@knotieaipro/openclaw-channel-knotie 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Knotie AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,144 @@
+# @knotie/openclaw-channel-knotie
+
+> **OpenClaw plugin** — Secure portal chat channel that connects the [Knotie AI](https://knotie.ai) whitelabel portal to an [OpenClaw](https://openclaw.ai) agent running on a customer VPS.
+
+---
+
+## What this plugin does
+
+When you deploy OpenClaw through Knotie's VPS catalog, your customers get an agent that runs on *their* infrastructure — but you need a way for the Knotie whitelabel portal to chat with it securely over the public internet.
+
+This plugin registers a hardened HTTP channel (`/knotie-channel`) on the OpenClaw instance. The Knotie portal's server-side proxy calls this channel to forward customer messages and receive agent replies — without any Tailscale or shared VPN required.
+
+### Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| `GET` | `/knotie-channel/health` | None | Liveness check — used by the portal's status indicator |
+| `POST` | `/knotie-channel/chat` | Bearer + HMAC | Send a message, receive an agent reply |
+| `POST` | `/knotie-channel/clear-session` | Bearer + HMAC | Clear agent session history for a given session ID |
+
+---
+
+## Security model — 5 layers, defence-in-depth
+
+The channel is designed to be exposed on a public VPS port without becoming a liability. Each layer independently limits what an attacker can do:
+
+| Layer | Where | What it stops |
+|-------|-------|---------------|
+| **TLS** | nginx (self-signed cert) | Traffic interception — all data is encrypted in transit |
+| **Silent 444 drop** | nginx | Port scanning — every path except `/knotie-channel/` returns no response; the port appears closed to scanners |
+| **Knock header** (`X-Knotie-Gateway`) | nginx | Drive-by requests — nginx returns 444 (no response) if this per-instance secret is missing or wrong |
+| **Bearer token** | This plugin | Credential brute-force — constant-time (`timingSafeEqual`) verification of the 32-byte hex shared secret |
+| **HMAC request nonce** | This plugin | Replay attacks — every request must include `X-Knotie-Timestamp` + `X-Knotie-Nonce` + `X-Knotie-Signature` (HMAC-SHA256); the plugin rejects requests outside a ±5-minute window |
+
+The knock header and HMAC secret are generated per-deployment (not shared across instances) and stored only in the Knotie DB — never exposed to the browser.
+
+---
+
+## About Knotie AI
+
+[Knotie AI](https://knotie.ai) is a white-label AI platform built for agencies and developers who want to resell AI products under their own brand.
+
+**What agencies get on Knotie:**
+
+- One-click deploy templates for AI Receptionist, Voice SDR, Support Bot, Cloud Setup, and more — fully white-labeled under your domain
+- A VPS marketplace where customers can deploy self-hosted AI tools (OpenClaw, n8n, Open WebUI, etc.) and manage them from your portal
+- An AI Gateway (OpenAI-compatible, 50+ models) you can sell as a standalone product
+- Multi-provider voice support: VAPI, Retell, ElevenLabs, LiveKit, Ultravox
+- Built-in billing: Stripe Connect, credit system, metered usage — you set the margin
+
+OpenClaw deployed through Knotie gets a fully automated setup: SSH deploy, nginx TLS proxy, this channel plugin, the customizer plugin, and all secrets generated and stored without any manual steps.
+
+---
+
+## Installation
+
+```bash
+openclaw plugin add @knotieaipro/openclaw-channel-knotie
+```
+
+> **Note:** When deploying OpenClaw through Knotie's VPS catalog, this plugin is installed and configured automatically as part of the deploy script. Manual installation is only needed for self-managed instances that you want to connect to a Knotie portal.
+
+---
+
+## Configuration
+
+| Variable | Required | Description |
+|---|---|---|
+| `KNOTIE_CHANNEL_TOKEN` | Yes | 32-byte hex shared secret — generated by Knotie at deploy time |
+
+The token is injected into `/etc/environment` and `/root/.openclaw/channel.env` during the catalog deploy so it survives daemon restarts.
+
+---
+
+## Network topology
+
+```
+Customer browser
+    │
+    ▼
+Knotie whitelabel portal (Next.js)
+    │  POST /api/whitelabel/vps/instances/[id]/openclaw/chat
+    ▼
+Portal server-side proxy (Node.js)
+    │  HTTPS · Bearer token · Knock header · HMAC nonce
+    ▼
+VPS public IP : 18790 (nginx TLS proxy)
+    │  444 drop on unknown paths
+    │  Rate-limited: 10 req/min, 3 concurrent
+    ▼
+loopback : 18789 (OpenClaw)
+    │  This plugin validates Bearer + HMAC
+    ▼
+Agent reply → reverse through the same chain → browser
+```
+
+The customer connects their OpenClaw agent (and its control UI) via their own Tailscale network. The Knotie portal uses the public nginx channel — no shared VPN required.
