@poolzin/pool-bot 2026.2.17 → 2026.2.18

package/dist/gateway/channel-health-monitor.js

@@ -0,0 +1,114 @@
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("gateway/health-monitor");
+const DEFAULT_CHECK_INTERVAL_MS = 5 * 60_000;
+const DEFAULT_STARTUP_GRACE_MS = 60_000;
+const DEFAULT_COOLDOWN_CYCLES = 2;
+const DEFAULT_MAX_RESTARTS_PER_HOUR = 3;
+const ONE_HOUR_MS = 60 * 60_000;
+function isManagedAccount(snapshot) {
+    return snapshot.enabled !== false && snapshot.configured !== false;
+}
+function isChannelHealthy(snapshot) {
+    if (!isManagedAccount(snapshot)) {
+        return true;
+    }
+    if (!snapshot.running) {
+        return false;
+    }
+    if (snapshot.connected === false) {
+        return false;
+    }
+    return true;
+}
+export function startChannelHealthMonitor(deps) {
+    const { channelManager, checkIntervalMs = DEFAULT_CHECK_INTERVAL_MS, startupGraceMs = DEFAULT_STARTUP_GRACE_MS, cooldownCycles = DEFAULT_COOLDOWN_CYCLES, maxRestartsPerHour = DEFAULT_MAX_RESTARTS_PER_HOUR, abortSignal, } = deps;
+    const cooldownMs = cooldownCycles * checkIntervalMs;
+    const restartRecords = new Map();
+    const startedAt = Date.now();
+    let stopped = false;
+    let timer = null;
+    const rKey = (channelId, accountId) => `${channelId}:${accountId}`;
+    function pruneOldRestarts(record, now) {
+        record.restartsThisHour = record.restartsThisHour.filter((r) => now - r.at < ONE_HOUR_MS);
+    }
+    async function runCheck() {
+        if (stopped) {
+            return;
+        }
+        const now = Date.now();
+        if (now - startedAt < startupGraceMs) {
+            return;
+        }
+        const snapshot = channelManager.getRuntimeSnapshot();
+        for (const [channelId, accounts] of Object.entries(snapshot.channelAccounts)) {
+            if (!accounts) {
+                continue;
+            }
+            for (const [accountId, status] of Object.entries(accounts)) {
+                if (!status) {
+                    continue;
+                }
+                if (!isManagedAccount(status)) {
+                    continue;
+                }
+                if (channelManager.isManuallyStopped(channelId, accountId)) {
+                    continue;
+                }
+                if (isChannelHealthy(status)) {
+                    continue;
+                }
+                const key = rKey(channelId, accountId);
+                const record = restartRecords.get(key) ?? {
+                    lastRestartAt: 0,
+                    restartsThisHour: [],
+                };
+                if (now - record.lastRestartAt <= cooldownMs) {
+                    continue;
+                }
+                pruneOldRestarts(record, now);
+                if (record.restartsThisHour.length >= maxRestartsPerHour) {
+                    log.warn?.(`[${channelId}:${accountId}] health-monitor: hit ${maxRestartsPerHour} restarts/hour limit, skipping`);
+                    continue;
+                }
+                const reason = !status.running
+                    ? status.reconnectAttempts && status.reconnectAttempts >= 10
+                        ? "gave-up"
+                        : "stopped"
+                    : "stuck";
+                log.info?.(`[${channelId}:${accountId}] health-monitor: restarting (reason: ${reason})`);
+                try {
+                    if (status.running) {
+                        await channelManager.stopChannel(channelId, accountId);
+                    }
+                    channelManager.resetRestartAttempts(channelId, accountId);
+                    await channelManager.startChannel(channelId, accountId);
+                    record.lastRestartAt = now;
+                    record.restartsThisHour.push({ at: now });
+                    restartRecords.set(key, record);
+                }
+                catch (err) {
+                    log.error?.(`[${channelId}:${accountId}] health-monitor: restart failed: ${String(err)}`);
+                }
+            }
+        }
+    }
+    function stop() {
+        stopped = true;
+        if (timer) {
+            clearInterval(timer);
+            timer = null;
+        }
+    }
+    if (abortSignal?.aborted) {
+        stopped = true;
+    }
+    else {
+        abortSignal?.addEventListener("abort", stop, { once: true });
+        timer = setInterval(() => void runCheck(), checkIntervalMs);
+        if (typeof timer === "object" && "unref" in timer) {
+            timer.unref();
+        }
+        log.info?.(`started (interval: ${Math.round(checkIntervalMs / 1000)}s, grace: ${Math.round(startupGraceMs / 1000)}s)`);
+    }
+    return { stop };
+}

