@chrysb/alphaclaw 0.2.2 → 0.3.0

package/lib/public/js/components/welcome.js

@@ -355,6 +355,7 @@ export const Welcome = ({ onComplete }) => {
 
   const goBack = () => {
     if (isSetupStep) return;
+    setError(null);
     setStep((prev) => Math.max(0, prev - 1));
   };
   const goBackFromSetupError = () => {
@@ -364,9 +365,9 @@ export const Welcome = ({ onComplete }) => {
 
   const goNext = async () => {
     if (!activeGroup || !currentGroupValid) return;
+    setError(null);
     if (activeGroup.id === "github") {
       setGithubStepLoading(true);
-      setError(null);
       try {
         const result = await verifyGithubOnboardingRepo(
           vals.GITHUB_WORKSPACE_REPO,

package/lib/public/js/lib/api.js

@@ -64,7 +64,47 @@ export async function disconnectGoogle() {
 
 export async function restartGateway() {
   const res = await authFetch('/api/gateway/restart', { method: 'POST' });
-  return res.json();
+  return parseJsonOrThrow(res, 'Could not restart gateway');
+}
+
+export async function fetchRestartStatus() {
+  const res = await authFetch('/api/restart-status');
+  return parseJsonOrThrow(res, 'Could not load restart status');
+}
+
+export async function fetchWatchdogStatus() {
+  const res = await authFetch('/api/watchdog/status');
+  return parseJsonOrThrow(res, 'Could not load watchdog status');
+}
+
+export async function fetchWatchdogEvents(limit = 20) {
+  const res = await authFetch(`/api/watchdog/events?limit=${encodeURIComponent(String(limit))}`);
+  return parseJsonOrThrow(res, 'Could not load watchdog events');
+}
+
+export async function fetchWatchdogLogs(tail = 65536) {
+  const res = await authFetch(`/api/watchdog/logs?tail=${encodeURIComponent(String(tail))}`);
+  if (!res.ok) throw new Error('Could not load watchdog logs');
+  return res.text();
+}
+
+export async function triggerWatchdogRepair() {
+  const res = await authFetch('/api/watchdog/repair', { method: 'POST' });
+  return parseJsonOrThrow(res, 'Could not trigger watchdog repair');
+}
+
+export async function fetchWatchdogSettings() {
+  const res = await authFetch('/api/watchdog/settings');
+  return parseJsonOrThrow(res, 'Could not load watchdog settings');
+}
+
+export async function updateWatchdogSettings(settings) {
+  const res = await authFetch('/api/watchdog/settings', {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(settings || {}),
+  });
+  return parseJsonOrThrow(res, 'Could not update watchdog settings');
 }
 
 export async function fetchDashboardUrl() {
@@ -237,3 +277,64 @@ export async function saveEnvVars(vars) {
   }
   return data;
 }
+
+const parseJsonOrThrow = async (res, fallbackError) => {
+  const text = await res.text();
+  let data;
+  try {
+    data = text ? JSON.parse(text) : {};
+  } catch {
+    throw new Error(text || fallbackError);
+  }
+  if (!res.ok || data?.ok === false) {
+    throw new Error(data.error || text || `HTTP ${res.status}`);
+  }
+  return data;
+};
+
+export async function fetchWebhooks() {
+  const res = await authFetch('/api/webhooks');
+  return parseJsonOrThrow(res, 'Could not load webhooks');
+}
+
+export async function fetchWebhookDetail(name) {
+  const res = await authFetch(`/api/webhooks/${encodeURIComponent(name)}`);
+  return parseJsonOrThrow(res, 'Could not load webhook detail');
+}
+
+export async function createWebhook(name) {
+  const res = await authFetch('/api/webhooks', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name }),
+  });
+  return parseJsonOrThrow(res, 'Could not create webhook');
+}
+
+export async function deleteWebhook(name, { deleteTransformDir = false } = {}) {
+  const res = await authFetch(`/api/webhooks/${encodeURIComponent(name)}`, {
+    method: 'DELETE',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ deleteTransformDir: !!deleteTransformDir }),
+  });
+  return parseJsonOrThrow(res, 'Could not delete webhook');
+}
+
+export async function fetchWebhookRequests(name, { limit = 50, offset = 0, status = 'all' } = {}) {
+  const params = new URLSearchParams({
+    limit: String(limit),
+    offset: String(offset),
+    status: String(status || 'all'),
+  });
+  const res = await authFetch(
+    `/api/webhooks/${encodeURIComponent(name)}/requests?${params.toString()}`,
+  );
+  return parseJsonOrThrow(res, 'Could not load webhook requests');
+}
+
+export async function fetchWebhookRequest(name, id) {
+  const res = await authFetch(
+    `/api/webhooks/${encodeURIComponent(name)}/requests/${encodeURIComponent(String(id))}`,
+  );
+  return parseJsonOrThrow(res, 'Could not load webhook request');
+}

