@nextclaw/server 0.6.13 → 0.7.0

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 import * as NextclawCore from '@nextclaw/core';
 import { ThinkingLevel, CronService, Config, ConfigActionExecuteRequest as ConfigActionExecuteRequest$1, ConfigActionExecuteResult as ConfigActionExecuteResult$1 } from '@nextclaw/core';
 import { Hono } from 'hono';
+import { IncomingMessage } from 'node:http';
 
 type ApiError = {
     code: string;
@@ -133,6 +134,26 @@ type ProviderAuthImportResult = {
     source: "cli";
     expiresAt?: string;
 };
+type AuthStatusView = {
+    enabled: boolean;
+    configured: boolean;
+    authenticated: boolean;
+    username?: string;
+};
+type AuthSetupRequest = {
+    username: string;
+    password: string;
+};
+type AuthLoginRequest = {
+    username: string;
+    password: string;
+};
+type AuthPasswordUpdateRequest = {
+    password: string;
+};
+type AuthEnabledUpdateRequest = {
+    enabled: boolean;
+};
 type AgentProfileView = {
     id: string;
     default?: boolean;
@@ -820,6 +841,44 @@ type UiServerHandle = {
 
 declare function startUiServer(options: UiServerOptions): UiServerHandle;
 
+declare class UiAuthService {
+    private readonly configPath;
+    private readonly sessions;
+    constructor(configPath: string);
+    private loadCurrentConfig;
+    private saveCurrentConfig;
+    private readAuthConfig;
+    private isConfigured;
+    isProtectionEnabled(): boolean;
+    private getSessionIdFromCookieHeader;
+    private getValidSession;
+    isRequestAuthenticated(request: Request): boolean;
+    isSocketAuthenticated(request: IncomingMessage): boolean;
+    getStatus(request: Request): AuthStatusView;
+    private createSession;
+    private clearAllSessions;
+    private deleteRequestSession;
+    private buildLoginCookie;
+    buildLogoutCookie(request: Request): string;
+    setup(request: Request, payload: AuthSetupRequest): {
+        status: AuthStatusView;
+        cookie: string;
+    };
+    login(request: Request, payload: AuthLoginRequest): {
+        status: AuthStatusView;
+        cookie: string;
+    };
+    logout(request: Request): void;
+    updatePassword(request: Request, payload: AuthPasswordUpdateRequest): {
+        status: AuthStatusView;
+        cookie?: string;
+    };
+    updateEnabled(request: Request, payload: AuthEnabledUpdateRequest): {
+        status: AuthStatusView;
+        cookie?: string;
+    };
+}
+
 type UiRouterOptions = {
     configPath: string;
     productVersion?: string;
@@ -827,6 +886,7 @@ type UiRouterOptions = {
     marketplace?: MarketplaceApiConfig;
     cronService?: InstanceType<typeof NextclawCore.CronService>;
     chatRuntime?: UiChatRuntime;
+    authService?: UiAuthService;
 };
 
 declare function createUiRouter(options: UiRouterOptions): Hono;
@@ -875,4 +935,4 @@ declare function deleteSession(configPath: string, key: string): boolean;
 declare function updateRuntime(configPath: string, patch: RuntimeConfigUpdate): Pick<ConfigView, "agents" | "bindings" | "session">;
 declare function updateSecrets(configPath: string, patch: SecretsConfigUpdate): SecretsView;
 
