botschat 0.1.0

package/packages/api/src/env.ts

@@ -0,0 +1,8 @@
+/** Cloudflare Worker environment bindings */
+export type Env = {
+  DB: D1Database;
+  MEDIA: R2Bucket;
+  CONNECTION_DO: DurableObjectNamespace;
+  ENVIRONMENT: string;
+  JWT_SECRET?: string;
+};

package/packages/api/src/index.ts

@@ -0,0 +1,297 @@
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import type { Env } from "./env.js";
+import { authMiddleware } from "./utils/auth.js";
+import { auth } from "./routes/auth.js";
+import { agents } from "./routes/agents.js";
+import { channels } from "./routes/channels.js";
+import { tasks } from "./routes/tasks.js";
+import { jobs } from "./routes/jobs.js";
+import { models } from "./routes/models.js";
+import { pairing } from "./routes/pairing.js";
+import { sessions } from "./routes/sessions.js";
+import { upload } from "./routes/upload.js";
+
+// Re-export the Durable Object class so wrangler can find it
+export { ConnectionDO } from "./do/connection-do.js";
+
+const app = new Hono<{ Bindings: Env }>();
+
+// Global CORS
+app.use("/*", cors({ origin: "*", allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"] }));
+
+// Health check
+app.get("/api/health", (c) => c.json({ status: "ok", version: "0.1.0" }));
+
+// ---- Public routes (no auth) ----
+app.route("/api/auth", auth);
+
+// ---- Protected routes (require Bearer token) ----
+const protectedApp = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
+protectedApp.use("/*", authMiddleware());
+protectedApp.route("/agents", agents);
+protectedApp.route("/channels", channels);
+protectedApp.route("/models", models);
+protectedApp.get("/me", async (c) => {
+  // Proxy /api/me to the auth /me handler
+  const userId = c.get("userId");
+  const row = await c.env.DB.prepare(
+    "SELECT id, email, display_name, settings_json, created_at FROM users WHERE id = ?",
+  )
+    .bind(userId)
+    .first<{
+      id: string;
+      email: string;
+      display_name: string | null;
+      settings_json: string;
+      created_at: number;
+    }>();
+  if (!row) return c.json({ error: "User not found" }, 404);
+  return c.json({
+    id: row.id,
+    email: row.email,
+    displayName: row.display_name,
+    settings: JSON.parse(row.settings_json || "{}"),
+    createdAt: row.created_at,
+  });
+});
+
+protectedApp.patch("/me", async (c) => {
+  const userId = c.get("userId");
+  const body = await c.req.json<{ defaultModel?: string }>();
+
+  const existing = await c.env.DB.prepare(
+    "SELECT settings_json FROM users WHERE id = ?",
+  )
+    .bind(userId)
+    .first<{ settings_json: string }>();
+
+  const settings = JSON.parse(existing?.settings_json || "{}");
+
+  if (body.defaultModel !== undefined) {
+    settings.defaultModel = body.defaultModel;
+  }
+
+  await c.env.DB.prepare(
+    "UPDATE users SET settings_json = ? WHERE id = ?",
+  )
+    .bind(JSON.stringify(settings), userId)
+    .run();
+
+  return c.json({ ok: true, settings });
+});
+
+// OpenClaw scan data — schedule/instructions/model cached in the ConnectionDO.
+// These fields belong to OpenClaw (not stored in D1) and are refreshed whenever
+// the plugin sends a task.scan.result message.
+protectedApp.get("/task-scan", async (c) => {
+  const userId = c.get("userId");
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const resp = await stub.fetch(new Request("https://internal/scan-data"));
+  return new Response(resp.body, { status: resp.status, headers: { "Content-Type": "application/json" } });
+});
+
+// Top-level task listing (for Automations view)
+// Note: schedule, instructions, model are NOT stored in D1.
+// They belong to OpenClaw and are retrieved via GET /api/task-scan.
+protectedApp.get("/tasks", async (c) => {
+  const userId = c.get("userId");
+  const kind = c.req.query("kind") ?? "background";
+
+  const { results } = await c.env.DB.prepare(
+    `SELECT t.id, t.channel_id, t.name, t.kind, t.openclaw_cron_job_id,
+            t.session_key, t.enabled, t.created_at, t.updated_at
+     FROM tasks t
+     JOIN channels ch ON t.channel_id = ch.id
+     WHERE ch.user_id = ? AND t.kind = ?
+     ORDER BY t.created_at ASC`,
+  )
+    .bind(userId, kind)
+    .all<{
+      id: string;
+      channel_id: string;
+      name: string;
+      kind: string;
+      openclaw_cron_job_id: string | null;
+      session_key: string | null;
+      enabled: number;
+      created_at: number;
+      updated_at: number;
+    }>();
+
+  return c.json({
+    tasks: (results ?? []).map((r) => ({
+      id: r.id,
+      channelId: r.channel_id,
+      name: r.name,
+      kind: r.kind,
+      openclawCronJobId: r.openclaw_cron_job_id,
+      sessionKey: r.session_key,
+      enabled: !!r.enabled,
+      createdAt: r.created_at,
+      updatedAt: r.updated_at,
+    })),
+  });
+});
+
+// Top-level job listing for a task (for Automations view)
+protectedApp.get("/tasks/:taskId/jobs", async (c) => {
+  const userId = c.get("userId");
+  const taskId = c.req.param("taskId");
