@chrysb/alphaclaw 0.4.6-beta.8 → 0.4.6-beta.9

package/lib/server/onboarding/workspace.js

@@ -1,5 +1,9 @@
 const path = require("path");
-const { kSetupDir, OPENCLAW_DIR } = require("../constants");
+const {
+  kSetupDir,
+  OPENCLAW_DIR,
+  ENV_FILE_PATH,
+} = require("../constants");
 const { renderTopicRegistryMarkdown } = require("../topic-registry");
 const { readGoogleState } = require("../google-state");
 
@@ -71,11 +75,19 @@ const renderGoogleAccountsMarkdown = (fs) => {
 const syncBootstrapPromptFiles = ({ fs, workspaceDir, baseUrl }) => {
   try {
     const setupUiUrl = resolveSetupUiUrl(baseUrl);
-    const bootstrapDir = `${workspaceDir}/hooks/bootstrap`;
+    const bootstrapDir = path.join(workspaceDir, "hooks", "bootstrap");
     fs.mkdirSync(bootstrapDir, { recursive: true });
-    fs.copyFileSync(path.join(kSetupDir, "core-prompts", "AGENTS.md"), `${bootstrapDir}/AGENTS.md`);
 
-    const toolsTemplate = fs.readFileSync(path.join(kSetupDir, "core-prompts", "TOOLS.md"), "utf8");
+    // AlphaClaw-managed files are always overwritten (even during import)
+    fs.copyFileSync(
+      path.join(kSetupDir, "core-prompts", "AGENTS.md"),
+      path.join(bootstrapDir, "AGENTS.md"),
+    );
+
+    const toolsTemplate = fs.readFileSync(
+      path.join(kSetupDir, "core-prompts", "TOOLS.md"),
+      "utf8",
+    );
     let toolsContent = toolsTemplate.replace(
       /\{\{SETUP_UI_URL\}\}/g,
       setupUiUrl,
@@ -92,7 +104,7 @@ const syncBootstrapPromptFiles = ({ fs, workspaceDir, baseUrl }) => {
       toolsContent += googleAccountsSection;
     }
 
-    fs.writeFileSync(`${bootstrapDir}/TOOLS.md`, toolsContent);
+    fs.writeFileSync(path.join(bootstrapDir, "TOOLS.md"), toolsContent);
     console.log("[onboard] Bootstrap prompt files synced");
   } catch (e) {
     console.error("[onboard] Bootstrap prompt sync error:", e.message);
@@ -113,4 +125,24 @@ const installControlUiSkill = ({ fs, openclawDir, baseUrl }) => {
   }
 };
 
-module.exports = { installControlUiSkill, syncBootstrapPromptFiles };
+const ensureOpenclawRuntimeArtifacts = ({
+  fs,
+  openclawDir,
+  envFilePath = ENV_FILE_PATH,
+}) => {
+  try {
+    const openclawEnvLink = path.join(openclawDir, ".env");
+    if (!fs.existsSync(openclawEnvLink) && fs.existsSync(envFilePath)) {
+      fs.symlinkSync(envFilePath, openclawEnvLink);
+      console.log(`[alphaclaw] Symlinked ${openclawEnvLink} -> ${envFilePath}`);
+    }
+  } catch (e) {
+    console.log(`[alphaclaw] .env symlink skipped: ${e.message}`);
+  }
+};
+
+module.exports = {
+  ensureOpenclawRuntimeArtifacts,
+  installControlUiSkill,
+  syncBootstrapPromptFiles,
+};

package/lib/server/routes/onboarding.js

@@ -1,4 +1,20 @@
-const { createOnboardingService } = require("../onboarding");
+const {
+  createOnboardingService,
+  getImportedPlaceholderReview,
+} = require("../onboarding");
+const path = require("path");
+const { scanWorkspace } = require("../onboarding/import/import-scanner");
+const {
+  detectSecrets,
+  extractPreFillValues,
+} = require("../onboarding/import/secret-detector");
+const {
+  promoteCloneToTarget,
+  alignHookTransforms,
+  applySecretExtraction,
+  isValidTempDir,
+} = require("../onboarding/import/import-applier");
+const { cleanupTempClone } = require("../onboarding/github");
 
