@elvatis_com/openclaw-cli-bridge-elvatis 0.2.0

package/index.ts

@@ -0,0 +1,160 @@
+/**
+ * openclaw-cli-bridge-elvatis — index.ts
+ *
+ * Phase 1 (auth bridge): registers openai-codex provider using tokens from
+ *   ~/.codex/auth.json (Codex CLI is already logged in — no re-login needed).
+ *
+ * Phase 2 (request bridge): starts a local OpenAI-compatible HTTP proxy server
+ *   and configures OpenClaw's vllm provider to route through it. Model calls
+ *   are handled by the Gemini CLI and Claude Code CLI subprocesses.
+ *
+ * Provider / model naming:
+ *   vllm/cli-gemini/gemini-2.5-pro  → `gemini -m gemini-2.5-pro -p "<prompt>"`
+ *   vllm/cli-claude/claude-opus-4-6 → `claude -p -m claude-opus-4-6 --output-format text "<prompt>"`
+ */
+
+import type {
+  OpenClawPluginApi,
+  ProviderAuthContext,
+  ProviderAuthResult,
+} from "openclaw/plugin-sdk";
+import { buildOauthProviderAuthResult } from "openclaw/plugin-sdk";
+import {
+  DEFAULT_CODEX_AUTH_PATH,
+  DEFAULT_MODEL as CODEX_DEFAULT_MODEL,
+  readCodexCredentials,
+} from "./src/codex-auth.js";
+import { startProxyServer } from "./src/proxy-server.js";
+import { patchOpencllawConfig } from "./src/config-patcher.js";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Plugin config type
+// ──────────────────────────────────────────────────────────────────────────────
+interface CliPluginConfig {
+  // Phase 1: auth bridge
+  codexAuthPath?: string;
+  enableCodex?: boolean;
+  // Phase 2: request proxy
+  enableProxy?: boolean;
+  proxyPort?: number;
+  proxyApiKey?: string;
+  proxyTimeoutMs?: number;
+}
+
+const DEFAULT_PROXY_PORT = 31337;
+const DEFAULT_PROXY_API_KEY = "cli-bridge";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Plugin definition
+// ──────────────────────────────────────────────────────────────────────────────
+const plugin = {
+  id: "openclaw-cli-bridge-elvatis",
+  name: "OpenClaw CLI Bridge",
+  version: "0.2.0",
+  description:
+    "Phase 1: openai-codex auth bridge (reads ~/.codex/auth.json). " +
+    "Phase 2: HTTP proxy server routing model calls through gemini/claude CLIs.",
+
+  register(api: OpenClawPluginApi) {
+    const cfg = (api.pluginConfig ?? {}) as CliPluginConfig;
+    const enableCodex = cfg.enableCodex ?? true;
+    const enableProxy = cfg.enableProxy ?? true;
+    const port = cfg.proxyPort ?? DEFAULT_PROXY_PORT;
+    const apiKey = cfg.proxyApiKey ?? DEFAULT_PROXY_API_KEY;
+    const timeoutMs = cfg.proxyTimeoutMs ?? 120_000;
+    const codexAuthPath = cfg.codexAuthPath ?? DEFAULT_CODEX_AUTH_PATH;
+
+    // ── Phase 1: openai-codex auth bridge ─────────────────────────────────────
+    if (enableCodex) {
+      api.registerProvider({
+        id: "openai-codex",
+        label: "OpenAI Codex (CLI bridge)",
+        docsPath: "/providers/openai",
+        aliases: ["codex-cli"],
+
+        auth: [
+          {
+            id: "codex-cli-oauth",
+            label: "Codex CLI (existing login)",
+            hint: "Reads OAuth tokens from ~/.codex/auth.json — no re-login needed",
+            kind: "oauth",
+
+            run: async (ctx: ProviderAuthContext): Promise<ProviderAuthResult> => {
+              const spin = ctx.prompter.progress("Reading Codex CLI credentials…");
+              try {
+                const creds = await readCodexCredentials(codexAuthPath);
+                spin.stop("Codex CLI credentials loaded");
+
+                return buildOauthProviderAuthResult({
+                  providerId: "openai-codex",
+                  defaultModel: CODEX_DEFAULT_MODEL,
+                  access: creds.accessToken,
+                  refresh: creds.refreshToken,
+                  expires: creds.expiresAt,
+                  email: creds.email,
+                  notes: [
+                    `Auth read from: ${codexAuthPath}`,
+                    "If calls fail, run 'codex login' to refresh, then re-run auth.",
+                  ],
+                });
+              } catch (err) {
+                spin.stop("Failed to read Codex credentials");
+                throw err;
+              }
+            },
+          },
+        ],
+
+        refreshOAuth: async (cred) => {
+          try {
+            const fresh = await readCodexCredentials(codexAuthPath);
+            return {
+              ...cred,
+              access: fresh.accessToken,
+              refresh: fresh.refreshToken ?? cred.refresh,
+              expires: fresh.expiresAt ?? cred.expires,
+            };
+          } catch {
+            return cred;
+          }
+        },
+      });
+
+      api.logger.info("[cli-bridge] openai-codex provider registered (Codex CLI auth bridge)");
+    }
+
+    // ── Phase 2: CLI request proxy ─────────────────────────────────────────────
+    if (enableProxy) {
+      startProxyServer({
+        port,
+        apiKey,
+        timeoutMs,
+        log: (msg) => api.logger.info(msg),
+        warn: (msg) => api.logger.warn(msg),
+      })
+        .then(() => {
+          api.logger.info(
+            `[cli-bridge] proxy ready — vllm/cli-gemini/* and vllm/cli-claude/* available`
+          );
+
+          // Auto-patch openclaw.json with vllm provider config (once)
+          const result = patchOpencllawConfig(port);
+          if (result.patched) {
+            api.logger.info(
+              `[cli-bridge] openclaw.json patched with vllm provider. ` +
+                `Restart gateway to activate cli-gemini/* and cli-claude/* models.`
+            );
+          } else {
+            api.logger.info(`[cli-bridge] config check: ${result.reason}`);
+          }
+        })
+        .catch((err: Error) => {
+          api.logger.warn(
+            `[cli-bridge] proxy server failed to start on port ${port}: ${err.message}`
+          );
+        });
+    }
+  },
+};
+
+export default plugin;

