@chrysb/alphaclaw 0.9.14 → 0.9.16

package/lib/public/js/components/agents-tab/agent-identity-section.js

@@ -116,7 +116,7 @@ export const AgentIdentitySection = ({
                   value=${form.emoji}
                   onInput=${(event) => updateField("emoji", event.target.value)}
                   class="w-full bg-field border border-border rounded-lg px-3 py-2 text-sm text-body outline-none focus:border-fg-muted"
-                  placeholder="Optional emoji"
+                  placeholder="Single emoji, e.g. ✨"
                 />
               </label>
               <label class="block space-y-1">

package/lib/public/js/components/file-tree.js

@@ -76,6 +76,16 @@ const collectFolderPaths = (node, folderPaths) => {
   );
 };
 
+const collectTruncatedExpandedFolderPaths = (node, expandedPaths, folderPaths) => {
+  if (!node || node.type !== "folder") return;
+  if (node.truncated && expandedPaths.has(node.path || "")) {
+    folderPaths.push(node.path || "");
+  }
+  (node.children || []).forEach((childNode) =>
+    collectTruncatedExpandedFolderPaths(childNode, expandedPaths, folderPaths),
+  );
+};
+
 const collectFilePaths = (node, filePaths) => {
   if (!node) return;
   if (node.type === "file") {
@@ -104,6 +114,19 @@ const removeTreePath = (node, targetPath) => {
   };
 };
 
+const replaceTreeNode = (node, nextNode) => {
+  if (!node || !nextNode) return node;
+  if (String(node.path || "") === String(nextNode.path || "")) return nextNode;
+  if (node.type !== "folder") return node;
+  const nextChildren = (node.children || []).map((childNode) =>
+    replaceTreeNode(childNode, nextNode),
+  );
+  return {
+    ...node,
+    children: nextChildren,
+  };
+};
+
 const filterTreeNode = (node, normalizedQuery) => {
   if (!node) return null;
   const query = String(normalizedQuery || "")
@@ -410,6 +433,7 @@ const TreeNode = ({
   onCreationConfirm,
   onCreationCancel,
   dragSourcePath = "",
+  loadingFolderPaths = new Set(),
 }) => {
   if (!node) return null;
   if (node.type === "file") {
@@ -471,6 +495,7 @@ const TreeNode = ({
 
   const folderPath = node.path || "";
   const isCollapsed = isSearchActive ? false : !expandedPaths.has(folderPath);
+  const isLoadingFolder = loadingFolderPaths.has(folderPath);
   const isFolderActive = selectedPath === folderPath;
   const isFolderLocked = folderPath && matchesBrowsePolicyPath(
     kLockedBrowsePaths,
@@ -484,7 +509,7 @@ const TreeNode = ({
         class=${`tree-folder ${isCollapsed ? "collapsed" : ""} ${isFolderActive ? "active" : ""} ${isDropTarget ? "is-drop-target" : ""}`.trim()}
         onclick=${() => {
           if (!folderPath) return;
-          onSetFolderExpanded(folderPath, isCollapsed);
+          onSetFolderExpanded(folderPath, isCollapsed, node);
           onSelectFolder(folderPath);
         }}
         oncontextmenu=${(e) => {
@@ -540,8 +565,9 @@ const TreeNode = ({
             event.preventDefault();
             event.stopPropagation();
             if (!folderPath) return;
-            onSetFolderExpanded(folderPath, isCollapsed);
+            onSetFolderExpanded(folderPath, isCollapsed, node);
           }}
+          disabled=${isLoadingFolder}
         >
           <span class="arrow">▼</span>
         </button>
@@ -587,6 +613,7 @@ const TreeNode = ({
               onCreationConfirm=${onCreationConfirm}
               onCreationCancel=${onCreationCancel}
               dragSourcePath=${dragSourcePath}
+              loadingFolderPaths=${loadingFolderPaths}
             />
           `,
         )}
@@ -623,6 +650,7 @@ const TreeNode = ({
               onCreationConfirm=${onCreationConfirm}
               onCreationCancel=${onCreationCancel}
               dragSourcePath=${dragSourcePath}
+              loadingFolderPaths=${loadingFolderPaths}
             />
           `,
         )}
@@ -650,6 +678,7 @@ export const FileTree = ({
   const [creatingType, setCreatingType] = useState("");
   const [contextMenu, setContextMenu] = useState(null);
   const [dragSourcePath, setDragSourcePath] = useState("");
+  const [loadingFolderPaths, setLoadingFolderPaths] = useState(new Set());
   const [selectedFolder, setSelectedFolder] = useState("");
   const effectiveSelectedPath = selectedFolder || selectedPath;
   const searchInputRef = useRef(null);
@@ -661,10 +690,31 @@ export const FileTree = ({
     try {
       const data = await fetchBrowseTree();
       const nextRoot = data.root || null;
-      const nextSignature = JSON.stringify(nextRoot || {});
+      const nextExpandedPaths =
+        expandedPaths instanceof Set ? expandedPaths : new Set();
+      let hydratedRoot = nextRoot;
+      const hydratedPaths = new Set();
+      while (true) {
+        const truncatedExpandedPaths = [];
+        collectTruncatedExpandedFolderPaths(
+          hydratedRoot,
+          nextExpandedPaths,
+          truncatedExpandedPaths,
+        );
+        const nextFolderPath = truncatedExpandedPaths.find(
+          (folderPath) => !hydratedPaths.has(folderPath),
+        );
+        if (!nextFolderPath) break;
+        hydratedPaths.add(nextFolderPath);
+        const subtreeData = await fetchBrowseTree({ path: nextFolderPath });
+        if (subtreeData.root) {
+          hydratedRoot = replaceTreeNode(hydratedRoot, subtreeData.root);
+        }
+      }
+      const nextSignature = JSON.stringify(hydratedRoot || {});
       if (treeSignatureRef.current !== nextSignature) {
         treeSignatureRef.current = nextSignature;
-        setTreeRoot(nextRoot);
+        setTreeRoot(hydratedRoot);
       }
       setExpandedPaths((previousPaths) =>
         previousPaths instanceof Set ? previousPaths : new Set(),
@@ -677,7 +727,7 @@ export const FileTree = ({
     } finally {
       if (showLoading) setLoading(false);
     }
-  }, []);
+  }, [expandedPaths]);
 