package/dist/gateway/control-ui-contract.js

@@ -0,0 +1 @@
+export const CONTROL_UI_BOOTSTRAP_CONFIG_PATH = "/__openclaw/control-ui-config.json";

package/dist/gateway/control-ui-csp.js

@@ -0,0 +1,15 @@
+export function buildControlUiCspHeader() {
+    // Control UI: block framing, block inline scripts, keep styles permissive
+    // (UI uses a lot of inline style attributes in templates).
+    return [
+        "default-src 'self'",
+        "base-uri 'none'",
+        "object-src 'none'",
+        "frame-ancestors 'none'",
+        "script-src 'self'",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data: https:",
+        "font-src 'self'",
+        "connect-src 'self' ws: wss:",
+    ].join("; ");
+}

package/dist/gateway/gateway-config-prompts.shared.js

@@ -0,0 +1,25 @@
+export const TAILSCALE_EXPOSURE_OPTIONS = [
+    { value: "off", label: "Off", hint: "No Tailscale exposure" },
+    {
+        value: "serve",
+        label: "Serve",
+        hint: "Private HTTPS for your tailnet (devices on Tailscale)",
+    },
+    {
+        value: "funnel",
+        label: "Funnel",
+        hint: "Public HTTPS via Tailscale Funnel (internet)",
+    },
+];
+export const TAILSCALE_MISSING_BIN_NOTE_LINES = [
+    "Tailscale binary not found in PATH or /Applications.",
+    "Ensure Tailscale is installed from:",
+    "  https://tailscale.com/download/mac",
+    "",
+    "You can continue setup, but serve/funnel will fail at runtime.",
+];
+export const TAILSCALE_DOCS_LINES = [
+    "Docs:",
+    "https://docs.openclaw.ai/gateway/tailscale",
+    "https://docs.openclaw.ai/web",
+];

package/dist/gateway/http-auth-helpers.js

@@ -0,0 +1,18 @@
+import { authorizeGatewayConnect } from "./auth.js";
+import { sendGatewayAuthFailure } from "./http-common.js";
+import { getBearerToken } from "./http-utils.js";
+export async function authorizeGatewayBearerRequestOrReply(params) {
+    const token = getBearerToken(params.req);
+    const authResult = await authorizeGatewayConnect({
+        auth: params.auth,
+        connectAuth: token ? { token, password: token } : null,
+        req: params.req,
+        trustedProxies: params.trustedProxies,
+        rateLimiter: params.rateLimiter,
+    });
+    if (!authResult.ok) {
+        sendGatewayAuthFailure(params.res, authResult);
+        return false;
+    }
+    return true;
+}

package/dist/gateway/http-common.js

@@ -18,6 +18,24 @@ export function sendUnauthorized(res) {
         error: { message: "Unauthorized", type: "unauthorized" },
     });
 }
+export function sendRateLimited(res, retryAfterMs) {
+    if (retryAfterMs && retryAfterMs > 0) {
+        res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1000)));
+    }
+    sendJson(res, 429, {
+        error: {
+            message: "Too many failed authentication attempts. Please try again later.",
+            type: "rate_limited",
+        },
+    });
+}
+export function sendGatewayAuthFailure(res, authResult) {
+    if (authResult.rateLimited) {
+        sendRateLimited(res, authResult.retryAfterMs);
+        return;
+    }
+    sendUnauthorized(res);
+}
 export function sendInvalidRequest(res, message) {
     sendJson(res, 400, {
         error: { message, type: "invalid_request_error" },

package/dist/gateway/http-endpoint-helpers.js

@@ -0,0 +1,27 @@
+import { authorizeGatewayBearerRequestOrReply } from "./http-auth-helpers.js";
+import { readJsonBodyOrError, sendMethodNotAllowed } from "./http-common.js";
+export async function handleGatewayPostJsonEndpoint(req, res, opts) {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host || "localhost"}`);
+    if (url.pathname !== opts.pathname) {
+        return false;
+    }
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return undefined;
+    }
+    const authorized = await authorizeGatewayBearerRequestOrReply({
+        req,
+        res,
+        auth: opts.auth,
+        trustedProxies: opts.trustedProxies,
+        rateLimiter: opts.rateLimiter,
+    });
+    if (!authorized) {
+        return undefined;
+    }
+    const body = await readJsonBodyOrError(req, res, opts.maxBodyBytes);
+    if (body === undefined) {
+        return undefined;
+    }
+    return { body };
+}

package/dist/gateway/node-invoke-sanitize.js

@@ -0,0 +1,11 @@
+import { sanitizeSystemRunParamsForForwarding } from "./node-invoke-system-run-approval.js";
+export function sanitizeNodeInvokeParamsForForwarding(opts) {
+    if (opts.command === "system.run") {
+        return sanitizeSystemRunParamsForForwarding({
+            rawParams: opts.rawParams,
+            client: opts.client,
+            execApprovalManager: opts.execApprovalManager,
+        });
+    }
+    return { ok: true, params: opts.rawParams };
+}

