limbo-ai 1.9.4 → 1.10.0

package/README.md

@@ -50,11 +50,11 @@ Pulls the latest Limbo image and restarts the container. Your vault data is pers
 
 ## Connecting
 
-The easiest way to talk to Limbo is via **Telegram** — set up once, works from any device.
+There are two ways to connect: **talk to Limbo** (conversational, with its personality and memory logic) or **use the vault directly** (raw tool access from another agent).
 
-For everything else, Limbo speaks over WebSocket at `ws://localhost:18789` via the OpenClaw gateway. Any OpenClaw-compatible client can connect there directly.
+### Talk to Limbo
 
-### Telegram (recommended)
+#### Telegram (recommended)
 
 Set `TELEGRAM_ENABLED=true` and `TELEGRAM_BOT_TOKEN` in `~/.limbo/.env`, then restart:
 
@@ -62,17 +62,21 @@ Set `TELEGRAM_ENABLED=true` and `TELEGRAM_BOT_TOKEN` in `~/.limbo/.env`, then re
 npx limbo-ai start --reconfigure
 ```
 
-Message your bot and Limbo will respond.
+Message your bot and Limbo will respond — full agent with personality, memory logic, and vault tools.
 
-### Without Telegram
+#### OpenClaw client
 
-Connect any [OpenClaw](https://openclaw.dev)-compatible client to:
+Any [OpenClaw](https://openclaw.dev)-compatible chat client can connect to:
 
 ```
 ws://localhost:18789
 ```
 
-This includes Claude Code — add Limbo to your MCP config:
+This gives you a conversational session with Limbo, same as Telegram but over WebSocket.
+
+### Use the vault from another agent
+
+If you want another AI agent (like Claude Code) to read and write to Limbo's vault directly — without going through Limbo's personality or reasoning — add it as an MCP server:
 
 ```json
 {
@@ -84,6 +88,8 @@ This includes Claude Code — add Limbo to your MCP config:
 }
 ```
 
+This exposes the 4 vault tools (`vault_search`, `vault_read`, `vault_write_note`, `vault_update_map`) as MCP tools in the connecting agent. The agent operates on the vault directly — Limbo's LLM is not involved.
+
 ---
 
 ## Environment Variables

package/cli.js

@@ -20,8 +20,6 @@ const COMPOSE_FILE = path.join(LIMBO_DIR, 'docker-compose.yml');
 const GHCR_IMAGE = 'ghcr.io/tomasward1/limbo';
 const DEFAULT_TAG = require('./package.json').version;
 const PORT = 18789;
-// OpenClaw's OAuth callback server port — must be exposed when running auth inside Docker
-const OPENCLAW_AUTH_PORT = 1453;
 
 // OpenClaw compatibility snapshots from official docs:
 // - https://docs.openclaw.ai/providers/openai
@@ -72,6 +70,9 @@ const COMPOSE_CONTENT = `services:
       - no-new-privileges:true
     cap_drop:
       - ALL
+    cap_add:
+      - CHOWN
+      - FOWNER
     pids_limit: 200
     tmpfs:
       - /tmp:size=100M,noexec,nosuid,nodev
@@ -80,14 +81,14 @@ const COMPOSE_CONTENT = `services:
       - "127.0.0.1:${PORT}:${PORT}"
     volumes:
       - limbo-data:/data
-      - ./vault:/data/vault
+      - ${VAULT_DIR}:/data/vault
       - limbo-openclaw-state:/home/limbo/.openclaw
     secrets:
       - llm_api_key
       - telegram_bot_token
       - gateway_token
     env_file:
-      - .env
+      - ${LIMBO_DIR}/.env
     environment:
       OPENCLAW_CONFIG_PATH: /home/limbo/.openclaw/openclaw.json
       OPENCLAW_STATE_DIR: /home/limbo/.openclaw
@@ -104,11 +105,11 @@ const COMPOSE_CONTENT = `services:
 
 secrets:
   llm_api_key:
-    file: ./secrets/llm_api_key
+    file: ${SECRETS_DIR}/llm_api_key
   telegram_bot_token:
-    file: ./secrets/telegram_bot_token
+    file: ${SECRETS_DIR}/telegram_bot_token
   gateway_token:
-    file: ./secrets/gateway_token
+    file: ${SECRETS_DIR}/gateway_token
 
 volumes:
   limbo-data:
@@ -125,6 +126,9 @@ const COMPOSE_CONTENT_HARDENED = `services:
       - no-new-privileges:true
     cap_drop:
       - ALL
+    cap_add:
+      - CHOWN
+      - FOWNER
     pids_limit: 200
     tmpfs:
       - /tmp:size=100M,noexec,nosuid,nodev
@@ -133,14 +137,14 @@ const COMPOSE_CONTENT_HARDENED = `services:
       - "127.0.0.1:${PORT}:${PORT}"
     volumes:
       - limbo-data:/data
-      - ./vault:/data/vault
+      - ${VAULT_DIR}:/data/vault
       - limbo-openclaw-state:/home/limbo/.openclaw
     secrets:
       - llm_api_key
       - telegram_bot_token
       - gateway_token
     env_file:
-      - .env
+      - ${LIMBO_DIR}/.env
     environment:
       OPENCLAW_CONFIG_PATH: /home/limbo/.openclaw/openclaw.json
       OPENCLAW_STATE_DIR: /home/limbo/.openclaw
@@ -178,8 +182,8 @@ const COMPOSE_CONTENT_HARDENED = `services:
       - internal
       - external
     volumes:
-      - ./squid/squid.conf:/etc/squid/squid.conf:ro
-      - ./squid/allowed-domains.txt:/etc/squid/allowed-domains.txt:ro
+      - ${LIMBO_DIR}/squid/squid.conf:/etc/squid/squid.conf:ro
+      - ${LIMBO_DIR}/squid/allowed-domains.txt:/etc/squid/allowed-domains.txt:ro
 
 networks:
   internal:
@@ -188,11 +192,11 @@ networks:
 
 secrets:
   llm_api_key:
-    file: ./secrets/llm_api_key
+    file: ${SECRETS_DIR}/llm_api_key
   telegram_bot_token:
-    file: ./secrets/telegram_bot_token
+    file: ${SECRETS_DIR}/telegram_bot_token
   gateway_token:
-    file: ./secrets/gateway_token
+    file: ${SECRETS_DIR}/gateway_token
 
 volumes:
   limbo-data:
@@ -254,14 +258,19 @@ const TEXT = {
