCommands) {
+                try {
+                    const execResult = await engine.exec(result.runtimeId, cmd.command, {
+                        workDir: cmd.workDir,
+                        timeout: cmd.timeout,
+                    });
+                    if (execResult.exitCode !== 0) {
+                        console.warn(`[startInstance] Setup command failed (exit ${execResult.exitCode}): ${cmd.command.join(' ')}`, execResult.stderr);
+                    }
+                }
+                catch (err) {
+                    console.warn(`[startInstance] Setup command error: ${cmd.command.join(' ')}`, err);
+                }
+            }
+        }
+        // K8s pods take minutes to become ready; health monitor transitions starting→running
+        const isK8s = instance.deploymentTarget === 'kubernetes';
+        if (!isK8s) {
+            await updateStatus(id, 'running', {});
+        }
+        await addEvent(id, 'started', { runtimeId: result.runtimeId });
+        // Eagerly establish persistent gateway connection (don't wait for 10s poll)
+        if (controlEndpoint && instance.authToken) {
+            connectGateway(id, controlEndpoint, instance.authToken);
+        }
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[startInstance] Failed for ${id}:`, message);
+        await updateStatus(id, 'error');
+        await addEvent(id, 'error', { message });
+        clearCredentialIndex(id);
+        clearWorkspaceContentIndex(id);
+        evictDlpConfig(id);
+        if (litellmKey && instance.billingMode === 'platform') {
+            try {
+                await litellmKeyManager.revokeKeyForInstance(id);
+            }
+            catch (revokeErr) {
+                console.warn('[startInstance] Failed to revoke LiteLLM key during error cleanup:', revokeErr);
+            }
+        }
+    }
+}
+export async function stopInstance(id, userId) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    if (instance.status !== 'running' && instance.status !== 'starting' && instance.status !== 'error') {
+        throw new Error(`Cannot stop instance in state: ${instance.status}`);
+    }
+    await updateStatus(id, 'stopping');
+    stopInstanceAsync(id, userId, instance).catch(() => { });
+    return (await getInstance(id, userId));
+}
+async function stopInstanceAsync(id, userId, instance) {
+    disconnectGateway(id);
+    clearCredentialIndex(id);
+    clearWorkspaceContentIndex(id);
+    evictDlpConfig(id);
+    const engine = getRuntimeEngine(instance.deploymentTarget);
+    try {
+        if (instance.runtimeId) {
+            await engine.stop(instance.runtimeId);
+            await engine.delete(instance.runtimeId);
+        }
+        await updateStatus(id, 'stopped', { runtime_id: null, control_endpoint: null });
+        await addEvent(id, 'stopped');
+        // Platform Mode: revoke LiteLLM virtual key
+        if (instance.billingMode === 'platform') {
+            try {
+                await litellmKeyManager.revokeKeyForInstance(id);
+            }
+            catch (err) {
+                console.warn(`[stopInstance] LiteLLM key revocation failed for ${id}:`, err);
+            }
+        }
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[stopInstance] Failed for ${id}:`, message);
+        await updateStatus(id, 'error');
+        await addEvent(id, 'error', { message });
+    }
+}
+export async function restartInstance(id, userId) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    await safeAutoSnapshot(id, userId, '重启实例');
+    if (instance.status === 'running' || instance.status === 'starting' || instance.status === 'error') {
+        // Stop synchronously so we don't start a new pod while the old one is still running
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        try {
+            if (instance.runtimeId) {
+                await engine.stop(instance.runtimeId);
+                await engine.delete(instance.runtimeId);
+            }
+            await updateStatus(instance.id, 'stopped', { runtime_id: null, control_endpoint: null });
+        }
+        catch {
+            // best effort — proceed to start anyway
+        }
+    }
+    return startInstance(id, userId);
+}
+export async function updateInstanceConfig(id, userId, config) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    const changedFiles = Object.keys(config).join(', ');
+    await safeAutoSnapshot(id, userId, '修改配置: ' + changedFiles);
+    const patch = { config: JSON.stringify(config), updated_at: db.fn.now() };
+    // Sync platform-level fields from config JSONB to their dedicated columns
+    if (config.billingMode === 'platform' || config.billingMode === 'byok') {
+        patch.billing_mode = config.billingMode;
+    }
+    // Sync agentName to the instance name column so dashboard reflects the updated name
+    if (typeof config.agentName === 'string' && config.agentName.trim()) {
+        patch.name = config.agentName;
+    }
