@taptapai/taptapai-openclaw 0.0.2 → 0.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@taptapai/taptapai-openclaw",
-  "version": "0.0.2",
+  "version": "0.1.1",
   "description": "TapTapAI gateway proxy plugin",
   "type": "module",
   "openclaw": {

package/src/backendWs.ts

@@ -30,6 +30,10 @@ export type BackendWsState = {
   reconnectAttempt: number;
   watchdogTimer: ReturnType<typeof setInterval> | null;
   pingTimer: ReturnType<typeof setInterval> | null;
+  /** Tracks consecutive connect errors for log throttling. */
+  _consecutiveConnectErrors: number;
+  /** Timestamp of last logged connect error. */
+  _lastConnectErrorLog: number;
 };
 
 export function connectBackendWs(params: {
@@ -92,6 +96,7 @@ export function connectBackendWs(params: {
     try {
       logger.info?.("[taptapai] WS open, sending handshake...");
       state.reconnectAttempt = 0;
+      state._consecutiveConnectErrors = 0;
       ws.send(
         JSON.stringify({
           type: "handshake",
@@ -151,11 +156,25 @@ export function connectBackendWs(params: {
   ws.addEventListener("error", (event: any) => {
     if (state.ws !== ws) return;
     const msg = event?.message || event?.error?.message || String(event);
-    logger.error?.(`[taptapai] WS error: ${msg}`);
-    try { ws.close(); } catch {}
+
+    // Throttle identical connection errors to avoid log flood during startup.
+    state._consecutiveConnectErrors++;
+    const now = Date.now();
+    const sinceLast = now - state._lastConnectErrorLog;
+    if (state._consecutiveConnectErrors === 1 || sinceLast >= 5000) {
+      const suffix = state._consecutiveConnectErrors > 1
+        ? ` (repeated ${state._consecutiveConnectErrors} times)`
+        : "";
+      logger.warn?.(`[taptapai] WS error: ${msg}${suffix}`);
+      state._lastConnectErrorLog = now;
+      state._consecutiveConnectErrors = 0;
+    }
+
+    // Null out state.ws BEFORE closing to prevent synchronous close handler re-entry.
     state.ws = null;
     state.connected = false;
     state.connecting = false;
+    try { ws.close(); } catch {}
     scheduleReconnect({ ...params, url: normalizedUrl, token: normalizedToken });
   });
 
@@ -199,7 +218,7 @@ export function scheduleReconnect(params: {
   if (state.connecting) return;
 
   state.reconnectAttempt++;
-  const delay = Math.min(1000 * Math.pow(2, state.reconnectAttempt - 1), MAX_RECONNECT_DELAY_MS);
+  const delay = Math.min(Math.max(2000, 1000 * Math.pow(2, state.reconnectAttempt - 1)), MAX_RECONNECT_DELAY_MS);
   logger.info?.(`[taptapai] Reconnecting in ${delay}ms (attempt ${state.reconnectAttempt})...`);
   state.reconnectTimer = setTimeout(() => {
     state.reconnectTimer = null;