package/dist/gateway/node-invoke-system-run-approval.js

@@ -0,0 +1,205 @@
+import { formatExecCommand, validateSystemRunCommandConsistency, } from "../infra/system-run-command.js";
+function asRecord(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        return null;
+    }
+    return value;
+}
+function normalizeString(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed ? trimmed : null;
+}
+function normalizeApprovalDecision(value) {
+    const s = normalizeString(value);
+    return s === "allow-once" || s === "allow-always" ? s : null;
+}
+function clientHasApprovals(client) {
+    const scopes = Array.isArray(client?.connect?.scopes) ? client?.connect?.scopes : [];
+    return scopes.includes("operator.admin") || scopes.includes("operator.approvals");
+}
+function getCmdText(params) {
+    const raw = normalizeString(params.rawCommand);
+    if (raw) {
+        return raw;
+    }
+    if (Array.isArray(params.command)) {
+        const parts = params.command.map((v) => String(v));
+        if (parts.length > 0) {
+            return formatExecCommand(parts);
+        }
+    }
+    return "";
+}
+function approvalMatchesRequest(params, record) {
+    if (record.request.host !== "node") {
+        return false;
+    }
+    const cmdText = getCmdText(params);
+    if (!cmdText || record.request.command !== cmdText) {
+        return false;
+    }
+    const reqCwd = record.request.cwd ?? null;
+    const runCwd = normalizeString(params.cwd) ?? null;
+    if (reqCwd !== runCwd) {
+        return false;
+    }
+    const reqAgentId = record.request.agentId ?? null;
+    const runAgentId = normalizeString(params.agentId) ?? null;
+    if (reqAgentId !== runAgentId) {
+        return false;
+    }
+    const reqSessionKey = record.request.sessionKey ?? null;
+    const runSessionKey = normalizeString(params.sessionKey) ?? null;
+    if (reqSessionKey !== runSessionKey) {
+        return false;
+    }
+    return true;
+}
+function pickSystemRunParams(raw) {
+    // Defensive allowlist: only forward fields that the node-host `system.run` handler understands.
+    // This prevents future internal control fields from being smuggled through the gateway.
+    const next = {};
+    for (const key of [
+        "command",
+        "rawCommand",
+        "cwd",
+        "env",
+        "timeoutMs",
+        "needsScreenRecording",
+        "agentId",
+        "sessionKey",
+        "runId",
+    ]) {
+        if (key in raw) {
+            next[key] = raw[key];
+        }
+    }
+    return next;
+}
+/**
+ * Gate `system.run` approval flags (`approved`, `approvalDecision`) behind a real
+ * `exec.approval.*` record. This prevents users with only `operator.write` from
+ * bypassing node-host approvals by injecting control fields into `node.invoke`.
+ */
+export function sanitizeSystemRunParamsForForwarding(opts) {
+    const obj = asRecord(opts.rawParams);
+    if (!obj) {
+        return { ok: true, params: opts.rawParams };
+    }
+    const p = obj;
+    const argv = Array.isArray(p.command) ? p.command.map((v) => String(v)) : [];
+    const raw = normalizeString(p.rawCommand);
+    if (raw) {
+        if (!Array.isArray(p.command) || argv.length === 0) {
+            return {
+                ok: false,
+                message: "rawCommand requires params.command",
+                details: { code: "MISSING_COMMAND" },
+            };
+        }
+        const validation = validateSystemRunCommandConsistency({ argv, rawCommand: raw });
+        if (!validation.ok) {
+            return {
+                ok: false,
+                message: validation.message,
+                details: validation.details ?? { code: "RAW_COMMAND_MISMATCH" },
+            };
+        }
+    }
+    const approved = p.approved === true;
+    const requestedDecision = normalizeApprovalDecision(p.approvalDecision);
+    const wantsApprovalOverride = approved || requestedDecision !== null;
+    // Always strip control fields from user input. If the override is allowed,
+    // we re-add trusted fields based on the gateway approval record.
+    const next = pickSystemRunParams(obj);
+    if (!wantsApprovalOverride) {
+        return { ok: true, params: next };
+    }
+    const runId = normalizeString(p.runId);
+    if (!runId) {
+        return {
+            ok: false,
+            message: "approval override requires params.runId",
+            details: { code: "MISSING_RUN_ID" },
+        };
+    }
+    const manager = opts.execApprovalManager;
+    if (!manager) {
+        return {
+            ok: false,
+            message: "exec approvals unavailable",
+            details: { code: "APPROVALS_UNAVAILABLE" },
+        };
+    }
+    const snapshot = manager.getSnapshot(runId);
+    if (!snapshot) {
+        return {
+            ok: false,
+            message: "unknown or expired approval id",
+            details: { code: "UNKNOWN_APPROVAL_ID", runId },
+        };
+    }
+    const nowMs = typeof opts.nowMs === "number" ? opts.nowMs : Date.now();
+    if (nowMs > snapshot.expiresAtMs) {
+        return {
+            ok: false,
+            message: "approval expired",
+            details: { code: "APPROVAL_EXPIRED", runId },
+        };
+    }
+    // Prefer binding by device identity (stable across reconnects / per-call clients like callGateway()).
+    // Fallback to connId only when device identity is not available.
+    const snapshotDeviceId = snapshot.requestedByDeviceId ?? null;
+    const clientDeviceId = opts.client?.connect?.device?.id ?? null;
+    if (snapshotDeviceId) {
+        if (snapshotDeviceId !== clientDeviceId) {
+            return {
+                ok: false,
+                message: "approval id not valid for this device",
+                details: { code: "APPROVAL_DEVICE_MISMATCH", runId },
+            };
+        }
+    }
+    else if (snapshot.requestedByConnId &&
+        snapshot.requestedByConnId !== (opts.client?.connId ?? null)) {
+        return {
+            ok: false,
+            message: "approval id not valid for this client",
+            details: { code: "APPROVAL_CLIENT_MISMATCH", runId },
+        };
+    }
+    if (!approvalMatchesRequest(p, snapshot)) {
+        return {
+            ok: false,
+            message: "approval id does not match request",
+            details: { code: "APPROVAL_REQUEST_MISMATCH", runId },
+        };
+    }
+    // Normal path: enforce the decision recorded by the gateway.
+    if (snapshot.decision === "allow-once" || snapshot.decision === "allow-always") {
+        next.approved = true;
+        next.approvalDecision = snapshot.decision;
+        return { ok: true, params: next };
+    }
+    // If the approval request timed out (decision=null), allow askFallback-driven
+    // "allow-once" ONLY for clients that are allowed to use exec approvals.
+    const timedOut = snapshot.resolvedAtMs !== undefined &&
+        snapshot.decision === undefined &&
+        snapshot.resolvedBy === null;
+    if (timedOut &&
+        approved &&
+        requestedDecision === "allow-once" &&
+        clientHasApprovals(opts.client)) {
+        next.approved = true;
+        next.approvalDecision = "allow-once";
+        return { ok: true, params: next };
+    }
+    return {
+        ok: false,
+        message: "approval required",
+        details: { code: "APPROVAL_REQUIRED", runId },
+    };
+}

