@syengup/friday-channel-next 0.0.11 → 0.0.13

package/dist/index.js

@@ -0,0 +1,176 @@
+import { defineChannelPluginEntry } from "openclaw/plugin-sdk/core";
+import { fridayNextChannelPlugin } from "./src/channel.js";
+import { setFridayNextRuntime } from "./src/runtime.js";
+import { resolveFridayNextConfig } from "./src/config.js";
+import { getHostOpenClawConfigSnapshot } from "./src/host-config.js";
+import { registerFridayNextHttpRoutes } from "./src/http/server.js";
+import { getFridayNextRuntime } from "./src/runtime.js";
+import { sseEmitter } from "./src/sse/emitter.js";
+import { forwardAgentEventRaw, getLastRegisteredFridayDeviceId, resolveFridayDeviceIdForSessionKey, } from "./src/friday-session.js";
+import { setFridayAgentForwardRuntime } from "./src/agent-forward-runtime.js";
+import { getOpenClawAgentRunContext } from "./src/agent-run-context-bridge.js";
+export { fridayNextChannelPlugin } from "./src/channel.js";
+export { setFridayNextRuntime } from "./src/runtime.js";
+/** `api.on` returns void — register tool hooks at most once per process. */
+let fridayNextToolHooksRegistered = false;
+let disposeAgentEventListener = null;
+/** Avoid duplicate `registerHttpRoute` when gateway re-invokes `registerFull`. */
+let fridayNextPluginHttpRegistered = false;
+function deviceIdFromToolContext(ctx) {
+    if (ctx.runId) {
+        const d = sseEmitter.getDeviceIdByRunId(ctx.runId);
+        if (d)
+            return d;
+    }
+    const sk = typeof ctx.sessionKey === "string" && ctx.sessionKey.trim()
+        ? ctx.sessionKey.trim()
+        : (ctx.runId ? getOpenClawAgentRunContext(ctx.runId)?.sessionKey?.trim() : undefined) ?? "";
+    if (sk) {
+        const d = resolveFridayDeviceIdForSessionKey(sk);
+        if (d)
+            return d;
+    }
+    const sole = sseEmitter.getSoleConnectedDeviceId();
+    if (sole)
+        return sole;
+    const last = getLastRegisteredFridayDeviceId();
+    if (last)
+        return last;
+    return null;
+}
+function isFridaySessionKey(sk) {
+    return /^friday-next-/i.test(sk) || /^agent:main:friday-next-/i.test(sk);
+}
+function shouldForwardToolEventToFriday(ctx) {
+    if (ctx.runId) {
+        if (sseEmitter.getDeviceIdByRunId(ctx.runId))
+            return true;
+        const runSk = getOpenClawAgentRunContext(ctx.runId)?.sessionKey?.trim() ?? "";
+        if (runSk) {
+            if (resolveFridayDeviceIdForSessionKey(runSk))
+                return true;
+            if (isFridaySessionKey(runSk))
+                return true;
+        }
+    }
+    const sk = typeof ctx.sessionKey === "string" ? ctx.sessionKey.trim() : "";
+    if (sk) {
+        if (resolveFridayDeviceIdForSessionKey(sk))
+            return true;
+        if (isFridaySessionKey(sk))
+            return true;
+    }
+    return false;
+}
+export default defineChannelPluginEntry({
+    id: "friday-next",
+    name: "Friday Next",
+    description: "Friday Next Apple 应用通道",
+    plugin: fridayNextChannelPlugin,
+    setRuntime: setFridayNextRuntime,
+    registerFull: (api) => {
+        setFridayAgentForwardRuntime(api);
+        if (!fridayNextPluginHttpRegistered) {
+            fridayNextPluginHttpRegistered = true;
+            registerFridayNextHttpRoutes(api);
+        }
+        else {
+            const cfg = resolveFridayNextConfig(getHostOpenClawConfigSnapshot(getFridayNextRuntime().config));
+            sseEmitter.setBacklogLimit(cfg.sseBacklogPerDevice);
+        }
+        disposeAgentEventListener?.();
+        disposeAgentEventListener = api.runtime.events.onAgentEvent((evt) => {
+            forwardAgentEventRaw({
+                runId: evt.runId,
+                seq: evt.seq,
+                ts: evt.ts,
+                stream: evt.stream,
+                data: evt.data,
+                sessionKey: evt.sessionKey,
+            });
+        });
+        if (fridayNextToolHooksRegistered) {
+            return;
+        }
+        fridayNextToolHooksRegistered = true;
+        api.on("subagent_delivery_target", (event) => {
+            if (!event.expectsCompletionMessage)
+                return;
+            const ch = event.requesterOrigin?.channel?.trim().toLowerCase();
+            if (ch !== "friday-next")
+                return;
+            const sk = event.requesterSessionKey?.trim();
+            if (!sk)
+                return;
+            const raw = resolveFridayDeviceIdForSessionKey(sk);
+            if (!raw)
+                return;
+            const to = raw.toUpperCase();
+            return {
+                origin: {
+                    channel: "friday-next",
+                    accountId: event.requesterOrigin?.accountId?.trim() || "default",
+                    to,
+                },
+            };
+        });
+        api.on("before_tool_call", (event, ctx) => {
+            if (!shouldForwardToolEventToFriday(ctx))
+                return;
+            const deviceId = deviceIdFromToolContext(ctx);
+            const runId = ctx.runId ?? "(unknown)";
+            const logLine = (detail) => {
+                const ts = new Date().toISOString();
+                console.error(`[Friday-HOOK] [${ts}] [TOOL_CALL] toolName=${event.toolName} runId=${runId} deviceId=${deviceId ?? "(unknown)"} detail=${detail}`);
+            };
+            if (!deviceId) {
+                logLine("SKIP_no_deviceId");
+                return;
+            }
+            logLine("START");
+            sseEmitter.broadcastToolEvent(deviceId.toUpperCase(), runId, {
+                type: "tool-hook",
+                data: {
+                    when: "before",
+                    runId,
+                    deviceId: deviceId.toUpperCase(),
+                    sessionKey: ctx.sessionKey,
+                    toolName: event.toolName,
+                    params: event.params,
+                    ts: Date.now(),
+                },
+            });
+        });
+        api.on("after_tool_call", (event, ctx) => {
+            if (!shouldForwardToolEventToFriday(ctx))
+                return;
+            const deviceId = deviceIdFromToolContext(ctx);
+            const runId = ctx.runId ?? "(unknown)";
+            const logLine = (detail) => {
+                const ts = new Date().toISOString();
+                console.error(`[Friday-HOOK] [${ts}] [TOOL_DONE] toolName=${event.toolName} runId=${runId} deviceId=${deviceId ?? "(unknown)"} detail=${detail}`);
+            };
+            if (!deviceId) {
+                logLine("SKIP_no_deviceId");
+                return;
+            }
+            logLine("END");
+            const normalizedDeviceId = deviceId.toUpperCase();
+            sseEmitter.broadcastToolEvent(normalizedDeviceId, runId, {
+                type: "tool-hook",
+                data: {
+                    when: "after",
+                    runId,
+                    deviceId: normalizedDeviceId,
+                    sessionKey: ctx.sessionKey,
+                    toolName: event.toolName,
+                    toolCallId: event.toolCallId,
+                    error: event.error ?? null,
+                    result: event.result,
+                    durationMs: event.durationMs ?? null,
+                    ts: Date.now(),
+                },
+            });
+        });
+    },
+});

