@botcord/daemon 0.2.35 → 0.2.37

package/src/openclaw-discovery.ts

@@ -525,5 +525,5 @@ export function openclawDiscoveryConfigEnabled(cfg: DaemonConfig): boolean {
 }
 
 export function openclawAutoProvisionEnabled(cfg: DaemonConfig): boolean {
-  return cfg.openclawDiscovery?.autoProvision !== false;
+  return cfg.openclawDiscovery?.autoProvision === true;
 }

package/src/provision.ts

@@ -4,7 +4,7 @@
  * side effects (register agent, write credentials, load route, add/remove
  * gateway channel) and return an ack payload.
  */
-import { existsSync, readdirSync, readFileSync, rmSync, unlinkSync } from "node:fs";
+import { existsSync, lstatSync, readdirSync, readFileSync, rmSync, statSync, unlinkSync } from "node:fs";
 import { homedir } from "node:os";
 import path from "node:path";
 import {
@@ -56,6 +56,8 @@ import {
   ensureAgentWorkspace,
 } from "./agent-workspace.js";
 import { detectRuntimes, getAdapterModule } from "./adapters/runtimes.js";
+import { createGatewayControl } from "./gateway-control.js";
+import type { LoginSessionStore } from "./gateway/channels/login-session.js";
 import {
   hermesProfileHomeDir,
   isValidHermesProfileName,
@@ -114,6 +116,12 @@ export interface ProvisionerOptions {
    * the next restart.
    */
   onAgentInstalled?: OnAgentInstalledHook;
+  /**
+   * Optional shared login-session store for the third-party gateway login
+   * frames. Tests inject a stub clock; production lets `createGatewayControl`
+   * spin up a default in-memory store.
+   */
+  loginSessions?: LoginSessionStore;
 }
 
 /** The value a frame handler returns (minus the `id` which the channel fills in). */
@@ -131,6 +139,10 @@ export function createProvisioner(opts: ProvisionerOptions): (
   const register = opts.register ?? BotCordClient.register;
   const policyResolver = opts.policyResolver;
   const onAgentInstalled = opts.onAgentInstalled;
+  const gatewayControl = createGatewayControl({
+    gateway,
+    ...(opts.loginSessions ? { loginSessions: opts.loginSessions } : {}),
+  });
 
   return async (frame: ControlFrame): Promise<AckBody> => {
     daemonLog.debug("provision.dispatch", { type: frame.type, id: frame.id });
@@ -310,6 +322,72 @@ export function createProvisioner(opts: ProvisionerOptions): (
         return { ok: true, result: snapshot };
       }
 