+
+---
+
+## How the HMAC signature works
+
+The portal signs every request before sending it:
+
+```ts
+// Portal side (simplified)
+const timestamp = String(Date.now());
+const nonce     = randomBytes(16).toString('hex');
+const message   = `${timestamp}:${nonce}`;
+const signature = createHmac('sha256', channelToken).update(message).digest('hex');
+
+headers['X-Knotie-Timestamp'] = timestamp;
+headers['X-Knotie-Nonce']     = nonce;
+headers['X-Knotie-Signature'] = signature;
+```
+
+The plugin verifies:
+1. All three headers are present
+2. Timestamp is within ±5 minutes of the VPS clock
+3. HMAC-SHA256 matches (constant-time comparison)
+
+A captured request is useless after 5 minutes — even if the attacker has the exact headers.
+
+---
+
+## Requirements
+
+- OpenClaw ≥ 3.0.0
+- Node.js ≥ 18 (ESM)
+
+---
+
+## License
+
+MIT — see [LICENSE](./LICENSE)
+
+---
+
+## Links
+
+- [Knotie AI Platform](https://knotie.ai) — white-label AI for agencies
+- [OpenClaw](https://openclaw.ai) — self-hosted AI agent runtime
+- [Knotie Partner Dashboard](https://app.knotie.ai) — manage your deployments
+- [@knotieaipro/openclaw-customizer](https://www.npmjs.com/package/@knotieaipro/openclaw-customizer) — white-label branding plugin

package/dist/auth.d.ts

@@ -0,0 +1,52 @@
+/**
+ * auth.ts — Token verification helpers for the Knotie channel.
+ *
+ * Multi-layer authentication:
+ *
+ *  1. Bearer token  — `Authorization: Bearer <KNOTIE_CHANNEL_TOKEN>`
+ *     Constant-time comparison (timingSafeEqual) prevents timing attacks.
+ *
+ *  2. HMAC request nonce — Layer 5 replay prevention.
+ *     The portal signs every request with:
+ *       X-Knotie-Timestamp : unix epoch milliseconds (string)
+ *       X-Knotie-Nonce     : 16-byte random hex
+ *       X-Knotie-Signature : HMAC-SHA256(token, "<timestamp>:<nonce>")
+ *     The plugin validates:
+ *       - Timestamp is within ±5 minutes of server time.
+ *       - HMAC matches (constant-time compare).
+ *     This makes captured/intercepted requests expire within 5 minutes.
+ *
+ * Additional layers (handled outside this file):
+ *  3. nginx knock header (X-Knotie-Gateway) — anti-scanner, silent 444 drop.
+ *  4. nginx TLS (self-signed cert) — transport encryption.
+ *  5. nginx rate limiting — 10 req/min per IP.
+ */
+/** Resolve the channel token from env. Throws if missing. */
+export declare function resolveChannelToken(): string;
+/**
+ * Verify the Authorization header value against the configured channel token.
+ *
+ * @param authHeader  Full "Authorization: Bearer ..." header value.
+ * @param expected    The expected token (from resolveChannelToken).
+ * @returns true if valid, false otherwise.
+ */
+export declare function verifyBearerToken(authHeader: string | undefined, expected: string): boolean;
+/**
+ * Verify the HMAC request-nonce signature (Layer 5 — replay prevention).
+ *
+ * The portal must include three headers on every authenticated request:
+ *   X-Knotie-Timestamp  : unix ms as a decimal string
+ *   X-Knotie-Nonce      : random hex value (ensures uniqueness within window)
+ *   X-Knotie-Signature  : HMAC-SHA256(channelToken, "<timestamp>:<nonce>")
+ *
+ * @param headers   Request headers map (lowercase keys).
+ * @param token     The channel token to derive the HMAC key from.
+ * @returns true if valid (correct signature AND timestamp within ±5 min).
+ */
+export declare function verifyRequestSignature(headers: Record<string, string | undefined>, token: string): boolean;
+/**
+ * Generate an HMAC signature for a webhook payload.
+ * Used when the plugin pushes events back to the Knotie portal.
+ */
+export declare function signPayload(secret: string, payload: string): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AASH,6DAA6D;AAC7D,wBAAgB,mBAAmB,IAAI,MAAM,CAS5C;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAW3F;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAC3C,KAAK,EAAE,MAAM,GACZ,OAAO,CAwBT;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEnE"}

package/dist/auth.js

@@ -0,0 +1,102 @@
+/**
+ * auth.ts — Token verification helpers for the Knotie channel.