+  const limit = Math.min(Number(c.req.query("limit") ?? 50), 200);
+
+  // Verify the task belongs to this user
+  const task = await c.env.DB.prepare(
+    `SELECT t.id, t.kind FROM tasks t
+     JOIN channels ch ON t.channel_id = ch.id
+     WHERE t.id = ? AND ch.user_id = ?`,
+  )
+    .bind(taskId, userId)
+    .first<{ id: string; kind: string }>();
+
+  if (!task) return c.json({ error: "Task not found" }, 404);
+  if (task.kind !== "background") return c.json({ error: "Only background tasks have jobs" }, 400);
+
+  const { results } = await c.env.DB.prepare(
+    `SELECT id, session_key, status, started_at, finished_at, duration_ms, summary, created_at
+     FROM jobs WHERE task_id = ? AND user_id = ?
+     ORDER BY started_at DESC LIMIT ?`,
+  )
+    .bind(taskId, userId, limit)
+    .all<{
+      id: string;
+      session_key: string;
+      status: string;
+      started_at: number;
+      finished_at: number | null;
+      duration_ms: number | null;
+      summary: string;
+      created_at: number;
+    }>();
+
+  return c.json({
+    jobs: (results ?? []).map((r, idx, arr) => ({
+      id: r.id,
+      number: arr.length - idx,
+      sessionKey: r.session_key,
+      status: r.status,
+      startedAt: r.started_at,
+      finishedAt: r.finished_at,
+      durationMs: r.duration_ms,
+      summary: r.summary,
+      time: new Date(r.started_at * 1000).toLocaleString(),
+    })),
+  });
+});
+
+// Nested task routes under /api/channels/:channelId/tasks
+protectedApp.route("/channels/:channelId/tasks", tasks);
+// Nested job routes under /api/channels/:channelId/tasks/:taskId/jobs
+protectedApp.route("/channels/:channelId/tasks/:taskId/jobs", jobs);
+// Nested session routes under /api/channels/:channelId/sessions
+protectedApp.route("/channels/:channelId/sessions", sessions);
+protectedApp.route("/pairing-tokens", pairing);
+protectedApp.route("/upload", upload);
+
+// ---- Media serving route (public, no auth) ----
+app.get("/api/media/:userId/:filename", async (c) => {
+  const userId = c.req.param("userId");
+  const filename = c.req.param("filename");
+  const key = `media/${userId}/${filename}`;
+
+  const object = await c.env.MEDIA.get(key);
+  if (!object) {
+    return c.json({ error: "Not found" }, 404);
+  }
+
+  const headers = new Headers();
+  headers.set("Content-Type", object.httpMetadata?.contentType ?? "application/octet-stream");
+  headers.set("Cache-Control", "public, max-age=31536000, immutable");
+
+  return new Response(object.body, { headers });
+});
+
+// ---- WebSocket upgrade routes (BEFORE protected middleware) ----
+
+// OpenClaw plugin connects to: /api/gateway/:connId
+// connId can be a userId or "default" — in the latter case, we look up
+// the user via the pairing token passed in the Sec-WebSocket-Protocol header
+// or the ?token= query parameter.
+app.all("/api/gateway/:connId", async (c) => {
+  let userId = c.req.param("connId");
+
+  // If connId is not a real user ID (e.g. "default"), resolve via token
+  if (!userId.startsWith("u_")) {
+    const token =
+      c.req.query("token") ??
+      c.req.header("X-Pairing-Token") ??
+      null;
+
+    if (!token) {
+      return c.json({ error: "Token required for gateway connection" }, 401);
+    }
+
+    // Look up user by pairing token
+    const row = await c.env.DB.prepare(
+      "SELECT user_id FROM pairing_tokens WHERE token = ?",
+    )
+      .bind(token)
+      .first<{ user_id: string }>();
+
+    if (!row) {
+      return c.json({ error: "Invalid pairing token" }, 401);
+    }
+    userId = row.user_id;
+
+    // Update last_connected_at
+    await c.env.DB.prepare(
+      "UPDATE pairing_tokens SET last_connected_at = unixepoch() WHERE token = ?",
+    )
+      .bind(token)
+      .run();
+  }
+
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = `/gateway/${userId}`;
+  return stub.fetch(new Request(url.toString(), c.req.raw));
+});
+
+// Browser client connects to: /api/ws/:userId/:sessionId
+app.all("/api/ws/:userId/:sessionId", async (c) => {
+  const userId = c.req.param("userId");
+  const sessionId = c.req.param("sessionId");
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = `/client/${sessionId}`;
+  return stub.fetch(new Request(url.toString(), c.req.raw));
+});
+
+// Connection status: /api/connection/:userId/status
+app.get("/api/connection/:userId/status", async (c) => {
+  const userId = c.req.param("userId");
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = "/status";
+  return stub.fetch(new Request(url.toString()));
+});
+
+// Message history: /api/messages/:userId?sessionKey=xxx
+app.get("/api/messages/:userId", async (c) => {
+  const userId = c.req.param("userId");
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = "/messages";
+  // Forward query params (sessionKey, threadId, limit)
+  return stub.fetch(new Request(url.toString()));
+});
+
+// ---- Protected routes (require Bearer token) — AFTER ws routes ----
+app.route("/api", protectedApp);
+
+export default app;

