@chrysb/alphaclaw 0.9.16 → 0.9.18

package/lib/server/routes/proxy.js

@@ -1,7 +1,202 @@
+const crypto = require("crypto");
+const http = require("http");
+const https = require("https");
+const { URL } = require("url");
+
+const kOpenAiCompatProxyPathPattern =
+  /^\/v1\/(?:chat\/completions|responses|embeddings|models(?:\/[^/?#]+)?)$/;
+const kHopByHopResponseHeaders = new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "trailers",
+  "transfer-encoding",
+  "upgrade",
+]);
+// Strip these even though they're not hop-by-hop: an OpenAI-compatible client
+// (e.g. Sure's external assistant) has no business receiving cookies from the
+// gateway, and a stray Set-Cookie crossing the AlphaClaw boundary would be a
+// real leak.
+const kAlwaysStrippedResponseHeaders = new Set(["set-cookie"]);
+
+const extractBearerToken = (authorization) => {
+  const match = String(authorization || "").match(/^Bearer\s+(.+)$/i);
+  return match ? match[1].trim() : "";
+};
+
+const getApiAuthThrottleState = (authThrottle, req, now) => {
+  if (!authThrottle || typeof authThrottle.getOrCreateLoginAttemptState !== "function") {
+    return null;
+  }
+  const clientKey =
+    typeof authThrottle.getClientKey === "function"
+      ? authThrottle.getClientKey(req)
+      : req.ip || req.socket?.remoteAddress || "unknown";
+  return {
+    clientKey,
+    state: authThrottle.getOrCreateLoginAttemptState(clientKey, now),
+  };
+};
+
+const sendTooManyAuthAttempts = (res, retryAfterSec = 1) => {
+  const normalizedRetryAfterSec = Math.max(1, Math.ceil(Number(retryAfterSec) || 1));
+  res.set("Retry-After", String(normalizedRetryAfterSec));
+  return res.status(429).json({
+    error: "Too many attempts. Try again shortly.",
+    retryAfterSec: normalizedRetryAfterSec,
+  });
+};
+
+const timingSafeStringEqual = (left, right) => {
+  const leftBuffer = Buffer.from(String(left || ""), "utf8");
+  const rightBuffer = Buffer.from(String(right || ""), "utf8");
+  return (
+    leftBuffer.length === rightBuffer.length &&
+    crypto.timingSafeEqual(leftBuffer, rightBuffer)
+  );
+};
+
+const extractBodyBuffer = (req) => {
+  if (Buffer.isBuffer(req.body)) return req.body;
+  if (typeof req.body === "string") return Buffer.from(req.body, "utf8");
+  if (req.body && typeof req.body === "object") {
+    return Buffer.from(JSON.stringify(req.body), "utf8");
+  }
+  return Buffer.alloc(0);
+};
+
+const createGatewayProxyHeaders = ({ reqHeaders, bodyBuffer }) => {
+  const headers = { ...(reqHeaders || {}) };
+  delete headers.host;
+  delete headers.connection;
+  delete headers["content-length"];
+  delete headers["transfer-encoding"];
+  // Express has already parsed and (if gzip/deflate) inflated the body, so
+  // the bytes we reserialize are plain JSON. Forwarding the original
+  // Content-Encoding would tell the gateway to gunzip plain text and fail.
+  delete headers["content-encoding"];
+  delete headers.cookie;
+  if (bodyBuffer.length > 0) {
+    headers["content-length"] = String(bodyBuffer.length);
+    if (!headers["content-type"]) headers["content-type"] = "application/json";
+  }
+  return headers;
+};
+
+const proxyOpenAiCompatRequest = ({
+  req,
+  res,
+  getGatewayUrl,
+  getGatewayToken,
+  openAiCompatApiThrottle,
+}) => {
+  const now = Date.now();
+  const throttleState = getApiAuthThrottleState(
+    openAiCompatApiThrottle,
+    req,
+    now,
+  );
+  if (
+    throttleState &&
+    typeof openAiCompatApiThrottle.evaluateLoginThrottle === "function"
+  ) {
+    const throttle = openAiCompatApiThrottle.evaluateLoginThrottle(
+      throttleState.state,
+      now,
+    );
+    if (throttle.blocked) {
+      return sendTooManyAuthAttempts(res, throttle.retryAfterSec);
+    }
+  }
+
+  const bearerToken = extractBearerToken(req.headers.authorization);
+  const expectedGatewayToken = String(getGatewayToken?.() || "").trim();
+  if (
+    !bearerToken ||
+    !expectedGatewayToken ||
+    !timingSafeStringEqual(bearerToken, expectedGatewayToken)
+  ) {
+    if (
+      throttleState &&
+      typeof openAiCompatApiThrottle.recordLoginFailure === "function"
+    ) {
+      const failure = openAiCompatApiThrottle.recordLoginFailure(
+        throttleState.state,
+        now,
+      );
+      if (failure.locked) {
+        return sendTooManyAuthAttempts(res, failure.retryAfterSec);
+      }
+    }
+    return res.status(401).json({ error: "Unauthorized" });
+  }
+  if (
+    throttleState?.clientKey &&
+    typeof openAiCompatApiThrottle?.recordLoginSuccess === "function"
+  ) {
+    openAiCompatApiThrottle.recordLoginSuccess(throttleState.clientKey);
+  }
+
+  let gateway;
+  try {
+    gateway = new URL(getGatewayUrl());
+  } catch {
+    return res.status(502).json({ error: "Gateway unavailable" });
+  }
+
+  const bodyBuffer = extractBodyBuffer(req);
+  const protocolClient = gateway.protocol === "https:" ? https : http;
+  const headers = createGatewayProxyHeaders({
+    reqHeaders: req.headers,
+    bodyBuffer,
+  });
+  headers.authorization = `Bearer ${bearerToken}`;
+
+  const requestOptions = {
+    protocol: gateway.protocol,
+    hostname: gateway.hostname,
+    port: gateway.port,
+    method: req.method,
+    path: req.originalUrl || req.url,
+    headers,
+  };
+
+  const proxyReq = protocolClient.request(requestOptions, (proxyRes) => {
+    res.statusCode = proxyRes.statusCode || 502;
+    for (const [key, value] of Object.entries(proxyRes.headers || {})) {
+      if (value == null) continue;
+      const lowerKey = key.toLowerCase();
+      if (kHopByHopResponseHeaders.has(lowerKey)) continue;
+      if (kAlwaysStrippedResponseHeaders.has(lowerKey)) continue;
+      res.setHeader(key, value);
+    }
+    proxyRes.pipe(res);
+  });
+
+  proxyReq.on("error", () => {
+    if (!res.headersSent) {
+      res.status(502).json({ error: "Gateway unavailable" });
+    } else {
+      res.end();
+    }
+  });
+
+  if (bodyBuffer.length > 0) {
+    proxyReq.write(bodyBuffer);
+  }
+  proxyReq.end();
+};
+
 const registerProxyRoutes = ({
   app,
   proxy,
   getGatewayUrl,
+  getGatewayToken,
+  isOpenAiCompatApiEnabled = () => true,
+  openAiCompatApiThrottle = null,
   SETUP_API_PREFIXES,
   requireAuth,
   oauthCallbackMiddleware,
@@ -29,10 +224,33 @@ const registerProxyRoutes = ({
   app.all(kHooksPathPattern, webhookMiddleware);
   app.all(kWebhookPathPattern, webhookMiddleware);
 
