@chrysb/alphaclaw 0.1.0

package/lib/server/helpers.js

@@ -0,0 +1,192 @@
+const fs = require("fs");
+const crypto = require("crypto");
+const {
+  CODEX_JWT_CLAIM_PATH,
+  kOnboardingModelProviders,
+  GOG_CREDENTIALS_PATH,
+} = require("./constants");
+
+const normalizeOpenclawVersion = (rawVersion) => {
+  if (!rawVersion) return null;
+  return String(rawVersion).trim().replace(/^openclaw\s*/i, "") || null;
+};
+
+const compareVersionParts = (a, b) => {
+  const aParts = String(a || "")
+    .split(".")
+    .map((part) => Number.parseInt(part, 10) || 0);
+  const bParts = String(b || "")
+    .split(".")
+    .map((part) => Number.parseInt(part, 10) || 0);
+  const maxParts = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < maxParts; i += 1) {
+    const aPart = aParts[i] ?? 0;
+    const bPart = bParts[i] ?? 0;
+    if (aPart > bPart) return 1;
+    if (aPart < bPart) return -1;
+  }
+  return 0;
+};
+
+const parseJsonFromNoisyOutput = (raw) => {
+  const text = String(raw || "");
+  const firstBrace = text.indexOf("{");
+  const lastBrace = text.lastIndexOf("}");
+  if (firstBrace === -1 || lastBrace === -1 || lastBrace <= firstBrace) {
+    return null;
+  }
+  try {
+    return JSON.parse(text.slice(firstBrace, lastBrace + 1));
+  } catch {
+    return null;
+  }
+};
+
+const parseJwtPayload = (token) => {
+  try {
+    const parts = String(token || "").split(".");
+    if (parts.length !== 3) return null;
+    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+};
+
+const getCodexAccountId = (accessToken) => {
+  const payload = parseJwtPayload(accessToken);
+  const auth = payload?.[CODEX_JWT_CLAIM_PATH];
+  const accountId = auth?.chatgpt_account_id;
+  return typeof accountId === "string" && accountId ? accountId : null;
+};
+
+const normalizeIp = (ip) => String(ip || "").replace(/^::ffff:/, "");
+
+const isTruthyEnvFlag = (value) =>
+  ["1", "true", "yes", "on"].includes(String(value || "").trim().toLowerCase());
+
+const getClientKey = (req) =>
+  normalizeIp(
+    req.ip || req.headers["x-forwarded-for"] || req.socket?.remoteAddress || "",
+  ) || "unknown";
+
+const resolveGithubRepoUrl = (repoInput) => {
+  const cleaned = String(repoInput || "")
+    .trim()
+    .replace(/^git@github\.com:/, "")
+    .replace(/^https:\/\/github\.com\//, "")
+    .replace(/\.git$/, "");
+  if (!cleaned) return "";
+  if (!cleaned.includes("/")) {
+    throw new Error('GITHUB_WORKSPACE_REPO must be in "owner/repo" format.');
+  }
+  return cleaned;
+};
+
+const createPkcePair = () => {
+  const verifier = crypto.randomBytes(48).toString("base64url");
+  const challenge = crypto
+    .createHash("sha256")
+    .update(verifier)
+    .digest("base64url");
+  return { verifier, challenge };
+};
+
+const resolveModelProvider = (modelKey) =>
+  String(modelKey || "").split("/")[0] || "";
+
+const parseCodexAuthorizationInput = (input) => {
+  const value = String(input || "").trim();
+  if (!value) return {};
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") || "",
+      state: url.searchParams.get("state") || "",
+    };
+  } catch {}
+  if (value.includes("#")) {
+    const [code, state] = value.split("#", 2);
+    return { code: code || "", state: state || "" };
+  }
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value);
+    return {
+      code: params.get("code") || "",
+      state: params.get("state") || "",
+    };
+  }
+  return { code: value, state: "" };
+};
+
+const normalizeOnboardingModels = (models) => {
+  const deduped = new Map();
+  for (const model of models || []) {
+    if (!model?.key || typeof model.key !== "string") continue;
+    const provider = resolveModelProvider(model.key);
+    if (!kOnboardingModelProviders.has(provider)) continue;
+    if (!deduped.has(model.key)) {
+      deduped.set(model.key, {
+        key: model.key,
+        provider,
+        label: model.name || model.key,
+      });
+    }
+  }
+  return Array.from(deduped.values()).sort((a, b) =>
+    a.key.localeCompare(b.key),
+  );
+};
+
+const getBaseUrl = (req) => {
+  const proto = req.headers["x-forwarded-proto"] || req.protocol || "https";
+  const host = req.headers["x-forwarded-host"] || req.headers.host;
+  return `${proto}://${host}`;
+};
+
+const getApiEnableUrl = (svc, projectId) => {
+  const apiMap = {
+    gmail: "gmail.googleapis.com",
+    calendar: "calendar-json.googleapis.com",
+    tasks: "tasks.googleapis.com",
+    docs: "docs.googleapis.com",
+    meet: "meet.googleapis.com",
+    drive: "drive.googleapis.com",
+    contacts: "people.googleapis.com",
+    sheets: "sheets.googleapis.com",
+  };
+  const api = apiMap[svc] || "";
+  const project = projectId ? `?project=${projectId}` : "";
+  return `https://console.developers.google.com/apis/api/${api}/overview${project}`;
+};
+
+const readGoogleCredentials = () => {
+  try {
+    const c = JSON.parse(fs.readFileSync(GOG_CREDENTIALS_PATH, "utf8"));
+    return {
+      clientId: c.web?.client_id || c.installed?.client_id || c.client_id || null,
+      clientSecret:
+        c.web?.client_secret || c.installed?.client_secret || c.client_secret || null,
+    };
+  } catch {
+    return { clientId: null, clientSecret: null };
+  }
+};
+
+module.exports = {
+  normalizeOpenclawVersion,
+  compareVersionParts,
+  parseJsonFromNoisyOutput,
+  parseJwtPayload,
+  getCodexAccountId,
+  normalizeIp,
+  isTruthyEnvFlag,
+  getClientKey,
+  resolveGithubRepoUrl,
+  createPkcePair,
+  resolveModelProvider,
+  parseCodexAuthorizationInput,
+  normalizeOnboardingModels,
+  getBaseUrl,
+  getApiEnableUrl,
+  readGoogleCredentials,
+};

