npm - @poolzin/pool-bot - Versions diffs - 2026.3.22 → 2026.3.24 - Mend

@poolzin/pool-bot 2026.3.22 → 2026.3.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

package/CHANGELOG.md +111 -0
package/dist/.buildstamp +1 -1
package/dist/acp/bindings-store.js +209 -0
package/dist/acp/control-plane/runtime-cache.js +54 -0
package/dist/acp/control-plane/runtime-options.js +215 -0
package/dist/acp/control-plane/session-actor-queue.js +36 -0
package/dist/acp/policy.js +52 -0
package/dist/acp/runtime/errors.js +47 -0
package/dist/acp/runtime/registry.js +86 -0
package/dist/acp/runtime/types.js +1 -0
package/dist/acp/translator.js +97 -0
package/dist/agents/btw.js +280 -0
package/dist/agents/failover-error.js +145 -47
package/dist/agents/fast-mode.js +24 -0
package/dist/agents/live-model-errors.js +23 -0
package/dist/agents/model-auth-env-vars.js +44 -0
package/dist/agents/model-auth-markers.js +69 -0
package/dist/agents/models-config.providers.discovery.js +180 -0
package/dist/agents/models-config.providers.static.js +480 -0
package/dist/auto-reply/reply/typing-policy.js +15 -0
package/dist/browser/browser-profile-manager.js +319 -0
package/dist/browser/cdp-proxy-bypass.js +129 -0
package/dist/browser/cdp-timeouts.js +41 -0
package/dist/browser/chrome-extension-validator.js +406 -0
package/dist/browser/chrome-mcp-snapshot.js +222 -0
package/dist/browser/chrome-mcp.js +421 -0
package/dist/browser/chrome-mcp.snapshot.js +133 -0
package/dist/browser/errors.js +67 -0
package/dist/browser/form-fields.js +22 -0
package/dist/browser/output-atomic.js +44 -0
package/dist/browser/profile-capabilities.js +47 -0
package/dist/browser/safe-filename.js +25 -0
package/dist/browser/snapshot-roles.js +60 -0
package/dist/build-info.json +3 -3
package/dist/channels/account-snapshot-fields.js +176 -0
package/dist/channels/draft-stream-controls.js +89 -0
package/dist/channels/inbound-debounce-policy.js +28 -0
package/dist/channels/typing-lifecycle.js +39 -0
package/dist/cli/program/command-registry.js +52 -0
package/dist/commands/agent-binding.js +123 -0
package/dist/commands/agents.commands.bind.js +280 -0
package/dist/commands/backup-shared.js +186 -0
package/dist/commands/backup-verify.js +236 -0
package/dist/commands/backup.js +166 -0
package/dist/commands/channel-account-context.js +15 -0
package/dist/commands/channel-account.js +190 -0
package/dist/commands/gateway-install-token.js +117 -0
package/dist/commands/oauth-tls-preflight.js +121 -0
package/dist/commands/ollama-setup.js +402 -0
package/dist/commands/security-owner-only.js +86 -0
package/dist/commands/self-hosted-provider-setup.js +207 -0
package/dist/commands/session-store-targets.js +12 -0
package/dist/commands/sessions-cleanup.js +97 -0
package/dist/control-ui/assets/{index-Dvkl4Xlx.js → index-D7shnQwQ.js} +404 -388
package/dist/control-ui/assets/index-D7shnQwQ.js.map +1 -0
package/dist/control-ui/index.html +1 -1
package/dist/cron/cron-filters.js +150 -0
package/dist/cron/heartbeat-policy.js +26 -0
package/dist/gateway/device-pairing-security.js +197 -0
package/dist/gateway/event-deduplication.js +167 -0
package/dist/gateway/hooks-mapping.js +46 -7
package/dist/gateway/run-tracker.js +253 -0
package/dist/gateway/server-methods/nodes.js +14 -0
package/dist/gateway/websocket-preauth-security.js +188 -0
package/dist/hooks/module-loader.js +28 -0
package/dist/infra/agent-command-binding.js +144 -0
package/dist/infra/backup.js +328 -0
package/dist/infra/channel-account-context.js +173 -0
package/dist/infra/errors.js +53 -13
package/dist/infra/exec-approvals-security.js +217 -0
package/dist/infra/security/command-analyzer.js +257 -0
package/dist/infra/session-cleanup.js +143 -0
package/dist/plugins/loader.js +16 -8
package/dist/security/external-content.js +51 -1
package/dist/sessions/session-costs.js +228 -0
package/dist/shared/param-key.js +16 -0
package/dist/shared/poll-params.js +58 -0
package/dist/shared/polls.js +55 -0
package/docs/DASHBOARD-GAP-ANALYSIS-AND-PLAN.md +430 -0
package/docs/FEATURES.md +523 -0
package/docs/FINAL-IMPLEMENTATION-REVIEW.md +274 -0
package/docs/FINAL-IMPLEMENTATION-SUMMARY.md +356 -0
package/docs/FINAL-PROFESSIONAL-EVALUATION.md +312 -0
