@heretek-ai/openclaw 2026.3.27 → 2026.3.29

package/dist/chunks/setup-BY2mioiw.mjs

@@ -0,0 +1,399 @@
+import { n as DEFAULT_GATEWAY_PORT, u as resolveGatewayPort } from "./paths-CNST7z3O.mjs";
+import { m as defaultRuntime } from "./subsystem-yLe4Gjha.mjs";
+import { y as resolveUserPath } from "./utils-Dc9DiBqf.mjs";
+import { d as readConfigFileSnapshot, g as writeConfigFile } from "./io-CDQGJKjg.mjs";
+import { l as normalizeSecretInputString } from "./types.secrets-CKipkqRX.mjs";
+import { t as formatCliCommand } from "./command-format-D1DrcTDP.mjs";
+import { t as WizardCancelledError } from "./prompts-BqZHJHEi.mjs";
+import { n as buildPluginCompatibilityNotices, o as formatPluginCompatibilityNotice } from "./status-Baz1y8H2.mjs";
+import { t as resolveSetupSecretInputString } from "./setup.secret-input-DPX4L6ht.mjs";
+
+//#region src/wizard/setup.ts
+async function requireRiskAcknowledgement(params) {
+	if (params.opts.acceptRisk === true) return;
+	await params.prompter.note([
+		"Security warning — please read.",
+		"",
+		"OpenClaw is a hobby project and still in beta. Expect sharp edges.",
+		"By default, OpenClaw is a personal agent: one trusted operator boundary.",
+		"This bot can read files and run actions if tools are enabled.",
+		"A bad prompt can trick it into doing unsafe things.",
+		"",
+		"OpenClaw is not a hostile multi-tenant boundary by default.",
+		"If multiple users can message one tool-enabled agent, they share that delegated tool authority.",
+		"",
+		"If you’re not comfortable with security hardening and access control, don’t run OpenClaw.",
+		"Ask someone experienced to help before enabling tools or exposing it to the internet.",
+		"",
+		"Recommended baseline:",
+		"- Pairing/allowlists + mention gating.",
+		"- Multi-user/shared inbox: split trust boundaries (separate gateway/credentials, ideally separate OS users/hosts).",
+		"- Sandbox + least-privilege tools.",
+		"- Shared inboxes: isolate DM sessions (`session.dmScope: per-channel-peer`) and keep tool access minimal.",
+		"- Keep secrets out of the agent’s reachable filesystem.",
+		"- Use the strongest available model for any bot with tools or untrusted inboxes.",
+		"",
+		"Run regularly:",
+		"openclaw security audit --deep",
+		"openclaw security audit --fix",
+		"",
+		"Must read: https://docs.openclaw.ai/gateway/security"
+	].join("\n"), "Security");
+	if (!await params.prompter.confirm({
+		message: "I understand this is personal-by-default and shared/multi-user use requires lock-down. Continue?",
+		initialValue: false
+	})) throw new WizardCancelledError("risk not accepted");
+}
+async function runSetupWizard(opts, runtime = defaultRuntime, prompter) {
+	const onboardHelpers = await import("./onboard-helpers-yNblKlzQ.mjs");
+	onboardHelpers.printWizardHeader(runtime);
+	await prompter.intro("OpenClaw setup");
+	await requireRiskAcknowledgement({
+		opts,
+		prompter
+	});
+	const snapshot = await readConfigFileSnapshot();
+	let baseConfig = snapshot.valid ? snapshot.exists ? snapshot.config : {} : {};
+	if (snapshot.exists && !snapshot.valid) {
+		await prompter.note(onboardHelpers.summarizeExistingConfig(baseConfig), "Invalid config");
+		if (snapshot.issues.length > 0) await prompter.note([
+			...snapshot.issues.map((iss) => `- ${iss.path}: ${iss.message}`),
+			"",
+			"Docs: https://docs.openclaw.ai/gateway/configuration"
+		].join("\n"), "Config issues");
+		await prompter.outro(`Config invalid. Run \`${formatCliCommand("openclaw doctor")}\` to repair it, then re-run setup.`);