package/lib/server/login-throttle.js

@@ -0,0 +1,86 @@
+const { kLoginWindowMs, kLoginMaxAttempts, kLoginBaseLockMs, kLoginMaxLockMs, kLoginStateTtlMs } = require("./constants");
+
+const createLoginThrottle = () => {
+  const kLoginAttemptStates = new Map();
+
+  const getOrCreateLoginAttemptState = (clientKey, now) => {
+    const existing = kLoginAttemptStates.get(clientKey);
+    if (existing) {
+      existing.lastSeenAt = now;
+      return existing;
+    }
+    const next = {
+      attempts: 0,
+      windowStart: now,
+      lockUntil: 0,
+      failStreak: 0,
+      lastSeenAt: now,
+    };
+    kLoginAttemptStates.set(clientKey, next);
+    return next;
+  };
+
+  const evaluateLoginThrottle = (state, now) => {
+    if (!state) return { blocked: false, retryAfterSec: 0 };
+    if (state.lockUntil > now) {
+      return {
+        blocked: true,
+        retryAfterSec: Math.max(1, Math.ceil((state.lockUntil - now) / 1000)),
+      };
+    }
+    if (now - state.windowStart >= kLoginWindowMs) {
+      state.attempts = 0;
+      state.windowStart = now;
+    }
+    return { blocked: false, retryAfterSec: 0 };
+  };
+
+  const recordLoginFailure = (state, now) => {
+    if (!state) return { lockMs: 0, locked: false };
+    if (now - state.windowStart >= kLoginWindowMs) {
+      state.attempts = 0;
+      state.windowStart = now;
+    }
+    state.attempts += 1;
+    state.lastSeenAt = now;
+    if (state.attempts < kLoginMaxAttempts) {
+      return { lockMs: 0, locked: false };
+    }
+    state.failStreak += 1;
+    state.attempts = 0;
+    state.windowStart = now;
+    const lockMultiplier = Math.max(1, 2 ** (state.failStreak - 1));
+    const lockMs = Math.min(kLoginBaseLockMs * lockMultiplier, kLoginMaxLockMs);
+    state.lockUntil = now + lockMs;
+    return { lockMs, locked: true };
+  };
+
+  const recordLoginSuccess = (clientKey) => {
+    if (!clientKey) return;
+    kLoginAttemptStates.delete(clientKey);
+  };
+
+  const cleanupLoginAttemptStates = () => {
+    const now = Date.now();
+    for (const [key, state] of kLoginAttemptStates.entries()) {
+      if (!state) {
+        kLoginAttemptStates.delete(key);
+        continue;
+      }
+      if (state.lockUntil > now) continue;
+      if (now - state.lastSeenAt > kLoginStateTtlMs) {
+        kLoginAttemptStates.delete(key);
+      }
+    }
+  };
+
+  return {
+    getOrCreateLoginAttemptState,
+    evaluateLoginThrottle,
+    recordLoginFailure,
+    recordLoginSuccess,
+    cleanupLoginAttemptStates,
+  };
+};
+
+module.exports = { createLoginThrottle };