package/docs/IMPLEMENTATION-PRIORITY-EVALUATION.md +298 -0
package/docs/IMPLEMENTATION-PROGRESS.md +237 -0
package/docs/IMPLEMENTATION-REVIEW-PHASE1-2.md +381 -0
package/docs/IMPLEMENTATION-REVIEW-PHASE4.md +389 -0
package/docs/IMPLEMENTATION-REVIEW-PHASE5.md +420 -0
package/docs/IMPLEMENTATION-REVIEW-PHASE6.md +422 -0
package/docs/IMPLEMENTATION-REVIEW-PHASE7-FINAL.md +184 -0
package/docs/MIKRODASH-ANALYSIS.md +412 -0
package/docs/OPENCLAW-GAP-ANALYSIS-FINAL.md +431 -0
package/docs/OPENCLAW-VS-POOLBOT-ANALYSIS.md +351 -0
package/docs/PHASE-7-SUMMARY.md +144 -0
package/docs/POOLBOT-OFFICE-PLAN.md +697 -0
package/docs/PROJECT-FINAL-STATUS.md +237 -0
package/docs/README.md +116 -0
package/docs/REAL-IMPROVEMENTS-EVALUATION.md +477 -0
package/docs/SECURITY-HARDENING-IMPLEMENTATION.md +161 -0
package/docs/channels/googlechat.md +235 -206
package/docs/channels/irc.md +332 -0
package/docs/channels/nostr.md +255 -168
package/docs/components/command-palette.md +166 -0
package/docs/components/login-gate.md +219 -0
package/docs/getting-started/installation.md +191 -0
package/docs/getting-started/introduction.md +120 -0
package/docs/improvements/USAGE-GUIDE.md +359 -0
package/docs/plans/2026-03-15-openclaw-features-implementation.md +1632 -0
package/docs/reference/deadcode-detection.md +72 -0
package/extensions/acpx/node_modules/.bin/acpx +21 -0
package/extensions/agency-agents/node_modules/.bin/vite +4 -4
package/extensions/agency-agents/node_modules/.bin/vitest +2 -2
package/extensions/googlechat/node_modules/.bin/tsc +21 -0
package/extensions/googlechat/node_modules/.bin/tsserver +21 -0
package/extensions/googlechat/node_modules/.bin/vitest +21 -0
package/extensions/googlechat/package.json +11 -28
package/extensions/googlechat/src/googlechat-channel.test.ts +60 -0
package/extensions/googlechat/src/googlechat-channel.ts +120 -0
package/extensions/googlechat/src/index.ts +14 -0
package/extensions/irc/node_modules/.bin/tsc +21 -0
package/extensions/irc/node_modules/.bin/tsserver +21 -0
package/extensions/irc/node_modules/.bin/vitest +21 -0
package/extensions/irc/package.json +16 -8
package/extensions/irc/src/index.ts +14 -0
package/extensions/irc/src/irc-channel.test.ts +43 -0
package/extensions/irc/src/irc-channel.ts +191 -0
package/extensions/keyed-async-queue/node_modules/.bin/tsc +21 -0
package/extensions/keyed-async-queue/node_modules/.bin/tsserver +21 -0
package/extensions/keyed-async-queue/node_modules/.bin/vitest +21 -0
package/extensions/keyed-async-queue/package.json +20 -0
package/extensions/keyed-async-queue/src/index.ts +14 -0
package/extensions/keyed-async-queue/src/queue.test.ts +135 -0
package/extensions/keyed-async-queue/src/queue.ts +200 -0
package/extensions/memory-core/node_modules/.bin/tsc +21 -0
package/extensions/memory-core/node_modules/.bin/tsserver +21 -0
package/extensions/memory-core/node_modules/.bin/vitest +21 -0
package/extensions/memory-core/package.json +11 -8
package/extensions/memory-core/src/index.ts +14 -0
package/extensions/memory-core/src/memory-manager.test.ts +124 -0
package/extensions/memory-core/src/memory-manager.ts +186 -0
package/extensions/nostr/node_modules/.bin/tsc +2 -2
package/extensions/nostr/node_modules/.bin/tsserver +2 -2
package/extensions/nostr/node_modules/.bin/vitest +21 -0
package/extensions/nostr/package.json +15 -24
package/extensions/nostr/src/index.ts +14 -0
package/extensions/nostr/src/nostr-channel.test.ts +55 -0
package/extensions/nostr/src/nostr-channel.ts +228 -0
package/extensions/page-agent/node_modules/.bin/vitest +2 -2
package/extensions/test-utils/node_modules/.bin/jiti +21 -0
package/extensions/test-utils/node_modules/.bin/playwright +21 -0
package/extensions/test-utils/node_modules/.bin/tsx +21 -0
package/extensions/test-utils/node_modules/.bin/vite +21 -0
package/extensions/test-utils/node_modules/.bin/vitest +21 -0
package/extensions/test-utils/node_modules/.bin/yaml +21 -0
package/extensions/xyops/node_modules/.bin/vitest +2 -2
package/package.json +2 -1
package/dist/control-ui/assets/index-Dvkl4Xlx.js.map +0 -1
package/extensions/googlechat/node_modules/.bin/poolbot +0 -21
package/extensions/memory-core/node_modules/.bin/poolbot +0 -21

