botschat 0.1.1 → 0.1.3

package/README.md

@@ -8,6 +8,40 @@ A self-hosted chat interface for [OpenClaw](https://github.com/openclaw/openclaw
 
 BotsChat gives you a modern, Slack-like web UI to interact with your OpenClaw agents — organize conversations into **Channels**, schedule **Background Tasks**, and monitor **Job** executions. Everything runs on your own infrastructure; your API keys and data never leave your machine.
 
+## Key Features
+
+### Structured Conversation Management
+
+BotsChat organizes your conversations through a **Channel → Session → Thread** three-layer hierarchy, keeping complex agent interactions clean and navigable:
+
+- **Channel** — one workspace per agent (e.g. "#General", "#BotsChat"), listed in the left sidebar.
+- **Session** — multiple session tabs within each channel, so you can run parallel conversations without losing context.
+- **Thread** — branch off from any message to start a focused sub-conversation in the right panel, without cluttering the main chat.
+
+You can also **switch models on the fly** from the top-right selector, and trigger common **Skills** (like `/model`, `/help`, `/skills`) directly from the command bar at the bottom of the chat.
+
+![Conversation Structure — Channel, Session, and Thread](docs/thread.png)
+
+### Interactive Agent UI (A2UI)
+
+Instead of plain text walls, BotsChat renders agent responses as **interactive UI elements** — clickable buttons, radio groups, and selection cards. When an agent asks "What kind of project do you want to create?", you see styled option buttons you can click, not just text to read and retype. This makes multi-step workflows feel like a guided wizard rather than a raw chat.
+
+![Interactive UI — Agent responses rendered as buttons and selection cards](docs/a2ui.png)
+
+### Background Task Automation
+
+Schedule **cron-style background tasks** that run your agents on autopilot. Each task has its own prompt, schedule, model selection, and full execution history. You can view detailed job logs, re-run tasks on demand, and enable/disable them with a single toggle.
+
+![Background Task — Schedule, prompt, and execution history](docs/cron.png)
+
+### Built-in Debug Log
+
+A collapsible **Debug Log** panel at the bottom of the UI gives you real-time visibility into what's happening under the hood — WebSocket events, cron task loading, agent scan results, and more. Filter by log level (ALL, WS, WST, API, INF, WRN, ERR) to quickly diagnose issues without leaving the chat interface.
+
+![Debug Log — Real-time logs with level filtering](docs/debug.png)
+
+---
+
 ## Architecture
 
 ![BotsChat Architecture](docs/architecture.png)
@@ -51,9 +85,17 @@ npm install
 
 ### Step 2: Deploy BotsChat Server
 
-Choose one of the two options below:
+Choose one of the three options below:
+
+#### Option A: Use Hosted Console (Recommended)
+
+The easiest way to get started — no deployment needed. We run a hosted BotsChat instance at **[console.botschat.app](https://console.botschat.app)**. Just sign up, generate a pairing token, and connect your OpenClaw instance directly.
+
+Your API keys and data still stay on your machine — the hosted console only relays chat messages via WebSocket, exactly the same as a self-hosted deployment.
+
+> Skip to [Step 3](#step-3-install-the-openclaw-plugin) after signing up.
 
-#### Option A: Run Locally
+#### Option B: Run Locally
 
 Wrangler uses [Miniflare](https://miniflare.dev) under the hood, so D1, R2, and Durable Objects all run locally — **no Cloudflare account needed**.
 
