@chrysb/alphaclaw 0.4.6-beta.8 → 0.5.0

package/lib/server/commands.js

@@ -14,6 +14,7 @@ const createCommands = ({ gatewayEnv }) => {
       console.log(
         `[onboard] Running: ${cmd
           .replace(/ghp_[^\s"]+/g, "***")
+          .replace(/github_pat_[^\s"]+/g, "***")
           .replace(/sk-[^\s"]+/g, "***")
           .slice(0, 200)}`,
       );

package/lib/server/constants.js

@@ -193,7 +193,6 @@ const kKnownVars = [
     key: "GITHUB_TOKEN",
     label: "GitHub Access Token",
     group: "github",
-    hint: "Create one with repo scope at github.com/settings/tokens",
   },
   {
     key: "GITHUB_WORKSPACE_REPO",

package/lib/server/gateway.js

@@ -3,6 +3,7 @@ const { spawn, execSync } = require("child_process");
 const fs = require("fs");
 const net = require("net");
 const {
+  ALPHACLAW_DIR,
   OPENCLAW_DIR,
   GATEWAY_HOST,
   GATEWAY_PORT,
@@ -48,51 +49,25 @@ const gatewayEnv = () => ({
   XDG_CONFIG_HOME: OPENCLAW_DIR,
 });
 
-const hasOnboardingModelConfig = () => {
-  const configPath = `${OPENCLAW_DIR}/openclaw.json`;
-  if (!fs.existsSync(configPath)) return false;
-  try {
-    const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
-    const primaryModel = String(
-      config?.agents?.defaults?.model?.primary || "",
-    ).trim();
-    return primaryModel.includes("/");
-  } catch {
-    return false;
-  }
-};
-
-const hasLegacyOnboardingArtifacts = () => fs.existsSync(kControlUiSkillPath);
-
 const writeOnboardingMarker = (reason) => {
-  try {
-    fs.mkdirSync(path.dirname(kOnboardingMarkerPath), { recursive: true });
-    fs.writeFileSync(
-      kOnboardingMarkerPath,
-      JSON.stringify(
-        {
-          onboarded: true,
-          reason: String(reason || "unknown"),
-          markedAt: new Date().toISOString(),
-        },
-        null,
-        2,
-      ),
-    );
-    return true;
-  } catch (err) {
-    console.error(`[alphaclaw] Failed to write onboarding marker: ${err.message}`);
-    return false;
-  }
+  fs.mkdirSync(ALPHACLAW_DIR, { recursive: true });
+  fs.writeFileSync(
+    kOnboardingMarkerPath,
+    JSON.stringify(
+      {
+        onboarded: true,
+        reason,
+        markedAt: new Date().toISOString(),
+      },
+      null,
+      2,
+    ),
+  );
 };
 
 const isOnboarded = () => {
   if (fs.existsSync(kOnboardingMarkerPath)) return true;
-  if (hasOnboardingModelConfig()) {
-    writeOnboardingMarker("config_primary_model");
-    return true;
-  }
-  if (hasLegacyOnboardingArtifacts()) {
+  if (fs.existsSync(kControlUiSkillPath)) {
     writeOnboardingMarker("legacy_artifact_backfill");
     return true;
   }

package/lib/server/onboarding/github.js

@@ -1,3 +1,12 @@
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const crypto = require("crypto");
+const {
+  kImportTempPrefix,
+  isValidImportTempDir,
+} = require("./import/import-temp");
+
 const buildGithubHeaders = (githubToken) => ({
   Authorization: `token ${githubToken}`,
   "User-Agent": "openclaw-railway",
@@ -14,9 +23,18 @@ const parseGithubErrorMessage = async (response) => {
   return response.statusText || `HTTP ${response.status}`;
 };
 
