create-openclaw-bot 5.1.6 → 5.1.8

package/CHANGELOG.md

@@ -1,6 +1,22 @@
 # Changelog (English)
 
 
+## [5.1.8] — 2026-04-07
+
+### 🌟 Dashboard VPS Connectivity & Token Login Fix
+
+- **Fix `requireDeviceIdentity` Error on VPS**: OpenClaw's WebCrypto E2E identity check inherently demands a secure browser context (HTTPS or localhost). For raw IPv4 VPS deployments, the `crypto.subtle` browser limitation causes WebSocket `code=1008` rejection upon token login. The setup tool now seamlessly injects `requireDeviceIdentity: false` into the `gateway.controlUi` configuration, granting you flawless remote login capabilities over standard HTTP networks.
+- **Dynamic Terminal URLs**: The programmatic CLI will now intelligently scan and log your external, reachable IPv4 addresses in the console output alongside the local endpoints. This eliminates confusion and guarantees that the automatically generated tokenized dashboard links are ready for immediate copy-pasting.
+
+
+## [5.1.7] — 2026-04-07
+
+### 🌟 Fix Control UI CORS & Native 9Router Path Resolution
+
+- **Fix Control UI CORS Rejections**: OpenClaw v2026.3.x strict CORS policies blocked remote dashboard access. The setup configuration and Docker patching scripts now automatically resolve all active IPv4 interfaces (`os.networkInterfaces()`) alongside localhost to pre-populate the `gateway.controlUi.allowedOrigins` array. This ensures the Web UI works flawlessly out-of-the-box on remote VPS instances.
+- **Improved Native PM2 Path Resolution**: To prevent PM2 `$PATH` lookup failures with `nvm` on Linux, the script now bypasses the OS `9router` binary wrapper entirely. Instead, it computes the exact explicit path using `$(npm root -g)/9router/app/server.js` and executes it directly via the NodeJS interpreter.
+
+
 ## [5.1.6] — 2026-04-07
 
 ### 🐞 Fix PM2 SIGKILL on Native VPS Installs

package/CHANGELOG.vi.md

@@ -1,6 +1,22 @@
 # Changelog (Tiếng Việt)
 
 
+## [5.1.8] — 2026-04-07
+
+### 🌟 Sửa lỗi Đăng nhập Token (1008) & Cải tiến IP hiển thị trên VPS
+
+- **Tắt `requireDeviceIdentity` để vượt tường WebCrypto**: Do cơ chế bảo mật mới của Control UI bắt buộc trình duyệt phải dùng môi trường HTTPS (hoặc localhost) thì mới cấp quyền khởi tạo key mã hóa thiết bị E2E. Nếu dùng IP thường (HTTP) thì Dashboard sẽ báo lỗi đỏ `code=1008`. Bản setup mới nhất đã tự động chích cờ `requireDeviceIdentity: false` để tắt cơ chế ép buộc này đi, giúp bạn vào thẳng Dashboard bằng IP của VPS.
+- **Hiển thị Link Public ở Terminal**: Cấu trúc báo cáo của PM2 đã được viết lại để tự động tìm và sinh ra các đường dẫn kèm IPv4 Public (thay vì chỉ in mỗi `localhost`). Giờ đây bạn chỉ việc soi console và bấm/copy thẳng link vào trình duyệt mà không cần phải tự chế nữa.
+
+
+## [5.1.7] — 2026-04-07
+
+### 🌟 Sửa lỗi CORS Control UI & Đường dẫn 9Router Native
+
+- **Sửa lỗi dội ngược CORS khi vào Control UI**: OpenClaw v2026.3.x siết chặt policy CORS khiến việc truy cập dashboard từ IP ngoài bị block. Các script tạo config và vá Docker giờ đã tự động quét toàn bộ IPv4 hiện có của server (`os.networkInterfaces()`) để nhúng vào mảng `gateway.controlUi.allowedOrigins`. Đảm bảo người dùng VPS vào được thẳng Control UI mà không bị lỗi mạng.
+- **Tối ưu đường dẫn PM2 Native**: Để tránh trường hợp tính năng PM2 không nhận diện đúng môi trường (lỗi `\$PATH` khi dùng `nvm`), bộ cài giờ bỏ qua file thực thi `9router` của HĐH. Thay vào đó, bộ cài tự tính toán đường dẫn tuyệt đối `\$(npm root -g)/9router/app/server.js` và truyền thẳng vào trình thông dịch Node, đảm bảo PM2 100% tìm thấy file khởi chạy 9Router.
+
+
 ## [5.1.6] — 2026-04-07
 
 ### 🐞 Khắc phục lỗi PM2 ngắt cài đặt (SIGKILL) trên VPS

package/README.md

@@ -3,7 +3,7 @@
 # 🦞 OpenClaw Setup
 
 <p align="center">
-  <a href="https://github.com/tuanminhhole/openclaw-setup/releases"><img src="https://img.shields.io/badge/RELEASE-v5.1.6-0EA5E9?style=for-the-badge" alt="Version 5.1.6" /></a>
+  <a href="https://github.com/tuanminhhole/openclaw-setup/releases"><img src="https://img.shields.io/badge/RELEASE-v5.1.8-0EA5E9?style=for-the-badge" alt="Version 5.1.8" /></a>
   <a href="https://github.com/tuanminhhole/openclaw-setup?tab=MIT-1-ov-file"><img src="https://img.shields.io/badge/LICENSE-MIT-success?style=for-the-badge" alt="MIT License" /></a>
   <a href="https://www.npmjs.com/package/create-openclaw-bot"><img src="https://img.shields.io/npm/v/create-openclaw-bot?style=for-the-badge&label=CLI&color=2563EB&logo=npm&logoColor=white" alt="NPM Version" /></a>
   <a href="https://github.com/tuanminhhole/openclaw-setup/stargazers"><img src="https://img.shields.io/github/stars/tuanminhhole/openclaw-setup?style=for-the-badge&color=eab308&logo=github&logoColor=white" alt="GitHub Stars" /></a>
@@ -24,7 +24,7 @@ An interactive **CLI tool** and **Setup Wizard** to deploy your own free AI Bot
 