package/dist/gateway/probe-auth.js

@@ -0,0 +1,21 @@
+export function resolveGatewayProbeAuth(params) {
+    const env = params.env ?? process.env;
+    const authToken = params.cfg.gateway?.auth?.token;
+    const authPassword = params.cfg.gateway?.auth?.password;
+    const remote = params.cfg.gateway?.remote;
+    const token = params.mode === "remote"
+        ? typeof remote?.token === "string" && remote.token.trim()
+            ? remote.token.trim()
+            : undefined
+        : env.POOLBOT_GATEWAY_TOKEN?.trim() ||
+            (typeof authToken === "string" && authToken.trim() ? authToken.trim() : undefined);
+    const password = env.POOLBOT_GATEWAY_PASSWORD?.trim() ||
+        (params.mode === "remote"
+            ? typeof remote?.password === "string" && remote.password.trim()
+                ? remote.password.trim()
+                : undefined
+            : typeof authPassword === "string" && authPassword.trim()
+                ? authPassword.trim()
+                : undefined);
+    return { token, password };
+}

package/dist/gateway/protocol/index.js

@@ -1,5 +1,5 @@
 import AjvPkg from "ajv";
-import { AgentEventSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, AgentParamsSchema, AgentSummarySchema, AgentsFileEntrySchema, AgentsCreateParamsSchema, AgentsCreateResultSchema, AgentsUpdateParamsSchema, AgentsUpdateResultSchema, AgentsDeleteParamsSchema, AgentsDeleteResultSchema, AgentsFilesGetParamsSchema, AgentsFilesGetResultSchema, AgentsFilesListParamsSchema, AgentsFilesListResultSchema, AgentsFilesSetParamsSchema, AgentsFilesSetResultSchema, AgentsListParamsSchema, AgentsListResultSchema, AgentWaitParamsSchema, ChannelsLogoutParamsSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatInjectParamsSchema, ChatSendParamsSchema, ConfigApplyParamsSchema, ConfigGetParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, ConfigSetParamsSchema, ConnectParamsSchema, CronAddParamsSchema, CronJobSchema, CronListParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, CronStatusParamsSchema, CronUpdateParamsSchema, DevicePairApproveParamsSchema, DevicePairListParamsSchema, DevicePairRejectParamsSchema, DeviceTokenRevokeParamsSchema, DeviceTokenRotateParamsSchema, ExecApprovalsGetParamsSchema, ExecApprovalsNodeGetParamsSchema, ExecApprovalsNodeSetParamsSchema, ExecApprovalsSetParamsSchema, ExecApprovalRequestParamsSchema, ExecApprovalResolveParamsSchema, ErrorCodes, ErrorShapeSchema, EventFrameSchema, errorShape, GatewayFrameSchema, HelloOkSchema, LogsTailParamsSchema, LogsTailResultSchema, ModelsListParamsSchema, NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, PollParamsSchema, PROTOCOL_VERSION, PresenceEntrySchema, ProtocolSchemas, RequestFrameSchema, ResponseFrameSchema, SendParamsSchema, SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, SessionsUsageParamsSchema, ShutdownEventSchema, SkillsBinsParamsSchema, SkillsInstallParamsSchema, SkillsStatusParamsSchema, SkillsUpdateParamsSchema, SnapshotSchema, StateVersionSchema, TalkModeParamsSchema, TickEventSchema, UpdateRunParamsSchema, WakeParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, WizardCancelParamsSchema, WizardNextParamsSchema, WizardNextResultSchema, WizardStartParamsSchema, WizardStartResultSchema, WizardStatusParamsSchema, WizardStatusResultSchema, WizardStepSchema, } from "./schema.js";