-export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type AppMetaView, type BindingPeerView, type BochaFreshnessValue, type ChannelSpecView, type ChatCapabilitiesView, type ChatCommandOptionView, type ChatCommandView, type ChatCommandsView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatSessionTypeOptionView, type ChatSessionTypesView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, DEFAULT_SESSION_TYPE, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplacePluginContentView, type MarketplacePluginInstallKind, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallKind, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderAuthImportResult, type ProviderAuthPollRequest, type ProviderAuthPollResult, type ProviderAuthStartRequest, type ProviderAuthStartResult, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RuntimeConfigUpdate, type SearchConfigUpdate, type SearchConfigView, type SearchProviderConfigView, type SearchProviderName, type SearchProviderSpecView, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, SessionPatchValidationError, type SessionsListView, type UiChatRuntime, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, executeConfigAction, getSessionHistory, listSessions, loadConfigOrDefault, patchSession, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSearch, updateSecrets };
+export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type AppMetaView, type AuthEnabledUpdateRequest, type AuthLoginRequest, type AuthPasswordUpdateRequest, type AuthSetupRequest, type AuthStatusView, type BindingPeerView, type BochaFreshnessValue, type ChannelSpecView, type ChatCapabilitiesView, type ChatCommandOptionView, type ChatCommandView, type ChatCommandsView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatSessionTypeOptionView, type ChatSessionTypesView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, DEFAULT_SESSION_TYPE, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplacePluginContentView, type MarketplacePluginInstallKind, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallKind, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderAuthImportResult, type ProviderAuthPollRequest, type ProviderAuthPollResult, type ProviderAuthStartRequest, type ProviderAuthStartResult, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RuntimeConfigUpdate, type SearchConfigUpdate, type SearchConfigView, type SearchProviderConfigView, type SearchProviderName, type SearchProviderSpecView, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, SessionPatchValidationError, type SessionsListView, type UiChatRuntime, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, executeConfigAction, getSessionHistory, listSessions, loadConfigOrDefault, patchSession, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSearch, updateSecrets };

package/dist/index.js

@@ -8,6 +8,316 @@ import { existsSync, readFileSync } from "fs";
 import { readFile as readFile2, stat } from "fs/promises";
 import { join } from "path";
 