+  app.all(kOpenAiCompatProxyPathPattern, (req, res) => {
+    if (!isOpenAiCompatApiEnabled()) {
+      return res.status(404).json({ error: "Not found" });
+    }
+    return proxyOpenAiCompatRequest({
+      req,
+      res,
+      getGatewayUrl,
+      getGatewayToken,
+      openAiCompatApiThrottle,
+    });
+  });
+
   app.all(kApiPathPattern, (req, res, next) => {
     if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return next();
     proxy.web(req, res, { target: getGatewayUrl() });
   });
 };
 
-module.exports = { registerProxyRoutes };
+module.exports = {
+  kOpenAiCompatProxyPathPattern,
+  registerProxyRoutes,
+  // Exported for tests.
+  __testing: {
+    createGatewayProxyHeaders,
+    extractBearerToken,
+    kHopByHopResponseHeaders,
+    kAlwaysStrippedResponseHeaders,
+  },
+};

package/lib/server/routes/system.js

@@ -1,5 +1,9 @@
 const { buildManagedPaths } = require("../internal-files-migration");
 const { readOpenclawConfig } = require("../openclaw-config");
+const {
+  readAlphaclawConfig,
+  updateOpenAiCompatApiFeature,
+} = require("../alphaclaw-config");
 const https = require("https");
 
