botschat 0.1.13 → 0.1.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botschat",
-  "version": "0.1.13",
+  "version": "0.1.15",
   "description": "A self-hosted chat interface for OpenClaw AI agents",
   "workspaces": [
     "packages/*"

package/packages/api/src/do/connection-do.ts

@@ -1,6 +1,7 @@
 import type { Env } from "../env.js";
 import { verifyToken, getJwtSecret, signMediaUrl } from "../utils/auth.js";
 import { getFcmAccessToken, sendPushNotification } from "../utils/fcm.js";
+import { sendApnsNotification, type ApnsConfig } from "../utils/apns.js";
 import { generateId as generateIdUtil } from "../utils/id.js";
 import { randomUUID } from "../utils/uuid.js";
 
@@ -31,6 +32,9 @@ export class ConnectionDO implements DurableObject {
   /** Browser sessions that report themselves in foreground (push notifications are suppressed). */
   private foregroundSessions = new Set<string>();
 
+  /** Timestamp of last accepted OpenClaw WebSocket (in-memory, no storage write). */
+  private lastOpenClawAcceptedAt = 0;
+
   constructor(state: DurableObjectState, env: Env) {
     this.state = state;
     this.env = env;
@@ -38,16 +42,33 @@ export class ConnectionDO implements DurableObject {
 
   /** Handle incoming HTTP requests (WebSocket upgrades). */
   async fetch(request: Request): Promise<Response> {
+    try {
+      return await this._fetch(request);
+    } catch (err) {
+      const msg = String(err);
+      if (msg.includes("Exceeded")) {
+        console.error("[DO] Storage limit exceeded:", msg);
+        return new Response("Storage limit exceeded, retry later", {
+          status: 503,
+          headers: { "Retry-After": "300" },
+        });
+      }
+      throw err;
+    }
+  }
+
+  private async _fetch(request: Request): Promise<Response> {
     const url = new URL(request.url);
 
     // Route: /gateway/:accountId — OpenClaw plugin connects here
     if (url.pathname.startsWith("/gateway/")) {
-      // Extract and store userId from the gateway path
       const userId = url.pathname.split("/gateway/")[1]?.split("?")[0];
       if (userId) {
-        await this.state.storage.put("userId", userId);
+        const stored = await this.state.storage.get<string>("userId");
+        if (stored !== userId) {
+          await this.state.storage.put("userId", userId);
+        }
       }
-      // Check if the API worker already verified the token against D1
       const preVerified = url.searchParams.get("verified") === "1";
       return this.handleOpenClawConnect(request, preVerified);
     }
@@ -91,22 +112,32 @@ export class ConnectionDO implements DurableObject {
 
   /** Called when a WebSocket receives a message (wakes from hibernation). */
   async webSocketMessage(ws: WebSocket, message: string | ArrayBuffer): Promise<void> {
-    const tag = this.getTag(ws);
-    const data = typeof message === "string" ? message : new TextDecoder().decode(message);
-
-    let parsed: Record<string, unknown>;
     try {
-      parsed = JSON.parse(data);
-    } catch {
-      return; // Ignore malformed JSON
-    }
+      const tag = this.getTag(ws);
+      const data = typeof message === "string" ? message : new TextDecoder().decode(message);
 
-    if (tag === "openclaw") {
-      // Message from OpenClaw → handle auth or forward to browsers
-      await this.handleOpenClawMessage(ws, parsed);
-    } else if (tag?.startsWith("browser:")) {
-      // Message from browser → forward to OpenClaw
-      await this.handleBrowserMessage(ws, parsed);
+      let parsed: Record<string, unknown>;
+      try {
+        parsed = JSON.parse(data);
+      } catch {
+        return;
+      }
+
+      if (tag === "openclaw") {
+        await this.handleOpenClawMessage(ws, parsed);
+      } else if (tag?.startsWith("browser:")) {
+        await this.handleBrowserMessage(ws, parsed);
+      }
+    } catch (err) {
+      const msg = String(err);
+      if (msg.includes("Exceeded")) {
+        console.error("[DO] Storage limit exceeded in webSocketMessage:", msg);
+        try {
+          ws.send(JSON.stringify({ type: "error", message: "Storage limit exceeded, retry later" }));
+        } catch { /* socket may already be dead */ }
+        return;
+      }
+      throw err;
     }
   }
 