@@ -82,7 +124,7 @@ Other dev commands:
 ./scripts/dev.sh logs      # Tail remote gateway logs
 ```
 
-#### Option B: Deploy to Cloudflare
+#### Option C: Deploy to Cloudflare
 
 For remote access (e.g. chatting with your agents from your phone), deploy to Cloudflare Workers. The free tier is more than enough for personal use.
 
@@ -122,6 +164,7 @@ Open the BotsChat web UI, register an account, and generate a **pairing token**
 **3. Configure the connection**
 
 ```bash
+# For hosted console, use https://console.botschat.app
 # For local deployment, use http://localhost:8787 or your LAN IP
 # For Cloudflare deployment, use your Workers URL
 openclaw config set channels.botschat.cloudUrl <BOTSCHAT_URL>

package/migrations/0009_google_auth.sql

@@ -0,0 +1,10 @@
+-- Support Firebase OAuth (Google, GitHub, etc.) users who don't have a password.
+
+-- auth_provider: 'email' (default), 'google', 'github'
+ALTER TABLE users ADD COLUMN auth_provider TEXT NOT NULL DEFAULT 'email';
+
+-- Firebase UID — unique across all Firebase auth providers
+ALTER TABLE users ADD COLUMN firebase_uid TEXT;
+
+-- Index for quick lookup by firebase_uid
+CREATE UNIQUE INDEX IF NOT EXISTS idx_users_firebase_uid ON users(firebase_uid) WHERE firebase_uid IS NOT NULL;

package/migrations/0010_pairing_token_security.sql

@@ -0,0 +1,10 @@
+-- Pairing token security enhancements: soft-delete (revoke), audit fields.
+
+-- Soft-delete: revoked tokens are rejected but kept for audit trail
+ALTER TABLE pairing_tokens ADD COLUMN revoked_at INTEGER;
+
+-- Last connecting IP (for audit)
+ALTER TABLE pairing_tokens ADD COLUMN last_ip TEXT;
+
+-- Connection count (for anomaly detection)
+ALTER TABLE pairing_tokens ADD COLUMN connection_count INTEGER NOT NULL DEFAULT 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botschat",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "A self-hosted chat interface for OpenClaw AI agents",
   "workspaces": [
     "packages/*"

package/packages/api/src/do/connection-do.ts

@@ -36,11 +36,13 @@ export class ConnectionDO implements DurableObject {
     // Route: /gateway/:accountId — OpenClaw plugin connects here
     if (url.pathname.startsWith("/gateway/")) {
       // Extract and store userId from the gateway path
-      const userId = url.pathname.split("/gateway/")[1];
+      const userId = url.pathname.split("/gateway/")[1]?.split("?")[0];
       if (userId) {
         await this.state.storage.put("userId", userId);
       }
-      return this.handleOpenClawConnect(request);
+      // Check if the API worker already verified the token against D1
+      const preVerified = url.searchParams.get("verified") === "1";
+      return this.handleOpenClawConnect(request, preVerified);
     }
 
     // Route: /client/:sessionId — Browser client connects here
@@ -121,7 +123,7 @@ export class ConnectionDO implements DurableObject {
 
   // ---- Connection handlers ----
 
-  private handleOpenClawConnect(request: Request): Response {
+  private handleOpenClawConnect(request: Request, preVerified = false): Response {
     if (request.headers.get("Upgrade") !== "websocket") {
       return new Response("Expected WebSocket upgrade", { status: 426 });
     }
@@ -132,8 +134,10 @@ export class ConnectionDO implements DurableObject {
     // Accept with Hibernation API, tag as "openclaw"
     this.state.acceptWebSocket(server, ["openclaw"]);
 
-    // Store initial state: not yet authenticated
-    server.serializeAttachment({ authenticated: false, tag: "openclaw" });
+    // If the API worker already verified the token against D1, mark as
+    // pre-verified. The plugin still sends an auth message, which we'll
+    // fast-track through without re-validating the token.
+    server.serializeAttachment({ authenticated: false, tag: "openclaw", preVerified });
 
     return new Response(null, { status: 101, webSocket: client });
   }
@@ -162,12 +166,14 @@ export class ConnectionDO implements DurableObject {
     ws: WebSocket,
     msg: Record<string, unknown>,
   ): Promise<void> {
-    const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string } | null;
+    const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string; preVerified?: boolean } | null;
 