package/lib/server/onboarding/cron.js

@@ -0,0 +1,51 @@
+const path = require("path");
+const { kSetupDir } = require("../constants");
+
+const kHourlyGitSyncTemplatePath = path.join(kSetupDir, "hourly-git-sync.sh");
+const kSystemCronPath = "/etc/cron.d/openclaw-hourly-sync";
+const kSystemCronConfigDir = "cron";
+const kSystemCronConfigFile = "system-sync.json";
+const kDefaultSystemCronSchedule = "0 * * * *";
+
+const buildSystemCronFile = ({ schedule, scriptPath }) =>
+  [
+    "SHELL=/bin/bash",
+    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+    `${schedule} root bash "${scriptPath}" >> /var/log/openclaw-hourly-sync.log 2>&1`,
+    "",
+  ].join("\n");
+
+const installHourlyGitSyncScript = ({ fs, openclawDir }) => {
+  try {
+    const scriptPath = `${openclawDir}/hourly-git-sync.sh`;
+    const hourlyGitSyncScript = fs.readFileSync(kHourlyGitSyncTemplatePath, "utf8");
+    fs.writeFileSync(scriptPath, hourlyGitSyncScript, { mode: 0o755 });
+    console.log("[onboard] Installed deterministic hourly git sync script");
+  } catch (e) {
+    console.error("[onboard] Hourly git sync script install error:", e.message);
+  }
+};
+
+const installHourlyGitSyncCron = async ({ fs, openclawDir }) => {
+  try {
+    const scriptPath = `${openclawDir}/hourly-git-sync.sh`;
+    const configDir = `${openclawDir}/${kSystemCronConfigDir}`;
+    const configPath = `${configDir}/${kSystemCronConfigFile}`;
+    const config = { enabled: true, schedule: kDefaultSystemCronSchedule };
+    fs.mkdirSync(configDir, { recursive: true });
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+
+    const cronContent = buildSystemCronFile({
+      schedule: config.schedule,
+      scriptPath,
+    });
+    fs.writeFileSync(kSystemCronPath, cronContent, { mode: 0o644 });
+    console.log(`[onboard] Installed system cron job at ${kSystemCronPath} (${configPath})`);
+    return true;
+  } catch (e) {
+    console.error("[onboard] System cron install error:", e.message);
+    return false;
+  }
+};
+
+module.exports = { installHourlyGitSyncScript, installHourlyGitSyncCron };

package/lib/server/onboarding/github.js

@@ -0,0 +1,49 @@
+const ensureGithubRepoAccessible = async ({ repoUrl, repoName, remoteUrl, githubToken }) => {
+  void remoteUrl;
+  const ghHeaders = {
+    Authorization: `token ${githubToken}`,
+    "User-Agent": "openclaw-railway",
+    Accept: "application/vnd.github+json",
+  };
+
+  try {
+    const checkRes = await fetch(`https://api.github.com/repos/${repoUrl}`, {
+      headers: ghHeaders,
+    });
+
+    if (checkRes.status === 404) {
+      console.log(`[onboard] Creating repo ${repoUrl}...`);
+      const createRes = await fetch("https://api.github.com/user/repos", {
+        method: "POST",
+        headers: { ...ghHeaders, "Content-Type": "application/json" },
+        body: JSON.stringify({
+          name: repoName,
+          private: true,
+          auto_init: false,
+        }),
+      });
+      if (!createRes.ok) {
+        const err = await createRes.json().catch(() => ({}));
+        return {
+          ok: false,
+          status: 400,
+          error: `Failed to create repo: ${err.message || createRes.statusText}`,
+        };
+      }
+      console.log(`[onboard] Repo ${repoUrl} created`);
+      return { ok: true };
+    }
+
+    if (checkRes.ok) return { ok: true };
+
+    return {
+      ok: false,
+      status: 400,
+      error: `Cannot access repo "${repoUrl}" — check your token has the "repo" scope`,
+    };
+  } catch (e) {
+    return { ok: false, status: 400, error: `GitHub error: ${e.message}` };
+  }
+};
+
+module.exports = { ensureGithubRepoAccessible };

