@chrysb/alphaclaw 0.8.3 → 0.8.4

package/lib/server/routes/nodes.js

@@ -1,7 +1,10 @@
-const path = require("path");
 const crypto = require("crypto");
 const { parseJsonObjectFromNoisyOutput } = require("../utils/json");
 const { quoteShellArg } = require("../utils/shell");
+const {
+  readExecApprovalsConfig,
+  writeExecApprovalsConfig,
+} = require("../exec-defaults-config");
 
 const kAllowedExecHosts = new Set(["gateway", "node"]);
 const kAllowedExecSecurity = new Set(["deny", "allowlist", "full"]);
@@ -81,23 +84,6 @@ const parseNodeBrowserStatus = (stdout) => {
   return decodedResult && typeof decodedResult === "object" ? decodedResult : null;
 };
 
-const readExecApprovalsFile = ({ fsModule, openclawDir }) => {
-  const filePath = path.join(openclawDir, "exec-approvals.json");
-  try {
-    const raw = fsModule.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === "object" ? parsed : { version: 1 };
-  } catch {
-    return { version: 1 };
-  }
-};
-
-const writeExecApprovalsFile = ({ fsModule, openclawDir, file }) => {
-  const filePath = path.join(openclawDir, "exec-approvals.json");
-  fsModule.mkdirSync(path.dirname(filePath), { recursive: true });
-  fsModule.writeFileSync(filePath, JSON.stringify(file, null, 2) + "\n", "utf8");
-};
-
 const ensureWildcardAgent = (file) => {
   const agents = file.agents && typeof file.agents === "object" ? file.agents : {};
   const wildcard =
@@ -372,7 +358,7 @@ const registerNodeRoutes = ({
 
   app.get("/api/nodes/exec-approvals", (_req, res) => {
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals?.agents?.["*"]?.allowlist || [];
     return res.json({
@@ -388,7 +374,7 @@ const registerNodeRoutes = ({
       return res.status(400).json({ ok: false, error: "pattern is required" });
     }
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals.agents["*"].allowlist;
     const existing = allowlist.find(
@@ -403,7 +389,7 @@ const registerNodeRoutes = ({
       lastUsedAt: Date.now(),
     };
     approvals.agents["*"].allowlist = [...allowlist, entry];
-    writeExecApprovalsFile({ fsModule, openclawDir, file: approvals });
+    writeExecApprovalsConfig({ fsModule, openclawDir, file: approvals });
     return res.json({ ok: true, entry });
   });
 
@@ -413,7 +399,7 @@ const registerNodeRoutes = ({
       return res.status(400).json({ ok: false, error: "id is required" });
     }
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals.agents["*"].allowlist;
     const nextAllowlist = allowlist.filter((entry) => String(entry?.id || "") !== id);
@@ -421,7 +407,7 @@ const registerNodeRoutes = ({
       return res.status(404).json({ ok: false, error: "Allowlist entry not found" });
     }
     approvals.agents["*"].allowlist = nextAllowlist;
-    writeExecApprovalsFile({ fsModule, openclawDir, file: approvals });
+    writeExecApprovalsConfig({ fsModule, openclawDir, file: approvals });
     return res.json({ ok: true });
   });
 };

package/lib/server/startup.js

@@ -1,4 +1,5 @@
 const runOnboardedBootSequence = ({
+  ensureManagedExecDefaults,
   ensureUsageTrackerPluginConfig,
   doSyncPromptFiles,
   reloadEnv,
@@ -10,6 +11,13 @@ const runOnboardedBootSequence = ({
   watchdog,
   gmailWatchService,
 }) => {
+  try {
+    ensureManagedExecDefaults();
+  } catch (error) {
+    console.error(
+      `[alphaclaw] Failed to ensure managed exec defaults on boot: ${error.message}`,
+    );
+  }
   try {
     ensureUsageTrackerPluginConfig();
   } catch (error) {

package/lib/server/watchdog-notify.js

@@ -1,35 +1,95 @@
 const fs = require("fs");
 const path = require("path");
 const { OPENCLAW_DIR } = require("./constants");
+const { createSlackApi } = require("./slack-api");
 
