@lobu/worker 7.0.0 → 7.1.0

package/src/gateway/sse-client.ts

@@ -9,9 +9,11 @@ import {
   extractTraceId,
   flushTracing,
   SpanStatusCode,
+  stripEnv,
 } from "@lobu/core";
 import { z } from "zod";
 import type { WorkerConfig, WorkerExecutor } from "../core/types";
+import { SENSITIVE_WORKER_ENV_KEYS } from "../shared/worker-env-keys";
 import { HttpWorkerTransport } from "./gateway-integration";
 import { MessageBatcher } from "./message-batcher";
 import type { MessagePayload, QueuedMessage } from "./types";
@@ -574,16 +576,27 @@ export class GatewayClient {
     });
 
     let completed = false;
+    let sigkillTimer: NodeJS.Timeout | null = null;
 
     try {
-      // Spawn the command
+      // Strip the worker's own gateway credentials before handing the shell
+      // its env. An `exec` command is an arbitrary string from the gateway
+      // that ends up under `sh -c`; leaking WORKER_TOKEN / DISPATCHER_URL
+      // into that environment would let a malicious or buggy exec impersonate
+      // the worker against its own gateway. The bash-tool and just-bash
+      // spawners already apply the same filter (see openclaw/tools.ts and
+      // embedded/just-bash-bootstrap.ts) — keep parity here.
+      const baseEnv = stripEnv(process.env, SENSITIVE_WORKER_ENV_KEYS);
       const proc = spawn("sh", ["-c", execCommand], {
         cwd: workingDir,
-        env: { ...process.env, ...execEnv },
+        env: { ...baseEnv, ...execEnv },
         stdio: ["ignore", "pipe", "pipe"],
       });
 
-      // Setup timeout
+      // Setup timeout. The SIGKILL escalation timer is tracked so the `close`
+      // handler can clear it when the child exits between SIGTERM and SIGKILL;
+      // otherwise the timer pins the event loop for an extra 5s after every
+      // timed-out exec and (worse) leaks if `close`/`error` never fires.
       const timeoutId = setTimeout(() => {
         if (!completed) {
           logger.warn(
@@ -591,7 +604,8 @@ export class GatewayClient {
             "Exec timeout reached, killing process"
           );
           proc.kill("SIGTERM");
-          setTimeout(() => {
+          sigkillTimer = setTimeout(() => {
+            sigkillTimer = null;
             if (!completed) {
               proc.kill("SIGKILL");
             }
@@ -600,7 +614,7 @@ export class GatewayClient {
       }, timeout);
 
       // Stream stdout
-      proc.stdout?.on("data", (chunk: Buffer) => {
+      const onStdout = (chunk: Buffer) => {
         const content = chunk.toString();
         transport.sendExecOutput(execId, "stdout", content).catch((err) => {
           logger.error(
@@ -608,10 +622,11 @@ export class GatewayClient {
             "Failed to send stdout"
           );
         });
-      });
+      };
+      proc.stdout?.on("data", onStdout);
 
       // Stream stderr
-      proc.stderr?.on("data", (chunk: Buffer) => {
+      const onStderr = (chunk: Buffer) => {
         const content = chunk.toString();
         transport.sendExecOutput(execId, "stderr", content).catch((err) => {
           logger.error(
@@ -619,19 +634,34 @@ export class GatewayClient {
             "Failed to send stderr"
           );
         });
-      });
+      };
+      proc.stderr?.on("data", onStderr);
 
       // Wait for process to complete
       const exitCode = await new Promise<number>((resolve, reject) => {
         proc.on("close", (code) => {
           completed = true;
           clearTimeout(timeoutId);
+          if (sigkillTimer) {
+            clearTimeout(sigkillTimer);
+            sigkillTimer = null;
+          }
+          // Stop accepting late `data` events so a chunk buffered after exit
+          // can't fire `sendExecOutput` AFTER we've signalled completion.
+          proc.stdout?.removeListener("data", onStdout);
+          proc.stderr?.removeListener("data", onStderr);
           resolve(code ?? 0);
         });
 