     // Handle auth handshake
     if (msg.type === "auth") {
       const token = msg.token as string;
-      const isValid = await this.validatePairingToken(token);
+      // If the API worker already validated this token against D1, skip
+      // the DO-level check. Otherwise fall back to local validation.
+      const isValid = attachment?.preVerified || await this.validatePairingToken(token);
 
       if (isValid) {
         ws.serializeAttachment({ ...attachment, authenticated: true });

package/packages/api/src/env.ts

@@ -5,4 +5,7 @@ export type Env = {
   CONNECTION_DO: DurableObjectNamespace;
   ENVIRONMENT: string;
   JWT_SECRET?: string;
+  FIREBASE_PROJECT_ID?: string;
+  /** Canonical public URL override — if set, always use this as cloudUrl. */
+  PUBLIC_URL?: string;
 };

package/packages/api/src/index.ts

@@ -11,6 +11,7 @@ import { models } from "./routes/models.js";
 import { pairing } from "./routes/pairing.js";
 import { sessions } from "./routes/sessions.js";
 import { upload } from "./routes/upload.js";
+import { setup } from "./routes/setup.js";
 
 // Re-export the Durable Object class so wrangler can find it
 export { ConnectionDO } from "./do/connection-do.js";
@@ -25,6 +26,7 @@ app.get("/api/health", (c) => c.json({ status: "ok", version: "0.1.0" }));
 
 // ---- Public routes (no auth) ----
 app.route("/api/auth", auth);
+app.route("/api/setup", setup);
 
 // ---- Protected routes (require Bearer token) ----
 const protectedApp = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
@@ -232,9 +234,9 @@ app.all("/api/gateway/:connId", async (c) => {
       return c.json({ error: "Token required for gateway connection" }, 401);
     }
 
-    // Look up user by pairing token
+    // Look up user by pairing token (exclude revoked tokens)
     const row = await c.env.DB.prepare(
-      "SELECT user_id FROM pairing_tokens WHERE token = ?",
+      "SELECT user_id FROM pairing_tokens WHERE token = ? AND revoked_at IS NULL",
     )
       .bind(token)
       .first<{ user_id: string }>();
@@ -244,18 +246,24 @@ app.all("/api/gateway/:connId", async (c) => {
     }
     userId = row.user_id;
 
-    // Update last_connected_at
+    // Update audit fields: last_connected_at, last_ip, connection_count
+    const clientIp = c.req.header("CF-Connecting-IP") ?? c.req.header("X-Forwarded-For") ?? "unknown";
     await c.env.DB.prepare(
-      "UPDATE pairing_tokens SET last_connected_at = unixepoch() WHERE token = ?",
+      `UPDATE pairing_tokens
+       SET last_connected_at = unixepoch(), last_ip = ?, connection_count = connection_count + 1
+       WHERE token = ?`,
     )
-      .bind(token)
+      .bind(clientIp, token)
       .run();
   }
 
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);
+  // Pass verified userId to DO — the API worker already validated the token
+  // against D1 above, so DO can trust this.
   url.pathname = `/gateway/${userId}`;
+  url.searchParams.set("verified", "1");
   return stub.fetch(new Request(url.toString(), c.req.raw));
 });
 

package/packages/api/src/routes/auth.ts

@@ -1,6 +1,7 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
 import { createToken, hashPassword } from "../utils/auth.js";
+import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId } from "../utils/id.js";
 
 const auth = new Hono<{ Bindings: Env }>();
@@ -73,6 +74,105 @@ auth.post("/login", async (c) => {
   });
 });
 
