lobstakit-cloud 1.0.0

package/server.js

@@ -0,0 +1,1357 @@
+/**
+ * LobstaKit Cloud — Express Server
+ * 
+ * Setup wizard and management proxy for LobstaCloud gateways.
+ * 
+ * When unconfigured: serves the setup wizard UI
+ * When configured: reverse-proxies to the OpenClaw gateway on port 3001
+ *                  except /manage routes which always serve the dashboard
+ */
+
+const express = require('express');
+const path = require('path');
+const { execSync, exec } = require('child_process');
+const fs = require('fs');
+const crypto = require('crypto');
+const config = require('./lib/config');
+const gateway = require('./lib/gateway');
+const proxyMiddleware = require('./lib/proxy');
+
+const app = express();
+const PORT = process.env.PORT || 3000;
+
+// ─── Dashboard Authentication ────────────────────────────────────────────────
+
+const LOBSTAKIT_CONFIG_PATH = require('os').homedir() + '/.lobstakit/config.json';
+const LOBSTAKIT_PROVISION_PATH = require('os').homedir() + '/.lobstakit/provision.json';
+
+function getLobstaKitConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(LOBSTAKIT_CONFIG_PATH, 'utf8'));
+  } catch(e) {
+    return {};
+  }
+}
+
+function getProvisionData() {
+  try {
+    return JSON.parse(fs.readFileSync(LOBSTAKIT_PROVISION_PATH, 'utf8'));
+  } catch(e) {
+    return null;
+  }
+}
+
+function saveLobstaKitConfig(cfg) {
+  const dir = path.dirname(LOBSTAKIT_CONFIG_PATH);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(LOBSTAKIT_CONFIG_PATH, JSON.stringify(cfg, null, 2));
+}
+
+// Active sessions (in-memory, cleared on restart)
+const activeSessions = new Map();
+
+// Auth middleware — protect API routes (except auth endpoints, health, and static files)
+function requireAuth(req, res, next) {
+  const publicPaths = ['/api/auth/login', '/api/auth/setup', '/api/auth/status', '/api/health', '/api/provision'];
+  if (publicPaths.some(p => req.path === p)) return next();
+
+  // Only protect API routes
+  if (!req.path.startsWith('/api/')) return next();
+
+  const lobstaConfig = getLobstaKitConfig();
+  // If no password set yet, allow all (setup flow)
+  if (!lobstaConfig.passwordHash) return next();
+
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  if (!token || !activeSessions.has(token)) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+  next();
+}
+
+// Parse JSON bodies
+app.use(express.json());
+
+// ─── Static Files (before auth — login page must be accessible) ──────────────
+
+app.use(express.static(path.join(__dirname, 'public')));
+
+// ─── Auth API Routes (no auth required) ──────────────────────────────────────
+
+// POST /api/auth/setup — set initial email + password (only works if no password set)
+app.post('/api/auth/setup', (req, res) => {
+  const lobstaConfig = getLobstaKitConfig();
+  if (lobstaConfig.passwordHash) {
+    return res.status(403).json({ error: 'Account already set up. Use /api/auth/change to update.' });
+  }
+  let { email, password } = req.body;
+
+  // Fallback to provision email if not provided
+  if (!email) {
+    const provision = getProvisionData();
+    if (provision && provision.email) {
+      email = provision.email;
+    }
+  }
+
+  if (!email || !email.includes('@')) {
+    return res.status(400).json({ error: 'A valid email address is required' });
+  }
+  if (!password || password.length < 6) {
+    return res.status(400).json({ error: 'Password must be at least 6 characters' });
+  }
+  const salt = crypto.randomBytes(16).toString('hex');
+  const hash = crypto.scryptSync(password, salt, 64).toString('hex');
+  lobstaConfig.email = email.toLowerCase().trim();
+  lobstaConfig.passwordHash = hash;
+  lobstaConfig.passwordSalt = salt;
+  lobstaConfig.sessionSecret = crypto.randomBytes(32).toString('hex');
+  lobstaConfig.setupComplete = true;
+  saveLobstaKitConfig(lobstaConfig);
+
+  // Auto-login after setup
+  const sessionToken = crypto.randomBytes(32).toString('hex');
