@chrysb/alphaclaw 0.1.20 → 0.1.21

package/lib/public/login.html

@@ -67,6 +67,10 @@
       </form>
     </div>
     <script>
+      try {
+        window.localStorage?.clear?.();
+      } catch {}
+
       const formEl = document.getElementById("login-form");
       const passwordEl = document.getElementById("password");
       const submitButtonEl = document.getElementById("submit-btn");

package/lib/server/routes/auth.js

@@ -1,10 +1,44 @@
 const crypto = require("crypto");
-const path = require("path");
 const { kLoginCleanupIntervalMs } = require("../constants");
 
 const registerAuthRoutes = ({ app, loginThrottle }) => {
   const SETUP_PASSWORD = process.env.SETUP_PASSWORD || "";
-  const kAuthTokens = new Set();
+  const kSessionTtlMs = 7 * 24 * 60 * 60 * 1000;
+
+  const signSessionPayload = (payload) =>
+    crypto.createHmac("sha256", SETUP_PASSWORD).update(payload).digest("base64url");
+
+  const createSessionToken = () => {
+    const now = Date.now();
+    const payload = Buffer.from(
+      JSON.stringify({
+        iat: now,
+        exp: now + kSessionTtlMs,
+        nonce: crypto.randomBytes(16).toString("hex"),
+      }),
+    ).toString("base64url");
+    const signature = signSessionPayload(payload);
+    return `${payload}.${signature}`;
+  };
+
+  const verifySessionToken = (token) => {
+    if (!SETUP_PASSWORD || !token || typeof token !== "string") return false;
+    const parts = token.split(".");
+    if (parts.length !== 2) return false;
+    const [payload, signature] = parts;
+    if (!payload || !signature) return false;
+    const expectedSignature = signSessionPayload(payload);
+    const expectedBuffer = Buffer.from(expectedSignature);
+    const signatureBuffer = Buffer.from(signature);
+    if (expectedBuffer.length !== signatureBuffer.length) return false;
+    if (!crypto.timingSafeEqual(expectedBuffer, signatureBuffer)) return false;
+    try {
+      const parsed = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+      return Number.isFinite(parsed?.exp) && parsed.exp > Date.now();
+    } catch {
+      return false;
+    }
+  };
 
   const cookieParser = (req) => {
     const cookies = {};
@@ -43,12 +77,12 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
       return res.status(401).json({ ok: false, error: "Invalid credentials" });
     }
     loginThrottle.recordLoginSuccess(clientKey);
-    const token = crypto.randomBytes(32).toString("hex");
-    kAuthTokens.add(token);
+    const token = createSessionToken();
     res.cookie("setup_token", token, {
       httpOnly: true,
       sameSite: "lax",
       path: "/",
+      maxAge: kSessionTtlMs,
     });
     res.json({ ok: true });
   });
@@ -57,24 +91,42 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
     loginThrottle.cleanupLoginAttemptStates();
   }, kLoginCleanupIntervalMs).unref();
 
+  const isAuthorizedRequest = (req) => {
+    if (!SETUP_PASSWORD) return true;
+    const requestPath = req.path || "";
+    if (requestPath.startsWith("/auth/google/callback")) return true;
+    if (requestPath.startsWith("/auth/codex/callback")) return true;
+    const cookies = cookieParser(req);
+    const query = req.query || {};
+    const token = cookies.setup_token || query.token;
+    return verifySessionToken(token);
+  };
+
   const requireAuth = (req, res, next) => {
     if (!SETUP_PASSWORD) return next();
     if (req.path.startsWith("/auth/google/callback")) return next();
     if (req.path.startsWith("/auth/codex/callback")) return next();
-    const cookies = cookieParser(req);
-    const token = cookies.setup_token || req.query.token;
-    if (token && kAuthTokens.has(token)) return next();
+    if (isAuthorizedRequest(req)) return next();
     if (req.path.startsWith("/api/")) {
       return res.status(401).json({ error: "Unauthorized" });
     }
-    return res.sendFile(path.join(__dirname, "..", "..", "public", "login.html"));
+    return res.redirect("/login.html");
   };
 