+ *
+ * Multi-layer authentication:
+ *
+ *  1. Bearer token  — `Authorization: Bearer <KNOTIE_CHANNEL_TOKEN>`
+ *     Constant-time comparison (timingSafeEqual) prevents timing attacks.
+ *
+ *  2. HMAC request nonce — Layer 5 replay prevention.
+ *     The portal signs every request with:
+ *       X-Knotie-Timestamp : unix epoch milliseconds (string)
+ *       X-Knotie-Nonce     : 16-byte random hex
+ *       X-Knotie-Signature : HMAC-SHA256(token, "<timestamp>:<nonce>")
+ *     The plugin validates:
+ *       - Timestamp is within ±5 minutes of server time.
+ *       - HMAC matches (constant-time compare).
+ *     This makes captured/intercepted requests expire within 5 minutes.
+ *
+ * Additional layers (handled outside this file):
+ *  3. nginx knock header (X-Knotie-Gateway) — anti-scanner, silent 444 drop.
+ *  4. nginx TLS (self-signed cert) — transport encryption.
+ *  5. nginx rate limiting — 10 req/min per IP.
+ */
+import { createHmac, timingSafeEqual } from 'node:crypto';
+const PLUGIN_NAME = '@knotie/openclaw-channel-knotie';
+/** Maximum clock skew accepted between portal and VPS (milliseconds). */
+const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // 5 minutes
+/** Resolve the channel token from env. Throws if missing. */
+export function resolveChannelToken() {
+    const token = process.env['KNOTIE_CHANNEL_TOKEN']?.trim();
+    if (!token) {
+        throw new Error(`[${PLUGIN_NAME}] KNOTIE_CHANNEL_TOKEN is not set. ` +
+            'Set it in the gateway env (catalog deploy injects it automatically).');
+    }
+    return token;
+}
+/**
+ * Verify the Authorization header value against the configured channel token.
+ *
+ * @param authHeader  Full "Authorization: Bearer ..." header value.
+ * @param expected    The expected token (from resolveChannelToken).
+ * @returns true if valid, false otherwise.
+ */
+export function verifyBearerToken(authHeader, expected) {
+    if (!authHeader?.startsWith('Bearer '))
+        return false;
+    const provided = authHeader.slice('Bearer '.length).trim();
+    if (provided.length !== expected.length)
+        return false;
+    // timingSafeEqual requires equal-length Buffers
+    try {
+        return timingSafeEqual(Buffer.from(provided, 'utf8'), Buffer.from(expected, 'utf8'));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify the HMAC request-nonce signature (Layer 5 — replay prevention).
+ *
+ * The portal must include three headers on every authenticated request:
+ *   X-Knotie-Timestamp  : unix ms as a decimal string
+ *   X-Knotie-Nonce      : random hex value (ensures uniqueness within window)
+ *   X-Knotie-Signature  : HMAC-SHA256(channelToken, "<timestamp>:<nonce>")
+ *
+ * @param headers   Request headers map (lowercase keys).
+ * @param token     The channel token to derive the HMAC key from.
+ * @returns true if valid (correct signature AND timestamp within ±5 min).
+ */
+export function verifyRequestSignature(headers, token) {
+    const timestamp = headers['x-knotie-timestamp'];
+    const nonce = headers['x-knotie-nonce'];
+    const signature = headers['x-knotie-signature'];
+    if (!timestamp || !nonce || !signature)
+        return false;
+    // Reject timestamps outside the ±5-minute window (replay prevention).
+    const ts = parseInt(timestamp, 10);
+    if (isNaN(ts) || Math.abs(Date.now() - ts) > MAX_CLOCK_SKEW_MS)
+        return false;
+    // Derive expected HMAC — must match what the portal computed.
+    const message = `${timestamp}:${nonce}`;
+    const expected = createHmac('sha256', token).update(message, 'utf8').digest('hex');
+    // Constant-time comparison — both buffers must be the same length (hex strings).
+    try {
+        const sigBuf = Buffer.from(signature, 'hex');
+        const expBuf = Buffer.from(expected, 'hex');
+        if (sigBuf.length !== expBuf.length)
+            return false;
+        return timingSafeEqual(sigBuf, expBuf);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Generate an HMAC signature for a webhook payload.
+ * Used when the plugin pushes events back to the Knotie portal.