@@ -138,10 +169,31 @@ export class ConnectionDO implements DurableObject {
       return new Response("Expected WebSocket upgrade", { status: 426 });
     }
 
+    const now = Date.now();
+    const cooldownMs = 30_000;
+    if (now - this.lastOpenClawAcceptedAt < cooldownMs) {
+      const retryAfter = Math.ceil((cooldownMs - (now - this.lastOpenClawAcceptedAt)) / 1000);
+      return new Response("Too many connections, retry later", {
+        status: 429,
+        headers: { "Retry-After": String(retryAfter) },
+      });
+    }
+    this.lastOpenClawAcceptedAt = now;
+
+    // Safety valve: if stale openclaw sockets accumulated (e.g. from
+    // rapid reconnects that authenticated but then lost their edge
+    // connection), close them all before accepting a new one.
+    const existing = this.state.getWebSockets("openclaw");
+    if (existing.length > 3) {
+      console.warn(`[DO] Safety valve: ${existing.length} openclaw sockets, closing all`);
+      for (const s of existing) {
+        try { s.close(4009, "replaced"); } catch { /* dead */ }
+      }
+    }
+
     const pair = new WebSocketPair();
     const [client, server] = [pair[0], pair[1]];
 
-    // Accept with Hibernation API, tag as "openclaw"
     this.state.acceptWebSocket(server, ["openclaw"]);
 
     // If the API worker already verified the token against D1, mark as
@@ -186,37 +238,35 @@ export class ConnectionDO implements DurableObject {
       const isValid = attachment?.preVerified || await this.validatePairingToken(token);
 
       if (isValid) {
-        // Close any existing (potentially stale) openclaw sockets before
-        // marking the new one as authenticated.  Cloudflare's edge infra
-        // terminates WebSocket connections every ~60 min (code 1006).  The
-        // plugin reconnects immediately, but the DO may not have detected
-        // the old socket's death yet (no close frame → no webSocketClose
-        // callback yet).  Without this cleanup, getOpenClawSocket() could
-        // return a stale/dead socket, silently dropping all messages.
+        // Close ALL other openclaw sockets. Use custom code 4009 so
+        // well-behaved plugins know they were replaced (not a crash)
+        // and should NOT reconnect. The Worker-level rate limit (10s)
+        // prevents the resulting close event from flooding the DO.
         const existingSockets = this.state.getWebSockets("openclaw");
+        let closedCount = 0;
         for (const oldWs of existingSockets) {
           if (oldWs !== ws) {
             try {
-              oldWs.close(1000, "replaced by new connection");
-            } catch {
-              // Socket may already be dead — ignore
-            }
+              oldWs.close(4009, "replaced");
+              closedCount++;
+            } catch { /* already dead */ }
           }
         }
 
         ws.serializeAttachment({ ...attachment, authenticated: true });
-        // Include userId so the plugin can derive the E2E key
         const userId = await this.state.storage.get<string>("userId");
-        console.log(`[DO] auth.ok → userId=${userId}, closedStale=${existingSockets.length - 1}`);
+        console.log(`[DO] auth.ok → userId=${userId}, closed=${closedCount}, total=${existingSockets.length}`);
         ws.send(JSON.stringify({ type: "auth.ok", userId }));
-        // Store gateway default model from plugin auth
-        if (msg.model) {
+        if (msg.model && msg.model !== this.defaultModel) {
           this.defaultModel = msg.model as string;
           await this.state.storage.put("defaultModel", this.defaultModel);
         }
         // After auth, request task scan + models list from the plugin
         ws.send(JSON.stringify({ type: "task.scan.request" }));
         ws.send(JSON.stringify({ type: "models.request" }));
+        // Send notification preview preference to plugin
+        const notifyPreview = await this.getNotifyPreviewSetting(userId);
+        ws.send(JSON.stringify({ type: "settings.notifyPreview", enabled: notifyPreview }));
         // Notify all browser clients that OpenClaw is now connected
         this.broadcastToBrowsers(
           JSON.stringify({ type: "connection.status", openclawConnected: true, defaultModel: this.defaultModel, models: this.cachedModels }),
@@ -291,20 +341,24 @@ export class ConnectionDO implements DurableObject {
       await this.handleTaskScanResult(msg);
     }
 
