@elvatis_com/openclaw-cli-bridge-elvatis 2.2.0 → 2.2.2

package/.ai/handoff/DASHBOARD.md

@@ -1,13 +1,13 @@
 # DASHBOARD.md — openclaw-cli-bridge-elvatis
 
-_Last updated: 2026-04-09_
+_Last updated: 2026-04-10_
 
 <!-- SECTION: plugin_status -->
 ## Plugin Status
 
 | Component | Version | Build | Tests | Status |
 |-----------|---------|-------|-------|--------|
-| openclaw-cli-bridge-elvatis | 2.2.0 | ✅ | ✅ | ✅ Stable |
+| openclaw-cli-bridge-elvatis | 2.2.2 | ✅ | ✅ | ✅ Stable |
 <!-- /SECTION: plugin_status -->
 
 <!-- SECTION: release_state -->
@@ -15,9 +15,9 @@ _Last updated: 2026-04-09_
 
 | Platform | Published Version | Status |
 |----------|------------------|--------|
-| GitHub | v2.2.0 | ✅ Pushed to main |
-| npm | 2.1.3 | ⏳ Pending publish |
-| ClawHub | 2.1.3 | ⏳ Pending publish |
+| GitHub | v2.2.2 | ✅ Pushed to main |
+| npm | 2.2.2 | ✅ Published (via CI) |
+| ClawHub | 2.2.2 | ✅ Published (via CI) |
 <!-- /SECTION: release_state -->
 
 <!-- SECTION: open_tasks -->
@@ -31,6 +31,7 @@ _No open tasks._
 
 | Task | Title | Version |
 |------|-------|---------|
+| T-018 | Fix vllm apiKey corruption (401) + harden config-patcher | 2.2.2 |
 | T-017 | Fix log spam, restart loops, CLI blocking | 2.2.0 |
 | T-016 | Issue #2: Codex auth auto-import into agent auth store | 2.1.0 |
 | T-015 | Issue #4: Background session mgmt with workdir isolation | 2.1.0 |

package/.ai/handoff/LOG.md

@@ -4,6 +4,38 @@ _Last 10 sessions. Older entries in LOG-ARCHIVE.md._
 
 ---
 
+## 2026-04-10 — Session 10 (Claude Opus 4.6)
+
+> **Agent:** claude-opus-4-6
+> **Phase:** fix
+> **Commit before:** v2.2.0
+> **Commit after:** v2.2.1
+
+**T-018: Fix vllm apiKey corruption causing 401 + harden config-patcher**
+
+### Problem
+The vllm provider in `~/.openclaw/openclaw.json` had `"apiKey": "__OPENCLAW_KEEP__"` instead of `"cli-bridge"`. The CLI bridge proxy on port 31337 expects `Authorization: Bearer cli-bridge` and rejects any other value with HTTP 401.
+
+This caused all `vllm/cli-claude/*` requests to fail silently, triggering the self-healing plugin's model fallback to `openai-codex/gpt-5.1`.
+
+**Root cause:** An OpenClaw config migration overwrote the apiKey with the marker value `__OPENCLAW_KEEP__`. The config-patcher only checked whether cli-bridge models existed (line 46–53) — if they did, it skipped re-patching even though the apiKey was wrong.
+
+### Fix (src/config-patcher.ts)
+- Added `existingApiKey` / `hasCorrectApiKey` check to the skip-guard (line 55)
+- Patcher now re-patches if `apiKey !== "cli-bridge"`, preventing recurrence after future config migrations
+
+### Also in this session
+- Fixed `~/.openclaw/openclaw.json` directly: `"apiKey": "__OPENCLAW_KEEP__"` → `"cli-bridge"`
+- Gateway restarted — no 401 errors, self-heal model order confirmed working
+
+### Build
+- `npm run build` — ✅ (pre-existing TS errors from missing openclaw/plugin-sdk, JS emitted via `--noEmitOnError false`)
+
+### Version
+2.2.0 → 2.2.1
+
+---
+
 ## 2026-04-09 — Session 9 (Claude Opus 4.6)
 
 > **Agent:** claude-opus-4-6

package/.ai/handoff/NEXT_ACTIONS.md

@@ -1,13 +1,13 @@
 # NEXT_ACTIONS.md — openclaw-cli-bridge-elvatis
 
-_Last updated: 2026-04-09_
+_Last updated: 2026-04-10_
 
 <!-- SECTION: summary -->
 ## Status Summary
 
 | Status  | Count |
 |---------|-------|
-| Done    | 17    |
+| Done    | 18    |
 | Ready   | 0     |
 | Blocked | 0     |
 <!-- /SECTION: summary -->
@@ -30,6 +30,7 @@ _No blocked tasks._
 