     logsHint: 'Check logs with: limbo logs',
     healthy: 'Container is healthy.',
     subscriptionSetup: 'Provider authentication',
-    openaiSubscriptionIntro: 'Limbo will authenticate with your AI provider. A URL will appear — open it in your browser to complete login.',
+    openaiSubscriptionIntro: 'Limbo will authenticate with your OpenAI account. A URL will open in your browser — log in and authorize access.',
     anthropicSubscriptionIntro: 'Generate a Claude setup-token on any machine with `claude setup-token`, then paste it into the next step.',
     authFlowStart: 'Starting authentication...',
     authFlowDone: 'Authentication complete.',
-    modelConnected: (model) => `Model connected: ${model}`,
     authFlowFailed: 'Authentication did not complete successfully.',
     authStatusFailed: 'Provider auth is still missing or invalid. Try running with --reconfigure.',
+    oauthPasteHint: 'After you log in, the browser will redirect to a localhost URL (it may show an error page — that\'s normal). Copy the full URL from the address bar and paste it below.',
+    oauthCallbackPrompt: '  Paste the callback URL: ',
+    oauthInvalidCallback: 'Could not extract an authorization code from that input. Paste the full URL from the browser address bar.',
+    oauthExchanging: 'Exchanging authorization code for tokens...',
+    oauthStateMismatch: 'OAuth state mismatch — proceeding anyway, but this may indicate a problem.',
     configFlowStart: 'Applying configuration...',
+    configFlowSlow: 'This may take a couple of minutes.',
     configFlowDone: 'Configuration applied.',
     configFlowFailed: 'Could not apply configuration. Check your settings and try again.',
     composing: 'Initializing...',
@@ -347,14 +356,19 @@ const TEXT = {
     logsHint: 'Mira los logs con: limbo logs',
     healthy: 'El container esta healthy.',
     subscriptionSetup: 'Autenticacion del provider',
-    openaiSubscriptionIntro: 'Limbo va a autenticarse con tu proveedor de IA. Aparecera una URL — abrisla en el navegador para completar el login.',
+    openaiSubscriptionIntro: 'Limbo va a autenticarse con tu cuenta de OpenAI. Se va a abrir una URL en tu navegador — inicia sesion y autoriza el acceso.',
     anthropicSubscriptionIntro: 'Genera un Claude setup-token en cualquier maquina con `claude setup-token` y pegalo en el siguiente paso.',
     authFlowStart: 'Iniciando autenticacion...',
     authFlowDone: 'Autenticacion completada.',
-    modelConnected: (model) => `Modelo conectado: ${model}`,
     authFlowFailed: 'La autenticacion no termino correctamente.',
     authStatusFailed: 'La autenticacion del provider sigue siendo invalida o no esta configurada. Proba con --reconfigure.',
+    oauthPasteHint: 'Despues de loguearte, el browser va a redirigir a una URL de localhost (puede mostrar una pagina de error — es normal). Copa la URL completa de la barra de direcciones y pegala abajo.',
+    oauthCallbackPrompt: '  Pega la URL de callback: ',
+    oauthInvalidCallback: 'No se pudo extraer un codigo de autorizacion. Pega la URL completa de la barra del navegador.',
+    oauthExchanging: 'Intercambiando codigo de autorizacion por tokens...',
+    oauthStateMismatch: 'OAuth state mismatch — se continua igual, pero esto puede indicar un problema.',
     configFlowStart: 'Aplicando configuracion...',
+    configFlowSlow: 'Esto puede tardar un par de minutos.',
     configFlowDone: 'Configuracion aplicada.',
     configFlowFailed: 'No se pudo aplicar la configuracion. Revisa los ajustes e intenta de nuevo.',
     composing: 'Inicializando...',
@@ -751,19 +765,21 @@ function ensureGatewayToken(existingEnv) {
 }
 
 function pullOrBuildImage(lang) {
+  // When running from the repo (npx .), prefer local build over registry pull.
+  const repoDockerfile = path.join(__dirname, 'Dockerfile');
+  if (fs.existsSync(repoDockerfile)) {
+    header(t(lang, 'buildingFallback'));
+    execSync(`docker build -t ${GHCR_IMAGE}:${DEFAULT_TAG} .`, { stdio: 'inherit', cwd: __dirname });
+    ok(t(lang, 'buildOk', DEFAULT_TAG));
+    return;
+  }
+
   header(t(lang, 'pullingImage'));
   try {
     run('docker compose pull -q');
     ok(t(lang, 'imagePulled'));
   } catch {
-    warn(t(lang, 'pullFailed'));
-    const repoDockerfile = path.join(__dirname, 'Dockerfile');
-    if (!fs.existsSync(repoDockerfile)) {
-      die('Could not pull image and no local Dockerfile found. Check your network or GHCR access.');
-    }
-    log(t(lang, 'buildingFallback'));
-    execSync(`docker build -t ${GHCR_IMAGE}:${DEFAULT_TAG} .`, { stdio: 'inherit', cwd: __dirname });
-    ok(t(lang, 'buildOk', DEFAULT_TAG));
+    die('Could not pull image and no local Dockerfile found. Check your network or GHCR access.');
   }
 }
 
@@ -771,8 +787,24 @@ function runOpenClaw(args, opts = {}) {
   return runDockerCompose(['run', '--rm', '--entrypoint', 'openclaw', 'limbo', ...args], opts);
 }
 
+// Fix volume ownership before any docker compose run commands.
+// cap_drop:ALL strips CAP_DAC_OVERRIDE from root, so a root-user container
+// cannot write to limbo-owned volumes.  This one-shot container runs as root
+// with the minimum caps needed to chown the volume dirs back to limbo.
