@chrysb/alphaclaw 0.1.24 → 0.2.0

package/lib/public/js/lib/model-config.js

@@ -134,6 +134,8 @@ export const kProviderOrder = [
   "deepgram",
 ];
 
+export const kCoreProviders = new Set(["anthropic", "openai", "google"]);
+
 export const kProviderFeatures = {
   anthropic: ["Agent Model"],
   openai: ["Agent Model", "Embeddings", "Audio"],

package/lib/server/constants.js

@@ -264,6 +264,7 @@ const SETUP_API_PREFIXES = [
   "/api/openclaw",
   "/api/devices",
   "/api/sync-cron",
+  "/api/telegram",
 ];
 
 module.exports = {

package/lib/server/helpers.js

@@ -63,6 +63,8 @@ const normalizeIp = (ip) => String(ip || "").replace(/^::ffff:/, "");
 
 const isTruthyEnvFlag = (value) =>
   ["1", "true", "yes", "on"].includes(String(value || "").trim().toLowerCase());
+const isDebugEnabled = () =>
+  isTruthyEnvFlag(process.env.ALPHACLAW_DEBUG) || isTruthyEnvFlag(process.env.DEBUG);
 
 const getClientKey = (req) =>
   normalizeIp(
@@ -172,6 +174,33 @@ const readGoogleCredentials = () => {
   }
 };
 
+const kSecretKeyMatchers = [
+  /(?:^|_)TOKEN(?:$|_)/i,
+  /(?:^|_)API_KEY(?:$|_)/i,
+  /(?:^|_)PASSWORD(?:$|_)/i,
+  /(?:^|_)SECRET(?:$|_)/i,
+  /(?:^|_)PRIVATE_KEY(?:$|_)/i,
+];
+
+const isSensitiveKey = (key) =>
+  kSecretKeyMatchers.some((matcher) => matcher.test(String(key || "")));
+
+const buildSecretReplacements = (...sources) => {
+  const replacements = [];
+  const seen = new Set();
+  for (const source of sources) {
+    for (const [rawKey, rawValue] of Object.entries(source || {})) {
+      const key = String(rawKey || "").trim();
+      const value = String(rawValue || "");
+      if (!key || !value || !isSensitiveKey(key)) continue;
+      if (seen.has(value)) continue;
+      seen.add(value);
+      replacements.push([value, `\${${key}}`]);
+    }
+  }
+  return replacements.sort((a, b) => b[0].length - a[0].length);
+};
+
 module.exports = {
   normalizeOpenclawVersion,
   compareVersionParts,
@@ -180,6 +209,7 @@ module.exports = {
   getCodexAccountId,
   normalizeIp,
   isTruthyEnvFlag,
+  isDebugEnabled,
   getClientKey,
   resolveGithubRepoUrl,
   createPkcePair,
@@ -189,4 +219,6 @@ module.exports = {
   getBaseUrl,
   getApiEnableUrl,
   readGoogleCredentials,
+  isSensitiveKey,
+  buildSecretReplacements,
 };

package/lib/server/onboarding/github.js

@@ -1,5 +1,4 @@
-const ensureGithubRepoAccessible = async ({ repoUrl, repoName, remoteUrl, githubToken }) => {
-  void remoteUrl;
+const ensureGithubRepoAccessible = async ({ repoUrl, repoName, githubToken }) => {
   const ghHeaders = {
     Authorization: `token ${githubToken}`,
     "User-Agent": "openclaw-railway",

package/lib/server/onboarding/index.js

@@ -5,7 +5,6 @@ const { ensureGithubRepoAccessible } = require("./github");
 const { buildOnboardArgs, writeSanitizedOpenclawConfig } = require("./openclaw");
 const { installControlUiSkill, syncBootstrapPromptFiles } = require("./workspace");
 const { installHourlyGitSyncScript, installHourlyGitSyncCron } = require("./cron");
-const { isTruthyEnvFlag } = require("../helpers");
 
 const createOnboardingService = ({
   fs,
@@ -43,12 +42,11 @@ const createOnboardingService = ({
     writeEnvFile(varsToSave);
     reloadEnv();
 