-    // Handle models list from plugin — persist to storage and broadcast to browsers
     if (msg.type === "models.list") {
-      this.cachedModels = (msg.models as Array<{ id: string; name: string; provider: string }>) ?? [];
-      await this.state.storage.put("cachedModels", this.cachedModels);
-      console.log(`[DO] Persisted ${this.cachedModels.length} models to storage, broadcasting connection.status`);
+      const newModels = (msg.models as Array<{ id: string; name: string; provider: string }>) ?? [];
+      const changed = JSON.stringify(newModels) !== JSON.stringify(this.cachedModels);
+      this.cachedModels = newModels;
+      if (changed) {
+        await this.state.storage.put("cachedModels", this.cachedModels);
+        console.log(`[DO] Persisted ${this.cachedModels.length} models to storage`);
+      }
       this.broadcastToBrowsers(
         JSON.stringify({ type: "connection.status", openclawConnected: true, defaultModel: this.defaultModel, models: this.cachedModels }),
       );
     }
 
-    // Plugin applied BotsChat default model to OpenClaw config — update and broadcast
     if (msg.type === "defaultModel.updated" && typeof msg.model === "string") {
-      this.defaultModel = msg.model;
-      await this.state.storage.put("defaultModel", this.defaultModel);
+      if (msg.model !== this.defaultModel) {
+        this.defaultModel = msg.model;
+        await this.state.storage.put("defaultModel", this.defaultModel);
+      }
       this.broadcastToBrowsers(
         JSON.stringify({ type: "connection.status", openclawConnected: true, defaultModel: this.defaultModel, models: this.cachedModels }),
       );
@@ -315,17 +369,19 @@ export class ConnectionDO implements DurableObject {
       await this.handleJobUpdate(msg);
     }
 
-    // Forward all messages to browser clients
+    // Forward all messages to browser clients (strip notifyPreview — plaintext
+    // must not be relayed to browser WebSockets; browsers decrypt locally)
     if (msg.type === "agent.text") {
       console.log(`[DO] Forwarding agent.text to browsers: encrypted=${msg.encrypted}, messageId=${msg.messageId}, textLen=${typeof msg.text === "string" ? msg.text.length : "?"}`);
     }
-    this.broadcastToBrowsers(JSON.stringify(msg));
+    const { notifyPreview: _stripped, ...msgForBrowser } = msg;
+    this.broadcastToBrowsers(JSON.stringify(msgForBrowser));
 
     // Send push notification if no browser session is in foreground
     if (
       (msg.type === "agent.text" || msg.type === "agent.media" || msg.type === "agent.a2ui") &&
       this.foregroundSessions.size === 0 &&
-      this.env.FCM_SERVICE_ACCOUNT_JSON
+      (this.env.FCM_SERVICE_ACCOUNT_JSON || this.env.APNS_AUTH_KEY)
     ) {
       this.sendPushNotifications(msg).catch((err) => {
         console.error("[DO] Push notification failed:", err);
@@ -546,6 +602,24 @@ export class ConnectionDO implements DurableObject {
 