+function ensureVolumePermissions() {
+  runDockerCompose([
+    'run', '--rm', '--no-deps',
+    '--user', 'root',
+    '--cap-add', 'DAC_OVERRIDE',
+    '--entrypoint', 'sh',
+    'limbo',
+    '-c', 'chown -R limbo:limbo /data /home/limbo/.openclaw 2>/dev/null; true',
+  ], { stdio: 'pipe' });
+}
+
 function applyOpenClawConfig(cfg) {
   header(t(cfg.language, 'configFlowStart'));
+  log(t(cfg.language, 'configFlowSlow'));
 
   const setCommands = [
     ['config', 'set', 'gateway.mode', 'local'],
@@ -790,9 +822,15 @@ function applyOpenClawConfig(cfg) {
     );
   }
 
+  const total = setCommands.length + 1; // +1 for validate
+  let step = 0;
+
   for (const command of setCommands) {
+    step++;
+    process.stdout.write(`\r${c.dim}  [${step}/${total}] ${command.slice(1, 4).join(' ')}${c.reset}`.padEnd(60));
     const result = runOpenClaw(command, { stdio: 'pipe' });
     if (result.status !== 0) {
+      console.log('');
       process.stdout.write(result.stdout || '');
       process.stderr.write(result.stderr || '');
       die(t(cfg.language, 'configFlowFailed'));
@@ -803,131 +841,213 @@ function applyOpenClawConfig(cfg) {
     runOpenClaw(['config', 'unset', 'channels.telegram'], { stdio: 'pipe' });
   }
 
+  step++;
+  process.stdout.write(`\r${c.dim}  [${step}/${total}] config validate${c.reset}`.padEnd(60));
   const validateResult = runOpenClaw(['config', 'validate'], { stdio: 'pipe' });
   if (validateResult.status !== 0) {
+    console.log('');
     process.stdout.write(validateResult.stdout || '');
     process.stderr.write(validateResult.stderr || '');
     die(t(cfg.language, 'configFlowFailed'));
   }
 
+  process.stdout.write('\r' + ' '.repeat(60) + '\r');
   ok(t(cfg.language, 'configFlowDone'));
 }
 
-// Strip all ANSI/VT100 escape sequences from a string.
-// Uses standards-based ECMA-48 byte ranges:
-//   CSI: ESC [ <param bytes 0x30-0x3F>* <intermediate bytes 0x20-0x2F>* <final byte 0x40-0x7E>
-//   Two-char ESC: ESC <0x40-0x5F>  (e.g. ESC M, ESC =, ESC 7/8 save/restore cursor)
-//   OSC: ESC ] <any> BEL|ST
-// Covers private-mode sequences like \x1b[?25l (hide cursor) that the old [0-9;]* missed.
-const stripAnsi = (str) => str
-  .replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, '')  // CSI sequences (all parameter byte combos)
-  .replace(/\x1b[@-Z\\-_]/g, '')             // two-char ESC sequences
-  .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '') // OSC sequences
-  .replace(/\r/g, '');
-
-// Spawn OpenClaw auth with filtered output: extract OAuth URLs, suppress branding.
-// --tty is required so openclaw sees a TTY inside the container and runs the auth wizard.
-// We pipe stdout/stderr to filter content while the container gets a proper PTY allocation.
-// onUrl: optional callback invoked with each unique URL as it appears (e.g. to auto-open browser).
-function streamFilteredAuth(dockerArgs, onUrl = null) {
-  return new Promise((resolve) => {
-    const proc = spawn('docker', dockerArgs, {
-      cwd: LIMBO_DIR,
-      stdio: ['inherit', 'pipe', 'pipe'],
-    });
-
-    const urlRe = /https?:\/\/[^\s"'<>\]]+/g;
-    const seenUrls = new Set();
-    let buf = '';
-
-    const handleData = (data) => {
-      buf += data.toString();
-      // Split on \r\n, \n, or bare \r — TUIs use carriage returns for in-place redraws
-      const lines = buf.split(/\r?\n|\r/);
-      buf = lines.pop(); // hold incomplete last line
-      for (const line of lines) emitLine(line);
-    };
+// ─── Native OAuth (PKCE) for OpenAI Codex ───────────────────────────────────
+// Implements the full OAuth flow locally so we never need OpenClaw's interactive TUI.
 
-    const emitLine = (rawLine) => {
-      const line = stripAnsi(rawLine);
-      const urls = line.match(urlRe) || [];
-      if (urls.length > 0) {
-        for (const url of urls) {
-          if (!seenUrls.has(url)) {
-            seenUrls.add(url);
-            console.log(`\n  ${c.cyan}${c.bold}→  ${url}${c.reset}\n`);
-            if (onUrl) onUrl(url);
-          }
-        }
-        return; // don't double-print the line containing the URL
-      }
-      // Suppress OpenClaw branding
-      if (/openclaw/i.test(line)) return;
-      // Suppress TUI chrome: lines that are only spinner/decoration/box-drawing chars.
-      // OpenClaw's TUI writes animation frames separated by \r — after our \r-split, each
-      // frame becomes a short line (often a single char). We filter these out so they don't
-      // scatter across the terminal as individual console.log lines.