+  app.get("/api/auth/status", (req, res) => {
+    res.json({ authEnabled: !!SETUP_PASSWORD });
+  });
+
+  app.post("/api/auth/logout", (req, res) => {
+    res.clearCookie("setup_token", { path: "/" });
+    res.json({ ok: true });
+  });
+
   app.use("/setup", requireAuth);
   app.use("/api", requireAuth);
   app.use("/auth", requireAuth);
 
-  return { requireAuth };
+  return { requireAuth, isAuthorizedRequest };
 };
 
 module.exports = { registerAuthRoutes };

package/lib/server/routes/google.js

@@ -63,7 +63,6 @@ const registerGoogleRoutes = ({
       services,
       activeScopes,
     };
-    console.log(`[alphaclaw] Google status: ${JSON.stringify(status)}`);
     res.json(status);
   });
 

package/lib/server/routes/proxy.js

@@ -1,13 +1,13 @@
-const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES }) => {
-  app.all("/openclaw", (req, res) => {
+const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES, requireAuth }) => {
+  app.all("/openclaw", requireAuth, (req, res) => {
     req.url = "/";
     proxy.web(req, res);
   });
-  app.all("/openclaw/*", (req, res) => {
+  app.all("/openclaw/*", requireAuth, (req, res) => {
     req.url = req.url.replace(/^\/openclaw/, "");
     proxy.web(req, res);
   });
-  app.all("/assets/*", (req, res) => proxy.web(req, res));
+  app.all("/assets/*", requireAuth, (req, res) => proxy.web(req, res));
 
   app.all("/webhook/*", (req, res) => {
     if (!req.headers.authorization && req.query.token) {

package/lib/server/routes/system.js

@@ -18,7 +18,20 @@ const registerSystemRoutes = ({
   OPENCLAW_DIR,
 }) => {
   let envRestartPending = false;
-  const kEnvVarsHiddenFromEnvarsTab = new Set(["GITHUB_WORKSPACE_REPO"]);
+  const kEnvVarsReservedForUserInput = new Set([
+    "GITHUB_WORKSPACE_REPO",
+    "GOG_KEYRING_PASSWORD",
+    "ALPHACLAW_ROOT_DIR",
+    "OPENCLAW_HOME",
+    "OPENCLAW_CONFIG_PATH",
+    "XDG_CONFIG_HOME",
+  ]);
+  const kReservedUserEnvVarKeys = Array.from(
+    new Set([...kSystemVars, ...kEnvVarsReservedForUserInput]),
+  );
+  const isReservedUserEnvVar = (key) =>
+    kSystemVars.has(key)
+    || kEnvVarsReservedForUserInput.has(key);
   const kSystemCronPath = "/etc/cron.d/openclaw-hourly-sync";
   const kSystemCronConfigPath = `${OPENCLAW_DIR}/cron/system-sync.json`;
   const kSystemCronScriptPath = `${OPENCLAW_DIR}/hourly-git-sync.sh`;
@@ -72,7 +85,7 @@ const registerSystemRoutes = ({
     const merged = [];
 
     for (const def of kKnownVars) {
-      if (kEnvVarsHiddenFromEnvarsTab.has(def.key)) continue;
+      if (isReservedUserEnvVar(def.key)) continue;
       const fileEntry = fileVars.find((v) => v.key === def.key);
       const value = fileEntry?.value || "";
       merged.push({
@@ -87,7 +100,7 @@ const registerSystemRoutes = ({
     }
 
     for (const v of fileVars) {
-      if (kKnownKeys.has(v.key) || kSystemVars.has(v.key)) continue;
+      if (kKnownKeys.has(v.key) || isReservedUserEnvVar(v.key)) continue;
       merged.push({
         key: v.key,
         value: v.value,
@@ -99,7 +112,11 @@ const registerSystemRoutes = ({
       });
     }
 
-    res.json({ vars: merged, restartRequired: envRestartPending && isOnboarded() });
+    res.json({
+      vars: merged,
+      reservedKeys: kReservedUserEnvVarKeys,
+      restartRequired: envRestartPending && isOnboarded(),
+    });
   });
 
   app.put("/api/env", (req, res) => {
@@ -108,14 +125,22 @@ const registerSystemRoutes = ({
       return res.status(400).json({ ok: false, error: "Missing vars array" });
     }
 