-    const remoteUrl = `https://${githubToken}@github.com/${repoUrl}.git`;
+    const remoteUrl = `https://github.com/${repoUrl}.git`;
     const [, repoName] = repoUrl.split("/");
     const repoCheck = await ensureGithubRepoAccessible({
       repoUrl,
       repoName,
-      remoteUrl,
       githubToken,
     });
     if (!repoCheck.ok) {
@@ -103,11 +101,15 @@ const createOnboardingService = ({
 
     installControlUiSkill({ fs, openclawDir: OPENCLAW_DIR, baseUrl: getBaseUrl(req) });
 
-    const shouldForcePush = isTruthyEnvFlag(process.env.OPENCLAW_DEBUG_FORCE_PUSH);
-    const pushArgs = shouldForcePush ? "-u --force" : "-u";
     await shellCmd(
-      `cd ${OPENCLAW_DIR} && git add -A && git commit -m "initial setup" && git push ${pushArgs} origin main`,
-      { timeout: 30000 },
+      `alphaclaw git-sync -m "initial setup"`,
+      {
+        timeout: 30000,
+        env: {
+          ...process.env,
+          GITHUB_TOKEN: githubToken,
+        },
+      },
     ).catch((e) => console.error("[onboard] Git push error:", e.message));
     console.log("[onboard] Initial state committed and pushed");
 

package/lib/server/onboarding/openclaw.js

@@ -1,3 +1,5 @@
+const { buildSecretReplacements } = require("../helpers");
+
 const buildOnboardArgs = ({ varMap, selectedProvider, hasCodexOauth, workspaceDir }) => {
   const onboardArgs = [
     "--non-interactive",
@@ -149,18 +151,9 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
   }
 
   let content = JSON.stringify(cfg, null, 2);
-  const replacements = [
-    [process.env.OPENCLAW_GATEWAY_TOKEN, "${OPENCLAW_GATEWAY_TOKEN}"],
-    [varMap.ANTHROPIC_API_KEY, "${ANTHROPIC_API_KEY}"],
-    [varMap.ANTHROPIC_TOKEN, "${ANTHROPIC_TOKEN}"],
-    [varMap.TELEGRAM_BOT_TOKEN, "${TELEGRAM_BOT_TOKEN}"],
-    [varMap.DISCORD_BOT_TOKEN, "${DISCORD_BOT_TOKEN}"],
-    [varMap.OPENAI_API_KEY, "${OPENAI_API_KEY}"],
-    [varMap.GEMINI_API_KEY, "${GEMINI_API_KEY}"],
-    [varMap.BRAVE_API_KEY, "${BRAVE_API_KEY}"],
-  ];
+  const replacements = buildSecretReplacements(varMap, process.env);
   for (const [secret, envRef] of replacements) {
-    if (secret && secret.length > 8) {
+    if (secret) {
       content = content.split(secret).join(envRef);
     }
   }

package/lib/server/onboarding/workspace.js

@@ -1,5 +1,6 @@
 const path = require("path");
-const { kSetupDir } = require("../constants");
+const { kSetupDir, OPENCLAW_DIR } = require("../constants");
+const { renderTopicRegistryMarkdown } = require("../topic-registry");
 
 const resolveSetupUiUrl = (baseUrl) => {
   const normalizedBaseUrl = String(baseUrl || "").trim().replace(/\/+$/, "");
@@ -19,16 +20,38 @@ const resolveSetupUiUrl = (baseUrl) => {
   return "http://localhost:3000";
 };
 
+// Single assembly point for TOOLS.md: template + topic registry.
+// Idempotent — always rebuilds from source so deploys never clobber topic data.
+const isTelegramWorkspaceEnabled = (fs) => {
+  try {
+    const configPath = `${OPENCLAW_DIR}/openclaw.json`;
+    const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+    return Object.keys(cfg.channels?.telegram?.groups || {}).length > 0;
+  } catch {
+    return false;
+  }
+};
+
 const syncBootstrapPromptFiles = ({ fs, workspaceDir, baseUrl }) => {
   try {
+    const setupUiUrl = resolveSetupUiUrl(baseUrl);
     const bootstrapDir = `${workspaceDir}/hooks/bootstrap`;
     fs.mkdirSync(bootstrapDir, { recursive: true });
     fs.copyFileSync(path.join(kSetupDir, "core-prompts", "AGENTS.md"), `${bootstrapDir}/AGENTS.md`);
+
     const toolsTemplate = fs.readFileSync(path.join(kSetupDir, "core-prompts", "TOOLS.md"), "utf8");
-    const toolsContent = toolsTemplate.replace(
+    let toolsContent = toolsTemplate.replace(
       /\{\{SETUP_UI_URL\}\}/g,
-      resolveSetupUiUrl(baseUrl),
+      setupUiUrl,
     );
+
+    const topicSection = renderTopicRegistryMarkdown({
+      includeSyncGuidance: isTelegramWorkspaceEnabled(fs),
+    });
+    if (topicSection) {
+      toolsContent += topicSection;
+    }
+
     fs.writeFileSync(`${bootstrapDir}/TOOLS.md`, toolsContent);
     console.log("[onboard] Bootstrap prompt files synced");
   } catch (e) {

