@lobu/worker 7.0.0 → 7.2.0

package/src/gateway/sse-client.ts

@@ -9,9 +9,11 @@ import {
   extractTraceId,
   flushTracing,
   SpanStatusCode,
+  stripEnv,
 } from "@lobu/core";
 import { z } from "zod";
 import type { WorkerConfig, WorkerExecutor } from "../core/types";
+import { SENSITIVE_WORKER_ENV_KEYS } from "../shared/worker-env-keys";
 import { HttpWorkerTransport } from "./gateway-integration";
 import { MessageBatcher } from "./message-batcher";
 import type { MessagePayload, QueuedMessage } from "./types";
@@ -79,20 +81,33 @@ const AgentOptionsSchema = z
   .passthrough();
 
 const JobEventSchema = z.object({
-  payload: z.object({
-    botId: z.string(),
-    userId: z.string(),
-    agentId: z.string(),
-    conversationId: z.string(),
-    platform: z.string(),
-    channelId: z.string(),
-    messageId: z.string(),
-    messageText: z.string(),
-    platformMetadata: PlatformMetadataSchema,
-    agentOptions: AgentOptionsSchema,
-    jobId: z.string().optional(),
-    teamId: z.string().optional(), // Optional for WhatsApp (top-level) and Slack (in platformMetadata)
-  }),
+  payload: z
+    .object({
+      botId: z.string(),
+      userId: z.string(),
+      agentId: z.string(),
+      conversationId: z.string(),
+      platform: z.string(),
+      channelId: z.string(),
+      messageId: z.string(),
+      messageText: z.string(),
+      platformMetadata: PlatformMetadataSchema,
+      agentOptions: AgentOptionsSchema,
+      jobId: z.string().optional(),
+      teamId: z.string().optional(), // Optional for WhatsApp (top-level) and Slack (in platformMetadata)
+      // Threaded through from MessageConsumer's runs-queue claim. The worker
+      // asserts these in snapshot mode (LOBU_SESSION_STORE != "file") — see
+      // worker.ts:353-360. The default zod object mode strips unknown keys,
+      // which silently dropped these fields and broke every Telegram chat
+      // when snapshot mode became the default in PR #871. Declare them
+      // explicitly so they survive parsing, and `.passthrough()` keeps any
+      // future MessagePayload field (mcpConfig, nixConfig, egressConfig,
+      // preApprovedTools, exec* fields, organizationId, networkConfig...)
+      // from regressing the same way.
+      runId: z.number().optional(),
+      runJobToken: z.string().optional(),
+    })
+    .passthrough(),
   processedIds: z.array(z.string()).optional(),
 });
 
@@ -574,16 +589,27 @@ export class GatewayClient {
     });
 
     let completed = false;
+    let sigkillTimer: NodeJS.Timeout | null = null;
 
     try {
-      // Spawn the command
+      // Strip the worker's own gateway credentials before handing the shell
+      // its env. An `exec` command is an arbitrary string from the gateway
+      // that ends up under `sh -c`; leaking WORKER_TOKEN / DISPATCHER_URL
+      // into that environment would let a malicious or buggy exec impersonate
+      // the worker against its own gateway. The bash-tool and just-bash
+      // spawners already apply the same filter (see openclaw/tools.ts and
+      // embedded/just-bash-bootstrap.ts) — keep parity here.
+      const baseEnv = stripEnv(process.env, SENSITIVE_WORKER_ENV_KEYS);
       const proc = spawn("sh", ["-c", execCommand], {
         cwd: workingDir,
-        env: { ...process.env, ...execEnv },
+        env: { ...baseEnv, ...execEnv },
         stdio: ["ignore", "pipe", "pipe"],
       });
 
-      // Setup timeout
+      // Setup timeout. The SIGKILL escalation timer is tracked so the `close`
+      // handler can clear it when the child exits between SIGTERM and SIGKILL;
+      // otherwise the timer pins the event loop for an extra 5s after every
+      // timed-out exec and (worse) leaks if `close`/`error` never fires.
       const timeoutId = setTimeout(() => {
         if (!completed) {
           logger.warn(
@@ -591,7 +617,8 @@ export class GatewayClient {
             "Exec timeout reached, killing process"
           );
           proc.kill("SIGTERM");
-          setTimeout(() => {
+          sigkillTimer = setTimeout(() => {
+            sigkillTimer = null;
             if (!completed) {
               proc.kill("SIGKILL");
             }
@@ -600,7 +627,7 @@ export class GatewayClient {
       }, timeout);
 