+import { AgentEventSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, AgentParamsSchema, AgentSummarySchema, AgentsFileEntrySchema, AgentsCreateParamsSchema, AgentsCreateResultSchema, AgentsUpdateParamsSchema, AgentsUpdateResultSchema, AgentsDeleteParamsSchema, AgentsDeleteResultSchema, AgentsFilesGetParamsSchema, AgentsFilesGetResultSchema, AgentsFilesListParamsSchema, AgentsFilesListResultSchema, AgentsFilesSetParamsSchema, AgentsFilesSetResultSchema, AgentsListParamsSchema, AgentsListResultSchema, AgentWaitParamsSchema, ChannelsLogoutParamsSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatInjectParamsSchema, ChatSendParamsSchema, ConfigApplyParamsSchema, ConfigGetParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, ConfigSetParamsSchema, ConnectParamsSchema, CronAddParamsSchema, CronJobSchema, CronListParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, CronStatusParamsSchema, CronUpdateParamsSchema, DevicePairApproveParamsSchema, DevicePairListParamsSchema, DevicePairRejectParamsSchema, DeviceTokenRevokeParamsSchema, DeviceTokenRotateParamsSchema, ExecApprovalsGetParamsSchema, ExecApprovalsNodeGetParamsSchema, ExecApprovalsNodeSetParamsSchema, ExecApprovalsSetParamsSchema, ExecApprovalRequestParamsSchema, ExecApprovalResolveParamsSchema, ErrorCodes, ErrorShapeSchema, EventFrameSchema, errorShape, GatewayFrameSchema, HelloOkSchema, LogsTailParamsSchema, LogsTailResultSchema, ModelsListParamsSchema, MeshPlanParamsSchema, MeshPlanAutoParamsSchema, MeshRetryParamsSchema, MeshRunParamsSchema, MeshStatusParamsSchema, MeshWorkflowPlanSchema, NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, PollParamsSchema, PROTOCOL_VERSION, PresenceEntrySchema, ProtocolSchemas, RequestFrameSchema, ResponseFrameSchema, SendParamsSchema, SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, SessionsUsageParamsSchema, ShutdownEventSchema, SkillsBinsParamsSchema, SkillsInstallParamsSchema, SkillsStatusParamsSchema, SkillsUpdateParamsSchema, SnapshotSchema, StateVersionSchema, TalkModeParamsSchema, TickEventSchema, UpdateRunParamsSchema, WakeParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, WizardCancelParamsSchema, WizardNextParamsSchema, WizardNextResultSchema, WizardStartParamsSchema, WizardStartResultSchema, WizardStatusParamsSchema, WizardStatusResultSchema, WizardStepSchema, } from "./schema.js";
 const ajv = new AjvPkg({
     allErrors: true,
     strict: false,
@@ -85,6 +85,11 @@ export const validateChatEvent = ajv.compile(ChatEventSchema);
 export const validateUpdateRunParams = ajv.compile(UpdateRunParamsSchema);
 export const validateWebLoginStartParams = ajv.compile(WebLoginStartParamsSchema);
 export const validateWebLoginWaitParams = ajv.compile(WebLoginWaitParamsSchema);
+export const validateMeshPlanParams = ajv.compile(MeshPlanParamsSchema);
+export const validateMeshPlanAutoParams = ajv.compile(MeshPlanAutoParamsSchema);
+export const validateMeshRunParams = ajv.compile(MeshRunParamsSchema);
+export const validateMeshStatusParams = ajv.compile(MeshStatusParamsSchema);
+export const validateMeshRetryParams = ajv.compile(MeshRetryParamsSchema);
 export function formatValidationErrors(errors) {
     if (!errors?.length)
         return "unknown validation error";
@@ -113,4 +118,4 @@ export function formatValidationErrors(errors) {
     }
     return unique.join("; ");
 }