   useEffect(() => {
     loadTree({ showLoading: true });
@@ -834,7 +884,31 @@ export const FileTree = ({
     onPreviewFile("");
   }, [isSearchActive, filteredFilePaths, searchActivePath, onPreviewFile]);
 
-  const setFolderExpanded = (folderPath, nextExpanded) => {
+  const setFolderExpanded = async (folderPath, nextExpanded, node = null) => {
+    if (nextExpanded === true && node?.truncated) {
+      setLoadingFolderPaths((previousPaths) => {
+        const nextPaths =
+          previousPaths instanceof Set ? new Set(previousPaths) : new Set();
+        nextPaths.add(folderPath);
+        return nextPaths;
+      });
+      try {
+        const data = await fetchBrowseTree({ path: folderPath });
+        if (data.root) {
+          setTreeRoot((previousRoot) => replaceTreeNode(previousRoot, data.root));
+        }
+      } catch (loadError) {
+        showToast(loadError.message || "Could not load folder", "error");
+        return;
+      } finally {
+        setLoadingFolderPaths((previousPaths) => {
+          const nextPaths =
+            previousPaths instanceof Set ? new Set(previousPaths) : new Set();
+          nextPaths.delete(folderPath);
+          return nextPaths;
+        });
+      }
+    }
     setExpandedPaths((previousPaths) => {
       const nextPaths =
         previousPaths instanceof Set ? new Set(previousPaths) : new Set();
@@ -1210,6 +1284,7 @@ export const FileTree = ({
               onCreationConfirm=${confirmCreate}
               onCreationCancel=${cancelCreate}
               dragSourcePath=${dragSourcePath}
+              loadingFolderPaths=${loadingFolderPaths}
             />
           `,
         )}
@@ -1245,6 +1320,7 @@ export const FileTree = ({
               onCreationConfirm=${confirmCreate}
               onCreationCancel=${cancelCreate}
               dragSourcePath=${dragSourcePath}
+              loadingFolderPaths=${loadingFolderPaths}
             />
           `,
         )}

package/lib/public/js/components/general/use-general-tab.js

@@ -218,15 +218,27 @@ export const useGeneralTab = ({
   };
 
   const handleDeviceApprove = async (id) => {
-    await approveDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await approveDevice(id);
+      showToast("Device pairing approved", "success");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not approve device pairing", "error");
+      throw err;
+    }
   };
 
   const handleDeviceReject = async (id) => {
-    await rejectDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await rejectDevice(id);
+      showToast("Device pairing rejected", "info");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not reject device pairing", "error");
+      throw err;
+    }
   };
 