package/lib/public/js/lib/model-config.js

@@ -1,8 +1,3 @@
-import { h } from "https://esm.sh/preact";
-import htm from "https://esm.sh/htm";
-
-const html = htm.bind(h);
-
 export const getModelProvider = (modelKey) => String(modelKey || "").split("/")[0] || "";
 
 export const getAuthProviderFromModelProvider = (provider) =>

package/lib/public/login.html

@@ -8,6 +8,7 @@
       href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@300;400;500;600;700&display=swap"
       rel="stylesheet"
     />
+    <link rel="icon" type="image/svg+xml" href="./img/logo.svg" />
     <link rel="stylesheet" href="./css/theme.css" />
     <script src="https://cdn.tailwindcss.com"></script>
     <script>

package/lib/public/setup.html

@@ -5,6 +5,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>alphaclaw</title>
   <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@300;400;500;600;700&display=swap" rel="stylesheet">
+  <link rel="icon" type="image/svg+xml" href="./img/logo.svg">
   <link rel="stylesheet" href="./css/theme.css">
   <link rel="stylesheet" href="./css/shell.css">
   <script src="https://cdn.tailwindcss.com"></script>

package/lib/server/alphaclaw-version.js

@@ -88,9 +88,11 @@ const createAlphaclawVersionService = () => {
       latestVersion !== currentVersion
     );
     kUpdateStatusCache = { latestVersion, hasUpdate, fetchedAt: Date.now() };
-    console.log(
-      `[alphaclaw] alphaclaw update status: hasUpdate=${hasUpdate} current=${currentVersion} latest=${latestVersion || "unknown"}`,
-    );
+    if (hasUpdate) {
+      console.log(
+        `[alphaclaw] alphaclaw update available: current=${currentVersion} latest=${latestVersion || "unknown"}`,
+      );
+    }
     return { latestVersion, hasUpdate };
   };
 

package/lib/server/constants.js

@@ -115,6 +115,28 @@ const kLatestVersionCacheTtlMs = 10 * 60 * 1000;
 const kOpenclawRegistryUrl = "https://registry.npmjs.org/openclaw";
 const kAlphaclawRegistryUrl = "https://registry.npmjs.org/@chrysb%2falphaclaw";
 const kAppDir = kNpmPackageRoot;
+const kMaxPayloadBytes = parsePositiveIntEnv(process.env.WEBHOOK_LOG_MAX_BYTES, 50 * 1024);
+const kWebhookPruneDays = parsePositiveIntEnv(process.env.WEBHOOK_LOG_RETENTION_DAYS, 30);
+const kWatchdogCheckIntervalMs =
+  parsePositiveIntEnv(process.env.WATCHDOG_CHECK_INTERVAL, 120) * 1000;
+const kWatchdogMaxRepairAttempts = parsePositiveIntEnv(
+  process.env.WATCHDOG_MAX_REPAIR_ATTEMPTS,
+  2,
+);
+const kWatchdogCrashLoopWindowMs =
+  parsePositiveIntEnv(process.env.WATCHDOG_CRASH_LOOP_WINDOW, 300) * 1000;
+const kWatchdogCrashLoopThreshold = parsePositiveIntEnv(
+  process.env.WATCHDOG_CRASH_LOOP_THRESHOLD,
+  3,
+);
+const kWatchdogLogRetentionDays = parsePositiveIntEnv(
+  process.env.WATCHDOG_LOG_RETENTION_DAYS,
+  30,
+);
+const kLogMaxBytes = parsePositiveIntEnv(
+  process.env.LOG_MAX_BYTES,
+  2 * 1024 * 1024,
+);
 
