@chrysb/alphaclaw 0.1.0

package/lib/server/onboarding/validation.js

@@ -0,0 +1,107 @@
+const validateOnboardingInput = ({ vars, modelKey, resolveModelProvider, hasCodexOauthProfile }) => {
+  const kMaxOnboardingVars = 64;
+  const kMaxEnvKeyLength = 128;
+  const kMaxEnvValueLength = 4096;
+  if (!Array.isArray(vars)) {
+    return { ok: false, status: 400, error: "Missing vars array" };
+  }
+  if (vars.length > kMaxOnboardingVars) {
+    return {
+      ok: false,
+      status: 400,
+      error: `Too many environment variables (max ${kMaxOnboardingVars})`,
+    };
+  }
+  if (!modelKey || typeof modelKey !== "string" || !modelKey.includes("/")) {
+    return { ok: false, status: 400, error: "A model selection is required" };
+  }
+
+  for (const entry of vars) {
+    const key = String(entry?.key || "");
+    const value = String(entry?.value || "");
+    if (!key) {
+      return { ok: false, status: 400, error: "Each variable must include a key" };
+    }
+    if (key.length > kMaxEnvKeyLength) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Variable key is too long: ${key.slice(0, 32)}...`,
+      };
+    }
+    if (value.length > kMaxEnvValueLength) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Value too long for ${key} (max ${kMaxEnvValueLength} chars)`,
+      };
+    }
+  }
+
+  const varMap = Object.fromEntries(vars.map((v) => [v.key, v.value]));
+  const githubToken = String(varMap.GITHUB_TOKEN || "");
+  const githubRepoInput = String(varMap.GITHUB_WORKSPACE_REPO || "").trim();
+  const selectedProvider = resolveModelProvider(modelKey);
+  const hasCodexOauth = hasCodexOauthProfile();
+  const hasAiByProvider = {
+    anthropic: !!(varMap.ANTHROPIC_API_KEY || varMap.ANTHROPIC_TOKEN),
+    openai: !!varMap.OPENAI_API_KEY,
+    "openai-codex": !!(hasCodexOauth || varMap.OPENAI_API_KEY),
+    google: !!varMap.GEMINI_API_KEY,
+  };
+  const hasAnyAi = !!(
+    varMap.ANTHROPIC_API_KEY ||
+    varMap.ANTHROPIC_TOKEN ||
+    varMap.OPENAI_API_KEY ||
+    varMap.GEMINI_API_KEY ||
+    hasCodexOauth
+  );
+  const hasAi =
+    selectedProvider in hasAiByProvider
+      ? hasAiByProvider[selectedProvider]
+      : hasAnyAi;
+  const hasGithub = !!(githubToken && githubRepoInput);
+  const hasChannel = !!(varMap.TELEGRAM_BOT_TOKEN || varMap.DISCORD_BOT_TOKEN);
+
+  if (!hasAi) {
+    if (selectedProvider === "openai-codex") {
+      return {
+        ok: false,
+        status: 400,
+        error: "Connect OpenAI Codex OAuth or provide OPENAI_API_KEY before continuing",
+      };
+    }
+    return {
+      ok: false,
+      status: 400,
+      error: `Missing credentials for selected provider "${selectedProvider}"`,
+    };
+  }
+  if (!hasGithub) {
+    return {
+      ok: false,
+      status: 400,
+      error: "GitHub token and workspace repo are required",
+    };
+  }
+  if (!hasChannel) {
+    return {
+      ok: false,
+      status: 400,
+      error: "At least one channel token is required",
+    };
+  }
+
+  return {
+    ok: true,
+    data: {
+      varMap,
+      githubToken,
+      githubRepoInput,
+      selectedProvider,
+      hasCodexOauth,
+    },
+  };
+};
+
+module.exports = { validateOnboardingInput };

package/lib/server/onboarding/workspace.js

@@ -0,0 +1,52 @@
+const path = require("path");