-const getPairedIds = (channel) => {
+const kSlackBotEnvKey = "SLACK_BOT_TOKEN";
+
+const normalizeAccountId = (value) =>
+  String(value || "").trim().toLowerCase() || "default";
+
+const resolveCredentialPairingAccountId = ({ channel, fileName }) => {
+  const prefix = `${String(channel || "").trim().toLowerCase()}-`;
+  const suffix = "-allowFrom.json";
+  const rawFileName = String(fileName || "").trim();
+  if (!rawFileName.startsWith(prefix) || !rawFileName.endsWith(suffix)) {
+    return "";
+  }
+  return normalizeAccountId(rawFileName.slice(prefix.length, -suffix.length));
+};
+
+const deriveSlackBotEnvKey = (accountId = "default") => {
+  const normalizedAccountId = normalizeAccountId(accountId);
+  if (normalizedAccountId === "default") return kSlackBotEnvKey;
+  return `${kSlackBotEnvKey}_${normalizedAccountId.replace(/-/g, "_").toUpperCase()}`;
+};
+
+const getPairedTargetsByAccount = ({
+  channel,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
   const safeChannel = String(channel || "").trim().toLowerCase();
-  if (!safeChannel) return [];
-  const credentialsDir = path.join(OPENCLAW_DIR, "credentials");
-  if (!fs.existsSync(credentialsDir)) return [];
-  const ids = new Set();
+  if (!safeChannel) return new Map();
+  const credentialsDir = path.join(openclawDir, "credentials");
+  if (!fsImpl.existsSync(credentialsDir)) return new Map();
+  const idsByAccount = new Map();
   try {
-    const files = fs
+    const files = fsImpl
       .readdirSync(credentialsDir)
       .filter(
         (fileName) =>
           fileName.startsWith(`${safeChannel}-`) && fileName.endsWith("-allowFrom.json"),
       );
     for (const fileName of files) {
+      const accountId = resolveCredentialPairingAccountId({
+        channel: safeChannel,
+        fileName,
+      });
+      if (!accountId) continue;
       const filePath = path.join(credentialsDir, fileName);
-      const raw = fs.readFileSync(filePath, "utf8");
+      const raw = fsImpl.readFileSync(filePath, "utf8");
       const parsed = JSON.parse(raw);
       const allowFrom = Array.isArray(parsed?.allowFrom) ? parsed.allowFrom : [];
+      const ids =
+        idsByAccount.get(accountId) instanceof Set
+          ? idsByAccount.get(accountId)
+          : new Set();
       for (const id of allowFrom) {
         if (id == null) continue;
         const value = String(id).trim();
         if (!value) continue;
         ids.add(value);
       }
+      idsByAccount.set(accountId, ids);
     }
   } catch (err) {
     console.error(`[watchdog] could not resolve ${safeChannel} allowFrom IDs: ${err.message}`);
   }
+  return new Map(
+    Array.from(idsByAccount.entries()).map(([accountId, ids]) => [
+      accountId,
+      Array.from(ids),
+    ]),
+  );
+};
+
+const getPairedIds = ({
+  channel,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
+  const ids = new Set();
+  const idsByAccount = getPairedTargetsByAccount({
+    channel,
+    fsImpl,
+    openclawDir,
+  });
+  for (const accountIds of idsByAccount.values()) {
+    for (const id of accountIds) {
+      ids.add(id);
+    }
+  }
   return Array.from(ids);
 };
 
@@ -38,18 +98,30 @@ const formatDiscordMessage = (message) =>
 
 /**
  * Track thread state for Slack notifications
- * Key: userId, Value: { threadTs, lastEvent }
+ * Key: accountId:userId, Value: { threadTs, lastEvent }
  */
 const slackThreads = new Map();
 
-const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
+const createWatchdogNotifier = ({
+  telegramApi,
+  discordApi,
+  slackApi,
+  readEnvFile = () => [],
+  createSlackApi: createSlackApiFactory = createSlackApi,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
   const notify = async (message, opts = {}) => {
     const summary = {
       telegram: { sent: 0, failed: 0, skipped: false, targets: 0 },
       discord: { sent: 0, failed: 0, skipped: false, targets: 0 },
       slack: { sent: 0, failed: 0, skipped: false, targets: 0 },
     };
-    const telegramTargets = getPairedIds("telegram");
+    const telegramTargets = getPairedIds({
+      channel: "telegram",
+      fsImpl,
+      openclawDir,
+    });
     summary.telegram.targets = telegramTargets.length;
     if (!telegramApi?.sendMessage || !process.env.TELEGRAM_BOT_TOKEN || telegramTargets.length === 0) {
       summary.telegram.skipped = true;
@@ -67,7 +139,11 @@ const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
       }
     }
 
-    const discordTargets = getPairedIds("discord");
+    const discordTargets = getPairedIds({
+      channel: "discord",
+      fsImpl,
+      openclawDir,
+    });
     summary.discord.targets = discordTargets.length;
     if (!discordApi?.sendDirectMessage || !process.env.DISCORD_BOT_TOKEN || discordTargets.length === 0) {
       summary.discord.skipped = true;
@@ -85,61 +161,102 @@ const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
     }
 