+ */
+export function signPayload(secret, payload) {
+    return createHmac('sha256', secret).update(payload, 'utf8').digest('hex');
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D,MAAM,WAAW,GAAG,iCAAiC,CAAC;AAEtD,yEAAyE;AACzE,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAErD,6DAA6D;AAC7D,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,IAAI,WAAW,qCAAqC;YAClD,sEAAsE,CACzE,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAA8B,EAAE,QAAgB;IAChF,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3D,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAEtD,gDAAgD;IAChD,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IACvF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAA2C,EAC3C,KAAa;IAEb,MAAM,SAAS,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChD,MAAM,KAAK,GAAO,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAEhD,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAErD,sEAAsE;IACtE,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,iBAAiB;QAAE,OAAO,KAAK,CAAC;IAE7E,8DAA8D;IAC9D,MAAM,OAAO,GAAI,GAAG,SAAS,IAAI,KAAK,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEnF,iFAAiF;IACjF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC5C,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAClD,OAAO,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,OAAe;IACzD,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5E,CAAC"}

package/dist/channel.d.ts

@@ -0,0 +1,64 @@
+/**
+ * channel.ts — Knotie Portal channel registration for OpenClaw.
+ *
+ * Registers the channel with the OpenClaw plugin API. The channel exposes:
+ *
+ *   GET  /knotie-channel/health         — liveness check (no auth required)
+ *   POST /knotie-channel/chat           — send a message, get a reply (auth required)
+ *   POST /knotie-channel/clear-session  — clear agent session history (auth required)
+ *
+ * The Knotie portal's server-side proxy (Next.js API route) calls these
+ * endpoints via the Tailscale MagicDNS HTTPS URL.
+ *
+ * OpenClaw plugin channel API shape (inferred from openclaw-channel-streamchat):
+ *
+ *   api.registerChannel({
+ *     id:          string,
+ *     name:        string,
+ *     description: string,
+ *     routes: Array<{
+ *       method:  'GET' | 'POST',
+ *       path:    string,         // relative to /knotie-channel/
+ *       handler: (req, ctx) => Promise<{ status: number; body: unknown }>
+ *     }>
+ *   })
+ */
+export declare const KNOTIE_CHANNEL_ID = "knotie-portal";
+export declare const KNOTIE_CHANNEL_PATH = "/knotie-channel";
+/** Minimal request/response types — matches OpenClaw channel route handler signature. */
+interface ChannelRequest {
+    headers: Record<string, string | undefined>;
+    body?: unknown;
+}
+interface ChannelContext {
+    /** Send a message to the agent and await its response. */
+    sendMessage(opts: {
+        sessionId: string;
+        text: string;
+        userName?: string;
+    }): Promise<string>;
+    /** Clear the agent's session history for a given session ID. */
+    clearSession(sessionId: string): Promise<void>;
+}
+export declare function createKnotieChannel(): {
+    id: string;
+    name: string;
+    description: string;
+    routes: ({
+        method: "GET";
+        path: string;
+        handler: (_req: ChannelRequest, _ctx: ChannelContext) => Promise<{
+            status: number;
+            body: unknown;
+        }>;
+    } | {
+        method: "POST";
+        path: string;
+        handler: (req: ChannelRequest, ctx: ChannelContext) => Promise<{
+            status: number;
+            body: unknown;
+        }>;
+    })[];
+};
+export {};
+//# sourceMappingURL=channel.d.ts.map

package/dist/channel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,eAAO,MAAM,iBAAiB,kBAAoB,CAAC;AACnD,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAGrD,yFAAyF;AACzF,UAAU,cAAc;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC5C,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AACD,UAAU,cAAc;IACtB,0DAA0D;IAC1D,WAAW,CAAC,IAAI,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3F,gEAAgE;IAChE,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAoBD,wBAAgB,mBAAmB;;;;;;;wBAWL,cAAc,QAAQ,cAAc;;;;;;;uBASrC,cAAc,OAAO,cAAc;;;;;EAgE/D"}

package/dist/channel.js

@@ -0,0 +1,128 @@
+/**
+ * channel.ts — Knotie Portal channel registration for OpenClaw.
+ *
+ * Registers the channel with the OpenClaw plugin API. The channel exposes:
+ *
+ *   GET  /knotie-channel/health         — liveness check (no auth required)
+ *   POST /knotie-channel/chat           — send a message, get a reply (auth required)
+ *   POST /knotie-channel/clear-session  — clear agent session history (auth required)
+ *
+ * The Knotie portal's server-side proxy (Next.js API route) calls these
+ * endpoints via the Tailscale MagicDNS HTTPS URL.