package/src/deviceAuth.ts

@@ -0,0 +1,151 @@
+/**
+ * Device authentication for the local OpenClaw gateway.
+ *
+ * The gateway strips all scopes from WebSocket connections that do not include
+ * a valid device identity.  Without scopes, methods like `chat.send` (which
+ * requires `operator.write`) are rejected.
+ *
+ * This module reads the device keypair that the `openclaw` CLI created during
+ * its initial pairing (`~/.openclaw/identity/device.json`) and builds the
+ * cryptographic `device` object that must be included in the WS `connect`
+ * frame.
+ */
+
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import type { LoggerLike } from "./types";
+
+// ── Types ──
+
+export interface DeviceIdentity {
+  deviceId: string;
+  publicKeyPem: string;
+  privateKeyPem: string;
+}
+
+export interface DeviceConnectField {
+  id: string;
+  publicKey: string;   // base64url raw 32-byte Ed25519 public key
+  signature: string;   // base64url Ed25519 signature of the auth payload
+  signedAt: number;    // ms since epoch
+}
+
+// ── Helpers ──
+
+const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
+
+/** Convert standard base64 to base64url (no padding). */
+function toBase64Url(buf: Buffer): string {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+/** Extract the raw 32-byte public key from a PEM-encoded Ed25519 public key. */
+function derivePublicKeyRaw(publicKeyPem: string): Buffer {
+  const keyObj = crypto.createPublicKey(publicKeyPem);
+  const spkiDer = keyObj.export({ type: "spki", format: "der" });
+  // Ed25519 SPKI = 12-byte prefix + 32-byte raw key
+  return spkiDer.subarray(ED25519_SPKI_PREFIX.length);
+}
+
+/** Build the same payload string that the gateway expects. */
+function buildDeviceAuthPayload(params: {
+  deviceId: string;
+  clientId: string;
+  clientMode: string;
+  role: string;
+  scopes: string[];
+  signedAtMs: number;
+  token: string | null;
+}): string {
+  // v1 format (no nonce): version|deviceId|clientId|clientMode|role|scopes|signedAtMs|token
+  return [
+    "v1",
+    params.deviceId,
+    params.clientId,
+    params.clientMode,
+    params.role,
+    params.scopes.join(","),
+    String(params.signedAtMs),
+    params.token ?? "",
+  ].join("|");
+}
+
+/** Sign a payload with an Ed25519 private key and return base64url signature. */
+function signPayload(privateKeyPem: string, payload: string): string {
+  const key = crypto.createPrivateKey(privateKeyPem);
+  const sig = crypto.sign(null, Buffer.from(payload, "utf8"), key);
+  return toBase64Url(sig);
+}
+
+// ── Public API ──
+
+const DEFAULT_IDENTITY_PATH = path.join(os.homedir(), ".openclaw", "identity", "device.json");
+
+/**
+ * Load the device identity from disk.
+ * Returns `null` if the file does not exist or is malformed.
+ */
+export function loadDeviceIdentity(logger: LoggerLike, filePath?: string): DeviceIdentity | null {
+  const p = filePath ?? DEFAULT_IDENTITY_PATH;
+  try {
+    if (!fs.existsSync(p)) {
+      logger.info?.(`[taptapai] No device identity at ${p} — device auth disabled`);
+      return null;
+    }
+    const raw = JSON.parse(fs.readFileSync(p, "utf8"));
+    if (raw?.version === 1 && raw.deviceId && raw.publicKeyPem && raw.privateKeyPem) {
+      logger.info?.(`[taptapai] Loaded device identity: ${raw.deviceId.substring(0, 12)}...`);
+      return {
+        deviceId: raw.deviceId,
+        publicKeyPem: raw.publicKeyPem,
+        privateKeyPem: raw.privateKeyPem,
+      };
+    }
+    logger.warn?.(`[taptapai] Device identity at ${p} has unexpected format`);
+    return null;
+  } catch (e: any) {
+    logger.warn?.(`[taptapai] Failed to load device identity: ${e?.message}`);
+    return null;
+  }
+}
+
+/**
+ * Build the `device` field for the gateway WS `connect` frame.
+ *
+ * @param identity  The device identity (from `loadDeviceIdentity`).
+ * @param clientId  The client ID used in the connect frame (e.g. "gateway-client").
+ * @param clientMode  The client mode (e.g. "backend").
+ * @param role  The role (e.g. "operator").
+ * @param scopes  The scopes to request (e.g. ["operator.admin", "operator.write", "operator.read"]).
+ * @param authToken  The gateway auth token sent in `auth.token`.
+ */
+export function buildDeviceConnect(
+  identity: DeviceIdentity,
+  clientId: string,
+  clientMode: string,
+  role: string,
+  scopes: string[],
+  authToken: string,
+): DeviceConnectField {
+  const signedAtMs = Date.now();
+  const payload = buildDeviceAuthPayload({
+    deviceId: identity.deviceId,
+    clientId,
+    clientMode,
+    role,
+    scopes,
+    signedAtMs,
+    token: authToken,
+  });
+  const signature = signPayload(identity.privateKeyPem, payload);
+  const publicKey = toBase64Url(derivePublicKeyRaw(identity.publicKeyPem));
+
+  return {
+    id: identity.deviceId,
+    publicKey,
+    signature,
+    signedAt: signedAtMs,
+  };
+}

package/src/gatewayWs.ts

@@ -4,6 +4,7 @@ import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
 import type { LoggerLike } from "./types";
+import { loadDeviceIdentity, buildDeviceConnect, type DeviceIdentity } from "./deviceAuth";
 
 let _pluginVersion = "";
 function getPluginVersion(): string {
@@ -42,6 +43,12 @@ export type GatewayWsState = {
   rpcId: number;
   pendingRequests: Map<string, PendingRequest>;
   pendingChat: Map<string, PendingChat>;
+  /** Tracks consecutive connect errors for log throttling. */
+  _consecutiveConnectErrors: number;
+  /** Timestamp of last logged connect error. */
+  _lastConnectErrorLog: number;
+  /** Cached device identity for device-auth (loaded once). */
+  _deviceIdentity?: DeviceIdentity | null;
 };
 