   // ---- Helpers ----
 
+  /** Read the user's notifyPreview preference from D1 settings_json. */
+  private async getNotifyPreviewSetting(userId?: string | null): Promise<boolean> {
+    const uid = userId ?? await this.state.storage.get<string>("userId");
+    if (!uid) return false;
+    try {
+      const row = await this.env.DB.prepare(
+        "SELECT settings_json FROM users WHERE id = ?",
+      ).bind(uid).first<{ settings_json: string }>();
+      if (row?.settings_json) {
+        const settings = JSON.parse(row.settings_json);
+        return settings.notifyPreview === true;
+      }
+    } catch (err) {
+      console.error("[DO] Failed to read notifyPreview setting:", err);
+    }
+    return false;
+  }
+
   /** Restore cachedModels and defaultModel from durable storage if in-memory cache is empty. */
   private async ensureCachedModels(): Promise<void> {
     if (this.cachedModels.length > 0) return;
@@ -599,7 +673,9 @@ export class ConnectionDO implements DurableObject {
   /**
    * Send push notifications to all of the user's registered devices.
    * Called when an agent message arrives and no browser session is in foreground.
-   * Sends data-only FCM messages so clients can decrypt E2E content before showing.
+   *
+   * iOS tokens go directly to APNs (Capacitor returns raw APNs device tokens).
+   * Web/Android tokens go through FCM HTTP v1 API.
    */
   private async sendPushNotifications(msg: Record<string, unknown>): Promise<void> {
     const userId = await this.state.storage.get<string>("userId");
@@ -612,8 +688,8 @@ export class ConnectionDO implements DurableObject {
       .all<{ id: string; token: string; platform: string }>();
 
     if (!results || results.length === 0) return;
+    console.log(`[DO] Push: ${results.length} token(s) for ${userId} (ios: ${results.filter((r) => r.platform === "ios").length})`);
 
-    // Build data payload — includes ciphertext so the client can decrypt
     const data: Record<string, string> = {
       type: msg.type as string,
       sessionKey: (msg.sessionKey as string) ?? "",
@@ -621,30 +697,88 @@ export class ConnectionDO implements DurableObject {
       encrypted: msg.encrypted ? "1" : "0",
     };
 
+    let notifBody = "New message";
     if (msg.type === "agent.text") {
       data.text = (msg.text as string) ?? "";
+      if (msg.encrypted && typeof msg.notifyPreview === "string" && msg.notifyPreview) {
+        const preview = msg.notifyPreview as string;
+        notifBody = preview.length > 100 ? preview.slice(0, 100) + "…" : preview;
+      } else if (!msg.encrypted && data.text) {
+        notifBody = data.text.length > 100 ? data.text.slice(0, 100) + "…" : data.text;
+      } else if (msg.encrypted) {
+        notifBody = "New encrypted message";
+      }
     } else if (msg.type === "agent.media") {
       data.text = (msg.caption as string) || "";
       data.mediaUrl = (msg.mediaUrl as string) ?? "";
+      notifBody = data.text || "Sent a media file";
     } else if (msg.type === "agent.a2ui") {
       data.text = "New interactive message";
+      notifBody = "New interactive message";
     }
 
-    const accessToken = await getFcmAccessToken(this.env.FCM_SERVICE_ACCOUNT_JSON!);
-    const projectId = this.env.FIREBASE_PROJECT_ID ?? "botschat-130ff";
-
+    const iosTokens = results.filter((r) => r.platform === "ios");
+    const androidTokens = results.filter((r) => r.platform === "android");
+    const webTokens = results.filter((r) => r.platform === "web");
     const invalidTokenIds: string[] = [];
-    await Promise.allSettled(
-      results.map(async (row) => {
-        const ok = await sendPushNotification({
-          accessToken,
-          projectId,
-          fcmToken: row.token,
-          data,
-        });
-        if (!ok) invalidTokenIds.push(row.id);
-      }),
-    );
+    const notification = { title: "BotsChat", body: notifBody };
+
+    // iOS: send via APNs directly (Capacitor registers raw APNs device tokens)
+    if (iosTokens.length > 0 && this.env.APNS_AUTH_KEY) {
+      const apnsConfig: ApnsConfig = {
+        authKey: this.env.APNS_AUTH_KEY,
+        keyId: this.env.APNS_KEY_ID ?? "",
+        teamId: this.env.APNS_TEAM_ID ?? "",
+        bundleId: "app.botschat.console",
+      };
+      await Promise.allSettled(
+        iosTokens.map(async (row) => {
+          const ok = await sendApnsNotification({
+            config: apnsConfig,
+            deviceToken: row.token,
+            title: "BotsChat",
+            body: notifBody,
+            data,
+          });
+          if (!ok) invalidTokenIds.push(row.id);
+        }),
+      );
+    }
+
+    // Android: FCM with notification payload (data-only is silent in background)
+    if (androidTokens.length > 0 && this.env.FCM_SERVICE_ACCOUNT_JSON) {
+      const accessToken = await getFcmAccessToken(this.env.FCM_SERVICE_ACCOUNT_JSON);
+      const projectId = this.env.FIREBASE_PROJECT_ID ?? "botschat-130ff";
+      await Promise.allSettled(
+        androidTokens.map(async (row) => {
+          const ok = await sendPushNotification({
+            accessToken,
+            projectId,
+            fcmToken: row.token,
+            data,
+            notification,
+          });
+          if (!ok) invalidTokenIds.push(row.id);
+        }),
+      );
+    }
+
+    // Web: FCM data-only (Service Worker decrypts + shows notification)
+    if (webTokens.length > 0 && this.env.FCM_SERVICE_ACCOUNT_JSON) {
+      const accessToken = await getFcmAccessToken(this.env.FCM_SERVICE_ACCOUNT_JSON);
+      const projectId = this.env.FIREBASE_PROJECT_ID ?? "botschat-130ff";
+      await Promise.allSettled(
+        webTokens.map(async (row) => {
+          const ok = await sendPushNotification({
+            accessToken,
+            projectId,
+            fcmToken: row.token,
+            data,
+          });
+          if (!ok) invalidTokenIds.push(row.id);
+        }),
+      );
+    }
 