+ *
+ * OpenClaw plugin channel API shape (inferred from openclaw-channel-streamchat):
+ *
+ *   api.registerChannel({
+ *     id:          string,
+ *     name:        string,
+ *     description: string,
+ *     routes: Array<{
+ *       method:  'GET' | 'POST',
+ *       path:    string,         // relative to /knotie-channel/
+ *       handler: (req, ctx) => Promise<{ status: number; body: unknown }>
+ *     }>
+ *   })
+ */
+import { resolveChannelToken, verifyBearerToken, verifyRequestSignature } from './auth.js';
+export const KNOTIE_CHANNEL_ID = 'knotie-portal';
+export const KNOTIE_CHANNEL_PATH = '/knotie-channel';
+const PLUGIN_VERSION = '0.1.0';
+function json(status, body) {
+    return { status, body };
+}
+function unauthorized() {
+    return json(401, { error: 'unauthorized', message: 'Invalid or missing Bearer token.' });
+}
+function buildHealthPayload() {
+    const tailscaleMode = Boolean(process.env['KNOTIE_TS_HOSTNAME']);
+    return {
+        ok: true,
+        plugin: KNOTIE_CHANNEL_ID,
+        version: PLUGIN_VERSION,
+        mode: tailscaleMode ? 'tailscale' : 'local',
+    };
+}
+export function createKnotieChannel() {
+    return {
+        id: KNOTIE_CHANNEL_ID,
+        name: 'Knotie Portal',
+        description: 'Connects the Knotie whitelabel portal chat interface to OpenClaw via Tailscale.',
+        routes: [
+            // ── Health ──────────────────────────────────────────────────────────────
+            {
+                method: 'GET',
+                path: '/health',
+                handler: async (_req, _ctx) => {
+                    return json(200, buildHealthPayload());
+                },
+            },
+            // ── Chat ────────────────────────────────────────────────────────────────
+            {
+                method: 'POST',
+                path: '/chat',
+                handler: async (req, ctx) => {
+                    let token;
+                    try {
+                        token = resolveChannelToken();
+                    }
+                    catch {
+                        return json(503, { error: 'misconfigured', message: 'Channel token not set on server.' });
+                    }
+                    // Layer 1: Bearer token auth
+                    if (!verifyBearerToken(req.headers['authorization'], token)) {
+                        return unauthorized();
+                    }
+                    // Layer 5: HMAC nonce (replay prevention — 5-min window)
+                    if (!verifyRequestSignature(req.headers, token)) {
+                        return json(401, { error: 'unauthorized', message: 'Missing or invalid HMAC request signature.' });
+                    }
+                    const msg = req.body;
+                    if (!msg?.sessionId || !msg?.text) {
+                        return json(400, { error: 'bad_request', message: 'sessionId and text are required.' });
+                    }
+                    const reply = await ctx.sendMessage({
+                        sessionId: msg.sessionId,
+                        text: msg.text,
+                        userName: msg.userName,
+                    });
+                    const response = {
+                        sessionId: msg.sessionId,
+                        reply,
+                        streaming: false,
+                        timestamp: new Date().toISOString(),
+                    };
+                    return json(200, response);
+                },
+            },
+            // ── Clear session ────────────────────────────────────────────────────────
+            {
+                method: 'POST',
+                path: '/clear-session',
+                handler: async (req, ctx) => {
+                    let token;
+                    try {
+                        token = resolveChannelToken();
+                    }
+                    catch {
+                        return json(503, { error: 'misconfigured', message: 'Channel token not set on server.' });
+                    }