-export { ConnectParamsSchema, HelloOkSchema, RequestFrameSchema, ResponseFrameSchema, EventFrameSchema, GatewayFrameSchema, PresenceEntrySchema, SnapshotSchema, ErrorShapeSchema, StateVersionSchema, AgentEventSchema, ChatEventSchema, SendParamsSchema, PollParamsSchema, AgentParamsSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, WakeParamsSchema, NodePairRequestParamsSchema, NodePairListParamsSchema, NodePairApproveParamsSchema, NodePairRejectParamsSchema, NodePairVerifyParamsSchema, NodeListParamsSchema, NodeInvokeParamsSchema, SessionsListParamsSchema, SessionsPreviewParamsSchema, SessionsPatchParamsSchema, SessionsResetParamsSchema, SessionsDeleteParamsSchema, SessionsCompactParamsSchema, SessionsUsageParamsSchema, ConfigGetParamsSchema, ConfigSetParamsSchema, ConfigApplyParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, WizardStartParamsSchema, WizardNextParamsSchema, WizardCancelParamsSchema, WizardStatusParamsSchema, WizardStepSchema, WizardNextResultSchema, WizardStartResultSchema, WizardStatusResultSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChannelsLogoutParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, AgentsFileEntrySchema, AgentsCreateParamsSchema, AgentsCreateResultSchema, AgentsUpdateParamsSchema, AgentsUpdateResultSchema, AgentsDeleteParamsSchema, AgentsDeleteResultSchema, AgentsFilesListParamsSchema, AgentsFilesListResultSchema, AgentsFilesGetParamsSchema, AgentsFilesGetResultSchema, AgentsFilesSetParamsSchema, AgentsFilesSetResultSchema, ModelsListParamsSchema, SkillsStatusParamsSchema, SkillsInstallParamsSchema, SkillsUpdateParamsSchema, CronJobSchema, CronListParamsSchema, CronStatusParamsSchema, CronAddParamsSchema, CronUpdateParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, LogsTailParamsSchema, LogsTailResultSchema, ChatHistoryParamsSchema, ChatSendParamsSchema, ChatInjectParamsSchema, UpdateRunParamsSchema, TickEventSchema, ShutdownEventSchema, ProtocolSchemas, PROTOCOL_VERSION, ErrorCodes, errorShape, };
+export { ConnectParamsSchema, HelloOkSchema, RequestFrameSchema, ResponseFrameSchema, EventFrameSchema, GatewayFrameSchema, PresenceEntrySchema, SnapshotSchema, ErrorShapeSchema, StateVersionSchema, AgentEventSchema, ChatEventSchema, SendParamsSchema, PollParamsSchema, AgentParamsSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, WakeParamsSchema, NodePairRequestParamsSchema, NodePairListParamsSchema, NodePairApproveParamsSchema, NodePairRejectParamsSchema, NodePairVerifyParamsSchema, NodeListParamsSchema, NodeInvokeParamsSchema, SessionsListParamsSchema, SessionsPreviewParamsSchema, SessionsPatchParamsSchema, SessionsResetParamsSchema, SessionsDeleteParamsSchema, SessionsCompactParamsSchema, SessionsUsageParamsSchema, ConfigGetParamsSchema, ConfigSetParamsSchema, ConfigApplyParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, WizardStartParamsSchema, WizardNextParamsSchema, WizardCancelParamsSchema, WizardStatusParamsSchema, WizardStepSchema, WizardNextResultSchema, WizardStartResultSchema, WizardStatusResultSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChannelsLogoutParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, AgentsFileEntrySchema, AgentsCreateParamsSchema, AgentsCreateResultSchema, AgentsUpdateParamsSchema, AgentsUpdateResultSchema, AgentsDeleteParamsSchema, AgentsDeleteResultSchema, AgentsFilesListParamsSchema, AgentsFilesListResultSchema, AgentsFilesGetParamsSchema, AgentsFilesGetResultSchema, AgentsFilesSetParamsSchema, AgentsFilesSetResultSchema, ModelsListParamsSchema, SkillsStatusParamsSchema, SkillsInstallParamsSchema, SkillsUpdateParamsSchema, CronJobSchema, CronListParamsSchema, CronStatusParamsSchema, CronAddParamsSchema, CronUpdateParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, LogsTailParamsSchema, LogsTailResultSchema, ChatHistoryParamsSchema, ChatSendParamsSchema, ChatInjectParamsSchema, UpdateRunParamsSchema, TickEventSchema, ShutdownEventSchema, MeshPlanParamsSchema, MeshPlanAutoParamsSchema, MeshWorkflowPlanSchema, MeshRunParamsSchema, MeshStatusParamsSchema, MeshRetryParamsSchema, ProtocolSchemas, PROTOCOL_VERSION, ErrorCodes, errorShape, };