package/dist/commands/backup.js ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * Backup Command
+ *
+ * Create and restore backups of Pool Bot data.
+ */
+import { createBackup, restoreBackup, listBackups, deleteBackup, getBackupDir, } from "../infra/backup.js";
+function formatDuration(ms) {
+    if (ms < 1000)
+        return `${ms}ms`;
+    const seconds = Math.floor(ms / 1000);
+    if (seconds < 60)
+        return `${seconds}s`;
+    const minutes = Math.floor(seconds / 60);
+    const remainingSeconds = seconds % 60;
+    return `${minutes}m ${remainingSeconds}s`;
+}
+export function registerBackupCommand(program) {
+    const backupCmd = program.command("backup");
+    // Create backup
+    backupCmd
+        .command("create")
+        .description("Create a new backup")
+        .option("--no-sessions", "Exclude sessions from backup")
+        .option("--no-config", "Exclude config from backup")
+        .option("--no-credentials", "Exclude credentials from backup")
+        .option("--output <dir>", "Output directory for backup")
+        .action(async (options) => {
+        console.log("🎱 Pool Bot - Creating backup...\n");
+        const result = await createBackup({
+            includeSessions: options.sessions !== false,
+            includeConfig: options.config !== false,
+            includeCredentials: options.credentials !== false,
+            destinationDir: options.output,
+        });
+        if (result.success) {
+            console.log("✅ Backup created successfully!\n");
+            console.log(`📦 Backup Path: ${result.backupPath}`);
+            console.log(`⏱️  Duration: ${formatDuration(result.duration)}`);
+            console.log(`💾 Total Size: ${(result.totalSize / 1024 / 1024).toFixed(2)} MB`);
+            console.log(`\n📊 Contents:`);
+            if (result.metadata.includesSessions) {
+                console.log(`   - Sessions: ${result.sessionsBackedUp || 0} files`);
+            }
+            if (result.metadata.includesConfig) {
+                console.log(`   - Config: ${result.configBackedUp ? "Yes" : "No"}`);
+            }
+            if (result.metadata.includesCredentials) {
+                console.log(`   - Credentials: ${result.credentialsBackedUp ? "Yes" : "No"}`);
+            }
+        }
+        else {
+            console.error("❌ Backup failed!\n");
+            console.error(`Error: ${result.error}`);
+            process.exit(1);
+        }
+    });
+    // Restore backup
+    backupCmd
+        .command("restore <backupPath>")
+        .description("Restore from a backup")
+        .option("--no-sessions", "Do not restore sessions")
+        .option("--no-config", "Do not restore config")
+        .option("--no-credentials", "Do not restore credentials")
+        .option("--dry-run", "Show what would be restored without actually restoring")
+        .action(async (backupPath, options) => {
+        console.log("🎱 Pool Bot - Restoring backup...\n");
+        const result = await restoreBackup({
+            backupPath,
+            restoreSessions: options.sessions !== false,
+            restoreConfig: options.config !== false,
+            restoreCredentials: options.credentials !== false,
+            dryRun: options.dryRun,
+        });
+        if (result.success) {
+            if (options.dryRun) {
+                console.log("🔍 Dry Run - No changes made\n");
+                console.log("📊 Would restore:");
+                if (result.sessionsRestored) {
+                    console.log(`   - Sessions: ${result.sessionsRestored} files`);
+                }
+                if (result.configRestored) {
+                    console.log(`   - Config: Yes`);
+                }
+                if (result.credentialsRestored) {
+                    console.log(`   - Credentials: Yes`);
+                }
+            }
+            else {
+                console.log("✅ Backup restored successfully!\n");
+                console.log(`⏱️  Duration: ${formatDuration(result.duration)}`);
+                console.log(`\n📊 Restored:`);
+                if (result.sessionsRestored) {