+/**
+ * POST /api/auth/firebase — sign in (or register) with a Firebase ID token.
+ * Works for all Firebase-backed providers (Google, GitHub, etc.).
+ */
+async function handleFirebaseAuth(c: {
+  req: { json: <T>() => Promise<T> };
+  env: Env;
+  json: (data: unknown, status?: number) => Response;
+}) {
+  const { idToken } = await c.req.json<{ idToken: string }>();
+
+  if (!idToken?.trim()) {
+    return c.json({ error: "idToken is required" }, 400);
+  }
+
+  const projectId = c.env.FIREBASE_PROJECT_ID;
+  if (!projectId) {
+    return c.json({ error: "Firebase sign-in is not configured" }, 500);
+  }
+
+  // 1. Verify the Firebase ID token
+  let firebaseUser;
+  try {
+    firebaseUser = await verifyFirebaseIdToken(idToken, projectId);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Token verification failed";
+    return c.json({ error: msg }, 401);
+  }
+
+  const email = firebaseUser.email?.toLowerCase();
+  if (!email) {
+    return c.json({ error: "Account has no email address" }, 400);
+  }
+
+  const firebaseUid = firebaseUser.sub;
+  // Determine provider from Firebase token (google.com, github.com, etc.)
+  const signInProvider = firebaseUser.firebase?.sign_in_provider ?? "unknown";
+  const authProvider = signInProvider.includes("google")
+    ? "google"
+    : signInProvider.includes("github")
+      ? "github"
+      : signInProvider;
+  const displayName = firebaseUser.name ?? email.split("@")[0];
+
+  // 2. Look up existing user by firebase_uid first, then by email
+  let row = await c.env.DB.prepare(
+    "SELECT id, email, display_name, auth_provider FROM users WHERE firebase_uid = ?",
+  )
+    .bind(firebaseUid)
+    .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+
+  if (!row) {
+    // Check if there's an existing email-based account — link it
+    row = await c.env.DB.prepare(
+      "SELECT id, email, display_name, auth_provider FROM users WHERE email = ?",
+    )
+      .bind(email)
+      .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+
+    if (row) {
+      // Link Firebase UID to existing account
+      await c.env.DB.prepare(
+        "UPDATE users SET firebase_uid = ?, auth_provider = ?, updated_at = unixepoch() WHERE id = ?",
+      )
+        .bind(firebaseUid, authProvider, row.id)
+        .run();
+    }
+  }
+
+  if (!row) {
+    // 3. Create a new user (OAuth-only, no password)
+    const id = generateId("u_");
+    await c.env.DB.prepare(
+      `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
+       VALUES (?, ?, '', ?, ?, ?)`,
+    )
+      .bind(id, email, displayName, authProvider, firebaseUid)
+      .run();
+
+    row = { id, email, display_name: displayName, auth_provider: authProvider };
+  }
+
+  // 4. Issue our own JWT
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(row.id, secret);
+
+  return c.json({
+    id: row.id,
+    email: row.email,
+    displayName: row.display_name,
+    token,
+  });
+}
+
+// Register the unified Firebase auth handler and provider-specific aliases
+auth.post("/firebase", (c) => handleFirebaseAuth(c));
+auth.post("/google", (c) => handleFirebaseAuth(c));
+auth.post("/github", (c) => handleFirebaseAuth(c));
+
 /** GET /api/auth/me — returns current user info */
 auth.get("/me", async (c) => {
   // This route requires auth middleware to be applied upstream

package/packages/api/src/routes/pairing.ts

@@ -4,12 +4,15 @@ import { generateId, generatePairingToken } from "../utils/id.js";
 
 const pairing = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
 
-/** GET /api/pairing-tokens — list pairing tokens for the current user */
+/** GET /api/pairing-tokens — list active (non-revoked) pairing tokens for the current user */
 pairing.get("/", async (c) => {
   const userId = c.get("userId");
 
   const { results } = await c.env.DB.prepare(
-    "SELECT id, token, label, last_connected_at, created_at FROM pairing_tokens WHERE user_id = ? ORDER BY created_at DESC",
+    `SELECT id, token, label, last_connected_at, last_ip, connection_count, created_at
+     FROM pairing_tokens
+     WHERE user_id = ? AND revoked_at IS NULL
+     ORDER BY created_at DESC`,
   )
     .bind(userId)
     .all<{
@@ -17,17 +20,20 @@ pairing.get("/", async (c) => {
       token: string;
       label: string | null;
       last_connected_at: number | null;
+      last_ip: string | null;
+      connection_count: number;
       created_at: number;
     }>();
 
   return c.json({
     tokens: (results ?? []).map((r) => ({
       id: r.id,
-      // Show only last 8 chars for security
       token: r.token,
       tokenPreview: `bc_pat_...${r.token.slice(-8)}`,
       label: r.label,
       lastConnectedAt: r.last_connected_at,
+      lastIp: r.last_ip,
+      connectionCount: r.connection_count,
       createdAt: r.created_at,
     })),
   });
@@ -59,13 +65,14 @@ pairing.post("/", async (c) => {
   );
 });
 