 export function getGatewayToken(runtime: any, pluginConfig: any, readOpenClawConfig: () => any): string {
@@ -111,6 +118,7 @@ export function connectGatewayWs(params: {
     try { clearTimeout(connectTimeout); } catch {}
     logger.info?.("[taptapai] Gateway WS open, waiting for connect.challenge...");
     state.reconnectAttempt = 0;
+    state._consecutiveConnectErrors = 0;
   });
 
   ws.addEventListener("message", (event: MessageEvent) => {
@@ -171,12 +179,25 @@ export function connectGatewayWs(params: {
     if (state.ws !== ws) return;
     const anyEvent: any = event as any;
     const msg = anyEvent?.message || anyEvent?.error?.message || String(event);
-    logger.error?.(`[taptapai] Gateway WS error: ${msg}`);
+
+    // Throttle identical connection errors to avoid log flood during startup.
+    state._consecutiveConnectErrors++;
+    const now = Date.now();
+    const sinceLast = now - state._lastConnectErrorLog;
+    if (state._consecutiveConnectErrors === 1 || sinceLast >= 5000) {
+      const suffix = state._consecutiveConnectErrors > 1
+        ? ` (repeated ${state._consecutiveConnectErrors} times)`
+        : "";
+      logger.warn?.(`[taptapai] Gateway WS error: ${msg}${suffix}`);
+      state._lastConnectErrorLog = now;
+      state._consecutiveConnectErrors = 0;
+    }
 
     try { clearTimeout(connectTimeout); } catch {}
-    try { ws.close(); } catch {}
+    // Null out state.ws BEFORE closing to prevent synchronous close handler re-entry.
     state.connected = false;
     state.ws = null;
+    try { ws.close(); } catch {}
 
     // Some implementations emit error without close; make sure we fail any waiters.
     for (const [id, pending] of state.pendingRequests) {
@@ -209,6 +230,29 @@ function sendGatewayConnect(params: {
   }
 
   const id = `gw-connect-${++state.rpcId}`;
+
+  // Load device identity once (cached on the state object).
+  // The device keypair was created by the `openclaw` CLI during initial pairing.
+  // Including it in the connect frame prevents the gateway from stripping scopes.
+  if (state._deviceIdentity === undefined) {
+    state._deviceIdentity = loadDeviceIdentity(logger);
+  }
+
+  const clientId = "gateway-client";
+  const clientMode = "backend";
+  const role = "operator";
+  const scopes = ["operator.admin", "operator.write", "operator.read"];
+
+  const device = state._deviceIdentity
+    ? buildDeviceConnect(state._deviceIdentity, clientId, clientMode, role, scopes, token)
+    : undefined;
+
+  if (device) {
+    logger.info?.(`[taptapai] Including device auth in connect (device=${device.id.substring(0, 12)}...)`);
+  } else {
+    logger.warn?.(`[taptapai] No device identity — scopes will be stripped by gateway`);
+  }
+
   const frame = {
     type: "req",
     id,
@@ -217,15 +261,16 @@ function sendGatewayConnect(params: {
       minProtocol: GATEWAY_PROTOCOL_VERSION,
       maxProtocol: GATEWAY_PROTOCOL_VERSION,
       client: {
-        id: "gateway-client",
+        id: clientId,
         displayName: "TapTapAI Plugin",
         version: getPluginVersion(),
         platform: process.platform || "linux",
-        mode: "backend",
+        mode: clientMode,
       },
       auth: { token },
-      role: "operator",
-      scopes: ["operator.admin"],
+      role,
+      scopes,
+      device,
     },
   };
 
