@nextclaw/server 0.6.2 → 0.6.3

package/dist/index.d.ts

@@ -50,6 +50,31 @@ type ProviderConnectionTestResult = {
     latencyMs: number;
     message: string;
 };
+type ProviderAuthStartResult = {
+    provider: string;
+    kind: "device_code";
+    sessionId: string;
+    verificationUri: string;
+    userCode: string;
+    expiresAt: string;
+    intervalMs: number;
+    note?: string;
+};
+type ProviderAuthPollRequest = {
+    sessionId: string;
+};
+type ProviderAuthPollResult = {
+    provider: string;
+    status: "pending" | "authorized" | "denied" | "expired" | "error";
+    message?: string;
+    nextPollMs?: number;
+};
+type ProviderAuthImportResult = {
+    provider: string;
+    status: "imported";
+    source: "cli";
+    expiresAt?: string;
+};
 type AgentProfileView = {
     id: string;
     default?: boolean;
@@ -361,6 +386,20 @@ type ProviderSpecView = {
     isGateway?: boolean;
     isLocal?: boolean;
     defaultApiBase?: string;
+    logo?: string;
+    apiBaseHelp?: {
+        en?: string;
+        zh?: string;
+    };
+    auth?: {
+        kind: "device_code";
+        displayName?: string;
+        note?: {
+            en?: string;
+            zh?: string;
+        };
+        supportsCliImport?: boolean;
+    };
     defaultModels?: string[];
     supportsWireApi?: boolean;
     wireApiOptions?: Array<"auto" | "chat" | "responses">;
@@ -713,4 +752,4 @@ declare function deleteSession(configPath: string, key: string): boolean;
 declare function updateRuntime(configPath: string, patch: RuntimeConfigUpdate): Pick<ConfigView, "agents" | "bindings" | "session">;
 declare function updateSecrets(configPath: string, patch: SecretsConfigUpdate): SecretsView;
 
-export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type BindingPeerView, type ChannelSpecView, type ChatCapabilitiesView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplacePluginContentView, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RuntimeConfigUpdate, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, type SessionsListView, type UiChatRuntime, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, executeConfigAction, getSessionHistory, listSessions, loadConfigOrDefault, patchSession, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSecrets };
+export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type BindingPeerView, type ChannelSpecView, type ChatCapabilitiesView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplacePluginContentView, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderAuthImportResult, type ProviderAuthPollRequest, type ProviderAuthPollResult, type ProviderAuthStartResult, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RuntimeConfigUpdate, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, type SessionsListView, type UiChatRuntime, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, executeConfigAction, getSessionHistory, listSessions, loadConfigOrDefault, patchSession, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSecrets };

package/dist/index.js

@@ -5,12 +5,12 @@ import { cors } from "hono/cors";
 import { serve } from "@hono/node-server";
 import { WebSocketServer, WebSocket } from "ws";
 import { existsSync, readFileSync } from "fs";
-import { readFile as readFile2, stat } from "fs/promises";
+import { readFile as readFile3, stat } from "fs/promises";
 import { join } from "path";
 
 // src/ui/router.ts
 import { Hono } from "hono";
-import { readFile } from "fs/promises";
+import { readFile as readFile2 } from "fs/promises";
 import * as NextclawCore from "@nextclaw/core";
 import { buildPluginStatusReport } from "@nextclaw/openclaw-compat";
 
@@ -21,9 +21,7 @@ import {
   ConfigSchema,
   probeFeishu,
   LiteLLMProvider,
-  PROVIDERS,
   buildConfigSchema,
-  findProviderByName,
   getProviderName,
   getPackageVersion,
   hasSecretRef,