+                    // Layer 1: Bearer token auth
+                    if (!verifyBearerToken(req.headers['authorization'], token)) {
+                        return unauthorized();
+                    }
+                    // Layer 5: HMAC nonce (replay prevention — 5-min window)
+                    if (!verifyRequestSignature(req.headers, token)) {
+                        return json(401, { error: 'unauthorized', message: 'Missing or invalid HMAC request signature.' });
+                    }
+                    const body = req.body;
+                    if (!body?.sessionId) {
+                        return json(400, { error: 'bad_request', message: 'sessionId is required.' });
+                    }
+                    await ctx.clearSession(body.sessionId);
+                    return json(200, { ok: true, sessionId: body.sessionId });
+                },
+            },
+        ],
+    };
+}
+//# sourceMappingURL=channel.js.map

package/dist/channel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel.js","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAG3F,MAAM,CAAC,MAAM,iBAAiB,GAAK,eAAe,CAAC;AACnD,MAAM,CAAC,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AACrD,MAAM,cAAc,GAAG,OAAO,CAAC;AAc/B,SAAS,IAAI,CAAC,MAAc,EAAE,IAAa;IACzC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IACjE,OAAO;QACL,EAAE,EAAO,IAAI;QACb,MAAM,EAAG,iBAAiB;QAC1B,OAAO,EAAE,cAAc;QACvB,IAAI,EAAK,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO;KAC/C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,EAAE,EAAW,iBAAiB;QAC9B,IAAI,EAAS,eAAe;QAC5B,WAAW,EAAE,iFAAiF;QAE9F,MAAM,EAAE;YACN,2EAA2E;YAC3E;gBACE,MAAM,EAAG,KAAc;gBACvB,IAAI,EAAK,SAAS;gBAClB,OAAO,EAAE,KAAK,EAAE,IAAoB,EAAE,IAAoB,EAAE,EAAE;oBAC5D,OAAO,IAAI,CAAC,GAAG,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBACzC,CAAC;aACF;YAED,2EAA2E;YAC3E;gBACE,MAAM,EAAG,MAAe;gBACxB,IAAI,EAAK,OAAO;gBAChB,OAAO,EAAE,KAAK,EAAE,GAAmB,EAAE,GAAmB,EAAE,EAAE;oBAC1D,IAAI,KAAa,CAAC;oBAClB,IAAI,CAAC;wBAAC,KAAK,GAAG,mBAAmB,EAAE,CAAC;oBAAC,CAAC;oBACtC,MAAM,CAAC;wBAAC,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;oBAAC,CAAC;oBAEpG,6BAA6B;oBAC7B,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;wBAC5D,OAAO,YAAY,EAAE,CAAC;oBACxB,CAAC;oBACD,yDAAyD;oBACzD,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;wBAChD,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC,CAAC;oBACrG,CAAC;oBAED,MAAM,GAAG,GAAG,GAAG,CAAC,IAA2B,CAAC;oBAC5C,IAAI,CAAC,GAAG,EAAE,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;wBAClC,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;oBAC1F,CAAC;oBAED,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC;wBAClC,SAAS,EAAE,GAAG,CAAC,SAAS;wBACxB,IAAI,EAAO,GAAG,CAAC,IAAI;wBACnB,QAAQ,EAAG,GAAG,CAAC,QAAQ;qBACxB,CAAC,CAAC;oBAEH,MAAM,QAAQ,GAA0B;wBACtC,SAAS,EAAE,GAAG,CAAC,SAAS;wBACxB,KAAK;wBACL,SAAS,EAAE,KAAK;wBAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC;oBACF,OAAO,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAC7B,CAAC;aACF;YAED,4EAA4E;YAC5E;gBACE,MAAM,EAAG,MAAe;gBACxB,IAAI,EAAK,gBAAgB;gBACzB,OAAO,EAAE,KAAK,EAAE,GAAmB,EAAE,GAAmB,EAAE,EAAE;oBAC1D,IAAI,KAAa,CAAC;oBAClB,IAAI,CAAC;wBAAC,KAAK,GAAG,mBAAmB,EAAE,CAAC;oBAAC,CAAC;oBACtC,MAAM,CAAC;wBAAC,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;oBAAC,CAAC;oBAEpG,6BAA6B;oBAC7B,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;wBAC5D,OAAO,YAAY,EAAE,CAAC;oBACxB,CAAC;oBACD,yDAAyD;oBACzD,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;wBAChD,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC,CAAC;oBACrG,CAAC;oBAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAA8B,CAAC;oBAChD,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;wBACrB,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;oBAChF,CAAC;oBAED,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACvC,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBAC5D,CAAC;aACF;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @knotie/openclaw-channel-knotie
+ *
+ * OpenClaw channel plugin that exposes a hardened HTTP API so the Knotie
+ * whitelabel portal can chat with OpenClaw over the public internet.
