@elvatis_com/openclaw-cli-bridge-elvatis 2.0.0 → 2.1.1

package/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability in this project, please report it responsibly:
+
+1. **Do not open a public issue.** Instead, send an email to **security@elvatis.com** with:
+   - A clear description of the vulnerability
+   - Steps to reproduce
+   - Expected and actual behavior
+   - Any PoC code or attachments (zip) if safe to share
+
+2. We will acknowledge receipt within **48 hours** and provide a timeline for fixes.
+
+3. Do not publicly disclose the issue until we have had a reasonable time to address it.
+
+We appreciate responsible disclosure.

package/index.ts

@@ -17,6 +17,8 @@
  *   /cli-gemini3      → vllm/cli-gemini/gemini-3-pro-preview   (Gemini CLI proxy)
  *   /cli-codex        → openai-codex/gpt-5.3-codex             (Codex CLI OAuth, direct API)
  *   /cli-codex54      → openai-codex/gpt-5.4                   (Codex CLI OAuth, direct API)
+ *   /cli-opencode     → vllm/opencode/default                  (OpenCode CLI proxy)
+ *   /cli-pi           → vllm/pi/default                        (Pi CLI proxy)
  *   /cli-back         → restore model that was active before last /cli-* switch
  *   /cli-test [model] → one-shot proxy health check (does NOT switch global model)
  *   /cli-list         → list all registered CLI bridge models with commands
@@ -57,6 +59,7 @@ import {
   DEFAULT_MODEL as CODEX_DEFAULT_MODEL,
   readCodexCredentials,
 } from "./src/codex-auth.js";
+import { importCodexAuth } from "./src/codex-auth-import.js";
 import { startProxyServer } from "./src/proxy-server.js";
 import { patchOpencllawConfig } from "./src/config-patcher.js";
 import {
@@ -759,6 +762,10 @@ const CLI_MODEL_COMMANDS = [
   { name: "cli-codex52",      model: "openai-codex/gpt-5.2-codex",          description: "GPT-5.2 Codex (Codex CLI auth)",        label: "GPT-5.2 Codex" },
   { name: "cli-codex54",      model: "openai-codex/gpt-5.4",                description: "GPT-5.4 (Codex CLI auth)",              label: "GPT-5.4" },
   { name: "cli-codex-mini",   model: "openai-codex/gpt-5.1-codex-mini",     description: "GPT-5.1 Codex Mini (Codex CLI auth)",   label: "GPT-5.1 Codex Mini" },
+  // ── OpenCode CLI (via local proxy) ─────────────────────────────────────────
+  { name: "cli-opencode",     model: "vllm/opencode/default",               description: "OpenCode (CLI)",                         label: "OpenCode (CLI)" },
+  // ── Pi CLI (via local proxy) ─────────────────────────────────────────────────
+  { name: "cli-pi",           model: "vllm/pi/default",                     description: "Pi (CLI)",                               label: "Pi (CLI)" },
   // ── BitNet local inference (via local proxy → llama-server) ─────────────────
   { name: "cli-bitnet",       model: "vllm/local-bitnet/bitnet-2b",         description: "BitNet b1.58 2B (local CPU, no API key)", label: "BitNet 2B (local)" },
 ] as const;
@@ -1236,6 +1243,11 @@ const plugin = {
         refreshOAuth: async (cred: ProviderAuthContext) => {
           try {
             const fresh = await readCodexCredentials(codexAuthPath);
+            // Also update the agent auth store with refreshed tokens
+            void importCodexAuth({
+              codexAuthPath,
+              log: (msg) => api.logger.info(`[cli-bridge:codex-refresh] ${msg}`),
+            });
             return {
               ...cred,
               access: fresh.accessToken,
@@ -1249,6 +1261,22 @@ const plugin = {
       });
 
       api.logger.info("[cli-bridge] openai-codex provider registered");
+
+      // Auto-import Codex CLI credentials into the agent auth store (Issue #2).
+      // This ensures `openai-codex/*` models work immediately without manual
+      // `openclaw models auth login`. Runs async, non-blocking.
+      void importCodexAuth({
+        codexAuthPath,
+        log: (msg) => api.logger.info(`[cli-bridge:codex-import] ${msg}`),
+      }).then((result) => {
+        if (result.imported) {
+          api.logger.info("[cli-bridge] Codex auth auto-imported into agent auth store ✅");
+        } else if (result.skipped) {
+          api.logger.info("[cli-bridge] Codex auth already current in agent auth store");
+        } else if (result.error) {
+          api.logger.warn(`[cli-bridge] Codex auth import failed: ${result.error}`);
+        }
+      });
     }
 