       // Stream stdout
-      proc.stdout?.on("data", (chunk: Buffer) => {
+      const onStdout = (chunk: Buffer) => {
         const content = chunk.toString();
         transport.sendExecOutput(execId, "stdout", content).catch((err) => {
           logger.error(
@@ -608,10 +635,11 @@ export class GatewayClient {
             "Failed to send stdout"
           );
         });
-      });
+      };
+      proc.stdout?.on("data", onStdout);
 
       // Stream stderr
-      proc.stderr?.on("data", (chunk: Buffer) => {
+      const onStderr = (chunk: Buffer) => {
         const content = chunk.toString();
         transport.sendExecOutput(execId, "stderr", content).catch((err) => {
           logger.error(
@@ -619,19 +647,34 @@ export class GatewayClient {
             "Failed to send stderr"
           );
         });
-      });
+      };
+      proc.stderr?.on("data", onStderr);
 
       // Wait for process to complete
       const exitCode = await new Promise<number>((resolve, reject) => {
         proc.on("close", (code) => {
           completed = true;
           clearTimeout(timeoutId);
+          if (sigkillTimer) {
+            clearTimeout(sigkillTimer);
+            sigkillTimer = null;
+          }
+          // Stop accepting late `data` events so a chunk buffered after exit
+          // can't fire `sendExecOutput` AFTER we've signalled completion.
+          proc.stdout?.removeListener("data", onStdout);
+          proc.stderr?.removeListener("data", onStderr);
           resolve(code ?? 0);
         });
 
         proc.on("error", (error) => {
           completed = true;
           clearTimeout(timeoutId);
+          if (sigkillTimer) {
+            clearTimeout(sigkillTimer);
+            sigkillTimer = null;
+          }
+          proc.stdout?.removeListener("data", onStdout);
+          proc.stderr?.removeListener("data", onStderr);
           reject(error);
         });
       });
@@ -663,6 +706,13 @@ export class GatewayClient {
 
       logger.error({ traceId, execId, error: errorMessage }, "Exec failed");
     } finally {
+      // Defensive: if we threw before `close`/`error` fired (e.g. transport
+      // throwing during sendExecOutput on a long-running child), make sure
+      // the SIGKILL escalation timer doesn't outlive this exec.
+      if (sigkillTimer) {
+        clearTimeout(sigkillTimer);
+        sigkillTimer = null;
+      }
       this.currentJobId = undefined;
     }
   }
@@ -882,6 +932,21 @@ export class GatewayClient {
       workspace: {
         baseDirectory: process.env.WORKSPACE_DIR || "/workspace",
       },
+      // Threaded through from MessageConsumer (set from the runs-queue
+      // claim's job.id). Used by cleanup() to attribute the snapshot to
+      // the correct run; codex P1#1 on PR #865.
+      runId:
+        typeof payload.runId === "number" && Number.isFinite(payload.runId)
+          ? payload.runId
+          : undefined,
+      // Per-run JWT minted by MessageConsumer alongside runId. Worker
+      // uses this for the snapshot POST instead of the deployment-
+      // lifetime WORKER_TOKEN, so the gateway can enforce
+      // tokenData.runId === body.runId — codex round 2 finding A.
+      runJobToken:
+        typeof payload.runJobToken === "string" && payload.runJobToken
+          ? payload.runJobToken
+          : undefined,
     };
   }
 

package/src/gateway/types.ts

@@ -41,6 +41,21 @@ export interface MessagePayload {
   jobId?: string; // Optional job ID from gateway
   teamId?: string; // Optional team ID (WhatsApp uses top-level, Slack uses platformMetadata)
 
+  // The runs.id of the row that dispatched this job. Set by the gateway
+  // MessageConsumer (stamped from the runs-queue claim's job.id) and
+  // threaded into WorkerConfig.runId. The worker's cleanup() uses it to
+  // attribute the agent_transcript_snapshot row to the correct run —
+  // see codex P1#1 on PR #865.
+  runId?: number;
+
+  // Per-run worker JWT bound to `runId` above. Minted by MessageConsumer
+  // and threaded into WorkerConfig.runJobToken. The worker uses THIS
+  // token (not the deployment-lifetime WORKER_TOKEN) when calling the
+  // snapshot endpoint, so the route's `tokenData.runId === body.runId`
+  // equality check can reject any cross-run impersonation — codex round
+  // 2 finding A on PR #865.
+  runJobToken?: string;
+
   // Job type (default: "message")
   jobType?: JobType;
 

package/src/index.ts

@@ -16,7 +16,6 @@ import { startWorkerHttpServer, stopWorkerHttpServer } from "./server";
  * Main entry point for gateway-based persistent worker
  */
 async function main() {
-  // Register global rejection/exception handlers early
   process.on("unhandledRejection", (reason) => {
     logger.error("Unhandled rejection:", reason);
     process.exit(1);
@@ -29,10 +28,8 @@ async function main() {
 
   logger.info("Starting worker...");
 
