@chrysb/alphaclaw 0.9.0-beta.7 → 0.9.1-beta.0

package/lib/server/constants.js

@@ -176,6 +176,11 @@ const kSystemVars = new Set([
   "OPENCLAW_GATEWAY_TOKEN",
   "SETUP_PASSWORD",
   "PORT",
+  "ALPHACLAW_DEPLOYMENT_PROVIDER",
+  "ALPHACLAW_MANAGED_UPDATE_URL",
+  "ALPHACLAW_MANAGED_UPDATE_TOKEN",
+  "ALPHACLAW_TEMPLATE_REPO_URL",
+  "ALPHACLAW_TEMPLATE_BRANCH",
   "WATCHDOG_AUTO_REPAIR",
   "WATCHDOG_NOTIFICATIONS_DISABLED",
 ]);

package/lib/server/db/webhooks/index.js

@@ -10,6 +10,7 @@ let pruneTimer = null;
 const kDefaultRequestLimit = 50;
 const kMaxRequestLimit = 200;
 const kPruneIntervalMs = 12 * 60 * 60 * 1000;
+const kHealthSummaryWindow = 25;
 
 const ensureDb = () => {
   if (!db) throw new Error("Webhooks DB not initialized");
@@ -202,22 +203,61 @@ const getHookSummaries = () => {
   const database = ensureDb();
   const rows = database
     .prepare(`
+      WITH ranked_requests AS (
+        SELECT
+          hook_name,
+          created_at,
+          gateway_status,
+          ROW_NUMBER() OVER (
+            PARTITION BY hook_name
+            ORDER BY created_at DESC, id DESC
+          ) AS row_num
+        FROM webhook_requests
+      ),
+      overall_counts AS (
+        SELECT
+          hook_name,
+          MAX(created_at) AS last_received,
+          COUNT(*) AS total_count,
+          SUM(CASE WHEN gateway_status >= 200 AND gateway_status < 300 THEN 1 ELSE 0 END) AS success_count,
+          SUM(CASE WHEN gateway_status IS NULL OR gateway_status < 200 OR gateway_status >= 300 THEN 1 ELSE 0 END) AS error_count
+        FROM webhook_requests
+        GROUP BY hook_name
+      ),
+      recent_counts AS (
+        SELECT
+          hook_name,
+          COUNT(*) AS recent_total_count,
+          SUM(CASE WHEN gateway_status >= 200 AND gateway_status < 300 THEN 1 ELSE 0 END) AS recent_success_count,
+          SUM(CASE WHEN gateway_status IS NULL OR gateway_status < 200 OR gateway_status >= 300 THEN 1 ELSE 0 END) AS recent_error_count
+        FROM ranked_requests
+        WHERE row_num <= $health_window
+        GROUP BY hook_name
+      )
       SELECT
-        hook_name,
-        MAX(created_at) AS last_received,
-        COUNT(*) AS total_count,
-        SUM(CASE WHEN gateway_status >= 200 AND gateway_status < 300 THEN 1 ELSE 0 END) AS success_count,
-        SUM(CASE WHEN gateway_status IS NULL OR gateway_status < 200 OR gateway_status >= 300 THEN 1 ELSE 0 END) AS error_count
-      FROM webhook_requests
-      GROUP BY hook_name
+        overall_counts.hook_name,
+        overall_counts.last_received,
+        overall_counts.total_count,
+        overall_counts.success_count,
+        overall_counts.error_count,
+        COALESCE(recent_counts.recent_total_count, 0) AS recent_total_count,
+        COALESCE(recent_counts.recent_success_count, 0) AS recent_success_count,
+        COALESCE(recent_counts.recent_error_count, 0) AS recent_error_count
+      FROM overall_counts
+      LEFT JOIN recent_counts
+        ON recent_counts.hook_name = overall_counts.hook_name
     `)
-    .all();
+    .all({ $health_window: kHealthSummaryWindow });
   return rows.map((row) => ({
     hookName: row.hook_name,
     lastReceived: row.last_received || null,
     totalCount: Number(row.total_count || 0),
     successCount: Number(row.success_count || 0),
     errorCount: Number(row.error_count || 0),
+    recentTotalCount: Number(row.recent_total_count || 0),
+    recentSuccessCount: Number(row.recent_success_count || 0),
+    recentErrorCount: Number(row.recent_error_count || 0),
+    healthWindowSize: kHealthSummaryWindow,
   }));
 };
 

