@omnixal/openclaw-nats-plugin 0.2.12 → 0.2.14

package/cli/bun-setup.ts

@@ -7,7 +7,7 @@ import {
 } from './paths';
 import { downloadNatsServer, NATS_VERSION } from './download-nats';
 import { writeNatsConfig } from './nats-config';
-import { generateApiKey, getExistingApiKey, writeEnvVariables } from './env-writer';
+import { generateApiKey, getExistingApiKey, getExistingHookToken, writeEnvVariables } from './env-writer';
 import {
   getServiceManager, generateSystemdUnit, generateLaunchdPlist,
   installSystemdUnit, installLaunchdPlist, startService, stopService,
@@ -48,6 +48,7 @@ export async function bunSetup(): Promise<void> {
 
   // 6. Reuse existing API key or generate new one
   const apiKey = getExistingApiKey() ?? generateApiKey();
+  const hookToken = getExistingHookToken() ?? generateApiKey();
 
   // 7. Write env variables (to OpenClaw .env for hooks, and sidecar .env for the service)
   const envVars: Record<string, string> = {
@@ -55,6 +56,7 @@ export async function bunSetup(): Promise<void> {
     NATS_PLUGIN_API_KEY: apiKey,
     NATS_SERVERS: 'nats://127.0.0.1:4222',
     OPENCLAW_GATEWAY_URL: 'http://127.0.0.1:18789',
+    OPENCLAW_HOOK_TOKEN: hookToken,
   };
   writeEnvVariables(envVars);
 
@@ -66,6 +68,7 @@ export async function bunSetup(): Promise<void> {
     `NATS_SERVERS=nats://127.0.0.1:4222`,
     `NATS_PLUGIN_API_KEY=${apiKey}`,
     `OPENCLAW_GATEWAY_URL=http://127.0.0.1:18789`,
+    `OPENCLAW_HOOK_TOKEN=${hookToken}`,
   ].join('\n');
   writeFileSync(join(SIDECAR_DIR, '.env'), sidecarEnv, 'utf-8');
 

package/cli/docker-setup.ts

@@ -2,7 +2,7 @@ import { mkdirSync, cpSync, writeFileSync, existsSync } from 'node:fs';
 import { execFileSync } from 'node:child_process';
 import { join, dirname } from 'node:path';
 import { PLUGIN_DIR, DOCKER_DIR, DASHBOARD_DIR, STATE_FILE, type PluginState } from './paths';
-import { generateApiKey, getExistingApiKey, writeEnvVariables } from './env-writer';
+import { generateApiKey, getExistingApiKey, getExistingHookToken, writeEnvVariables } from './env-writer';
 
 /**
  * Try to copy dashboard dist into a running OpenClaw container's volume.
@@ -58,9 +58,10 @@ export async function dockerSetup(): Promise<void> {
   cpSync(templateDir, DOCKER_DIR, { recursive: true });
   cpSync(sidecarSrc, join(DOCKER_DIR, 'sidecar'), { recursive: true });
 
-  // 2. Reuse existing API key or generate new one
+  // 2. Reuse existing API key and hook token or generate new ones
   const apiKey = getExistingApiKey() ?? generateApiKey();
-  writeFileSync(join(DOCKER_DIR, '.env'), `NATS_PLUGIN_API_KEY=${apiKey}\n`);
+  const hookToken = getExistingHookToken() ?? generateApiKey();
+  writeFileSync(join(DOCKER_DIR, '.env'), `NATS_PLUGIN_API_KEY=${apiKey}\nOPENCLAW_HOOK_TOKEN=${hookToken}\n`);
 
   // 3. Build and start
   console.log('Building and starting containers...');
@@ -71,6 +72,8 @@ export async function dockerSetup(): Promise<void> {
     NATS_SIDECAR_URL: 'http://127.0.0.1:3104',
     NATS_PLUGIN_API_KEY: apiKey,
     NATS_SERVERS: 'nats://127.0.0.1:4222',
+    OPENCLAW_GATEWAY_URL: 'http://127.0.0.1:18789',
+    OPENCLAW_HOOK_TOKEN: hookToken,
   });
 
   // 5. Copy dashboard dist into OpenClaw container (host→container bridge)

package/cli/env-writer.ts

@@ -14,6 +14,13 @@ export function getExistingApiKey(): string | null {
   return match?.[1]?.trim() || null;
 }
 