-/** DELETE /api/pairing-tokens/:id — revoke a pairing token */
+/** DELETE /api/pairing-tokens/:id — soft-revoke a pairing token */
 pairing.delete("/:id", async (c) => {
   const userId = c.get("userId");
   const tokenId = c.req.param("id");
 
+  // Soft-delete: set revoked_at instead of removing the row
   await c.env.DB.prepare(
-    "DELETE FROM pairing_tokens WHERE id = ? AND user_id = ?",
+    "UPDATE pairing_tokens SET revoked_at = unixepoch() WHERE id = ? AND user_id = ? AND revoked_at IS NULL",
   )
     .bind(tokenId, userId)
     .run();

package/packages/api/src/routes/setup.ts

@@ -0,0 +1,199 @@
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+import { createToken, hashPassword } from "../utils/auth.js";
+import { verifyFirebaseIdToken } from "../utils/firebase.js";
+import { generateId, generatePairingToken } from "../utils/id.js";
+import { resolveCloudUrlWithHints } from "../utils/resolve-url.js";
+
+const setup = new Hono<{ Bindings: Env }>();
+
+/**
+ * POST /api/setup/init — One-shot CLI onboarding endpoint.
+ *
+ * Accepts email+password OR a Firebase idToken.
+ * Returns everything the CLI needs to configure the OpenClaw plugin:
+ *   - userId, JWT token, pairing token, cloud URL, ready-to-run commands.
+ *
+ * Idempotent: if the user already has a pairing token, a new one is created
+ * for this setup session (old ones remain valid).
+ */
+setup.post("/init", async (c) => {
+  const body = await c.req.json<{
+    email?: string;
+    password?: string;
+    idToken?: string;
+  }>();
+
+  let userId: string;
+  let email: string;
+  let displayName: string | null = null;
+
+  if (body.idToken) {
+    // ---- Firebase auth path ----
+    const projectId = c.env.FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      return c.json({ error: "Firebase sign-in is not configured" }, 500);
+    }
+
+    let firebaseUser;
+    try {
+      firebaseUser = await verifyFirebaseIdToken(body.idToken, projectId);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "Token verification failed";
+      return c.json({ error: msg }, 401);
+    }
+
+    email = firebaseUser.email?.toLowerCase() ?? "";
+    if (!email) return c.json({ error: "Account has no email" }, 400);
+
+    displayName = firebaseUser.name ?? null;
+    const firebaseUid = firebaseUser.sub;
+
+    // Find or create user
+    let row = await c.env.DB.prepare(
+      "SELECT id, display_name FROM users WHERE firebase_uid = ?",
+    ).bind(firebaseUid).first<{ id: string; display_name: string | null }>();
+
+    if (!row) {
+      row = await c.env.DB.prepare(
+        "SELECT id, display_name FROM users WHERE email = ?",
+      ).bind(email).first<{ id: string; display_name: string | null }>();
+
+      if (row) {
+        await c.env.DB.prepare(
+          "UPDATE users SET firebase_uid = ?, updated_at = unixepoch() WHERE id = ?",
+        ).bind(firebaseUid, row.id).run();
+      }
+    }
+
+    if (!row) {
+      const id = generateId("u_");
+      const signInProvider = firebaseUser.firebase?.sign_in_provider ?? "unknown";
+      const authProvider = signInProvider.includes("google") ? "google"
+        : signInProvider.includes("github") ? "github" : signInProvider;
+      await c.env.DB.prepare(
+        `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
+         VALUES (?, ?, '', ?, ?, ?)`,
+      ).bind(id, email, displayName ?? email.split("@")[0], authProvider, firebaseUid).run();
+      row = { id, display_name: displayName };
+    }
+
+    userId = row.id;
+    displayName = row.display_name;
+  } else {
+    // ---- Email + password path ----
+    if (!body.email?.trim() || !body.password?.trim()) {