package/lib/server/exec-defaults-config.js

@@ -0,0 +1,163 @@
+const fs = require("fs");
+const path = require("path");
+const {
+  readOpenclawConfig,
+  resolveOpenclawConfigPath,
+  writeOpenclawConfig,
+} = require("./openclaw-config");
+
+const kManagedExecApprovalsDefaults = Object.freeze({
+  security: "full",
+  ask: "off",
+  askFallback: "full",
+});
+
+const kManagedOpenclawExecDefaults = Object.freeze({
+  security: "full",
+  strictInlineEval: false,
+});
+
+const resolveExecApprovalsConfigPath = ({ openclawDir }) =>
+  path.join(openclawDir, "exec-approvals.json");
+
+const readExecApprovalsConfig = ({
+  fsModule = fs,
+  openclawDir,
+  fallback = { version: 1 },
+} = {}) => {
+  const filePath = resolveExecApprovalsConfigPath({ openclawDir });
+  try {
+    const parsed = JSON.parse(fsModule.readFileSync(filePath, "utf8"));
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+      ? parsed
+      : fallback;
+  } catch {
+    return fallback;
+  }
+};
+
+const writeExecApprovalsConfig = ({
+  fsModule = fs,
+  openclawDir,
+  file = {},
+  spacing = 2,
+} = {}) => {
+  const filePath = resolveExecApprovalsConfigPath({ openclawDir });
+  fsModule.mkdirSync(path.dirname(filePath), { recursive: true });
+  fsModule.writeFileSync(filePath, JSON.stringify(file, null, spacing) + "\n", "utf8");
+  return filePath;
+};
+
+const hasOwn = (obj, key) =>
+  !!obj && typeof obj === "object" && Object.prototype.hasOwnProperty.call(obj, key);
+
+const ensureManagedExecApprovalsDefaults = (rawFile = {}) => {
+  const file =
+    rawFile && typeof rawFile === "object" && !Array.isArray(rawFile) ? rawFile : {};
+  const before = JSON.stringify(file);
+  const defaults =
+    file.defaults && typeof file.defaults === "object" && !Array.isArray(file.defaults)
+      ? file.defaults
+      : null;
+  const hasNonEmptyDefaults = !!defaults && Object.keys(defaults).length > 0;
+  if (!hasNonEmptyDefaults) {
+    if (!Number.isInteger(file.version)) file.version = 1;
+    file.defaults = {
+      security: kManagedExecApprovalsDefaults.security,
+      ask: kManagedExecApprovalsDefaults.ask,
+      askFallback: kManagedExecApprovalsDefaults.askFallback,
+    };
+    if (!file.agents || typeof file.agents !== "object" || Array.isArray(file.agents)) {
+      file.agents = {};
+    }
+  }
+  return {
+    file,
+    changed: JSON.stringify(file) !== before,
+  };
+};
+
+const ensureManagedOpenclawExecDefaults = (rawConfig = {}) => {
+  const config =
+    rawConfig && typeof rawConfig === "object" && !Array.isArray(rawConfig) ? rawConfig : {};
+  const before = JSON.stringify(config);
+  if (!config.tools || typeof config.tools !== "object" || Array.isArray(config.tools)) {
+    config.tools = {};
+  }
+  if (!hasOwn(config.tools, "exec")) {
+    config.tools.exec = {
+      security: kManagedOpenclawExecDefaults.security,
+      strictInlineEval: kManagedOpenclawExecDefaults.strictInlineEval,
+    };
+  }
+  return {
+    config,
+    changed: JSON.stringify(config) !== before,
+  };
+};
+
+const ensureManagedExecDefaults = ({ fsModule = fs, openclawDir } = {}) => {
+  let openclawChanged = false;
+  let approvalsChanged = false;
+
+  const openclawConfigPath = resolveOpenclawConfigPath({ openclawDir });
+  const openclawExists =
+    typeof fsModule.existsSync === "function" ? fsModule.existsSync(openclawConfigPath) : null;
+  if (openclawExists !== false) {
+    const cfg = readOpenclawConfig({
+      fsModule,
+      openclawDir,
+      fallback: openclawExists === true ? null : {},
+    });
+    if (cfg && typeof cfg === "object" && !Array.isArray(cfg)) {
+      const ensuredConfig = ensureManagedOpenclawExecDefaults(cfg);
+      if (ensuredConfig.changed) {
+        writeOpenclawConfig({
+          fsModule,
+          openclawDir,
+          config: ensuredConfig.config,
+          spacing: 2,
+        });
+        openclawChanged = true;
+      }
+    }
+  }
+
+  const approvalsPath = resolveExecApprovalsConfigPath({ openclawDir });
+  const approvalsExists =
+    typeof fsModule.existsSync === "function" ? fsModule.existsSync(approvalsPath) : null;
+  const approvals = readExecApprovalsConfig({
+    fsModule,
+    openclawDir,
+    fallback: approvalsExists === true ? null : { version: 1 },
+  });
+  if (approvals && typeof approvals === "object" && !Array.isArray(approvals)) {
+    const ensuredApprovals = ensureManagedExecApprovalsDefaults(approvals);
+    if (ensuredApprovals.changed || approvalsExists === false) {
+      writeExecApprovalsConfig({
+        fsModule,
+        openclawDir,
+        file: ensuredApprovals.file,
+        spacing: 2,
+      });
+      approvalsChanged = true;
+    }
+  }
+
+  return {
+    changed: openclawChanged || approvalsChanged,
+    openclawChanged,
+    approvalsChanged,
+  };
+};
+
+module.exports = {
+  kManagedExecApprovalsDefaults,
+  kManagedOpenclawExecDefaults,
+  resolveExecApprovalsConfigPath,
+  readExecApprovalsConfig,
+  writeExecApprovalsConfig,
+  ensureManagedExecApprovalsDefaults,
+  ensureManagedOpenclawExecDefaults,
+  ensureManagedExecDefaults,
+};