@@ -31,22 +29,9 @@ import {
   SessionManager,
   getWorkspacePathFromConfig
 } from "@nextclaw/core";
+import { findBuiltinProviderByName, listBuiltinProviders } from "@nextclaw/runtime";
 var MASK_MIN_LENGTH = 8;
 var EXTRA_SENSITIVE_PATH_PATTERNS = [/authorization/i, /cookie/i, /session/i, /bearer/i];
-var PROVIDER_TEST_MODEL_FALLBACKS = {
-  nextclaw: "dashscope/qwen3.5-flash",
-  openai: "gpt-5-mini",
-  deepseek: "deepseek-chat",
-  gemini: "gemini-3-flash-preview",
-  zhipu: "glm-5",
-  dashscope: "qwen3.5-flash",
-  moonshot: "kimi-k2.5",
-  minimax: "MiniMax-M2.5",
-  groq: "llama-3.1-8b-instant",
-  openrouter: "openai/gpt-5.3-codex",
-  aihubmix: "gpt-5.3-codex",
-  anthropic: "claude-opus-4-6"
-};
 var PREFERRED_PROVIDER_ORDER = [
   "nextclaw",
   "openai",
@@ -62,7 +47,8 @@ var PREFERRED_PROVIDER_ORDER = [
 var PREFERRED_PROVIDER_ORDER_INDEX = new Map(
   PREFERRED_PROVIDER_ORDER.map((name, index) => [name, index])
 );
-var BUILTIN_PROVIDER_NAMES = new Set(PROVIDERS.map((spec) => spec.name));
+var BUILTIN_PROVIDERS = listBuiltinProviders();
+var BUILTIN_PROVIDER_NAMES = new Set(BUILTIN_PROVIDERS.map((spec) => spec.name));
 var CUSTOM_PROVIDER_WIRE_API_OPTIONS = ["auto", "chat", "responses"];
 var CUSTOM_PROVIDER_PREFIX = "custom-";
 var PROVIDER_TEST_MAX_TOKENS = 16;
@@ -103,6 +89,33 @@ function findNextCustomProviderName(config) {
   }
   return `${CUSTOM_PROVIDER_PREFIX}${index}`;
 }
+function createDefaultProviderConfig(defaultWireApi = "auto") {
+  return {
+    displayName: "",
+    apiKey: "",
+    apiBase: null,
+    extraHeaders: null,
+    wireApi: defaultWireApi,
+    models: []
+  };
+}
+function ensureProviderConfig(config, providerName) {
+  const providers = config.providers;
+  const existing = providers[providerName];
+  if (existing) {
+    return existing;
+  }
+  if (isCustomProviderName(providerName)) {
+    return null;
+  }
+  const spec = findBuiltinProviderByName(providerName);
+  if (!spec) {
+    return null;
+  }
+  const created = createDefaultProviderConfig(spec.defaultWireApi ?? "auto");
+  providers[providerName] = created;
+  return created;
+}
 function clearSecretRefsByPrefix(config, pathPrefix) {
   for (const key of Object.keys(config.secrets.refs)) {
     if (key === pathPrefix || key.startsWith(`${pathPrefix}.`)) {
@@ -363,7 +376,7 @@ function buildConfigView(config) {
   const uiHints = buildUiHints(config);
   const providers = {};
   for (const [name, provider] of Object.entries(config.providers)) {
-    const spec = findProviderByName(name);
+    const spec = findBuiltinProviderByName(name);
     providers[name] = toProviderView(config, provider, name, uiHints, spec);
   }
   return {
@@ -394,7 +407,7 @@ function clearSecretRef(config, path) {
 }
 function buildConfigMeta(config) {
   const configProviders = config.providers;
-  const builtinProviders = PROVIDERS.map((spec) => {
+  const builtinProviders = BUILTIN_PROVIDERS.map((spec) => {
     const providerConfig = configProviders[spec.name];
     return {
       name: spec.name,
@@ -406,6 +419,14 @@ function buildConfigMeta(config) {
       isGateway: spec.isGateway,
       isLocal: spec.isLocal,
       defaultApiBase: spec.defaultApiBase,
+      logo: spec.logo,
+      apiBaseHelp: spec.apiBaseHelp,
+      auth: spec.auth ? {
+        kind: spec.auth.kind,
+        displayName: spec.auth.displayName,
+        note: spec.auth.note,
+        supportsCliImport: Boolean(spec.auth.cliCredential)
+      } : void 0,
       defaultModels: normalizeModelList(spec.defaultModels ?? []),
       supportsWireApi: spec.supportsWireApi,
       wireApiOptions: spec.wireApiOptions,
@@ -438,6 +459,9 @@ function buildConfigMeta(config) {
       isGateway: false,
       isLocal: false,
       defaultApiBase: void 0,
+      logo: void 0,
+      apiBaseHelp: void 0,
+      auth: void 0,
       defaultModels: [],
