@chrysb/alphaclaw 0.9.9 → 0.9.11

package/lib/server/routes/pairings.js

@@ -2,12 +2,14 @@ const fs = require("fs");
 const path = require("path");
 const { OPENCLAW_DIR } = require("../constants");
 const { buildManagedPaths } = require("../internal-files-migration");
+const { readOpenclawConfig } = require("../openclaw-config");
 const { parseJsonObjectFromNoisyOutput } = require("../utils/json");
 const { quoteShellArg } = require("../utils/shell");
 
 const kAllowedPairingChannels = new Set(["telegram", "discord", "slack", "whatsapp"]);
 const kSafePairingArgPattern = /^[\w\-:.]+$/;
 const kDevicesListCliTimeoutMs = 5000;
+const kPairingRequestTtlMs = 60 * 60 * 1000;
 const quoteCliArg = (value) => quoteShellArg(value, { strategy: "single" });
 
 const resolvePairingStorePath = ({ openclawDir, channel }) =>
@@ -23,6 +25,77 @@ const readPairingStore = ({ fsModule, filePath }) => {
   }
 };
 
+const normalizePairingCode = (value) =>
+  String(value || "")
+    .trim()
+    .toUpperCase();
+
+const normalizePairingAccountId = (value) => String(value || "").trim() || "default";
+
+const parseTimestampMs = (value) => {
+  const parsed = Date.parse(String(value || "").trim());
+  return Number.isFinite(parsed) ? parsed : null;
+};
+
+const mapPairingStoreEntry = ({ entry, channel, nowMs = Date.now() }) => {
+  const code = normalizePairingCode(entry?.code || entry?.pairingCode);
+  if (!code) return null;
+  const createdAt = String(entry?.createdAt || "").trim();
+  const createdAtMs = parseTimestampMs(createdAt);
+  if (!createdAtMs || nowMs - createdAtMs > kPairingRequestTtlMs) {
+    return null;
+  }
+  return {
+    id: code,
+    code,
+    channel: String(channel || "").trim(),
+    accountId: normalizePairingAccountId(entry?.meta?.accountId || entry?.accountId),
+    requesterId: String(entry?.id || entry?.requesterId || "").trim(),
+    createdAt,
+  };
+};
+
+const readPendingPairingsFromStore = ({ fsModule, openclawDir, channel, nowMs = Date.now() }) => {
+  const filePath = resolvePairingStorePath({ openclawDir, channel });
+  return readPairingStore({ fsModule, filePath })
+    .map((entry) => mapPairingStoreEntry({ entry, channel, nowMs }))
+    .filter(Boolean);
+};
+
+const mergePendingPairings = (...lists) => {
+  const merged = [];
+  const seen = new Map();
+  for (const list of lists) {
+    for (const entry of Array.isArray(list) ? list : []) {
+      const code = normalizePairingCode(entry?.code || entry?.id);
+      const channel = String(entry?.channel || "").trim();
+      if (!code || !channel) continue;
+      const accountId = normalizePairingAccountId(entry?.accountId);
+      const key = `${channel}\u0000${accountId}\u0000${code}`;
+      const current = seen.get(key);
+      if (!current) {
+        const nextEntry = {
+          ...entry,
+          id: code,
+          code,
+          channel,
+          accountId,
+        };
+        seen.set(key, nextEntry);
+        merged.push(nextEntry);
+        continue;
+      }
+      if (!current.requesterId && entry?.requesterId) {
+        current.requesterId = String(entry.requesterId).trim();
+      }
+      if (!current.createdAt && entry?.createdAt) {
+        current.createdAt = String(entry.createdAt).trim();
+      }
+    }
+  }
+  return merged;
+};
+
 const writePairingStore = ({ fsModule, filePath, requests }) => {
   fsModule.mkdirSync(path.dirname(filePath), { recursive: true });
   fsModule.writeFileSync(filePath, JSON.stringify({ version: 1, requests }, null, 2));
@@ -64,8 +137,9 @@ const removeAccountRequestsFromPairingStore = ({ fsModule, openclawDir, channel,
 };
 