+                    console.log(`   - Sessions: ${result.sessionsRestored} files`);
+                }
+                if (result.configRestored) {
+                    console.log(`   - Config: Yes`);
+                }
+                if (result.credentialsRestored) {
+                    console.log(`   - Credentials: Yes`);
+                }
+            }
+        }
+        else {
+            console.error("❌ Restore failed!\n");
+            console.error(`Error: ${result.error}`);
+            process.exit(1);
+        }
+    });
+    // List backups
+    backupCmd
+        .command("list")
+        .description("List available backups")
+        .option("--dir <dir>", "Backup directory", getBackupDir())
+        .action(async (options) => {
+        console.log("🎱 Pool Bot - Available backups:\n");
+        const backups = await listBackups(options.dir);
+        if (backups.length === 0) {
+            console.log("No backups found.\n");
+            return;
+        }
+        console.log(`📂 Backup Directory: ${options.dir}\n`);
+        console.log("┌─────┬──────────────────────┬──────────────┬──────────┬─────────┐");
+        console.log("│ #   │ Created              │ Sessions     │ Size     │ Path    │");
+        console.log("├─────┼──────────────────────┼──────────────┼──────────┼─────────┤");
+        backups.forEach((backup, index) => {
+            const date = new Date(backup.createdAt).toLocaleString();
+            const sessions = backup.metadata.sessionCount || 0;
+            const size = (backup.size / 1024 / 1024).toFixed(2);
+            const pathDisplay = backup.path.length > 40 ? "..." + backup.path.slice(-37) : backup.path;
+            console.log(`│ ${String(index + 1).padEnd(3)} │ ${date.padEnd(20)} │ ${String(sessions).padEnd(12)} │ ${(size + " MB").padEnd(8)} │ ${pathDisplay.padEnd(7)} │`);
+        });
+        console.log("└─────┴──────────────────────┴──────────────┴──────────┴─────────┘\n");
+        console.log(`Total: ${backups.length} backup(s)\n`);
+    });
+    // Delete backup
+    backupCmd
+        .command("delete <backupPath>")
+        .description("Delete a backup")
+        .option("--force", "Skip confirmation")
+        .action(async (backupPath, options) => {
+        if (!options.force) {
+            const readline = await import("node:readline");
+            const rl = readline.createInterface({
+                input: process.stdin,
+                output: process.stdout,
+            });
+            const answer = await new Promise((resolve) => {
+                rl.question(`⚠️  Are you sure you want to delete this backup?\n   ${backupPath}\n\n   Type 'yes' to confirm: `, resolve);
+            });
+            rl.close();
+            if (answer.toLowerCase() !== "yes") {
+                console.log("\n❌ Deletion cancelled.\n");
+                return;
+            }
+        }
+        const success = await deleteBackup(backupPath);
+        if (success) {
+            console.log("✅ Backup deleted successfully.\n");
+        }
+        else {
+            console.error("❌ Failed to delete backup.\n");
+            process.exit(1);
+        }
+    });
+    return backupCmd;
+}

package/dist/commands/channel-account-context.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { resolveChannelDefaultAccountId } from "../channels/plugins/helpers.js";
+export async function resolveDefaultChannelAccountContext(plugin, cfg) {
+    const accountIds = plugin.config.listAccountIds(cfg);
+    const defaultAccountId = resolveChannelDefaultAccountId({
+        plugin,
+        cfg,
+        accountIds,
+    });
+    const account = plugin.config.resolveAccount(cfg, defaultAccountId);
+    const enabled = plugin.config.isEnabled ? plugin.config.isEnabled(account, cfg) : true;
+    const configured = plugin.config.isConfigured
+        ? await plugin.config.isConfigured(account, cfg)
+        : true;
+    return { accountIds, defaultAccountId, account, enabled, configured };
+}

package/dist/commands/channel-account.js ADDED Viewed

@@ -0,0 +1,190 @@
+/**
+ * Channel Account Context CLI
+ *
+ * Manage multiple accounts per channel.