+		runtime.exit(1);
+		return;
+	}
+	const compatibilityNotices = snapshot.valid ? buildPluginCompatibilityNotices({ config: baseConfig }) : [];
+	if (compatibilityNotices.length > 0) await prompter.note([
+		`Detected ${compatibilityNotices.length} plugin compatibility notice${compatibilityNotices.length === 1 ? "" : "s"} in the current config.`,
+		...compatibilityNotices.slice(0, 4).map((notice) => `- ${formatPluginCompatibilityNotice(notice)}`),
+		...compatibilityNotices.length > 4 ? [`- ... +${compatibilityNotices.length - 4} more`] : [],
+		"",
+		`Review: ${formatCliCommand("openclaw doctor")}`,
+		`Inspect: ${formatCliCommand("openclaw plugins inspect --all")}`
+	].join("\n"), "Plugin compatibility");
+	const quickstartHint = `Configure details later via ${formatCliCommand("openclaw configure")}.`;
+	const manualHint = "Configure port, network, Tailscale, and auth options.";
+	const explicitFlowRaw = opts.flow?.trim();
+	const normalizedExplicitFlow = explicitFlowRaw === "manual" ? "advanced" : explicitFlowRaw;
+	if (normalizedExplicitFlow && normalizedExplicitFlow !== "quickstart" && normalizedExplicitFlow !== "advanced") {
+		runtime.error("Invalid --flow (use quickstart, manual, or advanced).");
+		runtime.exit(1);
+		return;
+	}
+	let flow = (normalizedExplicitFlow === "quickstart" || normalizedExplicitFlow === "advanced" ? normalizedExplicitFlow : void 0) ?? await prompter.select({
+		message: "Setup mode",
+		options: [{
+			value: "quickstart",
+			label: "QuickStart",
+			hint: quickstartHint
+		}, {
+			value: "advanced",
+			label: "Manual",
+			hint: manualHint
+		}],
+		initialValue: "quickstart"
+	});
+	if (opts.mode === "remote" && flow === "quickstart") {
+		await prompter.note("QuickStart only supports local gateways. Switching to Manual mode.", "QuickStart");
+		flow = "advanced";
+	}
+	if (snapshot.exists) {
+		await prompter.note(onboardHelpers.summarizeExistingConfig(baseConfig), "Existing config detected");
+		if (await prompter.select({
+			message: "Config handling",
+			options: [
+				{
+					value: "keep",
+					label: "Use existing values"
+				},
+				{
+					value: "modify",
+					label: "Update values"
+				},
+				{
+					value: "reset",
+					label: "Reset"
+				}
+			]
+		}) === "reset") {
+			const workspaceDefault = baseConfig.agents?.defaults?.workspace ?? onboardHelpers.DEFAULT_WORKSPACE;
+			const resetScope = await prompter.select({
+				message: "Reset scope",
+				options: [
+					{
+						value: "config",
+						label: "Config only"
+					},
+					{
+						value: "config+creds+sessions",
+						label: "Config + creds + sessions"
+					},
+					{
+						value: "full",
+						label: "Full reset (config + creds + sessions + workspace)"
+					}
+				]
+			});
+			await onboardHelpers.handleReset(resetScope, resolveUserPath(workspaceDefault), runtime);
+			baseConfig = {};
+		}
+	}
+	const quickstartGateway = (() => {
+		const hasExisting = typeof baseConfig.gateway?.port === "number" || baseConfig.gateway?.bind !== void 0 || baseConfig.gateway?.auth?.mode !== void 0 || baseConfig.gateway?.auth?.token !== void 0 || baseConfig.gateway?.auth?.password !== void 0 || baseConfig.gateway?.customBindHost !== void 0 || baseConfig.gateway?.tailscale?.mode !== void 0;
+		const bindRaw = baseConfig.gateway?.bind;
+		const bind = bindRaw === "loopback" || bindRaw === "lan" || bindRaw === "auto" || bindRaw === "custom" || bindRaw === "tailnet" ? bindRaw : "loopback";
+		let authMode = "token";
+		if (baseConfig.gateway?.auth?.mode === "token" || baseConfig.gateway?.auth?.mode === "password") authMode = baseConfig.gateway.auth.mode;