-      const tuiChrome = /^[\s\u2500-\u257f\u2580-\u259f\u25a0-\u25ff\u2600-\u26ff◇◆●○◈→←↑↓⠀-\u28ff]*$/u;
-      if (tuiChrome.test(line)) return;
-      if (line.trim()) console.log(`   ${line}`);
+const OPENAI_OAUTH = {
+  clientId: 'app_EMoamEEZ73f0CkXaXp7hrann',
+  authorizeUrl: 'https://auth.openai.com/oauth/authorize',
+  tokenUrl: 'https://auth.openai.com/oauth/token',
+  redirectUri: 'http://localhost:1455/auth/callback',
+  scopes: 'openid profile email offline_access',
+};
+
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString('base64url');
+  const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+  return { verifier, challenge };
+}
+
+function buildOAuthUrl(pkce, state) {
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: OPENAI_OAUTH.clientId,
+    redirect_uri: OPENAI_OAUTH.redirectUri,
+    scope: OPENAI_OAUTH.scopes,
+    code_challenge: pkce.challenge,
+    code_challenge_method: 'S256',
+    state,
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    originator: 'pi',
+  });
+  return `${OPENAI_OAUTH.authorizeUrl}?${params}`;
+}
+
+function parseCallbackInput(input) {
+  const trimmed = input.trim();
+  // Accept full URL, just the code, or code#state / code=XXX&state=YYY
+  try {
+    const url = new URL(trimmed);
+    return {
+      code: url.searchParams.get('code'),
+      state: url.searchParams.get('state'),
     };
+  } catch {}
+  // Try as query string
+  if (trimmed.includes('code=')) {
+    const params = new URLSearchParams(trimmed.replace(/^\?/, ''));
+    return { code: params.get('code'), state: params.get('state') };
+  }
+  // Bare code
+  return { code: trimmed, state: null };
+}
+
+async function exchangeCodeForTokens(code, pkceVerifier) {
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    client_id: OPENAI_OAUTH.clientId,
+    code,
+    code_verifier: pkceVerifier,
+    redirect_uri: OPENAI_OAUTH.redirectUri,
+  });
+  const res = await fetch(OPENAI_OAUTH.tokenUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${text}`);
+  }
+  return res.json();
+}
+
+function decodeJwtPayload(token) {
+  const parts = token.split('.');
+  if (parts.length < 2) return {};
+  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+}
+
+function writeAuthProfilesToDocker(profile) {
+  // Write auth-profiles.json into the OpenClaw Docker volume via a temp container
+  const profileId = profile.email ? `openai-codex:${profile.email}` : 'openai-codex:default';
+  const store = {
+    version: 1,
+    profiles: {
+      [profileId]: {
+        type: 'oauth',
+        provider: 'openai-codex',
+        access: profile.access,
+        refresh: profile.refresh,
+        expires: profile.expires,
+        accountId: profile.accountId,
+      },
+    },
+    order: {},
+    lastGood: {},
+    usageStats: {},
+  };
+  const json = JSON.stringify(store, null, 2);
+  const destDir = '/home/limbo/.openclaw/agents/main/agent';
+  const destFile = `${destDir}/auth-profiles.json`;
+  // Use a one-shot container to write into the named volume
+  spawnSync('docker', [
+    'compose', 'run', '--rm', '--no-deps', '--entrypoint', 'sh', 'limbo',
+    '-c', `mkdir -p "${destDir}" && cat > "${destFile}"`,
+  ], {
+    cwd: LIMBO_DIR,
+    stdio: ['pipe', 'pipe', 'pipe'],
+    input: json,
+    encoding: 'utf8',
+  });
+}
 
-    proc.stdout.on('data', handleData);
-    proc.stderr.on('data', handleData);
-    proc.on('close', (code) => {
-      if (buf.trim()) emitLine(buf);
-      resolve(code ?? 1);
-    });
-    proc.on('error', () => resolve(1));
+async function runCodexOAuth(language) {
+  const pkce = generatePKCE();
+  const state = crypto.randomBytes(16).toString('hex');
+  const authUrl = buildOAuthUrl(pkce, state);
+
+  // Open browser automatically
+  const openCmd = process.platform === 'darwin' ? 'open'
+    : process.platform === 'win32' ? 'start' : 'xdg-open';
+  try { execSync(`${openCmd} "${authUrl}"`, { stdio: 'ignore' }); } catch {}
+
+  console.log(`\n  ${c.cyan}${c.bold}→  ${authUrl}${c.reset}\n`);
+  log(t(language, 'oauthPasteHint'));
+
+  const callbackRaw = await promptValidated(
+    t(language, 'oauthCallbackPrompt'),
+    (value) => {
+      if (!value) return { ok: false, message: t(language, 'requiredField') };
+      const parsed = parseCallbackInput(value);
+      if (!parsed.code) return { ok: false, message: t(language, 'oauthInvalidCallback') };
+      return { ok: true, value };
+    },
+  );
+
+  const { code, state: returnedState } = parseCallbackInput(callbackRaw);
+  if (returnedState && returnedState !== state) {
+    warn(t(language, 'oauthStateMismatch'));
+  }
+
+  log(t(language, 'oauthExchanging'));
+  const tokens = await exchangeCodeForTokens(code, pkce.verifier);
+
+  // Extract account info from JWT
+  const jwt = decodeJwtPayload(tokens.access_token);
+  const authClaim = jwt['https://api.openai.com/auth'] || {};
+  const accountId = authClaim.chatgpt_account_id || '';
+  const email = jwt.email || '';
+
+  writeAuthProfilesToDocker({
+    access: tokens.access_token,
+    refresh: tokens.refresh_token,
+    expires: Date.now() + (tokens.expires_in * 1000),
+    accountId,
+    email,
   });
+
+  return 0;
 }
 
+// ─── Subscription auth flow ──────────────────────────────────────────────────
+
 async function runSubscriptionAuthFlow(cfg) {
   header(t(cfg.language, 'subscriptionSetup'));
+
   if (cfg.providerFamily === 'openai') {
     log(t(cfg.language, 'openaiSubscriptionIntro'));
+    log(t(cfg.language, 'authFlowStart'));
+    try {
+      await runCodexOAuth(cfg.language);
+    } catch (err) {
+      die(`${t(cfg.language, 'authFlowFailed')}: ${err.message}`);
+    }
+    // Native OAuth — tokens verified by successful exchange, no status check needed
+    ok(t(cfg.language, 'authFlowDone'));
   } else {
     log(t(cfg.language, 'anthropicSubscriptionIntro'));
-  }
-  log(t(cfg.language, 'authFlowStart'));
-
-  const authArgs = cfg.providerFamily === 'openai'
-    ? ['models', 'auth', 'login', '--provider', 'openai-codex']
-    : ['models', 'auth', 'paste-token', '--provider', 'anthropic'];
-
-  let exitCode;
-  if (cfg.providerFamily === 'openai') {
-    // --tty allocates a PTY inside the container so openclaw's auth wizard runs correctly.