+const { kSetupDir } = require("../constants");
+
+const resolveSetupUiUrl = (baseUrl) => {
+  const normalizedBaseUrl = String(baseUrl || "").trim().replace(/\/+$/, "");
+  if (normalizedBaseUrl) return normalizedBaseUrl;
+
+  const railwayPublicDomain = String(process.env.RAILWAY_PUBLIC_DOMAIN || "").trim();
+  if (railwayPublicDomain) {
+    return `https://${railwayPublicDomain}`;
+  }
+
+  const railwayStaticUrl = String(process.env.RAILWAY_STATIC_URL || "").trim().replace(
+    /\/+$/,
+    "",
+  );
+  if (railwayStaticUrl) return railwayStaticUrl;
+
+  return "http://localhost:3000";
+};
+
+const syncBootstrapPromptFiles = ({ fs, workspaceDir, baseUrl }) => {
+  try {
+    const bootstrapDir = `${workspaceDir}/hooks/bootstrap`;
+    fs.mkdirSync(bootstrapDir, { recursive: true });
+    fs.copyFileSync(path.join(kSetupDir, "core-prompts", "AGENTS.md"), `${bootstrapDir}/AGENTS.md`);
+    const toolsTemplate = fs.readFileSync(path.join(kSetupDir, "core-prompts", "TOOLS.md"), "utf8");
+    const toolsContent = toolsTemplate.replace(
+      /\{\{SETUP_UI_URL\}\}/g,
+      resolveSetupUiUrl(baseUrl),
+    );
+    fs.writeFileSync(`${bootstrapDir}/TOOLS.md`, toolsContent);
+    console.log("[onboard] Bootstrap prompt files synced");
+  } catch (e) {
+    console.error("[onboard] Bootstrap prompt sync error:", e.message);
+  }
+};
+
+const installControlUiSkill = ({ fs, openclawDir, baseUrl }) => {
+  try {
+    const skillDir = `${openclawDir}/skills/control-ui`;
+    fs.mkdirSync(skillDir, { recursive: true });
+    const skillTemplate = fs.readFileSync(path.join(kSetupDir, "skills", "control-ui", "SKILL.md"), "utf8");
+    const skillContent = skillTemplate.replace(/\{\{BASE_URL\}\}/g, baseUrl);
+    fs.writeFileSync(`${skillDir}/SKILL.md`, skillContent);
+    console.log(`[onboard] Control UI skill installed (${baseUrl})`);
+  } catch (e) {
+    console.error("[onboard] Skill install error:", e.message);
+  }
+};
+
+module.exports = { installControlUiSkill, syncBootstrapPromptFiles };

package/lib/server/openclaw-version.js

@@ -0,0 +1,179 @@
+const { exec, execSync } = require("child_process");
+const {
+  kVersionCacheTtlMs,
+  kLatestVersionCacheTtlMs,
+  kAppDir,
+} = require("./constants");
+const { normalizeOpenclawVersion } = require("./helpers");
+
+const createOpenclawVersionService = ({ gatewayEnv, restartGateway, isOnboarded }) => {
+  let kOpenclawVersionCache = { value: null, fetchedAt: 0 };
+  let kOpenclawUpdateStatusCache = {
+    latestVersion: null,
+    hasUpdate: false,
+    fetchedAt: 0,
+  };
+  let kOpenclawUpdateInProgress = false;
+
+  const readOpenclawVersion = () => {
+    const now = Date.now();
+    if (
+      kOpenclawVersionCache.value &&
+      now - kOpenclawVersionCache.fetchedAt < kVersionCacheTtlMs
+    ) {
+      return kOpenclawVersionCache.value;
+    }
+    try {
+      const raw = execSync("openclaw --version", {
+        env: gatewayEnv(),
+        timeout: 5000,
+        encoding: "utf8",
+      }).trim();
+      const version = normalizeOpenclawVersion(raw);
+      kOpenclawVersionCache = { value: version, fetchedAt: now };
+      return version;
+    } catch {
+      return kOpenclawVersionCache.value;
+    }
+  };
+
+  const readOpenclawUpdateStatus = ({ refresh = false } = {}) => {