       supportsWireApi: true,
       wireApiOptions: CUSTOM_PROVIDER_WIRE_API_OPTIONS,
@@ -527,11 +551,11 @@ function updateModel(configPath, patch) {
 }
 function updateProvider(configPath, providerName, patch) {
   const config = loadConfigOrDefault(configPath);
-  const provider = config.providers[providerName];
+  const provider = ensureProviderConfig(config, providerName);
   if (!provider) {
     return null;
   }
-  const spec = findProviderByName(providerName);
+  const spec = findBuiltinProviderByName(providerName);
   const isCustom = isCustomProviderName(providerName);
   if (Object.prototype.hasOwnProperty.call(patch, "displayName") && isCustom) {
     provider.displayName = normalizeOptionalDisplayName(patch.displayName) ?? "";
@@ -653,7 +677,8 @@ function resolveTestModel(config, providerName, requestedModel, provider, spec)
   if (isCustomProviderName(providerName)) {
     return null;
   }
-  return PROVIDER_TEST_MODEL_FALLBACKS[providerName] ?? defaultModel ?? null;
+  const specDefaultModel = normalizeModelList(spec?.defaultModels ?? [])[0] ?? null;
+  return specDefaultModel ?? defaultModel ?? null;
 }
 function stringifyError(error) {
   const raw = error instanceof Error ? error.message : String(error);
@@ -661,11 +686,11 @@ function stringifyError(error) {
 }
 async function testProviderConnection(configPath, providerName, patch) {
   const config = loadConfigOrDefault(configPath);
-  const provider = config.providers[providerName];
+  const provider = ensureProviderConfig(config, providerName);
   if (!provider) {
     return null;
   }
-  const spec = findProviderByName(providerName);
+  const spec = findBuiltinProviderByName(providerName);
   const hasApiKeyPatch = Object.prototype.hasOwnProperty.call(patch, "apiKey");
   const providedApiKey = normalizeOptionalString(patch.apiKey);
   const currentApiKey = normalizeOptionalString(provider.apiKey);
@@ -1003,6 +1028,328 @@ function updateSecrets(configPath, patch) {
   };
 }
 
+// src/ui/provider-auth.ts
+import { createHash, randomBytes, randomUUID } from "crypto";
+import { readFile } from "fs/promises";
+import { homedir } from "os";
+import { isAbsolute, resolve } from "path";
+import {
+  ConfigSchema as ConfigSchema2,
+  loadConfig as loadConfig2,
+  saveConfig as saveConfig2
+} from "@nextclaw/core";
+import { findBuiltinProviderByName as findBuiltinProviderByName2 } from "@nextclaw/runtime";
+var authSessions = /* @__PURE__ */ new Map();
+var DEFAULT_AUTH_INTERVAL_MS = 2e3;
+var MAX_AUTH_INTERVAL_MS = 1e4;
+function normalizePositiveInt(value, fallback) {
+  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function toBase64Url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function buildPkce() {
+  const verifier = toBase64Url(randomBytes(48));
+  const challenge = toBase64Url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function withTrailingSlash(value) {
+  return value.endsWith("/") ? value : `${value}/`;
+}
+function cleanupExpiredAuthSessions(now = Date.now()) {
+  for (const [sessionId, session] of authSessions.entries()) {
+    if (session.expiresAtMs <= now) {
+      authSessions.delete(sessionId);
+    }
+  }
+}
+function resolveDeviceCodeEndpoints(baseUrl, deviceCodePath, tokenPath) {
+  const deviceCodeEndpoint = new URL(deviceCodePath, withTrailingSlash(baseUrl)).toString();
+  const tokenEndpoint = new URL(tokenPath, withTrailingSlash(baseUrl)).toString();
+  return { deviceCodeEndpoint, tokenEndpoint };
+}
+function resolveAuthNote(params) {
+  return params.zh ?? params.en;
+}
+function resolveHomePath(inputPath) {
+  const trimmed = inputPath.trim();
+  if (!trimmed) {
+    return trimmed;
+  }
+  if (trimmed === "~") {
+    return homedir();
+  }
+  if (trimmed.startsWith("~/")) {
+    return resolve(homedir(), trimmed.slice(2));
+  }
+  if (isAbsolute(trimmed)) {
+    return trimmed;
+  }