+		else if (baseConfig.gateway?.auth?.token) authMode = "token";
+		else if (baseConfig.gateway?.auth?.password) authMode = "password";
+		const tailscaleRaw = baseConfig.gateway?.tailscale?.mode;
+		const tailscaleMode = tailscaleRaw === "off" || tailscaleRaw === "serve" || tailscaleRaw === "funnel" ? tailscaleRaw : "off";
+		return {
+			hasExisting,
+			port: resolveGatewayPort(baseConfig),
+			bind,
+			authMode,
+			tailscaleMode,
+			token: baseConfig.gateway?.auth?.token,
+			password: baseConfig.gateway?.auth?.password,
+			customBindHost: baseConfig.gateway?.customBindHost,
+			tailscaleResetOnExit: baseConfig.gateway?.tailscale?.resetOnExit ?? false
+		};
+	})();
+	if (flow === "quickstart") {
+		const formatBind = (value) => {
+			if (value === "loopback") return "Loopback (127.0.0.1)";
+			if (value === "lan") return "LAN";
+			if (value === "custom") return "Custom IP";
+			if (value === "tailnet") return "Tailnet (Tailscale IP)";
+			return "Auto";
+		};
+		const formatAuth = (value) => {
+			if (value === "token") return "Token (default)";
+			return "Password";
+		};
+		const formatTailscale = (value) => {
+			if (value === "off") return "Off";
+			if (value === "serve") return "Serve";
+			return "Funnel";
+		};
+		const quickstartLines = quickstartGateway.hasExisting ? [
+			"Keeping your current gateway settings:",
+			`Gateway port: ${quickstartGateway.port}`,
+			`Gateway bind: ${formatBind(quickstartGateway.bind)}`,
+			...quickstartGateway.bind === "custom" && quickstartGateway.customBindHost ? [`Gateway custom IP: ${quickstartGateway.customBindHost}`] : [],
+			`Gateway auth: ${formatAuth(quickstartGateway.authMode)}`,
+			`Tailscale exposure: ${formatTailscale(quickstartGateway.tailscaleMode)}`,
+			"Direct to chat channels."
+		] : [
+			`Gateway port: ${DEFAULT_GATEWAY_PORT}`,
+			"Gateway bind: Loopback (127.0.0.1)",
+			"Gateway auth: Token (default)",
+			"Tailscale exposure: Off",
+			"Direct to chat channels."
+		];
+		await prompter.note(quickstartLines.join("\n"), "QuickStart");
+	}
+	const localPort = resolveGatewayPort(baseConfig);
+	const localUrl = `ws://127.0.0.1:${localPort}`;
+	let localGatewayToken = process.env.OPENCLAW_GATEWAY_TOKEN;
+	try {
+		const resolvedGatewayToken = await resolveSetupSecretInputString({
+			config: baseConfig,
+			value: baseConfig.gateway?.auth?.token,
+			path: "gateway.auth.token",
+			env: process.env
+		});
+		if (resolvedGatewayToken) localGatewayToken = resolvedGatewayToken;
+	} catch (error) {
+		await prompter.note(["Could not resolve gateway.auth.token SecretRef for setup probe.", error instanceof Error ? error.message : String(error)].join("\n"), "Gateway auth");
+	}
+	let localGatewayPassword = process.env.OPENCLAW_GATEWAY_PASSWORD;
+	try {
+		const resolvedGatewayPassword = await resolveSetupSecretInputString({
+			config: baseConfig,
+			value: baseConfig.gateway?.auth?.password,
+			path: "gateway.auth.password",
+			env: process.env
+		});
+		if (resolvedGatewayPassword) localGatewayPassword = resolvedGatewayPassword;
+	} catch (error) {
+		await prompter.note(["Could not resolve gateway.auth.password SecretRef for setup probe.", error instanceof Error ? error.message : String(error)].join("\n"), "Gateway auth");
+	}
+	const localProbe = await onboardHelpers.probeGatewayReachable({
+		url: localUrl,
+		token: localGatewayToken,
+		password: localGatewayPassword
+	});
+	const remoteUrl = baseConfig.gateway?.remote?.url?.trim() ?? "";
