@chrysb/alphaclaw 0.5.1 → 0.5.3

package/lib/server/onboarding/index.js

@@ -12,6 +12,7 @@ const {
 } = require("./github");
 const {
   buildOnboardArgs,
+  writeManagedImportOpenclawConfig,
   writeSanitizedOpenclawConfig,
 } = require("./openclaw");
 const {
@@ -28,6 +29,7 @@ const { installGogCliSkill } = require("../gog-skill");
 
 const kPlaceholderEnvValue = "placeholder";
 const kEnvRefPattern = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+const kImportedPairingKeys = ["allowFrom", "groupAllowFrom"];
 
 const upsertEnvVar = (items, key, value) => {
   const normalizedKey = String(key || "").trim();
@@ -42,6 +44,65 @@ const upsertEnvVar = (items, key, value) => {
   return items;
 };
 
+const clearImportedChannelPairingState = (channelsRoot) => {
+  if (!channelsRoot || typeof channelsRoot !== "object") return false;
+  let changed = false;
+  for (const [channelKey, channelConfig] of Object.entries(channelsRoot)) {
+    if (!channelConfig || typeof channelConfig !== "object") continue;
+    if (
+      channelKey === "telegram" &&
+      Object.prototype.hasOwnProperty.call(channelConfig, "accounts")
+    ) {
+      delete channelConfig.accounts;
+      changed = true;
+    }
+    for (const pairingKey of kImportedPairingKeys) {
+      if (
+        Object.prototype.hasOwnProperty.call(channelConfig, pairingKey) &&
+        (!Array.isArray(channelConfig[pairingKey]) ||
+          channelConfig[pairingKey].length > 0)
+      ) {
+        channelConfig[pairingKey] = [];
+        changed = true;
+      }
+    }
+    if (
+      channelConfig.dmPolicy === "allowlist" &&
+      (!Array.isArray(channelConfig.allowFrom) ||
+        channelConfig.allowFrom.length === 0)
+    ) {
+      channelConfig.dmPolicy = "pairing";
+      changed = true;
+    }
+  }
+  return changed;
+};
+
+const clearImportedCredentialPairings = ({ fs, openclawDir }) => {
+  const credentialsDir = path.join(openclawDir, "credentials");
+  if (!fs.existsSync(credentialsDir)) return;
+  let entries = [];
+  try {
+    entries = fs.readdirSync(credentialsDir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const fileName = typeof entry === "string" ? entry : entry?.name;
+    if (!fileName || !fileName.endsWith("-allowFrom.json")) continue;
+    const filePath = path.join(credentialsDir, fileName);
+    try {
+      const parsed = JSON.parse(fs.readFileSync(filePath, "utf8"));
+      if (!parsed || typeof parsed !== "object") continue;
+      if (Array.isArray(parsed.allowFrom) && parsed.allowFrom.length === 0) {
+        continue;
+      }
+      parsed.allowFrom = [];
+      fs.writeFileSync(filePath, JSON.stringify(parsed, null, 2));
+    } catch {}
+  }
+};
+
 const collectEnvRefs = (value, found = new Set()) => {
   if (typeof value === "string") {
     for (const match of value.matchAll(kEnvRefPattern)) {
@@ -62,6 +123,46 @@ const collectEnvRefs = (value, found = new Set()) => {
 const getEnvVarValue = (items, key) =>
   items.find((entry) => entry.key === key)?.value || "";
 