+// src/ui/auth.service.ts
+import { ConfigSchema, loadConfig, saveConfig } from "@nextclaw/core";
+import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from "crypto";
+var SESSION_COOKIE_NAME = "nextclaw_ui_session";
+var PASSWORD_MIN_LENGTH = 8;
+function normalizeUsername(value) {
+  return value.trim();
+}
+function parseCookieHeader(rawHeader) {
+  if (!rawHeader) {
+    return {};
+  }
+  const cookies = {};
+  for (const chunk of rawHeader.split(";")) {
+    const [rawKey, ...rawValue] = chunk.split("=");
+    const key = rawKey?.trim();
+    if (!key) {
+      continue;
+    }
+    cookies[key] = decodeURIComponent(rawValue.join("=").trim());
+  }
+  return cookies;
+}
+function buildSetCookie(params) {
+  const parts = [
+    `${SESSION_COOKIE_NAME}=${encodeURIComponent(params.value)}`,
+    "Path=/",
+    "HttpOnly",
+    "SameSite=Lax"
+  ];
+  if (params.secure) {
+    parts.push("Secure");
+  }
+  if (typeof params.maxAgeSeconds === "number") {
+    parts.push(`Max-Age=${Math.max(0, Math.trunc(params.maxAgeSeconds))}`);
+  }
+  if (params.expires) {
+    parts.push(`Expires=${params.expires}`);
+  }
+  return parts.join("; ");
+}
+function resolveSecureRequest(url, protocolHint) {
+  if (protocolHint?.trim().toLowerCase() === "https") {
+    return true;
+  }
+  try {
+    return new URL(url).protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+function hashPassword(password, salt) {
+  return scryptSync(password, salt, 64).toString("hex");
+}
+function verifyPassword(password, expectedHash, salt) {
+  const actualHashBuffer = Buffer.from(hashPassword(password, salt), "hex");
+  const expectedHashBuffer = Buffer.from(expectedHash, "hex");
+  if (actualHashBuffer.length !== expectedHashBuffer.length) {
+    return false;
+  }
+  return timingSafeEqual(actualHashBuffer, expectedHashBuffer);
+}
+function createPasswordRecord(password) {
+  const passwordSalt = randomBytes(16).toString("hex");
+  return {
+    passwordHash: hashPassword(password, passwordSalt),
+    passwordSalt
+  };
+}
+function validateUsernameAndPassword(username, password) {
+  if (!username) {
+    throw new Error("Username is required.");
+  }
+  if (password.trim().length < PASSWORD_MIN_LENGTH) {
+    throw new Error(`Password must be at least ${PASSWORD_MIN_LENGTH} characters.`);
+  }
+}
+var UiAuthService = class {
+  constructor(configPath) {
+    this.configPath = configPath;
+  }
+  sessions = /* @__PURE__ */ new Map();
+  loadCurrentConfig() {
+    return loadConfig(this.configPath);
+  }
+  saveCurrentConfig(config) {
+    saveConfig(ConfigSchema.parse(config), this.configPath);
+  }
+  readAuthConfig() {
+    return this.loadCurrentConfig().ui.auth;
+  }
+  isConfigured(auth) {
+    return Boolean(
+      normalizeUsername(auth.username).length > 0 && auth.passwordHash.trim().length > 0 && auth.passwordSalt.trim().length > 0
+    );
+  }
+  isProtectionEnabled() {
+    const auth = this.readAuthConfig();
+    return Boolean(auth.enabled && this.isConfigured(auth));
+  }
+  getSessionIdFromCookieHeader(rawCookieHeader) {
+    const cookies = parseCookieHeader(rawCookieHeader);
+    const sessionId = cookies[SESSION_COOKIE_NAME];
+    return sessionId?.trim() ? sessionId.trim() : null;
+  }
+  getValidSession(sessionId, username) {
+    if (!sessionId) {
+      return null;
+    }
+    const session = this.sessions.get(sessionId);
+    if (!session || session.username !== username) {
+      return null;
+    }
+    return session;
+  }
+  isRequestAuthenticated(request) {
+    const auth = this.readAuthConfig();
+    if (!auth.enabled || !this.isConfigured(auth)) {
+      return true;
+    }
+    const username = normalizeUsername(auth.username);
+    const sessionId = this.getSessionIdFromCookieHeader(request.headers.get("cookie"));
+    return Boolean(this.getValidSession(sessionId, username));
+  }
+  isSocketAuthenticated(request) {
+    const auth = this.readAuthConfig();
+    if (!auth.enabled || !this.isConfigured(auth)) {
+      return true;
+    }
+    const username = normalizeUsername(auth.username);
+    const rawCookieHeader = Array.isArray(request.headers.cookie) ? request.headers.cookie.join("; ") : request.headers.cookie;
+    const sessionId = this.getSessionIdFromCookieHeader(rawCookieHeader);
+    return Boolean(this.getValidSession(sessionId, username));
+  }
+  getStatus(request) {
+    const auth = this.readAuthConfig();
+    const configured = this.isConfigured(auth);
+    const enabled = Boolean(auth.enabled && configured);
+    const username = configured ? normalizeUsername(auth.username) : void 0;
+    return {
+      enabled,
+      configured,
+      authenticated: enabled ? this.isRequestAuthenticated(request) : false,
+      ...username ? { username } : {}
+    };
+  }
+  createSession(username) {
+    const sessionId = randomUUID();
+    this.sessions.set(sessionId, {
+      sessionId,
+      username,
+      createdAt: Date.now()