 const kSystemVars = new Set([
   "WEBHOOK_TOKEN",
@@ -258,6 +280,7 @@ const SETUP_API_PREFIXES = [
   "/api/codex",
   "/api/models",
   "/api/gateway",
+  "/api/restart-status",
   "/api/onboard",
   "/api/env",
   "/api/auth",
@@ -265,6 +288,8 @@ const SETUP_API_PREFIXES = [
   "/api/devices",
   "/api/sync-cron",
   "/api/telegram",
+  "/api/webhooks",
+  "/api/watchdog",
 ];
 
 module.exports = {
@@ -303,6 +328,14 @@ module.exports = {
   kOpenclawRegistryUrl,
   kAlphaclawRegistryUrl,
   kAppDir,
+  kMaxPayloadBytes,
+  kWebhookPruneDays,
+  kWatchdogCheckIntervalMs,
+  kWatchdogMaxRepairAttempts,
+  kWatchdogCrashLoopWindowMs,
+  kWatchdogCrashLoopThreshold,
+  kWatchdogLogRetentionDays,
+  kLogMaxBytes,
   kSystemVars,
   kKnownVars,
   kKnownKeys,

package/lib/server/discord-api.js

@@ -0,0 +1,48 @@
+const kDiscordApiBase = "https://discord.com/api/v10";
+
+const createDiscordApi = (getToken) => {
+  const call = async (path, { method = "GET", body } = {}) => {
+    const token = typeof getToken === "function" ? getToken() : getToken;
+    if (!token) throw new Error("DISCORD_BOT_TOKEN is not set");
+    const res = await fetch(`${kDiscordApiBase}${path}`, {
+      method,
+      headers: {
+        Authorization: `Bot ${token}`,
+        "Content-Type": "application/json",
+      },
+      ...(body != null ? { body: JSON.stringify(body) } : {}),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      const err = new Error(data?.message || `Discord API error: ${method} ${path}`);
+      err.discordStatusCode = res.status;
+      throw err;
+    }
+    return data;
+  };
+
+  const createDmChannel = (userId) =>
+    call("/users/@me/channels", {
+      method: "POST",
+      body: { recipient_id: String(userId || "") },
+    });
+
+  const sendMessage = (channelId, content) =>
+    call(`/channels/${channelId}/messages`, {
+      method: "POST",
+      body: { content: String(content || "") },
+    });
+
+  const sendDirectMessage = async (userId, content) => {
+    const channel = await createDmChannel(userId);
+    return sendMessage(channel?.id, content);
+  };
+
+  return {
+    createDmChannel,
+    sendMessage,
+    sendDirectMessage,
+  };
+};
+
+module.exports = { createDiscordApi };

package/lib/server/gateway.js

@@ -4,6 +4,31 @@ const net = require("net");
 const { OPENCLAW_DIR, GATEWAY_HOST, GATEWAY_PORT, kChannelDefs, kRootDir } = require("./constants");
 
 let gatewayChild = null;
+let gatewayExitHandler = null;
+let gatewayLaunchHandler = null;
+const kGatewayStderrTailLines = 50;
+let gatewayStderrTail = [];
+const expectedExitPids = new Set();
+
+const appendStderrTail = (chunk) => {
+  const text = Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk ?? "");
+  for (const line of text.split("\n")) {
+    const trimmed = line.trimEnd();
+    if (!trimmed) continue;
+    gatewayStderrTail.push(trimmed);
+  }
+  if (gatewayStderrTail.length > kGatewayStderrTailLines) {
+    gatewayStderrTail = gatewayStderrTail.slice(-kGatewayStderrTailLines);
+  }
+};
+
+const setGatewayExitHandler = (handler) => {
+  gatewayExitHandler = typeof handler === "function" ? handler : null;
+};
+
+const setGatewayLaunchHandler = (handler) => {
+  gatewayLaunchHandler = typeof handler === "function" ? handler : null;
+};
 