+  activeSessions.set(sessionToken, { created: Date.now(), ip: req.ip });
+
+  res.json({ status: 'ok', token: sessionToken });
+});
+
+// POST /api/auth/login — authenticate with email + password
+app.post('/api/auth/login', (req, res) => {
+  const lobstaConfig = getLobstaKitConfig();
+  if (!lobstaConfig.passwordHash) {
+    return res.status(400).json({ error: 'No account set up. Complete setup first.' });
+  }
+  const { email, password } = req.body;
+
+  // Verify email matches (case-insensitive)
+  const storedEmail = (lobstaConfig.email || '').toLowerCase().trim();
+  const providedEmail = (email || '').toLowerCase().trim();
+  if (!providedEmail || providedEmail !== storedEmail) {
+    return res.status(401).json({ error: 'Incorrect email or password' });
+  }
+
+  // Verify password
+  const hash = crypto.scryptSync(password || '', lobstaConfig.passwordSalt, 64).toString('hex');
+  if (hash !== lobstaConfig.passwordHash) {
+    return res.status(401).json({ error: 'Incorrect email or password' });
+  }
+
+  const sessionToken = crypto.randomBytes(32).toString('hex');
+  activeSessions.set(sessionToken, { created: Date.now(), ip: req.ip });
+
+  // Clean old sessions (keep max 10)
+  if (activeSessions.size > 10) {
+    const oldest = [...activeSessions.entries()].sort((a, b) => a[1].created - b[1].created);
+    activeSessions.delete(oldest[0][0]);
+  }
+
+  res.json({ status: 'ok', token: sessionToken });
+});
+
+// POST /api/auth/logout
+app.post('/api/auth/logout', (req, res) => {
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  if (token) activeSessions.delete(token);
+  res.json({ status: 'ok' });
+});
+
+// GET /api/auth/status — check if auth is configured and if current session is valid
+app.get('/api/auth/status', (req, res) => {
+  const lobstaConfig = getLobstaKitConfig();
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  const isAuthenticated = token && activeSessions.has(token);
+  const response = {
+    setupComplete: !!lobstaConfig.setupComplete,
+    passwordSet: !!lobstaConfig.passwordHash,
+    authenticated: isAuthenticated
+  };
+  // Include email for login pre-fill (always — it's just an email, not a secret)
+  if (lobstaConfig.email) {
+    response.email = lobstaConfig.email;
+  }
+  res.json(response);
+});
+
+// POST /api/auth/change — change password and/or email (requires current password)
+app.post('/api/auth/change', (req, res) => {
+  const lobstaConfig = getLobstaKitConfig();
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  if (!token || !activeSessions.has(token)) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+
+  const { currentPassword, newPassword, newEmail } = req.body;
+  if (!lobstaConfig.passwordHash) return res.status(400).json({ error: 'No account set up' });
+
+  const hash = crypto.scryptSync(currentPassword, lobstaConfig.passwordSalt, 64).toString('hex');
+  if (hash !== lobstaConfig.passwordHash) return res.status(401).json({ error: 'Incorrect current password' });
+
+  // Update email if provided
+  if (newEmail !== undefined && newEmail !== null) {
+    if (!newEmail || !newEmail.includes('@')) {
+      return res.status(400).json({ error: 'Invalid email address' });
+    }
+    lobstaConfig.email = newEmail.toLowerCase().trim();
+  }
+
+  // Update password if provided
+  if (newPassword) {
+    if (newPassword.length < 6) return res.status(400).json({ error: 'New password must be at least 6 characters' });
+    const salt = crypto.randomBytes(16).toString('hex');
+    lobstaConfig.passwordHash = crypto.scryptSync(newPassword, salt, 64).toString('hex');
+    lobstaConfig.passwordSalt = salt;
+  }
+
+  saveLobstaKitConfig(lobstaConfig);
+
+  // Invalidate all sessions if password changed
+  if (newPassword) {
+    activeSessions.clear();
+  }
+
+  res.json({ status: 'ok' });
+});
+
+// GET /api/provision — return provisioning data (email, subdomain, plan) if available