     // ── Phase 2: CLI request proxy ─────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elvatis_com/openclaw-cli-bridge-elvatis",
-  "version": "2.0.0",
+  "version": "2.1.1",
   "description": "Bridges gemini, claude, and codex CLI tools as OpenClaw model providers. Reads existing CLI auth without re-login.",
   "type": "module",
   "openclaw": {
@@ -25,5 +25,6 @@
   },
   "dependencies": {
     "playwright": "^1.58.2"
-  }
-}
+  },
+  "license": "Apache-2.0"
+}

package/src/codex-auth-import.ts

@@ -0,0 +1,127 @@
+/**
+ * codex-auth-import.ts
+ *
+ * Auto-imports Codex CLI OAuth credentials from ~/.codex/auth.json into
+ * OpenClaw's agent auth store (~/.openclaw/agents/main/agent/auth-profiles.json).
+ *
+ * This solves Issue #2: the provider is registered but actual API calls fail
+ * because the auth store doesn't have the credentials. The user shouldn't need
+ * to run `openclaw models auth login` manually when Codex CLI is already logged in.
+ *
+ * Strategy:
+ *   1. Read credentials from ~/.codex/auth.json (via codex-auth.ts)
+ *   2. Read the existing auth-profiles.json
+ *   3. Upsert the "openai-codex:default" profile with fresh tokens
+ *   4. Write back atomically
+ *
+ * This runs on plugin startup and on OAuth refresh.
+ */
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+import { readCodexCredentials, DEFAULT_CODEX_AUTH_PATH } from "./codex-auth.js";
+
+/** Default path to the OpenClaw agent auth store. */
+const DEFAULT_AUTH_STORE_PATH = join(
+  homedir(),
+  ".openclaw",
+  "agents",
+  "main",
+  "agent",
+  "auth-profiles.json"
+);
+
+/** Auth profile entry format (matches OpenClaw's auth-profiles.json schema). */
+interface AuthProfile {
+  type: "oauth" | "token";
+  provider: string;
+  access?: string;
+  refresh?: string;
+  expires?: number;
+  email?: string;
+  accountId?: string;
+  token?: string;
+}
+
+interface AuthStore {
+  version: number;
+  profiles: Record<string, AuthProfile>;
+}
+
+/**
+ * Import Codex CLI credentials into the OpenClaw agent auth store.
+ *
+ * Returns an object describing the result:
+ *   - imported: true if credentials were written
+ *   - skipped: true if credentials are already up-to-date
+ *   - error: error message if import failed
+ */
+export async function importCodexAuth(opts?: {
+  codexAuthPath?: string;
+  authStorePath?: string;
+  log?: (msg: string) => void;
+}): Promise<{ imported: boolean; skipped: boolean; error?: string }> {
+  const codexAuthPath = opts?.codexAuthPath ?? DEFAULT_CODEX_AUTH_PATH;
+  const authStorePath = opts?.authStorePath ?? DEFAULT_AUTH_STORE_PATH;
+  const log = opts?.log ?? (() => {});
+
+  // Step 1: Read Codex CLI credentials
+  let creds;
+  try {
+    creds = await readCodexCredentials(codexAuthPath);
+  } catch (err) {
+    const msg = `Codex auth not available: ${(err as Error).message}`;
+    log(msg);
+    return { imported: false, skipped: false, error: msg };
+  }
+
+  // Step 2: Read existing auth store (or create skeleton)
+  let store: AuthStore;
+  try {
+    if (existsSync(authStorePath)) {
+      store = JSON.parse(readFileSync(authStorePath, "utf8")) as AuthStore;
+    } else {
+      store = { version: 1, profiles: {} };
+    }
+  } catch (err) {
+    const msg = `Cannot read auth store at ${authStorePath}: ${(err as Error).message}`;
+    log(msg);
+    return { imported: false, skipped: false, error: msg };
+  }
+
+  // Step 3: Check if update is needed
+  const profileKey = "openai-codex:default";
+  const existing = store.profiles[profileKey];
+
+  if (
+    existing &&
+    existing.access === creds.accessToken &&
+    existing.refresh === (creds.refreshToken ?? existing.refresh)
+  ) {
+    log(`Codex auth already up-to-date in ${profileKey}`);
+    return { imported: false, skipped: true };
+  }
+
+  // Step 4: Upsert the profile
+  store.profiles[profileKey] = {
+    type: "oauth",
+    provider: "openai-codex",
+    access: creds.accessToken,
+    ...(creds.refreshToken ? { refresh: creds.refreshToken } : {}),
+    ...(creds.expiresAt ? { expires: creds.expiresAt } : {}),
+    ...(creds.email ? { email: creds.email } : {}),
+  };
+
+  // Step 5: Write back atomically
+  try {
+    mkdirSync(dirname(authStorePath), { recursive: true });
+    writeFileSync(authStorePath, JSON.stringify(store, null, 4) + "\n", "utf8");
+    log(`Codex auth imported into ${profileKey}`);
+    return { imported: true, skipped: false };
+  } catch (err) {
+    const msg = `Failed to write auth store: ${(err as Error).message}`;
+    log(msg);
+    return { imported: false, skipped: false, error: msg };
+  }
+}

