npm - @syengup/friday-channel-next - Versions diffs - 0.0.1 - Mend

@syengup/friday-channel-next 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/README.md +35 -0
package/index.ts +191 -0
package/install.mjs +158 -0
package/install.sh +118 -0
package/openclaw.plugin.json +53 -0
package/package.json +65 -0
package/src/agent/abort-run.ts +10 -0
package/src/agent/active-runs.ts +26 -0
package/src/agent/dispatch-bridge.ts +18 -0
package/src/agent/media-bridge.ts +23 -0
package/src/agent-forward-runtime.ts +30 -0
package/src/agent-run-context-bridge.ts +32 -0
package/src/channel-actions.ts +129 -0
package/src/channel.ts +284 -0
package/src/collect-message-media-paths.ts +132 -0
package/src/config.test.ts +33 -0
package/src/config.ts +64 -0
package/src/e2e/attachments-inbound.e2e.test.ts +43 -0
package/src/e2e/attachments-outbound.e2e.test.ts +43 -0
package/src/e2e/cancel-reconnect-errors.e2e.test.ts +56 -0
package/src/e2e/connect-and-connected.e2e.test.ts +44 -0
package/src/e2e/offline-replay.e2e.test.ts +43 -0
package/src/e2e/send-text.e2e.test.ts +73 -0
package/src/e2e/slash-commands.e2e.test.ts +33 -0
package/src/e2e/status-cors-auth.e2e.test.ts +41 -0
package/src/e2e/tool-lifecycle.e2e.test.ts +49 -0
package/src/friday-inbound-stats.ts +10 -0
package/src/friday-session.forward-agent.test.ts +270 -0
package/src/friday-session.ts +327 -0
package/src/host-config.ts +20 -0
package/src/http/handlers/cancel.test.ts +70 -0
package/src/http/handlers/cancel.ts +35 -0
package/src/http/handlers/files-download.ts +239 -0
package/src/http/handlers/files-upload.ts +166 -0
package/src/http/handlers/files.ts +335 -0
package/src/http/handlers/messages.test.ts +119 -0
package/src/http/handlers/messages.ts +555 -0
package/src/http/handlers/models-list.ts +126 -0
package/src/http/handlers/sessions-delete.ts +59 -0
package/src/http/handlers/sessions-settings.ts +90 -0
package/src/http/handlers/sse.test.ts +71 -0
package/src/http/handlers/sse.ts +84 -0
package/src/http/handlers/status.test.ts +52 -0
package/src/http/handlers/status.ts +33 -0
package/src/http/middleware/auth.test.ts +46 -0
package/src/http/middleware/auth.ts +31 -0
package/src/http/middleware/body.test.ts +27 -0
package/src/http/middleware/body.ts +28 -0
package/src/http/middleware/cors.test.ts +40 -0
package/src/http/middleware/cors.ts +12 -0
package/src/http/server.ts +106 -0
package/src/logging.ts +27 -0
package/src/openclaw.d.ts +32 -0
package/src/run-metadata.ts +180 -0
package/src/runtime.ts +14 -0
package/src/session/session-manager.ts +230 -0
package/src/session-usage-snapshot.ts +80 -0
package/src/sse/emitter.test.ts +85 -0
package/src/sse/emitter.ts +249 -0
package/src/sse/frame-format.test.ts +56 -0
package/src/sse/offline-queue.test.ts +65 -0
package/src/sse/offline-queue.ts +140 -0
package/src/test-support/app-simulator.ts +243 -0
package/src/test-support/mock-dispatch.ts +181 -0
package/src/test-support/mock-runtime.ts +74 -0
package/src/vendor/runtime-store.ts +99 -0
package/tsconfig.json +17 -0