package/packages/api/src/routes/agents.ts

@@ -0,0 +1,68 @@
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+
+/**
+ * Agents API — OpenClaw-aligned first-level entity.
+ * Returns the default agent (always) plus one agent per channel (default session = first adhoc task).
+ */
+const agents = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
+
+export type Agent = {
+  id: string;
+  name: string;
+  sessionKey: string;
+  isDefault: boolean;
+  channelId: string | null;
+};
+
+/** GET /api/agents — list agents: default + one per channel with default session */
+agents.get("/", async (c) => {
+  const userId = c.get("userId");
+
+  const list: Agent[] = [];
+
+  // 1. Channel-based agents (each channel = one agent, default session = first adhoc task)
+  const { results: channels } = await c.env.DB.prepare(
+    "SELECT id, name, openclaw_agent_id FROM channels WHERE user_id = ? ORDER BY created_at ASC",
+  )
+    .bind(userId)
+    .all<{ id: string; name: string; openclaw_agent_id: string }>();
+
+  // Find the "General" channel to associate with the default agent (for session support).
+  // If the user has created a "General" channel (auto-created on first session "+"),
+  // link it to the default agent so sessions work.
+  const generalChannel = (channels ?? []).find((ch) => ch.name === "General");
+
+  // Always show the "general" default agent for ad-hoc chat.
+  list.push({
+    id: "default",
+    name: "General",
+    sessionKey: `agent:main:botschat:${userId}:default`,
+    isDefault: true,
+    channelId: generalChannel?.id ?? null,
+  });
+
+  for (const ch of channels ?? []) {
+    // Skip the "General" channel — it's linked to the default agent above
+    if (generalChannel && ch.id === generalChannel.id) continue;
+    const task = await c.env.DB.prepare(
+      "SELECT session_key FROM tasks WHERE channel_id = ? AND kind = 'adhoc' AND session_key IS NOT NULL ORDER BY created_at ASC LIMIT 1",
+    )
+      .bind(ch.id)
+      .first<{ session_key: string }>();
+
+    const sessionKey =
+      task?.session_key ?? `agent:${ch.openclaw_agent_id}:botschat:${userId}:adhoc`;
+    list.push({
+      id: ch.id,
+      name: ch.name,
+      sessionKey,
+      isDefault: false,
+      channelId: ch.id,
+    });
+  }
+
+  return c.json({ agents: list });
+});
+
+export { agents };