+  return resolve(trimmed);
+}
+function normalizeExpiresAt(value) {
+  if (typeof value === "number" && Number.isFinite(value) && value > 0) {
+    return Math.floor(value);
+  }
+  if (typeof value === "string" && value.trim()) {
+    const asNumber = Number(value);
+    if (Number.isFinite(asNumber) && asNumber > 0) {
+      return Math.floor(asNumber);
+    }
+    const parsedTime = Date.parse(value);
+    if (Number.isFinite(parsedTime) && parsedTime > 0) {
+      return parsedTime;
+    }
+  }
+  return null;
+}
+function readFieldAsString(source, fieldName) {
+  if (!fieldName) {
+    return null;
+  }
+  const rawValue = source[fieldName];
+  if (typeof rawValue !== "string") {
+    return null;
+  }
+  const trimmed = rawValue.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function setProviderApiKey(params) {
+  const config = loadConfig2(params.configPath);
+  const providers = config.providers;
+  if (!providers[params.provider]) {
+    providers[params.provider] = {
+      displayName: "",
+      apiKey: "",
+      apiBase: null,
+      extraHeaders: null,
+      wireApi: "auto",
+      models: []
+    };
+  }
+  const target = providers[params.provider];
+  target.apiKey = params.accessToken;
+  if (!target.apiBase && params.defaultApiBase) {
+    target.apiBase = params.defaultApiBase;
+  }
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, params.configPath);
+}
+async function startProviderAuth(configPath, providerName) {
+  cleanupExpiredAuthSessions();
+  const spec = findBuiltinProviderByName2(providerName);
+  if (!spec?.auth || spec.auth.kind !== "device_code") {
+    return null;
+  }
+  const { deviceCodeEndpoint, tokenEndpoint } = resolveDeviceCodeEndpoints(
+    spec.auth.baseUrl,
+    spec.auth.deviceCodePath,
+    spec.auth.tokenPath
+  );
+  const pkce = spec.auth.usePkce ? buildPkce() : null;
+  const body = new URLSearchParams({
+    client_id: spec.auth.clientId,
+    scope: spec.auth.scope
+  });
+  if (pkce) {
+    body.set("code_challenge", pkce.challenge);
+    body.set("code_challenge_method", "S256");
+  }
+  const response = await fetch(deviceCodeEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    const message = payload.error_description || payload.error || response.statusText || "device code auth failed";
+    throw new Error(message);
+  }
+  const deviceCode = payload.device_code?.trim() ?? "";
+  const userCode = payload.user_code?.trim() ?? "";
+  const verificationUri = payload.verification_uri_complete?.trim() || payload.verification_uri?.trim() || "";
+  if (!deviceCode || !userCode || !verificationUri) {
+    throw new Error("provider auth payload is incomplete");
+  }
+  const intervalMs = normalizePositiveInt(payload.interval, DEFAULT_AUTH_INTERVAL_MS / 1e3) * 1e3;
+  const expiresInSec = normalizePositiveInt(payload.expires_in, 600);
+  const expiresAtMs = Date.now() + expiresInSec * 1e3;
+  const sessionId = randomUUID();
+  authSessions.set(sessionId, {
+    sessionId,
+    provider: providerName,
+    configPath,
+    deviceCode,
+    codeVerifier: pkce?.verifier,
+    tokenEndpoint,
+    clientId: spec.auth.clientId,
+    grantType: spec.auth.grantType,
+    expiresAtMs,
+    intervalMs
+  });
+  return {
+    provider: providerName,
+    kind: "device_code",
+    sessionId,
+    verificationUri,
+    userCode,
+    expiresAt: new Date(expiresAtMs).toISOString(),
+    intervalMs,
+    note: resolveAuthNote(spec.auth.note ?? {})
+  };
+}
+async function pollProviderAuth(params) {
+  cleanupExpiredAuthSessions();
+  const session = authSessions.get(params.sessionId);
+  if (!session || session.provider !== params.providerName || session.configPath !== params.configPath) {
+    return null;
+  }
+  if (Date.now() >= session.expiresAtMs) {
+    authSessions.delete(params.sessionId);
+    return {
+      provider: params.providerName,