         proc.on("error", (error) => {
           completed = true;
           clearTimeout(timeoutId);
+          if (sigkillTimer) {
+            clearTimeout(sigkillTimer);
+            sigkillTimer = null;
+          }
+          proc.stdout?.removeListener("data", onStdout);
+          proc.stderr?.removeListener("data", onStderr);
           reject(error);
         });
       });
@@ -663,6 +693,13 @@ export class GatewayClient {
 
       logger.error({ traceId, execId, error: errorMessage }, "Exec failed");
     } finally {
+      // Defensive: if we threw before `close`/`error` fired (e.g. transport
+      // throwing during sendExecOutput on a long-running child), make sure
+      // the SIGKILL escalation timer doesn't outlive this exec.
+      if (sigkillTimer) {
+        clearTimeout(sigkillTimer);
+        sigkillTimer = null;
+      }
       this.currentJobId = undefined;
     }
   }

package/src/index.ts

@@ -16,7 +16,6 @@ import { startWorkerHttpServer, stopWorkerHttpServer } from "./server";
  * Main entry point for gateway-based persistent worker
  */
 async function main() {
-  // Register global rejection/exception handlers early
   process.on("unhandledRejection", (reason) => {
     logger.error("Unhandled rejection:", reason);
     process.exit(1);
@@ -29,10 +28,8 @@ async function main() {
 
   logger.info("Starting worker...");
 
-  // Initialize Sentry for error tracking
   await initSentry();
 
-  // Initialize OpenTelemetry tracing for distributed tracing
   const otlpEndpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT;
   if (otlpEndpoint) {
     initTracing({
@@ -42,16 +39,12 @@ async function main() {
     logger.info(`Tracing initialized: lobu-worker -> ${otlpEndpoint}`);
   }
 
-  // Discover and register available modules
   await moduleRegistry.registerAvailableModules();
-
-  // Initialize all registered modules
   await moduleRegistry.initAll();
   logger.info("✅ Modules initialized");
 
   logger.info("🔄 Starting in gateway mode (SSE/HTTP-based persistent worker)");
 
-  // Get user ID from environment
   const userId = process.env.USER_ID;
 
   if (!userId) {
@@ -62,7 +55,6 @@ async function main() {
   }
 
   try {
-    // Get required environment variables
     const deploymentName = process.env.DEPLOYMENT_NAME;
     const dispatcherUrl = process.env.DISPATCHER_URL;
     const workerToken = process.env.WORKER_TOKEN;
@@ -80,11 +72,9 @@ async function main() {
       process.exit(1);
     }
 
-    // Start HTTP server before connecting to gateway
     const httpPort = await startWorkerHttpServer();
     logger.info(`Worker HTTP server started on port ${httpPort}`);
 
-    // Initialize gateway client directly
     logger.info(`🚀 Starting Gateway-based Persistent Worker`);
     logger.info(`- User ID: ${userId}`);
     logger.info(`- Deployment: ${deploymentName}`);
@@ -100,33 +90,25 @@ async function main() {
 
     // Register signal handlers before async operations
     let isShuttingDown = false;
-
-    process.on("SIGTERM", async () => {
+    const shutdown = async (signal: NodeJS.Signals) => {
       if (isShuttingDown) return;
       isShuttingDown = true;
-      logger.info("Received SIGTERM, shutting down gateway worker...");
+      logger.info(`Received ${signal}, shutting down gateway worker...`);
       await gatewayClient.stop();
       await stopWorkerHttpServer();
       process.exit(0);
-    });
+    };
 
-    process.on("SIGINT", async () => {
-      if (isShuttingDown) return;
-      isShuttingDown = true;
-      logger.info("Received SIGINT, shutting down gateway worker...");
-      await gatewayClient.stop();
-      await stopWorkerHttpServer();
-      process.exit(0);
-    });
+    process.on("SIGTERM", () => shutdown("SIGTERM"));
+    process.on("SIGINT", () => shutdown("SIGINT"));
 
     logger.info("🔌 Connecting to dispatcher...");
     await gatewayClient.start();
     logger.info("✅ Gateway worker started successfully");
 