package/src/http/handlers/sessions-delete.ts ADDED Viewed

@@ -0,0 +1,59 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { deleteFridaySession, toSessionStoreKey } from "../../session/session-manager.js";
+import { getActiveRunIds } from "../../agent/active-runs.js";
+import { abortRun } from "../../agent/abort-run.js";
+import { getRunRoute } from "../../run-metadata.js";
+import { sseEmitter } from "../../sse/emitter.js";
+import { readJsonBody } from "../middleware/body.js";
+import { extractBearerToken } from "../middleware/auth.js";
+async function cancelActiveRunsForSession(sessionKey: string): Promise<string[]> {
+  const storeKey = toSessionStoreKey(sessionKey);
+  const cancelled: string[] = [];
+  for (const runId of getActiveRunIds()) {
+    const route = getRunRoute(runId);
+    if (route?.sessionKey === storeKey) {
+      await abortRun(runId);
+      sseEmitter.untrackRun(runId);
+      cancelled.push(runId);
+    }
+  }
+  return cancelled;
+}
+export async function handleSessionsDelete(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<boolean> {
+  if (req.method !== "DELETE") {
+    res.statusCode = 405;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Method Not Allowed" }));
+    return true;
+  }
+  const token = extractBearerToken(req);
+  if (!token) {
+    res.statusCode = 401;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unauthorized: bearer token mismatch" }));
+    return true;
+  }
+  const body = await readJsonBody(req);
+  const sessionKey = typeof body?.sessionKey === "string" ? body.sessionKey.trim() : "";
+  if (!sessionKey) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Missing required field: sessionKey" }));
+    return true;
+  }
+  const cancelledRuns = await cancelActiveRunsForSession(sessionKey);
+  const result = deleteFridaySession(sessionKey);
+  res.statusCode = 200;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify({ ok: true, ...result, cancelledRuns }));
+  return true;
+}

package/src/http/handlers/sessions-settings.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import {
+  setSessionSettings,
+  getSessionSettings,
+  splitModelRef,
+} from "../../session/session-manager.js";
+import { readJsonBody } from "../middleware/body.js";
+import { extractBearerToken } from "../middleware/auth.js";
+const VALID_REASONING = new Set(["on", "off", "stream"]);
+const VALID_THINKING = new Set(["off", "minimal", "low", "medium", "high"]);
+export async function handleSessionsSettings(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<boolean> {
+  if (req.method !== "PUT" && req.method !== "GET") {
+    res.statusCode = 405;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Method Not Allowed" }));
+    return true;
+  }
+  const token = extractBearerToken(req);
+  if (!token) {
+    res.statusCode = 401;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unauthorized: bearer token mismatch" }));
+    return true;
+  }
+  if (req.method === "GET") {
+    const url = new URL(req.url ?? "/", "http://localhost");
+    const sessionKey = (url.searchParams.get("sessionKey") ?? "").trim();
+    if (!sessionKey) {
+      res.statusCode = 400;
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify({ error: "Missing required query param: sessionKey" }));
+      return true;
+    }
+    const settings = getSessionSettings(sessionKey);
+    res.statusCode = 200;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ ok: true, sessionKey, ...settings }));
+    return true;
+  }
+  // PUT
+  const body = await readJsonBody(req);
+  const sessionKey = typeof body?.sessionKey === "string" ? body.sessionKey.trim() : "";
+  if (!sessionKey) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Missing required field: sessionKey" }));
+    return true;
+  }
+  const reasoningLevel = typeof body?.reasoningLevel === "string" ? body.reasoningLevel : undefined;
+  const thinkingLevel = typeof body?.thinkingLevel === "string" ? body.thinkingLevel : undefined;
+  const modelRef = typeof body?.modelRef === "string" ? body.modelRef : undefined;
+  const errors: string[] = [];
+  if (reasoningLevel !== undefined && !VALID_REASONING.has(reasoningLevel)) {
+    errors.push(`reasoningLevel must be one of: ${[...VALID_REASONING].join(", ")}`);
+  }
+  if (thinkingLevel !== undefined && !VALID_THINKING.has(thinkingLevel)) {
+    errors.push(`thinkingLevel must be one of: ${[...VALID_THINKING].join(", ")}`);
+  }
+  if (errors.length > 0) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: errors.join("; ") }));
+    return true;
+  }
+  const settings: Record<string, string | undefined> = { reasoningLevel, thinkingLevel, modelRef };
+  if (modelRef) {
+    const split = splitModelRef(modelRef);
+    settings["providerOverride"] = split.provider;
+    settings["modelOverride"] = split.modelId;
+  }
+  const result = setSessionSettings(sessionKey, settings);
+  res.statusCode = 200;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify({ ok: true, sessionKey, ...result }));
+  return true;
+}