-const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
+const isClassicPat = (token) => String(token || "").startsWith("ghp_");
+const isFineGrainedPat = (token) =>
+  String(token || "").startsWith("github_pat_");
+
+const verifyGithubRepoForOnboarding = async ({
+  repoUrl,
+  githubToken,
+  mode = "new",
+}) => {
   const ghHeaders = buildGithubHeaders(githubToken);
   const [repoOwner] = String(repoUrl || "").split("/", 1);
+  const isExisting = mode === "existing";
 
   try {
     const userRes = await fetch("https://api.github.com/user", {
@@ -30,25 +48,28 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
         error: `Cannot verify GitHub token: ${details}`,
       };
     }
-    const oauthScopes = (userRes.headers?.get?.("x-oauth-scopes") || "")
-      .toLowerCase()
-      .split(",")
-      .map((s) => s.trim())
-      .filter(Boolean);
-    if (
-      oauthScopes.length > 0 &&
-      !oauthScopes.includes("repo") &&
-      !oauthScopes.includes("public_repo")
-    ) {
-      return {
-        ok: false,
-        status: 400,
-        error: `Your token needs the "repo" scope to create repositories. Current scopes: ${oauthScopes.join(", ")}`,
-      };
+    if (isClassicPat(githubToken)) {
+      const oauthScopes = (userRes.headers?.get?.("x-oauth-scopes") || "")
+        .toLowerCase()
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+      if (
+        oauthScopes.length > 0 &&
+        !oauthScopes.includes("repo") &&
+        !oauthScopes.includes("public_repo")
+      ) {
+        return {
+          ok: false,
+          status: 400,
+          error: `Your token needs the "repo" scope. Current scopes: ${oauthScopes.join(", ")}`,
+        };
+      }
     }
     const authedUser = await userRes.json().catch(() => ({}));
     const authedLogin = String(authedUser?.login || "").trim();
     if (
+      !isExisting &&
       repoOwner &&
       authedLogin &&
       repoOwner.toLowerCase() !== authedLogin.toLowerCase()
@@ -56,7 +77,7 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
       return {
         ok: false,
         status: 400,
-        error: `Workspace repo owner must match your token user "${authedLogin}"`,
+        error: `New workspace repo owner must match your token user "${authedLogin}"`,
       };
     }
 
@@ -64,6 +85,13 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
       headers: ghHeaders,
     });
     if (checkRes.status === 404) {
+      if (isExisting) {
+        return {
+          ok: false,
+          status: 400,
+          error: `Repository "${repoUrl}" not found. Check the repo name and token permissions.`,
+        };
+      }
       return { ok: true, repoExists: false, repoIsEmpty: false };
     }
     if (checkRes.ok) {
@@ -75,10 +103,13 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
         return { ok: true, repoExists: true, repoIsEmpty: true };
       }
       if (commitsRes.ok) {
+        if (isExisting) {
+          return { ok: true, repoExists: true, repoIsEmpty: false };
+        }
         return {
           ok: false,
           status: 400,
-          error: `Repository "${repoUrl}" already exists and is not empty.`,
+          error: `Repository "${repoUrl}" already exists and is not empty. Did you mean to use "Import existing setup"?`,
         };
       }
       const commitCheckDetails = await parseGithubErrorMessage(commitsRes);
@@ -90,6 +121,13 @@ const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
     }
 
     const details = await parseGithubErrorMessage(checkRes);
+    if (isFineGrainedPat(githubToken) && checkRes.status === 403) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Your fine-grained token needs Contents (read/write) and Metadata (read) permissions for "${repoUrl}".`,
+      };
+    }
     return {
       ok: false,
       status: 400,
@@ -150,4 +188,67 @@ const ensureGithubRepoAccessible = async ({
   }
 };
 