package/dist/gateway/protocol/schema/mesh.js

@@ -0,0 +1,54 @@
+import { Type } from "@sinclair/typebox";
+import { NonEmptyString } from "./primitives.js";
+export const MeshPlanStepSchema = Type.Object({
+    id: NonEmptyString,
+    name: Type.Optional(NonEmptyString),
+    prompt: NonEmptyString,
+    dependsOn: Type.Optional(Type.Array(NonEmptyString, { maxItems: 64 })),
+    agentId: Type.Optional(NonEmptyString),
+    sessionKey: Type.Optional(NonEmptyString),
+    thinking: Type.Optional(Type.String()),
+    timeoutMs: Type.Optional(Type.Integer({ minimum: 1_000, maximum: 3_600_000 })),
+}, { additionalProperties: false });
+export const MeshWorkflowPlanSchema = Type.Object({
+    planId: NonEmptyString,
+    goal: NonEmptyString,
+    createdAt: Type.Integer({ minimum: 0 }),
+    steps: Type.Array(MeshPlanStepSchema, { minItems: 1, maxItems: 128 }),
+}, { additionalProperties: false });
+export const MeshPlanParamsSchema = Type.Object({
+    goal: NonEmptyString,
+    steps: Type.Optional(Type.Array(Type.Object({
+        id: Type.Optional(NonEmptyString),
+        name: Type.Optional(NonEmptyString),
+        prompt: NonEmptyString,
+        dependsOn: Type.Optional(Type.Array(NonEmptyString, { maxItems: 64 })),
+        agentId: Type.Optional(NonEmptyString),
+        sessionKey: Type.Optional(NonEmptyString),
+        thinking: Type.Optional(Type.String()),
+        timeoutMs: Type.Optional(Type.Integer({ minimum: 1_000, maximum: 3_600_000 })),
+    }, { additionalProperties: false }), { minItems: 1, maxItems: 128 })),
+}, { additionalProperties: false });
+export const MeshRunParamsSchema = Type.Object({
+    plan: MeshWorkflowPlanSchema,
+    continueOnError: Type.Optional(Type.Boolean()),
+    maxParallel: Type.Optional(Type.Integer({ minimum: 1, maximum: 16 })),
+    defaultStepTimeoutMs: Type.Optional(Type.Integer({ minimum: 1_000, maximum: 3_600_000 })),
+    lane: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const MeshPlanAutoParamsSchema = Type.Object({
+    goal: NonEmptyString,
+    maxSteps: Type.Optional(Type.Integer({ minimum: 1, maximum: 16 })),
+    agentId: Type.Optional(NonEmptyString),
+    sessionKey: Type.Optional(NonEmptyString),
+    thinking: Type.Optional(Type.String()),
+    timeoutMs: Type.Optional(Type.Integer({ minimum: 1_000, maximum: 3_600_000 })),
+    lane: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const MeshStatusParamsSchema = Type.Object({
+    runId: NonEmptyString,
+}, { additionalProperties: false });
+export const MeshRetryParamsSchema = Type.Object({
+    runId: NonEmptyString,
+    stepIds: Type.Optional(Type.Array(NonEmptyString, { minItems: 1, maxItems: 128 })),
+}, { additionalProperties: false });