+    });
+    return sessionId;
+  }
+  clearAllSessions() {
+    this.sessions.clear();
+  }
+  deleteRequestSession(request) {
+    const sessionId = this.getSessionIdFromCookieHeader(request.headers.get("cookie"));
+    if (!sessionId) {
+      return;
+    }
+    this.sessions.delete(sessionId);
+  }
+  buildLoginCookie(request, sessionId) {
+    return buildSetCookie({
+      value: sessionId,
+      secure: resolveSecureRequest(request.url, request.headers.get("x-forwarded-proto"))
+    });
+  }
+  buildLogoutCookie(request) {
+    return buildSetCookie({
+      value: "",
+      secure: resolveSecureRequest(request.url, request.headers.get("x-forwarded-proto")),
+      maxAgeSeconds: 0,
+      expires: (/* @__PURE__ */ new Date(0)).toUTCString()
+    });
+  }
+  setup(request, payload) {
+    const config = this.loadCurrentConfig();
+    const currentAuth = config.ui.auth;
+    if (this.isConfigured(currentAuth)) {
+      throw new Error("UI authentication is already configured.");
+    }
+    const username = normalizeUsername(payload.username);
+    const password = payload.password;
+    validateUsernameAndPassword(username, password);
+    const nextPassword = createPasswordRecord(password);
+    config.ui.auth = {
+      enabled: true,
+      username,
+      ...nextPassword
+    };
+    this.saveCurrentConfig(config);
+    this.clearAllSessions();
+    const sessionId = this.createSession(username);
+    return {
+      status: {
+        enabled: true,
+        configured: true,
+        authenticated: true,
+        username
+      },
+      cookie: this.buildLoginCookie(request, sessionId)
+    };
+  }
+  login(request, payload) {
+    const auth = this.readAuthConfig();
+    if (!auth.enabled || !this.isConfigured(auth)) {
+      throw new Error("UI authentication is not enabled.");
+    }
+    const username = normalizeUsername(payload.username);
+    if (username !== normalizeUsername(auth.username) || !verifyPassword(payload.password, auth.passwordHash, auth.passwordSalt)) {
+      throw new Error("Invalid username or password.");
+    }
+    const sessionId = this.createSession(username);
+    return {
+      status: {
+        enabled: true,
+        configured: true,
+        authenticated: true,
+        username
+      },
+      cookie: this.buildLoginCookie(request, sessionId)
+    };
+  }
+  logout(request) {
+    this.deleteRequestSession(request);
+  }
+  updatePassword(request, payload) {
+    const config = this.loadCurrentConfig();
+    const auth = config.ui.auth;
+    if (!this.isConfigured(auth)) {
+      throw new Error("UI authentication is not configured.");
+    }
+    if (auth.enabled && !this.isRequestAuthenticated(request)) {
+      throw new Error("Authentication required.");
+    }
+    validateUsernameAndPassword(normalizeUsername(auth.username), payload.password);
+    const nextPassword = createPasswordRecord(payload.password);
+    config.ui.auth = {
+      ...auth,
+      ...nextPassword
+    };
+    this.saveCurrentConfig(config);
+    this.clearAllSessions();
+    if (!auth.enabled) {
+      return {
+        status: {
+          enabled: false,
+          configured: true,
+          authenticated: false,
+          username: normalizeUsername(auth.username)
+        }
+      };
+    }
+    const sessionId = this.createSession(normalizeUsername(auth.username));
+    return {
+      status: {
+        enabled: true,
+        configured: true,
+        authenticated: true,
+        username: normalizeUsername(auth.username)
+      },
+      cookie: this.buildLoginCookie(request, sessionId)
+    };
+  }
+  updateEnabled(request, payload) {
+    const config = this.loadCurrentConfig();
+    const auth = config.ui.auth;
+    const configured = this.isConfigured(auth);
+    const currentlyEnabled = Boolean(auth.enabled && configured);
+    if (currentlyEnabled && !this.isRequestAuthenticated(request)) {
+      throw new Error("Authentication required.");
+    }
+    if (payload.enabled && !configured) {
+      throw new Error("UI authentication must be configured before it can be enabled.");
+    }
+    config.ui.auth = {
+      ...auth,
+      enabled: Boolean(payload.enabled)
+    };
+    this.saveCurrentConfig(config);
+    if (!payload.enabled) {
+      this.clearAllSessions();
+      return {
+        status: {
+          enabled: false,
+          configured,
+          authenticated: false,
+          ...configured ? { username: normalizeUsername(auth.username) } : {}
+        },
+        cookie: this.buildLogoutCookie(request)
+      };
+    }
+    const username = normalizeUsername(auth.username);
+    const sessionId = this.createSession(username);
+    return {
+      status: {
+        enabled: true,
+        configured: true,
+        authenticated: true,
+        username
+      },
+      cookie: this.buildLoginCookie(request, sessionId)
+    };
+  }
+};
+
 // src/ui/router.ts
 import { Hono } from "hono";
 