+      status: "expired",
+      message: "authorization session expired"
+    };
+  }
+  const body = new URLSearchParams({
+    grant_type: session.grantType,
+    client_id: session.clientId,
+    device_code: session.deviceCode
+  });
+  if (session.codeVerifier) {
+    body.set("code_verifier", session.codeVerifier);
+  }
+  const response = await fetch(session.tokenEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    const errorCode = payload.error?.trim().toLowerCase();
+    if (errorCode === "authorization_pending") {
+      return {
+        provider: params.providerName,
+        status: "pending",
+        nextPollMs: session.intervalMs
+      };
+    }
+    if (errorCode === "slow_down") {
+      const nextPollMs = Math.min(Math.floor(session.intervalMs * 1.5), MAX_AUTH_INTERVAL_MS);
+      session.intervalMs = nextPollMs;
+      authSessions.set(params.sessionId, session);
+      return {
+        provider: params.providerName,
+        status: "pending",
+        nextPollMs
+      };
+    }
+    if (errorCode === "access_denied") {
+      authSessions.delete(params.sessionId);
+      return {
+        provider: params.providerName,
+        status: "denied",
+        message: payload.error_description || "authorization denied"
+      };
+    }
+    if (errorCode === "expired_token") {
+      authSessions.delete(params.sessionId);
+      return {
+        provider: params.providerName,
+        status: "expired",
+        message: payload.error_description || "authorization session expired"
+      };
+    }
+    return {
+      provider: params.providerName,
+      status: "error",
+      message: payload.error_description || payload.error || response.statusText || "authorization failed"
+    };
+  }
+  const accessToken = payload.access_token?.trim();
+  if (!accessToken) {
+    return {
+      provider: params.providerName,
+      status: "error",
+      message: "provider token response missing access token"
+    };
+  }
+  const spec = findBuiltinProviderByName2(params.providerName);
+  setProviderApiKey({
+    configPath: params.configPath,
+    provider: params.providerName,
+    accessToken,
+    defaultApiBase: spec?.defaultApiBase
+  });
+  authSessions.delete(params.sessionId);
+  return {
+    provider: params.providerName,
+    status: "authorized"
+  };
+}
+async function importProviderAuthFromCli(configPath, providerName) {
+  const spec = findBuiltinProviderByName2(providerName);
+  if (!spec?.auth || spec.auth.kind !== "device_code" || !spec.auth.cliCredential) {
+    return null;
+  }
+  const credentialPath = resolveHomePath(spec.auth.cliCredential.path);
+  if (!credentialPath) {
+    throw new Error("provider cli credential path is empty");
+  }
+  let rawContent = "";
+  try {
+    rawContent = await readFile(credentialPath, "utf8");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`failed to read CLI credential: ${message}`);
+  }
+  let payload;
+  try {
+    const parsed = JSON.parse(rawContent);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error("credential payload is not an object");
+    }
+    payload = parsed;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`invalid CLI credential JSON: ${message}`);
+  }
+  const accessToken = readFieldAsString(payload, spec.auth.cliCredential.accessTokenField);
+  if (!accessToken) {
+    throw new Error(
+      `CLI credential missing access token field: ${spec.auth.cliCredential.accessTokenField}`
+    );
+  }
+  const expiresAtMs = normalizeExpiresAt(
+    spec.auth.cliCredential.expiresAtField ? payload[spec.auth.cliCredential.expiresAtField] : void 0
+  );
+  if (typeof expiresAtMs === "number" && expiresAtMs <= Date.now()) {
+    throw new Error("CLI credential has expired, please login again");
+  }
+  setProviderApiKey({
+    configPath,
+    provider: providerName,
+    accessToken,