+ */
+import { addChannelAccount, removeChannelAccount, getChannelAccount, getChannelAccounts, getActiveChannelAccount, setActiveChannelAccount, updateChannelAccount, getChannelAccountStats, } from "../infra/channel-account-context.js";
+function formatAccount(account) {
+    const status = account.isActive ? "🟢 Active" : "⚪ Inactive";
+    const lastUsed = account.lastUsedAt ? new Date(account.lastUsedAt).toLocaleString() : "Never";
+    return `${status} | ${account.accountName} | ${account.channelType} | Last: ${lastUsed}`;
+}
+export function registerChannelAccountCommand(program) {
+    const accountCmd = program
+        .command("channel-account")
+        .description("Manage channel accounts (multi-account support)");
+    // List accounts
+    accountCmd
+        .command("list [channelId]")
+        .description("List channel accounts")
+        .action(async (channelId) => {
+        console.log("🎱 Pool Bot - Channel Accounts\n");
+        if (channelId) {
+            const accounts = await getChannelAccounts(channelId);
+            const active = await getActiveChannelAccount(channelId);
+            console.log(`Channel: ${channelId}`);
+            console.log(`Active Account: ${active ? active.accountName : "None"}\n`);
+            if (accounts.length === 0) {
+                console.log("No accounts found for this channel.\n");
+                return;
+            }
+            accounts.forEach((account) => {
+                console.log(formatAccount(account));
+            });
+            console.log(`\nTotal: ${accounts.length} account(s)\n`);
+        }
+        else {
+            const stats = await getChannelAccountStats();
+            console.log("📊 Account Statistics:");
+            console.log(`   Total Accounts: ${stats.totalAccounts}`);
+            console.log(`   Channels: ${stats.channelsWithAccounts}`);
+            console.log(`   Active Accounts: ${stats.activeAccounts}`);
+            console.log("\nAccounts by Channel Type:");
+            Object.entries(stats.accountsByChannelType).forEach(([type, count]) => {
+                console.log(`   ${type}: ${count}`);
+            });
+            console.log();
+        }
+    });
+    // Add account
+    accountCmd
+        .command("add <channelId> <channelType> <accountName>")
+        .description("Add a new channel account")
+        .option("--metadata <json>", "Additional metadata (JSON)")
+        .action(async (channelId, channelType, accountName, options) => {
+        console.log("🎱 Pool Bot - Adding Channel Account\n");
+        let metadata;
+        if (options.metadata) {
+            try {
+                metadata = JSON.parse(options.metadata);
+            }
+            catch {
+                console.error("Error: Invalid JSON for metadata\n");
+                process.exit(1);
+            }
+        }
+        const account = await addChannelAccount({
+            channelId,
+            channelType,
+            accountName,
+            metadata,
+        });
+        console.log(`✅ Account added successfully!\n`);
+        console.log(`Account ID: ${account.id}`);
+        console.log(`Channel: ${account.channelId}`);
+        console.log(`Type: ${account.channelType}`);
+        console.log(`Name: ${account.accountName}`);
+        console.log(`Status: ${account.isActive ? "Active" : "Inactive"}\n`);
+        console.log(`💡 Use "poolbot channel-account switch ${channelId} ${account.id}" to activate\n`);
+    });
+    // Switch account
+    accountCmd
+        .command("switch <channelId> <accountId>")
+        .description("Switch active account for a channel")
+        .action(async (channelId, accountId) => {
+        console.log("🎱 Pool Bot - Switching Account\n");
+        const success = await setActiveChannelAccount(channelId, accountId);
+        if (success) {
+            console.log(`✅ Switched to account ${accountId}\n`);
+        }
+        else {
+            console.error(`❌ Account not found: ${accountId}\n`);
+            process.exit(1);
+        }
+    });
+    // Remove account
+    accountCmd
+        .command("remove <channelId> <accountId>")
+        .description("Remove a channel account")
+        .action(async (channelId, accountId) => {
+        console.log("🎱 Pool Bot - Removing Account\n");
+        const success = await removeChannelAccount(channelId, accountId);
+        if (success) {
+            console.log(`✅ Account removed successfully\n`);
+        }
+        else {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+    });
+    // Show account