package/packages/api/src/routes/auth.ts

@@ -0,0 +1,105 @@
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+import { createToken, hashPassword } from "../utils/auth.js";
+import { generateId } from "../utils/id.js";
+
+const auth = new Hono<{ Bindings: Env }>();
+
+/** POST /api/auth/register */
+auth.post("/register", async (c) => {
+  const { email, password, displayName } = await c.req.json<{
+    email: string;
+    password: string;
+    displayName?: string;
+  }>();
+
+  if (!email?.trim() || !password?.trim()) {
+    return c.json({ error: "Email and password are required" }, 400);
+  }
+
+  const id = generateId("u_");
+  const passwordHash = await hashPassword(password);
+
+  try {
+    await c.env.DB.prepare(
+      "INSERT INTO users (id, email, password_hash, display_name) VALUES (?, ?, ?, ?)",
+    )
+      .bind(id, email.trim().toLowerCase(), passwordHash, displayName?.trim() ?? null)
+      .run();
+  } catch (err: unknown) {
+    if (err instanceof Error && err.message.includes("UNIQUE")) {
+      return c.json({ error: "Email already registered" }, 409);
+    }
+    throw err;
+  }
+
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(id, secret);
+
+  return c.json({ id, email, token }, 201);
+});
+
+/** POST /api/auth/login */
+auth.post("/login", async (c) => {
+  const { email, password } = await c.req.json<{
+    email: string;
+    password: string;
+  }>();
+
+  if (!email?.trim() || !password?.trim()) {
+    return c.json({ error: "Email and password are required" }, 400);
+  }
+
+  const passwordHash = await hashPassword(password);
+
+  const row = await c.env.DB.prepare(
+    "SELECT id, email, display_name FROM users WHERE email = ? AND password_hash = ?",
+  )
+    .bind(email.trim().toLowerCase(), passwordHash)
+    .first<{ id: string; email: string; display_name: string | null }>();
+
+  if (!row) {
+    return c.json({ error: "Invalid email or password" }, 401);
+  }
+
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(row.id, secret);
+
+  return c.json({
+    id: row.id,
+    email: row.email,
+    displayName: row.display_name,
+    token,
+  });
+});
+
+/** GET /api/auth/me — returns current user info */
+auth.get("/me", async (c) => {
+  // This route requires auth middleware to be applied upstream
+  const userId = c.get("userId" as never) as string;
+  if (!userId) return c.json({ error: "Unauthorized" }, 401);
+
+  const row = await c.env.DB.prepare(
+    "SELECT id, email, display_name, settings_json, created_at FROM users WHERE id = ?",
+  )
+    .bind(userId)
+    .first<{
+      id: string;
+      email: string;
+      display_name: string | null;
+      settings_json: string;
+      created_at: number;
+    }>();
+
+  if (!row) return c.json({ error: "User not found" }, 404);
+
+  return c.json({
+    id: row.id,
+    email: row.email,
+    displayName: row.display_name,
+    settings: JSON.parse(row.settings_json || "{}"),
+    createdAt: row.created_at,
+  });
+});
+
+export { auth };