-    // Keep process alive
-    await new Promise(() => {
-      // Keep process running indefinitely so we can listen messages from the queue
-    }); // Wait forever
+    await new Promise<never>(() => {
+      // Intentionally never resolves — block process until signal.
+    });
   } catch (error) {
     logger.error("❌ Gateway worker failed:", error);
     process.exit(1);

package/src/instructions/builder.ts

@@ -20,10 +20,9 @@ export async function generateCustomInstructions(
   context: InstructionContext
 ): Promise<string> {
   try {
+    const sorted = [...providers].sort((a, b) => a.priority - b.priority);
     const sections: string[] = [];
-    for (const provider of [...providers].sort(
-      (a, b) => a.priority - b.priority
-    )) {
+    for (const provider of sorted) {
       const instructions = await provider.getInstructions(context);
       if (instructions?.trim()) {
         sections.push(instructions.trim());

package/src/openclaw/plugin-loader.ts

@@ -99,16 +99,15 @@ async function loadSinglePlugin(
 ): Promise<LoadedPlugin | null> {
   const { source, slot, config: pluginConfig } = config;
 
-  let mod: Record<string, unknown>;
-  try {
-    mod = (await import(source)) as Record<string, unknown>;
-  } catch (err) {
+  const mod = await import(source).catch((err) => {
     throw new Error(
       `Cannot import "${source}": ${err instanceof Error ? err.message : String(err)}`
     );
-  }
+  });
 
-  const pluginEntrypoint = resolvePluginEntrypoint(mod);
+  const pluginEntrypoint = resolvePluginEntrypoint(
+    mod as Record<string, unknown>
+  );
   if (!pluginEntrypoint) {
     logger.warn(`Plugin "${source}" has no registerable entrypoint - skipping`);
     return null;
@@ -224,22 +223,19 @@ function createShimApi(params: {
     cwd,
   } = params;
   const noop = () => {
-    /* intentional no-op */
+    // No-op stub for shim plugin APIs that this loader does not implement.
   };
 
+  const prefix = `[plugin:${extractPluginName(source)}]`;
   const shimLogger = {
-    info(message: string, ...args: unknown[]) {
-      logger.info(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    warn(message: string, ...args: unknown[]) {
-      logger.warn(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    error(message: string, ...args: unknown[]) {
-      logger.error(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    debug(message: string, ...args: unknown[]) {
-      logger.debug(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
+    info: (message: string, ...args: unknown[]) =>
+      logger.info(`${prefix} ${message}`, ...args),
+    warn: (message: string, ...args: unknown[]) =>
+      logger.warn(`${prefix} ${message}`, ...args),
+    error: (message: string, ...args: unknown[]) =>
+      logger.error(`${prefix} ${message}`, ...args),
+    debug: (message: string, ...args: unknown[]) =>
+      logger.debug(`${prefix} ${message}`, ...args),
   };
 
   return {

package/src/openclaw/processor.ts

@@ -33,6 +33,7 @@ export class OpenClawProgressProcessor {
           return false;
         }
         const assistantEvent = event.assistantMessageEvent;
+        if (!assistantEvent) return false;
 
         if (assistantEvent.type === "text_delta") {
           this.hasStreamedText = true;

package/src/openclaw/sandbox-leak.ts

@@ -89,12 +89,7 @@ export function checkSandboxLeak(
   );
   redacted = redacted.replace(
     DELIVERY_PHRASE_RE,
-    (_match, _path: string, _offset: number, _full: string) => {
-      // Reconstruct the phrase prefix (everything before the path) by
-      // re-matching on the original substring. Simpler: replace the whole
-      // match with a generic note.
-      return "[file was created but not uploaded — use `UploadUserFile` to deliver it]";
-    }
+    "[file was created but not uploaded — use `UploadUserFile` to deliver it]"
   );
 
   const note =

package/src/openclaw/session-context.ts

@@ -231,6 +231,9 @@ export async function getOpenClawSessionContext(
       headers: {
         Authorization: `Bearer ${workerToken}`,
       },
+      // Session context is fetched once per turn; a stalled gateway here would
+      // otherwise hang the worker before the agent ever sees the prompt.
+      signal: AbortSignal.timeout(30_000),
     });
 
     if (!response.ok) {

package/src/openclaw/tool-policy.ts

@@ -86,10 +86,6 @@ export function isDirectPackageInstallCommand(command: string): boolean {
   );
 }
 