+app.get('/api/provision', (req, res) => {
+  const provision = getProvisionData();
+  if (provision) {
+    res.json({ provisioned: true, email: provision.email || null, subdomain: provision.subdomain || null, plan: provision.plan || null });
+  } else {
+    res.json({ provisioned: false });
+  }
+});
+
+// ─── Auth Middleware (protects all subsequent API routes) ─────────────────────
+
+app.use(requireAuth);
+
+// ─── API Routes (always available) ──────────────────────────────────────────
+
+/**
+ * GET /api/status — Current configuration and gateway status
+ */
+app.get('/api/status', (req, res) => {
+  const configured = config.isConfigured();
+  const running = gateway.isGatewayRunning();
+  const subdomain = config.getSubdomain();
+  const currentConfig = config.readConfig();
+
+  // Detect active channels
+  let channel = 'web';
+  if (currentConfig?.channels?.telegram?.enabled) channel = 'telegram';
+  else if (currentConfig?.channels?.discord?.enabled) channel = 'discord';
+
+  res.json({
+    configured,
+    gatewayRunning: running,
+    subdomain,
+    model: currentConfig?.agents?.defaults?.model?.primary || null,
+    channel
+  });
+});
+
+/**
+ * POST /api/setup — Accept wizard data, write config, start gateway
+ */
+app.post('/api/setup', async (req, res) => {
+  try {
+    const { apiKey, model, channel, telegramBotToken, telegramUserId, discordBotToken, discordServerId, privateMemory } = req.body;
+
+    // Validate required fields
+    if (!apiKey || !model) {
+      return res.status(400).json({
+        error: 'Missing required fields',
+        details: {
+          apiKey: !apiKey ? 'Required' : null,
+          model: !model ? 'Required' : null
+        }
+      });
+    }
+
+    const selectedChannel = channel || 'web';
+
+    // Validate channel-specific fields
+    if (selectedChannel === 'telegram') {
+      if (!telegramBotToken || !telegramUserId) {
+        return res.status(400).json({
+          error: 'Telegram bot token and user ID are required'
+        });
+      }
+      if (!/^\d+:[A-Za-z0-9_-]+$/.test(telegramBotToken)) {
+        return res.status(400).json({
+          error: 'Invalid Telegram bot token format'
+        });
+      }
+    } else if (selectedChannel === 'discord') {
+      if (!discordBotToken || !discordServerId) {
+        return res.status(400).json({
+          error: 'Discord bot token and server ID are required'
+        });
+      }
+    }
+
+    // Write the config
+    config.writeConfig({ apiKey, model, channel: selectedChannel, telegramBotToken, telegramUserId, discordBotToken, discordServerId, privateMemory });
+
+    // Restart the gateway to pick up the new config
+    const result = gateway.restartGateway();
+
+    if (!result.success) {
+      // Config is written but gateway failed to start
+      return res.status(500).json({
+        error: 'Config saved but gateway failed to start',
+        details: result.error
+      });
+    }
+
+    // Wait a moment for the gateway to initialize
+    await new Promise(resolve => setTimeout(resolve, 2000));
+
+    const running = gateway.isGatewayRunning();
+
+    res.json({
+      success: true,
+      gatewayRunning: running,
+      message: running
+        ? 'Configuration saved and gateway started successfully!'
+        : 'Configuration saved. Gateway is starting up...'
+    });
+  } catch (err) {
+    console.error('[setup] Error:', err);
+    res.status(500).json({ error: 'Setup failed', details: err.message });
+  }
+});
+
+/**
+ * POST /api/restart — Restart the gateway service
+ */
+app.post('/api/restart', (req, res) => {
+  const result = gateway.restartGateway();
+  res.json({
+    success: result.success,
+    gatewayRunning: gateway.isGatewayRunning(),
+    error: result.error || null
+  });
+});
+
+/**
+ * GET /api/gateway-status — Check if gateway is running
+ */
+app.get('/api/gateway-status', (req, res) => {
