npm - colana - Versions diffs - 1.0.0-beta.49 → 1.0.0-beta.51 - Mend

colana 1.0.0-beta.49 → 1.0.0-beta.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/server/personal-agent-routes.js +16 -12
package/server/pty-manager.js +59 -38

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "colana",
-  "version": "1.0.0-beta.49",
+  "version": "1.0.0-beta.51",
   "description": "Agent-First. Multiplied. Multi-agent command center for AI coding agents.",
   "type": "module",
   "main": "server/index.js",

package/server/personal-agent-routes.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { getOpenClawAuthToken, getOpenClawGatewayPort, getOpenClawDefaultModel, getOpenClawConfig, isChatCompletionsEnabled, ensureChatCompletionsEnabled, ensureAuthProfile, readAuthStore } from './openclaw-config.js';
 import { validate, personalChatSchema, openclawModelSetSchema, openclawModelAuthSchema } from './validation.js';
 import { setSetting } from './settings-store.js';
-import { restartOpenClawGateway } from './pty-manager.js';
+import { restartOpenClawGateway, isGatewaySpawnedByColana } from './pty-manager.js';
 import { addChatMessage, getChatHistory, clearChatHistory } from './personal-chat-store.js';
 import config from './config.js';
 import { trackEvent } from './analytics.js';
@@ -102,12 +102,6 @@ export function registerPersonalAgentRoutes(app, { sensitiveLimiter }) {
     const authToken = getOpenClawAuthToken();
     headers['Authorization'] = `Bearer ${authToken}`;
-    // Diagnostic: log token source for debugging auth failures
-    const cfg = getOpenClawConfig();
-    const nativeToken = cfg?.gateway?.auth?.token;
-    const tokenSource = nativeToken ? 'native-config' : 'colana-managed';
-    console.log(`[personal-agent] Auth: ${tokenSource}, token=${authToken?.slice(0, 8)}..., port=${port}`);
     // 60-second timeout
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 60000);
@@ -157,15 +151,25 @@ export function registerPersonalAgentRoutes(app, { sensitiveLimiter }) {
           const providerLabel = provider || null;
           const envVar = provider ? PROVIDER_ENV_MAP[provider] : null;
-          // Check if the error body hints at provider-level auth failure
+          // Distinguish gateway-level 401 (our token rejected) from upstream
+          // provider 401 (API key invalid/missing). The gateway proxies upstream
+          // 401s as-is, so we can't rely on the error body format alone.
+          //
+          // Strategy: check if Colana spawned this gateway with our current token
+          // (marker file). If yes, gateway auth is fine → upstream provider issue.
+          // Also detect known provider error patterns in the response body.
           const isProviderAuth = errText.includes('api_key') || errText.includes('API key')
-            || errText.includes('invalid_api_key') || errText.includes('authentication_error');
+            || errText.includes('invalid_api_key') || errText.includes('authentication_error')
+            || errText.includes('"type":"unauthorized"') || errText.includes('"type": "unauthorized"');
+          // If we spawned this gateway with our token, gateway auth is guaranteed OK
+          const gatewayAuthOk = isProviderAuth || isGatewaySpawnedByColana();
-          if (isProviderAuth) {
+          if (gatewayAuthOk) {
             return res.status(401).json({
               error: providerLabel
                 ? `Authentication failed — your ${providerLabel} API key may be missing or invalid.`
-                : 'Authentication failed — your API key may be missing or invalid.',
+                : 'Authentication failed — your model provider API key may be missing or invalid.',
               code: 'GATEWAY_AUTH_FAILED',
               fix: envVar
                 ? `Add or update your ${envVar} in Settings > Personal AI Agents.`
@@ -174,7 +178,7 @@ export function registerPersonalAgentRoutes(app, { sensitiveLimiter }) {
             });
           }
-          // Default: gateway token mismatch (token exists locally but doesn't match gateway)
+          // Gateway itself rejected our token — needs restart to resync
           return res.status(401).json({
             error: 'Gateway authentication failed — the auth token may be stale.',
             code: 'GATEWAY_TOKEN_STALE',