package/lib/server/routes/auth.js

@@ -2,7 +2,8 @@ const crypto = require("crypto");
 const { kLoginCleanupIntervalMs } = require("../constants");
 
 const registerAuthRoutes = ({ app, loginThrottle }) => {
-  const SETUP_PASSWORD = process.env.SETUP_PASSWORD || "";
+  const SETUP_PASSWORD = String(process.env.SETUP_PASSWORD || "").trim();
+  const kAuthMisconfigured = !SETUP_PASSWORD;
   const kSessionTtlMs = 7 * 24 * 60 * 60 * 1000;
 
   const signSessionPayload = (payload) =>
@@ -50,7 +51,13 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
   };
 
   app.post("/api/auth/login", (req, res) => {
-    if (!SETUP_PASSWORD) return res.json({ ok: true });
+    if (kAuthMisconfigured) {
+      return res.status(503).json({
+        ok: false,
+        error:
+          "Server misconfigured: SETUP_PASSWORD is missing. Set it in your deployment environment variables and restart.",
+      });
+    }
     const now = Date.now();
     const clientKey = loginThrottle.getClientKey(req);
     const state = loginThrottle.getOrCreateLoginAttemptState(clientKey, now);
@@ -92,18 +99,29 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
   }, kLoginCleanupIntervalMs).unref();
 
   const isAuthorizedRequest = (req) => {
-    if (!SETUP_PASSWORD) return true;
+    if (kAuthMisconfigured) return false;
     const requestPath = req.path || "";
     if (requestPath.startsWith("/auth/google/callback")) return true;
     if (requestPath.startsWith("/auth/codex/callback")) return true;
     const cookies = cookieParser(req);
-    const query = req.query || {};
-    const token = cookies.setup_token || query.token;
+    const token = cookies.setup_token;
     return verifySessionToken(token);
   };
 
   const requireAuth = (req, res, next) => {
-    if (!SETUP_PASSWORD) return next();
+    if (kAuthMisconfigured) {
+      if (req.path.startsWith("/api/")) {
+        return res.status(503).json({
+          error:
+            "Server misconfigured: SETUP_PASSWORD is missing. Set it in your deployment environment variables and restart.",
+        });
+      }
+      return res
+        .status(503)
+        .send(
+          "Setup auth is not configured. Set SETUP_PASSWORD in your deployment environment and restart.",
+        );
+    }
     if (req.path.startsWith("/auth/google/callback")) return next();
     if (req.path.startsWith("/auth/codex/callback")) return next();
     if (isAuthorizedRequest(req)) return next();

package/lib/server/routes/proxy.js

@@ -3,13 +3,13 @@ const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES, requireAuth }) =>
     req.url = "/";
     proxy.web(req, res);
   });
-  app.all("/openclaw/*", requireAuth, (req, res) => {
+  app.all("/openclaw/*path", requireAuth, (req, res) => {
     req.url = req.url.replace(/^\/openclaw/, "");
     proxy.web(req, res);
   });
-  app.all("/assets/*", requireAuth, (req, res) => proxy.web(req, res));
+  app.all("/assets/*path", requireAuth, (req, res) => proxy.web(req, res));
 
-  app.all("/webhook/*", (req, res) => {
+  app.all("/webhook/*path", (req, res) => {
     if (!req.headers.authorization && req.query.token) {
       req.headers.authorization = `Bearer ${req.query.token}`;
       delete req.query.token;
@@ -20,7 +20,7 @@ const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES, requireAuth }) =>
     proxy.web(req, res);
   });
 
-  app.all("/api/*", (req, res) => {
+  app.all("/api/*path", (req, res) => {
     if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return;
     proxy.web(req, res);
   });