package/install.js

@@ -260,20 +260,27 @@ log("");
 log("Gateway URL:  " + BOLD_YELLOW(gatewayUrl));
 log("Bearer Token: " + BOLD_YELLOW(gatewayToken));
 log("");
-function isPrivateIp(ip) {
-  const parts = ip.split(".").map(Number);
-  if (parts[0] === 127) return true;                       // loopback
-  if (parts[0] === 10) return true;                         // RFC 1918
-  if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true; // RFC 1918
-  if (parts[0] === 192 && parts[1] === 168) return true;    // RFC 1918
-  if (parts[0] === 169 && parts[1] === 254) return true;    // link-local
-  if (parts[0] === 100 && parts[1] >= 64 && parts[1] <= 127) return true; // CGNAT / Tailscale
-  return false;
+function classifyIp(ip) {
+  const p = ip.split(".").map(Number);
+  if (p[0] === 100 && p[1] >= 64 && p[1] <= 127) return "tailscale";
+  if (p[0] === 127) return "loopback";
+  if (p[0] === 10) return "private";
+  if (p[0] === 172 && p[1] >= 16 && p[1] <= 31) return "private";
+  if (p[0] === 192 && p[1] === 168) return "private";
+  if (p[0] === 169 && p[1] === 254) return "private";
+  return "public";
 }
 const ip = new URL(gatewayUrl).hostname;
-if (isPrivateIp(ip)) {
+const ipType = classifyIp(ip);
+if (ipType === "tailscale") {
+  log("This is a Tailscale network URL (" + ip + ").");
+  log("Accessible from your Tailnet devices.");
+} else if (ipType === "private") {
   log("This is a LOCAL network URL (" + ip + ", bind=" + bindMode + ").");
   log("If you need public access, configure HTTPS, Tailscale, or a reverse proxy.");
+} else if (ipType === "loopback") {
+  log("This is a LOOPBACK URL (" + ip + ").");
+  log("Only accessible from this machine.");
 } else {
   log("This URL appears to be publicly accessible (" + ip + ").");
 }