+    await db('instances').where({ id }).update(patch);
+    return (await getInstance(id, userId));
+}
+// ── config.patch hot-reload ──
+function deepMerge(target, source) {
+    const result = { ...target };
+    for (const key of Object.keys(source)) {
+        if (source[key] && typeof source[key] === 'object' && !Array.isArray(source[key]) &&
+            result[key] && typeof result[key] === 'object' && !Array.isArray(result[key])) {
+            result[key] = deepMerge(result[key], source[key]);
+        }
+        else {
+            result[key] = source[key];
+        }
+    }
+    return result;
+}
+export async function patchGatewayConfig(instanceId, userId, configPatch, note) {
+    // 1. DB-first: fetch instance, deep-merge config, persist
+    const instance = await getInstance(instanceId, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    await safeAutoSnapshot(instanceId, userId, '修改 Gateway 配置');
+    const mergedConfig = deepMerge((instance.config || {}), configPatch);
+    // Validate merged config against gateway schema before persisting to DB
+    const fetchSchema = async () => {
+        if (instance.status !== 'running' || !instance.controlEndpoint)
+            return null;
+        try {
+            const { adapter } = getAgentType(instance.agentType);
+            if (!adapter?.translateRPC)
+                return null;
+            const result = await adapter.translateRPC({
+                method: 'config.schema',
+                params: {},
+                endpoint: instance.controlEndpoint,
+                token: instance.authToken,
+                instanceId,
+            });
+            return result?.schema ?? null;
+        }
+        catch {
+            return null;
+        }
+    };
+    const validation = await validateConfigPatch(instanceId, mergedConfig, fetchSchema, { skipFullSchemaValidation: true });
+    if (!validation.valid) {
+        throw new Error('Config validation failed: ' + (validation.errors?.join('; ') ?? 'Unknown error'));
+    }
+    await updateInstanceConfig(instanceId, userId, mergedConfig);
+    // 2. Gateway push (only if running)
+    if (instance.status !== 'running' || !instance.controlEndpoint) {
+        return;
+    }
+    try {
+        const { adapter } = getAgentType(instance.agentType);
+        if (!adapter?.translateRPC)
+            return;
+        const endpoint = instance.controlEndpoint;
+        const token = instance.authToken;
+        const MAX_RETRIES = 3;
+        for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+            // Fetch current config hash
+            const cfgResult = await adapter.translateRPC({
+                method: 'config.get',
+                params: {},
+                endpoint,
+                token,
+                instanceId,
+            });
+            const baseHash = cfgResult?.hash;
+            // Gateway 2026.3.13+ expects { raw: <full JSON string> } instead of { patch: <object> }.
+            // Re-seed config files to disk first, then read the full config to send as raw.
+            await reseedConfigFiles(instanceId);
+            // Read the seeded config file content
+            const { manifest: m2, adapter: a2 } = getAgentType(instance.agentType);
+            const engine2 = getRuntimeEngine(instance.deploymentTarget);
+            let rawConfig;
+            if (a2?.seedConfig && engine2.readFile && instance.runtimeId) {
+                const volumeMountPath = m2.volumes[0]?.mountPath || '/home/node/.openclaw';
+                try {
+                    rawConfig = await engine2.readFile(instance.runtimeId, `${volumeMountPath}/openclaw.json`);
+                }
+                catch { /* fallback: send without raw */ }
+            }
+            try {
+                await adapter.translateRPC({
+                    method: 'config.patch',
+                    params: {
+                        ...(rawConfig ? { raw: rawConfig } : { patch: configPatch }),
+                        baseHash,
+                        note: note || 'Platform config update',
+                        restartDelayMs: 2000,
+                    },
+                    endpoint,
+                    token,
+                    instanceId,
+                });
+                console.log(`[config-patch] Pushed config.patch for ${instanceId}`);
+                return;
+            }
+            catch (patchErr) {
+                const errMsg = patchErr instanceof Error ? patchErr.message : String(patchErr);
+                if ((errMsg.includes('config changed') || errMsg.includes('CONFLICT')) && attempt < MAX_RETRIES) {
+                    console.warn(`[config-patch] baseHash conflict for ${instanceId}, retrying (${attempt}/${MAX_RETRIES})`);
+                    continue;
+                }
+                throw patchErr;
+            }
+        }
+    }
+    catch (err) {
+        // Gateway push failure is non-critical -- DB is already updated.