 const sanitizeOnboardingError = (error) => {
   const raw = [error?.stderr, error?.stdout, error?.message]
@@ -7,6 +23,7 @@ const sanitizeOnboardingError = (error) => {
   const redacted = String(raw || "Onboarding failed")
     .replace(/sk-[^\s"]+/g, "***")
     .replace(/ghp_[^\s"]+/g, "***")
+    .replace(/github_pat_[^\s"]+/g, "***")
     .replace(/(?:token|api[_-]?key)["'\s:=]+[^\s"']+/gi, (match) =>
       match.replace(/[^\s"':=]+$/g, "***"),
     );
@@ -65,6 +82,7 @@ const registerOnboardingRoutes = ({
   constants,
   shellCmd,
   gatewayEnv,
+  readEnvFile,
   writeEnvFile,
   reloadEnv,
   isOnboarded,
@@ -76,11 +94,17 @@ const registerOnboardingRoutes = ({
   getBaseUrl,
   startGateway,
 }) => {
+  // Keep mutating onboarding routes marker-gated so in-progress imports
+  // can promote files before the final completion marker is written.
+  const hasExplicitOnboardingMarker = () =>
+    fs.existsSync(constants.kOnboardingMarkerPath);
+
   const onboardingService = createOnboardingService({
     fs,
     constants,
     shellCmd,
     gatewayEnv,
+    readEnvFile,
     writeEnvFile,
     reloadEnv,
     resolveGithubRepoUrl,
@@ -92,20 +116,57 @@ const registerOnboardingRoutes = ({
     startGateway,
   });
 
+  const kEnvVarNamePattern = /^[A-Z_][A-Z0-9_]*$/;
+  const validateApprovedSecrets = ({ approvedSecrets = [], scannedSecrets = [] }) => {
+    if (!Array.isArray(approvedSecrets)) return { ok: true, secrets: [] };
+    const scannedByFingerprint = new Map(
+      scannedSecrets.map((secret) => [
+        [
+          String(secret?.configPath || ""),
+          String(secret?.file || ""),
+          String(secret?.value || ""),
+        ].join("\u0000"),
+        secret,
+      ]),
+    );
+    const secrets = [];
+    for (const approvedSecret of approvedSecrets) {
+      const fingerprint = [
+        String(approvedSecret?.configPath || ""),
+        String(approvedSecret?.file || ""),
+        String(approvedSecret?.value || ""),
+      ].join("\u0000");
+      const scannedSecret = scannedByFingerprint.get(fingerprint);
+      const envVarName = String(approvedSecret?.suggestedEnvVar || "").trim();
+      if (!scannedSecret || !envVarName || !kEnvVarNamePattern.test(envVarName)) {
+        return {
+          ok: false,
+          error: "Invalid approved secrets payload",
+        };
+      }
+      secrets.push({
+        ...scannedSecret,
+        suggestedEnvVar: envVarName,
+      });
+    }
+    return { ok: true, secrets };
+  };
+
   app.get("/api/onboard/status", (req, res) => {
-    res.json({ onboarded: isOnboarded() });
+    res.json({ onboarded: hasExplicitOnboardingMarker() });
   });
 
   app.post("/api/onboard", async (req, res) => {
-    if (isOnboarded())
+    if (hasExplicitOnboardingMarker())
       return res.json({ ok: false, error: "Already onboarded" });
 
     try {
-      const { vars, modelKey } = req.body;
+      const { vars, modelKey, importMode } = req.body;
       const result = await onboardingService.completeOnboarding({
         req,
         vars,
         modelKey,
+        importMode: !!importMode,
       });
       res.status(result.status).json(result.body);
     } catch (err) {
@@ -115,25 +176,25 @@ const registerOnboardingRoutes = ({
   });
 
   app.post("/api/onboard/github/verify", async (req, res) => {
-    if (isOnboarded()) {
+    if (hasExplicitOnboardingMarker()) {
       return res.json({ ok: false, error: "Already onboarded" });
     }
 
     try {
       const githubRepoInput = String(req.body?.repo || "").trim();
       const githubToken = String(req.body?.token || "").trim();
+      const mode = String(req.body?.mode || "new").trim();
       if (!githubRepoInput || !githubToken) {
-        return res
-          .status(400)
-          .json({
-            ok: false,
-            error: "GitHub token and workspace repo are required",
-          });
+        return res.status(400).json({
+          ok: false,
+          error: "GitHub token and workspace repo are required",
+        });
       }
 