-function normalizePattern(pattern: string): string {
-  return pattern.trim();
-}
-
 function normalizeToolName(name: string): string {
   return name.trim().toLowerCase();
 }
@@ -108,16 +104,13 @@ export function normalizeToolList(value?: string | string[]): string[] {
 
 function parseBashFilter(pattern: string): string | null {
   const match = pattern.match(/^Bash\(([^:]+):\*\)$/i);
-  if (!match) {
-    return null;
-  }
-  const prefix = match[1]?.trim();
-  return prefix ? prefix : null;
+  const prefix = match?.[1]?.trim();
+  return prefix || null;
 }
 
 function matchesToolPattern(toolName: string, pattern: string): boolean {
   const normalizedTool = normalizeToolName(toolName);
-  const normalizedPattern = normalizePattern(pattern);
+  const normalizedPattern = pattern.trim();
   const normalizedPatternLower = normalizedPattern.toLowerCase();
 
   if (normalizedPattern === "*") {
@@ -145,11 +138,11 @@ export function buildToolPolicy(params: {
   const mergedAllowed = [
     ...(toolsConfig?.allowedTools ?? []),
     ...allowedPatterns,
-  ].map(normalizePattern);
+  ].map((p) => p.trim());
   const mergedDenied = [
     ...(toolsConfig?.deniedTools ?? []),
     ...deniedPatterns,
-  ].map(normalizePattern);
+  ].map((p) => p.trim());
 
   const bashAllowPrefixes = mergedAllowed
     .map((pattern) => parseBashFilter(pattern))

package/src/openclaw/worker.ts

@@ -281,22 +281,20 @@ export class OpenClawWorker implements WorkerExecutor {
     this.workspaceManager = new WorkspaceManager(config.workspace);
     this.progressProcessor = new OpenClawProgressProcessor();
 
-    // Verify required environment variables
     const gatewayUrl = process.env.DISPATCHER_URL;
     const workerToken = process.env.WORKER_TOKEN;
-
     if (!gatewayUrl || !workerToken) {
       throw new Error(
         "DISPATCHER_URL and WORKER_TOKEN environment variables are required"
       );
     }
-
     if (!config.teamId) {
       throw new Error("teamId is required for worker initialization");
     }
     if (!config.conversationId) {
       throw new Error("conversationId is required for worker initialization");
     }
+
     this.workerTransport = new HttpWorkerTransport({
       gatewayUrl,
       workerToken,
@@ -327,13 +325,11 @@ export class OpenClawWorker implements WorkerExecutor {
         `[TIMING] Worker execute() started at: ${new Date(executeStartTime).toISOString()}`
       );
 
-      // Decode user prompt
       const userPrompt = Buffer.from(this.config.userPrompt, "base64").toString(
         "utf-8"
       );
       logger.info(`User prompt: ${userPrompt.substring(0, 100)}...`);
 
-      // Setup workspace
       logger.info("Setting up workspace...");
 
       await Sentry.startSpan(
@@ -360,13 +356,9 @@ export class OpenClawWorker implements WorkerExecutor {
         }
       );
 
-      // Setup I/O directories for file handling
       await this.setupIODirectories();
-
-      // Download input files if any
       await this.downloadInputFiles();
 
-      // Generate custom instructions
       let customInstructions = await generateCustomInstructions(
         [
           new OpenClawCoreInstructionProvider(),
@@ -385,7 +377,7 @@ export class OpenClawWorker implements WorkerExecutor {
         }
       );
 
-      // Call module onSessionStart hooks to allow modules to modify system prompt
+      // Module hooks may modify the system prompt before agent execution.
       try {
         const { onSessionStart } = await import("../modules/lifecycle");
         const moduleContext = await onSessionStart({
@@ -407,7 +399,6 @@ export class OpenClawWorker implements WorkerExecutor {
       // Add file I/O instructions AFTER module hooks so they aren't overwritten
       customInstructions += this.getFileIOInstructions();
 