package/install.sh

@@ -232,19 +232,25 @@ console.log("");
 console.log("Gateway URL:  " + YB + "http://" + host + ":" + port + N);
 console.log("Bearer Token: " + YB + token + N);
 console.log("");
-function isPrivateIp(ip) {
+function classifyIp(ip) {
   var p = ip.split(".").map(Number);
-  if (p[0] === 127) return true;
-  if (p[0] === 10) return true;
-  if (p[0] === 172 && p[1] >= 16 && p[1] <= 31) return true;
-  if (p[0] === 192 && p[1] === 168) return true;
-  if (p[0] === 169 && p[1] === 254) return true;
-  if (p[0] === 100 && p[1] >= 64 && p[1] <= 127) return true;
-  return false;
+  if (p[0] === 100 && p[1] >= 64 && p[1] <= 127) return "tailscale";
+  if (p[0] === 127) return "loopback";
+  if (p[0] === 10) return "private";
+  if (p[0] === 172 && p[1] >= 16 && p[1] <= 31) return "private";
+  if (p[0] === 192 && p[1] === 168) return "private";
+  if (p[0] === 169 && p[1] === 254) return "private";
+  return "public";
 }
-if (isPrivateIp(host)) {
+if (classifyIp(host) === "tailscale") {
+  console.log("This is a Tailscale network URL (" + host + ").");
+  console.log("Accessible from your Tailnet devices.");
+} else if (classifyIp(host) === "private") {
   console.log("This is a LOCAL network URL (" + host + ", bind=" + bind + ").");
   console.log("If you need public access, configure HTTPS, Tailscale, or a reverse proxy.");
+} else if (classifyIp(host) === "loopback") {
+  console.log("This is a LOOPBACK URL (" + host + ").");
+  console.log("Only accessible from this machine.");
 } else {
   console.log("This URL appears to be publicly accessible (" + host + ").");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@syengup/friday-channel-next",
-  "version": "0.0.11",
+  "version": "0.0.13",
   "description": "OpenClaw Friday Next Apple channel plugin",
   "type": "module",
   "files": [
@@ -11,14 +11,6 @@
     "tsconfig.json",
     "openclaw.plugin.json"
   ],
-  "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "test": "pnpm test:unit && pnpm test:e2e",
-    "test:unit": "vitest run",
-    "test:e2e": "vitest run --config vitest.e2e.config.ts",
-    "test:smoke": "node scripts/e2e-smoke.mjs",
-    "test:msg-live": "node scripts/message-roundtrip-live.mjs"
-  },
   "bin": {
     "friday-channel-next": "./install.js",
     "install-friday-next": "./install.js"
@@ -64,5 +56,13 @@
     "typescript": "^6.0.3",
     "vitest": "^4.1.5",
     "zod": "^4.3.6"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "pnpm test:unit && pnpm test:e2e",
+    "test:unit": "vitest run",
+    "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "test:smoke": "node scripts/e2e-smoke.mjs",
+    "test:msg-live": "node scripts/message-roundtrip-live.mjs"
   }
-}
+}