       const result = await onboardingService.verifyGithubSetup({
         githubRepoInput,
         githubToken,
+        mode,
         resolveGithubRepoUrl,
       });
       if (!result.ok) {
@@ -141,7 +202,12 @@ const registerOnboardingRoutes = ({
           .status(result.status || 400)
           .json({ ok: false, error: result.error });
       }
-      return res.json({ ok: true });
+      return res.json({
+        ok: true,
+        repoExists: result.repoExists || false,
+        repoIsEmpty: result.repoIsEmpty || false,
+        tempDir: result.tempDir || null,
+      });
     } catch (err) {
       console.error("[onboard] GitHub verify error:", err);
       return res
@@ -149,6 +215,209 @@ const registerOnboardingRoutes = ({
         .json({ ok: false, error: sanitizeOnboardingError(err) });
     }
   });
+  app.post("/api/onboard/import/scan", async (req, res) => {
+    if (hasExplicitOnboardingMarker()) {
+      return res.json({ ok: false, error: "Already onboarded" });
+    }
+
+    try {
+      const tempDir = String(req.body?.tempDir || "").trim();
+      if (!tempDir || !isValidTempDir(tempDir)) {
+        return res
+          .status(400)
+          .json({ ok: false, error: "Invalid temp directory" });
+      }
+      if (!fs.existsSync(tempDir)) {
+        return res
+          .status(400)
+          .json({ ok: false, error: "Temp directory not found" });
+      }
+
+      const scan = scanWorkspace({ fs, baseDir: tempDir });
+      if (!scan.sourceLayout?.supported) {
+        cleanupTempClone(tempDir);
+        return res.status(400).json({
+          ok: false,
+          error: scan.sourceLayout?.error || "Unsupported import source layout",
+        });
+      }
+
+      const secrets = detectSecrets({
+        fs,
+        baseDir: tempDir,
+        configFiles: scan.gatewayConfig.files,
+        envFiles: scan.envFiles.files,
+      });
+      const preFill = extractPreFillValues({
+        fs,
+        baseDir: tempDir,
+        configFiles: scan.gatewayConfig.files,
+      });
+
+      return res.json({ ok: true, ...scan, secrets, preFill });
+    } catch (err) {
+      console.error("[onboard] Import scan error:", err);
+      return res
+        .status(500)
+        .json({ ok: false, error: sanitizeOnboardingError(err) });
+    }
+  });
+
+  app.post("/api/onboard/import/apply", async (req, res) => {
+    if (hasExplicitOnboardingMarker()) {
+      return res.json({ ok: false, error: "Already onboarded" });
+    }
+
+    try {
+      const tempDir = String(req.body?.tempDir || "").trim();
+      const approvedSecrets = Array.isArray(req.body?.approvedSecrets)
+        ? req.body.approvedSecrets
+        : [];
+      const skipSecretExtraction = !!req.body?.skipSecretExtraction;
+      const githubToken = String(req.body?.githubToken || "").trim();
+      const githubRepoInput = String(req.body?.githubRepo || "").trim();
+
+      if (!tempDir || !isValidTempDir(tempDir)) {
+        return res
+          .status(400)
+          .json({ ok: false, error: "Invalid temp directory" });
+      }
+      if (!fs.existsSync(tempDir)) {
+        return res
+          .status(400)
+          .json({ ok: false, error: "Temp directory not found" });
+      }
+
+      const scan = scanWorkspace({ fs, baseDir: tempDir });
+      if (!scan.sourceLayout?.supported) {
+        cleanupTempClone(tempDir);
+        return res.status(400).json({
+          ok: false,
+          error: scan.sourceLayout?.error || "Unsupported import source layout",
+        });
+      }
+
+      let envVars = [];
+      const scannedSecrets = detectSecrets({
+        fs,
+        baseDir: tempDir,
+        configFiles: scan.gatewayConfig.files,
+        envFiles: scan.envFiles.files,
+      });
+      const approvedSecretValidation = validateApprovedSecrets({
+        approvedSecrets,
+        scannedSecrets,
+      });
+      if (!approvedSecretValidation.ok) {
+        return res.status(400).json({
+          ok: false,
+          error: approvedSecretValidation.error,
+        });
+      }
+      if (!skipSecretExtraction && approvedSecrets.length > 0) {
+        const extraction = applySecretExtraction({
+          fs,
+          baseDir: tempDir,
+          approvedSecrets: approvedSecretValidation.secrets,
+        });
+        envVars = extraction.envVars;
+      }
+
+      const configFiles = ["openclaw.json"].filter((f) =>
+        fs.existsSync(path.join(tempDir, f)),
+      );
+      const transformAlignment = alignHookTransforms({
+        fs,
+        baseDir: tempDir,
+        configFiles,
+      });
+
+      const preFill = extractPreFillValues({
+        fs,
+        baseDir: tempDir,
+        configFiles,
+      });
+
+      const promoteTargetDir =
+        scan.sourceLayout.kind === "workspace-only"
+          ? constants.WORKSPACE_DIR
+          : constants.OPENCLAW_DIR;
+      const promoteResult = promoteCloneToTarget({
+        fs,
+        tempDir,
+        targetDir: promoteTargetDir,
+        sourceSubdir: scan.sourceLayout.promoteSourceSubdir || "",
+        cleanupBootstrap: scan.sourceLayout.kind === "full-openclaw-root",
+      });
+      if (!promoteResult.ok) {
+        return res.status(500).json({ ok: false, error: promoteResult.error });
+      }
+
+      const existing = typeof readEnvFile === "function" ? readEnvFile() : [];
+      const merged = [...existing];
+      if (githubToken) {
+        const tokenIdx = merged.findIndex((v) => v.key === "GITHUB_TOKEN");
+        if (tokenIdx >= 0) {
+          merged[tokenIdx] = { key: "GITHUB_TOKEN", value: githubToken };
+        } else {
+          merged.push({ key: "GITHUB_TOKEN", value: githubToken });
+        }
+      }
+      if (githubRepoInput) {
+        const normalizedRepo = resolveGithubRepoUrl(githubRepoInput);
+        const repoIdx = merged.findIndex(
+          (v) => v.key === "GITHUB_WORKSPACE_REPO",
+        );
+        if (repoIdx >= 0) {
+          merged[repoIdx] = {
+            key: "GITHUB_WORKSPACE_REPO",
+            value: normalizedRepo,
+          };
+        } else {
+          merged.push({
+            key: "GITHUB_WORKSPACE_REPO",
+            value: normalizedRepo,
+          });
+        }
+      }
+      for (const newVar of envVars) {
+        const idx = merged.findIndex((v) => v.key === newVar.key);
+        if (idx >= 0) {
+          merged[idx] = newVar;
+        } else {
+          merged.push(newVar);
+        }
+      }
+      if (githubToken || githubRepoInput || envVars.length > 0) {
+        writeEnvFile(merged);
+        reloadEnv();
+      }
+      const systemVars =
+        constants.kSystemVars instanceof Set ? constants.kSystemVars : new Set();
+      const placeholderReview = getImportedPlaceholderReview({
+        fs,
+        openclawDir: constants.OPENCLAW_DIR,
+        envVars: merged,
+        systemVars,
+        normalizeConfig: true,
+      });
+
+      return res.json({
+        ok: true,
+        preFill,
+        placeholderReview,
+        sourceLayout: scan.sourceLayout,
+        envVarsImported: envVars.length,
+        transformsAligned: transformAlignment.alignedCount,
+      });
+    } catch (err) {
+      console.error("[onboard] Import apply error:", err);
+      cleanupTempClone(req.body?.tempDir);
+      return res
+        .status(500)
+        .json({ ok: false, error: sanitizeOnboardingError(err) });
+    }
+  });
 };
 