+  res.json({
+    running: gateway.isGatewayRunning()
+  });
+});
+
+/**
+ * GET /api/logs — Get recent gateway logs
+ */
+app.get('/api/logs', (req, res) => {
+  const lines = parseInt(req.query.lines) || 50;
+  const logs = gateway.getGatewayLogs(Math.min(lines, 200));
+  res.json({ logs });
+});
+
+// ─── Security API Routes ─────────────────────────────────────────────────────
+
+/**
+ * GET /api/security/status — Check all security components
+ */
+app.get('/api/security/status', (req, res) => {
+  const status = {};
+
+  // Check UFW firewall
+  try {
+    const ufwOutput = execSync('ufw status 2>/dev/null', { stdio: 'pipe', timeout: 5000 }).toString();
+    status.firewall = { installed: true, active: ufwOutput.includes('Status: active') };
+  } catch {
+    try {
+      execSync('command -v ufw', { stdio: 'pipe' });
+      status.firewall = { installed: true, active: false };
+    } catch {
+      status.firewall = { installed: false, active: false };
+    }
+  }
+
+  // Check fail2ban
+  try {
+    const f2bState = execSync('systemctl is-active fail2ban 2>/dev/null', { stdio: 'pipe', timeout: 5000 }).toString().trim();
+    status.fail2ban = { installed: true, active: f2bState === 'active' };
+  } catch {
+    try {
+      execSync('command -v fail2ban-client', { stdio: 'pipe' });
+      status.fail2ban = { installed: true, active: false };
+    } catch {
+      status.fail2ban = { installed: false, active: false };
+    }
+  }
+
+  // Check SSH hardened (our config file exists)
+  try {
+    status.ssh = { hardened: fs.existsSync('/etc/ssh/sshd_config.d/lobstacloud.conf') };
+  } catch {
+    status.ssh = { hardened: false };
+  }
+
+  // Check kernel hardening
+  try {
+    status.kernel = { hardened: fs.existsSync('/etc/sysctl.d/99-lobstacloud.conf') };
+  } catch {
+    status.kernel = { hardened: false };
+  }
+
+  // Check unattended-upgrades
+  try {
+    execSync('dpkg -l unattended-upgrades 2>/dev/null | grep -q "^ii"', { stdio: 'pipe', timeout: 5000 });
+    status.autoUpdates = { installed: true };
+  } catch {
+    status.autoUpdates = { installed: false };
+  }
+
+  // Check Tailscale
+  try {
+    execSync('command -v tailscale', { stdio: 'pipe' });
+    status.tailscale = { installed: true };
+  } catch {
+    status.tailscale = { installed: false };
+  }
+
+  // Calculate score
+  const checks = [
+    status.firewall.active,
+    status.fail2ban.active,
+    status.ssh.hardened,
+    status.kernel.hardened,
+    status.autoUpdates.installed,
+    status.tailscale.installed
+  ];
+  status.score = { passed: checks.filter(Boolean).length, total: checks.length };
+
+  res.json(status);
+});
+
+/**
+ * POST /api/security/harden — Run the full hardening script on demand
+ */
+app.post('/api/security/harden', (req, res) => {
+  const results = [];
+  const { installTailscale = true } = req.body || {};
+  const aptEnv = { ...process.env, DEBIAN_FRONTEND: 'noninteractive' };
+
+  function runStep(label, fn) {
+    try {
+      fn();
+      results.push({ step: label, success: true });
+    } catch (e) {
+      const errStr = e.stderr ? e.stderr.toString() : e.message;
+      results.push({ step: label, success: false, error: errStr.slice(0, 300) });
+    }
+  }
+
+  // 1. SSH Hardening
+  runStep('SSH Hardening', () => {
+    const sshConfig = [
+      'PermitRootLogin prohibit-password',
+      'PasswordAuthentication no',
+      'PermitEmptyPasswords no',
+      'PubkeyAuthentication yes',
+      'MaxAuthTries 3',
+      'LoginGraceTime 30',
+      'ClientAliveInterval 300',
+      'ClientAliveCountMax 2',
+      'X11Forwarding no',
+      'AllowAgentForwarding no',
+      'AllowTcpForwarding no'
+    ].join('\n') + '\n';
+    fs.mkdirSync('/etc/ssh/sshd_config.d', { recursive: true });
+    fs.writeFileSync('/etc/ssh/sshd_config.d/lobstacloud.conf', sshConfig);
+    execSync('sshd -t && systemctl reload ssh', { stdio: 'pipe', timeout: 10000 });
