@clawchatsai/connector 0.0.87 → 0.0.89

package/dist/gateway-bridge.d.ts

@@ -32,6 +32,10 @@ export interface PluginConfig {
     };
     sessionSecret?: string;
     backupCodeHashes?: string[];
+    totpPending?: {
+        secret: string;
+        generatedAt: string;
+    };
 }
 export interface BridgeConfig {
     gatewayToken: string;

package/dist/index.js

@@ -11,10 +11,10 @@
  */
 import * as fs from 'node:fs';
 import * as http from 'node:http';
+import * as os from 'node:os';
 import * as path from 'node:path';
 import { SignalingClient } from './signaling-client.js';
 import { dispatchRpc } from './shim.js';
-import { checkForUpdates, performUpdate } from './updater.js';
 import { initAuth, handleAuthMessage, cleanupAuth } from './auth-handler.js';
 import { generateTotpSecret, verifyTotp, generateBackupCodes, buildOtpauthUri } from './totp.js';
 import { generateSessionSecret } from './session-token.js';
@@ -66,63 +66,58 @@ function saveConfig(config) {
 // ---------------------------------------------------------------------------
 // Service lifecycle
 // ---------------------------------------------------------------------------
+/**
+ * Detect musl libc (Alpine Linux) vs glibc.
+ * prebuildify/prebuild-install distinguishes linux vs linuxmusl.
+ */
+function detectLinuxLibc() {
+    try {
+        const ldd = fs.readFileSync('/usr/bin/ldd', 'utf8');
+        if (ldd.includes('musl'))
+            return 'musl';
+    }
+    catch { /* not found */ }
+    try {
+        if (fs.readdirSync('/lib').some((f) => f.startsWith('libc.musl')))
+            return 'musl';
+    }
+    catch { /* not found */ }
+    return 'glibc';
+}
+/**
+ * Returns the prebuild key for the current platform, matching the directory
+ * names we bundle under prebuilds/ (e.g. "linux-x64", "linuxmusl-arm64").
+ */
+function getPrebuildKey() {
+    const platform = process.platform;
+    const arch = process.arch;
+    if (platform === 'linux' && detectLinuxLibc() === 'musl')
+        return `linuxmusl-${arch}`;
+    return `${platform}-${arch}`;
+}
 async function ensureNativeModules(ctx) {
-    // OpenClaw installs plugins with --ignore-scripts, which skips native module compilation.
-    // Check if native modules are usable; if not, rebuild them automatically.
     const pluginDir = path.resolve(__dirname, '..');
-    const modules = [
-        { name: 'node-datachannel', binding: 'build/Release/node_datachannel.node', strategy: 'install-script' },
-    ];
-    const missing = modules.filter(m => !fs.existsSync(path.join(pluginDir, 'node_modules', m.name, m.binding)));
-    if (missing.length === 0)
-        return; // all built
-    ctx.logger.info(`Building native modules (first run): ${missing.map(m => m.name).join(', ')}...`);
-    const { execFileSync } = await import('node:child_process');
-    for (const mod of missing) {
-        try {
-            if (mod.strategy === 'install-script') {
-                // Packages using prebuild-install need their install script re-run (npm rebuild
-                // only triggers node-gyp, not prebuild-install). Run the install script directly
-                // from the package's directory.
-                const modDir = path.join(pluginDir, 'node_modules', mod.name);
-                const modPkg = JSON.parse(fs.readFileSync(path.join(modDir, 'package.json'), 'utf-8'));
-                const installCmd = modPkg.scripts?.install;
-                if (installCmd) {
-                    // Add local .bin dirs to PATH so prebuild-install and other local binaries resolve.
-                    // Check both the module's own node_modules/.bin (hoisted deps) and the plugin-level one.
-                    const localBin = [
-                        path.join(modDir, 'node_modules', '.bin'),
-                        path.join(pluginDir, 'node_modules', '.bin'),
-                    ].join(':');
-                    execFileSync('sh', ['-c', installCmd], {
-                        cwd: modDir,
-                        stdio: 'pipe',
-                        timeout: 120_000,
-                        env: { ...process.env, PATH: `${localBin}:${process.env.PATH ?? ''}`, npm_config_node_gyp: '' },
-                    });
-                }
-                else {
-                    // Fallback to rebuild if no install script found
-                    execFileSync('npm', ['rebuild', mod.name], {
-                        cwd: pluginDir,
-                        stdio: 'pipe',
-                        timeout: 120_000,
-                    });
-                }
-            }
-            else {
-                execFileSync('npm', ['rebuild', mod.name], {
-                    cwd: pluginDir,
-                    stdio: 'pipe',
-                    timeout: 120_000,
-                });
-            }
-            ctx.logger.info(`${mod.name} ready.`);
-        }
-        catch (e) {
-            ctx.logger.error(`Failed to build ${mod.name}: ${e.message}`);