 ---
 
-## 🆕 What's new in v5.1.6
+## 🆕 What's new in v5.1.8
 
 - 💻 **OS-First Setup** — Step 1 is now choosing your OS (Windows, macOS, Ubuntu, VPS). All scripts, configs, and instructions are generated to match.
 - 🧠 **Gemma 4 — 4 sizes** — `gemma4:e2b` (~4 GB), `gemma4:e4b` (~8 GB), `gemma4:26b` (~18 GB), `gemma4:31b` (~24 GB). Auto-pulled on first launch.
@@ -112,7 +112,7 @@ Run in your terminal → follow the interactive prompts → startup script is ge
 2. Open this repo as your workspace
 3. Paste into chat:
    ```
-   Read SETUP.md and set up OpenClaw v5.1.6 for me.
+   Read SETUP.md and set up OpenClaw v5.1.8 for me.
    My bot token is X. Use 9Router (no API key).
    My project folder: <YOUR_PATH>
    ```

package/README.vi.md

@@ -3,7 +3,7 @@
 # 🦞 OpenClaw Setup
 
 <p align="center">
-  <a href="https://github.com/tuanminhhole/openclaw-setup/releases"><img src="https://img.shields.io/badge/RELEASE-v5.1.6-0EA5E9?style=for-the-badge" alt="Version 5.1.6" /></a>
+  <a href="https://github.com/tuanminhhole/openclaw-setup/releases"><img src="https://img.shields.io/badge/RELEASE-v5.1.8-0EA5E9?style=for-the-badge" alt="Version 5.1.8" /></a>
   <a href="https://github.com/tuanminhhole/openclaw-setup?tab=MIT-1-ov-file"><img src="https://img.shields.io/badge/LICENSE-MIT-success?style=for-the-badge" alt="MIT License" /></a>
   <a href="https://www.npmjs.com/package/create-openclaw-bot"><img src="https://img.shields.io/npm/v/create-openclaw-bot?style=for-the-badge&label=CLI&color=2563EB&logo=npm&logoColor=white" alt="NPM Version" /></a>
   <a href="https://github.com/tuanminhhole/openclaw-setup/stargazers"><img src="https://img.shields.io/github/stars/tuanminhhole/openclaw-setup?style=for-the-badge&color=eab308&logo=github&logoColor=white" alt="GitHub Stars" /></a>
@@ -24,7 +24,7 @@ Công cụ **CLI tương tác** và **Setup Wizard** để tự triển khai Bot
 
 ---
 
-## 🆕 Có gì mới trong v5.1.6
+## 🆕 Có gì mới trong v5.1.8
 
 - 💻 **OS-First Setup** — Bước đầu tiên bây giờ là chọn hệ điều hành của bạn (Windows, macOS, Ubuntu, VPS). Toàn bộ script, cấu hình và hướng dẫn được tạo ra phù hợp với lựa chọn đó.
 - 🧠 **Gemma 4 — 4 kích thước** — `gemma4:e2b` (~4 GB), `gemma4:e4b` (~8 GB), `gemma4:26b` (~18 GB), `gemma4:31b` (~24 GB). Tự pull về khi bot khởi động lần đầu.
@@ -112,7 +112,7 @@ Chạy lệnh trên trong Terminal → làm theo các prompt tương tác → sc
 2. Mở repo này làm workspace
 3. Paste vào chat:
    ```
-   Read SETUP.md and set up OpenClaw v5.1.6 for me.
+   Read SETUP.md and set up OpenClaw v5.1.8 for me.
    My bot token is X. Use 9Router (no API key).
    My project folder: <THƯ_MỤC_CỦA_BẠN>
    ```

package/cli.js

@@ -146,49 +146,87 @@ function spawnBackgroundProcess(command, args, options = {}) {
 }
 
 function resolveNative9RouterDesktopLaunch() {
-  if (process.platform === 'win32') {
-    const npmRoot = (() => {
-      try {
-        return execSync('npm root -g', {
-          stdio: ['ignore', 'pipe', 'ignore'],
-          encoding: 'utf8',
-          shell: true,
-          env: process.env
-        }).trim();
-      } catch {
-        return path.join(process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'), 'npm', 'node_modules');
-      }
-    })();
-
-    return {
-      command: process.execPath,
-      args: [path.join(npmRoot, '9router', 'app', 'server.js')],
-      env: {
-        PORT: '20128',
-        HOSTNAME: '0.0.0.0'
-      }
-    };
-  }
-
   return {
-    command: '9router',
-    args: ['-n', '-l', '-H', '0.0.0.0', '-p', '20128', '--skip-update'],
-    env: {}
+    command: process.execPath,
+    args: [path.join(getGlobalNpmRoot(), '9router', 'app', 'server.js')],
+    env: {
+      PORT: '20128',
+      HOSTNAME: '0.0.0.0'
+    }
   };
 }
 