+    const now = Date.now();
+    if (
+      !refresh &&
+      kOpenclawUpdateStatusCache.fetchedAt &&
+      now - kOpenclawUpdateStatusCache.fetchedAt < kLatestVersionCacheTtlMs
+    ) {
+      return {
+        latestVersion: kOpenclawUpdateStatusCache.latestVersion,
+        hasUpdate: kOpenclawUpdateStatusCache.hasUpdate,
+      };
+    }
+    try {
+      console.log("[wrapper] Running: openclaw update status --json");
+      const raw = execSync("openclaw update status --json", {
+        env: gatewayEnv(),
+        timeout: 8000,
+        encoding: "utf8",
+      }).trim();
+      const parsed = JSON.parse(raw);
+      const latestVersion = normalizeOpenclawVersion(
+        parsed?.availability?.latestVersion || parsed?.update?.registry?.latestVersion,
+      );
+      const hasUpdate = !!parsed?.availability?.available;
+      kOpenclawUpdateStatusCache = {
+        latestVersion,
+        hasUpdate,
+        fetchedAt: now,
+      };
+      console.log(
+        `[wrapper] openclaw update status: hasUpdate=${hasUpdate} latest=${latestVersion || "unknown"}`,
+      );
+      return { latestVersion, hasUpdate };
+    } catch (err) {
+      console.log(
+        `[wrapper] openclaw update status error: ${(err.message || "unknown").slice(0, 200)}`,
+      );
+      throw new Error(err.message || "Failed to read OpenClaw update status");
+    }
+  };
+
+  const installLatestOpenclaw = () =>
+    new Promise((resolve, reject) => {
+      console.log("[wrapper] Running: npm install --omit=dev --no-save --package-lock=false openclaw@latest");
+      exec(
+        "npm install --omit=dev --no-save --package-lock=false openclaw@latest",
+        {
+          cwd: kAppDir,
+          env: {
+            ...process.env,
+            npm_config_update_notifier: "false",
+            npm_config_fund: "false",
+            npm_config_audit: "false",
+          },
+          timeout: 180000,
+        },
+        (err, stdout, stderr) => {
+          if (err) {
+            const message = String(stderr || err.message || "").trim();
+            console.log(`[wrapper] openclaw install error: ${message.slice(0, 200)}`);
+            return reject(new Error(message || "Failed to install openclaw@latest"));
+          }
+          if (stdout && stdout.trim()) {
+            console.log(`[wrapper] openclaw install stdout: ${stdout.trim().slice(0, 300)}`);
+          }
+          if (stderr && stderr.trim()) {
+            console.log(`[wrapper] openclaw install stderr: ${stderr.trim().slice(0, 300)}`);
+          }
+          console.log("[wrapper] openclaw install completed");
+          resolve({ stdout: stdout.trim(), stderr: stderr.trim() });
+        },
+      );
+    });
+
+  const getVersionStatus = async (refresh) => {
+    const currentVersion = readOpenclawVersion();
+    try {
+      const { latestVersion, hasUpdate } = readOpenclawUpdateStatus({ refresh });
+      return { ok: true, currentVersion, latestVersion, hasUpdate };
+    } catch (err) {
+      return {
+        ok: false,
+        currentVersion,
+        latestVersion: kOpenclawUpdateStatusCache.latestVersion,
+        hasUpdate: kOpenclawUpdateStatusCache.hasUpdate,
+        error: err.message || "Failed to fetch latest OpenClaw version",
+      };
