@chrysb/alphaclaw 0.9.17 → 0.9.18

package/lib/server/login-throttle.js

@@ -11,6 +11,7 @@ const {
 } = require("./constants");
 
 const kGlobalStateKey = "global:login";
+const kLoginThrottleScope = "login";
 
 const createLoginAttemptState = (now) => ({
   attempts: 0,
@@ -48,8 +49,15 @@ const createMemoryLoginThrottleStore = () => {
   };
 };
 
-const getClientStateKey = (clientKey) =>
-  `client:${String(clientKey || "unknown")}`;
+const getClientStateKey = (clientKey, scope = kLoginThrottleScope) => {
+  const normalizedClientKey = String(clientKey || "unknown");
+  return scope === kLoginThrottleScope
+    ? `client:${normalizedClientKey}`
+    : `client:${scope}:${normalizedClientKey}`;
+};
+
+const getGlobalStateKey = (scope = kLoginThrottleScope) =>
+  scope === kLoginThrottleScope ? kGlobalStateKey : `global:${scope}`;
 
 const getOrCreateState = (store, stateKey, now) => {
   const existing = store.get(stateKey);
@@ -153,6 +161,16 @@ const chooseFailureResult = (...results) => {
 
 const createLoginThrottle = ({
   store = createMemoryLoginThrottleStore(),
+  scope = kLoginThrottleScope,
+  windowMs = kLoginWindowMs,
+  maxAttempts = kLoginMaxAttempts,
+  baseLockMs = kLoginBaseLockMs,
+  maxLockMs = kLoginMaxLockMs,
+  globalWindowMs = kLoginGlobalWindowMs,
+  globalMaxAttempts = kLoginGlobalMaxAttempts,
+  globalBaseLockMs = kLoginGlobalBaseLockMs,
+  globalMaxLockMs = kLoginGlobalMaxLockMs,
+  stateTtlMs = kLoginStateTtlMs,
 } = {}) => {
   const runExclusive =
     typeof store.runExclusive === "function"
@@ -161,13 +179,14 @@ const createLoginThrottle = ({
 
   const getOrCreateLoginAttemptState = (clientKey, now) =>
     runExclusive(() => {
-      const clientStateKey = getClientStateKey(clientKey);
+      const clientStateKey = getClientStateKey(clientKey, scope);
+      const globalStateKey = getGlobalStateKey(scope);
       return {
         clientKey,
         clientStateKey,
-        globalStateKey: kGlobalStateKey,
+        globalStateKey,
         client: getOrCreateState(store, clientStateKey, now),
-        global: getOrCreateState(store, kGlobalStateKey, now),
+        global: getOrCreateState(store, globalStateKey, now),
       };
     });
 