-    // -p exposes the OAuth callback port so the browser redirect reaches the in-container server.
-    // We still pipe stdout/stderr to filter out branding and highlight the OAuth URL.
-    const opener = process.platform === 'darwin' ? 'open' : 'xdg-open';
-    exitCode = await streamFilteredAuth(
-      ['compose', 'run', '--tty', '--rm', '-p', `${OPENCLAW_AUTH_PORT}:${OPENCLAW_AUTH_PORT}`, '--entrypoint', 'openclaw', 'limbo', ...authArgs],
-      (url) => {
-        // Auto-open the browser so the user doesn't need to copy/paste the URL
-        try { spawnSync(opener, [url], { stdio: 'ignore', timeout: 3000 }); } catch {}
-      },
-    );
-  } else {
+    log(t(cfg.language, 'authFlowStart'));
     // Anthropic paste-token is interactive (user pastes a token); keep stdio inherited
-    const authResult = runOpenClaw(authArgs);
-    exitCode = authResult.status;
-  }
-
-  if (exitCode !== 0) die(t(cfg.language, 'authFlowFailed'));
-
-  const statusResult = runOpenClaw(
-    ['models', 'status', '--check', '--probe-provider', cfg.provider],
-    { stdio: 'pipe' },
-  );
+    const authResult = runOpenClaw(['models', 'auth', 'paste-token', '--provider', 'anthropic']);
+    if (authResult.status !== 0) die(t(cfg.language, 'authFlowFailed'));
 
-  if (statusResult.status !== 0) {
-    process.stdout.write(statusResult.stdout || '');
-    process.stderr.write(statusResult.stderr || '');
-    die(t(cfg.language, 'authStatusFailed'));
+    const statusResult = runOpenClaw(
+      ['models', 'status', '--check', '--probe-provider', cfg.provider],
+      { stdio: 'pipe' },
+    );
+    if (statusResult.status !== 0) {
+      process.stdout.write(statusResult.stdout || '');
+      process.stderr.write(statusResult.stderr || '');
+      die(t(cfg.language, 'authStatusFailed'));
+    }
+    ok(t(cfg.language, 'authFlowDone'));
   }
-
-  ok(t(cfg.language, 'modelConnected', `${cfg.provider}/${cfg.modelName}`));
 }
 
 function printSuccess(cfg, gatewayToken) {
@@ -1003,6 +1123,7 @@ async function cmdStart() {
   }
 
   pullOrBuildImage(cfg.language);
+  ensureVolumePermissions();
 
   if (cfg.authMode === 'subscription' && (process.argv.includes('--reconfigure') || !alreadyHasEnv)) {
     await runSubscriptionAuthFlow(cfg);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "limbo-ai",
-  "version": "1.9.4",
+  "version": "1.10.0",
   "description": "Your personal AI memory agent — install and manage Limbo via npx",
   "type": "commonjs",
   "bin": {
@@ -13,7 +13,8 @@
     "@clack/prompts": "^1.1.0"
   },
   "scripts": {
-    "start": "node cli.js start"
+    "start": "node cli.js start",
+    "test": "node --test test/**/*.test.js"
   },
   "keywords": [
     "limbo",

package/test/cli-auth.test.js

@@ -0,0 +1,250 @@
+// test/cli-auth.test.js
+// Unit tests for the streamFilteredAuth pure-logic functions exported from cli.js.
+// Run with: node --test test/cli-auth.test.js
+'use strict';
+
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+const { stripAnsi, AUTH_URL_RE, TUI_CHROME_RE, flushStreamLines } = require('../cli.js');
+
+// ─── stripAnsi ────────────────────────────────────────────────────────────────
+
+test('stripAnsi: strips standard CSI sequences', () => {
+  assert.equal(stripAnsi('\x1b[32mgreen\x1b[0m'), 'green');
+  assert.equal(stripAnsi('\x1b[1;31mbold red\x1b[0m'), 'bold red');
+  assert.equal(stripAnsi('\x1b[2Kclear line'), 'clear line');
+});
+
+test('stripAnsi: strips ?-prefixed private-mode CSI sequences', () => {
+  // \x1b[?25l hide cursor, \x1b[?25h show cursor
+  assert.equal(stripAnsi('\x1b[?25lhello\x1b[?25h'), 'hello');
+  // \x1b[?2004h / \x1b[?2004l bracketed paste mode
+  assert.equal(stripAnsi('\x1b[?2004htext\x1b[?2004l'), 'text');
+});
+
+test('stripAnsi: strips two-char ESC sequences (0x40-0x5F range)', () => {
+  // ESC M (0x4D) — reverse index (cursor up with scroll)
+  assert.equal(stripAnsi('\x1bMline'), 'line');
+  // ESC E (0x45) — next line
+  assert.equal(stripAnsi('text\x1bEafter'), 'textafter');
+  // ESC ^ (0x5E) — privacy message (PM)
+  assert.equal(stripAnsi('before\x1b^after'), 'beforeafter');
+});
+
+test('stripAnsi: strips OSC sequences (BEL-terminated)', () => {
+  // OSC 0 ; title BEL — window title sequence
+  assert.equal(stripAnsi('\x1b]0;My Terminal Title\x07visible'), 'visible');
+});
+
+test('stripAnsi: strips OSC sequences (ST-terminated)', () => {
+  assert.equal(stripAnsi('\x1b]0;title\x1b\\visible'), 'visible');
+});
+
+test('stripAnsi: strips bare carriage returns', () => {
+  assert.equal(stripAnsi('line1\rline2'), 'line1line2');
+  assert.equal(stripAnsi('\r'), '');
+});
+
+test('stripAnsi: leaves plain text untouched', () => {
+  const plain = 'Hello, world! 123 !@#';
+  assert.equal(stripAnsi(plain), plain);
+});
+
+test('stripAnsi: handles empty string', () => {
+  assert.equal(stripAnsi(''), '');
+});
+
+test('stripAnsi: strips mixed sequences in one pass', () => {
+  // CSI (?25l hide cursor) + CSI (32m color) + OSC (window title) + bare CR
+  const input = '\x1b[?25l\x1b[32mProcessing\x1b[0m...\x1b]0;term\x07done\r';
+  assert.equal(stripAnsi(input), 'Processing...done');