     // Enhanced Slack notifications with threading and reactions
-    const slackTargets = getPairedIds("slack");
-    summary.slack.targets = slackTargets.length;
-    if (!slackApi?.postMessage || !process.env.SLACK_BOT_TOKEN || slackTargets.length === 0) {
+    const slackTargetsByAccount = getPairedTargetsByAccount({
+      channel: "slack",
+      fsImpl,
+      openclawDir,
+    });
+    summary.slack.targets = Array.from(slackTargetsByAccount.values()).reduce(
+      (total, targets) => total + targets.length,
+      0,
+    );
+    if (summary.slack.targets === 0) {
       summary.slack.skipped = true;
     } else {
       const eventType = opts.eventType || "info"; // crash, recovery, health, info
-      
-      for (const userId of slackTargets) {
-        try {
-          let threadTs = null;
-          let shouldCreateNewThread = true;
-
-          // Check if we have an active thread for this user
-          const existingThread = slackThreads.get(userId);
-          if (existingThread && existingThread.lastEvent === "crash" && eventType === "recovery") {
-            // Recovery message goes in the crash thread
-            threadTs = existingThread.threadTs;
-            shouldCreateNewThread = false;
+      const envVars = typeof readEnvFile === "function" ? readEnvFile() : [];
+
+      const envMap = new Map(
+        (Array.isArray(envVars) ? envVars : [])
+          .map((entry) => [
+            String(entry?.key || "").trim(),
+            String(entry?.value || "").trim(),
+          ])
+          .filter(([key]) => key),
+      );
+
+      for (const [accountId, slackTargets] of slackTargetsByAccount.entries()) {
+        if (!slackTargets.length) continue;
+        const envKey = deriveSlackBotEnvKey(accountId);
+        const botToken = String(envMap.get(envKey) || process.env[envKey] || "").trim();
+        if (!botToken) {
+          summary.slack.failed += slackTargets.length;
+          for (const userId of slackTargets) {
+            console.error(
+              `[watchdog] slack notification failed for ${accountId}/${userId}: missing ${envKey}`,
+            );
           }
+          continue;
+        }
 
-          // Send message (in thread if continuing conversation)
-          const result = await slackApi.postMessage(userId, String(message || ""), {
-            thread_ts: threadTs,
-            mrkdwn: true,
-          });
+        const accountSlackApi =
+          accountId === "default" &&
+          slackApi?.postMessage &&
+          botToken === String(process.env.SLACK_BOT_TOKEN || "").trim()
+            ? slackApi
+            : createSlackApiFactory(() => botToken);
+
+        for (const userId of slackTargets) {
+          try {
+            let threadTs = null;
+            let shouldCreateNewThread = true;
+            const threadKey = `${accountId}:${userId}`;
+
+            const existingThread = slackThreads.get(threadKey);
+            if (existingThread && existingThread.lastEvent === "crash" && eventType === "recovery") {
+              threadTs = existingThread.threadTs;
+              shouldCreateNewThread = false;
+            }
 
-          // Store thread for future related messages
-          if (shouldCreateNewThread && result.ts) {
-            slackThreads.set(userId, {
-              threadTs: result.ts,
-              lastEvent: eventType,
+            const result = await accountSlackApi.postMessage(userId, String(message || ""), {
+              thread_ts: threadTs,
+              mrkdwn: true,
             });
-          }
 
-          // Add reactions based on event type
-          // Use result.channel (the actual conversation/DM ID) instead of userId
-          if (result.ts && result.channel && slackApi.addReaction) {
-            try {
-              if (eventType === "crash") {
-                await slackApi.addReaction(result.channel, result.ts, "x");
-              } else if (eventType === "recovery") {
-                await slackApi.addReaction(result.channel, result.ts, "white_check_mark");
-              } else if (eventType === "health") {
-                await slackApi.addReaction(result.channel, result.ts, "heart");
+            if (shouldCreateNewThread && result.ts) {
+              slackThreads.set(threadKey, {
+                threadTs: result.ts,
+                lastEvent: eventType,
+              });
+            }
+
+            if (result.ts && result.channel && accountSlackApi.addReaction) {
+              try {
+                if (eventType === "crash") {
+                  await accountSlackApi.addReaction(result.channel, result.ts, "x");
+                } else if (eventType === "recovery") {
+                  await accountSlackApi.addReaction(
+                    result.channel,
+                    result.ts,
+                    "white_check_mark",
+                  );
+                } else if (eventType === "health") {
+                  await accountSlackApi.addReaction(result.channel, result.ts, "heart");
+                }
+              } catch (reactionErr) {
+                console.error(
+                  `[watchdog] slack reaction failed for ${accountId}/${userId}: ${reactionErr.message}`,
+                );
               }
-            } catch (reactionErr) {
-              // Reactions are nice-to-have, don't fail the whole notification
-              console.error(`[watchdog] slack reaction failed for ${userId}: ${reactionErr.message}`);
             }
-          }
 