   const handleWatchdogRepair = async () => {
@@ -252,10 +264,15 @@ export const useGeneralTab = ({
     setDashboardLoading(true);
     try {
       const data = await fetchDashboardUrl();
-      console.log("[dashboard] response:", JSON.stringify(data));
+      if (data.needsAuth) {
+        showToast(
+          "OpenClaw dashboard token is missing from the AlphaClaw server environment",
+          "warning",
+        );
+      }
       window.open(data.url || "/openclaw", "_blank");
     } catch (err) {
-      console.error("[dashboard] error:", err);
+      showToast(err.message || "Could not open OpenClaw dashboard", "error");
       window.open("/openclaw", "_blank");
     } finally {
       setDashboardLoading(false);

package/lib/public/js/components/sidebar.js

@@ -33,6 +33,7 @@ import {
   getSessionDisplayLabel,
   getSessionRowKey,
 } from "../lib/session-keys.js";
+import { sanitizeAgentEmoji } from "../lib/agent-identity.js";
 import { ThemeToggle } from "./theme-toggle.js";
 
 const html = htm.bind(h);
@@ -91,7 +92,7 @@ const renderNavItem = ({ item, selectedNavId, onSelectNavItem }) => {
   `;
 };
 
-const getAgentIdentityEmoji = (agent) => String(agent?.identity?.emoji || "").trim();
+const getAgentIdentityEmoji = (agent) => sanitizeAgentEmoji(agent?.identity?.emoji);
 
 export const AppSidebar = ({
   mobileSidebarOpen = false,

package/lib/public/js/lib/agent-identity.js

@@ -0,0 +1,8 @@
+const kNonEmojiPattern = /[A-Za-z0-9:]/;
+
+export const sanitizeAgentEmoji = (rawEmoji) => {
+  const trimmed = String(rawEmoji ?? "").trim();
+  if (!trimmed) return "";
+  if (kNonEmojiPattern.test(trimmed)) return "";
+  return trimmed;
+};

package/lib/public/js/lib/api.js

@@ -466,7 +466,7 @@ export async function updateWatchdogSettings(settings) {
 
 export async function fetchDashboardUrl() {
   const res = await authFetch("/api/gateway/dashboard");
-  return res.json();
+  return parseJsonOrThrow(res, "Could not load dashboard URL");
 }
 
 export async function fetchAlphaclawVersion(refresh = false) {
@@ -682,13 +682,15 @@ export async function fetchDevicePairings() {
 }
 
 export async function approveDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/approve`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/approve`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not approve device");
 }
 
 export async function rejectDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/reject`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/reject`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not reject device");
 }
 
 export const fetchNodesStatus = async () => {
@@ -1243,8 +1245,11 @@ export async function fetchWebhookRequest(name, id) {
   return parseJsonOrThrow(res, "Could not load webhook request");
 }
 
-export const fetchBrowseTree = async (depth = 10) => {
+export const fetchBrowseTree = async (options = {}) => {
+  const { depth = 3, path = "" } =
+    typeof options === "number" ? { depth: options, path: "" } : options;
   const params = new URLSearchParams({ depth: String(depth) });
+  if (path) params.set("path", String(path));
   const res = await authFetch(`/api/browse/tree?${params.toString()}`);
   return parseJsonOrThrow(res, "Could not load file tree");
 };

package/lib/server/routes/browse/constants.js

@@ -1,4 +1,5 @@
-const kDefaultTreeDepth = 10;
+const kDefaultTreeDepth = 3;
+const kMaxTreeDepth = 3;
 const kIgnoredDirectoryNames = new Set([
   ".git",
   ".alphaclaw",
@@ -42,6 +43,7 @@ const kSqliteTablePageSize = 50;
 
 module.exports = {
   kDefaultTreeDepth,
+  kMaxTreeDepth,
   kIgnoredDirectoryNames,
   kImageMimeTypeByExtension,
   kCommitHistoryLimit,

package/lib/server/routes/browse/index.js

@@ -2,6 +2,7 @@ const path = require("path");
 const { kLockedBrowsePaths, kProtectedBrowsePaths } = require("../../constants");
 const {
   kDefaultTreeDepth,
+  kMaxTreeDepth,
   kIgnoredDirectoryNames,
   kCommitHistoryLimit,
 } = require("./constants");
@@ -34,6 +35,16 @@ const registerBrowseRoutes = ({ app, fs, kRootDir }) => {
     fs.mkdirSync(kRootResolved, { recursive: true });
   }
 