+  // CSI + two-char ESC (M) mixed with real text
+  const input2 = '\x1b[1mbold\x1b[0m\x1bMnext';
+  assert.equal(stripAnsi(input2), 'boldnext');
+});
+
+// ─── TUI_CHROME_RE ────────────────────────────────────────────────────────────
+
+test('TUI_CHROME_RE: suppresses Braille spinner chars', () => {
+  // Common clack/openclaw spinner frames
+  for (const ch of ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏']) {
+    assert.equal(TUI_CHROME_RE.test(ch), true, `expected ${ch} to match TUI_CHROME_RE`);
+  }
+});
+
+test('TUI_CHROME_RE: suppresses box-drawing chars', () => {
+  assert.equal(TUI_CHROME_RE.test('─'), true);
+  assert.equal(TUI_CHROME_RE.test('│'), true);
+  assert.equal(TUI_CHROME_RE.test('┌┐└┘'), true);
+  assert.equal(TUI_CHROME_RE.test('═══'), true);
+});
+
+test('TUI_CHROME_RE: suppresses clack decoration chars', () => {
+  assert.equal(TUI_CHROME_RE.test('◇'), true);
+  assert.equal(TUI_CHROME_RE.test('●'), true);
+  assert.equal(TUI_CHROME_RE.test('◆'), true);
+  assert.equal(TUI_CHROME_RE.test('○'), true);
+});
+
+test('TUI_CHROME_RE: suppresses whitespace-only lines', () => {
+  assert.equal(TUI_CHROME_RE.test('   '), true);
+  assert.equal(TUI_CHROME_RE.test(''), true);
+  assert.equal(TUI_CHROME_RE.test('\t'), true);
+});
+
+test('TUI_CHROME_RE: suppresses mixed chrome lines (spinner + whitespace)', () => {
+  assert.equal(TUI_CHROME_RE.test('  ⠋  '), true);
+  assert.equal(TUI_CHROME_RE.test('◇  ─  ◇'), true);
+});
+
+test('TUI_CHROME_RE: passes lines with real text content', () => {
+  assert.equal(TUI_CHROME_RE.test('Please open this URL'), false);
+  assert.equal(TUI_CHROME_RE.test('Authenticating...'), false);
+  assert.equal(TUI_CHROME_RE.test('Press Enter to continue'), false);
+  assert.equal(TUI_CHROME_RE.test('Error: invalid token'), false);
+});
+
+test('TUI_CHROME_RE: passes lines starting with decoration but containing text', () => {
+  // clack prompts often have a leading decoration glyph followed by text
+  assert.equal(TUI_CHROME_RE.test('◇ Enter your API key'), false);
+  assert.equal(TUI_CHROME_RE.test('● Model selected: claude-opus-4-6'), false);
+});
+
+// ─── AUTH_URL_RE (URL extraction) ─────────────────────────────────────────────
+
+test('AUTH_URL_RE: detects http OAuth URLs', () => {
+  const line = 'Open this URL to authenticate: http://localhost:3000/oauth/callback?code=abc123';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches, 'expected URL match');
+  assert.equal(matches[0], 'http://localhost:3000/oauth/callback?code=abc123');
+});
+
+test('AUTH_URL_RE: detects https OAuth URLs', () => {
+  const line = 'Visit https://auth.anthropic.com/oauth2/authorize?client_id=limbo&state=xyz to login';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches, 'expected URL match');
+  assert.equal(matches[0], 'https://auth.anthropic.com/oauth2/authorize?client_id=limbo&state=xyz');
+});
+
+test('AUTH_URL_RE: does not match plain text without URL', () => {
+  const line = 'Waiting for authentication...';
+  const matches = line.match(AUTH_URL_RE);
+  assert.equal(matches, null);
+});
+
+test('AUTH_URL_RE: stops URL at whitespace', () => {
+  const line = 'URL: https://example.com/auth and then some text';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches[0], 'https://example.com/auth');
+});
+
+test('AUTH_URL_RE: stops URL at angle bracket', () => {
+  const line = 'Go to <https://example.com/auth>';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches[0], 'https://example.com/auth');
+});
+
+test('AUTH_URL_RE: extracts multiple URLs from a single line', () => {
+  const line = 'Primary: https://example.com/a Fallback: https://example.com/b';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches.length, 2);
+  assert.equal(matches[0], 'https://example.com/a');
+  assert.equal(matches[1], 'https://example.com/b');
+});
+
+test('AUTH_URL_RE: URL deduplication — same URL seen twice is emitted once', () => {
+  // This tests the seenUrls Set logic conceptually — we verify that running AUTH_URL_RE
+  // against the same URL twice and filtering via a Set yields a single emission.
+  const url = 'https://auth.openai.com/oauth/callback?code=abc';
+  const lines = [
+    `Open: ${url}`,
+    `Retry: ${url}`,
+    'Different: https://example.com/other',
+  ];
+
+  const emitted = [];
+  const seenUrls = new Set();
+
+  for (const line of lines) {
+    const urls = line.match(AUTH_URL_RE) || [];
+    for (const u of urls) {
+      if (!seenUrls.has(u)) {
+        seenUrls.add(u);
+        emitted.push(u);
+      }
+    }
+  }
+
+  assert.equal(emitted.length, 2, 'duplicate URL should only be emitted once');
+  assert.equal(emitted[0], url);
+  assert.equal(emitted[1], 'https://example.com/other');
+});
+
+// ─── flushStreamLines (animation scatter regression) ──────────────────────────
+
+test('flushStreamLines: emits only final \\r frame — suppresses scatter', () => {
+  // This is the exact pattern that caused the diagonal scatter seen in the screenshot:
+  // clack's character-by-character reveal writes each progressive state separated by \r.