package/src/http/handlers/sse.test.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { describe, expect, it, vi } from "vitest";
+import { EventEmitter } from "node:events";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { handleSseStream } from "./sse.js";
+import { setFridayNextRuntime } from "../../runtime.js";
+import { sseEmitter } from "../../sse/emitter.js";
+class MockReq extends EventEmitter {
+  method = "GET";
+  url = "/friday-next/events?deviceId=dev-a&lastEventId=3";
+  headers: Record<string, string> = {
+    authorization: "Bearer t1",
+  };
+}
+class MockRes extends EventEmitter {
+  statusCode = 0;
+  headers: Record<string, string> = {};
+  writes: string[] = [];
+  setHeader(name: string, value: string): void {
+    this.headers[name.toLowerCase()] = value;
+  }
+  flushHeaders(): void {
+    // no-op
+  }
+  write(chunk: string): boolean {
+    this.writes.push(chunk);
+    return true;
+  }
+  end(body?: string): void {
+    if (body) this.writes.push(body);
+  }
+}
+describe("handleSseStream", () => {
+  it("returns 401 when bearer missing", async () => {
+    setFridayNextRuntime({
+      config: { loadConfig: () => ({ channels: { "friday-next": { authToken: "t1" } } }) },
+    } as never);
+    const req = new MockReq() as unknown as IncomingMessage;
+    (req as IncomingMessage).headers = {};
+    const res = new MockRes() as unknown as ServerResponse;
+    await handleSseStream(req, res);
+    expect((res as unknown as MockRes).statusCode).toBe(401);
+  });
+  it("sets SSE headers and replays from Last-Event-ID", async () => {
+    setFridayNextRuntime({
+      config: {
+        loadConfig: () => ({
+          channels: {
+            "friday-next": {
+              authToken: "t1",
+              sse: { keepaliveSec: 30, backlogPerDevice: 20 },
+            },
+          },
+        }),
+      },
+    } as never);
+    const req = new MockReq() as unknown as IncomingMessage;
+    const res = new MockRes() as unknown as ServerResponse;
+    const spyReplay = vi.spyOn(sseEmitter, "replayBacklog").mockReturnValue(0);
+    await handleSseStream(req, res);
+    const headers = (res as unknown as MockRes).headers;
+    expect((res as unknown as MockRes).statusCode).toBe(200);
+    expect(headers["content-type"]).toContain("text/event-stream");
+    expect(spyReplay).toHaveBeenCalledWith("dev-a", 3);
+    (req as unknown as MockReq).emit("close");
+    spyReplay.mockRestore();
+  });
+});