package/packages/api/src/routes/channels.ts

@@ -0,0 +1,185 @@
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+import { generateId } from "../utils/id.js";
+
+const channels = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
+
+/** GET /api/channels — list all channels for the current user */
+channels.get("/", async (c) => {
+  const userId = c.get("userId");
+
+  const { results } = await c.env.DB.prepare(
+    "SELECT id, name, description, openclaw_agent_id, system_prompt, created_at, updated_at FROM channels WHERE user_id = ? ORDER BY created_at DESC",
+  )
+    .bind(userId)
+    .all<{
+      id: string;
+      name: string;
+      description: string;
+      openclaw_agent_id: string;
+      system_prompt: string;
+      created_at: number;
+      updated_at: number;
+    }>();
+
+  return c.json({
+    channels: (results ?? []).map((r) => ({
+      id: r.id,
+      name: r.name,
+      description: r.description,
+      openclawAgentId: r.openclaw_agent_id,
+      systemPrompt: r.system_prompt,
+      createdAt: r.created_at,
+      updatedAt: r.updated_at,
+    })),
+  });
+});
+
+/** POST /api/channels — create a new channel */
+channels.post("/", async (c) => {
+  const userId = c.get("userId");
+  const { name, description, openclawAgentId, systemPrompt } = await c.req.json<{
+    name: string;
+    description?: string;
+    openclawAgentId?: string;
+    systemPrompt?: string;
+  }>();
+
+  if (!name?.trim()) {
+    return c.json({ error: "Channel name is required" }, 400);
+  }
+
+  const id = generateId("ch_");
+  // Default agent ID derived from channel name (slug)
+  const agentId =
+    openclawAgentId?.trim() ||
+    name
+      .trim()
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, "-")
+      .replace(/^-|-$/g, "");
+
+  await c.env.DB.prepare(
+    "INSERT INTO channels (id, user_id, name, description, openclaw_agent_id, system_prompt) VALUES (?, ?, ?, ?, ?, ?)",
+  )
+    .bind(id, userId, name.trim(), description?.trim() ?? "", agentId, systemPrompt?.trim() ?? "")
+    .run();
+
+  // Auto-create a default "Ad Hoc Chat" task
+  const taskId = generateId("tsk_");
+  const sessionKey = `agent:${agentId}:botschat:${userId}:adhoc`;
+  await c.env.DB.prepare(
+    "INSERT INTO tasks (id, channel_id, name, kind, session_key) VALUES (?, ?, ?, ?, ?)",
+  )
+    .bind(taskId, id, "Ad Hoc Chat", "adhoc", sessionKey)
+    .run();
+
+  // Auto-create a default session
+  const sessionId = generateId("ses_");
+  await c.env.DB.prepare(
+    "INSERT INTO sessions (id, channel_id, user_id, name, session_key) VALUES (?, ?, ?, ?, ?)",
+  )
+    .bind(sessionId, id, userId, "Session 1", sessionKey)
+    .run();
+
+  return c.json(
+    {
+      id,
+      name: name.trim(),
+      description: description?.trim() ?? "",
+      openclawAgentId: agentId,
+      systemPrompt: systemPrompt?.trim() ?? "",
+    },
+    201,
+  );
+});
+
+/** GET /api/channels/:id — get a single channel */
+channels.get("/:id", async (c) => {
+  const userId = c.get("userId");
+  const channelId = c.req.param("id");
+
+  const row = await c.env.DB.prepare(
+    "SELECT id, name, description, openclaw_agent_id, system_prompt, created_at, updated_at FROM channels WHERE id = ? AND user_id = ?",
+  )
+    .bind(channelId, userId)
+    .first<{
+      id: string;
+      name: string;
+      description: string;
+      openclaw_agent_id: string;
+      system_prompt: string;
+      created_at: number;
+      updated_at: number;
+    }>();
+
+  if (!row) return c.json({ error: "Channel not found" }, 404);
+
+  return c.json({
+    id: row.id,
+    name: row.name,
+    description: row.description,
+    openclawAgentId: row.openclaw_agent_id,
+    systemPrompt: row.system_prompt,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  });
+});
+
+/** PATCH /api/channels/:id — update a channel */
+channels.patch("/:id", async (c) => {
+  const userId = c.get("userId");
+  const channelId = c.req.param("id");
+  const body = await c.req.json<{
+    name?: string;
+    description?: string;
+    systemPrompt?: string;
+  }>();
+
+  const sets: string[] = [];
+  const values: unknown[] = [];
+
+  if (body.name !== undefined) {
+    sets.push("name = ?");
+    values.push(body.name.trim());
+  }
+  if (body.description !== undefined) {
+    sets.push("description = ?");
+    values.push(body.description.trim());
+  }
+  if (body.systemPrompt !== undefined) {
+    sets.push("system_prompt = ?");
+    values.push(body.systemPrompt.trim());
+  }
+
+  if (sets.length === 0) {
+    return c.json({ error: "No fields to update" }, 400);
+  }
+
+  sets.push("updated_at = unixepoch()");
+  values.push(channelId, userId);
+
+  await c.env.DB.prepare(
+    `UPDATE channels SET ${sets.join(", ")} WHERE id = ? AND user_id = ?`,
+  )
+    .bind(...values)
+    .run();
+
+  return c.json({ ok: true });
+});
+
+/** DELETE /api/channels/:id — delete a channel */
+channels.delete("/:id", async (c) => {
+  const userId = c.get("userId");
+  const channelId = c.req.param("id");
+
+  await c.env.DB.prepare(
+    "DELETE FROM channels WHERE id = ? AND user_id = ?",
+  )
+    .bind(channelId, userId)
+    .run();
+
+  return c.json({ ok: true });
+});
+
+export { channels };