+  // Before the fix, every frame was emitted as a separate line causing staircase output.
+  const buf = '│ Y\r│ Yo\r│ You\r│ Your URL: https://auth.example.com\n';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.equal(remaining, '');
+  assert.equal(lines.length, 1, 'only the final frame should be emitted');
+  assert.equal(lines[0], '│ Your URL: https://auth.example.com');
+});
+
+test('flushStreamLines: handles spinner animation (pure chrome final frame)', () => {
+  // Spinner that completes and clears the line — final state is empty/chrome
+  const buf = '⠋\r⠙\r⠹\r⠸\r \n';
+  const { lines } = flushStreamLines(buf);
+  assert.equal(lines.length, 1);
+  assert.equal(lines[0], ' '); // final frame (space = cleared); TUI_CHROME_RE will suppress it
+});
+
+test('flushStreamLines: normalises \\r\\n to single newline', () => {
+  const buf = 'line one\r\nline two\r\n';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.equal(remaining, '');
+  assert.deepEqual(lines, ['line one', 'line two']);
+});
+
+test('flushStreamLines: holds incomplete segment in remaining', () => {
+  const buf = 'complete line\nstill coming';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.deepEqual(lines, ['complete line']);
+  assert.equal(remaining, 'still coming');
+});
+
+test('flushStreamLines: accumulating chunks yields same result as one chunk', () => {
+  // Simulate data arriving in two chunks mid-animation-frame
+  const chunk1 = '│ Y\r│ Yo\r';
+  const chunk2 = '│ You\r│ Your URL: https://auth.example.com\n';
+
+  // Chunk 1 alone: no complete \n-terminated line yet
+  const r1 = flushStreamLines(chunk1);
+  assert.deepEqual(r1.lines, []);
+  assert.equal(r1.remaining, '│ Y\r│ Yo\r');
+
+  // Chunk 2 appended to remaining: yields only the final frame
+  const r2 = flushStreamLines(r1.remaining + chunk2);
+  assert.equal(r2.lines.length, 1);
+  assert.equal(r2.lines[0], '│ Your URL: https://auth.example.com');
+  assert.equal(r2.remaining, '');
+});
+
+test('flushStreamLines: multiple \\n-terminated lines processed independently', () => {
+  // Two different lines, each with animation frames
+  const buf = '⠋ Loading...\r⠙ Loading...\r Done!\nEnter code: \r\n';
+  const { lines } = flushStreamLines(buf);
+  assert.deepEqual(lines, [' Done!', 'Enter code: ']);
+});
+
+test('flushStreamLines: empty buffer returns no lines', () => {
+  const { lines, remaining } = flushStreamLines('');
+  assert.deepEqual(lines, []);
+  assert.equal(remaining, '');
+});

package/test/cli-filter.test.js

@@ -0,0 +1,197 @@
+/**
+ * Unit tests for the CLI auth output filter logic.
+ *
+ * Tests stripAnsi, processLine (carriage-return collapse), and the emitLine
+ * filtering decisions in streamFilteredAuth. Zero external dependencies —
+ * uses Node.js built-in test runner (node:test, node >= 18).
+ *
+ * Run: node --test test/cli-filter.test.js
+ */
+
+'use strict';
+
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+// ─── Replicated filter logic (must stay in sync with cli.js) ─────────────────
+// If these start diverging, extract to a shared module.
+
+const stripAnsi = (str) => str
+  .replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, '')          // CSI sequences (all parameter byte combos)
+  .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '') // OSC sequences (before two-char — shares \x1b] prefix)
+  .replace(/\x1b[^[\]]/g, '')                         // two-char ESC sequences (e.g. ESC 7/8 save/restore)
+  .replace(/\r/g, '');
+
+const urlRe = /https?:\/\/[^\s"'<>\]]+/g;
+const tuiChrome = /^[\s\u2500-\u257f\u2580-\u259f\u25a0-\u25ff\u2600-\u26ff\u2190-\u21ff\u2700-\u27bf\u2800-\u28ff]*$/u;
+
+/** Returns last \r-frame — the final visual state of any carriage-return animation. */
+function processLine(raw) {
+  return raw.split('\r').pop() || '';
+}
+
+/**
+ * Models the emitLine decision: 'url' | 'show' | 'suppress'.
+ * Reset urlRe.lastIndex before each call since it's a global regex.
+ */
+function classify(rawLine) {
+  urlRe.lastIndex = 0;
+  const line = stripAnsi(rawLine);
+  if (urlRe.test(line)) return 'url';
+  if (/openclaw/i.test(line)) return 'suppress';
+  if (tuiChrome.test(line)) return 'suppress';
+  if (!line.trim()) return 'suppress';
+  return 'show';
+}
+
+// ─── stripAnsi ────────────────────────────────────────────────────────────────
+
+test('stripAnsi: removes standard SGR color codes', () => {
+  assert.equal(stripAnsi('\x1b[31mRed text\x1b[0m'), 'Red text');
+  assert.equal(stripAnsi('\x1b[1;32mBold green\x1b[0m'), 'Bold green');
+});
+
+test('stripAnsi: removes private-mode sequences (the original bug — ?25l hide cursor)', () => {
+  assert.equal(stripAnsi('\x1b[?25l'), '');
+  assert.equal(stripAnsi('\x1b[?25lhello\x1b[?25h'), 'hello');
+  assert.equal(stripAnsi('\x1b[?2004h bracketed paste mode \x1b[?2004l'), ' bracketed paste mode ');
+});
+
+test('stripAnsi: removes cursor movement and erase sequences', () => {
+  assert.equal(stripAnsi('\x1b[5;10HY'), 'Y');   // cursor to row 5, col 10, then char
+  assert.equal(stripAnsi('\x1b[2K'), '');          // erase entire line
+  assert.equal(stripAnsi('\x1b[1A'), '');          // cursor up 1
+  assert.equal(stripAnsi('\x1b[G'), '');           // cursor to column 1
+});
+
+test('stripAnsi: removes two-char ESC sequences (save/restore cursor)', () => {
+  assert.equal(stripAnsi('\x1b7saved\x1b8'), 'saved');
+  assert.equal(stripAnsi('\x1bcReset'), 'Reset');
+});
+
+test('stripAnsi: removes OSC sequences (window title)', () => {
+  assert.equal(stripAnsi('\x1b]0;My Terminal\x07normal'), 'normal');
+  assert.equal(stripAnsi('\x1b]2;Title\x1b\\text'), 'text');
+});
+
+test('stripAnsi: strips \\r (carriage return)', () => {
+  assert.equal(stripAnsi('hello\rworld'), 'helloworld');
+});
+
+test('stripAnsi: passes through plain text unchanged', () => {
+  assert.equal(stripAnsi('Auth complete.'), 'Auth complete.');
+  assert.equal(stripAnsi(''), '');
+});
+
+// ─── processLine (carriage-return collapse) ───────────────────────────────────
+
+test('processLine: returns last \\r-frame (final typewriter state)', () => {
+  // This is the core fix. Typewriter animation builds text with \r between frames.