+	let remoteGatewayToken = normalizeSecretInputString(baseConfig.gateway?.remote?.token);
+	try {
+		const resolvedRemoteGatewayToken = await resolveSetupSecretInputString({
+			config: baseConfig,
+			value: baseConfig.gateway?.remote?.token,
+			path: "gateway.remote.token",
+			env: process.env
+		});
+		if (resolvedRemoteGatewayToken) remoteGatewayToken = resolvedRemoteGatewayToken;
+	} catch (error) {
+		await prompter.note(["Could not resolve gateway.remote.token SecretRef for setup probe.", error instanceof Error ? error.message : String(error)].join("\n"), "Gateway auth");
+	}
+	const remoteProbe = remoteUrl ? await onboardHelpers.probeGatewayReachable({
+		url: remoteUrl,
+		token: remoteGatewayToken
+	}) : null;
+	const mode = opts.mode ?? (flow === "quickstart" ? "local" : await prompter.select({
+		message: "What do you want to set up?",
+		options: [{
+			value: "local",
+			label: "Local gateway (this machine)",
+			hint: localProbe.ok ? `Gateway reachable (${localUrl})` : `No gateway detected (${localUrl})`
+		}, {
+			value: "remote",
+			label: "Remote gateway (info-only)",
+			hint: !remoteUrl ? "No remote URL configured yet" : remoteProbe?.ok ? `Gateway reachable (${remoteUrl})` : `Configured but unreachable (${remoteUrl})`
+		}]
+	}));
+	if (mode === "remote") {
+		const { promptRemoteGatewayConfig } = await import("./onboard-remote-CRNeWdAr.mjs");
+		const { logConfigUpdated: logConfigUpdated$1 } = await import("./logging-CMnQ2lwx.mjs");
+		let nextConfig$1 = await promptRemoteGatewayConfig(baseConfig, prompter, { secretInputMode: opts.secretInputMode });
+		nextConfig$1 = onboardHelpers.applyWizardMetadata(nextConfig$1, {
+			command: "onboard",
+			mode
+		});
+		await writeConfigFile(nextConfig$1);
+		logConfigUpdated$1(runtime);
+		await prompter.outro("Remote gateway configured.");
+		return;
+	}
+	const workspaceDir = resolveUserPath((opts.workspace ?? (flow === "quickstart" ? baseConfig.agents?.defaults?.workspace ?? onboardHelpers.DEFAULT_WORKSPACE : await prompter.text({
+		message: "Workspace directory",
+		initialValue: baseConfig.agents?.defaults?.workspace ?? onboardHelpers.DEFAULT_WORKSPACE
+	}))).trim() || onboardHelpers.DEFAULT_WORKSPACE);
+	const { applyLocalSetupWorkspaceConfig } = await import("./onboard-config-DDVUZ_ep.mjs");
+	let nextConfig = applyLocalSetupWorkspaceConfig(baseConfig, workspaceDir);
+	const { ensureAuthProfileStore } = await import("./auth-profiles.runtime-CBC0dso5.mjs");
+	const { promptAuthChoiceGrouped } = await import("./auth-choice-prompt-BQyfn30v.mjs");
+	const { promptCustomApiConfig } = await import("./onboard-custom-NVhhzO9B.mjs");
+	const { applyAuthChoice, resolvePreferredProviderForAuthChoice, warnIfModelConfigLooksOff } = await import("./auth-choice-CqTHhkAf.mjs");
+	const { applyPrimaryModel, promptDefaultModel } = await import("./model-picker-CsiewqeZ.mjs");
+	const authStore = ensureAuthProfileStore(void 0, { allowKeychainPrompt: false });
+	const authChoiceFromPrompt = opts.authChoice === void 0;
+	const authChoice = opts.authChoice ?? await promptAuthChoiceGrouped({
+		prompter,
+		store: authStore,
+		includeSkip: true,
+		config: nextConfig,
+		workspaceDir
+	});
+	if (authChoice === "custom-api-key") nextConfig = (await promptCustomApiConfig({
+		prompter,
+		runtime,
+		config: nextConfig,
+		secretInputMode: opts.secretInputMode
+	})).config;
+	else {
+		const authResult = await applyAuthChoice({
+			authChoice,
+			config: nextConfig,
+			prompter,
+			runtime,
+			setDefaultModel: true,
+			opts: {
+				tokenProvider: opts.tokenProvider,