package/src/proxy-server.ts

@@ -149,6 +149,10 @@ export function startProxyServer(opts: ProxyServerOptions): Promise<http.Server>
       opts.log(
         `[cli-bridge] proxy server listening on http://127.0.0.1:${opts.port}`
       );
+      // unref() so the proxy server does not keep the Node.js event loop alive
+      // when openclaw doctor or other short-lived CLI commands load plugins.
+      // The gateway's own main loop keeps the process alive during normal operation.
+      server.unref();
       // Start proactive OAuth token refresh scheduler for Claude Code CLI.
       setAuthLogger(opts.log);
       void scheduleTokenRefresh();

package/src/session-manager.ts

@@ -15,6 +15,7 @@ import { existsSync } from "node:fs";
 import { join } from "node:path";
 import { execSync } from "node:child_process";
 import { formatPrompt, type ChatMessage } from "./cli-runner.js";
+import { createIsolatedWorkdir, cleanupWorkdir, sweepOrphanedWorkdirs } from "./workdir.js";
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Types
@@ -30,6 +31,8 @@ export interface SessionEntry {
   exitCode: number | null;
   model: string;
   status: SessionStatus;
+  /** Isolated workdir created for this session (null if caller provided explicit workdir). */
+  isolatedWorkdir: string | null;
 }
 
 export interface SessionInfo {
@@ -38,11 +41,20 @@ export interface SessionInfo {
   status: SessionStatus;
   startTime: number;
   exitCode: number | null;
+  /** Isolated workdir path (null if not using workdir isolation). */
+  isolatedWorkdir: string | null;
 }
 
 export interface SpawnOptions {
   workdir?: string;
   timeout?: number;
+  /**
+   * If true, create an isolated temp directory for this session.
+   * The directory is automatically cleaned up when the session exits or is killed.
+   * Ignored if `workdir` is explicitly set.
+   * Default: false (uses per-runner defaults: tmpdir for gemini, homedir for others).
+   */
+  isolateWorkdir?: boolean;
 }
 
 // ──────────────────────────────────────────────────────────────────────────────
@@ -102,7 +114,15 @@ export class SessionManager {
     const sessionId = randomBytes(8).toString("hex");
     const prompt = formatPrompt(messages);
 
-    const { cmd, args, cwd, useStdin } = this.resolveCliCommand(model, prompt, opts);
+    // Workdir isolation: create a temp dir if requested and no explicit workdir given
+    let isolatedDir: string | null = null;
+    const effectiveOpts = { ...opts };
+    if (opts.isolateWorkdir && !opts.workdir) {
+      isolatedDir = createIsolatedWorkdir();
+      effectiveOpts.workdir = isolatedDir;
+    }
+
+    const { cmd, args, cwd, useStdin } = this.resolveCliCommand(model, prompt, effectiveOpts);
 
     const proc = spawn(cmd, args, {
       env: buildMinimalEnv(),
@@ -118,6 +138,7 @@ export class SessionManager {
       exitCode: null,
       model,
       status: "running",
+      isolatedWorkdir: isolatedDir,
     };
 
     if (useStdin) {
@@ -132,11 +153,19 @@ export class SessionManager {
     proc.on("close", (code) => {
       entry.exitCode = code ?? 0;
       if (entry.status === "running") entry.status = "exited";
+      // Auto-cleanup isolated workdir on process exit
+      if (entry.isolatedWorkdir) {
+        cleanupWorkdir(entry.isolatedWorkdir);
+      }
     });
 
     proc.on("error", () => {
       if (entry.status === "running") entry.status = "exited";
       entry.exitCode = entry.exitCode ?? 1;
+      // Auto-cleanup isolated workdir on error too
+      if (entry.isolatedWorkdir) {
+        cleanupWorkdir(entry.isolatedWorkdir);
+      }
     });
 
     this.sessions.set(sessionId, entry);
@@ -196,12 +225,13 @@ export class SessionManager {
         status: entry.status,
         startTime: entry.startTime,
         exitCode: entry.exitCode,
+        isolatedWorkdir: entry.isolatedWorkdir,
       });
     }
     return result;
   }
 