-function getNative9RouterDataDir() {
-  if (process.platform === 'win32') {
-    return path.join(process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'), '9router');
-  }
-
-  return path.join(os.homedir(), '.9router');
-}
-
-async function waitFor9RouterApiReady({ port = 20128, timeoutMs = 15000 } = {}) {
-  const deadline = Date.now() + timeoutMs;
-  const candidates = [
-    `http://127.0.0.1:${port}/api/settings/require-login`,
+function getNative9RouterDataDir() {
+  if (process.platform === 'win32') {
+    return path.join(process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'), '9router');
+  }
+
+  return path.join(os.homedir(), '.9router');
+}
+
+function getGatewayAllowedOrigins(port) {
+  const normalizedPort = Number(port) || 18791;
+  const origins = new Set([
+    `http://localhost:${normalizedPort}`,
+    `http://127.0.0.1:${normalizedPort}`,
+    `http://0.0.0.0:${normalizedPort}`
+  ]);
+
+  for (const entries of Object.values(os.networkInterfaces() || {})) {
+    for (const entry of entries || []) {
+      if (!entry || entry.internal || entry.family !== 'IPv4' || !entry.address) {
+        continue;
+      }
+      origins.add(`http://${entry.address}:${normalizedPort}`);
+    }
+  }
+
+  return Array.from(origins);
+}
+
+function getReachableDashboardHosts(port) {
+  const normalizedPort = Number(port) || 18791;
+  const hosts = [];
+  const pushHost = (host) => {
+    if (!host) return;
+    const url = `http://${host}:${normalizedPort}`;
+    if (!hosts.includes(url)) {
+      hosts.push(url);
+    }
+  };
+
+  pushHost('127.0.0.1');
+  pushHost('localhost');
+
+  for (const entries of Object.values(os.networkInterfaces() || {})) {
+    for (const entry of entries || []) {
+      if (!entry || entry.internal || entry.family !== 'IPv4' || !entry.address) {
+        continue;
+      }
+      pushHost(entry.address);
+    }
+  }
+
+  return hosts;
+}
+
+function rewriteDashboardUrlHost(urlText, fallbackPort, targetBaseUrl) {
+  try {
+    const target = new URL(targetBaseUrl);
+    const parsed = new URL(urlText);
+    parsed.protocol = target.protocol;
+    parsed.hostname = target.hostname;
+    parsed.port = target.port || String(fallbackPort || '');
+    return parsed.toString();
+  } catch {
+    return `${targetBaseUrl}${String(urlText || '').startsWith('/') ? '' : '/'}${String(urlText || '')}`;
+  }
+}
+
+async function waitFor9RouterApiReady({ port = 20128, timeoutMs = 15000 } = {}) {
+  const deadline = Date.now() + timeoutMs;
+  const candidates = [
+    `http://127.0.0.1:${port}/api/settings/require-login`,
     `http://127.0.0.1:${port}/api/version`
   ];
 
@@ -380,6 +418,22 @@ function resolveCommandOnPath(command) {
   }
 }
 
+function getGlobalNpmRoot() {
+  try {
+    return execSync('npm root -g', {
+      stdio: ['ignore', 'pipe', 'ignore'],
+      encoding: 'utf8',
+      shell: true,
+      env: process.env
+    }).trim();
+  } catch {
+    if (process.platform === 'win32') {
+      return path.join(process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'), 'npm', 'node_modules');
+    }
+    return path.join(os.homedir(), '.local', 'lib', 'node_modules');
+  }
+}
+
 function indentBlock(text, spaces) {
   const prefix = ' '.repeat(spaces);
   return String(text)
@@ -426,27 +480,45 @@ function getTokenizedDashboardUrl(projectDir) {
   }
 }
 
-function printNativeDashboardAccessInfo({ isVi, providerKey, projectDir, gatewayPort = 18791 }) {
-  const dashboardUrl = `http://localhost:${gatewayPort}`;
-  const tokenizedUrl = getTokenizedDashboardUrl(projectDir);
-
-  console.log(chalk.yellow(`\n🧭 ${isVi ? 'Dashboard OpenClaw:' : 'OpenClaw Dashboard:'} ${dashboardUrl}`));
-
-  if (tokenizedUrl) {
-    console.log(chalk.green(isVi
-      ? `   → Mở link đã kèm token: ${tokenizedUrl}`
-      : `   → Open the tokenized link directly: ${tokenizedUrl}`));
-  } else {
-    console.log(chalk.gray(isVi
-      ? '   → Nếu dashboard đòi Gateway Token, chạy: openclaw dashboard'
-      : '   → If the dashboard asks for a Gateway Token, run: openclaw dashboard'));
-  }
-
-  if (providerKey === '9router') {
-    console.log(chalk.yellow(`\n🔀 ${isVi ? '9Router Dashboard:' : '9Router Dashboard:'} http://localhost:20128/dashboard`));
-    console.log(chalk.gray(isVi
-      ? '   → Mở dashboard 9Router → đăng nhập OAuth → kết nối provider miễn phí'
-      : '   → Open the 9Router dashboard → complete OAuth login → connect a free provider'));
+function printNativeDashboardAccessInfo({ isVi, providerKey, projectDir, gatewayPort = 18791 }) {
+  const gatewayUrls = getReachableDashboardHosts(gatewayPort);
+  const dashboardUrl = gatewayUrls[0] || `http://127.0.0.1:${gatewayPort}`;
+  const tokenizedUrl = getTokenizedDashboardUrl(projectDir);
+
+  console.log(chalk.yellow(`\n🧭 ${isVi ? 'Dashboard OpenClaw:' : 'OpenClaw Dashboard:'} ${dashboardUrl}`));
+  if (gatewayUrls.length > 1) {
+    console.log(chalk.gray(isVi
+      ? `   → Link khac co the mo duoc: ${gatewayUrls.slice(1).join(' , ')}`
+      : `   → Other reachable URLs: ${gatewayUrls.slice(1).join(' , ')}`));
+  }
+
+  if (tokenizedUrl) {
+    const tokenizedUrls = gatewayUrls.map((baseUrl) => rewriteDashboardUrlHost(tokenizedUrl, gatewayPort, baseUrl));
+    console.log(chalk.green(isVi
+      ? `   → Mở link đã kèm token: ${tokenizedUrls[0]}`
+      : `   → Open the tokenized link directly: ${tokenizedUrls[0]}`));
+    if (tokenizedUrls.length > 1) {
+      console.log(chalk.gray(isVi
+        ? `   → Ban mo tu may khac/WSL thi thu: ${tokenizedUrls.slice(1).join(' , ')}`
+        : `   → If you are opening from another machine/WSL, try: ${tokenizedUrls.slice(1).join(' , ')}`));
+    }
+  } else {
+    console.log(chalk.gray(isVi
+      ? '   → Nếu dashboard đòi Gateway Token, chạy: openclaw dashboard'
+      : '   → If the dashboard asks for a Gateway Token, run: openclaw dashboard'));
+  }
+
+  if (providerKey === '9router') {
+    const routerUrls = getReachableDashboardHosts(20128).map((baseUrl) => `${baseUrl}/dashboard`);
+    console.log(chalk.yellow(`\n🔀 ${isVi ? '9Router Dashboard:' : '9Router Dashboard:'} ${routerUrls[0] || 'http://127.0.0.1:20128/dashboard'}`));
+    if (routerUrls.length > 1) {
+      console.log(chalk.gray(isVi
+        ? `   → Link khac co the mo duoc: ${routerUrls.slice(1).join(' , ')}`
+        : `   → Other reachable URLs: ${routerUrls.slice(1).join(' , ')}`));
+    }
+    console.log(chalk.gray(isVi
+      ? '   → Mở dashboard 9Router → đăng nhập OAuth → kết nối provider miễn phí'
+      : '   → Open the 9Router dashboard → complete OAuth login → connect a free provider'));
     console.log(chalk.gray(isVi
       ? '   → Sau khi login 9Router xong, bot sẽ tự dùng model smart-route qua http://localhost:20128/v1'
       : '   → Once 9Router is logged in, the bot will use smart-route through http://localhost:20128/v1'));
@@ -625,10 +697,10 @@ function runPm2Save({ projectDir, isVi }) {
 