 module.exports = { registerOnboardingRoutes };

package/lib/server.js

@@ -88,9 +88,13 @@ const {
   createRestartRequiredState,
 } = require("./server/restart-required-state");
 const {
+  ensureOpenclawRuntimeArtifacts,
   installControlUiSkill,
   syncBootstrapPromptFiles,
 } = require("./server/onboarding/workspace");
+const {
+  cleanupStaleImportTempDirs,
+} = require("./server/onboarding/import/import-temp");
 const {
   migrateManagedInternalFiles,
 } = require("./server/internal-files-migration");
@@ -122,6 +126,7 @@ const { PORT, GATEWAY_URL, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
 startEnvWatcher();
 attachGatewaySignalHandlers();
+cleanupStaleImportTempDirs();
 migrateManagedInternalFiles({
   fs,
   openclawDir: constants.OPENCLAW_DIR,
@@ -214,6 +219,7 @@ registerOnboardingRoutes({
   constants,
   shellCmd,
   gatewayEnv,
+  readEnvFile,
   writeEnvFile,
   reloadEnv,
   isOnboarded,
@@ -317,6 +323,10 @@ setGatewayExitHandler((payload) => watchdog.onGatewayExit(payload));
 setGatewayLaunchHandler((payload) => watchdog.onGatewayLaunch(payload));
 const doSyncPromptFiles = () => {
   const setupUiUrl = resolveSetupUrl();
+  ensureOpenclawRuntimeArtifacts({
+    fs,
+    openclawDir: constants.OPENCLAW_DIR,
+  });
   syncBootstrapPromptFiles({
     fs,
     workspaceDir: constants.WORKSPACE_DIR,
@@ -329,7 +339,6 @@ const doSyncPromptFiles = () => {
   });
   installGogCliSkill({ fs, openclawDir: constants.OPENCLAW_DIR });
 };
-doSyncPromptFiles();
 registerTelegramRoutes({
   app,
   telegramApi,
@@ -403,8 +412,8 @@ server.on("upgrade", (req, socket, head) => {
 
 server.listen(PORT, "0.0.0.0", () => {
   console.log(`[alphaclaw] Express listening on :${PORT}`);
-  doSyncPromptFiles();
   if (isOnboarded()) {
+    doSyncPromptFiles();
     reloadEnv();
     syncChannelConfig(readEnvFile());
     ensureGatewayProxyConfig(null);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.4.6-beta.8",
+  "version": "0.4.6-beta.9",
   "publishConfig": {
     "access": "public"
   },