@@ -82,14 +392,115 @@ var AppRoutesController = class {
   appMeta = (c) => c.json(ok(buildAppMetaView(this.options)));
 };
 
+// src/ui/router/auth.controller.ts
+function isAuthenticationRequiredError(message) {
+  return message === "Authentication required.";
+}
+function isConflictError(message) {
+  return message.includes("already configured");
+}
+function setCookieHeader(c, cookie) {
+  if (!cookie) {
+    return;
+  }
+  c.header("Set-Cookie", cookie);
+}
+var AuthRoutesController = class {
+  constructor(authService) {
+    this.authService = authService;
+  }
+  getStatus = (c) => {
+    return c.json(ok(this.authService.getStatus(c.req.raw)));
+  };
+  setup = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    if (typeof body.data.username !== "string" || typeof body.data.password !== "string") {
+      return c.json(err("INVALID_BODY", "username and password are required"), 400);
+    }
+    try {
+      const result = this.authService.setup(c.req.raw, body.data);
+      setCookieHeader(c, result.cookie);
+      return c.json(ok(result.status), 201);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json(err(isConflictError(message) ? "AUTH_ALREADY_CONFIGURED" : "INVALID_BODY", message), isConflictError(message) ? 409 : 400);
+    }
+  };
+  login = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    if (typeof body.data.username !== "string" || typeof body.data.password !== "string") {
+      return c.json(err("INVALID_BODY", "username and password are required"), 400);
+    }
+    try {
+      const result = this.authService.login(c.req.raw, body.data);
+      setCookieHeader(c, result.cookie);
+      return c.json(ok(result.status));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const code = message === "Invalid username or password." ? "INVALID_CREDENTIALS" : "AUTH_NOT_ENABLED";
+      const status = message === "Invalid username or password." ? 401 : 400;
+      return c.json(err(code, message), status);
+    }
+  };
+  logout = (c) => {
+    this.authService.logout(c.req.raw);
+    setCookieHeader(c, this.authService.buildLogoutCookie(c.req.raw));
+    return c.json(ok({ success: true }));
+  };
+  updatePassword = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    if (typeof body.data.password !== "string") {
+      return c.json(err("INVALID_BODY", "password is required"), 400);
+    }
+    try {
+      const result = this.authService.updatePassword(c.req.raw, body.data);
+      setCookieHeader(c, result.cookie);
+      return c.json(ok(result.status));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const status = isAuthenticationRequiredError(message) ? 401 : 400;
+      const code = isAuthenticationRequiredError(message) ? "UNAUTHORIZED" : "INVALID_BODY";
+      return c.json(err(code, message), status);
+    }
+  };
+  updateEnabled = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    if (typeof body.data.enabled !== "boolean") {
+      return c.json(err("INVALID_BODY", "enabled is required"), 400);
+    }
+    try {
+      const result = this.authService.updateEnabled(c.req.raw, body.data);
+      setCookieHeader(c, result.cookie);
+      return c.json(ok(result.status));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const status = isAuthenticationRequiredError(message) ? 401 : 400;
+      const code = isAuthenticationRequiredError(message) ? "UNAUTHORIZED" : "INVALID_BODY";
+      return c.json(err(code, message), status);
+    }
+  };
+};
+
 // src/ui/router/chat.controller.ts
 import * as NextclawCore2 from "@nextclaw/core";
 
 // src/ui/config.ts
 import {
-  loadConfig,
-  saveConfig,
-  ConfigSchema,
+  loadConfig as loadConfig2,
+  saveConfig as saveConfig2,
+  ConfigSchema as ConfigSchema2,
   probeFeishu,
   LiteLLMProvider,
   buildConfigSchema,
@@ -432,7 +843,7 @@ function resolveRuntimeConfig(config, draftConfig) {
     return config;
   }
   const merged = deepMerge(config, draftConfig);
-  return ConfigSchema.parse(merged);
+  return ConfigSchema2.parse(merged);
 }
 function getActionById(config, actionId) {
   const actions = buildConfigSchemaView(config).actions;
@@ -783,15 +1194,15 @@ async function executeConfigAction(configPath, actionId, request) {
   };
 }
 function loadConfigOrDefault(configPath) {
-  return loadConfig(configPath);
+  return loadConfig2(configPath);
 }
 function updateModel(configPath, patch) {
   const config = loadConfigOrDefault(configPath);
   if (typeof patch.model === "string") {
     config.agents.defaults.model = patch.model;
   }
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   return buildConfigView(next);
 }
 function updateSearch(configPath, patch) {
@@ -844,8 +1255,8 @@ function updateSearch(configPath, patch) {
       config.search.providers.brave.baseUrl = normalizeOptionalString(bravePatch.baseUrl) ?? "https://api.search.brave.com/res/v1/web/search";
     }
   }
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   return buildSearchView(next);
 }
 function updateProvider(configPath, providerName, patch) {
@@ -878,8 +1289,8 @@ function updateProvider(configPath, providerName, patch) {
   if (Object.prototype.hasOwnProperty.call(patch, "modelThinking")) {
     provider.modelThinking = normalizeModelThinkingConfig(patch.modelThinking ?? {});
   }
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   const uiHints = buildUiHints(next);
   const updated = next.providers[providerName];
   return toProviderView(next, updated, providerName, uiHints, spec ?? void 0);
@@ -898,8 +1309,8 @@ function createCustomProvider(configPath, patch = {}) {
     models: normalizeModelList(patch.models ?? []),
     modelThinking: normalizeModelThinkingConfig(patch.modelThinking ?? {})
   };
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   const uiHints = buildUiHints(next);
   const created = next.providers[providerName];
   return {
@@ -918,8 +1329,8 @@ function deleteCustomProvider(configPath, providerName) {
   }
   delete providers[providerName];
   clearSecretRefsByPrefix(config, `providers.${providerName}`);
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   return true;
 }
 function normalizeOptionalString(value) {
@@ -1069,8 +1480,8 @@ function updateChannel(configPath, channelName, patch) {
     }
   }
   config.channels[channelName] = { ...channel, ...patch };
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   const uiHints = buildUiHints(next);
   return sanitizePublicConfigValue(
     next.channels[channelName],
@@ -1356,8 +1767,8 @@ function updateRuntime(configPath, patch) {
       agentToAgent: nextAgentToAgent
     };
   }
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   const view = buildConfigView(next);
   return {
     agents: view.agents,
@@ -1391,8 +1802,8 @@ function updateSecrets(configPath, patch) {
   if (Object.prototype.hasOwnProperty.call(patch, "refs")) {
     config.secrets.refs = patch.refs ?? {};
   }
-  const next = ConfigSchema.parse(config);
-  saveConfig(next, configPath);
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, configPath);
   return {
     enabled: next.secrets.enabled,
     defaults: { ...next.secrets.defaults },
@@ -1998,14 +2409,14 @@ var ChatRoutesController = class {
 };
 