package/src/http/handlers/sse.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { resolveFridayNextConfig } from "../../config.js";
+import { getHostOpenClawConfigSnapshot } from "../../host-config.js";
+import { getFridayNextRuntime } from "../../runtime.js";
+import { sseEmitter } from "../../sse/emitter.js";
+import { extractBearerToken } from "../middleware/auth.js";
+function parseLastEventId(req: IncomingMessage, url: URL): number {
+  const query = Number.parseInt(url.searchParams.get("lastEventId") ?? "", 10);
+  if (Number.isFinite(query)) return query;
+  const header = Number.parseInt((req.headers["last-event-id"] as string) ?? "", 10);
+  return Number.isFinite(header) ? header : 0;
+}
+export async function handleSseStream(req: IncomingMessage, res: ServerResponse): Promise<boolean> {
+  if (req.method !== "GET") {
+    res.statusCode = 405;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Method Not Allowed" }));
+    return true;
+  }
+  const token = extractBearerToken(req);
+  if (!token) {
+    res.statusCode = 401;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unauthorized: bearer token mismatch" }));
+    return true;
+  }
+  const url = new URL(req.url ?? "/", "http://localhost");
+  const deviceId = (url.searchParams.get("deviceId") ?? "").trim();
+  if (!deviceId) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Missing required query parameter: deviceId" }));
+    return true;
+  }
+  res.statusCode = 200;
+  res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
+  res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
+  res.setHeader("Connection", "keep-alive");
+  res.setHeader("X-Accel-Buffering", "no");
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  res.flushHeaders();
+  const conn = sseEmitter.addConnection(deviceId, res);
+  const normalized = deviceId.trim().toUpperCase();
+  const lastSeq = sseEmitter.latestSeqForDevice(normalized);
+  sseEmitter.broadcast(
+    {
+      type: "connected",
+      data: {
+        deviceId: normalized,
+        serverTime: Date.now(),
+        lastSeq,
+      },
+    },
+    deviceId,
+    true,
+  );
+  const lastEventId = parseLastEventId(req, url);
+  if (lastEventId > 0) sseEmitter.replayBacklog(deviceId, lastEventId);
+  const config = resolveFridayNextConfig(getHostOpenClawConfigSnapshot(getFridayNextRuntime().config));
+  const keepalive = setInterval(() => {
+    if (conn.isClosed) {
+      clearInterval(keepalive);
+      return;
+    }
+    conn.sendRaw(": keepalive\n\n");
+  }, config.sseKeepaliveSec * 1000);
+  keepalive.unref();
+  req.on("close", () => {
+    clearInterval(keepalive);
+    sseEmitter.removeConnection(deviceId, conn);
+  });
+  return true;
+}

package/src/http/handlers/status.test.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { EventEmitter } from "node:events";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { handleStatus } from "./status.js";
+import { clearFridayNextRuntime, setFridayNextRuntime } from "../../runtime.js";
+class MockRes extends EventEmitter {
+  statusCode = 0;
+  headers: Record<string, string> = {};
+  body = "";
+  setHeader(name: string, value: string): void {
+    this.headers[name.toLowerCase()] = value;
+  }
+  end(body?: string): void {
+    if (body) this.body += body;
+    this.emit("finish");
+  }
+}
+describe("handleStatus", () => {
+  afterEach(() => {
+    clearFridayNextRuntime();
+  });
+  it("401 without bearer", async () => {
+    setFridayNextRuntime({
+      config: { loadConfig: () => ({ gateway: { auth: { token: "tok" } }, channels: {} }) },
+    } as never);
+    const req = { method: "GET", headers: {} } as IncomingMessage;
+    const res = new MockRes() as unknown as ServerResponse;
+    await handleStatus(req, res);
+    expect((res as unknown as MockRes).statusCode).toBe(401);
+  });
+  it("returns channel health payload", async () => {
+    setFridayNextRuntime({
+      config: { loadConfig: () => ({ gateway: { auth: { token: "tok" } }, channels: {} }) },
+    } as never);
+    const req = {
+      method: "GET",
+      headers: { authorization: "Bearer tok" },
+    } as IncomingMessage;
+    const res = new MockRes() as unknown as ServerResponse;
+    const handled = await handleStatus(req, res);
+    expect(handled).toBe(true);
+    expect((res as unknown as MockRes).statusCode).toBe(200);
+    const body = JSON.parse((res as unknown as MockRes).body) as Record<string, unknown>;
+    expect(body.channel).toBe("friday-next");
+    expect(Array.isArray(body.activeRuns)).toBe(true);
+    expect(typeof body.activeRunCount).toBe("number");
+  });
+});