     // Clean up invalid/expired tokens
     for (const id of invalidTokenIds) {
@@ -1215,7 +1349,11 @@ export class ConnectionDO implements DurableObject {
         .first<{ user_id: string }>();
 
       const isValid = !!row;
-      await this.state.storage.put(cacheKey, { valid: isValid, cachedAt: Date.now() });
+      try {
+        await this.state.storage.put(cacheKey, { valid: isValid, cachedAt: Date.now() });
+      } catch {
+        // Non-critical — skip caching if storage is full
+      }
       return isValid;
     } catch (err) {
       console.error("[DO] Failed to validate pairing token against D1:", err);

package/packages/api/src/env.ts

@@ -14,4 +14,10 @@ export type Env = {
   DEV_AUTH_SECRET?: string;
   /** FCM Service Account JSON for push notifications (stored as secret via `wrangler secret put`). */
   FCM_SERVICE_ACCOUNT_JSON?: string;
+  /** APNs Auth Key (.p8 content) for direct iOS push via APNs HTTP/2 API. */
+  APNS_AUTH_KEY?: string;
+  /** APNs Key ID (from Apple Developer portal, e.g. "3Q4V693LW4"). */
+  APNS_KEY_ID?: string;
+  /** Apple Developer Team ID (e.g. "C5N5PPC329"). */
+  APNS_TEAM_ID?: string;
 };

package/packages/api/src/index.ts

@@ -124,7 +124,7 @@ protectedApp.get("/me", async (c) => {
 
 protectedApp.patch("/me", async (c) => {
   const userId = c.get("userId");
-  const body = await c.req.json<{ defaultModel?: string }>();
+  const body = await c.req.json<{ defaultModel?: string; notifyPreview?: boolean }>();
 
   // defaultModel is not stored in D1 — get/set only via plugin (connection.status / push).
   const existing = await c.env.DB.prepare(
@@ -135,7 +135,11 @@ protectedApp.patch("/me", async (c) => {
 
   const settings = JSON.parse(existing?.settings_json || "{}");
   delete settings.defaultModel;
-  // Persist other settings (if any) to D1; defaultModel is never written.
+
+  if (body.notifyPreview !== undefined) {
+    settings.notifyPreview = body.notifyPreview;
+  }
+
   await c.env.DB.prepare(
     "UPDATE users SET settings_json = ? WHERE id = ?",
   )
@@ -161,6 +165,25 @@ protectedApp.patch("/me", async (c) => {
     }
   }
 