 // src/ui/provider-auth.ts
-import { createHash, randomBytes, randomUUID } from "crypto";
+import { createHash, randomBytes as randomBytes2, randomUUID as randomUUID2 } from "crypto";
 import { readFile } from "fs/promises";
 import { homedir } from "os";
 import { isAbsolute, resolve } from "path";
 import {
-  ConfigSchema as ConfigSchema2,
-  loadConfig as loadConfig2,
-  saveConfig as saveConfig2
+  ConfigSchema as ConfigSchema3,
+  loadConfig as loadConfig3,
+  saveConfig as saveConfig3
 } from "@nextclaw/core";
 var authSessions = /* @__PURE__ */ new Map();
 var DEFAULT_AUTH_INTERVAL_MS = 2e3;
@@ -2026,7 +2437,7 @@ function toBase64Url(buffer) {
   return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
 function buildPkce() {
-  const verifier = toBase64Url(randomBytes(48));
+  const verifier = toBase64Url(randomBytes2(48));
   const challenge = toBase64Url(createHash("sha256").update(verifier).digest());
   return { verifier, challenge };
 }
@@ -2199,7 +2610,7 @@ function readFieldAsString(source, fieldName) {
   return trimmed.length > 0 ? trimmed : null;
 }
 function setProviderApiKey(params) {
-  const config = loadConfig2(params.configPath);
+  const config = loadConfig3(params.configPath);
   const providers = config.providers;
   if (!providers[params.provider]) {
     providers[params.provider] = {
@@ -2217,8 +2628,8 @@ function setProviderApiKey(params) {
   if (!target.apiBase && params.defaultApiBase) {
     target.apiBase = params.defaultApiBase;
   }
-  const next = ConfigSchema2.parse(config);
-  saveConfig2(next, params.configPath);
+  const next = ConfigSchema3.parse(config);
+  saveConfig3(next, params.configPath);
 }
 async function startProviderAuth(configPath, providerName, options) {
   cleanupExpiredAuthSessions();
@@ -2243,7 +2654,7 @@ async function startProviderAuth(configPath, providerName, options) {
     if (!pkce) {
       throw new Error("MiniMax OAuth requires PKCE");
     }
-    const state = toBase64Url(randomBytes(16));
+    const state = toBase64Url(randomBytes2(16));
     const body = new URLSearchParams({
       response_type: "code",
       client_id: resolvedMethod.clientId,
@@ -2257,7 +2668,7 @@ async function startProviderAuth(configPath, providerName, options) {
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
         Accept: "application/json",
-        "x-request-id": randomUUID()
+        "x-request-id": randomUUID2()
       },
       body
     });
@@ -2309,7 +2720,7 @@ async function startProviderAuth(configPath, providerName, options) {
     const expiresInSec = normalizePositiveInt(payload.expires_in, 600);
     expiresAtMs = Date.now() + expiresInSec * 1e3;
   }
-  const sessionId = randomUUID();
+  const sessionId = randomUUID2();
   authSessions.set(sessionId, {
     sessionId,
     provider: providerName,
@@ -4046,7 +4457,9 @@ var SessionRoutesController = class {
 function createUiRouter(options) {
   const app = new Hono();
   const marketplaceBaseUrl = normalizeMarketplaceBaseUrl(options);
+  const authService = options.authService ?? new UiAuthService(options.configPath);
   const appController = new AppRoutesController(options);
+  const authController = new AuthRoutesController(authService);
   const configController = new ConfigRoutesController(options);
   const chatController = new ChatRoutesController(options);
   const sessionController = new SessionRoutesController(options);
@@ -4054,8 +4467,27 @@ function createUiRouter(options) {
   const pluginMarketplaceController = new PluginMarketplaceController(options, marketplaceBaseUrl);