package/lib/server/gateway.js

@@ -45,6 +45,7 @@ const gatewayEnv = () => ({
   ...process.env,
   OPENCLAW_HOME: kRootDir,
   OPENCLAW_CONFIG_PATH: `${OPENCLAW_DIR}/openclaw.json`,
+  OPENCLAW_STATE_DIR: OPENCLAW_DIR,
   XDG_CONFIG_HOME: OPENCLAW_DIR,
 });
 

package/lib/server/init/register-server-routes.js

@@ -17,7 +17,6 @@ const { registerDoctorRoutes } = require("../routes/doctor");
 const { registerAgentRoutes } = require("../routes/agents");
 const { registerCronRoutes } = require("../routes/cron");
 const { registerNodeRoutes } = require("../routes/nodes");
-const { registerMcpRoutes } = require("../routes/mcp");
 const {
   createOauthCallbackMiddleware,
 } = require("../oauth-callback-middleware");
@@ -250,13 +249,6 @@ const registerServerRoutes = ({
     gatewayToken: constants.GATEWAY_TOKEN,
     fsModule: fs,
   });
-  registerMcpRoutes({
-    app,
-    requireAuth,
-    constants,
-    gatewayEnv,
-    openclawDir: constants.OPENCLAW_DIR,
-  });
   registerProxyRoutes({
     app,
     proxy,

package/lib/server/init/server-lifecycle.js

@@ -3,6 +3,7 @@ const startServerLifecycle = ({
   PORT,
   isOnboarded,
   runOnboardedBootSequence,
+  ensureManagedExecDefaults,
   ensureUsageTrackerPluginConfig,
   doSyncPromptFiles,
   reloadEnv,
@@ -18,6 +19,7 @@ const startServerLifecycle = ({
     console.log(`[alphaclaw] Express listening on :${PORT}`);
     if (isOnboarded()) {
       runOnboardedBootSequence({
+        ensureManagedExecDefaults,
         ensureUsageTrackerPluginConfig,
         doSyncPromptFiles,
         reloadEnv,