+  const readVisibleDirectoryEntries = (absolutePath) =>
+    fs
+      .readdirSync(absolutePath, { withFileTypes: true })
+      .filter((entry) => {
+        if (entry.isDirectory() && kIgnoredDirectoryNames.has(entry.name)) {
+          return false;
+        }
+        return entry.isDirectory() || entry.isFile();
+      });
+
   const buildTreeNode = (absolutePath, depthRemaining) => {
     const stats = fs.statSync(absolutePath);
     const nodeName = path.basename(absolutePath);
@@ -44,17 +55,17 @@ const registerBrowseRoutes = ({ app, fs, kRootDir }) => {
     }
 
     if (depthRemaining <= 0) {
-      return { type: "folder", name: nodeName, path: nodePath, children: [] };
+      const hasMoreChildren = readVisibleDirectoryEntries(absolutePath).length > 0;
+      return {
+        type: "folder",
+        name: nodeName,
+        path: nodePath,
+        children: [],
+        truncated: hasMoreChildren,
+      };
     }
 
-    const children = fs
-      .readdirSync(absolutePath, { withFileTypes: true })
-      .filter((entry) => {
-        if (entry.isDirectory() && kIgnoredDirectoryNames.has(entry.name)) {
-          return false;
-        }
-        return entry.isDirectory() || entry.isFile();
-      })
+    const children = readVisibleDirectoryEntries(absolutePath)
       .map((entry) =>
         buildTreeNode(path.join(absolutePath, entry.name), depthRemaining - 1),
       )
@@ -70,12 +81,29 @@ const registerBrowseRoutes = ({ app, fs, kRootDir }) => {
 
   app.get("/api/browse/tree", (req, res) => {
     const depthValue = Number.parseInt(String(req.query.depth || ""), 10);
-    const depth =
+    const requestedDepth =
       Number.isFinite(depthValue) && depthValue > 0
         ? depthValue
         : kDefaultTreeDepth;
+    const depth = Math.min(requestedDepth, kMaxTreeDepth);
+    const requestedPath = String(req.query.path || "").trim();
     try {
-      const tree = buildTreeNode(kRootResolved, depth);
+      const resolvedPath = requestedPath
+        ? resolveSafePath(
+            requestedPath,
+            kRootResolved,
+            kRootWithSep,
+            kRootDisplayName,
+          )
+        : { ok: true, absolutePath: kRootResolved };
+      if (!resolvedPath.ok) {
+        return res.status(400).json({ ok: false, error: resolvedPath.error });
+      }
+      const stats = fs.statSync(resolvedPath.absolutePath);
+      if (!stats.isDirectory()) {
+        return res.status(400).json({ ok: false, error: "Path is not a folder" });
+      }
+      const tree = buildTreeNode(resolvedPath.absolutePath, depth);
       return res.json({ ok: true, root: tree });
     } catch (error) {
       return res.status(500).json({

package/lib/server/routes/pairings.js

@@ -10,8 +10,88 @@ const kAllowedPairingChannels = new Set(["telegram", "discord", "slack", "whatsa
 const kSafePairingArgPattern = /^[\w\-:.]+$/;
 const kDevicesListCliTimeoutMs = 5000;
 const kPairingRequestTtlMs = 60 * 60 * 1000;
+const kDeviceApprovalCallerScopes = [
+  "operator.admin",
+  "operator.read",
+  "operator.write",
+  "operator.approvals",
+  "operator.pairing",
+  "operator.talk.secrets",
+];
 const quoteCliArg = (value) => quoteShellArg(value, { strategy: "single" });
 