-module.exports = { ensureGithubRepoAccessible, verifyGithubRepoForOnboarding };
+const cloneRepoToTemp = async ({ repoUrl, githubToken, shellCmd }) => {
+  const tempId = crypto.randomUUID().slice(0, 8);
+  const tempDir = path.join(os.tmpdir(), `${kImportTempPrefix}${tempId}`);
+  const askPassPath = path.join(
+    os.tmpdir(),
+    `alphaclaw-import-askpass-${tempId}.sh`,
+  );
+
+  try {
+    fs.writeFileSync(
+      askPassPath,
+      [
+        "#!/bin/sh",
+        'case "$1" in',
+        '  *Username*) printf "%s\\n" "x-access-token" ;;',
+        '  *) printf "%s\\n" "$ALPHACLAW_GITHUB_TOKEN" ;;',
+        "esac",
+        "",
+      ].join("\n"),
+      { mode: 0o700 },
+    );
+    await shellCmd(
+      `git clone --depth=1 "https://github.com/${repoUrl}.git" "${tempDir}"`,
+      {
+        timeout: 60000,
+        env: {
+          ...process.env,
+          GIT_ASKPASS: askPassPath,
+          GIT_TERMINAL_PROMPT: "0",
+          ALPHACLAW_GITHUB_TOKEN: githubToken,
+        },
+      },
+    );
+    console.log(`[onboard] Cloned ${repoUrl} to ${tempDir}`);
+    return { ok: true, tempDir };
+  } catch (e) {
+    return {
+      ok: false,
+      error: `Failed to clone repo: ${e.message}`,
+    };
+  } finally {
+    try {
+      fs.rmSync(askPassPath, { force: true });
+    } catch {}
+  }
+};
+
+const cleanupTempClone = (tempDir) => {
+  try {
+    if (isValidImportTempDir(tempDir)) {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+      console.log(`[onboard] Cleaned up temp clone ${tempDir}`);
+    }
+  } catch (e) {
+    console.error(`[onboard] Temp cleanup error: ${e.message}`);
+  }
+};
+
+module.exports = {
+  ensureGithubRepoAccessible,
+  verifyGithubRepoForOnboarding,
+  cloneRepoToTemp,
+  cleanupTempClone,
+};