 | Task  | Title                                                              | Date       |
 |-------|--------------------------------------------------------------------|------------|
+| T-018 | Fix vllm apiKey corruption (401) + harden config-patcher (v2.2.1)| 2026-04-10 |
 | T-017 | Fix log spam, restart loops, CLI blocking (v2.2.0)               | 2026-04-09 |
 | T-016 | Issue #2: Codex auth auto-import into agent auth store            | 2026-03-19 |
 | T-015 | Issue #4: Background session mgmt with workdir isolation          | 2026-03-19 |

package/.ai/handoff/STATUS.md

@@ -1,9 +1,9 @@
 # STATUS — openclaw-cli-bridge-elvatis
 
-## Current Version: 2.2.0
+## Current Version: 2.2.2
 
-- **npm:** @elvatis_com/openclaw-cli-bridge-elvatis@2.2.0 (pending publish)
-- **ClawHub:** openclaw-cli-bridge-elvatis@2.2.0 (pending publish)
+- **npm:** @elvatis_com/openclaw-cli-bridge-elvatis@2.2.2
+- **ClawHub:** openclaw-cli-bridge-elvatis@2.2.2
 - **GitHub:** https://github.com/elvatis/openclaw-cli-bridge-elvatis (pushed to main)
 
 ## CLI Model Token Limits (corrected in v1.9.2)
@@ -47,6 +47,7 @@ This is by design — CLI tools output plain text only.
 - /bridge-status shows cookie-based status
 
 ## Release History (recent)
+- v2.2.1 (2026-04-10): Fix vllm apiKey corruption (401 Unauthorized) + harden config-patcher to re-patch on wrong apiKey
 - v2.2.0 (2026-04-09): Fix log spam (module-level guards), remove fuser -k restart loops, session restore gateway-only, EADDRINUSE graceful handling
 - v2.1.0 (2026-03-19): Issue #6 workdir isolation, Issue #4 session mgmt enhancements, Issue #2 codex auth auto-import
 - v2.0.0: Major version bump

package/README.md

@@ -2,7 +2,7 @@
 
 > OpenClaw plugin that bridges locally installed AI CLIs (Codex, Gemini, Claude Code, OpenCode, Pi) as model providers — with slash commands for instant model switching, restore, health testing, and model listing.
 
-**Current version:** `2.2.0`
+**Current version:** `2.2.2`
 
 ---
 
@@ -376,6 +376,9 @@ npm run ci          # lint + typecheck + test
 
 ## Changelog
 
+### v2.2.1
+- **fix:** Config-patcher now validates `apiKey` value — re-patches if `__OPENCLAW_KEEP__` or any wrong value is present (prevents vllm 401 Unauthorized after config migrations)
+
 ### v2.2.0
 - **fix:** Module-level guards prevent duplicate log spam — `register()` is called per-agent (~11×), now logs Chrome/provider/commands only once
 - **fix:** Shortened command registration log: count + `/cli-list` reference instead of listing all 32 commands

package/index.ts

@@ -240,20 +240,12 @@ let _cdpBrowserLaunchPromise: Promise<import("playwright").BrowserContext | null
 // Set to true after first run; hot-reloads see true and skip the restore loop.
 let _startupRestoreDone = false;
 
-// Registration guard — register() is called once per agent (~11 times on a
-// typical gateway). Only log noisy one-time info (Chrome check, provider
-// registration, command list, proxy status) on the FIRST call.
-let _registerLoggedOnce = false;
-
-// Proxy start guard — prevents multiple concurrent startProxy() calls from
-// racing. The first call wins; subsequent calls detect the running proxy via
-// probeExisting() and reuse it silently.
+// ── Proxy guards ─────────────────────────────────────────────────────────────
+// register() is called per-agent (~11×) AND on every hot-reload (~60s).
+// All noisy info logs removed. Only warnings/errors remain. These simple
+// module-level booleans are sufficient — probeExisting() handles the real
+// deduplication for the proxy.
 let _proxyStarted = false;
-
-// Tracks whether THIS process owns the proxy (freshly started it, not just reusing
-// an external one). Used to decide if heavyweight startup tasks (session restores,
-// keep-alive intervals) should run. Short-lived CLI commands (models status, doctor)
-// reuse the gateway's proxy but should NOT launch Chromium instances.
 let _proxyOwnedByThisProcess = false;
 
 // Session keep-alive interval — refreshes browser cookies every 20h
@@ -1026,16 +1018,13 @@ const plugin = {
     // Stealth mode uses channel: "chrome" (real system Chrome). If it's missing,
     // browser launches will fail or Cloudflare will block the bundled Chromium.
     const chromeCheck = checkSystemChrome();
-    if (!_registerLoggedOnce) {
-      if (chromeCheck.available) {
-        api.logger.info(`[cli-bridge] system Chrome found: ${chromeCheck.version ?? chromeCheck.path}`);
-      } else {
-        api.logger.warn(
-          `[cli-bridge] ⚠ system Chrome not found! Web browser providers (/grok-login, /gemini-login, etc.) ` +
-          `require Google Chrome or Chromium installed system-wide. ` +
-          `Install with: sudo apt install google-chrome-stable (or chromium-browser)`
-        );
-      }
+    // Chrome warning only — success is silent (logged hundreds of times per minute otherwise)
+    if (!chromeCheck.available) {
+      api.logger.warn(
+        `[cli-bridge] ⚠ system Chrome not found! Web browser providers (/grok-login, /gemini-login, etc.) ` +
+        `require Google Chrome or Chromium installed system-wide. ` +
+        `Install with: sudo apt install google-chrome-stable (or chromium-browser)`
+      );
     }
 