package/openclaw.plugin.json

@@ -0,0 +1,37 @@
+{
+  "id": "openclaw-cli-bridge-elvatis",
+  "name": "OpenClaw CLI Bridge",
+  "version": "0.2.0",
+  "description": "Phase 1: openai-codex auth bridge. Phase 2: local HTTP proxy routing model calls through gemini/claude CLIs (vllm provider).",
+  "providers": ["openai-codex"],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "codexAuthPath": {
+        "type": "string",
+        "description": "Path to ~/.codex/auth.json (default: auto)"
+      },
+      "enableCodex": {
+        "type": "boolean",
+        "description": "Register openai-codex provider from Codex CLI auth (default: true)"
+      },
+      "enableProxy": {
+        "type": "boolean",
+        "description": "Start the local CLI proxy server for gemini/claude (default: true)"
+      },
+      "proxyPort": {
+        "type": "number",
+        "description": "Port for the local CLI proxy server (default: 31337)"
+      },
+      "proxyApiKey": {
+        "type": "string",
+        "description": "API key the vllm provider uses to auth with the proxy (default: cli-bridge)"
+      },
+      "proxyTimeoutMs": {
+        "type": "number",
+        "description": "Max time to wait for a CLI response in ms (default: 120000)"
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "@elvatis_com/openclaw-cli-bridge-elvatis",
+  "version": "0.2.0",
+  "description": "Bridges gemini, claude, and codex CLI tools as OpenClaw model providers. Reads existing CLI auth without re-login.",
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc -p tsconfig.check.json",
+    "test": "vitest run",
+    "ci": "npm run typecheck && npm run test"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.2",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  }
+}