package/lib/server/onboarding/import/import-applier.js

@@ -0,0 +1,321 @@
+const path = require("path");
+const { isValidImportTempDir } = require("./import-temp");
+const {
+  normalizeHookPath,
+  normalizeTransformModulePath,
+} = require("./import-config");
+
+const kEnvVarNamePattern = /^[A-Z_][A-Z0-9_]*$/;
+
+const isValidTempDir = (tempDir) => isValidImportTempDir(tempDir);
+
+const kTransformsRoot = path.join("hooks", "transforms");
+const kTransformsBackupRoot = path.join(kTransformsRoot, "_backup");
+
+const kReplaceableBootstrapPaths = [
+  ".env",
+  ".alphaclaw",
+  "gogcli",
+  path.join("workspace", "hooks", "bootstrap"),
+  path.join("skills", "control-ui"),
+  path.join("skills", "gog-cli"),
+];
+
+const removeIfExists = (fs, targetPath) => {
+  try {
+    if (fs.existsSync(targetPath)) {
+      fs.rmSync(targetPath, { recursive: true, force: true });
+    }
+  } catch {}
+};
+
+const removeEmptyParents = (fs, rootDir, targetPath) => {
+  let current = path.dirname(targetPath);
+  while (current.startsWith(rootDir) && current !== rootDir) {
+    try {
+      const entries = fs.readdirSync(current);
+      if (entries.length > 0) break;
+      fs.rmSync(current, { recursive: true, force: true });
+      current = path.dirname(current);
+    } catch {
+      break;
+    }
+  }
+};
+
+const cleanupBootstrapArtifacts = (fs, openclawDir) => {
+  for (const relPath of kReplaceableBootstrapPaths) {
+    const absolutePath = path.join(openclawDir, relPath);
+    removeIfExists(fs, absolutePath);
+    removeEmptyParents(fs, openclawDir, absolutePath);
+  }
+};
+
+const promoteCloneToTarget = ({
+  fs,
+  tempDir,
+  targetDir,
+  sourceSubdir = "",
+  cleanupBootstrap = false,
+}) => {
+  if (!isValidTempDir(tempDir)) {
+    return { ok: false, error: "Invalid temp directory" };
+  }
+
+  const sourceDir = sourceSubdir ? path.join(tempDir, sourceSubdir) : tempDir;
+
+  try {
+    if (!fs.existsSync(sourceDir)) {
+      return { ok: false, error: "Import source directory not found" };
+    }
+    if (fs.existsSync(targetDir)) {
+      if (cleanupBootstrap) {
+        cleanupBootstrapArtifacts(fs, targetDir);
+      }
+      const existingEntries = fs.readdirSync(targetDir);
+      if (existingEntries.length > 0) {
+        return {
+          ok: false,
+          error: "Import target directory already exists and is not empty",
+        };
+      }
+      fs.rmSync(targetDir, { recursive: true, force: true });
+    }
+    fs.mkdirSync(path.dirname(targetDir), { recursive: true });
+    fs.renameSync(sourceDir, targetDir);
+    if (sourceDir !== tempDir) {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+    }
+    console.log(`[import] Promoted ${sourceDir} to ${targetDir}`);
+    return { ok: true };
+  } catch (e) {
+    // Cross-device rename falls back to copy
+    if (e.code === "EXDEV") {
+      try {
+        copyDirRecursive(fs, sourceDir, targetDir);
+        fs.rmSync(tempDir, { recursive: true, force: true });
+        console.log(
+          `[import] Copied ${sourceDir} to ${targetDir} (cross-device)`,
+        );
+        return { ok: true };
+      } catch (copyErr) {
+        return { ok: false, error: `Failed to copy clone: ${copyErr.message}` };
+      }
+    }
+    return { ok: false, error: `Failed to promote clone: ${e.message}` };
+  }
+};
+
+const copyDirRecursive = (fs, src, dest) => {
+  fs.mkdirSync(dest, { recursive: true });
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      copyDirRecursive(fs, srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+};
+
+const toPosixPath = (value) => String(value || "").replace(/\\/g, "/");
+const ensureRelativeImportPath = (value) => {
+  const normalized = toPosixPath(value);
+  if (normalized.startsWith(".")) return normalized;
+  return `./${normalized}`;
+};
+const pathExists = (fs, targetPath) => {
+  try {
+    return fs.existsSync(targetPath);
+  } catch {
+    return false;
+  }
+};
+
+const resolveExtractionTargetPath = (baseDir, file) => {
+  const relativeFile = String(file || "").trim();
+  if (!relativeFile || path.isAbsolute(relativeFile)) return "";
+  const resolvedBaseDir = path.resolve(baseDir);
+  const resolvedFilePath = path.resolve(resolvedBaseDir, relativeFile);
+  if (
+    resolvedFilePath !== resolvedBaseDir &&
+    !resolvedFilePath.startsWith(`${resolvedBaseDir}${path.sep}`)
+  ) {
+    return "";
+  }
+  return resolvedFilePath;
+};
+const movePath = (fs, src, dest) => {
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+  try {
+    fs.renameSync(src, dest);
+    return;
+  } catch (error) {
+    if (error?.code !== "EXDEV") throw error;
+  }
+  const stats = fs.statSync(src);
+  if (stats.isDirectory()) {
+    copyDirRecursive(fs, src, dest);
+    fs.rmSync(src, { recursive: true, force: true });
+    return;
+  }
+  fs.copyFileSync(src, dest);
+  fs.rmSync(src, { force: true });
+};
+const buildTransformShim = (targetImportPath) =>
+  [