package/src/http/handlers/device-approve.test.ts

@@ -0,0 +1,244 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { EventEmitter } from "node:events";
+import { PassThrough } from "node:stream";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { setMockRuntime } from "../../test-support/mock-runtime.js";
+
+const mockExecImpl = vi.hoisted(() => vi.fn());
+vi.mock("node:child_process", () => ({
+  exec: mockExecImpl,
+}));
+
+import { handleDeviceApprove } from "./device-approve.js";
+
+class MockRes extends EventEmitter {
+  statusCode = 0;
+  headers: Record<string, string> = {};
+  body = "";
+  setHeader(name: string, value: string): void {
+    this.headers[name.toLowerCase()] = value;
+  }
+  end(body?: string): void {
+    if (body) this.body += body;
+  }
+}
+
+function mockReq(method: string, headers: Record<string, string> = {}): PassThrough & { method: string; headers: Record<string, string> } {
+  const stream = new PassThrough() as unknown as PassThrough & { method: string; headers: Record<string, string> };
+  stream.method = method;
+  stream.headers = headers;
+  return stream;
+}
+
+function mockExecSuccess(stdout: string) {
+  const child = new EventEmitter() as EventEmitter & { stdout: EventEmitter; stderr: EventEmitter };
+  child.stdout = new EventEmitter();
+  child.stderr = new EventEmitter();
+  mockExecImpl.mockImplementationOnce((_cmd: string, _opts: unknown, cb: (error: null, stdout: string, stderr: string) => void) => {
+    cb(null, stdout, "");
+    return child;
+  });
+}
+
+function mockExecError(message: string, stderr?: string) {
+  const err = new Error(message) as Error & { stderr: string };
+  err.stderr = stderr ?? "";
+  const child = new EventEmitter() as EventEmitter & { stdout: EventEmitter; stderr: EventEmitter };
+  child.stdout = new EventEmitter();
+  child.stderr = new EventEmitter();
+  mockExecImpl.mockImplementationOnce((_cmd: string, _opts: unknown, cb: (error: Error) => void) => {
+    cb(err);
+    return child;
+  });
+}
+
+function mockExecErrorWithStderr(err: Error & { stderr?: string }) {
+  const child = new EventEmitter() as EventEmitter & { stdout: EventEmitter; stderr: EventEmitter };
+  child.stdout = new EventEmitter();
+  child.stderr = new EventEmitter();
+  mockExecImpl.mockImplementationOnce((_cmd: string, _opts: unknown, cb: (error: Error) => void) => {
+    cb(err);
+    return child;
+  });
+}
+
+const DEVICE_ID = "a80b8c4b305fb02c5772c409c6dfcbacde691b61557f7779511ad1a5be8fdf06";
+const REQUEST_ID = "12f150e8-b1bc-4688-be23-e3a7fa8b9e51";
+
+describe("handleDeviceApprove", () => {
+  beforeEach(() => {
+    setMockRuntime();
+    mockExecImpl.mockReset();
+  });
+
+  it("returns 405 on non-POST", async () => {
+    const req = { method: "GET", headers: {} } as IncomingMessage;
+    const res = new MockRes() as unknown as ServerResponse;
+    await handleDeviceApprove(req, res);
+    expect((res as unknown as MockRes).statusCode).toBe(405);
+  });
+
+  it("returns 401 for missing auth", async () => {
+    const req = mockReq("POST");
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(401);
+  });
+
+  it("returns 400 for missing body", async () => {
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end("");
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(400);
+  });
+
+  it("returns 400 for missing deviceId", async () => {
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({}));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(400);
+    expect(JSON.parse((res as unknown as MockRes).body).error).toContain("deviceId");
+  });
+
+  it("returns 502 when devices list CLI fails", async () => {
+    mockExecError("ENOENT");
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(502);