package/src/http/handlers/status.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { getActiveRunIds } from "../../agent/active-runs.js";
+import { sseEmitter } from "../../sse/emitter.js";
+import { extractBearerToken } from "../middleware/auth.js";
+export async function handleStatus(req: IncomingMessage, res: ServerResponse): Promise<boolean> {
+  if (req.method !== "GET") {
+    res.statusCode = 405;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Method Not Allowed" }));
+    return true;
+  }
+  if (!extractBearerToken(req)) {
+    res.statusCode = 401;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unauthorized: bearer token mismatch" }));
+    return true;
+  }
+  const activeRuns = getActiveRunIds();
+  res.statusCode = 200;
+  res.setHeader("Content-Type", "application/json");
+  res.end(
+    JSON.stringify({
+      ok: true,
+      channel: "friday-next",
+      version: "v2",
+      connections: sseEmitter.getConnectionCount(),
+      activeRuns,
+      activeRunCount: activeRuns.length,
+    }),
+  );
+  return true;
+}

package/src/http/middleware/auth.test.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { describe, expect, it } from "vitest";
+import type { IncomingMessage } from "node:http";
+import { extractBearerToken } from "./auth.js";
+import { setFridayNextRuntime } from "../../runtime.js";
+function setConfig(config: unknown): void {
+  setFridayNextRuntime({
+    config: { loadConfig: () => config },
+  } as never);
+}
+function req(auth?: string): IncomingMessage {
+  return { headers: auth ? { authorization: auth } : {} } as IncomingMessage;
+}
+describe("extractBearerToken", () => {
+  it("uses gateway.auth.token with highest priority", () => {
+    setConfig({
+      gateway: { auth: { token: "gateway-token" } },
+      channels: {
+        "friday-next": { authToken: "plugin-token" },
+      },
+    });
+    expect(extractBearerToken(req("Bearer gateway-token"))).toBe("gateway-token");
+    expect(extractBearerToken(req("Bearer plugin-token"))).toBeNull();
+  });
+  it("falls back to plugin authToken", () => {
+    setConfig({
+      channels: {
+        "friday-next": { authToken: "plugin-token" },
+      },
+    });
+    expect(extractBearerToken(req("Bearer plugin-token"))).toBe("plugin-token");
+  });
+  it("returns null for missing or malformed header", () => {
+    setConfig({
+      channels: {
+        "friday-next": { authToken: "x" },
+      },
+    });
+    expect(extractBearerToken(req())).toBeNull();
+    expect(extractBearerToken(req("x y z"))).toBeNull();
+  });
+});

package/src/http/middleware/auth.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Bearer token authentication middleware for Friday HTTP routes.
+ *
+ * Validates that the bearer token matches the gateway's configured auth token.
+ * This ensures plugin HTTP endpoints use the same token as gateway WS connections.
+ */
+import type { IncomingMessage } from "node:http";
+import { resolveFridayNextConfig } from "../../config.js";
+import { getHostOpenClawConfigSnapshot } from "../../host-config.js";
+import { getFridayNextRuntime } from "../../runtime.js";
+/**
+ * Extract and validate bearer token from Authorization header.
+ * Returns the token only if it matches the gateway's configured auth token.
+ * Returns null if token is missing, malformed, or doesn't match.
+ */
+export function extractBearerToken(req: IncomingMessage): string | null {
+  const auth = req.headers.authorization;
+  if (!auth || typeof auth !== "string") return null;
+  const parts = auth.trim().split(/\s+/);
+  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") return null;
+  const token = parts[1];
+  // Validate token matches the gateway's configured auth token.
+  const cfg = getHostOpenClawConfigSnapshot(getFridayNextRuntime().config);
+  const runtimeConfig = resolveFridayNextConfig(cfg);
+  if (!runtimeConfig.authToken || token !== runtimeConfig.authToken) return null;
+  return token;
+}

