@ssdavidai/zoclaw 1.3.0-next.0 → 1.3.0-next.2

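--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@ssdavidai/zoclaw",
- "version": "1.3.0-next.0",
+ "version": "1.3.0-next.2",
  "description": "Set up OpenClaw on Zo with Tailscale access in one command",
  "license": "MIT",
  "repository": {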
@@ -20,10 +20,9 @@ fi
20
20
 
21
21
  echo "Patching openclaw config for Tailscale Serve..."
22
22
 
23
- # Patch gateway config — use OpenClaw's native tailscale integration.
24
- # Also sets workspace to /home/workspace/.
25
23
  node -e "
26
24
  const fs = require('fs');
25
+ const crypto = require('crypto');
27
26
  const cfg = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
28
27
  const gw = cfg.gateway ??= {};
29
28
 
@@ -31,28 +30,32 @@ node -e "
31
30
  gw.bind = 'loopback';
32
31
 
33
32
  // Enable OpenClaw's native Tailscale Serve integration.
34
- // The gateway will configure tailscale serve on startup
35
- // and proxy HTTPS traffic from the tailnet to the local port.
36
33
  gw.tailscale = { mode: 'serve' };
37
34
 
38
- // Trust localhost as a reverse proxy. Tailscale Serve connects
39
- // to the gateway on 127.0.0.1 and adds x-forwarded-for headers.
40
- // Without this, the gateway ignores proxy headers and can't
41
- // resolve the caller's Tailscale identity.
35
+ // Trust localhost as reverse proxy (Tailscale Serve → loopback).
42
36
  gw.trustedProxies = ['127.0.0.1/32'];
43
37
 
44
- // Trust Tailscale identity headers valid Tailscale Serve
45
- // requests authenticate via x-forwarded-for + tailscale whois
46
- // without needing a token or password.
38
+ // Ensure token auth is configured. The gateway token is how CLI
39
+ // tools (tui, devices list, etc.) authenticate over WebSocket.
40
+ // Without this, the gateway rejects all connections as 'pairing required'.
47
41
  gw.auth ??= {};
42
+ gw.auth.mode = 'token';
43
+ if (!gw.auth.token) {
44
+ gw.auth.token = crypto.randomBytes(24).toString('hex');
45
+ console.log(' gateway.auth.token -> generated');
46
+ } else {
47
+ console.log(' gateway.auth.token -> preserved');
48
+ }
49
+
50
+ // Trust Tailscale identity headers for browser access via Serve.
48
51
  gw.auth.allowTailscale = true;
49
52
 
50
53
  // Enable the browser Control UI
51
54
  gw.controlUi ??= {};
52
55
  gw.controlUi.enabled = true;
53
56
 
54
- // Remove invalid denyCommands entries (default config generates
55
- // names that don't match real command IDs, triggering audit warnings)
57
+ // Remove invalid denyCommands (default config generates names
58
+ // that don't match real command IDs, triggering audit warnings)
56
59
  if (gw.nodes?.denyCommands) delete gw.nodes.denyCommands;
57
60
 
58
61
  // Set workspace to /home/workspace/ (Zo standard workspace)
@@ -71,18 +74,17 @@ node -e "
71
74
  echo " gateway.bind = loopback"
72
75
  echo " gateway.tailscale.mode = serve"
73
76
  echo " gateway.trustedProxies = [127.0.0.1/32]"
77
+ echo " gateway.auth.mode = token"
74
78
  echo " gateway.auth.allowTailscale = true"
75
79
  echo " gateway.controlUi.enabled = true"
76
80
  echo " agents.defaults.workspace = /home/workspace/"
77
- echo " nodes.denyCommands -> removed"
78
- echo " credentials dir -> 700"
79
81
 
80
82
  # ─── 2. Migrate secrets to Zo secrets ─────────────────────────────────
81
83
 
82
84
  echo ""
83
85
  echo "Migrating secrets to Zo secrets..."
84
86
 
85
- # Extract gateway token from openclaw config
87
+ # Extract gateway token from (now-patched) openclaw config
86
88
  GW_TOKEN=$(node -pe "JSON.parse(require('fs').readFileSync('${CONFIG}','utf8')).gateway?.auth?.token ?? ''" 2>/dev/null || true)
87
89
 
88
90
  # Extract OpenRouter API key from agent auth profiles
@@ -121,25 +123,31 @@ else
121
123
  echo " No OpenRouter API key found (skipping)"
122
124
  fi
123
125
 
124
- # Source the updated secrets so they're available for the gateway
125
- source "$SECRETS_FILE" 2>/dev/null || true
126
-
127
126
  # ─── 3. Register gateway as Zo user service ───────────────────────────
128
127
 
129
128
  echo ""
130
129
  echo "Registering gateway as Zo user service..."
131
130
 
132
- # Kill any existing background gateway process (from previous installs)
131
+ # Remove any openclaw daemon (from --install-daemon during onboarding)
132
+ # that would conflict with our supervisor-managed gateway.
133
+ openclaw daemon uninstall 2>/dev/null || true
134
+
135
+ # Kill any existing background gateway process
133
136
  pkill -f "openclaw gateway run" 2>/dev/null || true
134
137
  pkill -f "openclaw-gateway" 2>/dev/null || true
135
138
  sleep 1
136
139
 
137
- # Add [program:openclaw-gateway] to user supervisor config if not present
140
+ # Add [program:openclaw-gateway] to user supervisor config if not present.
141
+ # The gateway reads its config (including auth token) from ~/.openclaw/openclaw.json.
142
+ # We do NOT pass OPENCLAW_GATEWAY_TOKEN via env — that would override
143
+ # the config file token and is only needed for the gateway startup, not
144
+ # for CLI tools that read the token from the same config file.
138
145
  if ! grep -q "\[program:openclaw-gateway\]" "$USER_SUPERVISOR" 2>/dev/null; then
139
146
  cat >> "$USER_SUPERVISOR" << 'SUPERVISOR'
140
147
  [program:openclaw-gateway]
141
- command=bash -c 'source ~/.zo_secrets 2>/dev/null; exec openclaw gateway run'
148
+ command=openclaw gateway run
142
149
  directory=/home/workspace
150
+ environment=HOME="/root"
143
151
  autostart=true
144
152
  autorestart=true
145
153
  startretries=10
@@ -171,19 +179,22 @@ sleep 5
171
179
  # Verify gateway is running
172
180
  if supervisorctl -c "$USER_SUPERVISOR" status openclaw-gateway 2>/dev/null | grep -q RUNNING; then
173
181
  echo " Gateway running (supervised)"
174
- elif pgrep -f "openclaw-gateway" > /dev/null 2>&1; then
175
- echo " Gateway running"
176
182
  else
177
- echo " Warning: gateway is not running. Check: supervisorctl -c $USER_SUPERVISOR status"
178
- echo " Logs: /dev/shm/openclaw-gateway.log"
179
- exit 1
183
+ echo " Warning: gateway may not be running."
184
+ echo " Check: supervisorctl -c $USER_SUPERVISOR status openclaw-gateway"
185
+ echo " Logs: tail /dev/shm/openclaw-gateway.log /dev/shm/openclaw-gateway_err.log"
180
186
  fi
181
187
 
188
+ # Quick gateway health check
189
+ echo ""
190
+ echo "Gateway health:"
191
+ openclaw gateway health 2>&1 | head -5 || echo " (health check unavailable)"
192
+
182
193
  # ─── 4. Print access info ─────────────────────────────────────────────
183
194
 
184
195
  TS_HOSTNAME=$(tailscale status --json 2>/dev/null | node -pe "
185
196
  const s = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
186
- (s.Self.DNSName || '').replace(/\\\.\$/, '')
197
+ (s.Self.DNSName || '').replace(/\\.\$/g, '')
187
198
  " 2>/dev/null || true)
188
199
 
189
200
  echo ""
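Review bot: The token created by `gw.auth.token = crypto.randomBytes(24).toString('hex')` is a bearer credential stored in plaintext in the config file, and nothing in the visible hunks restricts that file's mode; the same change also drops the `credentials dir -> 700` summary line. The `node -e` block starts and ends outside these hunks, so the write-back and any chmod are not visible and this may already be handled. If it is not, add `fs.chmodSync(process.argv[1], 0o600);` right after the config is written, so that other local accounts cannot read the token. The new comment above `gw.auth.mode = 'token'` could also say where the token lives and that it must be treated as a secret, for example `// Token is stored in this config file; keep the file owner-readable only.`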
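--- a/package/scripts/setup.sh
+++ b/package/scripts/setup.sh
@@ -73,7 +73,7 @@ else
  echo " Running interactive setup..."
  echo " (When the onboarding finishes, setup will continue automatically.)"
  echo ""
- openclaw onboard --install-daemon
+ openclaw onboard --skip-daemon
  fi
 
  # ─── Step 5: Bootstrap (config + secrets + service) ──────────────────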