     // ── Session restore: only on first plugin load (not on hot-reloads) ──────
@@ -1284,27 +1273,23 @@ const plugin = {
         },
       });
 
-      if (!_registerLoggedOnce) {
-        api.logger.info("[cli-bridge] openai-codex provider registered");
-      }
+      // Provider registration is silent — logged hundreds of times otherwise
 
       // Auto-import Codex CLI credentials into the agent auth store (Issue #2).
       // This ensures `openai-codex/*` models work immediately without manual
       // `openclaw models auth login`. Runs async, non-blocking.
-      // Only run Codex auth import once — it fires per-agent and spams logs otherwise
-      if (!_registerLoggedOnce) {
-        void importCodexAuth({
-          codexAuthPath,
-          log: (msg) => api.logger.info(`[cli-bridge:codex-import] ${msg}`),
-        }).then((result) => {
-          if (result.imported) {
-            api.logger.info("[cli-bridge] Codex auth auto-imported into agent auth store ✅");
-          } else if (result.error) {
-            api.logger.warn(`[cli-bridge] Codex auth import failed: ${result.error}`);
-          }
-          // skipped = already current → no log needed
-        });
-      }
+      // Codex auth import: silent log callback (suppress "already up-to-date" spam)
+      // Only log on actual import or error — not on skip/already-current.
+      void importCodexAuth({
+        codexAuthPath,
+        log: () => {}, // silent — internal "already up-to-date" spam suppressed
+      }).then((result) => {
+        if (result.imported) {
+          api.logger.info("[cli-bridge] Codex auth auto-imported into agent auth store ✅");
+        } else if (result.error) {
+          api.logger.warn(`[cli-bridge] Codex auth import failed: ${result.error}`);
+        }
+      });
     }
 
     // ── Phase 2: CLI request proxy ─────────────────────────────────────────────
@@ -1331,14 +1316,14 @@ const plugin = {
 
       const startProxy = async (): Promise<void> => {
         // Guard: only the first register() call starts the proxy.
-        // Subsequent per-agent calls skip entirely.
+        // Subsequent per-agent calls AND hot-reloads skip entirely.
         if (_proxyStarted) return;
         _proxyStarted = true;
 
         // If a healthy proxy is already up, reuse it — no need to rebind.
         const alive = await probeExisting();
         if (alive) {
-          api.logger.info(`[cli-bridge] proxy already running on :${port} — reusing`);
+          // Silent — this fires on every hot-reload (~60s) and every register() call
           return;
         }
 
@@ -2476,10 +2461,7 @@ const plugin = {
       "/bridge-status",
       "/cli-help",
     ];
-    if (!_registerLoggedOnce) {
-      api.logger.info(`[cli-bridge] registered ${allCommands.length} commands (use /cli-list to see all)`);
-    }
-    _registerLoggedOnce = true;
+    // Command registration is silent — fires on every register() call
   },
 };
 

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "openclaw-cli-bridge-elvatis",
   "slug": "openclaw-cli-bridge-elvatis",
   "name": "OpenClaw CLI Bridge",
-  "version": "2.2.0",
+  "version": "2.2.2",
   "license": "MIT",
   "description": "Phase 1: openai-codex auth bridge. Phase 2: local HTTP proxy routing model calls through gemini/claude CLIs (vllm provider).",
   "providers": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elvatis_com/openclaw-cli-bridge-elvatis",
-  "version": "2.2.0",
+  "version": "2.2.2",
   "description": "Bridges gemini, claude, and codex CLI tools as OpenClaw model providers. Reads existing CLI auth without re-login.",
   "type": "module",
   "openclaw": {

package/src/config-patcher.ts

@@ -52,7 +52,10 @@ export function patchOpencllawConfig(port: number): PatchResult {
     !!allowedModels["vllm/cli-gemini/gemini-2.5-pro"] ||
     !!allowedModels["vllm/cli-claude/claude-sonnet-4-6"];
 
-  if (hasBridgeProviderModels && hasBridgeAllowlist) {
+  const existingApiKey = (cfg as any)?.models?.providers?.vllm?.apiKey;
+  const hasCorrectApiKey = existingApiKey === CLI_BRIDGE_API_KEY;
+
+  if (hasBridgeProviderModels && hasBridgeAllowlist && hasCorrectApiKey) {
     return { patched: false, reason: "vllm provider + agent allowlist already include cli-bridge models." };
   }