+ *
+ * ┌──────────────────────────────────────────────────────────────────────┐
+ * │  Knotie Portal (Next.js) — server-side proxy only                   │
+ * │    POST /api/whitelabel/vps/instances/[id]/openclaw/chat            │
+ * │      ↕ HTTPS · Bearer token · Knock header · HMAC nonce             │
+ * │  VPS nginx proxy (port 18790, self-signed TLS)                      │
+ * │    silent 444 on all paths except /knotie-channel/*                 │
+ * │  OpenClaw Gateway (loopback:18789)                                  │
+ * │    GET  /knotie-channel/health       — liveness check (no auth)    │
+ * │    POST /knotie-channel/chat         — send message, get reply      │
+ * │    POST /knotie-channel/clear-session — reset conversation          │
+ * └──────────────────────────────────────────────────────────────────────┘
+ *
+ * Install on the VPS:
+ *   openclaw plugin add @knotie/openclaw-channel-knotie
+ *
+ * Required env vars (injected during catalog deploy):
+ *   KNOTIE_CHANNEL_TOKEN  — 32-byte hex shared secret (auto-generated)
+ */
+export { createKnotieChannel, KNOTIE_CHANNEL_ID, KNOTIE_CHANNEL_PATH } from './channel.js';
+export { resolveChannelToken, verifyBearerToken, verifyRequestSignature, signPayload } from './auth.js';
+export type { KnotiePortalMessage, KnotieChannelResponse, KnotieChannelHealth, KnotieChannelConfig, } from './types.js';
+declare const plugin: import("openclaw/plugin-sdk/plugin-entry").PluginDefinition;
+export default plugin;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAC3F,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxG,YAAY,EACV,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAEpB,QAAA,MAAM,MAAM,6DAcV,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/dist/index.js

@@ -0,0 +1,43 @@
+/**
+ * @knotie/openclaw-channel-knotie
+ *
+ * OpenClaw channel plugin that exposes a hardened HTTP API so the Knotie
+ * whitelabel portal can chat with OpenClaw over the public internet.
+ *
+ * ┌──────────────────────────────────────────────────────────────────────┐
+ * │  Knotie Portal (Next.js) — server-side proxy only                   │
+ * │    POST /api/whitelabel/vps/instances/[id]/openclaw/chat            │
+ * │      ↕ HTTPS · Bearer token · Knock header · HMAC nonce             │
+ * │  VPS nginx proxy (port 18790, self-signed TLS)                      │
+ * │    silent 444 on all paths except /knotie-channel/*                 │
+ * │  OpenClaw Gateway (loopback:18789)                                  │
+ * │    GET  /knotie-channel/health       — liveness check (no auth)    │
+ * │    POST /knotie-channel/chat         — send message, get reply      │
+ * │    POST /knotie-channel/clear-session — reset conversation          │
+ * └──────────────────────────────────────────────────────────────────────┘
+ *
+ * Install on the VPS:
+ *   openclaw plugin add @knotie/openclaw-channel-knotie
+ *
+ * Required env vars (injected during catalog deploy):
+ *   KNOTIE_CHANNEL_TOKEN  — 32-byte hex shared secret (auto-generated)
+ */
+import { definePluginEntry } from 'openclaw/plugin-sdk/plugin-entry';
+import { createKnotieChannel, KNOTIE_CHANNEL_ID } from './channel.js';
+export { createKnotieChannel, KNOTIE_CHANNEL_ID, KNOTIE_CHANNEL_PATH } from './channel.js';
+export { resolveChannelToken, verifyBearerToken, verifyRequestSignature, signPayload } from './auth.js';
+const plugin = definePluginEntry({
+    id: KNOTIE_CHANNEL_ID,
+    name: 'KnotiePortalChannel',
+    description: 'Secure HTTP channel for the Knotie whitelabel portal to reach OpenClaw over the public internet.',
+    register(api) {
+        // Register the channel with OpenClaw's gateway HTTP server.
+        // The gateway will mount the channel routes at /knotie-channel/*.
+        api.registerChannel(createKnotieChannel());
+        // Log startup info so partners can confirm the channel is live
+        // (visible in `openclaw gateway logs`).
+        console.log('[knotie-channel] Channel registered. Listening at /knotie-channel/* (nginx proxy on port 18790).');
+    },
+});
+export default plugin;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEtE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAC3F,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAQxG,MAAM,MAAM,GAAG,iBAAiB,CAAC;IAC/B,EAAE,EAAW,iBAAiB;IAC9B,IAAI,EAAS,qBAAqB;IAClC,WAAW,EAAE,kGAAkG;IAE/G,QAAQ,CAAC,GAAG;QACV,4DAA4D;QAC5D,kEAAkE;QAClE,GAAG,CAAC,eAAe,CAAC,mBAAmB,EAAE,CAAC,CAAC;QAE3C,+DAA+D;QAC/D,wCAAwC;QACxC,OAAO,CAAC,GAAG,CAAC,kGAAkG,CAAC,CAAC;IAClH,CAAC;CACF,CAAC,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,62 @@
+/**
+ * types.ts — Shared types for the Knotie portal ↔ OpenClaw channel.
+ *
+ * Architecture overview:
+ *
+ *   Knotie Whitelabel Portal (Next.js)
+ *     │  POST /api/whitelabel/openclaw/chat  (server-side proxy)
+ *     │  ↕ via Tailscale MagicDNS HTTPS
+ *   OpenClaw Gateway (port 18789, loopback only, served via tailscale serve)
+ *     │  /knotie-channel/* endpoints registered by this plugin
+ *     │
+ *   OpenClaw Agent (local process)
+ *
+ * This plugin registers a lightweight HTTP channel on the OpenClaw gateway.