-      // Execute AI session
       logger.info(
         `[TIMING] Starting OpenClaw session at: ${new Date().toISOString()}`
       );
@@ -468,7 +459,6 @@ export class OpenClawWorker implements WorkerExecutor {
         }
       );
 
-      // Collect module data before sending final response
       const { collectModuleData } = await import("../modules/lifecycle");
       const moduleData = await collectModuleData({
         workspaceDir: this.workspaceManager.getCurrentWorkingDirectory(),
@@ -477,7 +467,6 @@ export class OpenClawWorker implements WorkerExecutor {
       });
       this.workerTransport.setModuleData(moduleData);
 
-      // Handle result
       if (result.success) {
         const outputSnapshot = this.progressProcessor.getOutputSnapshot();
         const hintGatewayUrl = process.env.DISPATCHER_URL;

package/src/server.ts

@@ -3,7 +3,7 @@
  * Lightweight Hono server started before SSE gateway connection.
  */
 
-import { readFile } from "node:fs/promises";
+import { readdir, readFile, stat } from "node:fs/promises";
 import { createServer } from "node:http";
 import { join } from "node:path";
 import { getRequestListener } from "@hono/node-server";
@@ -20,7 +20,6 @@ const logger = createLogger("worker-http");
 const app = new Hono();
 
 async function findSessionFile(): Promise<string | null> {
-  const { readdir, stat } = await import("node:fs/promises");
   const workspaceDir = getOptionalEnv("WORKSPACE_DIR", "/workspace");
 
   // Direct path: {WORKSPACE_DIR}/.openclaw/session.jsonl
@@ -163,10 +162,8 @@ function entryToMessage(entry: SessionEntry): ParsedMessage | null {
   return null;
 }
 
-// Health check
 app.get("/health", (c) => c.json({ status: "ok" }));
 
-// Full session messages with cursor-based pagination
 app.get("/session/messages", async (c) => {
   const cursor = c.req.query("cursor");
   const limit = Math.min(parseInt(c.req.query("limit") || "50", 10), 200);
@@ -230,7 +227,6 @@ app.get("/session/messages", async (c) => {
   }
 });
 
-// Session stats
 app.get("/session/stats", async (c) => {
   try {
     const sessionPath = await findSessionFile();

package/src/shared/audio-provider-suggestions.ts

@@ -5,11 +5,7 @@ interface AudioProviderSuggestions {
   usedFallback: boolean;
 }
 
-const FALLBACK_PROVIDER_ENTRIES = [
-  { id: "chatgpt" },
-  { id: "gemini" },
-  { id: "elevenlabs" },
-] as const;
+const FALLBACK_PROVIDER_IDS = ["chatgpt", "gemini", "elevenlabs"] as const;
 
 const KNOWN_PROVIDER_LABELS: Record<string, string> = {
   chatgpt: "ChatGPT/OpenAI",
@@ -48,7 +44,7 @@ function getFallbackSuggestions(
   available: boolean | null
 ): AudioProviderSuggestions {
   return {
-    providerIds: FALLBACK_PROVIDER_ENTRIES.map((entry) => entry.id),
+    providerIds: [...FALLBACK_PROVIDER_IDS],
     providerDisplayList: "",
     available,
     usedFallback: true,
@@ -119,6 +115,8 @@ export async function fetchAudioProviderSuggestions(params: {
       `${params.gatewayUrl}/internal/audio/capabilities`,
       {
         headers: { Authorization: `Bearer ${params.workerToken}` },
+        // Capability probing is best-effort; never block the agent turn on it.
+        signal: AbortSignal.timeout(15_000),
       }
     );
     if (!response.ok) {

package/src/shared/tool-implementations.ts

@@ -285,17 +285,30 @@ export async function uploadUserFile(
     const formDataBuffer = await formDataToBuffer(formData);
     const fdHeaders = formData.getHeaders();
 