+      case CONTROL_FRAME_TYPES.LIST_GATEWAYS:
+        return gatewayControl.handleList();
+
+      case CONTROL_FRAME_TYPES.UPSERT_GATEWAY: {
+        const v = validateGatewayParams(frame.params, {
+          required: ["id", "type", "accountId"],
+        });
+        if (!v.ok) return v.ack;
+        return gatewayControl.handleUpsert(
+          v.params as unknown as Parameters<typeof gatewayControl.handleUpsert>[0],
+        );
+      }
+
+      case CONTROL_FRAME_TYPES.REMOVE_GATEWAY: {
+        const v = validateGatewayParams(frame.params, { required: ["id"] });
+        if (!v.ok) return v.ack;
+        return gatewayControl.handleRemove(
+          v.params as unknown as Parameters<typeof gatewayControl.handleRemove>[0],
+        );
+      }
+
+      case CONTROL_FRAME_TYPES.TEST_GATEWAY: {
+        const v = validateGatewayParams(frame.params, { required: ["id"] });
+        if (!v.ok) return v.ack;
+        return gatewayControl.handleTest(
+          v.params as unknown as Parameters<typeof gatewayControl.handleTest>[0],
+        );
+      }
+
+      case CONTROL_FRAME_TYPES.GATEWAY_LOGIN_START: {
+        const v = validateGatewayParams(frame.params, {
+          required: ["provider", "accountId"],
+        });
+        if (!v.ok) return v.ack;
+        return gatewayControl.handleLoginStart(
+          v.params as unknown as Parameters<typeof gatewayControl.handleLoginStart>[0],
+        );
+      }
+
+      case CONTROL_FRAME_TYPES.GATEWAY_LOGIN_STATUS: {
+        const v = validateGatewayParams(frame.params, {
+          required: ["provider", "loginId"],
+        });
+        if (!v.ok) return v.ack;
+        return gatewayControl.handleLoginStatus(
+          v.params as unknown as Parameters<typeof gatewayControl.handleLoginStatus>[0],
+        );
+      }
+
+      case "list_agent_files": {
+        const params = (frame.params ?? {}) as unknown as ListAgentFilesParams;
+        if (!params.agentId) {
+          return {
+            ok: false,
+            error: { code: "bad_params", message: "list_agent_files requires params.agentId" },
+          };
+        }
+        const result = listAgentRuntimeFiles(params);
+        daemonLog.debug("list_agent_files", {
+          agentId: params.agentId,
+          fileId: params.fileId ?? null,
+          count: result.files.length,
+        });
+        return { ok: true, result };
+      }
+
       default:
         daemonLog.warn("provision.dispatch: unknown frame type", {
           type: frame.type,
@@ -323,6 +401,42 @@ export function createProvisioner(opts: ProvisionerOptions): (
   };
 }
 
+// W8: hand-written runtime validator for the third-party gateway frame
+// params. Rejects malformed payloads with a structured `bad_params` ack
+// before they hit the per-handler logic, so an attacker can't smuggle a
+// non-object `params` (e.g. `null`, an array, a string) through the type
+// cast and trigger a downstream `TypeError` we don't surface.
+type GatewayParamAck = { ok: false; error: { code: string; message: string } };
+type ValidateResult =
+  | { ok: true; params: Record<string, unknown> }
+  | { ok: false; ack: GatewayParamAck };
+
+function validateGatewayParams(
+  raw: unknown,
+  spec: { required: ReadonlyArray<string> },
+): ValidateResult {
+  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
+    return {
+      ok: false,
+      ack: { ok: false, error: { code: "bad_params", message: "params must be an object" } },
+    };
+  }
+  const params = raw as Record<string, unknown>;
+  for (const key of spec.required) {
+    const v = params[key];
+    if (typeof v !== "string" || v.length === 0) {
+      return {
+        ok: false,
+        ack: {
+          ok: false,
+          error: { code: "bad_params", message: `params.${key} must be a non-empty string` },
+        },
+      };
+    }
+  }
+  return { ok: true, params };
+}
+
 interface ProvisionedAgent {
   agentId: string;
   hubUrl: string;
@@ -337,6 +451,192 @@ interface ProvisionCtx {
 
 const openclawProvisionLocks = new Map<string, Promise<unknown>>();
 
