npm - @chrysb/alphaclaw - Versions diffs - 0.9.14 → 0.9.15 - Mend

@chrysb/alphaclaw 0.9.14 → 0.9.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +2 -1
package/bin/alphaclaw.js +53 -135
package/lib/cli/openclaw-config-restore.js +162 -0
package/lib/public/css/explorer.css +3 -1
package/lib/public/dist/app.bundle.js +474 -474
package/lib/public/js/components/agents-tab/agent-identity-section.js +1 -1
package/lib/public/js/components/general/use-general-tab.js +25 -8
package/lib/public/js/components/sidebar.js +2 -1
package/lib/public/js/lib/agent-identity.js +8 -0
package/lib/public/js/lib/api.js +7 -5
package/lib/server/routes/pairings.js +120 -8
package/lib/server/routes/system.js +104 -4
package/package.json +2 -2

package/lib/public/js/components/agents-tab/agent-identity-section.js CHANGED Viewed

@@ -116,7 +116,7 @@ export const AgentIdentitySection = ({
                   value=${form.emoji}
                   onInput=${(event) => updateField("emoji", event.target.value)}
                   class="w-full bg-field border border-border rounded-lg px-3 py-2 text-sm text-body outline-none focus:border-fg-muted"
-                  placeholder="Optional emoji"
+                  placeholder="Single emoji, e.g. ✨"
                 />
               </label>
               <label class="block space-y-1">

package/lib/public/js/components/general/use-general-tab.js CHANGED Viewed

@@ -218,15 +218,27 @@ export const useGeneralTab = ({
   };
   const handleDeviceApprove = async (id) => {
-    await approveDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await approveDevice(id);
+      showToast("Device pairing approved", "success");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not approve device pairing", "error");
+      throw err;
+    }
   };
   const handleDeviceReject = async (id) => {
-    await rejectDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await rejectDevice(id);
+      showToast("Device pairing rejected", "info");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not reject device pairing", "error");
+      throw err;
+    }
   };
   const handleWatchdogRepair = async () => {
@@ -252,10 +264,15 @@ export const useGeneralTab = ({
     setDashboardLoading(true);
     try {
       const data = await fetchDashboardUrl();
-      console.log("[dashboard] response:", JSON.stringify(data));
+      if (data.needsAuth) {
+        showToast(
+          "OpenClaw dashboard token is missing from the AlphaClaw server environment",
+          "warning",
+        );
+      }
       window.open(data.url || "/openclaw", "_blank");
     } catch (err) {
-      console.error("[dashboard] error:", err);
+      showToast(err.message || "Could not open OpenClaw dashboard", "error");
       window.open("/openclaw", "_blank");
     } finally {
       setDashboardLoading(false);

package/lib/public/js/components/sidebar.js CHANGED Viewed

@@ -33,6 +33,7 @@ import {
   getSessionDisplayLabel,
   getSessionRowKey,
 } from "../lib/session-keys.js";
+import { sanitizeAgentEmoji } from "../lib/agent-identity.js";
 import { ThemeToggle } from "./theme-toggle.js";
 const html = htm.bind(h);
@@ -91,7 +92,7 @@ const renderNavItem = ({ item, selectedNavId, onSelectNavItem }) => {
   `;
 };
-const getAgentIdentityEmoji = (agent) => String(agent?.identity?.emoji || "").trim();
+const getAgentIdentityEmoji = (agent) => sanitizeAgentEmoji(agent?.identity?.emoji);
 export const AppSidebar = ({
   mobileSidebarOpen = false,

package/lib/public/js/lib/agent-identity.js ADDED Viewed

@@ -0,0 +1,8 @@
+const kNonEmojiPattern = /[A-Za-z0-9:]/;
+export const sanitizeAgentEmoji = (rawEmoji) => {
+  const trimmed = String(rawEmoji ?? "").trim();
+  if (!trimmed) return "";
+  if (kNonEmojiPattern.test(trimmed)) return "";
+  return trimmed;
+};