package/lib/server/onboarding/index.js

@@ -0,0 +1,127 @@
+const path = require("path");
+const { kSetupDir, kRootDir } = require("../constants");
+const { validateOnboardingInput } = require("./validation");
+const { ensureGithubRepoAccessible } = require("./github");
+const { buildOnboardArgs, writeSanitizedOpenclawConfig } = require("./openclaw");
+const { installControlUiSkill, syncBootstrapPromptFiles } = require("./workspace");
+const { installHourlyGitSyncScript, installHourlyGitSyncCron } = require("./cron");
+const { isTruthyEnvFlag } = require("../helpers");
+
+const createOnboardingService = ({
+  fs,
+  constants,
+  shellCmd,
+  gatewayEnv,
+  writeEnvFile,
+  reloadEnv,
+  resolveGithubRepoUrl,
+  resolveModelProvider,
+  hasCodexOauthProfile,
+  ensureGatewayProxyConfig,
+  getBaseUrl,
+  startGateway,
+}) => {
+  const { OPENCLAW_DIR, WORKSPACE_DIR } = constants;
+
+  const completeOnboarding = async ({ req, vars, modelKey }) => {
+    const validation = validateOnboardingInput({
+      vars,
+      modelKey,
+      resolveModelProvider,
+      hasCodexOauthProfile,
+    });
+    if (!validation.ok) {
+      return { status: validation.status, body: { ok: false, error: validation.error } };
+    }
+
+    const { varMap, githubToken, githubRepoInput, selectedProvider, hasCodexOauth } =
+      validation.data;
+
+    const repoUrl = resolveGithubRepoUrl(githubRepoInput);
+    const varsToSave = [...vars.filter((v) => v.value && v.key !== "GITHUB_WORKSPACE_REPO")];
+    varsToSave.push({ key: "GITHUB_WORKSPACE_REPO", value: repoUrl });
+    writeEnvFile(varsToSave);
+    reloadEnv();
+
+    const remoteUrl = `https://${githubToken}@github.com/${repoUrl}.git`;
+    const [, repoName] = repoUrl.split("/");
+    const repoCheck = await ensureGithubRepoAccessible({
+      repoUrl,
+      repoName,
+      remoteUrl,
+      githubToken,
+    });
+    if (!repoCheck.ok) {
+      return { status: repoCheck.status, body: { ok: false, error: repoCheck.error } };
+    }
+
+    fs.mkdirSync(OPENCLAW_DIR, { recursive: true });
+    fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+    syncBootstrapPromptFiles({ fs, workspaceDir: WORKSPACE_DIR, baseUrl: getBaseUrl(req) });
+
+    if (!fs.existsSync(`${OPENCLAW_DIR}/.git`)) {
+      await shellCmd(
+        `cd ${OPENCLAW_DIR} && git init -b main && git remote add origin "${remoteUrl}" && git config user.email "agent@openclaw.ai" && git config user.name "OpenClaw Agent"`,
+      );
+      console.log("[onboard] Git initialized");
+    }
+
+    if (!fs.existsSync(`${OPENCLAW_DIR}/.gitignore`)) {
+      fs.copyFileSync(path.join(kSetupDir, "gitignore"), `${OPENCLAW_DIR}/.gitignore`);
+    }
+
+    const onboardArgs = buildOnboardArgs({
+      varMap,
+      selectedProvider,
+      hasCodexOauth,
+      workspaceDir: WORKSPACE_DIR,
+    });
+    console.log(
+      `[onboard] Running: openclaw onboard ${onboardArgs.join(" ").replace(/sk-[^\s]+/g, "***")}`,
+    );
+    await shellCmd(`openclaw onboard ${onboardArgs.map((a) => `"${a}"`).join(" ")}`, {
+      env: {
+        ...process.env,
+        OPENCLAW_HOME: kRootDir,
+        OPENCLAW_CONFIG_PATH: `${OPENCLAW_DIR}/openclaw.json`,
+      },
+      timeout: 120000,
+    });
+    console.log("[onboard] Onboard complete");
+
+    await shellCmd(`openclaw models set "${modelKey}"`, {
+      env: gatewayEnv(),
+      timeout: 30000,
+    }).catch((e) => {
+      console.error("[onboard] Failed to set model:", e.message);
+      throw new Error(`Onboarding completed but failed to set model "${modelKey}"`);
+    });
+
+    try {
+      fs.rmSync(`${WORKSPACE_DIR}/.git`, { recursive: true, force: true });
+    } catch {}
+
+    writeSanitizedOpenclawConfig({ fs, openclawDir: OPENCLAW_DIR, varMap });
+    ensureGatewayProxyConfig(getBaseUrl(req));
+
+    installControlUiSkill({ fs, openclawDir: OPENCLAW_DIR, baseUrl: getBaseUrl(req) });
+
+    const shouldForcePush = isTruthyEnvFlag(process.env.OPENCLAW_DEBUG_FORCE_PUSH);
+    const pushArgs = shouldForcePush ? "-u --force" : "-u";
+    await shellCmd(
+      `cd ${OPENCLAW_DIR} && git add -A && git commit -m "initial setup" && git push ${pushArgs} origin main`,
+      { timeout: 30000 },
+    ).catch((e) => console.error("[onboard] Git push error:", e.message));
+    console.log("[onboard] Initial state committed and pushed");
+
+    installHourlyGitSyncScript({ fs, openclawDir: OPENCLAW_DIR });
+    await installHourlyGitSyncCron({ fs, openclawDir: OPENCLAW_DIR });
+
+    startGateway();
+    return { status: 200, body: { ok: true } };
+  };
+
+  return { completeOnboarding };
+};
+
+module.exports = { createOnboardingService };