package/lib/server/model-catalog-cache.js

@@ -0,0 +1,251 @@
+const fs = require("fs");
+const path = require("path");
+const { ALPHACLAW_DIR, kFallbackOnboardingModels } = require("./constants");
+
+const kModelCatalogCacheVersion = 1;
+const kModelCatalogRefreshBackoffMs = 30 * 1000;
+const kDefaultCachePath = path.join(ALPHACLAW_DIR, "cache", "model-catalog.json");
+
+const createResponse = ({
+  source = "fallback",
+  fetchedAt = null,
+  stale = false,
+  refreshing = false,
+  models = [],
+} = {}) => ({
+  ok: true,
+  source,
+  fetchedAt,
+  stale,
+  refreshing,
+  models,
+});
+
+const normalizeCachedModels = ({
+  models,
+  normalizeOnboardingModels = (items) => items,
+} = {}) =>
+  normalizeOnboardingModels(
+    (Array.isArray(models) ? models : []).map((model) => ({
+      key: model?.key,
+      name: model?.label || model?.name || model?.key,
+    })),
+  );
+
+const normalizeCacheEntry = ({
+  raw,
+  normalizeOnboardingModels = (items) => items,
+} = {}) => {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return null;
+  const fetchedAt = Number(raw.fetchedAt || 0);
+  const models = normalizeCachedModels({
+    models: raw.models,
+    normalizeOnboardingModels,
+  });
+  if (!Number.isFinite(fetchedAt) || fetchedAt <= 0 || models.length === 0) {
+    return null;
+  }
+  return {
+    version: kModelCatalogCacheVersion,
+    fetchedAt,
+    models,
+  };
+};
+
+const createModelCatalogCache = ({
+  fsModule = fs,
+  pathModule = path,
+  shellCmd,
+  gatewayEnv = () => ({}),
+  parseJsonFromNoisyOutput = () => ({}),
+  normalizeOnboardingModels = (items) => items,
+  fallbackModels = kFallbackOnboardingModels,
+  cachePath = kDefaultCachePath,
+  refreshBackoffMs = kModelCatalogRefreshBackoffMs,
+  now = () => Date.now(),
+  setTimeoutFn = setTimeout,
+  clearTimeoutFn = clearTimeout,
+  logger = console,
+} = {}) => {
+  let cacheLoaded = false;
+  let memoryCache = null;
+  let cacheIsStale = false;
+  let refreshPromise = null;
+  let retryTimer = null;
+  let backoffUntilMs = 0;
+
+  const clearRetryTimer = () => {
+    if (!retryTimer) return;
+    clearTimeoutFn(retryTimer);
+    retryTimer = null;
+  };
+
+  const isRefreshPending = () => !!refreshPromise || !!retryTimer;
+
+  const setCacheEntry = (entry, { fresh = false } = {}) => {
+    memoryCache = entry;
+    cacheLoaded = true;
+    cacheIsStale = !fresh;
+    backoffUntilMs = 0;
+    clearRetryTimer();
+    return memoryCache;
+  };
+
+  const readDiskCache = () => {
+    if (cacheLoaded) return memoryCache;
+    cacheLoaded = true;
+    try {
+      const raw = JSON.parse(fsModule.readFileSync(cachePath, "utf8"));
+      const entry = normalizeCacheEntry({
+        raw,
+        normalizeOnboardingModels,
+      });
+      if (!entry) return null;
+      memoryCache = entry;
+      cacheIsStale = true;
+      return memoryCache;
+    } catch {
+      memoryCache = null;
+      cacheIsStale = false;
+      return null;
+    }
+  };
+
+  const writeDiskCache = (entry) => {
+    fsModule.mkdirSync(pathModule.dirname(cachePath), { recursive: true });
+    fsModule.writeFileSync(
+      cachePath,
+      `${JSON.stringify(entry, null, 2)}\n`,
+      "utf8",
+    );
+  };
+
+  const loadFreshCatalog = async () => {
+    const output = await shellCmd("openclaw models list --all --json", {
+      env: gatewayEnv(),
+      timeout: 30000,