+    expect(JSON.parse((res as unknown as MockRes).body).error).toContain("Failed to list devices");
+  });
+
+  it("returns 502 when devices list returns invalid JSON", async () => {
+    mockExecSuccess("not valid json {{{");
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(502);
+    expect(JSON.parse((res as unknown as MockRes).body).error).toContain("Unexpected response");
+  });
+
+  it("returns 404 when deviceId not in pending list", async () => {
+    mockExecSuccess(JSON.stringify({
+      pending: [{ requestId: "uuid-1", deviceId: "OTHER_DEVICE" }],
+      paired: [],
+    }));
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(404);
+    const body = JSON.parse((res as unknown as MockRes).body);
+    expect(body.error).toContain("No pending device found");
+    expect(body.deviceId).toBe(DEVICE_ID.toUpperCase());
+  });
+
+  it("returns 404 when pending array is empty", async () => {
+    mockExecSuccess(JSON.stringify({ pending: [], paired: [] }));
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(404);
+  });
+
+  it("returns 502 when approve command fails", async () => {
+    mockExecSuccess(JSON.stringify({
+      pending: [{ requestId: REQUEST_ID, deviceId: DEVICE_ID }],
+      paired: [],
+    }));
+    // second call (approve) fails
+    const approveErr = new Error("Command failed") as Error & { stderr: string };
+    approveErr.stderr = "unknown requestId";
+    mockExecErrorWithStderr(approveErr);
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(502);
+    const body = JSON.parse((res as unknown as MockRes).body);
+    expect(body.error).toContain("Device approval command failed");
+    expect(body.detail).toBe("unknown requestId");
+  });
+
+  it("returns 502 when approve returns non-JSON", async () => {
+    mockExecSuccess(JSON.stringify({
+      pending: [{ requestId: REQUEST_ID, deviceId: DEVICE_ID }],
+      paired: [],
+    }));
+    mockExecSuccess("No pending device pairing requests to approve");
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(502);
+    expect(JSON.parse((res as unknown as MockRes).body).error).toContain("Unexpected response from device approval");
+  });
+
+  it("succeeds with complete flow", async () => {
+    mockExecSuccess(JSON.stringify({
+      pending: [{ requestId: REQUEST_ID, deviceId: DEVICE_ID }],
+      paired: [],
+    }));
+    mockExecSuccess(JSON.stringify({
+      requestId: REQUEST_ID,
+      device: { deviceId: DEVICE_ID, approvedAtMs: 1778571972361 },
+    }));
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID }));
+    await p;
+
+    expect((res as unknown as MockRes).statusCode).toBe(200);
+    const body = JSON.parse((res as unknown as MockRes).body);
+    expect(body.ok).toBe(true);
+    expect(body.deviceId).toBe(DEVICE_ID.toUpperCase());
+    expect(body.requestId).toBe(REQUEST_ID);
+    expect(body.approvedAtMs).toBe(1778571972361);
+    expect(mockExecImpl).toHaveBeenCalledTimes(2);
+  });
+
+  it("normalizes deviceId case-insensitively", async () => {
+    mockExecSuccess(JSON.stringify({
+      pending: [{ requestId: REQUEST_ID, deviceId: DEVICE_ID }],
+      paired: [],
+    }));
+    mockExecSuccess(JSON.stringify({
+      requestId: REQUEST_ID,
+      device: { deviceId: DEVICE_ID, approvedAtMs: 1 },
+    }));
+
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleDeviceApprove(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ deviceId: DEVICE_ID.toLowerCase() }));
+    await p;
+
+    expect((res as unknown as MockRes).statusCode).toBe(200);
+    const body = JSON.parse((res as unknown as MockRes).body);
+    expect(body.ok).toBe(true);
+    expect(body.deviceId).toBe(DEVICE_ID.toUpperCase());
+  });
+});