+  const input = '│  Y\r│  Yo\r│  You\r│  You \r│  You are running in a remote environment';
+  assert.equal(processLine(input), '│  You are running in a remote environment');
+});
+
+test('processLine: collapses spinner animation to final frame', () => {
+  assert.equal(processLine('⠋ Waiting\r⠙ Waiting\r⠹ Waiting\r⠸ Done'), '⠸ Done');
+});
+
+test('processLine: returns line unchanged if no \\r present', () => {
+  assert.equal(processLine('Auth complete.'), 'Auth complete.');
+  assert.equal(processLine(''), '');
+});
+
+test('processLine: handles trailing \\r (line ending with empty final frame)', () => {
+  // \r at end → final frame is empty string; processLine returns ''
+  assert.equal(processLine('clear this\r'), '');
+});
+
+// ─── emitLine classification ──────────────────────────────────────────────────
+
+test('classify: detects OAuth URLs', () => {
+  assert.equal(classify('https://auth.openai.com/oauth/authorize?foo=bar'), 'url');
+  assert.equal(classify('  → https://auth.openai.com/oauth/authorize?foo=bar  '), 'url');
+  assert.equal(classify('\x1b[36mhttps://example.com/auth\x1b[0m'), 'url');
+});
+
+test('classify: suppresses OpenClaw branding', () => {
+  assert.equal(classify('Starting OpenClaw gateway...'), 'suppress');
+  assert.equal(classify('openclaw v1.2.3'), 'suppress');
+  assert.equal(classify('  OpenClaw ready  '), 'suppress');
+});
+
+test('classify: suppresses pure TUI chrome — spinner chars', () => {
+  assert.equal(classify('⠋'), 'suppress');
+  assert.equal(classify('⠙'), 'suppress');
+  assert.equal(classify('⠹ '), 'suppress');  // spinner + whitespace
+});
+
+test('classify: suppresses pure TUI chrome — box-drawing and clack decorations', () => {
+  assert.equal(classify('│'), 'suppress');        // box drawing
+  assert.equal(classify('◇'), 'suppress');        // clack diamond
+  assert.equal(classify('●'), 'suppress');        // clack bullet
+  assert.equal(classify('─────'), 'suppress');    // horizontal rule
+  assert.equal(classify('  '), 'suppress');       // whitespace only
+  assert.equal(classify(''), 'suppress');         // empty
+});
+
+test('classify: suppresses lines with ANSI that reduce to chrome', () => {
+  // \x1b[?25l is "hide cursor" — stripping it leaves empty string
+  assert.equal(classify('\x1b[?25l'), 'suppress');
+  assert.equal(classify('\x1b[?25l◇\x1b[?25h'), 'suppress');
+});
+
+test('classify: shows actual text prompts (the lines we want to preserve)', () => {
+  assert.equal(classify('│  You are running in a remote environment'), 'show');
+  assert.equal(classify('Auth complete. Model connected.'), 'show');
+  assert.equal(classify('If the browser did not open, paste the callback URL:'), 'show');
+  assert.equal(classify('✓ Authentication successful'), 'show');
+});
+
+// ─── Full pipeline: typewriter animation ─────────────────────────────────────
+
+test('full pipeline: typewriter animation collapses to single clean line', () => {
+  // Simulate the exact failure pattern from the bug report.
+  // OpenClaw writes text character-by-character with \r between frames,
+  // terminated by \n when the message is complete.
+  const buffer = '│  Y\r│  Yo\r│  You\r│  You \r│  You are running in a remote environment\n';
+
+  // handleData splits on \n only
+  const lines = buffer.split(/\r?\n/);
+  lines.pop(); // drop trailing empty after final \n
+
+  const results = lines.map((raw) => {
+    const frame = processLine(raw);
+    return { frame, decision: classify(frame) };
+  });
+
+  // Should produce exactly one output, fully formed
+  assert.equal(results.length, 1);
+  assert.equal(results[0].frame, '│  You are running in a remote environment');
+  assert.equal(results[0].decision, 'show');
+});
+
+test('full pipeline: spinner-only animation is suppressed after collapse', () => {
+  // Spinner that ends without a meaningful final state (pure decoration)
+  const buffer = '⠋\r⠙\r⠹\r⠸\r⠼\r\n';
+
+  const lines = buffer.split(/\r?\n/);
+  lines.pop();
+
+  const results = lines.map((raw) => {
+    const frame = processLine(raw);
+    return classify(frame);
+  });
+
+  assert.deepEqual(results, ['suppress']);
+});
+
+test('full pipeline: URL line is extracted and not double-printed', () => {
+  const buffer = 'Open: https://auth.openai.com/oauth/authorize?response_type=code&client_id=app\n';
+
+  const lines = buffer.split(/\r?\n/);
+  lines.pop();
+
+  const [raw] = lines;
+  const frame = processLine(raw);
+  assert.equal(classify(frame), 'url');
+});