+    });
+    const parsed = parseJsonFromNoisyOutput(output);
+    const models = normalizeOnboardingModels(parsed?.models || []);
+    if (models.length === 0) {
+      throw new Error("No models found");
+    }
+    const entry = {
+      version: kModelCatalogCacheVersion,
+      fetchedAt: now(),
+      models,
+    };
+    writeDiskCache(entry);
+    setCacheEntry(entry, { fresh: true });
+    return entry;
+  };
+
+  const scheduleRetry = () => {
+    if (!memoryCache || retryTimer) return;
+    const delayMs = Math.max(backoffUntilMs - now(), 0);
+    retryTimer = setTimeoutFn(() => {
+      retryTimer = null;
+      if (!memoryCache || !cacheIsStale || refreshPromise) return;
+      void startBackgroundRefresh();
+    }, delayMs);
+    if (typeof retryTimer?.unref === "function") retryTimer.unref();
+  };
+
+  const handleRefreshFailure = (err) => {
+    if (memoryCache) {
+      cacheIsStale = true;
+      backoffUntilMs = now() + refreshBackoffMs;
+      scheduleRetry();
+      logger.error?.(
+        `[models] Failed to refresh cached models: ${err.message || String(err)}`,
+      );
+      return;
+    }
+    logger.error?.(
+      `[models] Failed to load dynamic models: ${err.message || String(err)}`,
+    );
+  };
+
+  const startBackgroundRefresh = () => {
+    readDiskCache();
+    if (!memoryCache) return null;
+    if (refreshPromise) return refreshPromise;
+    if (retryTimer) return null;
+    if (backoffUntilMs > now()) {
+      scheduleRetry();
+      return null;
+    }
+    refreshPromise = Promise.resolve()
+      .then(() => loadFreshCatalog())
+      .catch((err) => {
+        handleRefreshFailure(err);
+        return null;
+      })
+      .finally(() => {
+        refreshPromise = null;
+      });
+    return refreshPromise;
+  };
+
+  return {
+    async getCatalogResponse() {
+      readDiskCache();
+      if (memoryCache && !cacheIsStale) {
+        return createResponse({
+          source: "openclaw",
+          fetchedAt: memoryCache.fetchedAt,
+          stale: false,
+          refreshing: false,
+          models: memoryCache.models,
+        });
+      }
+      if (memoryCache) {
+        startBackgroundRefresh();
+        return createResponse({
+          source: "cache",
+          fetchedAt: memoryCache.fetchedAt,
+          stale: true,
+          refreshing: isRefreshPending(),
+          models: memoryCache.models,
+        });
+      }
+      try {
+        const freshEntry = await loadFreshCatalog();
+        return createResponse({
+          source: "openclaw",
+          fetchedAt: freshEntry.fetchedAt,
+          stale: false,
+          refreshing: false,
+          models: freshEntry.models,
+        });
+      } catch (err) {
+        handleRefreshFailure(err);
+        return createResponse({
+          source: "fallback",
+          fetchedAt: null,
+          stale: false,
+          refreshing: false,
+          models: fallbackModels,
+        });
+      }
+    },
+
+    markStale() {
+      readDiskCache();
+      if (!memoryCache) return;
+      cacheIsStale = true;
+      backoffUntilMs = 0;
+      clearRetryTimer();
+    },
+  };
+};
+
+module.exports = {
+  createModelCatalogCache,
+  createResponse,
+  normalizeCachedModels,
+  normalizeCacheEntry,
+  kModelCatalogCacheVersion,
+  kModelCatalogRefreshBackoffMs,
+  kDefaultCachePath,
+};