package/lib/public/js/lib/api.js CHANGED Viewed

@@ -466,7 +466,7 @@ export async function updateWatchdogSettings(settings) {
 export async function fetchDashboardUrl() {
   const res = await authFetch("/api/gateway/dashboard");
-  return res.json();
+  return parseJsonOrThrow(res, "Could not load dashboard URL");
 }
 export async function fetchAlphaclawVersion(refresh = false) {
@@ -682,13 +682,15 @@ export async function fetchDevicePairings() {
 }
 export async function approveDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/approve`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/approve`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not approve device");
 }
 export async function rejectDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/reject`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/reject`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not reject device");
 }
 export const fetchNodesStatus = async () => {

package/lib/server/routes/pairings.js CHANGED Viewed

@@ -10,8 +10,88 @@ const kAllowedPairingChannels = new Set(["telegram", "discord", "slack", "whatsa
 const kSafePairingArgPattern = /^[\w\-:.]+$/;
 const kDevicesListCliTimeoutMs = 5000;
 const kPairingRequestTtlMs = 60 * 60 * 1000;
+const kDeviceApprovalCallerScopes = [
+  "operator.admin",
+  "operator.read",
+  "operator.write",
+  "operator.approvals",
+  "operator.pairing",
+  "operator.talk.secrets",
+];
 const quoteCliArg = (value) => quoteShellArg(value, { strategy: "single" });
+let deviceBootstrapModulePromise = null;
+const loadDeviceBootstrapModule = async () => {
+  deviceBootstrapModulePromise ||= import("openclaw/plugin-sdk/device-bootstrap");
+  return deviceBootstrapModulePromise;
+};
+const defaultApproveDevicePairingDirect = async (requestId, options, baseDir) => {
+  const mod = await loadDeviceBootstrapModule();
+  if (typeof mod.approveDevicePairing !== "function") {
+    throw new Error("OpenClaw device approval helper is unavailable");
+  }
+  return mod.approveDevicePairing(requestId, options, baseDir);
+};
+const formatDevicePairingForbiddenMessage = (result) => {
+  switch (result?.reason) {
+    case "caller-scopes-required":
+      return `missing scope: ${result.scope || "callerScopes-required"}`;
+    case "caller-missing-scope":
+      return `missing scope: ${result.scope || "unknown"}`;
+    case "scope-outside-requested-roles":
+      return `invalid scope for requested roles: ${result.scope || "unknown"}`;
+    case "bootstrap-role-not-allowed":
+      return `bootstrap profile does not allow role: ${result.role || "unknown"}`;
+    case "bootstrap-scope-not-allowed":
+      return `bootstrap profile does not allow scope: ${result.scope || "unknown"}`;
+    default:
+      return "Device pairing approval forbidden";
+  }
+};
+const redactApprovedDevice = (device) => {
+  if (!device || typeof device !== "object") return null;
+  const safeDevice = { ...device };
+  delete safeDevice.publicKey;
+  delete safeDevice.tokens;
+  return safeDevice;
+};
+const normalizeDeviceApprovalResult = (approval, requestId) => {
+  if (approval?.status === "approved") {
+    return {
+      ok: true,
+      requestId: approval.requestId || requestId,
+      device: redactApprovedDevice(approval.device),
+    };
+  }
+  if (approval?.status === "forbidden") {
+    return {
+      ok: false,
+      statusCode: 403,
+      error: formatDevicePairingForbiddenMessage(approval),
+    };
+  }
+  return {
+    ok: false,