package/src/http/handlers/device-approve.ts

@@ -0,0 +1,158 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { exec } from "node:child_process";
+import { readJsonBody } from "../middleware/body.js";
+import { extractBearerToken } from "../middleware/auth.js";
+import { createFridayNextLogger } from "../../logging.js";
+
+// macOS LaunchAgent strips Homebrew from PATH; prepend common prefixes so
+// the child process can find openclaw. Windows doesn't need this.
+const EXEC_ENV = process.platform === "win32"
+  ? process.env
+  : { ...process.env, PATH: `/opt/homebrew/bin:/usr/local/bin:/home/linuxbrew/.linuxbrew/bin:${process.env.PATH ?? ""}` };
+
+interface PendingDevice {
+  requestId: string;
+  deviceId: string;
+}
+
+interface DeviceListJson {
+  pending?: PendingDevice[];
+}
+
+interface ApproveJson {
+  requestId: string;
+  device?: { deviceId: string; approvedAtMs?: number };
+}
+
+function execAsync(command: string, timeoutMs: number): Promise<{ stdout: string; stderr: string }> {
+  return new Promise((resolve, reject) => {
+    const child = exec(command, { encoding: "utf-8", timeout: timeoutMs, maxBuffer: 1024 * 1024, env: EXEC_ENV }, (error, stdout, stderr) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve({ stdout, stderr });
+      }
+    });
+    child.stdout?.on("data", () => { /* drain */ });
+    child.stderr?.on("data", () => { /* drain */ });
+  });
+}
+
+export async function handleDeviceApprove(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<boolean> {
+  const log = createFridayNextLogger("device-approve");
+
+  if (req.method !== "POST") {
+    res.statusCode = 405;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Method Not Allowed" }));
+    return true;
+  }
+
+  const token = extractBearerToken(req);
+  if (!token) {
+    res.statusCode = 401;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unauthorized: bearer token mismatch" }));
+    return true;
+  }
+
+  const body = await readJsonBody(req);
+  if (!body) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Invalid JSON body" }));
+    return true;
+  }
+
+  const rawDeviceId = typeof body.deviceId === "string" ? body.deviceId : "";
+  if (!rawDeviceId.trim()) {
+    res.statusCode = 400;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Missing required field: deviceId" }));
+    return true;
+  }
+
+  const normalizedDeviceId = rawDeviceId.trim().toUpperCase();
+
+  let listStdout: string;
+  try {
+    const result = await execAsync("openclaw devices list --json", 15000);
+    listStdout = result.stdout;
+  } catch (err) {
+    const stderr = (err as { stderr?: string })?.stderr?.trim();
+    log.error(`devices list failed: ${err instanceof Error ? err.message : String(err)}`);
+    res.statusCode = 502;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Failed to list devices from gateway", detail: stderr || undefined }));
+    return true;
+  }
+
+  let listData: DeviceListJson;
+  try {
+    listData = JSON.parse(listStdout) as DeviceListJson;
+  } catch {
+    log.error(`devices list returned invalid JSON: ${listStdout.slice(0, 200)}`);
+    res.statusCode = 502;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unexpected response from gateway device list" }));
+    return true;
+  }
+
+  const pending = listData.pending ?? [];
+  const match = pending.find(
+    (entry) => entry.deviceId.trim().toUpperCase() === normalizedDeviceId,
+  );
+
+  if (!match) {
+    res.statusCode = 404;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({
+      error: "No pending device found for this deviceId",
+      deviceId: normalizedDeviceId,
+    }));
+    return true;
+  }
+
+  const requestId = match.requestId;
+  log.info(`approving deviceId=${normalizedDeviceId} requestId=${requestId}`);
+
+  let approveStdout: string;
+  try {
+    const result = await execAsync(`openclaw devices approve ${requestId} --json`, 15000);
+    approveStdout = result.stdout;
+  } catch (err) {
+    const stderr = (err as { stderr?: string })?.stderr?.trim();
+    log.error(`devices approve failed: ${err instanceof Error ? err.message : String(err)}`);
+    res.statusCode = 502;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({
+      error: "Device approval command failed",
+      detail: stderr || (err instanceof Error ? err.message : "Unknown error"),
+    }));
+    return true;
+  }
+
+  let approveData: ApproveJson;
+  try {
+    approveData = JSON.parse(approveStdout) as ApproveJson;
+  } catch {
+    log.error(`devices approve returned non-JSON: ${approveStdout.slice(0, 200)}`);
+    res.statusCode = 502;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ error: "Unexpected response from device approval" }));
+    return true;
+  }
+
+  res.statusCode = 200;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify({
+    ok: true,
+    deviceId: normalizedDeviceId,
+    requestId: approveData.requestId,
+    approvedAtMs: approveData.device?.approvedAtMs,
+  }));
+  return true;
+}

package/src/http/server.ts

@@ -11,6 +11,7 @@ import { handleSseStream } from "./handlers/sse.js";
 import { handleFilesUpload } from "./handlers/files-upload.js";
 import { handleFilesDownload } from "./handlers/files-download.js";
 import { handleCancel } from "./handlers/cancel.js";
+import { handleDeviceApprove } from "./handlers/device-approve.js";
 import { handleSessionsDelete } from "./handlers/sessions-delete.js";
 import { handleSessionsSettings } from "./handlers/sessions-settings.js";
 import { handleModelsList } from "./handlers/models-list.js";
@@ -59,6 +60,10 @@ async function handleFridayNextRoute(
     return await handleCancel(req, res);
   }
 
+  if (req.method === "POST" && pathname === "/friday-next/device-approve") {
+    return await handleDeviceApprove(req, res);
+  }
+
   if (req.method === "DELETE" && pathname === "/friday-next/sessions") {
     return await handleSessionsDelete(req, res);
   }