+const RUNTIME_FILE_READ_CAP_BYTES = 128 * 1024;
+
+interface ListAgentFilesParams {
+  agentId: string;
+  fileId?: string;
+}
+
+interface AgentRuntimeFile {
+  id: string;
+  name: string;
+  scope: "workspace" | "hermes" | "openclaw";
+  runtime?: string;
+  profile?: string;
+  size?: number;
+  mtimeMs?: number;
+  content?: string;
+  truncated?: boolean;
+  error?: string;
+}
+
+interface ListAgentFilesResult {
+  agentId: string;
+  runtime?: string;
+  files: AgentRuntimeFile[];
+}
+
+interface RuntimeFileCandidate {
+  id: string;
+  name: string;
+  scope: AgentRuntimeFile["scope"];
+  root: string;
+  relativePath: string;
+  runtime?: string;
+  profile?: string;
+}
+
+function listAgentRuntimeFiles(params: ListAgentFilesParams): ListAgentFilesResult {
+  const agentId = params.agentId;
+  const credentials = loadStoredCredentials(defaultCredentialsFile(agentId));
+  const candidates = runtimeFileCandidates(credentials);
+  const selected = params.fileId
+    ? candidates.filter((candidate) => candidate.id === params.fileId)
+    : candidates;
+  return {
+    agentId,
+    ...(credentials.runtime ? { runtime: credentials.runtime } : {}),
+    files: selected.map(readRuntimeFileCandidate).filter(Boolean) as AgentRuntimeFile[],
+  };
+}
+
+function runtimeFileCandidates(credentials: StoredBotCordCredentials): RuntimeFileCandidate[] {
+  const agentId = credentials.agentId;
+  const runtime = credentials.runtime;
+  const out: RuntimeFileCandidate[] = [];
+
+  addWorkspaceFiles(out, agentId, runtime);
+
+  if (runtime === "hermes-agent") {
+    addHermesFiles(out, credentials);
+  }
+  if (runtime === "openclaw-acp") {
+    addOpenclawFiles(out, credentials);
+  }
+
+  return out;
+}
+
+function addWorkspaceFiles(
+  out: RuntimeFileCandidate[],
+  agentId: string,
+  runtime?: string,
+): void {
+  const root = agentWorkspaceDir(agentId);
+  for (const file of ["AGENTS.md", "CLAUDE.md", "identity.md", "memory.md", "task.md"]) {
+    out.push({
+      id: `workspace:${file}`,
+      name: `workspace/${file}`,
+      scope: "workspace",
+      root,
+      relativePath: file,
+      ...(runtime ? { runtime } : {}),
+    });
+  }
+}
+
+function addHermesFiles(
+  out: RuntimeFileCandidate[],
+  credentials: StoredBotCordCredentials,
+): void {
+  if (credentials.hermesProfile) {
+    const profile = credentials.hermesProfile;
+    const root = hermesProfileHomeDir(profile);
+    for (const file of ["SOUL.md", "AGENTS.md", "memories/MEMORY.md"]) {
+      out.push({
+        id: `hermes-profile:${profile}:${file}`,
+        name: `hermes/${profile}/${file}`,
+        scope: "hermes",
+        root,
+        relativePath: file,
+        runtime: "hermes-agent",
+        profile,
+      });
+    }
+  } else {
+    const root = path.join(agentHomeDir(credentials.agentId), "hermes-home");
+    for (const file of ["SOUL.md", "AGENTS.md", "memories/MEMORY.md"]) {
+      out.push({
+        id: `hermes-home:${file}`,
+        name: `hermes-home/${file}`,
+        scope: "hermes",
+        root,
+        relativePath: file,
+        runtime: "hermes-agent",
+      });
+    }
+  }
+
+  out.push({
+    id: "hermes-workspace:AGENTS.md",
+    name: "hermes-workspace/AGENTS.md",
+    scope: "hermes",
+    root: path.join(agentHomeDir(credentials.agentId), "hermes-workspace"),
+    relativePath: "AGENTS.md",
+    runtime: "hermes-agent",
+    ...(credentials.hermesProfile ? { profile: credentials.hermesProfile } : {}),
+  });
+}
+
+function addOpenclawFiles(
+  out: RuntimeFileCandidate[],
+  credentials: StoredBotCordCredentials,
+): void {
+  if (!credentials.openclawAgent) return;
+  const local = readLocalOpenclawAgents();
+  if (!local) return;
+  const profile = local.find((entry) => entry.id === credentials.openclawAgent);
+  if (!profile?.workspace) return;
+  for (const file of ["SOUL.md", "MEMORY.md", "AGENTS.md"]) {
+    out.push({
+      id: `openclaw:${credentials.openclawAgent}:${file}`,