   const skillMarketplaceController = new SkillMarketplaceController(options, marketplaceBaseUrl);
   app.notFound((c) => c.json(err("NOT_FOUND", "endpoint not found"), 404));
+  app.use("/api/*", async (c, next) => {
+    const path = c.req.path;
+    if (path === "/api/health" || path.startsWith("/api/auth/")) {
+      await next();
+      return;
+    }
+    if (!authService.isProtectionEnabled() || authService.isRequestAuthenticated(c.req.raw)) {
+      await next();
+      return;
+    }
+    c.status(401);
+    return c.json(err("UNAUTHORIZED", "Authentication required."), 401);
+  });
   app.get("/api/health", appController.health);
   app.get("/api/app/meta", appController.appMeta);
+  app.get("/api/auth/status", authController.getStatus);
+  app.post("/api/auth/setup", authController.setup);
+  app.post("/api/auth/login", authController.login);
+  app.post("/api/auth/logout", authController.logout);
+  app.put("/api/auth/password", authController.updatePassword);
+  app.put("/api/auth/enabled", authController.updateEnabled);
   app.get("/api/config", configController.getConfig);
   app.get("/api/config/meta", configController.getConfigMeta);
   app.get("/api/config/schema", configController.getConfigSchema);
@@ -4121,7 +4553,8 @@ function startUiServer(options) {
   const app = new Hono2();
   app.use("/*", compress());
   const origin = options.corsOrigins ?? DEFAULT_CORS_ORIGINS;
-  app.use("/api/*", cors({ origin }));
+  const authService = new UiAuthService(options.configPath);
+  app.use("/api/*", cors({ origin, credentials: true }));
   const clients = /* @__PURE__ */ new Set();
   const publish = (event) => {
     const payload = JSON.stringify(event);
@@ -4139,7 +4572,8 @@ function startUiServer(options) {
       publish,
       marketplace: options.marketplace,
       cronService: options.cronService,
-      chatRuntime: options.chatRuntime
+      chatRuntime: options.chatRuntime,
+      authService
     })
   );
   const staticDir = options.staticDir;
@@ -4179,9 +4613,23 @@ function startUiServer(options) {
     port: options.port,
     hostname: options.host
   });
-  const wss = new WebSocketServer({
-    server,
-    path: "/ws"
+  const httpServer = server;
+  const wss = new WebSocketServer({ noServer: true });
+  httpServer.on("upgrade", (request, socket, head) => {
+    const host = request.headers.host ?? "127.0.0.1";
+    const url = request.url ?? "/";
+    const pathname = new URL(url, `http://${host}`).pathname;
+    if (pathname !== "/ws") {
+      return;
+    }
+    if (!authService.isSocketAuthenticated(request)) {
+      socket.write("HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n");
+      socket.destroy();
+      return;
+    }
+    wss.handleUpgrade(request, socket, head, (ws) => {
+      wss.emit("connection", ws, request);
+    });
   });
   wss.on("connection", (socket) => {
     clients.add(socket);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextclaw/server",
-  "version": "0.6.13",
+  "version": "0.7.0",
   "private": false,
   "description": "Nextclaw UI/API server.",
   "type": "module",
@@ -18,9 +18,9 @@
     "@hono/node-server": "^1.13.3",
     "hono": "^4.6.2",
     "ws": "^8.18.0",
-    "@nextclaw/openclaw-compat": "0.2.6",
-    "@nextclaw/runtime": "0.1.6",
-    "@nextclaw/core": "0.7.7"
+    "@nextclaw/openclaw-compat": "0.2.7",
+    "@nextclaw/runtime": "0.1.7",
+    "@nextclaw/core": "0.8.0"
   },
   "devDependencies": {
     "@types/node": "^20.17.6",