@@ -265,7 +310,7 @@ function scheduleGatewayReconnect(params: {
   if (state.reconnectTimer) return;
 
   state.reconnectAttempt++;
-  const delay = Math.min(1000 * Math.pow(2, state.reconnectAttempt - 1), MAX_RECONNECT_DELAY_MS);
+  const delay = Math.min(Math.max(2000, 1000 * Math.pow(2, state.reconnectAttempt - 1)), MAX_RECONNECT_DELAY_MS);
   logger.info?.(`[taptapai] Gateway WS reconnecting in ${delay}ms (attempt ${state.reconnectAttempt})...`);
   state.reconnectTimer = setTimeout(() => {
     state.reconnectTimer = null;

package/src/plugin.ts

@@ -45,6 +45,8 @@ function createInitialState(): PluginState {
       reconnectAttempt: 0,
       watchdogTimer: null,
       pingTimer: null,
+      _consecutiveConnectErrors: 0,
+      _lastConnectErrorLog: 0,
     },
     gateway: {
       ws: null,
@@ -55,6 +57,8 @@ function createInitialState(): PluginState {
       rpcId: 0,
       pendingRequests: new Map(),
       pendingChat: new Map(),
+      _consecutiveConnectErrors: 0,
+      _lastConnectErrorLog: 0,
     },
     shutdownHandlersInstalled: false,
     globalErrorGuardsInstalled: false,
@@ -283,15 +287,21 @@ export function createTapTapAiPlugin() {
             state.aborted = false;
 
             logger.info?.("[taptapai] Starting local gateway WS client for agent dispatch...");
-            connectGatewayWs({
-              state: state.gateway,
-              logger,
-              aborted,
-              enabled: () => state.bridgeLock.held,
-              readOpenClawConfig: () => readOpenClawConfig(logger),
-              runtime,
-              pluginConfig,
-            });
+            // Delay initial connection to let the gateway WS server finish starting.
+            // Inside the gateway process the server may not be listening yet.
+            const gwConnectDelay = isRunningInGatewayProcess() ? 3000 : 500;
+            setTimeout(() => {
+              if (aborted()) return;
+              connectGatewayWs({
+                state: state.gateway,
+                logger,
+                aborted,
+                enabled: () => state.bridgeLock.held,
+                readOpenClawConfig: () => readOpenClawConfig(logger),
+                runtime,
+                pluginConfig,
+              });
+            }, gwConnectDelay);
 
             if (backendWsUrl) {
               logger.info?.(`[taptapai] Starting backend WS connection to ${backendWsUrl}`);

package/src/requestHandler.ts

@@ -81,15 +81,16 @@ export async function handleBackendRequest(deps: RequestHandlerDeps, req: RpcReq
         send("ack");
 
         try {
+          // Prefer WS chat.send through the local gateway — this requires
+          // device auth (operator.write scope).  Falls back to HTTP
+          // /v1/chat/completions if the WS is not connected.
+          let responseText: string;
           if (gatewayState.connected) {
             logger.info?.(`[taptapai] Dispatching via gateway WS (chat.send) [ack sent in ${Date.now() - t0}ms]`);
-            const responseText = await dispatchViaGateway({ state: gatewayState, logger, text: String(text), session: String(session) });
-            const t1 = Date.now();
-            logger.info?.(`[taptapai] ⏱️ agent.send DONE: total=${t1 - t0}ms | Gateway WS response: "${responseText.substring(0, 80)}..."`);
-            send("stream", { text: responseText }, { event: "done" });
+            responseText = await dispatchViaGateway({ state: gatewayState, logger, text: String(text), session: String(session) });
           } else {
-            logger.info?.("[taptapai] Gateway WS not connected — falling back to HTTP");
-            const responseText = await callGatewayHttp({
+            logger.info?.(`[taptapai] Gateway WS not connected — falling back to HTTP (chat/completions) [ack sent in ${Date.now() - t0}ms]`);
+            responseText = await callGatewayHttp({
               text: String(text),
               session: String(session),
               runtime,
@@ -97,13 +98,13 @@ export async function handleBackendRequest(deps: RequestHandlerDeps, req: RpcReq
               readOpenClawConfig: () => readOpenClawConfig(logger),
               logger,
             });
-            const t1 = Date.now();
-            logger.info?.(`[taptapai] ⏱️ agent.send HTTP fallback DONE: total=${t1 - t0}ms`);
-            send("stream", { text: responseText }, { event: "done" });
           }
+          const t1 = Date.now();
+          logger.info?.(`[taptapai] ⏱️ agent.send DONE: total=${t1 - t0}ms | Gateway HTTP response: "${responseText.substring(0, 80)}..."`);
+          send("stream", { text: responseText }, { event: "done" });
         } catch (e: any) {
           logger.error?.(`[taptapai] agent.send error after ${Date.now() - t0}ms: ${e?.message || e}`);
-          send("stream", { text: `Error: ${e?.message || e}` }, { event: "done" });
+          send("error", undefined, { message: `${e?.message || e}`, code: 502 });
         }
 
         break;