+    statusCode: 404,
+    error: "Device pairing request not found",
+  };
+};
+const toHttpDeviceApprovalPayload = (result) => {
+  const { statusCode, ...payload } = result || {};
+  return payload;
+};
+const isValidDeviceRequestId = (value) => {
+  const requestId = String(value || "").trim();
+  return Boolean(requestId && kSafePairingArgPattern.test(requestId));
+};
 const resolvePairingStorePath = ({ openclawDir, channel }) =>
   path.join(openclawDir, "credentials", `${String(channel).trim().toLowerCase()}-pairing.json`);
@@ -136,7 +216,14 @@ const removeAccountRequestsFromPairingStore = ({ fsModule, openclawDir, channel,
   }
 };
-const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openclawDir = OPENCLAW_DIR }) => {
+const registerPairingRoutes = ({
+  app,
+  clawCmd,
+  isOnboarded,
+  fsModule = fs,
+  openclawDir = OPENCLAW_DIR,
+  approveDevicePairingDirect = defaultApproveDevicePairingDirect,
+}) => {
   let pairingCache = { pending: [], ts: 0, ttlMs: 0 };
   const kPairingCacheTtlMs = 10000;
   const kEmptyPairingCacheTtlMs = 1000;
@@ -157,6 +244,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
     );
   };
+  const approveDeviceRequestWithAdminScope = async (requestId) => {
+    try {
+      const approval = await approveDevicePairingDirect(
+        requestId,
+        { callerScopes: kDeviceApprovalCallerScopes },
+        openclawDir,
+      );
+      return normalizeDeviceApprovalResult(approval, requestId);
+    } catch (error) {
+      return {
+        ok: false,
+        statusCode: 500,
+        error: error?.message || "Could not approve device pairing",
+      };
+    }
+  };
   const parsePendingPairings = (stdout, channel) => {
     const parsed = parseJsonObjectFromNoisyOutput(stdout) || {};
     const requestLists = [
@@ -320,15 +424,13 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
         const firstCliPendingId = firstCliPending?.requestId || firstCliPending?.id;
         if (firstCliPendingId) {
           console.log(`[alphaclaw] Auto-approving first CLI device request: ${firstCliPendingId}`);
-          const approveResult = await clawCmd(`devices approve ${firstCliPendingId}`, {
-            quiet: true,
-          });
+          const approveResult = await approveDeviceRequestWithAdminScope(firstCliPendingId);
           if (approveResult.ok) {
             writeCliAutoApproveMarker();
             autoApprovedRequestId = String(firstCliPendingId);
           } else {
             console.log(
-              `[alphaclaw] CLI auto-approve failed: ${(approveResult.stderr || "").slice(0, 200)}`,
+              `[alphaclaw] CLI auto-approve failed: ${(approveResult.error || "").slice(0, 200)}`,
             );
           }
         }
@@ -353,13 +455,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
   });
   app.post("/api/devices/:id/approve", async (req, res) => {
-    const result = await clawCmd(`devices approve ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await approveDeviceRequestWithAdminScope(requestId);
     devicePairingCache.ts = 0;
-    res.json(result);
+    res
+      .status(result.ok ? 200 : result.statusCode || 500)
+      .json(toHttpDeviceApprovalPayload(result));
   });
   app.post("/api/devices/:id/reject", async (req, res) => {
-    const result = await clawCmd(`devices reject ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await clawCmd(`devices reject ${quoteCliArg(requestId)}`);
     devicePairingCache.ts = 0;
     res.json(result);
   });