+const syncApiKeyAuthProfilesFromEnvVars = (authProfiles, envVars = []) => {
+  if (!authProfiles?.getEnvVarForApiKeyProvider) return;
+  const providers = [
+    "anthropic",
+    "openai",
+    "google",
+    "opencode",
+    "openrouter",
+    "zai",
+    "vercel-ai-gateway",
+    "kilocode",
+    "xai",
+    "mistral",
+    "cerebras",
+    "moonshot",
+    "kimi-coding",
+    "volcengine",
+    "byteplus",
+    "synthetic",
+    "minimax",
+    "voyage",
+    "groq",
+    "deepgram",
+    "vllm",
+  ];
+  const envMap = new Map(
+    (envVars || []).map((entry) => [
+      String(entry?.key || "").trim(),
+      String(entry?.value || ""),
+    ]),
+  );
+  for (const provider of providers) {
+    const envKey = authProfiles.getEnvVarForApiKeyProvider(provider);
+    if (!envKey) continue;
+    const value = String(envMap.get(envKey) || "").trim();
+    if (!value || value === kPlaceholderEnvValue) continue;
+    authProfiles.upsertApiKeyProfileForEnvVar?.(provider, value);
+  }
+};
+
 const buildPlaceholderReview = ({
   referencedEnvVars,
   envVars = [],
@@ -115,6 +216,15 @@ const normalizeImportedConfig = ({ fs, openclawDir }) => {
       };
       changed = true;
     }
+    const currentWebhookToken = String(cfg?.hooks?.token || "").trim();
+    const expectedWebhookTokenRef = "${WEBHOOK_TOKEN}";
+    if (cfg.hooks && currentWebhookToken !== expectedWebhookTokenRef) {
+      cfg.hooks = {
+        ...(cfg.hooks || {}),
+        token: expectedWebhookTokenRef,
+      };
+      changed = true;
+    }
     if (
       cfg.hooks &&
       Object.prototype.hasOwnProperty.call(cfg.hooks, "transformsDir")
@@ -124,10 +234,19 @@ const normalizeImportedConfig = ({ fs, openclawDir }) => {
       cfg.hooks = nextHooks;
       changed = true;
     }
+    const configFileName = path.basename(configPath).toLowerCase();
+    const channelsRoot =
+      cfg.channels && typeof cfg.channels === "object"
+        ? cfg.channels
+        : configFileName.includes("channel")
+          ? cfg
+          : null;
+    changed = clearImportedChannelPairingState(channelsRoot) || changed;
     if (changed) {
       fs.writeFileSync(configPath, JSON.stringify(cfg, null, 2));
     }
   }
+  clearImportedCredentialPairings({ fs, openclawDir });
 };
 
 const getImportedConfigEnvRefs = ({ fs, openclawDir }) => {
@@ -269,6 +388,7 @@ const createOnboardingService = ({
     }
     writeEnvFile(varsToSave);
     reloadEnv();
+    syncApiKeyAuthProfilesFromEnvVars(authProfiles, varsToSave);
 
     const [, repoName] = repoUrl.split("/");
     const repoCheck = await ensureGithubRepoAccessible({
@@ -368,6 +488,12 @@ const createOnboardingService = ({
 
     if (!existingConfigPresent) {
       writeSanitizedOpenclawConfig({ fs, openclawDir: OPENCLAW_DIR, varMap });
+    } else if (importMode) {
+      writeManagedImportOpenclawConfig({
+        fs,
+        openclawDir: OPENCLAW_DIR,
+        varMap,
+      });
     }
     authProfiles?.syncConfigAuthReferencesForAgent?.();
     ensureGatewayProxyConfig(getBaseUrl(req));

package/lib/server/onboarding/openclaw.js

@@ -9,6 +9,10 @@ const kUsageTrackerPluginPath = path.resolve(
   "usage-tracker",
 );
 const kDefaultToolsProfile = "full";
+const kBootstrapExtraFiles = [
+  "hooks/bootstrap/AGENTS.md",
+  "hooks/bootstrap/TOOLS.md",
+];
 
 const buildOnboardArgs = ({
   varMap,
@@ -126,11 +130,16 @@ const buildOnboardArgs = ({
   return onboardArgs;
 };
 