+    defaultApiBase: spec.defaultApiBase
+  });
+  return {
+    provider: providerName,
+    status: "imported",
+    source: "cli",
+    expiresAt: expiresAtMs ? new Date(expiresAtMs).toISOString() : void 0
+  };
+}
+
 // src/ui/router.ts
 var DEFAULT_MARKETPLACE_API_BASE = "https://marketplace-api.nextclaw.io";
 var NEXTCLAW_PLUGIN_NPM_PREFIX = "@nextclaw/channel-plugin-";
@@ -1672,7 +2019,7 @@ async function loadLocalSkillMarkdown(options, skillName) {
     return null;
   }
   try {
-    const raw = await readFile(skillInfo.path, "utf-8");
+    const raw = await readFile2(skillInfo.path, "utf-8");
     return {
       raw,
       source: skillInfo.source
@@ -2370,6 +2717,56 @@ function createUiRouter(options) {
     }
     return c.json(ok(result));
   });
+  app.post("/api/config/providers/:provider/auth/start", async (c) => {
+    const provider = c.req.param("provider");
+    try {
+      const result = await startProviderAuth(options.configPath, provider);
+      if (!result) {
+        return c.json(err("NOT_SUPPORTED", `provider auth is not supported: ${provider}`), 404);
+      }
+      return c.json(ok(result));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json(err("AUTH_START_FAILED", message), 400);
+    }
+  });
+  app.post("/api/config/providers/:provider/auth/poll", async (c) => {
+    const provider = c.req.param("provider");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const sessionId = typeof body.data.sessionId === "string" ? body.data.sessionId.trim() : "";
+    if (!sessionId) {
+      return c.json(err("INVALID_BODY", "sessionId is required"), 400);
+    }
+    const result = await pollProviderAuth({
+      configPath: options.configPath,
+      providerName: provider,
+      sessionId
+    });
+    if (!result) {
+      return c.json(err("NOT_FOUND", "provider auth session not found"), 404);
+    }
+    if (result.status === "authorized") {
+      options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+    }
+    return c.json(ok(result));
+  });
+  app.post("/api/config/providers/:provider/auth/import-cli", async (c) => {
+    const provider = c.req.param("provider");
+    try {
+      const result = await importProviderAuthFromCli(options.configPath, provider);
+      if (!result) {
+        return c.json(err("NOT_SUPPORTED", `provider cli auth import is not supported: ${provider}`), 404);
+      }
+      options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+      return c.json(ok(result));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json(err("AUTH_IMPORT_FAILED", message), 400);
+    }
+  });
   app.put("/api/config/channels/:channel", async (c) => {
     const channel = c.req.param("channel");
     const body = await readJson(c.req.raw);
@@ -3013,7 +3410,7 @@ function startUiServer(options) {
         join,
         getContent: async (path) => {
           try {
-            return await readFile2(path);
+            return await readFile3(path);
           } catch {
             return null;
           }
@@ -3052,9 +3449,9 @@ function startUiServer(options) {
     host: options.host,
     port: options.port,
     publish,
-    close: () => new Promise((resolve) => {
+    close: () => new Promise((resolve2) => {
       wss.close(() => {
-        server.close(() => resolve());
+        server.close(() => resolve2());
       });
     })
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextclaw/server",
-  "version": "0.6.2",
+  "version": "0.6.3",
   "private": false,
   "description": "Nextclaw UI/API server.",
   "type": "module",
@@ -16,9 +16,10 @@
   "dependencies": {
     "@hono/node-server": "^1.13.3",
     "@nextclaw/openclaw-compat": "^0.2.0",
+    "@nextclaw/runtime": "^0.1.1",
     "hono": "^4.6.2",
     "ws": "^8.18.0",
-    "@nextclaw/core": "^0.7.0"
+    "@nextclaw/core": "^0.7.1"
   },
   "devDependencies": {
     "@types/node": "^20.17.6",