-            ctx.logger.error(`Try manually: cd ~/.openclaw/extensions/connector && npm rebuild ${mod.name}`);
-        }
+    const targetPath = path.join(pluginDir, 'node_modules', 'node-datachannel', 'build', 'Release', 'node_datachannel.node');
+    // Already built — nothing to do.
+    if (fs.existsSync(targetPath))
+        return;
+    // Find the bundled prebuilt for this platform (shipped inside the npm package).
+    const prebuildKey = getPrebuildKey();
+    const prebuiltPath = path.join(pluginDir, 'prebuilds', prebuildKey, 'node_datachannel.node');
+    if (!fs.existsSync(prebuiltPath)) {
+        ctx.logger.error(`[clawchats] No prebuilt binary for ${prebuildKey}. ` +
+            `WebRTC will be unavailable. To fix manually: ` +
+            `cd ~/.openclaw/extensions/connector && npm rebuild node-datachannel`);
+        return;
+    }
+    ctx.logger.info(`[clawchats] Installing node-datachannel prebuilt for ${prebuildKey}...`);
+    try {
+        fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+        fs.copyFileSync(prebuiltPath, targetPath);
+        ctx.logger.info('[clawchats] node-datachannel ready.');
+    }
+    catch (e) {
+        ctx.logger.error(`[clawchats] Failed to install prebuilt: ${e.message}`);
     }
 }
 const CLAWCHATS_MD_CONTENT = `# ClawChats — Inline File Delivery
@@ -171,23 +166,7 @@ async function startClawChats(ctx, api, mediaStash) {
             return;
         ctx.logger.info('Setup detected — connecting to ClawChats...');
     }
-    // 1. Check for updates
-    const update = await checkForUpdates();
-    if (update) {
-        ctx.logger.info(`Update available: ${update.current} → ${update.latest}`);
-        if (ctx._forceUpdate) {
-            try {
-                await performUpdate();
-                ctx.logger.info(`Updated to ${update.latest}. Requesting graceful restart...`);
-                api.runtime.requestRestart?.('clawchats update');
-                return; // will restart with new version
-            }
-            catch (e) {
-                ctx.logger.error(`Auto-update failed: ${e.message}`);
-            }
-        }
-    }
-    // 2. Resolve gateway token: runtime API → config file → error
+    // 1. Resolve gateway token: runtime API → config file → error
     const gwCfg = api.config;
     const gwAuth = gwCfg?.['gateway']?.['auth'];
     const gatewayToken = gwAuth?.['token'] || config.gatewayToken || '';
@@ -222,14 +201,38 @@ async function startClawChats(ctx, api, mediaStash) {
     const uploadsDir = path.join(ctx.stateDir, 'clawchats', 'uploads');
     _uploadsDir = uploadsDir;
     // Dynamic import of server.js (plain JS, no type declarations)
-    // @ts-expect-error — server.js is plain JS with no .d.ts
-    const serverModule = await import('../server.js');
+    // @ts-expect-error — server/index.js is plain JS with no .d.ts
+    const serverModule = await import('../server/index.js');
+    // Read env vars here (plugin host) so server/ bundle stays process.env-free.
+    const memoryEnv = {
+        provider: process.env.MEMORY_PROVIDER,
+        host: process.env.MEMORY_HOST || process.env.QDRANT_HOST,
+        port: process.env.MEMORY_PORT || process.env.QDRANT_PORT,
+        collection: process.env.MEMORY_COLLECTION || process.env.QDRANT_COLLECTION,
+        pgUrl: process.env.MEMORY_PG_URL,
+        qdrantUrl: process.env.QDRANT_URL,
+    };
+    // Filter out undefined values so discoverMemoryConfig only overrides what's set.
+    const memoryEnvFiltered = Object.fromEntries(Object.entries(memoryEnv).filter(([, v]) => v !== undefined && v !== ''));
     app = serverModule.createApp({
         dataDir,
         uploadsDir,
-        gatewayUrl: 'ws://localhost:18789',
-        authToken: '', // P2P: DataChannel is the auth boundary (signaling authenticates both sides)
+        port: parseInt(process.env.PORT || '3001', 10),
+        gatewayUrl: process.env.GATEWAY_WS_URL || 'ws://localhost:18789',
+        authToken: process.env.CLAWCHATS_AUTH_TOKEN || '', // P2P: DataChannel is the auth boundary
         gatewayToken, // For WS auth to local OpenClaw gateway
+        openaiApiKey: (() => {
+            // Resolve OpenAI API key: openclaw config → env var
+            try {
+                const oc = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.openclaw', 'openclaw.json'), 'utf8'));
+                const fromConfig = oc?.skills?.entries?.['openai-whisper-api']?.apiKey;
+                if (fromConfig)
+                    return fromConfig;
+            }
+            catch { /* ok */ }
+            return process.env.OPENAI_API_KEY || null;
+        })(),
+        memoryEnv: memoryEnvFiltered,
         mediaStash, // Shared Map populated by after_tool_call hook (captures MEDIA: paths from exec)
     });
     // 4. Connect createApp's gateway client (handles persistence + event relay)