-const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
-  const configPath = `${openclawDir}/openclaw.json`;
-  const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+const ensurePluginAllowed = (cfg, pluginKey) => {
+  if (!cfg.plugins.allow.includes(pluginKey)) {
+    cfg.plugins.allow.push(pluginKey);
+  }
+};
+
+const ensureManagedConfigShell = (cfg) => {
   if (!cfg.channels) cfg.channels = {};
   if (!cfg.plugins) cfg.plugins = {};
+  if (!Array.isArray(cfg.plugins.allow)) cfg.plugins.allow = [];
   if (!cfg.plugins.load) cfg.plugins.load = {};
   if (!Array.isArray(cfg.plugins.load.paths)) cfg.plugins.load.paths = [];
   if (!cfg.plugins.entries) cfg.plugins.entries = {};
@@ -145,9 +154,22 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
   cfg.hooks.internal.entries["bootstrap-extra-files"] = {
     ...(cfg.hooks.internal.entries["bootstrap-extra-files"] || {}),
     enabled: true,
-    paths: ["hooks/bootstrap/AGENTS.md", "hooks/bootstrap/TOOLS.md"],
+    paths: kBootstrapExtraFiles,
   };
+};
+
+const getSafeImportedDmPolicy = (channelConfig = {}) => {
+  if (
+    channelConfig?.dmPolicy === "allowlist" &&
+    (!Array.isArray(channelConfig?.allowFrom) ||
+      channelConfig.allowFrom.length === 0)
+  ) {
+    return "pairing";
+  }
+  return channelConfig?.dmPolicy || "pairing";
+};
 
+const applyFreshOnboardingChannels = ({ cfg, varMap }) => {
   if (varMap.TELEGRAM_BOT_TOKEN) {
     cfg.channels.telegram = {
       enabled: true,
@@ -156,6 +178,7 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
       groupPolicy: "allowlist",
     };
     cfg.plugins.entries.telegram = { enabled: true };
+    ensurePluginAllowed(cfg, "telegram");
     console.log("[onboard] Telegram configured");
   }
   if (varMap.DISCORD_BOT_TOKEN) {
@@ -166,12 +189,21 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
       groupPolicy: "allowlist",
     };
     cfg.plugins.entries.discord = { enabled: true };
+    ensurePluginAllowed(cfg, "discord");
     console.log("[onboard] Discord configured");
   }
   if (!cfg.plugins.load.paths.includes(kUsageTrackerPluginPath)) {
     cfg.plugins.load.paths.push(kUsageTrackerPluginPath);
   }
+  ensurePluginAllowed(cfg, "usage-tracker");
   cfg.plugins.entries["usage-tracker"] = { enabled: true };
+};
+
+const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
+  const configPath = `${openclawDir}/openclaw.json`;
+  const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+  ensureManagedConfigShell(cfg);
+  applyFreshOnboardingChannels({ cfg, varMap });
 
   let content = JSON.stringify(cfg, null, 2);
   const replacements = buildSecretReplacements(varMap, process.env);
@@ -192,4 +224,55 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
   console.log("[onboard] Config sanitized");
 };
 
-module.exports = { buildOnboardArgs, writeSanitizedOpenclawConfig };
+const writeManagedImportOpenclawConfig = ({ fs, openclawDir, varMap }) => {
+  const configPath = `${openclawDir}/openclaw.json`;
+  const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+  ensureManagedConfigShell(cfg);
+
+  if (!cfg.plugins.load.paths.includes(kUsageTrackerPluginPath)) {
+    cfg.plugins.load.paths.push(kUsageTrackerPluginPath);
+  }
+  ensurePluginAllowed(cfg, "usage-tracker");
+  cfg.plugins.entries["usage-tracker"] = {
+    ...(cfg.plugins.entries["usage-tracker"] || {}),
+    enabled: true,
+  };
+
+  if (varMap.TELEGRAM_BOT_TOKEN) {
+    cfg.channels.telegram = {
+      ...(cfg.channels.telegram || {}),
+      enabled: true,
+      botToken: "${TELEGRAM_BOT_TOKEN}",
+      dmPolicy: getSafeImportedDmPolicy(cfg.channels.telegram),
+      groupPolicy: cfg.channels.telegram?.groupPolicy || "allowlist",
+    };
+    cfg.plugins.entries.telegram = {
+      ...(cfg.plugins.entries.telegram || {}),
+      enabled: true,
+    };
+    ensurePluginAllowed(cfg, "telegram");
+  }
+
+  if (varMap.DISCORD_BOT_TOKEN) {
+    cfg.channels.discord = {
+      ...(cfg.channels.discord || {}),
+      enabled: true,
+      token: "${DISCORD_BOT_TOKEN}",
+      dmPolicy: getSafeImportedDmPolicy(cfg.channels.discord),
+      groupPolicy: cfg.channels.discord?.groupPolicy || "allowlist",
+    };
+    cfg.plugins.entries.discord = {
+      ...(cfg.plugins.entries.discord || {}),
+      enabled: true,
+    };
+    ensurePluginAllowed(cfg, "discord");
+  }
+
+  fs.writeFileSync(configPath, JSON.stringify(cfg, null, 2));
+};
+
+module.exports = {
+  buildOnboardArgs,
+  writeManagedImportOpenclawConfig,
+  writeSanitizedOpenclawConfig,
+};