package/lib/server/onboarding/github.js

@@ -63,6 +63,56 @@ const repoContainsOnlyBoilerplate = async (repoUrl, ghHeaders) => {
   }
 };
 
+const getNextGithubPageUrl = (linkHeader = "") => {
+  const nextLink = String(linkHeader || "")
+    .split(",")
+    .map((entry) => entry.trim())
+    .find((entry) => entry.endsWith('rel="next"'));
+  const match = nextLink?.match(/<([^>]+)>/);
+  return match?.[1] || "";
+};
+
+const findOwnedRepoByName = async ({
+  repoUrl,
+  repoOwner,
+  repoName,
+  viewerLogin,
+  ghHeaders,
+}) => {
+  if (
+    !repoOwner ||
+    !repoName ||
+    !viewerLogin ||
+    repoOwner.toLowerCase() !== viewerLogin.toLowerCase()
+  ) {
+    return null;
+  }
+
+  let nextUrl =
+    "https://api.github.com/user/repos?affiliation=owner&per_page=100&page=1";
+  const normalizedRepoUrl = String(repoUrl || "").trim().toLowerCase();
+  const normalizedRepoName = String(repoName || "").trim().toLowerCase();
+
+  while (nextUrl) {
+    const res = await fetch(nextUrl, { headers: ghHeaders });
+    if (!res.ok) return null;
+
+    const repos = await res.json();
+    if (!Array.isArray(repos)) return null;
+
+    const existingRepo = repos.find((repo) => {
+      const fullName = String(repo?.full_name || "").trim().toLowerCase();
+      const name = String(repo?.name || "").trim().toLowerCase();
+      return fullName === normalizedRepoUrl || name === normalizedRepoName;
+    });
+    if (existingRepo) return existingRepo;
+
+    nextUrl = getNextGithubPageUrl(res.headers?.get?.("link"));
+  }
+
+  return null;
+};
+
 const isClassicPat = (token) => String(token || "").startsWith("ghp_");
 const isFineGrainedPat = (token) =>
   String(token || "").startsWith("github_pat_");
@@ -73,8 +123,9 @@ const verifyGithubRepoForOnboarding = async ({
   mode = "new",
 }) => {
   const ghHeaders = buildGithubHeaders(githubToken);
-  const [repoOwner] = String(repoUrl || "").split("/", 1);
+  const [repoOwner = "", repoName = ""] = String(repoUrl || "").split("/");
   const isExisting = mode === "existing";
+  let viewerLogin = "";
 
   try {
     const userRes = await fetch("https://api.github.com/user", {
@@ -106,12 +157,29 @@ const verifyGithubRepoForOnboarding = async ({
         };
       }
     }
-    await userRes.json().catch(() => ({}));
+    const userPayload = await userRes.json().catch(() => ({}));
+    viewerLogin = String(userPayload?.login || "").trim();
 
     const checkRes = await fetch(`https://api.github.com/repos/${repoUrl}`, {
       headers: ghHeaders,
     });
     if (checkRes.status === 404) {
+      const hiddenOwnedRepo = await findOwnedRepoByName({
+        repoUrl,
+        repoOwner,
+        repoName,
+        viewerLogin,
+        ghHeaders,
+      });
+      if (hiddenOwnedRepo) {
+        return {
+          ok: false,
+          status: 400,
+          error:
+            `Repository "${repoUrl}" already exists, but this token cannot inspect it. ` +
+            "Choose a different repo name or use a token that can access that repo.",
+        };
+      }
       if (isExisting) {
         return {
           ok: false,
@@ -205,6 +273,19 @@ const ensureGithubRepoAccessible = async ({
     });
     if (!createRes.ok) {
       const details = await parseGithubErrorMessage(createRes);
+      if (
+        String(details || "")
+          .toLowerCase()
+          .includes("name already exists on this account")
+      ) {
+        return {
+          ok: false,
+          status: 400,
+          error:
+            `Repository "${repoUrl}" already exists. ` +
+            "Choose a different repo name or use a token that can access that repo.",
+        };
+      }
       const hint =
         createRes.status === 404 || createRes.status === 403
           ? ' Ensure your token is a classic PAT with the "repo" scope.'

package/lib/server/onboarding/index.js

@@ -25,6 +25,7 @@ const {
 } = require("./cron");
 const { migrateManagedInternalFiles } = require("../internal-files-migration");
 const { installGogCliSkill } = require("../gog-skill");
+const { ensureManagedExecDefaults } = require("../exec-defaults-config");
 
 const kPlaceholderEnvValue = "placeholder";
 const kEnvRefPattern = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
@@ -494,6 +495,8 @@ const createOnboardingService = ({
             ...process.env,
             OPENCLAW_HOME: kRootDir,
             OPENCLAW_CONFIG_PATH: `${OPENCLAW_DIR}/openclaw.json`,
+            OPENCLAW_STATE_DIR: OPENCLAW_DIR,
+            XDG_CONFIG_HOME: OPENCLAW_DIR,
           },
           timeout: 120000,
         },
@@ -529,6 +532,10 @@ const createOnboardingService = ({
       });
     }
     authProfiles?.syncConfigAuthReferencesForAgent?.();
+    ensureManagedExecDefaults({
+      fsModule: fs,
+      openclawDir: OPENCLAW_DIR,
+    });
 
     installGogCliSkill({ fs, openclawDir: OPENCLAW_DIR });