-          summary.slack.sent += 1;
-        } catch (err) {
-          summary.slack.failed += 1;
-          console.error(`[watchdog] slack notification failed for ${userId}: ${err.message}`);
+            summary.slack.sent += 1;
+          } catch (err) {
+            summary.slack.failed += 1;
+            console.error(
+              `[watchdog] slack notification failed for ${accountId}/${userId}: ${err.message}`,
+            );
+          }
         }
       }
     }

package/lib/server.js

@@ -138,6 +138,9 @@ const {
 const {
   ensureUsageTrackerPluginConfig,
 } = require("./server/usage-tracker-config");
+const {
+  ensureManagedExecDefaults,
+} = require("./server/exec-defaults-config");
 
 const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
@@ -223,7 +226,12 @@ const webhookMiddleware = createWebhookMiddleware({
 const telegramApi = createTelegramApi(() => process.env.TELEGRAM_BOT_TOKEN);
 const discordApi = createDiscordApi(() => process.env.DISCORD_BOT_TOKEN);
 const slackApi = createSlackApi(() => process.env.SLACK_BOT_TOKEN);
-const watchdogNotifier = createWatchdogNotifier({ telegramApi, discordApi, slackApi });
+const watchdogNotifier = createWatchdogNotifier({
+  telegramApi,
+  discordApi,
+  slackApi,
+  readEnvFile,
+});
 const watchdog = createWatchdog({
   clawCmd,
   launchGatewayProcess,
@@ -379,6 +387,11 @@ startServerLifecycle({
   PORT,
   isOnboarded,
   runOnboardedBootSequence,
+  ensureManagedExecDefaults: () =>
+    ensureManagedExecDefaults({
+      fsModule: fs,
+      openclawDir: constants.OPENCLAW_DIR,
+    }),
   ensureUsageTrackerPluginConfig: () =>
     ensureUsageTrackerPluginConfig({
       fsModule: fs,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.8.3",
+  "version": "0.8.4",
   "publishConfig": {
     "access": "public"
   },
@@ -36,7 +36,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.3.28",
+    "openclaw": "2026.4.1",
     "patch-package": "^8.0.1",
     "ws": "^8.19.0"
   },

package/patches/openclaw+2026.4.1.patch

@@ -0,0 +1,13 @@
+diff --git a/node_modules/openclaw/dist/gateway-cli-6Ksv5U_O.js b/node_modules/openclaw/dist/gateway-cli-6Ksv5U_O.js
+index 4c742cee..bb87239b 100644
+--- a/node_modules/openclaw/dist/gateway-cli-6Ksv5U_O.js
++++ b/node_modules/openclaw/dist/gateway-cli-6Ksv5U_O.js
+@@ -26669,7 +26669,7 @@ function attachGatewayWsMessageHandler(params) {
+ 					close(1008, truncateCloseReason(authMessage));
+ 				};
+ 				const clearUnboundScopes = () => {
+-					if (scopes.length > 0) {
++					if (scopes.length > 0 && !sharedAuthOk) {
+ 						scopes = [];
+ 						connectParams.scopes = scopes;
+ 					}

package/patches/openclaw+2026.3.28.patch

@@ -1,13 +0,0 @@
-diff --git a/node_modules/openclaw/dist/gateway-cli-DlnlX7IW.js b/node_modules/openclaw/dist/gateway-cli-DlnlX7IW.js
-index ca48b932..c12478c4 100644
---- a/node_modules/openclaw/dist/gateway-cli-DlnlX7IW.js
-+++ b/node_modules/openclaw/dist/gateway-cli-DlnlX7IW.js
-@@ -25935,7 +25935,7 @@ function attachGatewayWsMessageHandler(params) {
- 					close(1008, truncateCloseReason(authMessage));
- 				};
- 				const clearUnboundScopes = () => {
--					if (scopes.length > 0) {
-+					if (scopes.length > 0 && !sharedAuthOk) {
- 						scopes = [];
- 						connectParams.scopes = scopes;
- 					}