+    `export { default } from ${JSON.stringify(targetImportPath)};`,
+    `export * from ${JSON.stringify(targetImportPath)};`,
+    "",
+  ].join("\n");
+
+const alignHookTransforms = ({ fs, baseDir, configFiles = [] }) => {
+  const movedRoots = new Map();
+  let alignedCount = 0;
+
+  for (const configFile of configFiles) {
+    const fullConfigPath = path.join(baseDir, configFile);
+    let cfg = null;
+    try {
+      cfg = JSON.parse(fs.readFileSync(fullConfigPath, "utf8"));
+    } catch {
+      continue;
+    }
+    const mappings = Array.isArray(cfg?.hooks?.mappings)
+      ? cfg.hooks.mappings
+      : [];
+    let changed = false;
+
+    mappings.forEach((mapping, index) => {
+      const hookPath = normalizeHookPath(mapping?.match?.path);
+      const actualModule = normalizeTransformModulePath(
+        mapping?.transform?.module,
+      );
+      if (!hookPath || !actualModule) return;
+
+      const expectedModule = `${hookPath}/${hookPath}-transform.mjs`;
+      if (actualModule === expectedModule) return;
+
+      const actualRelativePath = path.join(kTransformsRoot, actualModule);
+      const expectedRelativePath = path.join(kTransformsRoot, expectedModule);
+      const actualAbsolutePath = path.join(baseDir, actualRelativePath);
+      const expectedAbsolutePath = path.join(baseDir, expectedRelativePath);
+      if (!pathExists(fs, actualAbsolutePath)) return;
+
+      const actualParts = actualModule.split("/").filter(Boolean);
+      const sourceRootRelativePath =
+        actualParts.length > 1
+          ? path.join(kTransformsRoot, actualParts[0])
+          : actualRelativePath;
+      const sourceRootAbsolutePath = path.join(baseDir, sourceRootRelativePath);
+      const backupRootRelativePath = path.join(
+        kTransformsBackupRoot,
+        sourceRootRelativePath.slice(kTransformsRoot.length + 1),
+      );
+      const backupRootAbsolutePath = path.join(baseDir, backupRootRelativePath);
+
+      if (!movedRoots.has(sourceRootAbsolutePath)) {
+        if (
+          !pathExists(fs, backupRootAbsolutePath) &&
+          pathExists(fs, sourceRootAbsolutePath)
+        ) {
+          movePath(fs, sourceRootAbsolutePath, backupRootAbsolutePath);
+        }
+        movedRoots.set(sourceRootAbsolutePath, backupRootAbsolutePath);
+      }
+
+      const backupActualAbsolutePath = path.join(
+        movedRoots.get(sourceRootAbsolutePath),
+        path.relative(sourceRootAbsolutePath, actualAbsolutePath),
+      );
+
+      fs.mkdirSync(path.dirname(expectedAbsolutePath), { recursive: true });
+      const shimImportPath = ensureRelativeImportPath(
+        path.relative(
+          path.dirname(expectedAbsolutePath),
+          backupActualAbsolutePath,
+        ),
+      );
+      fs.writeFileSync(
+        expectedAbsolutePath,
+        buildTransformShim(shimImportPath),
+      );
+
+      mappings[index] = {
+        ...mapping,
+        transform: {
+          ...(mapping?.transform || {}),
+          module: expectedModule,
+        },
+      };
+      changed = true;
+      alignedCount += 1;
+    });
+
+    if (changed) {
+      fs.writeFileSync(fullConfigPath, JSON.stringify(cfg, null, 2));
+    }
+  }
+
+  return { alignedCount };
+};
+
+const applySecretExtraction = ({ fs, baseDir, approvedSecrets }) => {
+  const envVars = [];
+  const rewriteMap = new Map();
+
+  for (const secret of approvedSecrets) {
+    const envVar = String(secret.suggestedEnvVar || "").trim();
+    const value = String(secret.value || "").trim();
+    if (!envVar || !value || !kEnvVarNamePattern.test(envVar)) continue;
+
+    envVars.push({ key: envVar, value });
+
+    if (secret.file && !secret.file.startsWith(".env")) {
+      const fullPath = resolveExtractionTargetPath(baseDir, secret.file);
+      if (!fullPath) continue;
+      if (!rewriteMap.has(fullPath)) {
+        rewriteMap.set(fullPath, []);
+      }
+      rewriteMap.get(fullPath).push({
+        value,
+        envRef: `\${${envVar}}`,
+        relativeFile: secret.file,
+      });
+    }
+  }
+
+  for (const [fullPath, replacements] of rewriteMap) {
+    try {
+      let content = fs.readFileSync(fullPath, "utf8");
+      const sorted = [...replacements].sort(
+        (a, b) => b.value.length - a.value.length,
+      );
+      for (const { value, envRef } of sorted) {
+        const secretJson = JSON.stringify(value);
+        const envRefJson = JSON.stringify(envRef);
+        content = content.replace(
+          new RegExp(secretJson.replace(/[-/\\^$*+?.()|[\]{}]/g, "\\$&"), "g"),
+          envRefJson,
+        );
+      }
+      fs.writeFileSync(fullPath, content);
+      console.log(
+        `[import] Rewrote secrets in ${replacements[0]?.relativeFile || fullPath}`,
+      );
+    } catch (e) {
+      console.error(`[import] Rewrite error for ${fullPath}: ${e.message}`);
+    }
+  }
+
+  return { envVars };
+};
+
+module.exports = {
+  promoteCloneToTarget,
+  alignHookTransforms,
+  applySecretExtraction,
+  isValidTempDir,
+};