 const gatewayEnv = () => ({
   ...process.env,
@@ -52,19 +77,50 @@ const runGatewayCmd = (cmd) => {
 const launchGatewayProcess = () => {
   if (gatewayChild && gatewayChild.exitCode === null && !gatewayChild.killed) {
     console.log("[alphaclaw] Managed gateway process already running — skipping launch");
-    return;
+    return gatewayChild;
   }
+  gatewayStderrTail = [];
   const child = spawn("openclaw", ["gateway", "run"], {
     env: gatewayEnv(),
     stdio: ["pipe", "pipe", "pipe"],
   });
   gatewayChild = child;
+  if (gatewayLaunchHandler) {
+    try {
+      gatewayLaunchHandler({
+        pid: child.pid,
+        startedAt: Date.now(),
+      });
+    } catch (err) {
+      console.error(`[alphaclaw] Gateway launch handler error: ${err.message}`);
+    }
+  }
   child.stdout.on("data", (d) => process.stdout.write(`[gateway] ${d}`));
-  child.stderr.on("data", (d) => process.stderr.write(`[gateway] ${d}`));
-  child.on("exit", (code) => {
-    console.log(`[alphaclaw] Gateway launcher exited with code ${code}`);
+  child.stderr.on("data", (d) => {
+    appendStderrTail(d);
+    process.stderr.write(`[gateway] ${d}`);
+  });
+  child.on("exit", (code, signal) => {
+    const expectedExit = expectedExitPids.has(child.pid);
+    expectedExitPids.delete(child.pid);
+    console.log(
+      `[alphaclaw] Gateway launcher exited with code ${code}${signal ? ` signal ${signal}` : ""}`,
+    );
+    if (gatewayExitHandler) {
+      try {
+        gatewayExitHandler({
+          code,
+          signal,
+          expectedExit,
+          stderrTail: gatewayStderrTail.slice(-kGatewayStderrTailLines),
+        });
+      } catch (err) {
+        console.error(`[alphaclaw] Gateway exit handler error: ${err.message}`);
+      }
+    }
     if (gatewayChild === child) gatewayChild = null;
   });
+  return child;
 };
 
 const startGateway = async () => {
@@ -85,6 +141,7 @@ const restartGateway = (reloadEnv) => {
   if (gatewayChild && gatewayChild.exitCode === null && !gatewayChild.killed) {
     console.log("[alphaclaw] Stopping managed gateway process...");
     try {
+      expectedExitPids.add(gatewayChild.pid);
       gatewayChild.kill("SIGTERM");
       gatewayChild = null;
     } catch (e) {
@@ -252,6 +309,9 @@ module.exports = {
   gatewayEnv,
   isOnboarded,
   isGatewayRunning,
+  launchGatewayProcess,
+  setGatewayExitHandler,
+  setGatewayLaunchHandler,
   runGatewayCmd,
   startGateway,
   restartGateway,