-  /** Remove sessions older than SESSION_TTL_MS. Kill running ones first. */
+  /** Remove sessions older than SESSION_TTL_MS. Kill running ones first. Clean up isolated workdirs. */
   cleanup(): void {
     const now = Date.now();
     for (const [sessionId, entry] of this.sessions) {
@@ -210,9 +240,15 @@ export class SessionManager {
           entry.proc.kill("SIGTERM");
           entry.status = "killed";
         }
+        // Clean up isolated workdir if it wasn't cleaned on exit
+        if (entry.isolatedWorkdir) {
+          cleanupWorkdir(entry.isolatedWorkdir);
+        }
         this.sessions.delete(sessionId);
       }
     }
+    // Sweep orphaned workdirs from crashed sessions
+    sweepOrphanedWorkdirs();
   }
 
   /** Stop the cleanup timer (for graceful shutdown). */
@@ -221,12 +257,15 @@ export class SessionManager {
       clearInterval(this.cleanupTimer);
       this.cleanupTimer = null;
     }
-    // Kill all running sessions
+    // Kill all running sessions and clean up their workdirs
     for (const [, entry] of this.sessions) {
       if (entry.status === "running") {
         entry.proc.kill("SIGTERM");
         entry.status = "killed";
       }
+      if (entry.isolatedWorkdir) {
+        cleanupWorkdir(entry.isolatedWorkdir);
+      }
     }
   }
 

package/src/workdir.ts

@@ -0,0 +1,108 @@
+/**
+ * workdir.ts
+ *
+ * Workdir isolation for CLI agent spawns (Issue #6).
+ *
+ * Creates a unique temporary directory per agent session and cleans it up
+ * after the session completes. This prevents agents from interfering with
+ * each other or polluting the user's home directory.
+ *
+ * Each isolated workdir is created under a base directory:
+ *   <base>/cli-bridge-<randomHex>/
+ *
+ * Default base: os.tmpdir() (e.g. /tmp/)
+ * Override via OPENCLAW_CLI_BRIDGE_WORKDIR_BASE env var.
+ *
+ * Cleanup is best-effort: directories are removed when the session ends,
+ * and a periodic sweep removes any orphaned dirs older than 1 hour.
+ */
+
+import { mkdtempSync, rmSync, readdirSync, statSync, existsSync, mkdirSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+/** Prefix for all isolated workdir directories. */
+const WORKDIR_PREFIX = "cli-bridge-";
+
+/** Max age for orphaned workdirs before cleanup sweep removes them (ms). */
+const ORPHAN_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour
+
+/** Get the base directory for isolated workdirs. */
+export function getWorkdirBase(): string {
+  return process.env.OPENCLAW_CLI_BRIDGE_WORKDIR_BASE ?? tmpdir();
+}
+
+/**
+ * Create an isolated temporary directory for an agent session.
+ * Returns the absolute path to the new directory.
+ *
+ * The directory is created with a random suffix to ensure uniqueness:
+ *   /tmp/cli-bridge-a1b2c3d4/
+ */
+export function createIsolatedWorkdir(base?: string): string {
+  const dir = mkdtempSync(join(base ?? getWorkdirBase(), WORKDIR_PREFIX));
+  return dir;
+}
+
+/**
+ * Clean up an isolated workdir by removing it and all contents.
+ * Returns true if removed successfully, false if it didn't exist or failed.
+ *
+ * Safety: only removes directories that match the cli-bridge- prefix.
+ */
+export function cleanupWorkdir(dirPath: string): boolean {
+  if (!dirPath || !dirPath.includes(WORKDIR_PREFIX)) {
+    return false; // safety: refuse to remove dirs that don't match our prefix
+  }
+  try {
+    rmSync(dirPath, { recursive: true, force: true });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Sweep orphaned workdirs older than ORPHAN_MAX_AGE_MS.
+ * Scans the base directory for cli-bridge-* dirs and removes stale ones.
+ * Returns the number of dirs removed.
+ */
+export function sweepOrphanedWorkdirs(base?: string): number {
+  const baseDir = base ?? getWorkdirBase();
+  let removed = 0;
+
+  try {
+    const entries = readdirSync(baseDir);
+    const now = Date.now();
+
+    for (const entry of entries) {
+      if (!entry.startsWith(WORKDIR_PREFIX)) continue;
+
+      const fullPath = join(baseDir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory() && (now - stat.mtimeMs) > ORPHAN_MAX_AGE_MS) {
+          rmSync(fullPath, { recursive: true, force: true });
+          removed++;
+        }
+      } catch {
+        // Skip entries we can't stat (race condition, permissions)
+      }
+    }
+  } catch {
+    // Base dir doesn't exist or not readable
+  }
+
+  return removed;
+}
+
+/**
+ * Ensure a directory exists, creating it if needed.
+ * Returns the path.
+ */
+export function ensureDir(dirPath: string): string {
+  if (!existsSync(dirPath)) {
+    mkdirSync(dirPath, { recursive: true });
+  }
+  return dirPath;
+}