-  // Initialize Sentry for error tracking
   await initSentry();
 
-  // Initialize OpenTelemetry tracing for distributed tracing
   const otlpEndpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT;
   if (otlpEndpoint) {
     initTracing({
@@ -42,16 +39,12 @@ async function main() {
     logger.info(`Tracing initialized: lobu-worker -> ${otlpEndpoint}`);
   }
 
-  // Discover and register available modules
   await moduleRegistry.registerAvailableModules();
-
-  // Initialize all registered modules
   await moduleRegistry.initAll();
   logger.info("✅ Modules initialized");
 
   logger.info("🔄 Starting in gateway mode (SSE/HTTP-based persistent worker)");
 
-  // Get user ID from environment
   const userId = process.env.USER_ID;
 
   if (!userId) {
@@ -62,7 +55,6 @@ async function main() {
   }
 
   try {
-    // Get required environment variables
     const deploymentName = process.env.DEPLOYMENT_NAME;
     const dispatcherUrl = process.env.DISPATCHER_URL;
     const workerToken = process.env.WORKER_TOKEN;
@@ -80,11 +72,9 @@ async function main() {
       process.exit(1);
     }
 
-    // Start HTTP server before connecting to gateway
     const httpPort = await startWorkerHttpServer();
     logger.info(`Worker HTTP server started on port ${httpPort}`);
 
-    // Initialize gateway client directly
     logger.info(`🚀 Starting Gateway-based Persistent Worker`);
     logger.info(`- User ID: ${userId}`);
     logger.info(`- Deployment: ${deploymentName}`);
@@ -100,33 +90,25 @@ async function main() {
 
     // Register signal handlers before async operations
     let isShuttingDown = false;
-
-    process.on("SIGTERM", async () => {
+    const shutdown = async (signal: NodeJS.Signals) => {
       if (isShuttingDown) return;
       isShuttingDown = true;
-      logger.info("Received SIGTERM, shutting down gateway worker...");
+      logger.info(`Received ${signal}, shutting down gateway worker...`);
       await gatewayClient.stop();
       await stopWorkerHttpServer();
       process.exit(0);
-    });
+    };
 
-    process.on("SIGINT", async () => {
-      if (isShuttingDown) return;
-      isShuttingDown = true;
-      logger.info("Received SIGINT, shutting down gateway worker...");
-      await gatewayClient.stop();
-      await stopWorkerHttpServer();
-      process.exit(0);
-    });
+    process.on("SIGTERM", () => shutdown("SIGTERM"));
+    process.on("SIGINT", () => shutdown("SIGINT"));
 
     logger.info("🔌 Connecting to dispatcher...");
     await gatewayClient.start();
     logger.info("✅ Gateway worker started successfully");
 
-    // Keep process alive
-    await new Promise(() => {
-      // Keep process running indefinitely so we can listen messages from the queue
-    }); // Wait forever
+    await new Promise<never>(() => {
+      // Intentionally never resolves — block process until signal.
+    });
   } catch (error) {
     logger.error("❌ Gateway worker failed:", error);
     process.exit(1);

package/src/instructions/builder.ts

@@ -20,10 +20,9 @@ export async function generateCustomInstructions(
   context: InstructionContext
 ): Promise<string> {
   try {
+    const sorted = [...providers].sort((a, b) => a.priority - b.priority);
     const sections: string[] = [];
-    for (const provider of [...providers].sort(
-      (a, b) => a.priority - b.priority
-    )) {
+    for (const provider of sorted) {
       const instructions = await provider.getInstructions(context);
       if (instructions?.trim()) {
         sections.push(instructions.trim());

package/src/openclaw/plugin-loader.ts

@@ -99,16 +99,15 @@ async function loadSinglePlugin(
 ): Promise<LoadedPlugin | null> {
   const { source, slot, config: pluginConfig } = config;
 
-  let mod: Record<string, unknown>;
-  try {
-    mod = (await import(source)) as Record<string, unknown>;
-  } catch (err) {
+  const mod = await import(source).catch((err) => {
     throw new Error(
       `Cannot import "${source}": ${err instanceof Error ? err.message : String(err)}`
     );
-  }
+  });
 