package/lib/server/log-writer.js

@@ -0,0 +1,102 @@
+const fs = require("fs");
+const path = require("path");
+
+let logPath = "";
+let linesSinceSizeCheck = 0;
+let lastSizeCheckAtMs = 0;
+
+const kTruncateCheckEveryLines = 25;
+const kTruncateCheckMinIntervalMs = 2000;
+
+const shouldCheckTruncate = () => {
+  linesSinceSizeCheck += 1;
+  const now = Date.now();
+  if (
+    linesSinceSizeCheck >= kTruncateCheckEveryLines ||
+    now - lastSizeCheckAtMs >= kTruncateCheckMinIntervalMs
+  ) {
+    linesSinceSizeCheck = 0;
+    lastSizeCheckAtMs = now;
+    return true;
+  }
+  return false;
+};
+
+const appendLine = (line, maxBytes) => {
+  if (!logPath) return;
+  const prefixed = /^\d{4}-\d{2}-\d{2}T/.test(line)
+    ? line
+    : `${new Date().toISOString()} ${line}`;
+  fs.appendFileSync(logPath, prefixed.endsWith("\n") ? prefixed : `${prefixed}\n`);
+  if (shouldCheckTruncate()) truncateIfNeeded(maxBytes);
+};
+
+const truncateIfNeeded = (maxBytes) => {
+  try {
+    const stat = fs.statSync(logPath);
+    if (stat.size <= maxBytes) return;
+    const keepBytes = Math.floor(maxBytes / 2);
+    const fd = fs.openSync(logPath, "r");
+    const buffer = Buffer.alloc(keepBytes);
+    const startPos = Math.max(0, stat.size - keepBytes);
+    const bytesRead = fs.readSync(fd, buffer, 0, keepBytes, startPos);
+    fs.closeSync(fd);
+    const chunk = buffer.subarray(0, bytesRead).toString("utf8");
+    const firstNewLine = chunk.indexOf("\n");
+    const safeChunk = firstNewLine === -1 ? chunk : chunk.slice(firstNewLine + 1);
+    fs.writeFileSync(logPath, safeChunk, "utf8");
+  } catch (err) {
+    console.error(`[alphaclaw] log truncate error: ${err.message}`);
+  }
+};
+
+const initLogWriter = ({ rootDir, maxBytes }) => {
+  const logsDir = path.join(rootDir, "logs");
+  fs.mkdirSync(logsDir, { recursive: true });
+  logPath = path.join(logsDir, "process.log");
+  if (!fs.existsSync(logPath)) fs.writeFileSync(logPath, "", "utf8");
+  linesSinceSizeCheck = 0;
+  lastSizeCheckAtMs = Date.now();
+
+  const stdoutWrite = process.stdout.write.bind(process.stdout);
+  const stderrWrite = process.stderr.write.bind(process.stderr);
+
+  process.stdout.write = (chunk, encoding, cb) => {
+    const text = Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk ?? "");
+    for (const line of text.split("\n")) {
+      if (!line) continue;
+      appendLine(line, maxBytes);
+    }
+    return stdoutWrite(chunk, encoding, cb);
+  };
+
+  process.stderr.write = (chunk, encoding, cb) => {
+    const text = Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk ?? "");
+    for (const line of text.split("\n")) {
+      if (!line) continue;
+      appendLine(line, maxBytes);
+    }
+    return stderrWrite(chunk, encoding, cb);
+  };
+};
+
+const getLogPath = () => logPath;
+
+const readLogTail = (tailBytes = 65536) => {
+  if (!logPath || !fs.existsSync(logPath)) return "";
+  const stat = fs.statSync(logPath);
+  const readBytes = Math.max(1024, Number.parseInt(String(tailBytes || 65536), 10) || 65536);
+  const startPos = Math.max(0, stat.size - readBytes);
+  const len = stat.size - startPos;
+  const fd = fs.openSync(logPath, "r");
+  const buffer = Buffer.alloc(len);
+  fs.readSync(fd, buffer, 0, len, startPos);
+  fs.closeSync(fd);
+  return buffer.toString("utf8");
+};
+
+module.exports = {
+  initLogWriter,
+  getLogPath,
+  readLogTail,
+};

package/lib/server/onboarding/github.js

@@ -30,6 +30,22 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
         error: `Cannot verify GitHub token: ${details}`,
       };
     }
+    const oauthScopes = (userRes.headers?.get?.("x-oauth-scopes") || "")
+      .toLowerCase()
+      .split(",")
+      .map((s) => s.trim())
+      .filter(Boolean);
+    if (
+      oauthScopes.length > 0 &&
+      !oauthScopes.includes("repo") &&
+      !oauthScopes.includes("public_repo")
+    ) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Your token needs the "repo" scope to create repositories. Current scopes: ${oauthScopes.join(", ")}`,
+      };
+    }
     const authedUser = await userRes.json().catch(() => ({}));
     const authedLogin = String(authedUser?.login || "").trim();
     if (
@@ -98,10 +114,14 @@ const ensureGithubRepoAccessible = async ({
     });
     if (!createRes.ok) {
       const details = await parseGithubErrorMessage(createRes);
+      const hint =
+        createRes.status === 404 || createRes.status === 403
+          ? ' Ensure your token is a classic PAT with the "repo" scope.'
+          : "";
       return {
         ok: false,
         status: 400,
-        error: `Failed to create repo: ${details}`,
+        error: `Failed to create repo: ${details}.${hint}`,
       };
     }
     console.log(`[onboard] Repo ${repoUrl} created`);

package/lib/server/openclaw-version.js

@@ -57,7 +57,6 @@ const createOpenclawVersionService = ({
       };
     }
     try {
-      console.log("[alphaclaw] Running: openclaw update status --json");
       const raw = execSync("openclaw update status --json", {
         env: gatewayEnv(),
         timeout: 8000,
@@ -74,13 +73,10 @@ const createOpenclawVersionService = ({
         hasUpdate,
         fetchedAt: now,
       };
-      console.log(
-        `[alphaclaw] openclaw update status: hasUpdate=${hasUpdate} latest=${latestVersion || "unknown"}`,
-      );
       return { latestVersion, hasUpdate };
     } catch (err) {
-      console.log(
-        `[alphaclaw] openclaw update status error: ${(err.message || "unknown").slice(0, 200)}`,
+      console.error(
+        `[alphaclaw] openclaw update status error: ${err.message || "unknown error"}`,
       );
       throw new Error(err.message || "Failed to read OpenClaw update status");
     }