@@ -263,17 +266,6 @@ async function startClawChats(ctx, api, mediaStash) {
         ctx.logger.error(`Signaling auth rejected: ${reason}`);
     });
     // version-rejected listener removed — version check is now client-side
-    signaling.on('force-update', async (targetVersion) => {
-        ctx.logger.info(`Force update to ${targetVersion} requested`);
-        try {
-            await performUpdate();
-            ctx.logger.info('Update complete, requesting restart');
-            api.runtime.requestRestart?.('forced update');
-        }
-        catch (e) {
-            ctx.logger.error(`Force update failed: ${e.message}`);
-        }
-    });
     signaling.on('account-suspended', (reason) => {
         ctx.logger.error(`Account suspended: ${reason}`);
         broadcastToClients({ type: 'account-suspended', reason });
@@ -760,7 +752,7 @@ function formatStatus() {
 // ---------------------------------------------------------------------------
 // CLI handlers
 // ---------------------------------------------------------------------------
-async function handleSetup(token) {
+async function handleSetup(token, options = {}) {
     // Decode base64 token
     let tokenData;
     try {
@@ -850,21 +842,36 @@ async function handleSetup(token) {
                 fs.mkdirSync(dataDir, { recursive: true });
                 fs.mkdirSync(uploadsDir, { recursive: true });
                 ws.close();
-                // Enroll TOTP (interactive — single readline for the whole flow)
-                const totpOk = await enrollTotp(config);
-                if (!totpOk) {
+                if (options.skipTotp) {
+                    // Agent-driven flow: skip interactive TOTP enrollment.
+                    // User will run setup-totp + verify-totp separately.
+                    console.log('');
+                    console.log('  ✅ Setup complete!');
+                    console.log('');
+                    console.log('  2FA setup pending. Run these commands to enable it:');
+                    console.log('    openclaw clawchats setup-totp');
+                    console.log('    openclaw clawchats verify-totp <6-digit-code>');
+                    console.log('');
+                    console.log('  Then restart:  openclaw gateway restart');
+                    console.log('');
+                }
+                else {
+                    // Interactive (human) flow: enroll TOTP now.
+                    const totpOk = await enrollTotp(config);
+                    if (!totpOk) {
+                        console.log('');
+                        console.log('  ⚠️  TOTP not configured. You can set it up later with: openclaw clawchats reauth');
+                        console.log('  ClawChats will not allow browser connections until 2FA is enabled.');
+                    }
+                    console.log('  ✅ Setup complete!');
                     console.log('');
-                    console.log('  ⚠️  TOTP not configured. You can set it up later with: openclaw clawchats reauth');
-                    console.log('  ClawChats will not allow browser connections until 2FA is enabled.');
+                    console.log('  Next steps:');
+                    console.log('  1. Restart your gateway:   openclaw gateway restart');
+                    console.log('     (or: systemctl --user restart openclaw-gateway)');
+                    console.log('  2. Open ClawChats:         https://app.clawchats.ai');
+                    console.log('');
+                    console.log('  The gateway will connect automatically after restart.');
                 }
-                console.log('  ✅ Setup complete!');
-                console.log('');
-                console.log('  Next steps:');
-                console.log('  1. Restart your gateway:   openclaw gateway restart');
-                console.log('     (or: systemctl --user restart openclaw-gateway)');
-                console.log('  2. Open ClawChats:         https://app.clawchats.ai');
-                console.log('');
-                console.log('  The gateway will connect automatically after restart.');
                 resolve();
             }
             else if (msg.type === 'setup-error') {
@@ -993,6 +1000,105 @@ async function handleShowTotp() {
     console.log('  3. When prompted for a TOTP secret, paste the value above');
     console.log('');
 }
+// ---------------------------------------------------------------------------
+// Agent-driven TOTP setup (setup-totp + verify-totp)
+// ---------------------------------------------------------------------------
+async function handleSetupTotp() {
+    const config = loadConfig();
+    if (!config) {
+        console.error('ClawChats not configured. Run: openclaw clawchats setup <token> --skip-totp');
+        return;
+    }
+    if (config.schemaVersion >= 2 && config.totp) {
+        console.error('TOTP already active. Use: openclaw clawchats reauth to reset.');