package/dist/gateway/protocol/schema/protocol-schemas.js

@@ -6,6 +6,7 @@ import { CronAddParamsSchema, CronJobSchema, CronListParamsSchema, CronRemovePar
 import { ExecApprovalsGetParamsSchema, ExecApprovalsNodeGetParamsSchema, ExecApprovalsNodeSetParamsSchema, ExecApprovalsSetParamsSchema, ExecApprovalsSnapshotSchema, ExecApprovalRequestParamsSchema, ExecApprovalResolveParamsSchema, } from "./exec-approvals.js";
 import { DevicePairApproveParamsSchema, DevicePairListParamsSchema, DevicePairRejectParamsSchema, DevicePairRequestedEventSchema, DevicePairResolvedEventSchema, DeviceTokenRevokeParamsSchema, DeviceTokenRotateParamsSchema, } from "./devices.js";
 import { ConnectParamsSchema, ErrorShapeSchema, EventFrameSchema, GatewayFrameSchema, HelloOkSchema, RequestFrameSchema, ResponseFrameSchema, ShutdownEventSchema, TickEventSchema, } from "./frames.js";
+import { MeshPlanAutoParamsSchema, MeshPlanParamsSchema, MeshRetryParamsSchema, MeshRunParamsSchema, MeshStatusParamsSchema, MeshWorkflowPlanSchema, } from "./mesh.js";
 import { ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatInjectParamsSchema, ChatSendParamsSchema, LogsTailParamsSchema, LogsTailResultSchema, } from "./logs-chat.js";
 import { NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeInvokeRequestEventSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, } from "./nodes.js";
 import { SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, SessionsUsageParamsSchema, } from "./sessions.js";
@@ -127,5 +128,11 @@ export const ProtocolSchemas = {
     UpdateRunParams: UpdateRunParamsSchema,
     TickEvent: TickEventSchema,
     ShutdownEvent: ShutdownEventSchema,
+    MeshPlanParams: MeshPlanParamsSchema,
+    MeshPlanAutoParams: MeshPlanAutoParamsSchema,
+    MeshWorkflowPlan: MeshWorkflowPlanSchema,
+    MeshRunParams: MeshRunParamsSchema,
+    MeshStatusParams: MeshStatusParamsSchema,
+    MeshRetryParams: MeshRetryParamsSchema,
 };
 export const PROTOCOL_VERSION = 3;

package/dist/gateway/protocol/schema.js

@@ -13,4 +13,5 @@ export * from "./schema/protocol-schemas.js";
 export * from "./schema/sessions.js";
 export * from "./schema/snapshot.js";
 export * from "./schema/types.js";
+export * from "./schema/mesh.js";
 export * from "./schema/wizard.js";

package/dist/gateway/server/ws-connection/auth-messages.js

@@ -0,0 +1,54 @@
+import { isGatewayCliClient, isWebchatClient } from "../../../utils/message-channel.js";
+import { GATEWAY_CLIENT_IDS } from "../../protocol/client-info.js";
+export function formatGatewayAuthFailureMessage(params) {
+    const { authMode, authProvided, reason, client } = params;
+    const isCli = isGatewayCliClient(client);
+    const isControlUi = client?.id === GATEWAY_CLIENT_IDS.CONTROL_UI;
+    const isWebchat = isWebchatClient(client);
+    const uiHint = "open the dashboard URL and paste the token in Control UI settings";
+    const tokenHint = isCli
+        ? "set gateway.remote.token to match gateway.auth.token"
+        : isControlUi || isWebchat
+            ? uiHint
+            : "provide gateway auth token";
+    const passwordHint = isCli
+        ? "set gateway.remote.password to match gateway.auth.password"
+        : isControlUi || isWebchat
+            ? "enter the password in Control UI settings"
+            : "provide gateway auth password";
+    switch (reason) {
+        case "token_missing":
+            return `unauthorized: gateway token missing (${tokenHint})`;
+        case "token_mismatch":
+            return `unauthorized: gateway token mismatch (${tokenHint})`;
+        case "token_missing_config":
+            return "unauthorized: gateway token not configured on gateway (set gateway.auth.token)";
+        case "password_missing":
+            return `unauthorized: gateway password missing (${passwordHint})`;
+        case "password_mismatch":
+            return `unauthorized: gateway password mismatch (${passwordHint})`;
+        case "password_missing_config":
+            return "unauthorized: gateway password not configured on gateway (set gateway.auth.password)";
+        case "tailscale_user_missing":
+            return "unauthorized: tailscale identity missing (use Tailscale Serve auth or gateway token/password)";
+        case "tailscale_proxy_missing":
+            return "unauthorized: tailscale proxy headers missing (use Tailscale Serve or gateway token/password)";
+        case "tailscale_whois_failed":
+            return "unauthorized: tailscale identity check failed (use Tailscale Serve auth or gateway token/password)";
+        case "tailscale_user_mismatch":
+            return "unauthorized: tailscale identity mismatch (use Tailscale Serve auth or gateway token/password)";
+        case "rate_limited":
+            return "unauthorized: too many failed authentication attempts (retry later)";
+        case "device_token_mismatch":
+            return "unauthorized: device token mismatch (rotate/reissue device token)";
+        default:
+            break;
+    }
+    if (authMode === "token" && authProvided === "none") {
+        return `unauthorized: gateway token missing (${tokenHint})`;
+    }
+    if (authMode === "password" && authProvided === "none") {
+        return `unauthorized: gateway password missing (${passwordHint})`;
+    }
+    return "unauthorized";
+}