@@ -175,19 +194,19 @@ const createLoginThrottle = ({
     runExclusive(() => {
       const clientStateKey =
         stateBundle?.clientStateKey ||
-        getClientStateKey(stateBundle?.clientKey);
-      const globalStateKey = stateBundle?.globalStateKey || kGlobalStateKey;
+        getClientStateKey(stateBundle?.clientKey, scope);
+      const globalStateKey = stateBundle?.globalStateKey || getGlobalStateKey(scope);
       const clientResult = evaluateState({
         store,
         stateKey: clientStateKey,
         now,
-        windowMs: kLoginWindowMs,
+        windowMs,
       });
       const globalResult = evaluateState({
         store,
         stateKey: globalStateKey,
         now,
-        windowMs: kLoginGlobalWindowMs,
+        windowMs: globalWindowMs,
       });
       if (stateBundle) {
         stateBundle.client = clientResult.state;
@@ -200,25 +219,25 @@ const createLoginThrottle = ({
     runExclusive(() => {
       const clientStateKey =
         stateBundle?.clientStateKey ||
-        getClientStateKey(stateBundle?.clientKey);
-      const globalStateKey = stateBundle?.globalStateKey || kGlobalStateKey;
+        getClientStateKey(stateBundle?.clientKey, scope);
+      const globalStateKey = stateBundle?.globalStateKey || getGlobalStateKey(scope);
       const clientResult = recordStateFailure({
         store,
         stateKey: clientStateKey,
         now,
-        windowMs: kLoginWindowMs,
-        maxAttempts: kLoginMaxAttempts,
-        baseLockMs: kLoginBaseLockMs,
-        maxLockMs: kLoginMaxLockMs,
+        windowMs,
+        maxAttempts,
+        baseLockMs,
+        maxLockMs,
       });
       const globalResult = recordStateFailure({
         store,
         stateKey: globalStateKey,
         now,
-        windowMs: kLoginGlobalWindowMs,
-        maxAttempts: kLoginGlobalMaxAttempts,
-        baseLockMs: kLoginGlobalBaseLockMs,
-        maxLockMs: kLoginGlobalMaxLockMs,
+        windowMs: globalWindowMs,
+        maxAttempts: globalMaxAttempts,
+        baseLockMs: globalBaseLockMs,
+        maxLockMs: globalMaxLockMs,
       });
       if (stateBundle) {
         stateBundle.client = clientResult.state;
@@ -230,8 +249,8 @@ const createLoginThrottle = ({
   const recordLoginSuccess = (clientKey) => {
     if (!clientKey) return;
     runExclusive(() => {
-      store.delete(getClientStateKey(clientKey));
-      store.delete(kGlobalStateKey);
+      store.delete(getClientStateKey(clientKey, scope));
+      store.delete(getGlobalStateKey(scope));
     });
   };
 
@@ -245,7 +264,7 @@ const createLoginThrottle = ({
         }
         const state = normalizeState(rawState, now);
         if (state.lockUntil > now) continue;
-        if (now - state.lastSeenAt > kLoginStateTtlMs) {
+        if (now - state.lastSeenAt > stateTtlMs) {
           store.delete(stateKey);
         }
       }

package/lib/server/onboarding/openclaw.js

@@ -4,6 +4,7 @@ const {
   ensurePluginAllowed,
   ensureUsageTrackerPluginEntry,
 } = require("../usage-tracker-config");
+const { isOpenAiCompatApiEnabled } = require("../alphaclaw-config");
 
 const kDefaultToolsProfile = "full";
 const kBootstrapExtraFiles = [
@@ -133,16 +134,29 @@ const buildOnboardArgs = ({
   return onboardArgs;
 };
 
-const ensureManagedConfigShell = (cfg) => {
+const ensureManagedConfigShell = (cfg, { openAiCompatApiEnabled = false } = {}) => {
   if (!cfg.channels) cfg.channels = {};
   ensurePluginsShell(cfg);
   if (!cfg.commands) cfg.commands = {};
   if (!cfg.tools) cfg.tools = {};
+  if (!cfg.gateway) cfg.gateway = {};
   if (!cfg.hooks) cfg.hooks = {};
   if (!cfg.hooks.internal) cfg.hooks.internal = {};
   if (!cfg.hooks.internal.entries) cfg.hooks.internal.entries = {};
   cfg.commands.restart = true;
   cfg.tools.profile = kDefaultToolsProfile;
+  if (openAiCompatApiEnabled) {
+    if (!cfg.gateway.http) cfg.gateway.http = {};
+    if (!cfg.gateway.http.endpoints) cfg.gateway.http.endpoints = {};
+    cfg.gateway.http.endpoints.chatCompletions = {
+      ...(cfg.gateway.http.endpoints.chatCompletions || {}),
+      enabled: true,
+    };
+    cfg.gateway.http.endpoints.responses = {
+      ...(cfg.gateway.http.endpoints.responses || {}),
+      enabled: true,
+    };
+  }
   cfg.hooks.internal.enabled = true;
   cfg.hooks.internal.entries["bootstrap-extra-files"] = {
     ...(cfg.hooks.internal.entries["bootstrap-extra-files"] || {}),
@@ -224,7 +238,12 @@ const writeSanitizedOpenclawConfig = ({
 }) => {
   const configPath = `${openclawDir}/openclaw.json`;
   const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
-  ensureManagedConfigShell(cfg);
+  ensureManagedConfigShell(cfg, {
+    openAiCompatApiEnabled: isOpenAiCompatApiEnabled({
+      fsModule: fs,
+      openclawDir,
+    }),
+  });
   applyFreshOnboardingChannels({
     cfg,
     varMap,
@@ -256,7 +275,12 @@ const writeManagedImportOpenclawConfig = ({
 }) => {
   const configPath = `${openclawDir}/openclaw.json`;
   const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
-  ensureManagedConfigShell(cfg);
+  ensureManagedConfigShell(cfg, {
+    openAiCompatApiEnabled: isOpenAiCompatApiEnabled({
+      fsModule: fs,
+      openclawDir,
+    }),
+  });
 