package/lib/server/routes/onboarding.js

@@ -12,6 +12,7 @@ const {
   promoteCloneToTarget,
   alignHookTransforms,
   applySecretExtraction,
+  canonicalizeConfigEnvRefs,
   isValidTempDir,
 } = require("../onboarding/import/import-applier");
 const { cleanupTempClone } = require("../onboarding/github");
@@ -322,10 +323,17 @@ const registerOnboardingRoutes = ({
         });
         envVars = extraction.envVars;
       }
+      const canonicalization = canonicalizeConfigEnvRefs({
+        fs,
+        baseDir: tempDir,
+        configFiles: scan.gatewayConfig.files,
+        envVars,
+      });
+      envVars = canonicalization.envVars;
 
-      const configFiles = ["openclaw.json"].filter((f) =>
-        fs.existsSync(path.join(tempDir, f)),
-      );
+      const configFiles = Array.isArray(scan.gatewayConfig?.files)
+        ? scan.gatewayConfig.files
+        : ["openclaw.json"].filter((f) => fs.existsSync(path.join(tempDir, f)));
       const transformAlignment = alignHookTransforms({
         fs,
         baseDir: tempDir,
@@ -408,6 +416,7 @@ const registerOnboardingRoutes = ({
         placeholderReview,
         sourceLayout: scan.sourceLayout,
         envVarsImported: envVars.length,
+        canonicalizedEnvRefs: canonicalization.rewrittenRefs,
         transformsAligned: transformAlignment.alignedCount,
       });
     } catch (err) {

package/lib/server/routes/proxy.js

@@ -1,6 +1,7 @@
 const registerProxyRoutes = ({
   app,
   proxy,
+  getGatewayUrl,
   SETUP_API_PREFIXES,
   requireAuth,
   webhookMiddleware,
@@ -13,20 +14,22 @@ const registerProxyRoutes = ({
 
   app.all("/openclaw", requireAuth, (req, res) => {
     req.url = "/";
-    proxy.web(req, res);
+    proxy.web(req, res, { target: getGatewayUrl() });
   });
   app.all(kOpenClawPathPattern, requireAuth, (req, res) => {
     req.url = req.url.replace(/^\/openclaw/, "");
-    proxy.web(req, res);
+    proxy.web(req, res, { target: getGatewayUrl() });
   });
-  app.all(kAssetsPathPattern, requireAuth, (req, res) => proxy.web(req, res));
+  app.all(kAssetsPathPattern, requireAuth, (req, res) =>
+    proxy.web(req, res, { target: getGatewayUrl() }),
+  );
 
   app.all(kHooksPathPattern, webhookMiddleware);
   app.all(kWebhookPathPattern, webhookMiddleware);
 
   app.all(kApiPathPattern, (req, res) => {
     if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return;
-    proxy.web(req, res);
+    proxy.web(req, res, { target: getGatewayUrl() });
   });
 };
 