 const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openclawDir = OPENCLAW_DIR }) => {
-  let pairingCache = { pending: [], ts: 0 };
-  const PAIRING_CACHE_TTL = 10000;
+  let pairingCache = { pending: [], ts: 0, ttlMs: 0 };
+  const kPairingCacheTtlMs = 10000;
+  const kEmptyPairingCacheTtlMs = 1000;
   const {
     cliDeviceAutoApprovedPath: kCliAutoApproveMarkerPath,
     internalDir: kManagedFilesDir,
@@ -107,34 +181,50 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
   };
 
   app.get("/api/pairings", async (req, res) => {
-    if (Date.now() - pairingCache.ts < PAIRING_CACHE_TTL) {
+    if (Date.now() - pairingCache.ts < Number(pairingCache.ttlMs || 0)) {
       return res.json({ pending: pairingCache.pending });
     }
 
     const pending = [];
     const channels = ["telegram", "discord", "slack", "whatsapp"];
+    const config = readOpenclawConfig({
+      fsModule,
+      openclawDir,
+      fallback: {},
+    });
 
     for (const ch of channels) {
-      try {
-        const config = JSON.parse(
-          fsModule.readFileSync(`${openclawDir}/openclaw.json`, "utf8"),
-        );
-        if (!config.channels?.[ch]?.enabled) continue;
-      } catch {
-        continue;
-      }
+      const pendingFromStore = readPendingPairingsFromStore({
+        fsModule,
+        openclawDir,
+        channel: ch,
+      });
+      const isEnabledInConfig = config.channels?.[ch]?.enabled === true;
+      if (!isEnabledInConfig && pendingFromStore.length === 0) continue;
 
       const result = await clawCmd(`pairing list --channel ${ch} --json`, { quiet: true });
-      if (result.ok && result.stdout) {
+      const rawOutput = [result.stdout, result.stderr].filter(Boolean).join("\n");
+      if (rawOutput) {
         try {
-          pending.push(...parsePendingPairings(result.stdout, ch));
+          pending.push(
+            ...mergePendingPairings(
+              parsePendingPairings(rawOutput, ch),
+              pendingFromStore,
+            ),
+          );
         } catch {
-          // Ignore malformed output for a single channel and keep the rest of the response.
+          pending.push(...pendingFromStore);
         }
+        continue;
       }
+      pending.push(...pendingFromStore);
     }
 
-    pairingCache = { pending, ts: Date.now() };
+    pairingCache = {
+      pending,
+      ts: Date.now(),
+      ttlMs: pending.length > 0 ? kPairingCacheTtlMs : kEmptyPairingCacheTtlMs,
+    };
     res.json({ pending });
   });
 
@@ -166,6 +256,7 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
       ? `pairing approve --channel ${quoteCliArg(channel)} --account ${quoteCliArg(accountId)} ${quoteCliArg(pairingId)}`
       : `pairing approve ${quoteCliArg(channel)} ${quoteCliArg(pairingId)}`;
     const result = await clawCmd(approveCmd);
+    pairingCache.ts = 0;
     res.json(result);
   });
 

package/lib/server/usage-tracker-config.js

@@ -7,6 +7,7 @@ const kUsageTrackerPluginPath = path.resolve(
   "plugin",
   "usage-tracker",
 );
+const kConversationAccessHookPolicyKey = "allowConversationAccess";
 
 const ensurePluginsShell = (cfg = {}) => {
   if (!cfg.plugins || typeof cfg.plugins !== "object") cfg.plugins = {};
@@ -29,19 +30,43 @@ const ensurePluginAllowed = ({ cfg = {}, pluginKey = "" }) => {
   }
 };
 