package/src/cli-runner.ts

@@ -0,0 +1,193 @@
+/**
+ * cli-runner.ts
+ *
+ * Spawns CLI subprocesses (gemini, claude) and captures their output.
+ * Input: OpenAI-format messages → formatted prompt string → CLI stdout.
+ */
+
+import { spawn } from "node:child_process";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Message formatting
+// ──────────────────────────────────────────────────────────────────────────────
+
+export interface ChatMessage {
+  role: "system" | "user" | "assistant";
+  content: string;
+}
+
+/**
+ * Convert OpenAI messages to a single flat prompt string.
+ * Both Gemini and Claude CLIs accept a plain text prompt.
+ */
+export function formatPrompt(messages: ChatMessage[]): string {
+  if (messages.length === 0) return "";
+
+  // If it's just a single user message, send it directly — no wrapping.
+  if (messages.length === 1 && messages[0].role === "user") {
+    return messages[0].content;
+  }
+
+  return messages
+    .map((m) => {
+      switch (m.role) {
+        case "system":
+          return `[System]\n${m.content}`;
+        case "assistant":
+          return `[Assistant]\n${m.content}`;
+        case "user":
+        default:
+          return `[User]\n${m.content}`;
+      }
+    })
+    .join("\n\n");
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Core subprocess runner
+// ──────────────────────────────────────────────────────────────────────────────
+
+export interface CliRunResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+export function runCli(
+  cmd: string,
+  args: string[],
+  timeoutMs = 120_000
+): Promise<CliRunResult> {
+  return new Promise((resolve, reject) => {
+    const proc = spawn(cmd, args, {
+      timeout: timeoutMs,
+      env: { ...process.env, NO_COLOR: "1" }, // strip ANSI codes from output
+    });
+
+    let stdout = "";
+    let stderr = "";
+
+    // Important: some CLIs (notably Claude Code) keep waiting for stdin EOF
+    // even when prompt is provided as an argument. Close stdin immediately.
+    proc.stdin.end();
+
+    proc.stdout.on("data", (d: Buffer) => {
+      stdout += d.toString();
+    });
+    proc.stderr.on("data", (d: Buffer) => {
+      stderr += d.toString();
+    });
+
+    proc.on("close", (code) => {
+      resolve({ stdout: stdout.trim(), stderr: stderr.trim(), exitCode: code ?? 0 });
+    });
+
+    proc.on("error", (err) => {
+      reject(new Error(`Failed to spawn '${cmd}': ${err.message}`));
+    });
+  });
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Gemini CLI
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Run: gemini -m <modelId> -p "<prompt>"
+ * Strips the model prefix ("cli-gemini/gemini-2.5-pro" → "gemini-2.5-pro").
+ */
+export async function runGemini(
+  prompt: string,
+  modelId: string,
+  timeoutMs: number
+): Promise<string> {
+  const model = stripPrefix(modelId);
+  const args = ["-m", model, "-p", prompt];
+  const result = await runCli("gemini", args, timeoutMs);
+
+  if (result.exitCode !== 0 && result.stdout.length === 0) {
+    throw new Error(
+      `gemini exited ${result.exitCode}: ${result.stderr || "(no output)"}`
+    );
+  }
+
+  return result.stdout || result.stderr; // gemini sometimes writes to stderr
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Claude Code CLI
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Run: claude -p --output-format text -m <modelId> "<prompt>"
+ * Strips the model prefix ("cli-claude/claude-opus-4-6" → "claude-opus-4-6").
+ */
+export async function runClaude(
+  prompt: string,
+  modelId: string,
+  timeoutMs: number
+): Promise<string> {
+  const model = stripPrefix(modelId);
+  const args = [
+    "-p",
+    "--output-format",
+    "text",
+    "--permission-mode",
+    "plan",
+    "--tools",
+    "",
+    "--model",
+    model,
+    prompt,
+  ];
+  const result = await runCli("claude", args, timeoutMs);
+
+  if (result.exitCode !== 0 && result.stdout.length === 0) {
+    throw new Error(
+      `claude exited ${result.exitCode}: ${result.stderr || "(no output)"}`
+    );
+  }
+
+  return result.stdout;
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Router
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Route a chat completion request to the right CLI based on the model name.
+ * Model naming convention:
+ *   cli-gemini/<id>  → gemini CLI
+ *   cli-claude/<id>  → claude CLI
+ */
+export async function routeToCliRunner(
+  model: string,
+  messages: ChatMessage[],
+  timeoutMs: number
+): Promise<string> {
+  const prompt = formatPrompt(messages);
+
+  if (model.startsWith("cli-gemini/")) {
+    return runGemini(prompt, model, timeoutMs);
+  }
+
+  if (model.startsWith("cli-claude/")) {
+    return runClaude(prompt, model, timeoutMs);
+  }
+
+  throw new Error(
+    `Unknown CLI bridge model: "${model}". ` +
+      `Use "cli-gemini/<model>" or "cli-claude/<model>".`
+  );
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ──────────────────────────────────────────────────────────────────────────────
+
+/** Strip the "cli-gemini/" or "cli-claude/" prefix from a model ID. */
+function stripPrefix(modelId: string): string {
+  const slash = modelId.indexOf("/");
+  return slash === -1 ? modelId : modelId.slice(slash + 1);
+}