+    }
+  };
+
+  const updateOpenclaw = async () => {
+    if (kOpenclawUpdateInProgress) {
+      return {
+        status: 409,
+        body: { ok: false, error: "OpenClaw update already in progress" },
+      };
+    }
+
+    kOpenclawUpdateInProgress = true;
+    const previousVersion = readOpenclawVersion();
+    try {
+      await installLatestOpenclaw();
+      kOpenclawVersionCache = { value: null, fetchedAt: 0 };
+      const currentVersion = readOpenclawVersion();
+      const { latestVersion, hasUpdate } = readOpenclawUpdateStatus({ refresh: true });
+      let restarted = false;
+      if (isOnboarded()) {
+        restartGateway();
+        restarted = true;
+      }
+      return {
+        status: 200,
+        body: {
+          ok: true,
+          previousVersion,
+          currentVersion,
+          latestVersion,
+          hasUpdate,
+          restarted,
+          updated: previousVersion !== currentVersion,
+        },
+      };
+    } catch (err) {
+      return {
+        status: 500,
+        body: { ok: false, error: err.message || "Failed to update OpenClaw" },
+      };
+    } finally {
+      kOpenclawUpdateInProgress = false;
+    }
+  };
+
+  return {
+    readOpenclawVersion,
+    getVersionStatus,
+    updateOpenclaw,
+  };
+};
+
+module.exports = { createOpenclawVersionService };

package/lib/server/routes/auth.js

@@ -0,0 +1,80 @@
+const crypto = require("crypto");
+const path = require("path");
+const { kLoginCleanupIntervalMs } = require("../constants");
+
+const registerAuthRoutes = ({ app, loginThrottle }) => {
+  const SETUP_PASSWORD = process.env.SETUP_PASSWORD || "";
+  const kAuthTokens = new Set();
+
+  const cookieParser = (req) => {
+    const cookies = {};
+    (req.headers.cookie || "").split(";").forEach((c) => {
+      const [k, ...v] = c.trim().split("=");
+      if (k) cookies[k] = v.join("=");
+    });
+    return cookies;
+  };
+
+  app.post("/api/auth/login", (req, res) => {
+    if (!SETUP_PASSWORD) return res.json({ ok: true });
+    const now = Date.now();
+    const clientKey = loginThrottle.getClientKey(req);
+    const state = loginThrottle.getOrCreateLoginAttemptState(clientKey, now);
+    const throttle = loginThrottle.evaluateLoginThrottle(state, now);
+    if (throttle.blocked) {
+      res.set("Retry-After", String(throttle.retryAfterSec));
+      return res.status(429).json({
+        ok: false,
+        error: "Too many attempts. Try again shortly.",
+        retryAfterSec: throttle.retryAfterSec,
+      });
+    }
+    if (req.body.password !== SETUP_PASSWORD) {
+      const failure = loginThrottle.recordLoginFailure(state, now);
+      if (failure.locked) {
+        const retryAfterSec = Math.max(1, Math.ceil(failure.lockMs / 1000));
+        res.set("Retry-After", String(retryAfterSec));
+        return res.status(429).json({
+          ok: false,
+          error: "Too many attempts. Try again shortly.",
+          retryAfterSec,
+        });
+      }
+      return res.status(401).json({ ok: false, error: "Invalid credentials" });
+    }
+    loginThrottle.recordLoginSuccess(clientKey);
+    const token = crypto.randomBytes(32).toString("hex");
+    kAuthTokens.add(token);
+    res.cookie("setup_token", token, {
+      httpOnly: true,
+      sameSite: "lax",