package/server/pty-manager.js CHANGED Viewed

@@ -315,41 +315,49 @@ async function ensureOpenClawConfigured() {
   });
 }
+// Marker file: tracks which gateway instance Colana spawned and with which token.
+// On startup, if the running gateway wasn't spawned by us (no marker / token mismatch),
+// we kill it and restart with our AUTH_TOKEN env var.
+const GATEWAY_MARKER_PATH = path.join(os.homedir(), '.openclaw', '.colana-gateway-marker');
 /**
- * Verify that the running gateway accepts our bearer token.
- * Uses POST /v1/chat/completions with a minimal body — the same endpoint
- * the chat route uses — to ensure auth is truly valid end-to-end.
- * Returns true if token is accepted, false if 401.
+ * Verify that the running gateway was spawned by Colana with our current token.
+ * The OpenClaw gateway's /v1/models endpoint does NOT require auth, so HTTP
+ * probing is unreliable. Instead, we use a marker file written at spawn time.
+ *
+ * Returns true if gateway was spawned by us with the matching token.
  */
-async function verifyGatewayToken(port, token) {
+function verifyGatewayToken(_port, token) {
   try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 5000);
-    // Use the actual chat endpoint — /v1/models may not require auth
-    const res = await fetch(`http://127.0.0.1:${port}/v1/chat/completions`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${token}`,
-        'x-openclaw-agent-id': 'main',
-      },
-      body: JSON.stringify({
-        messages: [{ role: 'user', content: 'ping' }],
-        max_tokens: 1,
-      }),
-      signal: controller.signal,
-    });
-    clearTimeout(timeout);
-    // 401 = token rejected. Anything else (200, 400, 500, etc.) = token accepted.
-    const accepted = res.status !== 401;
-    if (!accepted) {
-      const body = await res.text().catch(() => '');
-      console.log(`[pty-manager] Gateway token probe: 401 — ${body.slice(0, 200)}`);
+    if (fs.existsSync(GATEWAY_MARKER_PATH)) {
+      const marker = JSON.parse(fs.readFileSync(GATEWAY_MARKER_PATH, 'utf-8'));
+      if (marker.token === token) {
+        return true;
+      }
+      console.log(`[pty-manager] Gateway marker token mismatch (marker=${marker.token?.slice(0, 8)}..., ours=${token?.slice(0, 8)}...)`);
+    } else {
+      console.log('[pty-manager] No gateway marker file — gateway was not started by Colana');
     }
-    return accepted;
   } catch (err) {
-    console.log(`[pty-manager] Gateway token probe error: ${err.message}`);
-    return true; // network error = assume gateway is fine, will fail later with better error
+    console.log(`[pty-manager] Failed to read gateway marker: ${err.message}`);
+  }
+  return false;
+}
+/**
+ * Write a marker file after successfully spawning the gateway.
+ * Records the token and timestamp so subsequent startups can verify.
+ */
+function writeGatewayMarker(token) {
+  try {
+    const dir = path.dirname(GATEWAY_MARKER_PATH);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(GATEWAY_MARKER_PATH, JSON.stringify({
+      token,
+      timestamp: Date.now(),
+    }), 'utf-8');
+  } catch (err) {
+    console.warn(`[pty-manager] Failed to write gateway marker: ${err.message}`);
   }
 }
@@ -399,17 +407,17 @@ async function ensureOpenClawGateway(port) {
   }
   if (await tcpProbe('127.0.0.1', port)) {
-    // Gateway is listening — verify our token works.
-    // The gateway may be from a previous Colana session (different token),
-    // started manually, or started by a pre-token Colana version.
+    // Gateway is listening — check if we spawned it with our current token.
+    // The gateway's /v1/models endpoint does NOT require auth, so HTTP probing
+    // is unreliable. We use a marker file written at spawn time instead.
     const token = getOrCreateGatewayToken();
-    const tokenValid = await verifyGatewayToken(port, token);
+    const tokenValid = verifyGatewayToken(port, token);
     if (tokenValid) {
-      console.log('[pty-manager] OpenClaw gateway already running, token valid');
+      console.log('[pty-manager] OpenClaw gateway already running, token valid (marker match)');
       return;
     }
-    // Token mismatch: kill existing gateway and restart with our token
-    console.log('[pty-manager] Gateway running but token mismatch — restarting with correct token...');
+    // Gateway was not started by us or token changed — kill and restart with our token
+    console.log('[pty-manager] Gateway running but not started by Colana (or token changed) — restarting with AUTH_TOKEN...');
     await killGatewayOnPort(port);
     // Fall through to spawn new gateway
   }
@@ -425,13 +433,14 @@ async function ensureOpenClawGateway(port) {
   const logFile = path.join(logDir, 'openclaw-gateway.log');
   const logFd = fs.openSync(logFile, 'a');
+  // Hoist token so it's accessible in the poll loop (for marker file write)
+  const gatewayToken = getOrCreateGatewayToken();
   let gwProcess;
   try {
     const { buildSafeSpawnEnv: buildGwEnv } = await import('./spawn-env.js');
     // Pass AUTH_TOKEN so the gateway uses a known bearer token for auth.
     // On platforms where OpenClaw config has gateway.auth: false (Windows),
     // this env var is the only way to enable token auth on the gateway.
-    const gatewayToken = getOrCreateGatewayToken();
     const gwEnv = buildGwEnv({
       GOG_KEYRING_PASSWORD: process.env.GOG_KEYRING_PASSWORD || config.deriveGogKeyringPassword(),
       AUTH_TOKEN: gatewayToken,
@@ -502,6 +511,7 @@ async function ensureOpenClawGateway(port) {
     if (await tcpProbe('127.0.0.1', port)) {
       fs.closeSync(logFd);
+      writeGatewayMarker(gatewayToken);
       console.log('[pty-manager] OpenClaw gateway is now running');
       return;
     }
@@ -2099,6 +2109,8 @@ export async function restartOpenClawGateway() {
   if (isRunning) {
     console.log('[pty-manager] Restarting OpenClaw gateway to reload MCP config...');
+    // Clear marker before kill so ensureOpenClawGateway knows to respawn
+    try { fs.unlinkSync(GATEWAY_MARKER_PATH); } catch { /* may not exist */ }
     await killGatewayOnPort(gwPort);
   } else {
     console.log('[pty-manager] OpenClaw gateway not running — starting fresh...');
@@ -2118,6 +2130,15 @@ export async function restartOpenClawGateway() {
 // Start idle cleanup on module load
 startIdleCleanup();
+/**
+ * Check if the running gateway was spawned by Colana with the current token.
+ * Used by personal-agent-routes to distinguish gateway-level 401 from provider-level 401.
+ */
+export function isGatewaySpawnedByColana() {
+  const token = getOrCreateGatewayToken();
+  return verifyGatewayToken(null, token);
+}
 export { ensureOpenClawGateway };
 export default {