package/lib/server/restart-required-state.js

@@ -0,0 +1,86 @@
+const createRestartRequiredState = ({ isGatewayRunning }) => {
+  const state = {
+    restartRequired: false,
+    restartInProgress: false,
+    sawGatewayDownSincePending: false,
+    updatedAt: Date.now(),
+    reason: "",
+  };
+
+  const touch = () => {
+    state.updatedAt = Date.now();
+  };
+
+  const markRequired = (reason = "config_changed") => {
+    state.restartRequired = true;
+    state.reason = reason;
+    state.sawGatewayDownSincePending = false;
+    touch();
+  };
+
+  const markRestartInProgress = () => {
+    state.restartInProgress = true;
+    touch();
+  };
+
+  const markRestartComplete = () => {
+    state.restartInProgress = false;
+    touch();
+  };
+
+  const clearRequired = () => {
+    state.restartRequired = false;
+    state.reason = "";
+    state.sawGatewayDownSincePending = false;
+    touch();
+  };
+
+  const checkAndClearIfRecovered = async () => {
+    const gatewayRunning = await isGatewayRunning();
+    if (state.restartRequired && !state.restartInProgress) {
+      if (!gatewayRunning) {
+        state.sawGatewayDownSincePending = true;
+        touch();
+      } else if (state.sawGatewayDownSincePending) {
+        clearRequired();
+      }
+    }
+    return gatewayRunning;
+  };
+
+  const getSnapshot = async () => {
+    const gatewayRunning = await checkAndClearIfRecovered();
+    return {
+      restartRequired: state.restartRequired,
+      restartInProgress: state.restartInProgress,
+      gatewayRunning,
+      updatedAt: state.updatedAt,
+    };
+  };
+
+  return {
+    markRequired,
+    markRestartInProgress,
+    markRestartComplete,
+    clearRequired,
+    getSnapshot,
+  };
+};
+
+const waitForGatewayRunning = async ({
+  isGatewayRunning,
+  timeoutMs = 25000,
+  intervalMs = 400,
+}) => {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (await isGatewayRunning()) return true;
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+  }
+  return isGatewayRunning();
+};
+
+module.exports = {
+  createRestartRequiredState,
+  waitForGatewayRunning,
+};

package/lib/server/routes/auth.js

@@ -7,7 +7,10 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
   const kSessionTtlMs = 7 * 24 * 60 * 60 * 1000;
 
   const signSessionPayload = (payload) =>
-    crypto.createHmac("sha256", SETUP_PASSWORD).update(payload).digest("base64url");
+    crypto
+      .createHmac("sha256", SETUP_PASSWORD)
+      .update(payload)
+      .digest("base64url");
 
   const createSessionToken = () => {
     const now = Date.now();
@@ -34,7 +37,9 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
     if (expectedBuffer.length !== signatureBuffer.length) return false;
     if (!crypto.timingSafeEqual(expectedBuffer, signatureBuffer)) return false;
     try {
-      const parsed = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+      const parsed = JSON.parse(
+        Buffer.from(payload, "base64url").toString("utf8"),
+      );
       return Number.isFinite(parsed?.exp) && parsed.exp > Date.now();
     } catch {
       return false;
@@ -110,7 +115,7 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
 
   const requireAuth = (req, res, next) => {
     if (kAuthMisconfigured) {
-      if (req.path.startsWith("/api/")) {
+      if (req.originalUrl.startsWith("/api/")) {
         return res.status(503).json({
           error:
             "Server misconfigured: SETUP_PASSWORD is missing. Set it in your deployment environment variables and restart.",
@@ -125,7 +130,7 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
     if (req.path.startsWith("/auth/google/callback")) return next();
     if (req.path.startsWith("/auth/codex/callback")) return next();
     if (isAuthorizedRequest(req)) return next();
-    if (req.path.startsWith("/api/")) {
+    if (req.originalUrl.startsWith("/api/")) {
       return res.status(401).json({ error: "Unauthorized" });
     }
     return res.redirect("/login.html");