   ensureUsageTrackerPluginEntry(cfg);
 

package/lib/server/routes/proxy.js

@@ -1,7 +1,202 @@
+const crypto = require("crypto");
+const http = require("http");
+const https = require("https");
+const { URL } = require("url");
+
+const kOpenAiCompatProxyPathPattern =
+  /^\/v1\/(?:chat\/completions|responses|embeddings|models(?:\/[^/?#]+)?)$/;
+const kHopByHopResponseHeaders = new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "trailers",
+  "transfer-encoding",
+  "upgrade",
+]);
+// Strip these even though they're not hop-by-hop: an OpenAI-compatible client
+// (e.g. Sure's external assistant) has no business receiving cookies from the
+// gateway, and a stray Set-Cookie crossing the AlphaClaw boundary would be a
+// real leak.
+const kAlwaysStrippedResponseHeaders = new Set(["set-cookie"]);
+
+const extractBearerToken = (authorization) => {
+  const match = String(authorization || "").match(/^Bearer\s+(.+)$/i);
+  return match ? match[1].trim() : "";
+};
+
+const getApiAuthThrottleState = (authThrottle, req, now) => {
+  if (!authThrottle || typeof authThrottle.getOrCreateLoginAttemptState !== "function") {
+    return null;
+  }
+  const clientKey =
+    typeof authThrottle.getClientKey === "function"
+      ? authThrottle.getClientKey(req)
+      : req.ip || req.socket?.remoteAddress || "unknown";
+  return {
+    clientKey,
+    state: authThrottle.getOrCreateLoginAttemptState(clientKey, now),
+  };
+};
+
+const sendTooManyAuthAttempts = (res, retryAfterSec = 1) => {
+  const normalizedRetryAfterSec = Math.max(1, Math.ceil(Number(retryAfterSec) || 1));
+  res.set("Retry-After", String(normalizedRetryAfterSec));
+  return res.status(429).json({
+    error: "Too many attempts. Try again shortly.",
+    retryAfterSec: normalizedRetryAfterSec,
+  });
+};
+
+const timingSafeStringEqual = (left, right) => {
+  const leftBuffer = Buffer.from(String(left || ""), "utf8");
+  const rightBuffer = Buffer.from(String(right || ""), "utf8");
+  return (
+    leftBuffer.length === rightBuffer.length &&
+    crypto.timingSafeEqual(leftBuffer, rightBuffer)
+  );
+};
+
+const extractBodyBuffer = (req) => {
+  if (Buffer.isBuffer(req.body)) return req.body;
+  if (typeof req.body === "string") return Buffer.from(req.body, "utf8");
+  if (req.body && typeof req.body === "object") {
+    return Buffer.from(JSON.stringify(req.body), "utf8");
+  }
+  return Buffer.alloc(0);
+};
+
+const createGatewayProxyHeaders = ({ reqHeaders, bodyBuffer }) => {
+  const headers = { ...(reqHeaders || {}) };
+  delete headers.host;
+  delete headers.connection;
+  delete headers["content-length"];
+  delete headers["transfer-encoding"];
+  // Express has already parsed and (if gzip/deflate) inflated the body, so
+  // the bytes we reserialize are plain JSON. Forwarding the original
+  // Content-Encoding would tell the gateway to gunzip plain text and fail.
+  delete headers["content-encoding"];
+  delete headers.cookie;
+  if (bodyBuffer.length > 0) {
+    headers["content-length"] = String(bodyBuffer.length);
+    if (!headers["content-type"]) headers["content-type"] = "application/json";
+  }
+  return headers;
+};
+
+const proxyOpenAiCompatRequest = ({
+  req,
+  res,