-    const filtered = vars.filter(
-      (v) =>
-        !kSystemVars.has(v.key) &&
-        !kEnvVarsHiddenFromEnvarsTab.has(v.key),
-    );
-    const existingLockedVars = readEnvFile().filter((v) =>
-      kEnvVarsHiddenFromEnvarsTab.has(v.key),
+    const blockedKeys = Array.from(
+      new Set(
+        vars
+          .map((v) => String(v?.key || "").trim())
+          .filter((key) => key && isReservedUserEnvVar(key)),
+      ),
     );
+    if (blockedKeys.length) {
+      return res.status(400).json({
+        ok: false,
+        error: `Reserved environment variables cannot be edited: ${blockedKeys.join(", ")}`,
+      });
+    }
+
+    const filtered = vars.filter((v) => !isReservedUserEnvVar(v.key));
+    const existingLockedVars = readEnvFile().filter((v) => isReservedUserEnvVar(v.key));
     const nextEnvVars = [...filtered, ...existingLockedVars];
     syncChannelConfig(nextEnvVars, "remove");
     writeEnvFile(nextEnvVars);

package/lib/server.js

@@ -79,7 +79,10 @@ const openclawVersionService = createOpenclawVersionService({
 });
 const alphaclawVersionService = createAlphaclawVersionService();
 
-const { requireAuth } = registerAuthRoutes({ app, loginThrottle });
+const { requireAuth, isAuthorizedRequest } = registerAuthRoutes({
+  app,
+  loginThrottle,
+});
 app.use(express.static(path.join(__dirname, "public")));
 
 registerPageRoutes({ app, requireAuth, isGatewayRunning });
@@ -143,10 +146,25 @@ registerGoogleRoutes({
   getApiEnableUrl,
   constants,
 });
-registerProxyRoutes({ app, proxy, SETUP_API_PREFIXES });
+registerProxyRoutes({ app, proxy, SETUP_API_PREFIXES, requireAuth });
 
 const server = http.createServer(app);
 server.on("upgrade", (req, socket, head) => {
+  const requestUrl = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+  if (requestUrl.pathname.startsWith("/openclaw")) {
+    const upgradeReq = {
+      ...req,
+      path: requestUrl.pathname,
+      query: Object.fromEntries(requestUrl.searchParams.entries()),
+    };
+    if (!isAuthorizedRequest(upgradeReq)) {
+      socket.write(
+        "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nUnauthorized",
+      );
+      socket.destroy();
+      return;
+    }
+  }
   proxy.ws(req, socket, head);
 });
 

package/lib/setup/core-prompts/AGENTS.md

@@ -10,6 +10,17 @@ Always explain:
 
 Then WAIT for the user's approval.
 
+### Plan Before You Build
+
+Before diving into implementation, share your plan when the work is **significant**. Significance isn't about line count — a single high-impact change can be just as significant as a multi-step refactor. Ask yourself:
+
+- Could this break existing behavior or introduce subtle bugs?
+- Does it touch critical paths, shared state, or external integrations?
+- Are there multiple valid approaches worth weighing?
+- Would reverting this be painful?
+
+If any of these apply, outline your approach first — what you intend to do, in what order, and any trade-offs you see — then **wait for the user's sign-off** before proceeding. For straightforward, low-risk tasks, just get it done.
+
 ### Show Your Work (IMPORTANT)
 
 Mandatory: Anytime you add, edit, or remove files/resources, end your message with a **Changes committed** summary.

package/lib/setup/core-prompts/TOOLS.md

@@ -1,3 +1,25 @@
+## AlphaClaw Harness
+
+AlphaClaw is the setup and management harness that runs alongside OpenClaw. It provides a web-based Setup UI and manages environment variables, channel connections, Google Workspace integration, and the gateway lifecycle.
+
+AlphaClaw UI: `{{SETUP_UI_URL}}`
+
+### Tabs
+
+| Tab     | URL                        | What it manages                                                                                                                                         |
+| ------- | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | `{{SETUP_UI_URL}}#general` | Gateway status & restart, channel health (Telegram/Discord), pending pairings, Google Workspace connection, repo auto-sync schedule, OpenClaw dashboard |
+| Models  | `{{SETUP_UI_URL}}#models`  | AI provider credentials (Anthropic, OpenAI, Google), Codex OAuth                                                                                        |
+| Envars  | `{{SETUP_UI_URL}}#envars`  | View/edit/add environment variables (saved to `/data/.env`), gateway restart to apply changes                                                           |
+
+### Environment variables
+
+Changes to env vars are made through the **Envars** tab (`{{SETUP_UI_URL}}#envars`). After saving, a gateway restart may be required to pick up the changes — the UI prompts for this automatically. Do not edit `/data/.env` directly; use the Setup UI so changes are validated and the gateway restart is handled.
+
+### Google Workspace
+
+Google Workspace is connected via the **General** tab (`{{SETUP_UI_URL}}#general`). The user provides OAuth client credentials from Google Cloud Console, then authorizes access to the services they need (Gmail, Calendar, Drive, Sheets, Docs, Tasks, Contacts, Meet).
+
 ## Git Discipline
 