 function startNative9RouterPm2({ isVi, projectDir, appName, syncScriptPath }) {
   const routerAppName = `${appName}-9router`;
-  const routerCommand = resolveCommandOnPath('9router');
+  const routerLaunch = resolveNative9RouterDesktopLaunch();
   execFileSync('pm2', [
     'start',
-    routerCommand,
+    routerLaunch.command,
     '--name',
     routerAppName,
     '--cwd',
@@ -636,17 +708,11 @@ function startNative9RouterPm2({ isVi, projectDir, appName, syncScriptPath }) {
     '--interpreter',
     'none',
     '--',
-    '-n',
-    '-l',
-    '-H',
-    '0.0.0.0',
-    '-p',
-    '20128',
-    '--skip-update'
+    ...routerLaunch.args
   ], {
     cwd: projectDir,
     stdio: 'inherit',
-    env: process.env
+    env: { ...process.env, ...routerLaunch.env }
   });
   if (syncScriptPath) {
     const syncAppName = `${appName}-9router-sync`;
@@ -1273,7 +1339,7 @@ async function main() {
   }
   
   
-  const patchScript = `const fs=require('fs'),p='/root/.openclaw/openclaw.json';if(fs.existsSync(p)){const c=JSON.parse(fs.readFileSync(p,'utf8'));c.tools=Object.assign({},c.tools,{profile:'full',exec:{host:'gateway',security:'full',ask:'off'}});c.gateway=Object.assign({},c.gateway,{port:18791,bind:'custom',customBindHost:'0.0.0.0'});fs.writeFileSync(p,JSON.stringify(c,null,2));}`;
+  const patchScript = `const fs=require('fs'),os=require('os'),p='/root/.openclaw/openclaw.json';if(fs.existsSync(p)){const c=JSON.parse(fs.readFileSync(p,'utf8'));const a=new Set(['http://localhost:18791','http://127.0.0.1:18791','http://0.0.0.0:18791']);for(const entries of Object.values(os.networkInterfaces()||{})){for(const entry of entries||[]){if(!entry||entry.internal||entry.family!=='IPv4'||!entry.address)continue;a.add(\`http://\${entry.address}:18791\`);}}c.tools=Object.assign({},c.tools,{profile:'full',exec:{host:'gateway',security:'full',ask:'off'}});c.gateway=Object.assign({},c.gateway,{port:18791,bind:'custom',customBindHost:'0.0.0.0',controlUi:Object.assign({},c.gateway?.controlUi,{allowedOrigins:Array.from(a),requireDeviceIdentity:false})});fs.writeFileSync(p,JSON.stringify(c,null,2));}`;
   const b64Patch = Buffer.from(patchScript).toString('base64');
 
   // Browser Playwright (both desktop & server modes need chromium)
@@ -1732,13 +1798,17 @@ ${hasBrowserDesktop ? `    extra_hosts:
           allow: agentMetas.map((meta) => meta.agentId),
         },
       },
-      gateway: {
-        port: 18791,
-        mode: 'local',
-        bind: 'custom',
-        customBindHost: '0.0.0.0',
-        auth: { mode: 'token', token: 'cli-dummy-token-xyz123' },
-      },
+      gateway: {
+        port: 18791,
+        mode: 'local',
+        bind: 'custom',
+        customBindHost: '0.0.0.0',
+        controlUi: {
+          allowedOrigins: getGatewayAllowedOrigins(18791),
+          requireDeviceIdentity: false,
+        },
+        auth: { mode: 'token', token: 'cli-dummy-token-xyz123' },
+      },
     };
     sharedConfig.plugins = {
       entries: {
@@ -1965,10 +2035,11 @@ ${hasBrowserDesktop ? `    extra_hosts:
       commands: { native: 'auto', nativeSkills: 'auto', restart: true, ownerDisplay: 'raw' },
       channels: {},
       tools: { profile: 'full', exec: { host: 'gateway', security: 'full', ask: 'off' } },
-      gateway: {
-        port: 18791 + (isMultiBot ? bIndex : 0), mode: 'local', bind: 'custom', customBindHost: '0.0.0.0',
-        auth: { mode: 'token', token: 'cli-dummy-token-xyz123' }
-      }
+      gateway: {
+        port: 18791 + (isMultiBot ? bIndex : 0), mode: 'local', bind: 'custom', customBindHost: '0.0.0.0',
+        controlUi: { allowedOrigins: getGatewayAllowedOrigins(18791 + (isMultiBot ? bIndex : 0)), requireDeviceIdentity: false },
+        auth: { mode: 'token', token: 'cli-dummy-token-xyz123' }
+      }
     };
 