-    const response = await fetch(`${gw.gatewayUrl}/internal/files/upload`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${gw.workerToken}`,
-        "X-Channel-Id": gw.channelId,
-        "X-Conversation-Id": gw.conversationId,
-        ...fdHeaders,
-        "Content-Length": formDataBuffer.length.toString(),
-      },
-      body: formDataBuffer,
-    });
+    let response: Response;
+    try {
+      response = await fetch(`${gw.gatewayUrl}/internal/files/upload`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${gw.workerToken}`,
+          "X-Channel-Id": gw.channelId,
+          "X-Conversation-Id": gw.conversationId,
+          ...fdHeaders,
+          "Content-Length": formDataBuffer.length.toString(),
+        },
+        body: formDataBuffer,
+        // A stalled gateway upload must not wedge the agent turn forever —
+        // a 5-minute ceiling is well above any legitimate file delivery.
+        signal: AbortSignal.timeout(300_000),
+      });
+    } catch (err) {
+      if (err instanceof Error && err.name === "TimeoutError") {
+        return textResult(
+          `Error: Failed to show file to user: upload timed out`
+        );
+      }
+      throw err;
+    }
 
     if (!response.ok) {
       const error = await response.text();
@@ -582,9 +595,9 @@ async function uploadGeneratedFile(
     const formDataBuffer = await formDataToBuffer(formData);
     const fdHeaders = formData.getHeaders();
 
-    const uploadResponse = await fetch(
-      `${gw.gatewayUrl}/internal/files/upload`,
-      {
+    let uploadResponse: Response;
+    try {
+      uploadResponse = await fetch(`${gw.gatewayUrl}/internal/files/upload`, {
         method: "POST",
         headers: {
           Authorization: `Bearer ${gw.workerToken}`,
@@ -595,8 +608,14 @@ async function uploadGeneratedFile(
           ...extraHeaders,
         },
         body: formDataBuffer,
+        signal: AbortSignal.timeout(300_000),
+      });
+    } catch (err) {
+      if (err instanceof Error && err.name === "TimeoutError") {
+        return textResult(`Generated content but upload timed out`);
       }
-    );
+      throw err;
+    }
 
     if (!uploadResponse.ok) {
       const uploadError = await uploadResponse.text();
@@ -638,6 +657,7 @@ export async function generateImage(
       `${gw.gatewayUrl}/internal/images/capabilities`,
       {
         headers: { Authorization: `Bearer ${gw.workerToken}` },
+        signal: AbortSignal.timeout(30_000),
       }
     );
 
@@ -668,6 +688,9 @@ export async function generateImage(
         background: args.background,
         format: args.format,
       }),
+      // Image gen can take a while at high quality, but never minutes — cap
+      // the wait so a stalled upstream provider doesn't hang the agent turn.
+      signal: AbortSignal.timeout(120_000),
     });
 
     if (!response.ok) {
@@ -758,6 +781,7 @@ export async function generateAudio(
         voice: args.voice,
         speed: args.speed,
       }),
+      signal: AbortSignal.timeout(120_000),
     });
 
     if (!response.ok) {
@@ -915,11 +939,28 @@ export async function callMcpTool(
       throw err;
     }
 
-    const data = (await response.json()) as {
+    // MCP proxy returns JSON on success, but a misbehaving upstream (502
+    // HTML, plain-text 500, empty body) would otherwise crash the tool call
+    // with "Unexpected token < in JSON". Treat parse failure as a transport
+    // error message instead of letting it bubble out as an unhandled throw.
+    let data: {
       content?: Array<{ type: string; text: string }>;
       error?: string;
       isError?: boolean;
     };
+    try {
+      data = (await response.json()) as {
+        content?: Array<{ type: string; text: string }>;
+        error?: string;
+        isError?: boolean;
+      };
+    } catch (parseErr) {
+      const parseMsg =
+        parseErr instanceof Error ? parseErr.message : String(parseErr);
+      return textResult(
+        `Error: ${toolName} returned a non-JSON response (status ${response.status}): ${parseMsg}`
+      );
+    }
 
     if (!response.ok || data.isError) {
       const contentText = data.content