+      name: `openclaw/${credentials.openclawAgent}/${file}`,
+      scope: "openclaw",
+      root: profile.workspace,
+      relativePath: file,
+      runtime: "openclaw-acp",
+      profile: credentials.openclawAgent,
+    });
+  }
+}
+
+function readRuntimeFileCandidate(candidate: RuntimeFileCandidate): AgentRuntimeFile | null {
+  const resolved = path.resolve(candidate.root, candidate.relativePath);
+  const root = path.resolve(candidate.root);
+  if (resolved !== root && !resolved.startsWith(root + path.sep)) {
+    return null;
+  }
+
+  const base: AgentRuntimeFile = {
+    id: candidate.id,
+    name: candidate.name,
+    scope: candidate.scope,
+    ...(candidate.runtime ? { runtime: candidate.runtime } : {}),
+    ...(candidate.profile ? { profile: candidate.profile } : {}),
+  };
+
+  try {
+    const lst = lstatSync(resolved);
+    if (lst.isSymbolicLink() || !lst.isFile()) return null;
+    const st = statSync(resolved);
+    base.size = st.size;
+    base.mtimeMs = st.mtimeMs;
+    if (st.size > RUNTIME_FILE_READ_CAP_BYTES) {
+      base.truncated = true;
+      return base;
+    }
+    base.content = readFileSync(resolved, "utf8");
+    return base;
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") return null;
+    return {
+      ...base,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+
 async function provisionAgent(
   params: ProvisionAgentParams,
   ctx: ProvisionCtx,
@@ -1556,10 +1856,15 @@ function readLocalOpenclawAgents(): Array<{
 }> | null {
   try {
     const file = path.join(homedir(), ".openclaw", "openclaw.json");
-    if (!existsSync(file)) return [{ id: "default" }];
+    if (!existsSync(file)) return readLocalOpenclawAgentDirs() ?? [{ id: "default" }];
     const cfg = JSON.parse(readFileSync(file, "utf8")) as any;
     const list = Array.isArray(cfg?.agents?.list) ? cfg.agents.list : [];
-    const defaultId = typeof cfg?.agents?.defaults?.id === "string" ? cfg.agents.defaults.id : "default";
+    const explicitDefaultId =
+      typeof cfg?.agents?.defaults?.id === "string" && cfg.agents.defaults.id
+        ? cfg.agents.defaults.id
+        : null;
+    const dirAgents = readLocalOpenclawAgentDirs();
+    const defaultId = explicitDefaultId ?? (list.length === 0 && !dirAgents ? "default" : null);
     const seen = new Set<string>();
     const out: Array<{ id: string; name?: string; workspace?: string; model?: { name?: string; provider?: string } }> = [];
     const push = (raw: any, fallbackId?: string): void => {
@@ -1581,15 +1886,41 @@ function readLocalOpenclawAgents(): Array<{
       }
       out.push(row);
     };
-    // Default agent first so it surfaces at the top of the dropdown.
-    push({ id: defaultId, workspace: cfg?.agents?.defaults?.workspace, model: cfg?.agents?.defaults?.model }, defaultId);
+    // Explicit default agent first so it surfaces at the top of the dropdown.
+    if (defaultId) push({ id: defaultId, workspace: cfg?.agents?.defaults?.workspace, model: cfg?.agents?.defaults?.model }, defaultId);
     for (const entry of list) push(entry);
+    for (const entry of dirAgents ?? []) push(entry);
     return out;
   } catch {
     return null;
   }
 }
 
+function readLocalOpenclawAgentDirs(): Array<{
+  id: string;
+  workspace?: string;
+}> | null {
+  try {
+    const dir = path.join(homedir(), ".openclaw", "agents");
+    if (!existsSync(dir)) return null;
+    const agents = readdirSync(dir, { withFileTypes: true })
+      .filter((entry) => entry.isDirectory() && entry.name.length > 0)
+      .map((entry) => ({
+        id: entry.name,
+        workspace: path.join(dir, entry.name),
+      }));
+    if (agents.length === 0) return null;
+    agents.sort((a, b) => {
+      if (a.id === "main") return -1;
+      if (b.id === "main") return 1;
+      return a.id.localeCompare(b.id);
+    });
+    return agents;
+  } catch {
+    return null;
+  }
+}
+
 function resolveOpenclawIdentityName(
   agentId: string,
   workspace?: string,