+let deviceBootstrapModulePromise = null;
+
+const loadDeviceBootstrapModule = async () => {
+  deviceBootstrapModulePromise ||= import("openclaw/plugin-sdk/device-bootstrap");
+  return deviceBootstrapModulePromise;
+};
+
+const defaultApproveDevicePairingDirect = async (requestId, options, baseDir) => {
+  const mod = await loadDeviceBootstrapModule();
+  if (typeof mod.approveDevicePairing !== "function") {
+    throw new Error("OpenClaw device approval helper is unavailable");
+  }
+  return mod.approveDevicePairing(requestId, options, baseDir);
+};
+
+const formatDevicePairingForbiddenMessage = (result) => {
+  switch (result?.reason) {
+    case "caller-scopes-required":
+      return `missing scope: ${result.scope || "callerScopes-required"}`;
+    case "caller-missing-scope":
+      return `missing scope: ${result.scope || "unknown"}`;
+    case "scope-outside-requested-roles":
+      return `invalid scope for requested roles: ${result.scope || "unknown"}`;
+    case "bootstrap-role-not-allowed":
+      return `bootstrap profile does not allow role: ${result.role || "unknown"}`;
+    case "bootstrap-scope-not-allowed":
+      return `bootstrap profile does not allow scope: ${result.scope || "unknown"}`;
+    default:
+      return "Device pairing approval forbidden";
+  }
+};
+
+const redactApprovedDevice = (device) => {
+  if (!device || typeof device !== "object") return null;
+  const safeDevice = { ...device };
+  delete safeDevice.publicKey;
+  delete safeDevice.tokens;
+  return safeDevice;
+};
+
+const normalizeDeviceApprovalResult = (approval, requestId) => {
+  if (approval?.status === "approved") {
+    return {
+      ok: true,
+      requestId: approval.requestId || requestId,
+      device: redactApprovedDevice(approval.device),
+    };
+  }
+  if (approval?.status === "forbidden") {
+    return {
+      ok: false,
+      statusCode: 403,
+      error: formatDevicePairingForbiddenMessage(approval),
+    };
+  }
+  return {
+    ok: false,
+    statusCode: 404,
+    error: "Device pairing request not found",
+  };
+};
+
+const toHttpDeviceApprovalPayload = (result) => {
+  const { statusCode, ...payload } = result || {};
+  return payload;
+};
+
+const isValidDeviceRequestId = (value) => {
+  const requestId = String(value || "").trim();
+  return Boolean(requestId && kSafePairingArgPattern.test(requestId));
+};
+
 const resolvePairingStorePath = ({ openclawDir, channel }) =>
   path.join(openclawDir, "credentials", `${String(channel).trim().toLowerCase()}-pairing.json`);
 
@@ -136,7 +216,14 @@ const removeAccountRequestsFromPairingStore = ({ fsModule, openclawDir, channel,
   }
 };
 
-const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openclawDir = OPENCLAW_DIR }) => {
+const registerPairingRoutes = ({
+  app,
+  clawCmd,
+  isOnboarded,
+  fsModule = fs,
+  openclawDir = OPENCLAW_DIR,
+  approveDevicePairingDirect = defaultApproveDevicePairingDirect,
+}) => {
   let pairingCache = { pending: [], ts: 0, ttlMs: 0 };
   const kPairingCacheTtlMs = 10000;
   const kEmptyPairingCacheTtlMs = 1000;
@@ -157,6 +244,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
     );
   };
 
+  const approveDeviceRequestWithAdminScope = async (requestId) => {
+    try {
+      const approval = await approveDevicePairingDirect(
+        requestId,
+        { callerScopes: kDeviceApprovalCallerScopes },
+        openclawDir,
+      );
+      return normalizeDeviceApprovalResult(approval, requestId);
+    } catch (error) {
+      return {
+        ok: false,
+        statusCode: 500,
+        error: error?.message || "Could not approve device pairing",
+      };
+    }
+  };
+
   const parsePendingPairings = (stdout, channel) => {
     const parsed = parseJsonObjectFromNoisyOutput(stdout) || {};
     const requestLists = [
@@ -320,15 +424,13 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
         const firstCliPendingId = firstCliPending?.requestId || firstCliPending?.id;
         if (firstCliPendingId) {
           console.log(`[alphaclaw] Auto-approving first CLI device request: ${firstCliPendingId}`);
-          const approveResult = await clawCmd(`devices approve ${firstCliPendingId}`, {
-            quiet: true,
-          });
+          const approveResult = await approveDeviceRequestWithAdminScope(firstCliPendingId);
           if (approveResult.ok) {
             writeCliAutoApproveMarker();
             autoApprovedRequestId = String(firstCliPendingId);
           } else {
             console.log(
-              `[alphaclaw] CLI auto-approve failed: ${(approveResult.stderr || "").slice(0, 200)}`,
+              `[alphaclaw] CLI auto-approve failed: ${(approveResult.error || "").slice(0, 200)}`,
             );
           }
         }
@@ -353,13 +455,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
   });
 
   app.post("/api/devices/:id/approve", async (req, res) => {
-    const result = await clawCmd(`devices approve ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await approveDeviceRequestWithAdminScope(requestId);
     devicePairingCache.ts = 0;
-    res.json(result);
+    res
+      .status(result.ok ? 200 : result.statusCode || 500)
+      .json(toHttpDeviceApprovalPayload(result));
   });
 
   app.post("/api/devices/:id/reject", async (req, res) => {
-    const result = await clawCmd(`devices reject ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await clawCmd(`devices reject ${quoteCliArg(requestId)}`);
     devicePairingCache.ts = 0;
     res.json(result);
   });