+				token: opts.authChoice === "apiKey" && opts.token ? opts.token : void 0
+			}
+		});
+		nextConfig = authResult.config;
+		if (authResult.agentModelOverride) nextConfig = applyPrimaryModel(nextConfig, authResult.agentModelOverride);
+	}
+	if (authChoice !== "custom-api-key" && (authChoiceFromPrompt || authChoice === "ollama")) {
+		const modelSelection = await promptDefaultModel({
+			config: nextConfig,
+			prompter,
+			allowKeep: authChoice !== "ollama",
+			ignoreAllowlist: true,
+			includeProviderPluginSetups: true,
+			preferredProvider: await resolvePreferredProviderForAuthChoice({
+				choice: authChoice,
+				config: nextConfig,
+				workspaceDir
+			}),
+			workspaceDir,
+			runtime
+		});
+		if (modelSelection.config) nextConfig = modelSelection.config;
+		if (modelSelection.model) nextConfig = applyPrimaryModel(nextConfig, modelSelection.model);
+	}
+	await warnIfModelConfigLooksOff(nextConfig, prompter);
+	const { configureGatewayForSetup } = await import("./setup.gateway-config-D56aZGFi.mjs");
+	const gateway = await configureGatewayForSetup({
+		flow,
+		baseConfig,
+		nextConfig,
+		localPort,
+		quickstartGateway,
+		secretInputMode: opts.secretInputMode,
+		prompter,
+		runtime
+	});
+	nextConfig = gateway.nextConfig;
+	const settings = gateway.settings;
+	if (opts.skipChannels ?? opts.skipProviders) await prompter.note("Skipping channel setup.", "Channels");
+	else {
+		const { listChannelPlugins } = await import("./plugins-BlfLo1YX.mjs");
+		const { setupChannels } = await import("./onboard-channels-Bjl7Zcw9.mjs");
+		const quickstartAllowFromChannels = flow === "quickstart" ? listChannelPlugins().filter((plugin) => plugin.meta.quickstartAllowFrom).map((plugin) => plugin.id) : [];
+		nextConfig = await setupChannels(nextConfig, runtime, prompter, {
+			allowSignalInstall: true,
+			forceAllowFromChannels: quickstartAllowFromChannels,
+			skipDmPolicyPrompt: flow === "quickstart",
+			skipConfirm: flow === "quickstart",
+			quickstartDefaults: flow === "quickstart",
+			secretInputMode: opts.secretInputMode
+		});
+	}
+	await writeConfigFile(nextConfig);
+	const { logConfigUpdated } = await import("./logging-CMnQ2lwx.mjs");
+	logConfigUpdated(runtime);
+	await onboardHelpers.ensureWorkspaceAndSessions(workspaceDir, runtime, { skipBootstrap: Boolean(nextConfig.agents?.defaults?.skipBootstrap) });
+	if (opts.skipSearch) await prompter.note("Skipping search setup.", "Search");
+	else {
+		const { setupSearch } = await import("./onboard-search-DxFHQULC.mjs");
+		nextConfig = await setupSearch(nextConfig, runtime, prompter, {
+			quickstartDefaults: flow === "quickstart",
+			secretInputMode: opts.secretInputMode
+		});
+	}
+	if (opts.skipSkills) await prompter.note("Skipping skills setup.", "Skills");
+	else {
+		const { setupSkills } = await import("./onboard-skills-DpIv1YxW.mjs");
+		nextConfig = await setupSkills(nextConfig, workspaceDir, runtime, prompter);
+	}
+	const { setupInternalHooks } = await import("./onboard-hooks-CtPGBMBE.mjs");
+	nextConfig = await setupInternalHooks(nextConfig, runtime, prompter);
+	nextConfig = onboardHelpers.applyWizardMetadata(nextConfig, {
+		command: "onboard",
+		mode
+	});
+	await writeConfigFile(nextConfig);
+	const { finalizeSetupWizard } = await import("./setup.finalize-DvAFcLhU.mjs");
+	const { launchedTui } = await finalizeSetupWizard({
+		flow,
+		opts,
+		baseConfig,
+		nextConfig,
+		workspaceDir,
+		settings,
+		prompter,
+		runtime
+	});
+	if (launchedTui) return;
+}
+
+//#endregion
+export { runSetupWizard as t };