package/lib/server/routes/system.js CHANGED Viewed

@@ -28,6 +28,7 @@ const registerSystemRoutes = ({
   doctorService,
 }) => {
   let envRestartPending = false;
+  let openclawSecretRuntimePromise = null;
   const kManagedChannelTokenPattern =
     /^(?:TELEGRAM_BOT_TOKEN|DISCORD_BOT_TOKEN|SLACK_BOT_TOKEN|SLACK_APP_TOKEN)(?:_[A-Z0-9_]+)?$/;
   const kEnvVarsReservedForUserInput = new Set([
@@ -92,6 +93,97 @@ const registerSystemRoutes = ({
     }
     return null;
   };
+  const getEnvFileValue = (key) =>
+    (typeof readEnvFile === "function" ? readEnvFile() : []).find(
+      (entry) => entry?.key === key,
+    )?.value;
+  const normalizeSecretValue = (value) => {
+    if (typeof value !== "string") return "";
+    const trimmed = String(value || "").trim();
+    if (trimmed.length >= 2) {
+      const first = trimmed[0];
+      const last = trimmed[trimmed.length - 1];
+      if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
+        return trimmed.slice(1, -1).trim();
+      }
+    }
+    return trimmed;
+  };
+  const getEnvObject = () => {
+    const env = { ...process.env };
+    for (const entry of typeof readEnvFile === "function" ? readEnvFile() : []) {
+      const key = String(entry?.key || "").trim();
+      if (!key) continue;
+      if (!normalizeSecretValue(env[key])) {
+        env[key] = normalizeSecretValue(entry?.value);
+      }
+    }
+    return env;
+  };
+  const loadOpenclawSecretRuntime = async () => {
+    openclawSecretRuntimePromise ||= Promise.all([
+      import("openclaw/plugin-sdk/secret-input"),
+      import("openclaw/plugin-sdk/runtime-secret-resolution"),
+    ]).then(([secretInput, runtimeSecretResolution]) => ({
+      coerceSecretRef: secretInput.coerceSecretRef,
+      resolveSecretRefValues: runtimeSecretResolution.resolveSecretRefValues,
+    }));
+    return openclawSecretRuntimePromise;
+  };
+  const resolveSecretRefToken = async ({ config, value, env }) => {
+    try {
+      const { coerceSecretRef, resolveSecretRefValues } =
+        await loadOpenclawSecretRuntime();
+      const ref = coerceSecretRef(value, config?.secrets?.defaults);
+      if (!ref) return "";
+      const resolved = await resolveSecretRefValues([ref], { config, env });
+      const refKey = `${ref.source}:${ref.provider}:${ref.id}`;
+      return normalizeSecretValue(resolved.get(refKey));
+    } catch {
+      return "";
+    }
+  };
+  const resolveEnvReference = (value) => {
+    const match = String(value || "").trim().match(/^\$\{([A-Z_][A-Z0-9_]*)\}$/);
+    if (!match) return "";
+    const envKey = match[1];
+    const envValue = process.env[envKey] || getEnvFileValue(envKey);
+    return normalizeSecretValue(envValue);
+  };
+  const getDashboardTokenFromConfig = async () => {
+    const config = readOpenclawConfig({
+      fsModule: fs,
+      openclawDir: OPENCLAW_DIR,
+      fallback: {},
+    });
+    const env = getEnvObject();
+    const configuredToken = config?.gateway?.auth?.token;
+    const resolvedSecretRefToken = await resolveSecretRefToken({
+      config,
+      value: configuredToken,
+      env,
+    });
+    if (resolvedSecretRefToken) return resolvedSecretRefToken;
+    if (typeof configuredToken === "string" && configuredToken.trim()) {
+      const trimmedToken = normalizeSecretValue(configuredToken);
+      if (/^\$\{[A-Z_][A-Z0-9_]*\}$/.test(trimmedToken)) {
+        return resolveEnvReference(trimmedToken);
+      }
+      return trimmedToken;
+    }
+    return normalizeSecretValue(env.OPENCLAW_GATEWAY_TOKEN);
+  };
+  const buildDashboardUrl = (token) =>
+    token ? `/openclaw/#token=${encodeURIComponent(token)}` : "/openclaw";
+  const extractDashboardTokenFromOutput = (stdout) => {
+    const tokenMatch = String(stdout || "").match(/[#?&]token=([^\s&#]+)/);
+    if (!tokenMatch) return "";
+    try {
+      return decodeURIComponent(tokenMatch[1]);
+    } catch {
+      return tokenMatch[1];
+    }
+  };
   const getRawSessionKey = (sessionRow = {}) =>
     String(sessionRow?.key || sessionRow?.sessionKey || sessionRow?.id || "").trim();
   const getRawSessionsFromPayload = (payload) => {
@@ -692,14 +784,22 @@ const registerSystemRoutes = ({
   app.get("/api/gateway/dashboard", async (req, res) => {
     if (!isOnboarded()) return res.json({ ok: false, url: "/openclaw" });
+    const token = await getDashboardTokenFromConfig();
+    if (token) {
+      return res.json({
+        ok: true,
+        url: buildDashboardUrl(token),
+        source: "config",
+      });
+    }
     const result = await clawCmd("dashboard --no-open");
     if (result.ok && result.stdout) {
-      const tokenMatch = result.stdout.match(/#token=([a-zA-Z0-9]+)/);
-      if (tokenMatch) {
-        return res.json({ ok: true, url: `/openclaw/#token=${tokenMatch[1]}` });
+      const cliToken = extractDashboardTokenFromOutput(result.stdout);
+      if (cliToken) {
+        return res.json({ ok: true, url: buildDashboardUrl(cliToken) });
       }
     }
-    res.json({ ok: true, url: "/openclaw" });
+    res.json({ ok: true, url: "/openclaw", needsAuth: true });
   });
   app.get("/api/restart-status", async (req, res) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.14",
+  "version": "0.9.15",
   "publishConfig": {
     "access": "public"
   },
@@ -33,7 +33,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.5.2",
+    "openclaw": "2026.5.6",
     "ws": "^8.19.0"
   },
   "devDependencies": {