package/lib/server/routes/system.js

@@ -111,10 +111,24 @@ const registerSystemRoutes = ({
       "anthropic",
       "openai",
       "google",
+      "opencode",
+      "openrouter",
+      "zai",
+      "vercel-ai-gateway",
+      "kilocode",
+      "xai",
       "mistral",
+      "cerebras",
+      "moonshot",
+      "kimi-coding",
+      "volcengine",
+      "byteplus",
+      "synthetic",
+      "minimax",
       "voyage",
       "groq",
       "deepgram",
+      "vllm",
     ];
     for (const provider of providers) {
       const envKey = authProfiles.getEnvVarForApiKeyProvider?.(provider);

package/lib/server/webhook-middleware.js

@@ -122,11 +122,10 @@ const buildGmailDedupedBodyBuffer = ({ parsedBody, filteredMessages }) => {
 
 const createWebhookMiddleware = ({
   gatewayUrl,
+  getGatewayUrl,
   insertRequest,
   maxPayloadBytes = 50 * 1024,
 }) => {
-  const gateway = new URL(gatewayUrl);
-  const protocolClient = gateway.protocol === "https:" ? https : http;
   const gmailSeenMessageIds = new Map();
   let lastGmailDedupeCleanupAt = 0;
 
@@ -141,6 +140,10 @@ const createWebhookMiddleware = ({
   };
 
   return (req, res) => {
+    const resolvedGatewayUrl =
+      typeof getGatewayUrl === "function" ? getGatewayUrl() : gatewayUrl;
+    const gateway = new URL(resolvedGatewayUrl);
+    const protocolClient = gateway.protocol === "https:" ? https : http;
     const inboundUrl = new URL(req.url, `http://${req.headers.host || "localhost"}`);
     let tokenFromQuery = "";
     if (!req.headers.authorization && inboundUrl.searchParams.has("token")) {

package/lib/server.js

@@ -67,6 +67,7 @@ const {
 } = require("./server/env");
 const {
   gatewayEnv,
+  getGatewayUrl,
   isOnboarded,
   isGatewayRunning,
   startGateway,
@@ -122,7 +123,7 @@ const { registerUsageRoutes } = require("./server/routes/usage");
 const { registerGmailRoutes } = require("./server/routes/gmail");
 const { registerDoctorRoutes } = require("./server/routes/doctor");
 
-const { PORT, GATEWAY_URL, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
+const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
 startEnvWatcher();
 attachGatewaySignalHandlers();
@@ -139,7 +140,7 @@ app.use("/gmail-pubsub", express.raw({ type: "*/*", limit: "5mb" }));
 app.use(express.json({ limit: "5mb" }));
 
 const proxy = httpProxy.createProxyServer({
-  target: GATEWAY_URL,
+  target: getGatewayUrl(),
   ws: true,
   changeOrigin: true,
 });
@@ -196,7 +197,7 @@ initDoctorDb({
   rootDir: constants.kRootDir,
 });
 const webhookMiddleware = createWebhookMiddleware({
-  gatewayUrl: constants.GATEWAY_URL,
+  getGatewayUrl,
   insertRequest,
   maxPayloadBytes: constants.kMaxPayloadBytes,
 });
@@ -382,6 +383,7 @@ registerDoctorRoutes({
 registerProxyRoutes({
   app,
   proxy,
+  getGatewayUrl,
   SETUP_API_PREFIXES,
   requireAuth,
   webhookMiddleware,
@@ -407,7 +409,7 @@ server.on("upgrade", (req, socket, head) => {
       return;
     }
   }
-  proxy.ws(req, socket, head);
+  proxy.ws(req, socket, head, { target: getGatewayUrl() });
 });
 
 server.listen(PORT, "0.0.0.0", () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "publishConfig": {
     "access": "public"
   },
@@ -31,7 +31,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.3.2"
+    "openclaw": "2026.3.7"
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^4.0.18",