     if (hasBrowserDesktop) {
@@ -2220,13 +2291,14 @@ fi
       if (code === 0) {
         console.log(chalk.green(`\n🎉 ${isVi ? 'Setup hoàn tất! Bot đang chạy.' : 'Setup complete! Bot is running.'}`));
         
-        if (providerKey === '9router') {
-          console.log(chalk.yellow(`\n🔀 ${isVi
-            ? '9Router Dashboard: http://localhost:20128/dashboard'
-            : '9Router Dashboard: http://localhost:20128/dashboard'}`));
-          console.log(chalk.gray(isVi
-            ? '   → Mở dashboard → đăng nhập OAuth để kết nối các Provider (iFlow, Gemini CLI, Claude Code...)'
-            : '   → Open dashboard → OAuth login to connect Providers (iFlow, Gemini CLI, Claude Code...)'));
+        if (providerKey === '9router') {
+          const routerDashboardUrl = `${getReachableDashboardHosts(20128)[0] || 'http://127.0.0.1:20128'}/dashboard`;
+          console.log(chalk.yellow(`\n🔀 ${isVi
+            ? `9Router Dashboard: ${routerDashboardUrl}`
+            : `9Router Dashboard: ${routerDashboardUrl}`}`));
+          console.log(chalk.gray(isVi
+            ? '   → Mở dashboard → đăng nhập OAuth để kết nối các Provider (iFlow, Gemini CLI, Claude Code...)'
+            : '   → Open dashboard → OAuth login to connect Providers (iFlow, Gemini CLI, Claude Code...)'));
           console.log(chalk.gray(isVi
             ? '   → Sau khi kết nối provider, bot sẽ tự động hoạt động qua combo "smart-route"'
             : '   → After connecting providers, bot works automatically via "smart-route" combo'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-openclaw-bot",
-  "version": "5.1.6",
+  "version": "5.1.8",
   "description": "Interactive CLI installer for OpenClaw Bot",
   "main": "cli.js",
   "bin": {

package/setup.js

@@ -1,4 +1,4 @@
-/* ============================================
+/* ============================================
    OpenClaw Setup Wizard — Logic v2
    Multi-model, Multi-plugin, Multi-channel
    ============================================ */
@@ -24,7 +24,7 @@
   };
 
   // ========== State ==========
-  const state = {
+  const state = {
     currentStep: 1,
     totalSteps: 5,
     channel: null,
@@ -47,7 +47,21 @@
       apiKey: '',
       projectPath: '',
     },
-  };
+  };
+
+  function getGatewayAllowedOrigins(port) {
+    const normalizedPort = Number(port) || 18791;
+    const origins = new Set([
+      `http://localhost:${normalizedPort}`,
+      `http://127.0.0.1:${normalizedPort}`,
+      `http://0.0.0.0:${normalizedPort}`,
+    ]);
+    const currentHost = (window.location && window.location.hostname) ? window.location.hostname.trim() : '';
+    if (currentHost) {
+      origins.add(`http://${currentHost}:${normalizedPort}`);
+    }
+    return Array.from(origins);
+  }
 
 
   // ========== AI Providers & Models ==========
@@ -1577,12 +1591,16 @@ Write-Host "Chrome se tu dong bat Debug Mode moi khi ban dang nhap Windows (dela
       commands: { native: 'auto', nativeSkills: 'auto', restart: true, ownerDisplay: 'raw' },
       channels: ch.channelConfig,
       tools: { profile: 'full', exec: { host: 'gateway', security: 'full', ask: 'off' } },
-      gateway: {
-        port: 18791,
-        mode: 'local',
-        bind: '0.0.0.0',
-        auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
-      },
+      gateway: {
+        port: 18791,
+        mode: 'local',
+        bind: '0.0.0.0',
+        controlUi: {
+          allowedOrigins: getGatewayAllowedOrigins(18791),
+          requireDeviceIdentity: false,
+        },
+        auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
+      },
     };
 