+      return c.json({ error: "email+password or idToken is required" }, 400);
+    }
+
+    email = body.email.trim().toLowerCase();
+    const passwordHash = await hashPassword(body.password);
+
+    const row = await c.env.DB.prepare(
+      "SELECT id, display_name FROM users WHERE email = ? AND password_hash = ?",
+    ).bind(email, passwordHash).first<{ id: string; display_name: string | null }>();
+
+    if (!row) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
+    userId = row.id;
+    displayName = row.display_name;
+  }
+
+  // ---- Create a fresh pairing token for this setup ----
+  const ptId = generateId("pt_");
+  const pairingToken = generatePairingToken();
+  await c.env.DB.prepare(
+    "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
+  ).bind(ptId, userId, pairingToken, "CLI setup").run();
+
+  // ---- Ensure a default channel exists ----
+  let channel = await c.env.DB.prepare(
+    "SELECT id, name FROM channels WHERE user_id = ? LIMIT 1",
+  ).bind(userId).first<{ id: string; name: string }>();
+
+  if (!channel) {
+    const chId = generateId("ch_");
+    await c.env.DB.prepare(
+      "INSERT INTO channels (id, user_id, name, description) VALUES (?, ?, ?, ?)",
+    ).bind(chId, userId, "My Agent", "Default channel").run();
+    channel = { id: chId, name: "My Agent" };
+  }
+
+  // ---- Issue JWT ----
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(userId, secret);
+
+  // ---- Resolve the best cloud URL for the plugin to connect back ----
+  const { cloudUrl, isLoopback, hint } = resolveCloudUrlWithHints(c.req.raw, c.env);
+
+  return c.json({
+    userId,
+    email,
+    displayName,
+    token,
+    pairingToken,
+    cloudUrl,
+    ...(isLoopback ? { cloudUrlWarning: hint } : {}),
+    channel: { id: channel.id, name: channel.name },
+    setupCommands: [
+      "openclaw plugins install @botschat/openclaw-plugin",
+      `openclaw config set channels.botschat.cloudUrl ${cloudUrl}`,
+      `openclaw config set channels.botschat.pairingToken ${pairingToken}`,
+      "openclaw config set channels.botschat.enabled true",
+      "openclaw gateway restart",
+    ],
+  });
+});
+
+/**
+ * GET /api/setup/cloud-url — Returns the recommended cloudUrl for the plugin.
+ *
+ * Used by the web onboarding page to display the correct URL in commands.
+ * No auth required (the URL is not secret).
+ */
+setup.get("/cloud-url", async (c) => {
+  const { cloudUrl, isLoopback, hint } = resolveCloudUrlWithHints(c.req.raw, c.env);
+  return c.json({ cloudUrl, isLoopback, ...(hint ? { hint } : {}) });
+});
+
+/**
+ * GET /api/setup/status — Check if the user's OpenClaw is connected.
+ *
+ * Used by CLI to verify the setup was successful.
+ * Requires Bearer token auth.
+ */
+setup.get("/status", async (c) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return c.json({ error: "Missing Authorization header" }, 401);
+  }
+
+  const { verifyToken } = await import("../utils/auth.js");
+  const jwtSecret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const payload = await verifyToken(authHeader.slice(7), jwtSecret);
+  if (!payload) {
+    return c.json({ error: "Invalid or expired token" }, 401);
+  }
+
+  const userId = payload.sub;
+
+  // Query the DO for connection status
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const resp = await stub.fetch(new Request("https://internal/status"));
+
+  if (!resp.ok) {
+    return c.json({ connected: false });
+  }
+
+  const status = await resp.json() as { openclawConnected?: boolean };
+
+  return c.json({
+    connected: !!status.openclawConnected,
+    userId,
+  });
+});
+
+export { setup };