 const registerSystemRoutes = ({
@@ -26,11 +30,13 @@ const registerSystemRoutes = ({
   authProfiles,
   watchdog,
   doctorService,
+  ensureGatewayProxyConfig,
+  getBaseUrl,
 }) => {
   let envRestartPending = false;
   let openclawSecretRuntimePromise = null;
   const kManagedChannelTokenPattern =
-    /^(?:TELEGRAM_BOT_TOKEN|DISCORD_BOT_TOKEN|SLACK_BOT_TOKEN|SLACK_APP_TOKEN)(?:_[A-Z0-9_]+)?$/;
+    /^(?:TELEGRAM_BOT_TOKEN|DISCORD_BOT_TOKEN|SLACK_BOT_TOKEN|SLACK_APP_TOKEN|WHATSAPP_OWNER_NUMBER)(?:_[A-Z0-9_]+)?$/;
   const kEnvVarsReservedForUserInput = new Set([
     "GITHUB_WORKSPACE_REPO",
     "GOG_KEYRING_PASSWORD",
@@ -590,6 +596,10 @@ const registerSystemRoutes = ({
       repo,
       openclawVersion,
       alphaclawVersion,
+      alphaclaw: readAlphaclawConfig({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+      }),
       syncCron: getSystemCronStatus(),
     };
   };
@@ -668,6 +678,57 @@ const registerSystemRoutes = ({
     res.json({ ok: true, syncCron: status });
   });
 
+  app.get("/api/alphaclaw/config", (req, res) => {
+    res.json({
+      ok: true,
+      config: readAlphaclawConfig({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+      }),
+    });
+  });
+
+  app.put("/api/alphaclaw/config/features/openai-compat-api", async (req, res) => {
+    const { enabled } = req.body || {};
+    if (typeof enabled !== "boolean") {
+      return res
+        .status(400)
+        .json({ ok: false, error: "enabled must be a boolean" });
+    }
+
+    try {
+      const { config, changed } = updateOpenAiCompatApiFeature({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+        enabled,
+      });
+      let gatewayConfigChanged = false;
+      if (enabled && isOnboarded() && typeof ensureGatewayProxyConfig === "function") {
+        gatewayConfigChanged = ensureGatewayProxyConfig(getBaseUrl?.(req));
+        if (gatewayConfigChanged && restartRequiredState?.markRequired) {
+          restartRequiredState.markRequired("openai_compat_api_enabled");
+        }
+      }
+      const snapshot =
+        typeof restartRequiredState?.getSnapshot === "function"
+          ? await restartRequiredState.getSnapshot()
+          : null;
+      res.json({
+        ok: true,
+        changed,
+        gatewayConfigChanged,
+        config,
+        restartRequired:
+          Boolean(snapshot?.restartRequired) || (envRestartPending && isOnboarded()),
+      });
+    } catch (err) {
+      res.status(500).json({
+        ok: false,
+        error: err.message || "Could not update AlphaClaw config",
+      });
+    }
+  });
+
   app.get("/api/alphaclaw/version", async (req, res) => {
     const refresh = String(req.query.refresh || "") === "1";
     const status = await alphaclawVersionService.getVersionStatus(refresh);
@@ -838,7 +899,7 @@ const registerSystemRoutes = ({
     }
     restartRequiredState.markRestartInProgress();
     try {
-      restartGateway();
+      await restartGateway();
       envRestartPending = false;
       restartRequiredState.clearRequired();
       restartRequiredState.markRestartComplete();

package/lib/server/usage-tracker-config.js

@@ -8,6 +8,8 @@ const kUsageTrackerPluginPath = path.resolve(
   "usage-tracker",
 );
 const kConversationAccessHookPolicyKey = "allowConversationAccess";
+const kChannelPluginIds = ["telegram", "discord", "slack", "whatsapp"];
+const kDefaultDiscordGroupPolicy = "disabled";
 
 const ensurePluginsShell = (cfg = {}) => {
   if (!cfg.plugins || typeof cfg.plugins !== "object") cfg.plugins = {};
@@ -70,13 +72,58 @@ const ensureUsageTrackerPluginEntry = (cfg = {}) => {
   return JSON.stringify(cfg) !== before;
 };
 