     // 9Router: add proxy endpoint config under models.providers
@@ -1815,7 +1833,7 @@ model:
       ? 'socat TCP-LISTEN:9222,fork,reuseaddr TCP:host.docker.internal:9222 & '
       : '';
     // Patch config on every startup to keep gateway settings stable
-    const patchCmd = `node -e \\"const fs=require('fs'),p='/root/.openclaw/openclaw.json';if(fs.existsSync(p)){const c=JSON.parse(fs.readFileSync(p,'utf8'));c.tools=Object.assign({},c.tools,{profile:'full',exec:{host:'gateway',security:'full',ask:'off'}});c.gateway=Object.assign({},c.gateway,{port:18791,bind:'custom',customBindHost:'0.0.0.0'});fs.writeFileSync(p,JSON.stringify(c,null,2));}\\" && `;
+    const patchCmd = `node -e \\"const fs=require('fs'),os=require('os'),p='/root/.openclaw/openclaw.json';if(fs.existsSync(p)){const c=JSON.parse(fs.readFileSync(p,'utf8'));const a=new Set(['http://localhost:18791','http://127.0.0.1:18791','http://0.0.0.0:18791']);for(const entries of Object.values(os.networkInterfaces()||{})){for(const entry of entries||[]){if(!entry||entry.internal||entry.family!=='IPv4'||!entry.address)continue;a.add(\\\`http://\\\${entry.address}:18791\\\`);}}c.tools=Object.assign({},c.tools,{profile:'full',exec:{host:'gateway',security:'full',ask:'off'}});c.gateway=Object.assign({},c.gateway,{port:18791,bind:'custom',customBindHost:'0.0.0.0',controlUi:Object.assign({},c.gateway?.controlUi,{allowedOrigins:Array.from(a),requireDeviceIdentity:false})});fs.writeFileSync(p,JSON.stringify(c,null,2));}\\" && `;
     // Auto-approve device pairing after gateway starts (required since v2026.3.x)
     const autoApproveCmd = '(while true; do sleep 5; openclaw devices approve --latest 2>/dev/null || true; done) & ';
     const finalCmd = `CMD sh -c "${pluginInstallCmd}${patchCmd}${browserPrefix}${autoApproveCmd}${gatewayCmd}"`;
@@ -2868,17 +2886,17 @@ const sync=()=>{try{let db={};try{db=JSON.parse(fs.readFileSync(p,'utf8'));}catc
     // ─── Shared initializer (provider install) ───────────────────────────────
     function providerLines(arr, shell) {
       if (is9Router) {
-        if (shell === 'bat') {
-          arr.push('npm install -g 9router');
+        if (shell === 'bat') {
+          arr.push('npm install -g 9router');
           arr.push('start "9Router" cmd /k "9router -n -l -H 0.0.0.0 -p 20128 --skip-update"');
-          arr.push('start "9Router Smart Route Sync" cmd /k "node .\\.openclaw\\9router-smart-route-sync.js"');
-          arr.push('timeout /t 5 /nobreak >nul');
-        } else {
-          arr.push('npm install -g 9router');
-          arr.push('nohup 9router -n -l -H 0.0.0.0 -p 20128 --skip-update >/tmp/9router.log 2>&1 &');
-          arr.push('nohup node ./.openclaw/9router-smart-route-sync.js >/tmp/9router-sync.log 2>&1 &');
-          arr.push('sleep 3');
-        }
+          arr.push('start "9Router Smart Route Sync" cmd /k "node .\\.openclaw\\9router-smart-route-sync.js"');
+          arr.push('timeout /t 5 /nobreak >nul');
+        } else {
+          arr.push('npm install -g 9router');
+          arr.push('nohup env PORT=20128 HOSTNAME=0.0.0.0 node "$(npm root -g)/9router/app/server.js" >/tmp/9router.log 2>&1 &');
+          arr.push('nohup node ./.openclaw/9router-smart-route-sync.js >/tmp/9router-sync.log 2>&1 &');
+          arr.push('sleep 3');
+        }
       } else if (isOllama) {
         if (shell === 'bat') {
           arr.push('where ollama >nul 2>&1 || (powershell -Command "Invoke-WebRequest -Uri https://ollama.com/download/OllamaSetup.exe -OutFile OllamaSetup.exe" && OllamaSetup.exe && del OllamaSetup.exe)');
@@ -3036,12 +3054,16 @@ const sync=()=>{try{let db={};try{db=JSON.parse(fs.readFileSync(p,'utf8'));}catc
             'telegram-multibot-relay': { enabled: true },
           },
         },
-        gateway: {
-          port: 18791,
-          mode: 'local',
-          bind: '0.0.0.0',
-          auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
-        },
+        gateway: {
+          port: 18791,
+          mode: 'local',
+          bind: '0.0.0.0',
+          controlUi: {
+            allowedOrigins: getGatewayAllowedOrigins(18791),
+            requireDeviceIdentity: false,
+          },
+          auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
+        },
       };
       return JSON.stringify(cfg, null, 2);
     }
@@ -3149,12 +3171,16 @@ const sync=()=>{try{let db={};try{db=JSON.parse(fs.readFileSync(p,'utf8'));}catc
         },
         commands: { native: 'auto', nativeSkills: 'auto', restart: true },
         channels: channelConfig,
-        gateway: {
-          port: basePort,
-          mode: 'local',
-          bind: '0.0.0.0',
-          auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
-        },
+        gateway: {
+          port: basePort,
+          mode: 'local',
+          bind: '0.0.0.0',
+          controlUi: {
+            allowedOrigins: getGatewayAllowedOrigins(basePort),
+            requireDeviceIdentity: false,
+          },
+          auth: { mode: 'token', token: crypto.randomUUID().replace(/-/g, '') },
+        },
 
       };
       return JSON.stringify(cfg, null, 2);
@@ -3533,12 +3559,12 @@ ${selectedSkillNames.length ? selectedSkillNames.join('\n') : '- _(No skills ins
 