package/src/codex-auth.ts

@@ -0,0 +1,90 @@
+/**
+ * codex-auth.ts
+ *
+ * Reads OAuth credentials stored by the Codex CLI (~/.codex/auth.json)
+ * and bridges them into OpenClaw's openai-codex provider registration.
+ *
+ * The Codex CLI manages its own token lifecycle (auto-refresh). This module
+ * reads the stored tokens on demand and re-reads on OAuth refresh to pick up
+ * any token the Codex CLI has renewed since last read.
+ */
+
+import { readFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+export const DEFAULT_CODEX_AUTH_PATH = join(homedir(), ".codex", "auth.json");
+export const DEFAULT_MODEL = "openai-codex/gpt-5.2";
+
+/** Subset of ~/.codex/auth.json we care about */
+interface CodexAuthFile {
+  auth_mode: string;
+  OPENAI_API_KEY?: string | null;
+  tokens?: {
+    access_token?: string;
+    refresh_token?: string;
+    id_token?: string;
+    account_id?: string;
+  };
+  last_refresh?: string;
+}
+
+export interface CodexCredentials {
+  accessToken: string;
+  refreshToken: string | null;
+  /** approximate expiry epoch-ms — Codex tokens typically last ~1h */
+  expiresAt: number | null;
+  email: string | null;
+}
+
+/**
+ * Read and validate credentials from the Codex auth file.
+ * Throws if the file is missing, unreadable, or contains no usable token.
+ */
+export async function readCodexCredentials(
+  authPath: string = DEFAULT_CODEX_AUTH_PATH
+): Promise<CodexCredentials> {
+  let raw: string;
+  try {
+    raw = await readFile(authPath, "utf8");
+  } catch (err) {
+    throw new Error(
+      `Cannot read Codex auth file at ${authPath}. ` +
+        `Run 'codex login' first, then retry. (${(err as Error).message})`
+    );
+  }
+
+  let parsed: CodexAuthFile;
+  try {
+    parsed = JSON.parse(raw) as CodexAuthFile;
+  } catch {
+    throw new Error(`Codex auth file at ${authPath} is not valid JSON.`);
+  }
+
+  // Prefer OAuth access_token; fall back to API key stored by --with-api-key login
+  const accessToken =
+    parsed.tokens?.access_token ?? parsed.OPENAI_API_KEY ?? null;
+
+  if (!accessToken) {
+    throw new Error(
+      `No access token found in ${authPath}. ` +
+        `Run 'codex login' and sign in with your ChatGPT account, then retry.`
+    );
+  }
+
+  // Estimate expiry: last_refresh + 3600s (typical ChatGPT token lifetime)
+  let expiresAt: number | null = null;
+  if (parsed.last_refresh) {
+    const refreshedAt = Date.parse(parsed.last_refresh);
+    if (!isNaN(refreshedAt)) {
+      expiresAt = refreshedAt + 3600 * 1000;
+    }
+  }
+
+  return {
+    accessToken,
+    refreshToken: parsed.tokens?.refresh_token ?? null,
+    expiresAt,
+    email: null, // Codex auth.json doesn't expose email directly
+  };
+}