+const buildUsageTrackerHookPolicy = ({ existingHooks = {} } = {}) => {
+  const hooks = {};
+  if (typeof existingHooks.allowPromptInjection === "boolean") {
+    hooks.allowPromptInjection = existingHooks.allowPromptInjection;
+  }
+  hooks[kConversationAccessHookPolicyKey] = true;
+  return hooks;
+};
+
 const ensureUsageTrackerPluginEntry = (cfg = {}) => {
   const before = JSON.stringify(cfg);
   ensurePluginAllowed({ cfg, pluginKey: "usage-tracker" });
   if (!cfg.plugins.load.paths.includes(kUsageTrackerPluginPath)) {
     cfg.plugins.load.paths.push(kUsageTrackerPluginPath);
   }
-  cfg.plugins.entries["usage-tracker"] = {
-    ...(cfg.plugins.entries["usage-tracker"] &&
+  const existingEntry =
+    cfg.plugins.entries["usage-tracker"] &&
     typeof cfg.plugins.entries["usage-tracker"] === "object"
       ? cfg.plugins.entries["usage-tracker"]
-      : {}),
+      : {};
+  const existingHooks =
+    existingEntry.hooks && typeof existingEntry.hooks === "object"
+      ? existingEntry.hooks
+      : {};
+  const hooks = buildUsageTrackerHookPolicy({
+    existingHooks,
+  });
+  const nextEntry = {
+    ...existingEntry,
     enabled: true,
   };
+  if (Object.keys(hooks).length > 0) {
+    nextEntry.hooks = hooks;
+  } else {
+    delete nextEntry.hooks;
+  }
+  cfg.plugins.entries["usage-tracker"] = nextEntry;
   return JSON.stringify(cfg) !== before;
 };
 

package/lib/server/utils/command-output.js

@@ -0,0 +1,11 @@
+const getCommandOutputCandidates = (error) => {
+  const stdout = String(error?.stdout || "").trim();
+  const stderr = String(error?.stderr || "").trim();
+  const combined = [stdout, stderr].filter(Boolean).join("\n").trim();
+
+  return [...new Set([combined, stdout, stderr].filter(Boolean))];
+};
+
+module.exports = {
+  getCommandOutputCandidates,
+};

package/lib/server.js

@@ -141,12 +141,16 @@ const {
 const {
   ensureManagedExecDefaults,
 } = require("./server/exec-defaults-config");
+const {
+  ensureOpenclawStartupEnv,
+} = require("./server/openclaw-runtime-env");
 
 const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
 initializeServerRuntime({
   fs,
   constants,
+  ensureOpenclawStartupEnv,
   startEnvWatcher,
   attachGatewaySignalHandlers,
   cleanupStaleImportTempDirs,

package/lib/setup/gitignore

@@ -18,5 +18,7 @@ db/**
 !hooks/transforms/**
 !cron/
 !cron/jobs.json
+# OpenClaw 2026.4.20+: runtime execution state (job definitions stay in cron/jobs.json).
+cron/jobs-state.json
 !openclaw.json
 !.gitignore

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.9",
+  "version": "0.9.11",
   "publishConfig": {
     "access": "public"
   },
@@ -36,7 +36,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.4.15",
+    "openclaw": "2026.4.23",
     "patch-package": "^8.0.1",
     "ws": "^8.19.0"
   },