+    accountCmd
+        .command("show <channelId> <accountId>")
+        .description("Show account details")
+        .action(async (channelId, accountId) => {
+        console.log(`🎱 Pool Bot - Account Details\n`);
+        const account = await getChannelAccount(channelId, accountId);
+        if (!account) {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+        console.log(`Account ID: ${account.id}`);
+        console.log(`Channel: ${account.channelId}`);
+        console.log(`Type: ${account.channelType}`);
+        console.log(`Name: ${account.accountName}`);
+        console.log(`Status: ${account.isActive ? "Active 🟢" : "Inactive ⚪"}`);
+        console.log(`Created: ${new Date(account.createdAt).toLocaleString()}`);
+        console.log(`Updated: ${new Date(account.updatedAt).toLocaleString()}`);
+        console.log(`Last Used: ${account.lastUsedAt ? new Date(account.lastUsedAt).toLocaleString() : "Never"}`);
+        if (account.metadata && Object.keys(account.metadata).length > 0) {
+            console.log("\nMetadata:");
+            Object.entries(account.metadata).forEach(([key, value]) => {
+                console.log(`  ${key}: ${value}`);
+            });
+        }
+        console.log();
+    });
+    // Update account
+    accountCmd
+        .command("update <channelId> <accountId>")
+        .description("Update account details")
+        .option("--name <name>", "New account name")
+        .option("--metadata <json>", "New metadata (JSON, merges with existing)")
+        .action(async (channelId, accountId, options) => {
+        console.log("🎱 Pool Bot - Updating Account\n");
+        let metadata;
+        if (options.metadata) {
+            try {
+                metadata = JSON.parse(options.metadata);
+            }
+            catch {
+                console.error("Error: Invalid JSON for metadata\n");
+                process.exit(1);
+            }
+        }
+        const account = await updateChannelAccount({
+            channelId,
+            accountId,
+            accountName: options.name,
+            metadata,
+        });
+        if (!account) {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+        console.log(`✅ Account updated successfully\n`);
+    });
+    // Stats
+    accountCmd
+        .command("stats")
+        .description("Show account statistics")
+        .action(async () => {
+        console.log("🎱 Pool Bot - Account Statistics\n");
+        const stats = await getChannelAccountStats();
+        console.log("📊 Statistics:");
+        console.log(`   Total Accounts: ${stats.totalAccounts}`);
+        console.log(`   Channels with Accounts: ${stats.channelsWithAccounts}`);
+        console.log(`   Active Accounts: ${stats.activeAccounts}`);
+        console.log("\nAccounts by Channel Type:");
+        if (Object.keys(stats.accountsByChannelType).length === 0) {
+            console.log("   No accounts yet");
+        }
+        else {
+            Object.entries(stats.accountsByChannelType).forEach(([type, count]) => {
+                console.log(`   ${type}: ${count}`);
+            });
+        }
+        console.log();
+    });
+    return accountCmd;
+}

package/dist/commands/gateway-install-token.js ADDED Viewed

@@ -0,0 +1,117 @@
+import { formatCliCommand } from "../cli/command-format.js";
+import { readConfigFileSnapshot, writeConfigFile } from "../config/config.js";
+import { resolveSecretInputRef } from "../config/types.secrets.js";
+import { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-policy.js";
+import { hasAmbiguousGatewayAuthModeConfig } from "../gateway/auth-mode-policy.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
+import { readGatewayTokenEnv } from "../gateway/credentials.js";
+import { secretRefKey } from "../secrets/ref-contract.js";
+import { resolveSecretRefValues } from "../secrets/resolve.js";
+import { randomToken } from "./onboard-helpers.js";
+function formatAmbiguousGatewayAuthModeReason() {
+    return [
+        "gateway.auth.token and gateway.auth.password are both configured while gateway.auth.mode is unset.",
+        `Set ${formatCliCommand("openclaw config set gateway.auth.mode token")} or ${formatCliCommand("openclaw config set gateway.auth.mode password")}.`,
+    ].join(" ");
+}
+export async function resolveGatewayInstallToken(options) {
+    const cfg = options.config;
+    const warnings = [];
+    const tokenRef = resolveSecretInputRef({
+        value: cfg.gateway?.auth?.token,
+        defaults: cfg.secrets?.defaults,
+    }).ref;