+        // Config will be picked up on next reseedConfigFiles.
+        console.error(`[config-patch] Gateway push failed for ${instanceId}:`, err);
+    }
+}
+export async function deleteInstance(id, userId, purge = false) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    disconnectGateway(id);
+    clearCredentialIndex(id);
+    clearWorkspaceContentIndex(id);
+    evictDlpConfig(id);
+    const engine = getRuntimeEngine(instance.deploymentTarget);
+    if (instance.runtimeId) {
+        try {
+            if (purge) {
+                await engine.purge(instance.runtimeId);
+            }
+            else {
+                await engine.stop(instance.runtimeId);
+                await engine.delete(instance.runtimeId);
+            }
+        }
+        catch {
+            // Best effort cleanup
+        }
+    }
+    await addEvent(id, purge ? 'purged' : 'deleted');
+    await db('instances').where({ id, user_id: userId }).delete();
+}
+export async function getInstanceEvents(id, userId, eventType) {
+    const instance = await getInstance(id, userId);
+    if (!instance)
+        throw new Error('Instance not found');
+    let query = db('instance_events').where({ instance_id: id });
+    if (eventType) {
+        query = query.where('event_type', eventType);
+    }
+    const rows = await query.orderBy('created_at', 'desc').limit(100);
+    return rows.map((row) => ({
+        id: row.id,
+        instanceId: row.instance_id,
+        eventType: row.event_type,
+        metadata: (typeof row.metadata === 'string' ? JSON.parse(row.metadata) : row.metadata ?? {}),
+        createdAt: row.created_at.toISOString(),
+    }));
+}
+export async function reconcileInstances() {
+    const activeInstances = await db('instances').whereIn('status', ['running', 'starting']);
+    for (const row of activeInstances) {
+        const instance = toInstance(row);
+        if (!instance.runtimeId) {
+            await updateStatus(instance.id, 'stopped', { runtime_id: null, control_endpoint: null });
+            continue;
+        }
+        try {
+            const engine = getRuntimeEngine(instance.deploymentTarget);
+            const status = await engine.getStatus(instance.runtimeId);
+            if (status.phase === 'running') {
+                await engine.ensureLiteLLMConnected?.(instance.id);
+            }
+            else if (status.phase === 'stopped' || status.phase === 'not_found') {
+                await updateStatus(instance.id, 'stopped', { runtime_id: null, control_endpoint: null });
+            }
+            else if (status.phase === 'error') {
+                await updateStatus(instance.id, 'error');
+            }
+        }
+        catch {
+            await updateStatus(instance.id, 'error');
+        }
+    }
+}
+export async function verifyLiveStatus(instance) {
+    if (instance.status !== 'running' && instance.status !== 'starting') {
+        return instance;
+    }
+    if (!instance.runtimeId) {
+        return instance;
+    }
+    try {
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        const runtimeStatus = await engine.getStatus(instance.runtimeId);
+        if (runtimeStatus.phase === 'running') {
+            if (instance.status === 'running')
+                return instance;
+            if (instance.status === 'starting') {
+                await updateStatus(instance.id, 'running');
+                return { ...instance, status: 'running', statusMessage: null };
+            }
+        }
+        if (runtimeStatus.phase === 'starting') {
+            const statusMessage = runtimeStatus.message || 'Starting...';
+            if (instance.status !== 'starting' || instance.statusMessage !== statusMessage) {
+                await updateStatus(instance.id, 'starting', {}, statusMessage);
+            }
+            return { ...instance, status: 'starting', statusMessage };
+        }
+        if (runtimeStatus.phase === 'stopped' || runtimeStatus.phase === 'not_found') {
+            await updateStatus(instance.id, 'stopped', { runtime_id: null, control_endpoint: null });
+            return { ...instance, status: 'stopped', runtimeId: null, controlEndpoint: null, statusMessage: null };
+        }
+        if (runtimeStatus.phase === 'error') {
+            const statusMessage = runtimeStatus.message || null;
+            await updateStatus(instance.id, 'error', {}, statusMessage ?? undefined);
+            return { ...instance, status: 'error', statusMessage };
+        }
+    }
+    catch (err) {
+        console.error(`[verifyLiveStatus] Runtime check failed for ${instance.id}:`, err);
+    }
+    return instance;
+}
+//# sourceMappingURL=instance-manager.js.map