+ * The Knotie portal's server-side proxy route calls it — never the browser
+ * directly, so the Tailscale network key never leaves the server.
+ *
+ * Auth:
+ *   Every request must carry:
+ *     Authorization: Bearer <KNOTIE_CHANNEL_TOKEN>
+ *   where KNOTIE_CHANNEL_TOKEN is the shared secret set during catalog deploy
+ *   (same secret stored in the portal's env as OPENCLAW_CHANNEL_TOKEN).
+ */
+/** Sent by the Knotie portal to the channel endpoint. */
+export interface KnotiePortalMessage {
+    /** Unique session/conversation ID — maps to an OpenClaw session. */
+    sessionId: string;
+    /** Display name for the user (shown in OpenClaw's context if available). */
+    userName?: string;
+    /** The chat message text. */
+    text: string;
+    /** Optional metadata forwarded as-is (e.g. customer ID, page context). */
+    metadata?: Record<string, unknown>;
+}
+/** Returned synchronously from POST /knotie-channel/chat. */
+export interface KnotieChannelResponse {
+    /** Echo of the session ID. */
+    sessionId: string;
+    /** The agent's reply text. */
+    reply: string;
+    /** Whether this response is still streaming (always false for HTTP mode). */
+    streaming: false;
+    /** ISO timestamp of the response. */
+    timestamp: string;
+}
+/** Returned from GET /knotie-channel/health. */
+export interface KnotieChannelHealth {
+    ok: true;
+    plugin: string;
+    version: string;
+    mode: 'tailscale' | 'local';
+}
+/** Internal config resolved from env vars. */
+export interface KnotieChannelConfig {
+    /** Auth token — must match KNOTIE_CHANNEL_TOKEN env var. */
+    channelToken: string;
+    /** Gateway port (default 18789). */
+    port: number;
+    /** Whether the gateway is accessible via Tailscale (informational). */
+    tailscaleMode: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,yDAAyD;AACzD,MAAM,WAAW,mBAAmB;IAClC,oEAAoE;IACpE,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,6DAA6D;AAC7D,MAAM,WAAW,qBAAqB;IACpC,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,6EAA6E;IAC7E,SAAS,EAAE,KAAK,CAAC;IACjB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,MAAM,EAAG,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAK,WAAW,GAAG,OAAO,CAAC;CAChC;AAED,8CAA8C;AAC9C,MAAM,WAAW,mBAAmB;IAClC,4DAA4D;IAC5D,YAAY,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,aAAa,EAAE,OAAO,CAAC;CACxB"}

package/dist/types.js

@@ -0,0 +1,25 @@
+/**
+ * types.ts — Shared types for the Knotie portal ↔ OpenClaw channel.
+ *
+ * Architecture overview:
+ *
+ *   Knotie Whitelabel Portal (Next.js)
+ *     │  POST /api/whitelabel/openclaw/chat  (server-side proxy)
+ *     │  ↕ via Tailscale MagicDNS HTTPS
+ *   OpenClaw Gateway (port 18789, loopback only, served via tailscale serve)
+ *     │  /knotie-channel/* endpoints registered by this plugin
+ *     │
+ *   OpenClaw Agent (local process)
+ *
+ * This plugin registers a lightweight HTTP channel on the OpenClaw gateway.
+ * The Knotie portal's server-side proxy route calls it — never the browser
+ * directly, so the Tailscale network key never leaves the server.
+ *
+ * Auth:
+ *   Every request must carry:
+ *     Authorization: Bearer <KNOTIE_CHANNEL_TOKEN>
+ *   where KNOTIE_CHANNEL_TOKEN is the shared secret set during catalog deploy
+ *   (same secret stored in the portal's env as OPENCLAW_CHANNEL_TOKEN).
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG"}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@knotieaipro/openclaw-channel-knotie",
+  "version": "0.1.0",
+  "description": "OpenClaw channel plugin — secure 5-layer portal-to-agent channel for Knotie whitelabel deployments (TLS, HMAC nonces, silent 444 drop)",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "openclaw",
+    "plugin",
+    "channel",
+    "knotie",
+    "whitelabel",
+    "portal",
+    "security",
+    "hmac",
+    "nginx"
+  ],
+  "author": "Knotie AI <hello@knotie-ai.pro>",
+  "license": "MIT",
+  "peerDependencies": {
+    "openclaw": ">=3.0.0"
+  },
+  "peerDependenciesMeta": {
+    "openclaw": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "typescript": "^5.0.0"
+  }
+}