+    const tokenRefConfigured = Boolean(tokenRef);
+    const configToken = tokenRef || typeof cfg.gateway?.auth?.token !== "string"
+        ? undefined
+        : cfg.gateway.auth.token.trim() || undefined;
+    const explicitToken = options.explicitToken?.trim() || undefined;
+    const envToken = readGatewayTokenEnv(options.env);
+    if (hasAmbiguousGatewayAuthModeConfig(cfg)) {
+        return {
+            token: undefined,
+            tokenRefConfigured,
+            unavailableReason: formatAmbiguousGatewayAuthModeReason(),
+            warnings,
+        };
+    }
+    const resolvedAuth = resolveGatewayAuth({
+        authConfig: cfg.gateway?.auth,
+        tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+    });
+    const needsToken = shouldRequireGatewayTokenForInstall(cfg, options.env) && !resolvedAuth.allowTailscale;
+    let token = explicitToken || configToken || (tokenRef ? undefined : envToken);
+    let unavailableReason;
+    if (tokenRef && !token && needsToken) {
+        try {
+            const resolved = await resolveSecretRefValues([tokenRef], {
+                config: cfg,
+                env: options.env,
+            });
+            const value = resolved.get(secretRefKey(tokenRef));
+            if (typeof value !== "string" || value.trim().length === 0) {
+                throw new Error("gateway.auth.token resolved to an empty or non-string value.");
+            }
+            warnings.push("gateway.auth.token is SecretRef-managed; install will not persist a resolved token in service environment. Ensure the SecretRef is resolvable in the daemon runtime context.");
+        }
+        catch (err) {
+            unavailableReason = `gateway.auth.token SecretRef is configured but unresolved (${String(err)}).`;
+        }
+    }
+    const allowAutoGenerate = options.autoGenerateWhenMissing ?? false;
+    const persistGeneratedToken = options.persistGeneratedToken ?? false;
+    if (!token && needsToken && !tokenRef && allowAutoGenerate) {
+        token = randomToken();
+        warnings.push(persistGeneratedToken
+            ? "No gateway token found. Auto-generated one and saving to config."
+            : "No gateway token found. Auto-generated one for this run without saving to config.");
+        if (persistGeneratedToken) {
+            // Persist token in config so daemon and CLI share a stable credential source.
+            try {
+                const snapshot = await readConfigFileSnapshot();
+                if (snapshot.exists && !snapshot.valid) {
+                    warnings.push("Warning: config file exists but is invalid; skipping token persistence.");
+                }
+                else {
+                    const baseConfig = snapshot.exists ? snapshot.config : {};
+                    const existingTokenRef = resolveSecretInputRef({
+                        value: baseConfig.gateway?.auth?.token,
+                        defaults: baseConfig.secrets?.defaults,
+                    }).ref;
+                    const baseConfigToken = existingTokenRef || typeof baseConfig.gateway?.auth?.token !== "string"
+                        ? undefined
+                        : baseConfig.gateway.auth.token.trim() || undefined;
+                    if (!existingTokenRef && !baseConfigToken) {
+                        await writeConfigFile({
+                            ...baseConfig,
+                            gateway: {
+                                ...baseConfig.gateway,
+                                auth: {
+                                    ...baseConfig.gateway?.auth,
+                                    mode: baseConfig.gateway?.auth?.mode ?? "token",
+                                    token,
+                                },
+                            },
+                        });
+                    }
+                    else if (baseConfigToken) {
+                        token = baseConfigToken;
+                    }
+                    else {
+                        token = undefined;
+                        warnings.push("Warning: gateway.auth.token is SecretRef-managed; skipping plaintext token persistence.");
+                    }
+                }
+            }
+            catch (err) {
+                warnings.push(`Warning: could not persist token to config: ${String(err)}`);
+            }
+        }
+    }
+    return {
+        token,
+        tokenRefConfigured,
+        unavailableReason,
+        warnings,
+    };
+}

package/dist/commands/oauth-tls-preflight.js ADDED Viewed

@@ -0,0 +1,121 @@