package/src/config-patcher.ts

@@ -0,0 +1,137 @@
+/**
+ * config-patcher.ts
+ *
+ * Patches ~/.openclaw/openclaw.json to add the vllm provider config
+ * pointing at our local CLI proxy server.
+ *
+ * Only patches if the cli-bridge models are not already present.
+ * Always backs up + validates before writing.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import { homedir } from "node:os";
+import { CLI_MODELS } from "./proxy-server.js";
+
+const CONFIG_PATH = path.join(homedir(), ".openclaw", "openclaw.json");
+const BACKUPS_DIR = path.join(homedir(), ".openclaw", "backups");
+const CLI_BRIDGE_API_KEY = "cli-bridge";
+
+export interface PatchResult {
+  patched: boolean;
+  reason: string;
+}
+
+/**
+ * Ensure the vllm provider entry in openclaw.json includes CLI bridge models.
+ * Returns {patched: false} if already up to date.
+ */
+export function patchOpencllawConfig(port: number): PatchResult {
+  let raw: string;
+  try {
+    raw = fs.readFileSync(CONFIG_PATH, "utf-8");
+  } catch (err) {
+    return { patched: false, reason: `Cannot read config: ${(err as Error).message}` };
+  }
+
+  let cfg: Record<string, unknown>;
+  try {
+    cfg = JSON.parse(raw) as Record<string, unknown>;
+  } catch {
+    return { patched: false, reason: "Config is not valid JSON — skipping patch." };
+  }
+
+  // Check if already patched (both provider models + agent allowlist)
+  const models = (cfg as any)?.models?.providers?.vllm?.models;
+  const hasBridgeProviderModels =
+    Array.isArray(models) &&
+    models.some((m: any) => typeof m?.id === "string" && m.id.startsWith("cli-"));
+
+  const allowedModels = (cfg as any)?.agents?.defaults?.models ?? {};
+  const hasBridgeAllowlist =
+    !!allowedModels["vllm/cli-gemini/gemini-2.5-pro"] ||
+    !!allowedModels["vllm/cli-claude/claude-sonnet-4-6"];
+
+  if (hasBridgeProviderModels && hasBridgeAllowlist) {
+    return { patched: false, reason: "vllm provider + agent allowlist already include cli-bridge models." };
+  }
+
+  // Backup
+  try {
+    fs.mkdirSync(BACKUPS_DIR, { recursive: true });
+    const ts = new Date().toISOString().replace(/[:.]/g, "-").slice(0, 19) + "Z";
+    const backupPath = path.join(BACKUPS_DIR, `openclaw.json.${ts}.bak`);
+    fs.copyFileSync(CONFIG_PATH, backupPath);
+  } catch {
+    // Non-fatal — proceed without backup
+  }
+
+  // Build vllm model list
+  const vllmModels = CLI_MODELS.map((m) => ({
+    id: m.id,
+    name: m.name,
+    reasoning: false,
+    input: ["text"],
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: m.contextWindow,
+    maxTokens: m.maxTokens,
+  }));
+
+  // Merge into config
+  const cfgAny = cfg as any;
+  cfgAny.models = cfgAny.models ?? {};
+  cfgAny.models.providers = cfgAny.models.providers ?? {};
+
+  const existingVllm = cfgAny.models.providers.vllm ?? {};
+  const existingModels: unknown[] = Array.isArray(existingVllm.models)
+    ? existingVllm.models
+    : [];
+
+  // Merge: keep non-cli-bridge models, add/replace cli-bridge models
+  const mergedModels = [
+    ...existingModels.filter(
+      (m: any) => typeof m?.id === "string" && !m.id.startsWith("cli-")
+    ),
+    ...vllmModels,
+  ];
+
+  cfgAny.models.providers.vllm = {
+    ...existingVllm,
+    baseUrl: `http://127.0.0.1:${port}/v1`,
+    apiKey: CLI_BRIDGE_API_KEY,
+    api: "openai-completions",
+    models: mergedModels,
+  };
+
+  // Also whitelist the full provider/model refs in agents.defaults.models
+  // so session model switching and allow checks accept them.
+  cfgAny.agents = cfgAny.agents ?? {};
+  cfgAny.agents.defaults = cfgAny.agents.defaults ?? {};
+  cfgAny.agents.defaults.models = cfgAny.agents.defaults.models ?? {};
+
+  for (const m of vllmModels) {
+    const ref = `vllm/${m.id}`;
+    if (!cfgAny.agents.defaults.models[ref]) {
+      cfgAny.agents.defaults.models[ref] = {
+        alias: m.id.replace(/\//g, "-")
+      };
+    }
+  }
+
+  // Validate JSON before writing
+  let newRaw: string;
+  try {
+    newRaw = JSON.stringify(cfg, null, 2);
+    JSON.parse(newRaw); // validate
+  } catch {
+    return { patched: false, reason: "Failed to serialize patched config." };
+  }
+
+  // Write
+  try {
+    fs.writeFileSync(CONFIG_PATH, newRaw, "utf-8");
+    return { patched: true, reason: `vllm provider configured at http://127.0.0.1:${port}/v1` };
+  } catch (err) {
+    return { patched: false, reason: `Cannot write config: ${(err as Error).message}` };
+  }
+}