+  getGatewayUrl,
+  getGatewayToken,
+  openAiCompatApiThrottle,
+}) => {
+  const now = Date.now();
+  const throttleState = getApiAuthThrottleState(
+    openAiCompatApiThrottle,
+    req,
+    now,
+  );
+  if (
+    throttleState &&
+    typeof openAiCompatApiThrottle.evaluateLoginThrottle === "function"
+  ) {
+    const throttle = openAiCompatApiThrottle.evaluateLoginThrottle(
+      throttleState.state,
+      now,
+    );
+    if (throttle.blocked) {
+      return sendTooManyAuthAttempts(res, throttle.retryAfterSec);
+    }
+  }
+
+  const bearerToken = extractBearerToken(req.headers.authorization);
+  const expectedGatewayToken = String(getGatewayToken?.() || "").trim();
+  if (
+    !bearerToken ||
+    !expectedGatewayToken ||
+    !timingSafeStringEqual(bearerToken, expectedGatewayToken)
+  ) {
+    if (
+      throttleState &&
+      typeof openAiCompatApiThrottle.recordLoginFailure === "function"
+    ) {
+      const failure = openAiCompatApiThrottle.recordLoginFailure(
+        throttleState.state,
+        now,
+      );
+      if (failure.locked) {
+        return sendTooManyAuthAttempts(res, failure.retryAfterSec);
+      }
+    }
+    return res.status(401).json({ error: "Unauthorized" });
+  }
+  if (
+    throttleState?.clientKey &&
+    typeof openAiCompatApiThrottle?.recordLoginSuccess === "function"
+  ) {
+    openAiCompatApiThrottle.recordLoginSuccess(throttleState.clientKey);
+  }
+
+  let gateway;
+  try {
+    gateway = new URL(getGatewayUrl());
+  } catch {
+    return res.status(502).json({ error: "Gateway unavailable" });
+  }
+
+  const bodyBuffer = extractBodyBuffer(req);
+  const protocolClient = gateway.protocol === "https:" ? https : http;
+  const headers = createGatewayProxyHeaders({
+    reqHeaders: req.headers,
+    bodyBuffer,
+  });
+  headers.authorization = `Bearer ${bearerToken}`;
+
+  const requestOptions = {
+    protocol: gateway.protocol,
+    hostname: gateway.hostname,
+    port: gateway.port,
+    method: req.method,
+    path: req.originalUrl || req.url,
+    headers,
+  };
+
+  const proxyReq = protocolClient.request(requestOptions, (proxyRes) => {
+    res.statusCode = proxyRes.statusCode || 502;
+    for (const [key, value] of Object.entries(proxyRes.headers || {})) {
+      if (value == null) continue;
+      const lowerKey = key.toLowerCase();
+      if (kHopByHopResponseHeaders.has(lowerKey)) continue;
+      if (kAlwaysStrippedResponseHeaders.has(lowerKey)) continue;
+      res.setHeader(key, value);
+    }
+    proxyRes.pipe(res);
+  });
+
+  proxyReq.on("error", () => {
+    if (!res.headersSent) {
+      res.status(502).json({ error: "Gateway unavailable" });
+    } else {
+      res.end();
+    }
+  });
+
+  if (bodyBuffer.length > 0) {
+    proxyReq.write(bodyBuffer);
+  }
+  proxyReq.end();
+};
+
 const registerProxyRoutes = ({
   app,
   proxy,
   getGatewayUrl,
+  getGatewayToken,
+  isOpenAiCompatApiEnabled = () => true,
+  openAiCompatApiThrottle = null,
   SETUP_API_PREFIXES,
   requireAuth,
   oauthCallbackMiddleware,
@@ -29,10 +224,33 @@ const registerProxyRoutes = ({
   app.all(kHooksPathPattern, webhookMiddleware);
   app.all(kWebhookPathPattern, webhookMiddleware);
 