+        return;
+    }
+    // Idempotency: reuse pending secret if generated within the last 24 hours.
+    // Prevents stale-secret issues when the agent retries or the user reruns the command.
+    const PENDING_TTL_MS = 24 * 60 * 60 * 1000;
+    let totpSecret;
+    const existing = config.totpPending;
+    if (existing?.secret && existing.generatedAt) {
+        const age = Date.now() - new Date(existing.generatedAt).getTime();
+        if (age < PENDING_TTL_MS) {
+            totpSecret = existing.secret;
+        }
+        else {
+            // Expired — generate a fresh one
+            totpSecret = generateTotpSecret();
+            config.totpPending = { secret: totpSecret, generatedAt: new Date().toISOString() };
+            saveConfig(config);
+        }
+    }
+    else {
+        totpSecret = generateTotpSecret();
+        config.totpPending = { secret: totpSecret, generatedAt: new Date().toISOString() };
+        saveConfig(config);
+    }
+    const formatted = totpSecret.match(/.{1,4}/g)?.join(' ') || totpSecret;
+    const setupUrl = `${config.serverUrl.replace('wss://', 'https://').replace(/\/ws\/?$/, '')}/totp-setup#${totpSecret}`;
+    console.log('');
+    console.log('  🔐 ClawChats Two-Factor Authentication Setup');
+    console.log('');
+    console.log('  Open this URL to scan the QR code with your authenticator app:');
+    console.log(`  ${setupUrl}`);
+    console.log('');
+    console.log(`  Or enter manually: ${formatted}`);
+    console.log('');
+    console.log('  Once added, verify with:');
+    console.log('    openclaw clawchats verify-totp <6-digit-code>');
+    console.log('');
+}
+async function handleVerifyTotp(code) {
+    const config = loadConfig();
+    if (!config) {
+        console.error('ClawChats not configured. Run: openclaw clawchats setup <token> --skip-totp');
+        return;
+    }
+    if (config.schemaVersion >= 2 && config.totp) {
+        console.error('TOTP already active. Use: openclaw clawchats reauth to reset.');
+        return;
+    }
+    if (!config.totpPending?.secret) {
+        console.error('No pending TOTP secret. Run: openclaw clawchats setup-totp first.');
+        return;
+    }
+    const step = verifyTotp(code.trim(), config.totpPending.secret, 0);
+    if (step < 0) {
+        console.error('  ❌ Invalid code. Make sure you scanned the correct QR code and try again.');
+        console.error('     Run: openclaw clawchats verify-totp <new-code>');
+        process.exit(1);
+    }
+    // Generate backup codes
+    const { codes, hashes } = generateBackupCodes();
+    console.log('');
+    console.log('  🔑 Backup codes (save these somewhere safe — one-time use):');
+    for (const backupCode of codes) {
+        console.log(`     ${backupCode}`);
+    }
+    console.log('');
+    console.log('  ⚠️  These codes will NOT be shown again.');
+    // Generate session secret and finalize config
+    const sessionSecret = generateSessionSecret();
+    config.totp = {
+        secret: config.totpPending.secret,
+        algorithm: 'SHA1',
+        digits: 6,
+        period: 30,
+        enabledAt: new Date().toISOString(),
+    };
+    config.sessionSecret = sessionSecret;
+    config.backupCodeHashes = hashes;
+    config.schemaVersion = 2;
+    delete config.totpPending;
+    saveConfig(config);
+    console.log('');
+    console.log('  ✅ Two-factor authentication enabled!');
+    console.log('');
+    console.log('  Restart the gateway to apply:');
+    console.log('    openclaw gateway restart');
+    console.log('');
+}
 async function handleReauth() {
     const config = loadConfig();
     if (!config) {
@@ -1178,11 +1284,17 @@ const plugin = {
         api.registerCli((ctx) => {
             const cmd = ctx.program.command('clawchats');
             cmd.command('setup <token>')
-                .description('Set up ClawChats with a setup token')
-                .action((token) => handleSetup(String(token)));
+                .description('Set up ClawChats with a setup token (use --skip-totp for agent-driven installs)')
+                .action((token) => handleSetup(String(token), { skipTotp: process.argv.includes('--skip-totp') }));
             cmd.command('status')
                 .description('Show ClawChats connection status')
                 .action(() => handleStatus());
+            cmd.command('setup-totp')
+                .description('Generate TOTP QR code for agent-driven 2FA setup (run after setup --skip-totp)')
+                .action(() => handleSetupTotp());
+            cmd.command('verify-totp <code>')
+                .description('Verify TOTP code and finalize 2FA setup (agent-driven flow)')
+                .action((code) => handleVerifyTotp(String(code)));
             cmd.command('reauth')
                 .description('Reset two-factor authentication (new TOTP secret + invalidate sessions)')
                 .action(() => handleReauth());