package/src/http/middleware/body.test.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { describe, expect, it } from "vitest";
+import { PassThrough } from "node:stream";
+import { readJsonBody } from "./body.js";
+describe("readJsonBody", () => {
+  it("parses valid json", async () => {
+    const req = new PassThrough();
+    const p = readJsonBody(req as never);
+    req.end(JSON.stringify({ ok: true }));
+    await expect(p).resolves.toEqual({ ok: true });
+  });
+  it("returns null for invalid json", async () => {
+    const req = new PassThrough();
+    const p = readJsonBody(req as never);
+    req.end("{");
+    await expect(p).resolves.toBeNull();
+  });
+  it("returns null for oversized body", async () => {
+    const req = new PassThrough();
+    const p = readJsonBody(req as never, 8);
+    req.write("123456789");
+    req.end();
+    await expect(p).resolves.toBeNull();
+  });
+});

package/src/http/middleware/body.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { IncomingMessage } from "node:http";
+export async function readJsonBody(
+  req: IncomingMessage,
+  maxBytes = 2 * 1024 * 1024,
+): Promise<Record<string, unknown> | null> {
+  return await new Promise((resolve) => {
+    const chunks: Buffer[] = [];
+    let total = 0;
+    req.on("data", (chunk: Buffer) => {
+      total += chunk.length;
+      if (total > maxBytes) {
+        resolve(null);
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      try {
+        resolve(JSON.parse(Buffer.concat(chunks).toString("utf-8")) as Record<string, unknown>);
+      } catch {
+        resolve(null);
+      }
+    });
+    req.on("error", () => resolve(null));
+  });
+}

package/src/http/middleware/cors.test.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import { describe, expect, it } from "vitest";
+import { applyCorsHeaders } from "./cors.js";
+import { setFridayNextRuntime } from "../../runtime.js";
+class MockRes {
+  headers: Record<string, string> = {};
+  setHeader(name: string, value: string): void {
+    this.headers[name] = value;
+  }
+}
+describe("applyCorsHeaders", () => {
+  it("does nothing when cors disabled", () => {
+    setFridayNextRuntime({
+      config: { loadConfig: () => ({ channels: { "friday-next": { cors: { enabled: false } } } }) },
+    } as never);
+    const res = new MockRes();
+    applyCorsHeaders(res as never);
+    expect(Object.keys(res.headers)).toHaveLength(0);
+  });
+  it("sets configured cors headers", () => {
+    setFridayNextRuntime({
+      config: {
+        loadConfig: () => ({
+          channels: {
+            "friday-next": {
+              cors: { enabled: true, allowOrigin: "https://app.local" },
+            },
+          },
+        }),
+      },
+    } as never);
+    const res = new MockRes();
+    applyCorsHeaders(res as never);
+    expect(res.headers["Access-Control-Allow-Origin"]).toBe("https://app.local");
+    expect(res.headers["Access-Control-Allow-Headers"]).toContain("Authorization");
+    expect(res.headers["Access-Control-Allow-Methods"]).toContain("OPTIONS");
+  });
+});

package/src/http/middleware/cors.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { ServerResponse } from "node:http";
+import { resolveFridayNextConfig } from "../../config.js";
+import { getHostOpenClawConfigSnapshot } from "../../host-config.js";
+import { getFridayNextRuntime } from "../../runtime.js";
+export function applyCorsHeaders(res: ServerResponse): void {
+  const cfg = resolveFridayNextConfig(getHostOpenClawConfigSnapshot(getFridayNextRuntime().config));
+  if (!cfg.corsEnabled) return;
+  res.setHeader("Access-Control-Allow-Origin", cfg.corsAllowOrigin || "*");
+  res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Last-Event-ID");
+  res.setHeader("Access-Control-Allow-Methods", "GET,POST,DELETE,OPTIONS");
+}