+  app.all(kOpenAiCompatProxyPathPattern, (req, res) => {
+    if (!isOpenAiCompatApiEnabled()) {
+      return res.status(404).json({ error: "Not found" });
+    }
+    return proxyOpenAiCompatRequest({
+      req,
+      res,
+      getGatewayUrl,
+      getGatewayToken,
+      openAiCompatApiThrottle,
+    });
+  });
+
   app.all(kApiPathPattern, (req, res, next) => {
     if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return next();
     proxy.web(req, res, { target: getGatewayUrl() });
   });
 };
 
-module.exports = { registerProxyRoutes };
+module.exports = {
+  kOpenAiCompatProxyPathPattern,
+  registerProxyRoutes,
+  // Exported for tests.
+  __testing: {
+    createGatewayProxyHeaders,
+    extractBearerToken,
+    kHopByHopResponseHeaders,
+    kAlwaysStrippedResponseHeaders,
+  },
+};

package/lib/server/routes/system.js

@@ -1,5 +1,9 @@
 const { buildManagedPaths } = require("../internal-files-migration");
 const { readOpenclawConfig } = require("../openclaw-config");
+const {
+  readAlphaclawConfig,
+  updateOpenAiCompatApiFeature,
+} = require("../alphaclaw-config");
 const https = require("https");
 
 const registerSystemRoutes = ({
@@ -26,6 +30,8 @@ const registerSystemRoutes = ({
   authProfiles,
   watchdog,
   doctorService,
+  ensureGatewayProxyConfig,
+  getBaseUrl,
 }) => {
   let envRestartPending = false;
   let openclawSecretRuntimePromise = null;
@@ -590,6 +596,10 @@ const registerSystemRoutes = ({
       repo,
       openclawVersion,
       alphaclawVersion,
+      alphaclaw: readAlphaclawConfig({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+      }),
       syncCron: getSystemCronStatus(),
     };
   };
@@ -668,6 +678,57 @@ const registerSystemRoutes = ({
     res.json({ ok: true, syncCron: status });
   });
 
+  app.get("/api/alphaclaw/config", (req, res) => {
+    res.json({
+      ok: true,
+      config: readAlphaclawConfig({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+      }),
+    });
+  });
+
+  app.put("/api/alphaclaw/config/features/openai-compat-api", async (req, res) => {
+    const { enabled } = req.body || {};
+    if (typeof enabled !== "boolean") {
+      return res
+        .status(400)
+        .json({ ok: false, error: "enabled must be a boolean" });
+    }
+
+    try {
+      const { config, changed } = updateOpenAiCompatApiFeature({
+        fsModule: fs,
+        openclawDir: OPENCLAW_DIR,
+        enabled,
+      });
+      let gatewayConfigChanged = false;
+      if (enabled && isOnboarded() && typeof ensureGatewayProxyConfig === "function") {
+        gatewayConfigChanged = ensureGatewayProxyConfig(getBaseUrl?.(req));
+        if (gatewayConfigChanged && restartRequiredState?.markRequired) {
+          restartRequiredState.markRequired("openai_compat_api_enabled");
+        }
+      }
+      const snapshot =
+        typeof restartRequiredState?.getSnapshot === "function"
+          ? await restartRequiredState.getSnapshot()
+          : null;
+      res.json({
+        ok: true,
+        changed,
+        gatewayConfigChanged,
+        config,
+        restartRequired:
+          Boolean(snapshot?.restartRequired) || (envRestartPending && isOnboarded()),
+      });
+    } catch (err) {
+      res.status(500).json({
+        ok: false,
+        error: err.message || "Could not update AlphaClaw config",
+      });
+    }
+  });
+
   app.get("/api/alphaclaw/version", async (req, res) => {
     const refresh = String(req.query.refresh || "") === "1";
     const status = await alphaclawVersionService.getVersionStatus(refresh);