+export function getExistingHookToken(): string | null {
+  if (!existsSync(OPENCLAW_ENV)) return null;
+  const content = readFileSync(OPENCLAW_ENV, 'utf-8');
+  const match = content.match(/^OPENCLAW_HOOK_TOKEN=(.+)$/m);
+  return match?.[1]?.trim() || null;
+}
+
 export function mergeEnvContent(
   existingContent: string,
   variables: Record<string, string>,

package/docker/docker-compose.yml

@@ -31,6 +31,7 @@ services:
       - NATS_SERVERS=nats://nats:4222
       - OPENCLAW_GATEWAY_URL=http://host.docker.internal:18789
       - NATS_PLUGIN_API_KEY=${NATS_PLUGIN_API_KEY}
+      - OPENCLAW_HOOK_TOKEN=${OPENCLAW_HOOK_TOKEN}
     volumes:
       - sidecar-data:/app/data
     restart: unless-stopped

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@omnixal/openclaw-nats-plugin",
-  "version": "0.2.12",
+  "version": "0.2.14",
   "description": "NATS JetStream event-driven plugin for OpenClaw",
   "license": "MIT",
   "type": "module",

package/plugins/nats-context-engine/http-handler.ts

@@ -2,11 +2,13 @@ import fs from 'node:fs/promises';
 import path from 'node:path';
 import { existsSync } from 'node:fs';
 import { homedir } from 'node:os';
+import http from 'node:http';
 import type { IncomingMessage, ServerResponse } from 'node:http';
 
 const ROUTE_PREFIX = '/nats-dashboard';
 const SIDECAR_URL = process.env.NATS_SIDECAR_URL || 'http://127.0.0.1:3104';
 const API_KEY = process.env.NATS_PLUGIN_API_KEY || 'dev-nats-plugin-key';
+const sidecarParsed = new URL(SIDECAR_URL);
 
 // Stable location (copied during setup) takes priority over in-package dist
 const STABLE_DIST = path.join(homedir(), '.openclaw', 'nats-plugin', 'dashboard');
@@ -52,7 +54,6 @@ async function proxyToSidecar(
   res: ServerResponse,
 ): Promise<boolean> {
   try {
-    const targetUrl = `${SIDECAR_URL}${subPath}${search}`;
     const headers: Record<string, string> = {
       'Authorization': `Bearer ${API_KEY}`,
     };
@@ -65,27 +66,61 @@ async function proxyToSidecar(
       body = await readBody(req);
     }
 
-    const upstream = await fetch(targetUrl, {
+    // Use node:http directly — global fetch() may be intercepted by gateway SSRF guards
+    const upstream = await httpRequest({
+      hostname: sidecarParsed.hostname,
+      port: Number(sidecarParsed.port),
+      path: `${subPath}${search}`,
       method: req.method || 'GET',
       headers,
-      body,
-      signal: AbortSignal.timeout(10000),
-    });
-
-    res.statusCode = upstream.status;
-    res.setHeader('content-type', upstream.headers.get('content-type') || 'application/json');
-    const responseBody = await upstream.text();
-    res.end(responseBody);
-  } catch {
+      timeout: 10_000,
+    }, body);
+
+    res.statusCode = upstream.statusCode;
+    res.setHeader('content-type', upstream.headers['content-type'] || 'application/json');
+    res.end(upstream.body);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[nats-dashboard] Sidecar proxy error: ${message} (url=${SIDECAR_URL}${subPath})`);
     res.statusCode = 502;
     res.setHeader('content-type', 'application/json');
-    res.end(JSON.stringify({ error: 'Sidecar unreachable' }));
+    res.end(JSON.stringify({ error: 'Sidecar unreachable', detail: message }));
   }
   return true;
 }
 
 const MAX_BODY_BYTES = 1_048_576; // 1MB
 
+interface HttpResponse {
+  statusCode: number;
+  headers: Record<string, string | string[] | undefined>;
+  body: string;
+}
+
+function httpRequest(
+  opts: http.RequestOptions,
+  body?: string,
+): Promise<HttpResponse> {
+  return new Promise((resolve, reject) => {
+    const req = http.request(opts, (res) => {
+      const chunks: Buffer[] = [];
+      res.on('data', (chunk: Buffer) => chunks.push(chunk));
+      res.on('end', () => {
+        resolve({
+          statusCode: res.statusCode || 500,
+          headers: res.headers,
+          body: Buffer.concat(chunks).toString(),
+        });
+      });
+      res.on('error', reject);
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Request timeout')); });
+    if (body) req.write(body);
+    req.end();
+  });
+}
+
 function readBody(req: IncomingMessage): Promise<string> {
   return new Promise((resolve, reject) => {
     const chunks: Buffer[] = [];