       if (isMultiBot) {
         vps.push('echo "--- Creating shared multi-agent runtime ---"');
-        appendShWriteCommands(vps, sharedNativeFileMap());
-        vps.push('echo "--- Starting shared gateway via PM2 ---"');
-        if (is9Router) {
-          vps.push('pm2 start --name openclaw-multibot-9router -- sh -c "9router -n -l -H 0.0.0.0 -p 20128 --skip-update"');
-          vps.push('pm2 start --name openclaw-multibot-9router-sync -- sh -c "node ./.openclaw/9router-smart-route-sync.js"');
-        }
+        appendShWriteCommands(vps, sharedNativeFileMap());
+        vps.push('echo "--- Starting shared gateway via PM2 ---"');
+        if (is9Router) {
+          vps.push('PORT=20128 HOSTNAME=0.0.0.0 pm2 start "$(npm root -g)/9router/app/server.js" --name openclaw-multibot-9router --interpreter "$(command -v node)"');
+          vps.push('pm2 start --name openclaw-multibot-9router-sync -- sh -c "node ./.openclaw/9router-smart-route-sync.js"');
+        }
         vps.push('pm2 start --name openclaw-multibot -- sh -c "openclaw gateway run"');
         vps.push('pm2 save && pm2 startup');
         vps.push(`echo ""`);
@@ -3546,12 +3572,12 @@ ${selectedSkillNames.length ? selectedSkillNames.join('\n') : '- _(No skills ins
         vps.push(`echo "Commands:"`);
         vps.push(`echo "  pm2 status            # Status gateway"`);
         vps.push(`echo "  pm2 logs openclaw-multibot"`);
-      } else {
-        appendShWriteCommands(vps, botFiles(0));
-        if (is9Router) {
-          vps.push('pm2 start --name openclaw-9router -- sh -c "9router -n -l -H 0.0.0.0 -p 20128 --skip-update"');
-          vps.push('pm2 start --name openclaw-9router-sync -- sh -c "node ./.openclaw/9router-smart-route-sync.js"');
-        }
+      } else {
+        appendShWriteCommands(vps, botFiles(0));
+        if (is9Router) {
+          vps.push('PORT=20128 HOSTNAME=0.0.0.0 pm2 start "$(npm root -g)/9router/app/server.js" --name openclaw-9router --interpreter "$(command -v node)"');
+          vps.push('pm2 start --name openclaw-9router-sync -- sh -c "node ./.openclaw/9router-smart-route-sync.js"');
+        }
         vps.push('pm2 start --name openclaw -- sh -c "openclaw gateway run"');
         vps.push('pm2 save && pm2 startup');
         vps.push('echo "Bot dang chay! Xem log: pm2 logs openclaw"');

package/tests/smoke-cli-logic.mjs

@@ -107,6 +107,23 @@ checks.push(() => expectMatch(
   'CLI must resolve the correct native 9Router data directory on both Windows and Unix'
 ));
 
+checks.push(() => expect(
+  cli.includes('function getGatewayAllowedOrigins(port) {')
+    && cli.includes('Object.values(os.networkInterfaces() || {})')
+    && cli.includes('`http://localhost:${normalizedPort}`')
+    && cli.includes('`http://127.0.0.1:${normalizedPort}`')
+    && cli.includes('`http://0.0.0.0:${normalizedPort}`'),
+  'CLI must derive control UI allowed origins from localhost plus non-internal IPv4 interfaces'
+));
+
+checks.push(() => expect(
+  cli.includes('function getReachableDashboardHosts(port) {')
+    && cli.includes('pushHost(\'127.0.0.1\')')
+    && cli.includes('pushHost(\'localhost\')')
+    && cli.includes('function rewriteDashboardUrlHost(urlText, fallbackPort, targetBaseUrl) {'),
+  'CLI must derive reachable dashboard hosts and rewrite tokenized dashboard URLs for WSL/LAN access'
+));
+
 checks.push(() => expect(
   cli.includes("Removed smart-route (no active providers)")
     && cli.includes("if (!a.length) {")
@@ -135,7 +152,7 @@ checks.push(() => expectMatch(
 
 checks.push(() => expectMatch(
   cli,
-  /function printNativeDashboardAccessInfo\(\{ isVi, providerKey, projectDir, gatewayPort = 18791 \}\) \{[\s\S]*openclaw dashboard[\s\S]*9Router Dashboard:[\s\S]*localhost:20128\/dashboard/s,
+  /function printNativeDashboardAccessInfo\(\{ isVi, providerKey, projectDir, gatewayPort = 18791 \}\) \{[\s\S]*getReachableDashboardHosts\(gatewayPort\)[\s\S]*rewriteDashboardUrlHost[\s\S]*Other reachable URLs[\s\S]*getReachableDashboardHosts\(20128\)/s,
   'Native PM2 flow must expose dashboard access info and the tokenized dashboard command'
 ));
 
@@ -187,6 +204,18 @@ checks.push(() => expectMatch(
   'Native 9Router config must target localhost instead of the Docker hostname'
 ));
 
+checks.push(() => expectMatch(
+  cli,
+  /controlUi:\s*\{\s*allowedOrigins: getGatewayAllowedOrigins\(18791\)/s,
+  'Native shared gateway config must seed control UI allowed origins'
+));
+
+checks.push(() => expectMatch(
+  cli,
+  /controlUi:\s*\{\s*allowedOrigins: getGatewayAllowedOrigins\(18791 \+ \(isMultiBot \? bIndex : 0\)\)/s,
+  'Native per-bot gateway config must seed control UI allowed origins for each port'
+));
+
 checks.push(() => expectMatch(
   cli,
   /channelKey === 'zalo-personal'\) \{\s*botConfig\.channels\['zalouser'\] = \{\s*enabled: true,\s*dmPolicy: 'pairing',\s*autoReply: true/s,
@@ -195,7 +224,7 @@ checks.push(() => expectMatch(
 
 checks.push(() => expectMatch(
   cli,
-  /function startNative9RouterPm2\(\{ isVi, projectDir, appName, syncScriptPath \}\) \{[\s\S]*resolveCommandOnPath\('9router'\)[\s\S]*execFileSync\('pm2'[\s\S]*--interpreter'?,?[\s\S]*none[\s\S]*'-n'[\s\S]*'-l'[\s\S]*'--skip-update'[\s\S]*nohup "\$\{process\.execPath\}" "\$\{normalizedSyncScriptPath\}" >\/tmp\/\$\{syncAppName\}\.log 2>&1 &[\s\S]*runPm2Save\(\{ projectDir, isVi \}\)/s,
+  /function startNative9RouterPm2\(\{ isVi, projectDir, appName, syncScriptPath \}\) \{[\s\S]*resolveNative9RouterDesktopLaunch\(\)[\s\S]*execFileSync\('pm2'[\s\S]*routerLaunch\.command[\s\S]*--interpreter'?,?[\s\S]*none[\s\S]*routerLaunch\.args[\s\S]*routerLaunch\.env[\s\S]*nohup "\$\{process\.execPath\}" "\$\{normalizedSyncScriptPath\}" >\/tmp\/\$\{syncAppName\}\.log 2>&1 &[\s\S]*runPm2Save\(\{ projectDir, isVi \}\)/s,
   'VPS native 9Router flow must start a standalone 9Router dashboard on port 20128 via PM2'
 ));
 