package/lib/server.js

@@ -148,6 +148,9 @@ const {
 const {
   ensureOpenclawStartupEnv,
 } = require("./server/openclaw-runtime-env");
+const {
+  isOpenAiCompatApiEnabled,
+} = require("./server/alphaclaw-config");
 
 const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
@@ -165,6 +168,18 @@ const app = express();
 app.set("trust proxy", kTrustProxyHops);
 app.use(["/webhook", "/hooks"], express.raw({ type: "*/*", limit: "5mb" }));
 app.use("/gmail-pubsub", express.raw({ type: "*/*", limit: "5mb" }));
+const openAiCompatJsonParser = express.json({ limit: "50mb" });
+const isOpenAiCompatApiCurrentlyEnabled = () =>
+  isOpenAiCompatApiEnabled({
+    fsModule: fs,
+    openclawDir: constants.OPENCLAW_DIR,
+  });
+app.use("/v1", (req, res, next) => {
+  if (!isOpenAiCompatApiCurrentlyEnabled()) {
+    return res.status(404).json({ error: "Not found" });
+  }
+  return openAiCompatJsonParser(req, res, next);
+});
 app.use(express.json({ limit: "5mb" }));
 
 const proxy = httpProxy.createProxyServer({
@@ -190,8 +205,25 @@ const agentsService = createAgentsService({
   restartGateway: () => restartGatewayWithReload(reloadEnv),
   clawCmd,
 });
+const loginThrottleStore = createLoginThrottleStore();
 const loginThrottle = {
-  ...createLoginThrottle({ store: createLoginThrottleStore() }),
+  ...createLoginThrottle({ store: loginThrottleStore }),
+  getClientKey,
+};
+const openAiCompatApiThrottle = {
+  ...createLoginThrottle({
+    store: loginThrottleStore,
+    scope: "openai-compat-api",
+    windowMs: constants.kOpenAiCompatApiRateWindowMs,
+    maxAttempts: constants.kOpenAiCompatApiRateMaxAttempts,
+    baseLockMs: constants.kOpenAiCompatApiRateBaseLockMs,
+    maxLockMs: constants.kOpenAiCompatApiRateMaxLockMs,
+    globalWindowMs: constants.kOpenAiCompatApiRateGlobalWindowMs,
+    globalMaxAttempts: constants.kOpenAiCompatApiRateGlobalMaxAttempts,
+    globalBaseLockMs: constants.kOpenAiCompatApiRateGlobalBaseLockMs,
+    globalMaxLockMs: constants.kOpenAiCompatApiRateGlobalMaxLockMs,
+    stateTtlMs: constants.kOpenAiCompatApiRateStateTtlMs,
+  }),
   getClientKey,
 };
 const resolveSetupUrl = () =>
@@ -318,6 +350,8 @@ const {
   resolveGithubRepoUrl,
   resolveModelProvider,
   ensureGatewayProxyConfig,
+  isOpenAiCompatApiEnabled: isOpenAiCompatApiCurrentlyEnabled,
+  openAiCompatApiThrottle,
   getBaseUrl,
   startGateway,
   ensureManagedExecDefaults: () =>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.17",
+  "version": "0.9.18",
   "publishConfig": {
     "access": "public"
   },