+      path: "/",
+    });
+    res.json({ ok: true });
+  });
+
+  setInterval(() => {
+    loginThrottle.cleanupLoginAttemptStates();
+  }, kLoginCleanupIntervalMs).unref();
+
+  const requireAuth = (req, res, next) => {
+    if (!SETUP_PASSWORD) return next();
+    if (req.path.startsWith("/auth/google/callback")) return next();
+    if (req.path.startsWith("/auth/codex/callback")) return next();
+    const cookies = cookieParser(req);
+    const token = cookies.setup_token || req.query.token;
+    if (token && kAuthTokens.has(token)) return next();
+    if (req.path.startsWith("/api/")) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    return res.sendFile(path.join(__dirname, "..", "..", "public", "login.html"));
+  };
+
+  app.use("/setup", requireAuth);
+  app.use("/api", requireAuth);
+  app.use("/auth", requireAuth);
+
+  return { requireAuth };
+};
+
+module.exports = { registerAuthRoutes };

package/lib/server/routes/codex.js

@@ -0,0 +1,204 @@
+const crypto = require("crypto");
+const {
+  CODEX_OAUTH_REDIRECT_URI,
+  CODEX_OAUTH_AUTHORIZE_URL,
+  CODEX_OAUTH_CLIENT_ID,
+  CODEX_OAUTH_SCOPE,
+  CODEX_OAUTH_TOKEN_URL,
+  kCodexOauthStateTtlMs,
+} = require("../constants");
+
+const createCodexOauthState = () => {
+  const kCodexOauthStates = new Map();
+
+  const cleanupCodexOauthStates = () => {
+    const now = Date.now();
+    for (const [state, value] of kCodexOauthStates.entries()) {
+      if (!value || now - value.createdAt > kCodexOauthStateTtlMs) {
+        kCodexOauthStates.delete(state);
+      }
+    }
+  };
+
+  return { kCodexOauthStates, cleanupCodexOauthStates };
+};
+
+const registerCodexRoutes = ({
+  app,
+  createPkcePair,
+  parseCodexAuthorizationInput,
+  getCodexAccountId,
+  authProfiles,
+}) => {
+  const { kCodexOauthStates, cleanupCodexOauthStates } = createCodexOauthState();
+
+  app.get("/api/codex/status", (req, res) => {
+    const profile = authProfiles.getCodexProfile();
+    if (!profile) return res.json({ connected: false });
+    res.json({
+      connected: true,
+      profileId: profile.profileId,
+      accountId: profile.accountId || null,
+      expires: typeof profile.expires === "number" ? profile.expires : null,
+    });
+  });
+
+  app.get("/auth/codex/start", (req, res) => {
+    try {
+      cleanupCodexOauthStates();
+      const redirectUri = CODEX_OAUTH_REDIRECT_URI;
+      const { verifier, challenge } = createPkcePair();
+      const state = crypto.randomBytes(16).toString("hex");
+      kCodexOauthStates.set(state, { verifier, redirectUri, createdAt: Date.now() });
+
+      const authUrl = new URL(CODEX_OAUTH_AUTHORIZE_URL);
+      authUrl.searchParams.set("response_type", "code");
+      authUrl.searchParams.set("client_id", CODEX_OAUTH_CLIENT_ID);
+      authUrl.searchParams.set("redirect_uri", redirectUri);
+      authUrl.searchParams.set("scope", CODEX_OAUTH_SCOPE);
+      authUrl.searchParams.set("code_challenge", challenge);
+      authUrl.searchParams.set("code_challenge_method", "S256");
+      authUrl.searchParams.set("state", state);
+      authUrl.searchParams.set("id_token_add_organizations", "true");
+      authUrl.searchParams.set("codex_cli_simplified_flow", "true");
+      // Keep this aligned with OpenClaw's own Codex OAuth flow.