+const hasDiscordGuildAllowlist = (discordConfig = {}) => {
+  const guilds = discordConfig.guilds;
+  return !!guilds && typeof guilds === "object" && Object.keys(guilds).length > 0;
+};
+
+const reconcileDiscordGroupPolicy = (cfg = {}) => {
+  const discord = cfg.channels?.discord;
+  if (!discord || typeof discord !== "object" || discord.enabled === false) {
+    return false;
+  }
+  if (hasDiscordGuildAllowlist(discord)) return false;
+  if (discord.groupPolicy !== "allowlist") return false;
+  discord.groupPolicy = kDefaultDiscordGroupPolicy;
+  return true;
+};
+
+const reconcileEnabledChannelPlugins = (cfg = {}) => {
+  ensurePluginsShell(cfg);
+  let changed = false;
+  for (const pluginKey of kChannelPluginIds) {
+    const channelConfig = cfg.channels?.[pluginKey];
+    if (!channelConfig || typeof channelConfig !== "object") continue;
+    if (channelConfig.enabled !== true) continue;
+    const allowBefore = cfg.plugins.allow.length;
+    ensurePluginAllowed({ cfg, pluginKey });
+    if (cfg.plugins.allow.length > allowBefore) changed = true;
+    const existingEntry = cfg.plugins.entries[pluginKey];
+    if (!existingEntry || existingEntry.enabled !== true) {
+      cfg.plugins.entries[pluginKey] = {
+        ...(existingEntry && typeof existingEntry === "object" ? existingEntry : {}),
+        enabled: true,
+      };
+      changed = true;
+    }
+  }
+  return changed;
+};
+
+const reconcileManagedPluginConfig = (cfg = {}) => {
+  let changed = ensureUsageTrackerPluginEntry(cfg);
+  if (reconcileEnabledChannelPlugins(cfg)) changed = true;
+  if (reconcileDiscordGroupPolicy(cfg)) changed = true;
+  return changed;
+};
+
 const ensureUsageTrackerPluginConfig = ({ fsModule, openclawDir }) => {
   const cfg = readOpenclawConfig({
     fsModule,
     openclawDir,
     fallback: {},
   });
-  const changed = ensureUsageTrackerPluginEntry(cfg);
+  const changed = reconcileManagedPluginConfig(cfg);
   if (!changed) return false;
   writeOpenclawConfig({
     fsModule,
@@ -89,8 +136,12 @@ const ensureUsageTrackerPluginConfig = ({ fsModule, openclawDir }) => {
 
 module.exports = {
   kUsageTrackerPluginPath,
+  kDefaultDiscordGroupPolicy,
   ensurePluginsShell,
   ensurePluginAllowed,
   ensureUsageTrackerPluginEntry,
+  reconcileDiscordGroupPolicy,
+  reconcileEnabledChannelPlugins,
+  reconcileManagedPluginConfig,
   ensureUsageTrackerPluginConfig,
 };

package/lib/server.js

@@ -65,6 +65,10 @@ const {
   getDoctorCard,
   updateDoctorCardStatus,
 } = require("./server/db/doctor");
+const {
+  initAuthDb,
+  createLoginThrottleStore,
+} = require("./server/db/auth");
 const { createWebhookMiddleware } = require("./server/webhook-middleware");
 const {
   readEnvFile,
@@ -144,6 +148,9 @@ const {
 const {
   ensureOpenclawStartupEnv,
 } = require("./server/openclaw-runtime-env");
+const {
+  isOpenAiCompatApiEnabled,
+} = require("./server/alphaclaw-config");
 
 const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
@@ -161,6 +168,18 @@ const app = express();
 app.set("trust proxy", kTrustProxyHops);
 app.use(["/webhook", "/hooks"], express.raw({ type: "*/*", limit: "5mb" }));
 app.use("/gmail-pubsub", express.raw({ type: "*/*", limit: "5mb" }));
+const openAiCompatJsonParser = express.json({ limit: "50mb" });
+const isOpenAiCompatApiCurrentlyEnabled = () =>
+  isOpenAiCompatApiEnabled({
+    fsModule: fs,
+    openclawDir: constants.OPENCLAW_DIR,
+  });
+app.use("/v1", (req, res, next) => {
+  if (!isOpenAiCompatApiCurrentlyEnabled()) {
+    return res.status(404).json({ error: "Not found" });
+  }
+  return openAiCompatJsonParser(req, res, next);
+});
 app.use(express.json({ limit: "5mb" }));
 