+import path from "node:path";
+import { formatCliCommand } from "../cli/command-format.js";
+import { note } from "../terminal/note.js";
+const TLS_CERT_ERROR_CODES = new Set([
+    "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+    "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+    "CERT_HAS_EXPIRED",
+    "DEPTH_ZERO_SELF_SIGNED_CERT",
+    "SELF_SIGNED_CERT_IN_CHAIN",
+    "ERR_TLS_CERT_ALTNAME_INVALID",
+]);
+const TLS_CERT_ERROR_PATTERNS = [
+    /unable to get local issuer certificate/i,
+    /unable to verify the first certificate/i,
+    /self[- ]signed certificate/i,
+    /certificate has expired/i,
+];
+const OPENAI_AUTH_PROBE_URL = "https://auth.openai.com/oauth/authorize?response_type=code&client_id=openclaw-preflight&redirect_uri=http%3A%2F%2Flocalhost%3A1455%2Fauth%2Fcallback&scope=openid+profile+email";
+function asRecord(value) {
+    return value && typeof value === "object" ? value : null;
+}
+function extractFailure(error) {
+    const root = asRecord(error);
+    const rootCause = asRecord(root?.cause);
+    const code = typeof rootCause?.code === "string" ? rootCause.code : undefined;
+    const message = typeof rootCause?.message === "string"
+        ? rootCause.message
+        : typeof root?.message === "string"
+            ? root.message
+            : String(error);
+    const isTlsCertError = (code ? TLS_CERT_ERROR_CODES.has(code) : false) ||
+        TLS_CERT_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+    return {
+        code,
+        message,
+        kind: isTlsCertError ? "tls-cert" : "network",
+    };
+}
+function resolveHomebrewPrefixFromExecPath(execPath) {
+    const marker = `${path.sep}Cellar${path.sep}`;
+    const idx = execPath.indexOf(marker);
+    if (idx > 0) {
+        return execPath.slice(0, idx);
+    }
+    const envPrefix = process.env.HOMEBREW_PREFIX?.trim();
+    return envPrefix ? envPrefix : null;
+}
+function resolveCertBundlePath() {
+    const prefix = resolveHomebrewPrefixFromExecPath(process.execPath);
+    if (!prefix) {
+        return null;
+    }
+    return path.join(prefix, "etc", "openssl@3", "cert.pem");
+}
+function hasOpenAICodexOAuthProfile(cfg) {
+    const profiles = cfg.auth?.profiles;
+    if (!profiles) {
+        return false;
+    }
+    return Object.values(profiles).some((profile) => profile.provider === "openai-codex" && profile.mode === "oauth");
+}
+function shouldRunOpenAIOAuthTlsPrerequisites(params) {
+    if (params.deep === true) {
+        return true;
+    }
+    return hasOpenAICodexOAuthProfile(params.cfg);
+}
+export async function runOpenAIOAuthTlsPreflight(options) {
+    const timeoutMs = options?.timeoutMs ?? 5000;
+    const fetchImpl = options?.fetchImpl ?? fetch;
+    try {
+        await fetchImpl(OPENAI_AUTH_PROBE_URL, {
+            method: "GET",
+            redirect: "manual",
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+        return { ok: true };
+    }
+    catch (error) {
+        const failure = extractFailure(error);
+        return {
+            ok: false,
+            kind: failure.kind,
+            code: failure.code,
+            message: failure.message,
+        };
+    }
+}
+export function formatOpenAIOAuthTlsPreflightFix(result) {
+    if (result.kind !== "tls-cert") {
+        return [
+            "OpenAI OAuth prerequisites check failed due to a network error before the browser flow.",
+            `Cause: ${result.message}`,
+            "Verify DNS/firewall/proxy access to auth.openai.com and retry.",
+        ].join("\n");
+    }
+    const certBundlePath = resolveCertBundlePath();
+    const lines = [
+        "OpenAI OAuth prerequisites check failed: Node/OpenSSL cannot validate TLS certificates.",
+        `Cause: ${result.code ? `${result.code} (${result.message})` : result.message}`,
+        "",
+        "Fix (Homebrew Node/OpenSSL):",
+        `- ${formatCliCommand("brew postinstall ca-certificates")}`,
+        `- ${formatCliCommand("brew postinstall openssl@3")}`,
+    ];
+    if (certBundlePath) {
+        lines.push(`- Verify cert bundle exists: ${certBundlePath}`);
+    }
+    lines.push("- Retry the OAuth login flow.");
+    return lines.join("\n");
+}
+export async function noteOpenAIOAuthTlsPrerequisites(params) {
+    if (!shouldRunOpenAIOAuthTlsPrerequisites(params)) {
+        return;
+    }
+    const result = await runOpenAIOAuthTlsPreflight({ timeoutMs: 4000 });
+    if (result.ok || result.kind !== "tls-cert") {
+        return;
+    }
+    note(formatOpenAIOAuthTlsPreflightFix(result), "OAuth TLS prerequisites");
+}