package/patches/openclaw+2026.4.23.patch

@@ -0,0 +1,63 @@
+diff --git a/node_modules/openclaw/dist/plugin-sdk/src/config/zod-schema.d.ts b/node_modules/openclaw/dist/plugin-sdk/src/config/zod-schema.d.ts
+index 8964b19..2285c33 100644
+--- a/node_modules/openclaw/dist/plugin-sdk/src/config/zod-schema.d.ts
++++ b/node_modules/openclaw/dist/plugin-sdk/src/config/zod-schema.d.ts
+@@ -4171,6 +4171,7 @@ export declare const OpenClawSchema: z.ZodObject<{
+             enabled: z.ZodOptional<z.ZodBoolean>;
+             hooks: z.ZodOptional<z.ZodObject<{
+                 allowPromptInjection: z.ZodOptional<z.ZodBoolean>;
++                allowConversationAccess: z.ZodOptional<z.ZodBoolean>;
+             }, z.core.$strict>>;
+             subagent: z.ZodOptional<z.ZodObject<{
+                 allowModelOverride: z.ZodOptional<z.ZodBoolean>;
+diff --git a/node_modules/openclaw/dist/runtime-schema-Dgzy-2rz.js b/node_modules/openclaw/dist/runtime-schema-Dgzy-2rz.js
+index eaaaab6..9847a80 100644
+--- a/node_modules/openclaw/dist/runtime-schema-Dgzy-2rz.js
++++ b/node_modules/openclaw/dist/runtime-schema-Dgzy-2rz.js
+@@ -19939,5 +19939,12 @@ const GENERATED_BASE_CONFIG_SCHEMA = {
+-									properties: { allowPromptInjection: {
+-										type: "boolean",
+-										title: "Allow Prompt Injection Hooks",
+-										description: "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior."
+-									} },
++									properties: {
++										allowPromptInjection: {
++											type: "boolean",
++											title: "Allow Prompt Injection Hooks",
++											description: "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior."
++										},
++										allowConversationAccess: {
++											type: "boolean",
++											title: "Allow Conversation Access Hooks",
++											description: "Explicitly allows a non-bundled plugin to receive conversation content in typed hooks. Keep false unless the plugin is trusted to inspect conversation data."
++										}
++									},
+@@ -24760,0 +24761,5 @@ const GENERATED_BASE_CONFIG_SCHEMA = {
++		"plugins.entries.*.hooks.allowConversationAccess": {
++			label: "Allow Conversation Access Hooks",
++			help: "Explicitly allows a non-bundled plugin to receive conversation content in typed hooks. Keep false unless the plugin is trusted to inspect conversation data.",
++			tags: ["access"]
++		},
+diff --git a/node_modules/openclaw/dist/server.impl-DhtU4okW.js b/node_modules/openclaw/dist/server.impl-DhtU4okW.js
+index 93890d3..7b3c701 100644
+--- a/node_modules/openclaw/dist/server.impl-DhtU4okW.js
++++ b/node_modules/openclaw/dist/server.impl-DhtU4okW.js
+@@ -11165,7 +11165,7 @@ function attachGatewayWsMessageHandler(params) {
+ 					close(1008, truncateCloseReason(authMessage));
+ 				};
+ 				const clearUnboundScopes = () => {
+-					if (scopes.length > 0) {
++					if (scopes.length > 0 && !sharedAuthOk) {
+ 						scopes = [];
+ 						connectParams.scopes = scopes;
+ 					}
+diff --git a/node_modules/openclaw/dist/zod-schema-BhKK4qYw.js b/node_modules/openclaw/dist/zod-schema-BhKK4qYw.js
+index 1dc871e..6803778 100644
+--- a/node_modules/openclaw/dist/zod-schema-BhKK4qYw.js
++++ b/node_modules/openclaw/dist/zod-schema-BhKK4qYw.js
+@@ -775 +775,4 @@ const PluginEntrySchema = z.object({
+-	hooks: z.object({ allowPromptInjection: z.boolean().optional() }).strict().optional(),
++	hooks: z.object({
++		allowPromptInjection: z.boolean().optional(),
++		allowConversationAccess: z.boolean().optional()
++	}).strict().optional(),

package/patches/openclaw+2026.4.15.patch

@@ -1,13 +0,0 @@
-diff --git a/node_modules/openclaw/dist/server.impl-GQ72oJBa.js b/node_modules/openclaw/dist/server.impl-GQ72oJBa.js
-index 70c273a..04a6d54 100644
---- a/node_modules/openclaw/dist/server.impl-GQ72oJBa.js
-+++ b/node_modules/openclaw/dist/server.impl-GQ72oJBa.js
-@@ -22362,7 +22362,7 @@ function attachGatewayWsMessageHandler(params) {
- 					close(1008, truncateCloseReason(authMessage));
- 				};
- 				const clearUnboundScopes = () => {
--					if (scopes.length > 0) {
-+					if (scopes.length > 0 && !sharedAuthOk) {
- 						scopes = [];
- 						connectParams.scopes = scopes;
- 					}