 const proxy = httpProxy.createProxyServer({
@@ -186,7 +205,27 @@ const agentsService = createAgentsService({
   restartGateway: () => restartGatewayWithReload(reloadEnv),
   clawCmd,
 });
-const loginThrottle = { ...createLoginThrottle(), getClientKey };
+const loginThrottleStore = createLoginThrottleStore();
+const loginThrottle = {
+  ...createLoginThrottle({ store: loginThrottleStore }),
+  getClientKey,
+};
+const openAiCompatApiThrottle = {
+  ...createLoginThrottle({
+    store: loginThrottleStore,
+    scope: "openai-compat-api",
+    windowMs: constants.kOpenAiCompatApiRateWindowMs,
+    maxAttempts: constants.kOpenAiCompatApiRateMaxAttempts,
+    baseLockMs: constants.kOpenAiCompatApiRateBaseLockMs,
+    maxLockMs: constants.kOpenAiCompatApiRateMaxLockMs,
+    globalWindowMs: constants.kOpenAiCompatApiRateGlobalWindowMs,
+    globalMaxAttempts: constants.kOpenAiCompatApiRateGlobalMaxAttempts,
+    globalBaseLockMs: constants.kOpenAiCompatApiRateGlobalBaseLockMs,
+    globalMaxLockMs: constants.kOpenAiCompatApiRateGlobalMaxLockMs,
+    stateTtlMs: constants.kOpenAiCompatApiRateStateTtlMs,
+  }),
+  getClientKey,
+};
 const resolveSetupUrl = () =>
   resolveSetupUiUrl(
     process.env.ALPHACLAW_SETUP_URL ||
@@ -219,6 +258,7 @@ const cronService = createCronService({
 app.use(express.static(path.join(__dirname, "public")));
 initializeServerDatabases({
   constants,
+  initAuthDb,
   initWebhooksDb,
   initWatchdogDb,
   initUsageDb,
@@ -286,7 +326,11 @@ const doSyncPromptFiles = () => {
   });
   installGogCliSkill({ fs, openclawDir: constants.OPENCLAW_DIR });
 };
-const { isAuthorizedRequest, gmailWatchService } = registerServerRoutes({
+const {
+  isAuthorizedRequest,
+  gmailWatchService,
+  runOnboardedBootSequence: runOnboardedBoot,
+} = registerServerRoutes({
   app,
   fs,
   constants,
@@ -306,8 +350,21 @@ const { isAuthorizedRequest, gmailWatchService } = registerServerRoutes({
   resolveGithubRepoUrl,
   resolveModelProvider,
   ensureGatewayProxyConfig,
+  isOpenAiCompatApiEnabled: isOpenAiCompatApiCurrentlyEnabled,
+  openAiCompatApiThrottle,
   getBaseUrl,
   startGateway,
+  ensureManagedExecDefaults: () =>
+    ensureManagedExecDefaults({
+      fsModule: fs,
+      openclawDir: constants.OPENCLAW_DIR,
+    }),
+  ensureUsageTrackerPluginConfig: () =>
+    ensureUsageTrackerPluginConfig({
+      fsModule: fs,
+      openclawDir: constants.OPENCLAW_DIR,
+    }),
+  resolveSetupUrl,
   syncChannelConfig,
   getChannelStatus,
   openclawVersionService,
@@ -393,26 +450,7 @@ startServerLifecycle({
   server,
   PORT,
   isOnboarded,
-  runOnboardedBootSequence,
-  ensureManagedExecDefaults: () =>
-    ensureManagedExecDefaults({
-      fsModule: fs,
-      openclawDir: constants.OPENCLAW_DIR,
-    }),
-  ensureUsageTrackerPluginConfig: () =>
-    ensureUsageTrackerPluginConfig({
-      fsModule: fs,
-      openclawDir: constants.OPENCLAW_DIR,
-    }),
-  doSyncPromptFiles,
-  reloadEnv,
-  syncChannelConfig,
-  readEnvFile,
-  ensureGatewayProxyConfig,
-  resolveSetupUrl,
-  startGateway,
-  watchdog,
-  gmailWatchService,
+  runOnboardedBootSequence: runOnboardedBoot,
 });
 registerServerShutdown({
   gmailWatchService,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.16",
+  "version": "0.9.18",
   "publishConfig": {
     "access": "public"
   },
@@ -33,7 +33,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.5.6",
+    "openclaw": "2026.5.28",
     "ws": "^8.19.0"
   },
   "devDependencies": {