package/package.json

@@ -1,15 +1,15 @@
 {
   "name": "@clawchatsai/connector",
-  "version": "0.0.87",
+  "version": "0.0.89",
   "type": "module",
   "description": "ClawChats OpenClaw plugin — P2P tunnel + local API bridge",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
     "dist",
-    "server.js",
     "server/",
-    "openclaw.plugin.json"
+    "openclaw.plugin.json",
+    "prebuilds/"
   ],
   "publishConfig": {
     "access": "public"
@@ -18,7 +18,6 @@
     "node": ">=22.5.0"
   },
   "scripts": {
-    "prebuild": "node esbuild.config.mjs",
     "build": "tsc",
     "dev": "tsc --watch",
     "prepublishOnly": "npm run build"

package/server/config.js

@@ -23,13 +23,14 @@ export function parseConfigField(field) {
   return null;
 }
 
-// Auth token: env var → config.js → empty (open/unauthenticated mode)
-export const AUTH_TOKEN = process.env.CLAWCHATS_AUTH_TOKEN || parseConfigField('authToken') || '';
+// Auth token: config.js → empty (open/unauthenticated mode)
+// Note: CLAWCHATS_AUTH_TOKEN env var is read by the plugin host (src/index.ts) and passed via createApp().
+export const AUTH_TOKEN = parseConfigField('authToken') || '';
 
 // Gateway WebSocket URL — uses the internal/local gateway address, NOT config.js gatewayUrl
 // (that's the browser's external-facing URL and would cause a routing loop through Caddy)
+// Note: GATEWAY_WS_URL env var is read by the plugin host (src/index.ts) and passed via createApp().
 export function discoverGatewayWsUrl() {
-  if (process.env.GATEWAY_WS_URL) return process.env.GATEWAY_WS_URL;
   for (const cfgPath of [path.join(HOME, '.openclaw', 'openclaw.json'), '/etc/openclaw/openclaw.json']) {
     try {
       const raw = JSON.parse(fs.readFileSync(cfgPath, 'utf8'));
@@ -43,8 +44,8 @@ export function discoverGatewayWsUrl() {
 export const GATEWAY_WS_URL = discoverGatewayWsUrl();
 
 // Sessions directory — where OpenClaw stores session .jsonl files
+// Note: OPENCLAW_SESSIONS_DIR env var is read by the plugin host (src/index.ts) and passed via createApp().
 export const OPENCLAW_SESSIONS_DIR =
-  process.env.OPENCLAW_SESSIONS_DIR ||
   parseConfigField('sessionsDir') ||
   path.join(HOME, '.openclaw', 'agents', 'main', 'sessions');
 

package/server/controllers/agents.js

@@ -0,0 +1,20 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { send } from '../util/http.js';
+
+/**
+ * List available OpenClaw agents.
+ * Keeps fs.readdirSync out of the HTTP router (server/index.js).
+ */
+export function handleAgents(req, res) {
+  try {
+    const agentsDir = path.join(os.homedir(), '.openclaw', 'agents');
+    const agents = fs.readdirSync(agentsDir, { withFileTypes: true })
+      .filter(e => e.isDirectory())
+      .map(e => e.name);
+    send(res, 200, { agents });
+  } catch {
+    send(res, 200, { agents: ['main'] });
+  }
+}