@@ -207,8 +236,8 @@ checks.push(() => expectMatch(
 
 checks.push(() => expectMatch(
   cli,
-  /function resolveNative9RouterDesktopLaunch\(\) \{[\s\S]*process\.platform === 'win32'[\s\S]*npm root -g[\s\S]*9router', 'app', 'server\.js'[\s\S]*PORT: '20128'[\s\S]*HOSTNAME: '0\.0\.0\.0'[\s\S]*command: '9router'[\s\S]*\['-n', '-l', '-H', '0\.0\.0\.0', '-p', '20128', '--skip-update'\]/s,
-  'Native desktop 9Router launch must bypass the interactive CLI menu on Windows while preserving the standard CLI launch elsewhere'
+  /function resolveNative9RouterDesktopLaunch\(\) \{[\s\S]*command: process\.execPath[\s\S]*getGlobalNpmRoot\(\), '9router', 'app', 'server\.js'[\s\S]*PORT: '20128'[\s\S]*HOSTNAME: '0\.0\.0\.0'/s,
+  'Native desktop 9Router launch must bypass the interactive CLI menu by running the 9Router server entry directly'
 ));
 
 checks.push(() => expectMatch(
@@ -292,7 +321,7 @@ checks.push(() => expectMatch(
 
 checks.push(() => expectMatch(
   setup,
-  /function providerLines\(arr, shell\) \{[\s\S]*npm install -g 9router[\s\S]*start "9Router" cmd \/k "9router -n -l -H 0\.0\.0\.0 -p 20128 --skip-update"[\s\S]*nohup 9router -n -l -H 0\.0\.0\.0 -p 20128 --skip-update[\s\S]*9router-smart-route-sync\.js/s,
+  /function providerLines\(arr, shell\) \{[\s\S]*npm install -g 9router[\s\S]*start "9Router" cmd \/k "9router -n -l -H 0\.0\.0\.0 -p 20128 --skip-update"[\s\S]*nohup env PORT=20128 HOSTNAME=0\.0\.0\.0 node "\$\(npm root -g\)\/9router\/app\/server\.js"[\s\S]*9router-smart-route-sync\.js/s,
   'Native script generation must install and start a standalone 9Router dashboard on port 20128'
 ));
 
@@ -340,13 +369,13 @@ checks.push(() => expect(
 
 checks.push(() => expectMatch(
   setup,
-  /else if \(state\.nativeOs === 'vps'\) \{[\s\S]*pm2 start --name openclaw-multibot -- sh -c "openclaw gateway run"[\s\S]*pm2 logs openclaw-multibot/s,
+  /else if \(state\.nativeOs === 'vps'\) \{[\s\S]*PORT=20128 HOSTNAME=0\.0\.0\.0 pm2 start "\$\(npm root -g\)\/9router\/app\/server\.js" --name openclaw-multibot-9router --interpreter "\$\(command -v node\)"[\s\S]*pm2 start --name openclaw-multibot -- sh -c "openclaw gateway run"[\s\S]*pm2 logs openclaw-multibot/s,
   'VPS multi-bot native script must start the shared gateway via PM2'
 ));
 
 checks.push(() => expectMatch(
   setup,
-  /else if \(state\.nativeOs === 'vps'\) \{[\s\S]*pm2 start --name openclaw -- sh -c "openclaw gateway run"[\s\S]*pm2 logs openclaw/s,
+  /else if \(state\.nativeOs === 'vps'\) \{[\s\S]*PORT=20128 HOSTNAME=0\.0\.0\.0 pm2 start "\$\(npm root -g\)\/9router\/app\/server\.js" --name openclaw-9router --interpreter "\$\(command -v node\)"[\s\S]*pm2 start --name openclaw -- sh -c "openclaw gateway run"[\s\S]*pm2 logs openclaw/s,
   'VPS single-bot native script must start one bot via PM2'
 ));
 
@@ -374,6 +403,32 @@ checks.push(() => expectMatch(
   'Wizard copy must mention native auto-login and still show the dedicated Docker QR login command'
 ));
 
+checks.push(() => expect(
+  setup.includes('function getGatewayAllowedOrigins(port) {')
+    && setup.includes('window.location')
+    && setup.includes('`http://localhost:${normalizedPort}`')
+    && setup.includes('`http://127.0.0.1:${normalizedPort}`'),
+  'Web wizard must expose a helper that seeds likely control UI origins'
+));
+
+checks.push(() => expectMatch(
+  setup,
+  /controlUi:\s*\{\s*allowedOrigins: getGatewayAllowedOrigins\(18791\)/s,
+  'Web wizard single-bot gateway config must seed control UI allowed origins'
+));
+
+checks.push(() => expectMatch(
+  setup,
+  /controlUi:\s*\{\s*allowedOrigins: getGatewayAllowedOrigins\(basePort\)/s,
+  'Web wizard per-bot gateway config must seed control UI allowed origins'
+));
+
+checks.push(() => expectMatch(
+  setup,
+  /const patchCmd = `node -e \\\\"const fs=require\('fs'\),os=require\('os'\),p='\/root\/\.openclaw\/openclaw\.json';if\(fs\.existsSync\(p\)\)\{[\s\S]*allowedOrigins:Array\.from\(a\)/s,
+  'Web wizard Docker patch command must add interface-based control UI allowed origins'
+));
+
 for (const check of checks) {
   check();
 }