 **Commit and push after every set of changes.** Your entire .openclaw directory (config, cron, workspace) is version controlled. This is how your work survives container restarts.
@@ -9,10 +31,6 @@ cd /data/.openclaw && git add -A && git commit -m "description" && git push
 Never force push. Always pull before pushing if there might be remote changes.
 After pushing, include a link to the commit using the abbreviated hash: [abc1234](https://github.com/owner/repo/commit/abc1234) format. No backticks.
 
-## Setup UI
-
-Web-based setup UI URL: `{{SETUP_UI_URL}}`
-
 ## Telegram Formatting
 
 - **Links:** Use markdown syntax `[text](URL)` — HTML `<a href>` does NOT render

package/lib/setup/skills/control-ui/SKILL.md

@@ -13,25 +13,25 @@ There is a web-based Setup UI at `{{BASE_URL}}`. The **user** manages runtime co
 
 When the user needs to add a new API key, token, or any env var:
 
-> You can add that in your Setup UI → **Envars** tab: {{BASE_URL}}
+> You can add that in your Setup UI → **Envars** tab: {{BASE_URL}}#envars
 
 ### Connecting a new channel (Telegram, Discord)
 
-> Add your bot token in the Setup UI → **Envars** tab, then approve the pairing request in the **General** tab.
+> Add your bot token in the Setup UI → **Envars** tab ({{BASE_URL}}#envars), then approve the pairing request in the **General** tab ({{BASE_URL}}#general).
 
 ### Approving or rejecting pairings
 
 When a user asks about pairing their Telegram or Discord account:
 
-> Open the Setup UI → **General** tab. Pending pairing requests appear automatically — click **Approve** or **Reject**.
+> Open the Setup UI → **General** tab ({{BASE_URL}}#general). Pending pairing requests appear automatically — click **Approve** or **Reject**.
 
 ### Connecting OpenAI Codex OAuth
 
-> Connect or reconnect Codex OAuth from the Setup UI → **Models** tab. Click **Connect Codex OAuth** and follow the popup flow.
+> Connect or reconnect Codex OAuth from the Setup UI → **Models** tab ({{BASE_URL}}#models). Click **Connect Codex OAuth** and follow the popup flow.
 
 ### Connecting Google Workspace
 
-> Set up Google Workspace from the Setup UI → **General** tab (Google section). You'll need your OAuth client credentials from Google Cloud Console.
+> Set up Google Workspace from the Setup UI → **General** tab ({{BASE_URL}}#general, Google section). You'll need your OAuth client credentials from Google Cloud Console.
 
 Supported Google services (user selects which to enable during OAuth):
 
@@ -65,6 +65,6 @@ Config lives at `/data/.openclaw/gogcli/`.
 
 This is a reference so you know what's available — not an invitation to call these endpoints.
 
-- **General tab**: Gateway status/restart, OpenClaw version + update, channel health, pending pairings, Google Workspace
-- **Models tab**: Primary model selection, provider credentials, Codex OAuth
-- **Envars tab**: View/edit/add environment variables, save to `/data/.env`
+- **General tab** (`{{BASE_URL}}#general`): Gateway status/restart, OpenClaw version + update, channel health, pending pairings, Google Workspace
+- **Models tab** (`{{BASE_URL}}#models`): Primary model selection, provider credentials, Codex OAuth
+- **Envars tab** (`{{BASE_URL}}#envars`): View/edit/add environment variables, save to `/data/.env`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.1.20",
+  "version": "0.1.21",
   "publishConfig": {
     "access": "public"
   },