+      authUrl.searchParams.set("originator", "pi");
+      res.redirect(authUrl.toString());
+    } catch (err) {
+      console.error("[codex] Failed to start OAuth flow:", err);
+      res.redirect("/setup?codex=error&message=" + encodeURIComponent(err.message));
+    }
+  });
+
+  app.get("/auth/codex/callback", async (req, res) => {
+    const { code, error, state } = req.query;
+    if (error) {
+      return res.send(`<!DOCTYPE html><html><body><script>
+      window.opener?.postMessage({ codex: 'error', message: '${String(error).replace(/'/g, "\\'")}' }, '*');
+      window.close();
+    </script><p>Codex auth failed. You can close this window.</p></body></html>`);
+    }
+    if (!code || !state) {
+      return res.send(`<!DOCTYPE html><html><body><script>
+      window.opener?.postMessage({ codex: 'error', message: 'Missing OAuth state/code' }, '*');
+      window.close();
+    </script><p>Missing OAuth state/code. You can close this window.</p></body></html>`);
+    }
+
+    cleanupCodexOauthStates();
+    const oauthState = kCodexOauthStates.get(String(state));
+    kCodexOauthStates.delete(String(state));
+    if (!oauthState) {
+      return res.send(`<!DOCTYPE html><html><body><script>
+      window.opener?.postMessage({ codex: 'error', message: 'State mismatch or expired login attempt' }, '*');
+      window.close();
+    </script><p>State mismatch. You can close this window.</p></body></html>`);
+    }
+
+    try {
+      const tokenRes = await fetch(CODEX_OAUTH_TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          client_id: CODEX_OAUTH_CLIENT_ID,
+          code: String(code),
+          code_verifier: oauthState.verifier,
+          redirect_uri: oauthState.redirectUri,
+        }),
+      });
+      const json = await tokenRes.json().catch(() => ({}));
+      if (
+        !tokenRes.ok ||
+        !json.access_token ||
+        !json.refresh_token ||
+        typeof json.expires_in !== "number"
+      ) {
+        throw new Error(`Token exchange failed (${tokenRes.status})`);
+      }
+
+      const access = String(json.access_token);
+      const refresh = String(json.refresh_token);
+      const expires = Date.now() + Number(json.expires_in) * 1000;
+      const accountId = getCodexAccountId(access);
+
+      authProfiles.upsertCodexProfile({ access, refresh, expires, accountId });
+
+      return res.send(`<!DOCTYPE html><html><body><script>
+      window.opener?.postMessage({ codex: 'success' }, '*');
+      window.close();
+    </script><p>Codex connected. You can close this window.</p></body></html>`);
+    } catch (err) {
+      console.error("[codex] OAuth callback error:", err);
+      return res.send(`<!DOCTYPE html><html><body><script>
+      window.opener?.postMessage({ codex: 'error', message: '${String(err.message || "OAuth error").replace(/'/g, "\\'")}' }, '*');
+      window.close();
+    </script><p>Error: ${String(err.message || "OAuth error")}. You can close this window.</p></body></html>`);
+    }
+  });
+
+  app.post("/api/codex/exchange", async (req, res) => {
+    try {
+      cleanupCodexOauthStates();
+      const { input } = req.body || {};
+      const parsed = parseCodexAuthorizationInput(input);
+      const code = String(parsed.code || "");
+      const state = String(parsed.state || "");
+      if (!code || !state) {
+        return res.status(400).json({
+          ok: false,
+          error: "Missing code/state. Paste the full redirect URL from your browser address bar.",
+        });
+      }
+      const oauthState = kCodexOauthStates.get(state);
+      if (!oauthState) {
+        return res.status(400).json({
+          ok: false,
+          error: "OAuth state expired or invalid. Start Codex OAuth again.",
+        });
+      }
+      kCodexOauthStates.delete(state);
+      const tokenRes = await fetch(CODEX_OAUTH_TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          client_id: CODEX_OAUTH_CLIENT_ID,
+          code,
+          code_verifier: oauthState.verifier,
+          redirect_uri: oauthState.redirectUri,
+        }),
+      });
+      const json = await tokenRes.json().catch(() => ({}));
+      if (
+        !tokenRes.ok ||
+        !json.access_token ||
+        !json.refresh_token ||
+        typeof json.expires_in !== "number"
+      ) {
+        return res.status(400).json({
+          ok: false,
+          error: `Token exchange failed (${tokenRes.status})`,
+        });
+      }
+      const access = String(json.access_token);
+      const refresh = String(json.refresh_token);
+      const expires = Date.now() + Number(json.expires_in) * 1000;
+      const accountId = getCodexAccountId(access);
+      authProfiles.upsertCodexProfile({ access, refresh, expires, accountId });
+      return res.json({ ok: true });
+    } catch (err) {
+      console.error("[codex] Manual exchange error:", err);
+      return res
+        .status(500)
+        .json({ ok: false, error: err.message || "Codex OAuth exchange failed" });
+    }
+  });
+
+  app.post("/api/codex/disconnect", (req, res) => {
+    const changed = authProfiles.removeCodexProfiles();
+    res.json({ ok: true, changed });
+  });
+};
+
+module.exports = { registerCodexRoutes };