package/lib/server/onboarding/openclaw.js

@@ -0,0 +1,171 @@
+const buildOnboardArgs = ({ varMap, selectedProvider, hasCodexOauth, workspaceDir }) => {
+  const onboardArgs = [
+    "--non-interactive",
+    "--accept-risk",
+    "--flow",
+    "quickstart",
+    "--gateway-bind",
+    "loopback",
+    "--gateway-port",
+    "18789",
+    "--gateway-auth",
+    "token",
+    "--gateway-token",
+    varMap.OPENCLAW_GATEWAY_TOKEN || process.env.OPENCLAW_GATEWAY_TOKEN || "",
+    "--no-install-daemon",
+    "--skip-health",
+    "--workspace",
+    workspaceDir,
+  ];
+
+  if (
+    selectedProvider === "openai-codex" &&
+    (varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY)
+  ) {
+    onboardArgs.push(
+      "--auth-choice",
+      "openai-api-key",
+      "--openai-api-key",
+      varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY,
+    );
+  } else if (selectedProvider === "openai-codex" && hasCodexOauth) {
+    onboardArgs.push("--auth-choice", "skip");
+  } else if (
+    (selectedProvider === "anthropic" || !selectedProvider) &&
+    (varMap.ANTHROPIC_TOKEN || process.env.ANTHROPIC_TOKEN)
+  ) {
+    onboardArgs.push(
+      "--auth-choice",
+      "token",
+      "--token-provider",
+      "anthropic",
+      "--token",
+      varMap.ANTHROPIC_TOKEN || process.env.ANTHROPIC_TOKEN,
+    );
+  } else if (
+    (selectedProvider === "anthropic" || !selectedProvider) &&
+    (varMap.ANTHROPIC_API_KEY || process.env.ANTHROPIC_API_KEY)
+  ) {
+    onboardArgs.push(
+      "--auth-choice",
+      "apiKey",
+      "--anthropic-api-key",
+      varMap.ANTHROPIC_API_KEY || process.env.ANTHROPIC_API_KEY,
+    );
+  } else if (
+    (selectedProvider === "openai" || !selectedProvider) &&
+    (varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY)
+  ) {
+    onboardArgs.push(
+      "--auth-choice",
+      "openai-api-key",
+      "--openai-api-key",
+      varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY,
+    );
+  } else if (
+    (selectedProvider === "google" || !selectedProvider) &&
+    (varMap.GEMINI_API_KEY || process.env.GEMINI_API_KEY)
+  ) {
+    onboardArgs.push(
+      "--auth-choice",
+      "gemini-api-key",
+      "--gemini-api-key",
+      varMap.GEMINI_API_KEY || process.env.GEMINI_API_KEY,
+    );
+  } else if (varMap.ANTHROPIC_TOKEN || process.env.ANTHROPIC_TOKEN) {
+    onboardArgs.push(
+      "--auth-choice",
+      "token",
+      "--token-provider",
+      "anthropic",
+      "--token",
+      varMap.ANTHROPIC_TOKEN || process.env.ANTHROPIC_TOKEN,
+    );
+  } else if (varMap.ANTHROPIC_API_KEY || process.env.ANTHROPIC_API_KEY) {
+    onboardArgs.push(
+      "--auth-choice",
+      "apiKey",
+      "--anthropic-api-key",
+      varMap.ANTHROPIC_API_KEY || process.env.ANTHROPIC_API_KEY,
+    );