package/server/controllers/settings.js

@@ -0,0 +1,28 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { send } from '../util/http.js';
+
+/**
+ * Factory that returns settings GET/PUT handlers bound to a specific settings file path.
+ * Keeps file I/O out of the HTTP router (server/index.js).
+ */
+export function createSettingsHandlers(settingsFile) {
+  function handleGetSettings(req, res) {
+    try {
+      send(res, 200, fs.existsSync(settingsFile)
+        ? JSON.parse(fs.readFileSync(settingsFile, 'utf8'))
+        : {});
+    } catch {
+      send(res, 200, {});
+    }
+  }
+
+  async function handleSaveSettings(req, res, parseBody) {
+    const body = await parseBody(req);
+    fs.mkdirSync(path.dirname(settingsFile), { recursive: true });
+    fs.writeFileSync(settingsFile, JSON.stringify(body, null, 2));
+    send(res, 200, { ok: true });
+  }
+
+  return { handleGetSettings, handleSaveSettings };
+}

package/server/controllers/static.js

@@ -0,0 +1,56 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+const MIME = {
+  '.html': 'text/html',
+  '.js':   'text/javascript',
+  '.css':  'text/css',
+  '.json': 'application/json',
+  '.ico':  'image/x-icon',
+  '.png':  'image/png',
+  '.svg':  'image/svg+xml',
+  '.gif':  'image/gif',
+  '.webp': 'image/webp',
+};
+
+const STATIC_MAP = {
+  '/':            'index.html',
+  '/index.html':  'index.html',
+  '/app.js':      'app.js',
+  '/style.css':   'style.css',
+  '/error-handler.js': 'error-handler.js',
+  '/manifest.json': 'manifest.json',
+  '/favicon.ico': 'favicon.ico',
+};
+
+/**
+ * Serve static files from pluginDir.
+ * Returns true if the request was handled, false if it should fall through.
+ * Keeps fs.createReadStream out of the HTTP router (server/index.js).
+ */
+export function handleStatic(req, res, pluginDir) {
+  const urlPath = (req.url || '/').split('?')[0];
+  const fileName = STATIC_MAP[urlPath];
+  const isAllowed =
+    fileName ||
+    urlPath.startsWith('/icons/') ||
+    urlPath.startsWith('/lib/') ||
+    urlPath.startsWith('/frontend/') ||
+    urlPath.startsWith('/emoji/') ||
+    urlPath === '/config.js';
+
+  if (!isAllowed) return false;
+
+  const staticPath = path.join(pluginDir, fileName || urlPath.slice(1));
+  if (!fs.existsSync(staticPath) || !fs.statSync(staticPath).isFile()) return false;
+
+  const ext  = path.extname(staticPath).toLowerCase();
+  const stat = fs.statSync(staticPath);
+  res.writeHead(200, {
+    'Content-Type':   MIME[ext] || 'application/octet-stream',
+    'Content-Length': stat.size,
+    'Cache-Control':  ext === '.html' ? 'no-cache' : 'public, max-age=3600',
+  });
+  fs.createReadStream(staticPath).pipe(res);
+  return true;
+}

package/server/controllers/transcribe.js

@@ -1,9 +1,6 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import os from 'node:os';
 import { send } from '../util/http.js';
 
-export async function handleTranscribe(req, res) {
+export async function handleTranscribe(req, res, opts = {}) {
   try {
     const chunks = [];
     for await (const chunk of req) chunks.push(chunk);
@@ -12,12 +9,8 @@ export async function handleTranscribe(req, res) {
     if (audioBuffer.length === 0) return send(res, 400, { error: 'No audio data' });
     if (audioBuffer.length > 25 * 1024 * 1024) return send(res, 400, { error: 'Audio too large (max 25MB)' });
 
-    let apiKey;
-    try {
-      const ocConfig = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.openclaw', 'openclaw.json'), 'utf8'));
-      apiKey = ocConfig?.skills?.entries?.['openai-whisper-api']?.apiKey;
-    } catch { /* ok */ }
-    if (!apiKey) apiKey = process.env.OPENAI_API_KEY;
+    // API key is resolved by the plugin host (src/index.ts) and passed via opts.openaiApiKey.
+    const apiKey = opts.openaiApiKey;
     if (!apiKey) return send(res, 500, { error: 'No OpenAI API key configured' });
 
     const contentType = req.headers['content-type'] || 'audio/webm';