package/lib/server/onboarding/import/import-config.js

@@ -0,0 +1,69 @@
+const path = require("path");
+
+const normalizeHookPath = (value) =>
+  String(value || "")
+    .trim()
+    .replace(/^\/+/, "");
+
+const normalizeTransformModulePath = (value) =>
+  String(value || "")
+    .trim()
+    .replace(/^\/+/, "")
+    .replace(/^hooks\/transforms\/+/, "");
+
+const resolveConfigIncludes = ({ fs, absoluteConfigPath }) => {
+  const includes = [];
+  try {
+    const raw = fs.readFileSync(absoluteConfigPath, "utf8");
+    const cfg = JSON.parse(raw);
+    const walk = (entry) => {
+      if (!entry || typeof entry !== "object") return;
+      for (const [key, value] of Object.entries(entry)) {
+        if (key === "$include" && typeof value === "string" && value.trim()) {
+          includes.push(value.trim());
+          continue;
+        }
+        walk(value);
+      }
+    };
+    walk(cfg);
+  } catch {}
+  return includes;
+};
+
+const resolveImportedConfigPaths = ({ fs, openclawDir }) => {
+  const discovered = new Set();
+  const queue = [path.join(openclawDir, "openclaw.json")].filter((configPath) =>
+    fs.existsSync(configPath),
+  );
+
+  while (queue.length > 0) {
+    const absoluteConfigPath = queue.shift();
+    if (!absoluteConfigPath || discovered.has(absoluteConfigPath)) continue;
+    if (!fs.existsSync(absoluteConfigPath)) continue;
+    discovered.add(absoluteConfigPath);
+
+    const includes = resolveConfigIncludes({ fs, absoluteConfigPath });
+    for (const includePath of includes) {
+      const candidatePaths = [
+        path.join(openclawDir, includePath),
+        path.join(path.dirname(absoluteConfigPath), includePath),
+      ];
+      for (const candidatePath of candidatePaths) {
+        if (fs.existsSync(candidatePath) && !discovered.has(candidatePath)) {
+          queue.push(candidatePath);
+          break;
+        }
+      }
+    }
+  }
+
+  return [...discovered];
+};
+
+module.exports = {
+  normalizeHookPath,
+  normalizeTransformModulePath,
+  resolveConfigIncludes,
+  resolveImportedConfigPaths,
+};