+  if (body.notifyPreview !== undefined) {
+    try {
+      const doId = c.env.CONNECTION_DO.idFromName(userId);
+      const stub = c.env.CONNECTION_DO.get(doId);
+      await stub.fetch(
+        new Request("https://internal/send", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            type: "settings.notifyPreview",
+            enabled: body.notifyPreview,
+          }),
+        }),
+      );
+    } catch (err) {
+      console.error("Failed to push notifyPreview to OpenClaw:", err);
+    }
+  }
+
   const outSettings = { ...settings };
   delete outSettings.defaultModel;
   return c.json({ ok: true, settings: outSettings });
@@ -342,7 +365,6 @@ async function verifyUserAccess(c: { req: { header: (n: string) => string | unde
 app.all("/api/gateway/:connId", async (c) => {
   let userId = c.req.param("connId");
 
-  // If connId is not a real user ID (e.g. "default"), resolve via token
   if (!userId.startsWith("u_")) {
     const token =
       c.req.query("token") ??
@@ -353,7 +375,6 @@ app.all("/api/gateway/:connId", async (c) => {
       return c.json({ error: "Token required for gateway connection" }, 401);
     }
 
-    // Look up user by pairing token (exclude revoked tokens)
     const row = await c.env.DB.prepare(
       "SELECT user_id FROM pairing_tokens WHERE token = ? AND revoked_at IS NULL",
     )
@@ -364,26 +385,57 @@ app.all("/api/gateway/:connId", async (c) => {
       return c.json({ error: "Invalid pairing token" }, 401);
     }
     userId = row.user_id;
+  }
 
-    // Update audit fields: last_connected_at, last_ip, connection_count
+  // --- Worker-level rate limit (Cache API) ---
+  // Protects the DO from being woken up during reconnection storms.
+  // The Cache API persists across Worker isolates within the same colo.
+  const GATEWAY_COOLDOWN_S = 10;
+  const cache = caches.default;
+  const rateCacheUrl = `https://rate.internal/gateway/${userId}`;
+  const rateCacheReq = new Request(rateCacheUrl);
+  const rateCached = await cache.match(rateCacheReq);
+  if (rateCached) {
+    return c.text("Too many connections, retry later", 429, {
+      "Retry-After": String(GATEWAY_COOLDOWN_S),
+    });
+  }
+
+  // Audit: update pairing token stats (only when not rate-limited)
+  const token = c.req.query("token") ?? c.req.header("X-Pairing-Token");
+  if (token) {
     const clientIp = c.req.header("CF-Connecting-IP") ?? c.req.header("X-Forwarded-For") ?? "unknown";
-    await c.env.DB.prepare(
-      `UPDATE pairing_tokens
-       SET last_connected_at = unixepoch(), last_ip = ?, connection_count = connection_count + 1
-       WHERE token = ?`,
-    )
-      .bind(clientIp, token)
-      .run();
+    c.executionCtx.waitUntil(
+      c.env.DB.prepare(
+        `UPDATE pairing_tokens
+         SET last_connected_at = unixepoch(), last_ip = ?, connection_count = connection_count + 1
+         WHERE token = ?`,
+      ).bind(clientIp, token).run(),
+    );
   }
 
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);
-  // Pass verified userId to DO — the API worker already validated the token
-  // against D1 above, so DO can trust this.
   url.pathname = `/gateway/${userId}`;
   url.searchParams.set("verified", "1");
-  return stub.fetch(new Request(url.toString(), c.req.raw));
+  const doResp = await stub.fetch(new Request(url.toString(), c.req.raw));
+
+  // Cache the rate limit after the DO responds (success or rate-limited).
+  // 101 = WebSocket accepted; 429 = DO's own rate limit.
+  // Either way, prevent further DO wake-ups for GATEWAY_COOLDOWN_S.
+  if (doResp.status === 101 || doResp.status === 429) {
+    c.executionCtx.waitUntil(
+      cache.put(
+        rateCacheReq,
+        new Response(null, {
+          headers: { "Cache-Control": `public, max-age=${GATEWAY_COOLDOWN_S}` },
+        }),
+      ),
+    );
+  }
+
+  return doResp;
 });
 
 // Browser client connects to: /api/ws/:userId/:sessionId