-  const pluginEntrypoint = resolvePluginEntrypoint(mod);
+  const pluginEntrypoint = resolvePluginEntrypoint(
+    mod as Record<string, unknown>
+  );
   if (!pluginEntrypoint) {
     logger.warn(`Plugin "${source}" has no registerable entrypoint - skipping`);
     return null;
@@ -224,22 +223,19 @@ function createShimApi(params: {
     cwd,
   } = params;
   const noop = () => {
-    /* intentional no-op */
+    // No-op stub for shim plugin APIs that this loader does not implement.
   };
 
+  const prefix = `[plugin:${extractPluginName(source)}]`;
   const shimLogger = {
-    info(message: string, ...args: unknown[]) {
-      logger.info(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    warn(message: string, ...args: unknown[]) {
-      logger.warn(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    error(message: string, ...args: unknown[]) {
-      logger.error(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
-    debug(message: string, ...args: unknown[]) {
-      logger.debug(`[plugin:${extractPluginName(source)}] ${message}`, ...args);
-    },
+    info: (message: string, ...args: unknown[]) =>
+      logger.info(`${prefix} ${message}`, ...args),
+    warn: (message: string, ...args: unknown[]) =>
+      logger.warn(`${prefix} ${message}`, ...args),
+    error: (message: string, ...args: unknown[]) =>
+      logger.error(`${prefix} ${message}`, ...args),
+    debug: (message: string, ...args: unknown[]) =>
+      logger.debug(`${prefix} ${message}`, ...args),
   };
 
   return {

package/src/openclaw/processor.ts

@@ -33,6 +33,7 @@ export class OpenClawProgressProcessor {
           return false;
         }
         const assistantEvent = event.assistantMessageEvent;
+        if (!assistantEvent) return false;
 
         if (assistantEvent.type === "text_delta") {
           this.hasStreamedText = true;

package/src/openclaw/sandbox-leak.ts

@@ -89,12 +89,7 @@ export function checkSandboxLeak(
   );
   redacted = redacted.replace(
     DELIVERY_PHRASE_RE,
-    (_match, _path: string, _offset: number, _full: string) => {
-      // Reconstruct the phrase prefix (everything before the path) by
-      // re-matching on the original substring. Simpler: replace the whole
-      // match with a generic note.
-      return "[file was created but not uploaded — use `UploadUserFile` to deliver it]";
-    }
+    "[file was created but not uploaded — use `UploadUserFile` to deliver it]"
   );
 
   const note =

package/src/openclaw/session-context.ts

@@ -231,6 +231,9 @@ export async function getOpenClawSessionContext(
       headers: {
         Authorization: `Bearer ${workerToken}`,
       },
+      // Session context is fetched once per turn; a stalled gateway here would
+      // otherwise hang the worker before the agent ever sees the prompt.
+      signal: AbortSignal.timeout(30_000),
     });
 
     if (!response.ok) {

package/src/openclaw/tool-policy.ts

@@ -86,10 +86,6 @@ export function isDirectPackageInstallCommand(command: string): boolean {
   );
 }
 
-function normalizePattern(pattern: string): string {
-  return pattern.trim();
-}
-
 function normalizeToolName(name: string): string {
   return name.trim().toLowerCase();
 }
@@ -108,16 +104,13 @@ export function normalizeToolList(value?: string | string[]): string[] {
 
 function parseBashFilter(pattern: string): string | null {
   const match = pattern.match(/^Bash\(([^:]+):\*\)$/i);
-  if (!match) {
-    return null;
-  }
-  const prefix = match[1]?.trim();
-  return prefix ? prefix : null;
+  const prefix = match?.[1]?.trim();
+  return prefix || null;
 }
 
 function matchesToolPattern(toolName: string, pattern: string): boolean {
   const normalizedTool = normalizeToolName(toolName);
-  const normalizedPattern = normalizePattern(pattern);
+  const normalizedPattern = pattern.trim();
   const normalizedPatternLower = normalizedPattern.toLowerCase();
 
   if (normalizedPattern === "*") {
@@ -145,11 +138,11 @@ export function buildToolPolicy(params: {
   const mergedAllowed = [
     ...(toolsConfig?.allowedTools ?? []),
     ...allowedPatterns,
-  ].map(normalizePattern);
+  ].map((p) => p.trim());
   const mergedDenied = [
     ...(toolsConfig?.deniedTools ?? []),
     ...deniedPatterns,
-  ].map(normalizePattern);
+  ].map((p) => p.trim());
 
   const bashAllowPrefixes = mergedAllowed
     .map((pattern) => parseBashFilter(pattern))