+  } else if (varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY) {
+    onboardArgs.push(
+      "--auth-choice",
+      "openai-api-key",
+      "--openai-api-key",
+      varMap.OPENAI_API_KEY || process.env.OPENAI_API_KEY,
+    );
+  } else if (varMap.GEMINI_API_KEY || process.env.GEMINI_API_KEY) {
+    onboardArgs.push(
+      "--auth-choice",
+      "gemini-api-key",
+      "--gemini-api-key",
+      varMap.GEMINI_API_KEY || process.env.GEMINI_API_KEY,
+    );
+  } else if (hasCodexOauth) {
+    onboardArgs.push("--auth-choice", "skip");
+  }
+
+  return onboardArgs;
+};
+
+const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
+  const configPath = `${openclawDir}/openclaw.json`;
+  const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+  if (!cfg.channels) cfg.channels = {};
+  if (!cfg.plugins) cfg.plugins = {};
+  if (!cfg.plugins.entries) cfg.plugins.entries = {};
+  if (!cfg.commands) cfg.commands = {};
+  if (!cfg.hooks) cfg.hooks = {};
+  if (!cfg.hooks.internal) cfg.hooks.internal = {};
+  if (!cfg.hooks.internal.entries) cfg.hooks.internal.entries = {};
+  cfg.commands.restart = true;
+  cfg.hooks.internal.enabled = true;
+  cfg.hooks.internal.entries["bootstrap-extra-files"] = {
+    ...(cfg.hooks.internal.entries["bootstrap-extra-files"] || {}),
+    enabled: true,
+    paths: ["hooks/bootstrap/AGENTS.md", "hooks/bootstrap/TOOLS.md"],
+  };
+
+  if (varMap.TELEGRAM_BOT_TOKEN) {
+    cfg.channels.telegram = {
+      enabled: true,
+      botToken: varMap.TELEGRAM_BOT_TOKEN,
+      dmPolicy: "pairing",
+      groupPolicy: "allowlist",
+    };
+    cfg.plugins.entries.telegram = { enabled: true };
+    console.log("[onboard] Telegram configured");
+  }
+  if (varMap.DISCORD_BOT_TOKEN) {
+    cfg.channels.discord = {
+      enabled: true,
+      token: varMap.DISCORD_BOT_TOKEN,
+      dmPolicy: "pairing",
+      groupPolicy: "allowlist",
+    };
+    cfg.plugins.entries.discord = { enabled: true };
+    console.log("[onboard] Discord configured");
+  }
+
+  let content = JSON.stringify(cfg, null, 2);
+  const replacements = [
+    [process.env.OPENCLAW_GATEWAY_TOKEN, "${OPENCLAW_GATEWAY_TOKEN}"],
+    [varMap.ANTHROPIC_API_KEY, "${ANTHROPIC_API_KEY}"],
+    [varMap.ANTHROPIC_TOKEN, "${ANTHROPIC_TOKEN}"],
+    [varMap.TELEGRAM_BOT_TOKEN, "${TELEGRAM_BOT_TOKEN}"],
+    [varMap.DISCORD_BOT_TOKEN, "${DISCORD_BOT_TOKEN}"],
+    [varMap.OPENAI_API_KEY, "${OPENAI_API_KEY}"],
+    [varMap.GEMINI_API_KEY, "${GEMINI_API_KEY}"],
+    [varMap.BRAVE_API_KEY, "${BRAVE_API_KEY}"],
+  ];
+  for (const [secret, envRef] of replacements) {
+    if (secret && secret.length > 8) {
+      content = content.split(secret).join(envRef);
+    }
+  }
+  fs.writeFileSync(configPath, content);
+  console.log("[onboard] Config sanitized");
+};
+
+module.exports = { buildOnboardArgs, writeSanitizedOpenclawConfig };