+  });
+
+  // 2. Firewall (UFW)
+  runStep('Firewall (UFW)', () => {
+    execSync('apt-get install -y -qq ufw', { stdio: 'pipe', timeout: 120000, env: aptEnv });
+    execSync('ufw default deny incoming', { stdio: 'pipe', timeout: 5000 });
+    execSync('ufw default allow outgoing', { stdio: 'pipe', timeout: 5000 });
+    execSync("ufw allow 22/tcp comment 'SSH'", { stdio: 'pipe', timeout: 5000 });
+    execSync("ufw allow 80/tcp comment 'HTTP (Caddy)'", { stdio: 'pipe', timeout: 5000 });
+    execSync("ufw allow 443/tcp comment 'HTTPS (Caddy)'", { stdio: 'pipe', timeout: 5000 });
+    execSync('ufw --force enable', { stdio: 'pipe', timeout: 10000 });
+  });
+
+  // 3. Fail2ban
+  runStep('Fail2ban', () => {
+    execSync('apt-get install -y -qq fail2ban', { stdio: 'pipe', timeout: 120000, env: aptEnv });
+    const f2bConfig = [
+      '[DEFAULT]',
+      'bantime = 1h',
+      'findtime = 10m',
+      'maxretry = 3',
+      '',
+      '[sshd]',
+      'enabled = true',
+      'port = ssh',
+      'logpath = /var/log/auth.log',
+      'maxretry = 3',
+      'bantime = 24h'
+    ].join('\n') + '\n';
+    fs.writeFileSync('/etc/fail2ban/jail.local', f2bConfig);
+    execSync('systemctl enable --now fail2ban', { stdio: 'pipe', timeout: 15000 });
+  });
+
+  // 4. Auto security updates
+  runStep('Auto Security Updates', () => {
+    execSync('apt-get install -y -qq unattended-upgrades', { stdio: 'pipe', timeout: 120000, env: aptEnv });
+    const autoConfig = [
+      'APT::Periodic::Update-Package-Lists "1";',
+      'APT::Periodic::Unattended-Upgrade "1";',
+      'APT::Periodic::AutocleanInterval "7";'
+    ].join('\n') + '\n';
+    fs.writeFileSync('/etc/apt/apt.conf.d/20auto-upgrades', autoConfig);
+  });
+
+  // 5. Kernel hardening
+  runStep('Kernel Hardening', () => {
+    const sysctlConfig = [
+      'net.ipv4.ip_forward = 0',
+      'net.ipv4.conf.all.accept_redirects = 0',
+      'net.ipv4.conf.default.accept_redirects = 0',
+      'net.ipv4.conf.all.send_redirects = 0',
+      'net.ipv4.tcp_syncookies = 1',
+      'net.ipv4.conf.all.log_martians = 1',
+      'net.ipv4.conf.all.accept_source_route = 0',
+      'net.ipv4.conf.all.rp_filter = 1'
+    ].join('\n') + '\n';
+    fs.writeFileSync('/etc/sysctl.d/99-lobstacloud.conf', sysctlConfig);
+    execSync('sysctl -p /etc/sysctl.d/99-lobstacloud.conf 2>/dev/null', { stdio: 'pipe', timeout: 10000 });
+  });
+
+  // 6. Tailscale (optional)
+  if (installTailscale) {
+    runStep('Install Tailscale', () => {
+      try {
+        execSync('command -v tailscale', { stdio: 'pipe' });
+        // Already installed — skip
+      } catch {
+        execSync('curl -fsSL https://tailscale.com/install.sh | sh', { stdio: 'pipe', timeout: 120000 });
+      }
+    });
+  }
+
+  const passed = results.filter(r => r.success).length;
+  console.log(`[security] Harden complete: ${passed}/${results.length} steps succeeded`);
+
+  res.json({
+    success: passed === results.length,
+    results,
+    summary: `${passed}/${results.length} steps completed successfully`
+  });
+});
+
+// ─── Memory API Routes ────────────────────────────────────────────────────────
+
+/**
+ * GET /api/memory/status — Check current memory embedding config
+ */
+app.get('/api/memory/status', (req, res) => {
+  try {
+    const currentConfig = config.readConfig();
+    const memorySearch = currentConfig?.agents?.defaults?.memorySearch;
+    const provider = memorySearch?.provider || 'auto';
+    const isPrivate = provider === 'local';
+
+    // Check if local model file exists
+    const modelPath = '/root/.node-llama-cpp/models/hf_ggml-org_embeddinggemma-300M-GGUF/embeddinggemma-300M-Q8_0.gguf';
+    const modelDownloaded = fs.existsSync(modelPath);
+
+    let modelSize = '313MB';
+    if (modelDownloaded) {
+      try {
+        const stats = fs.statSync(modelPath);
+        modelSize = Math.round(stats.size / 1024 / 1024) + 'MB';
+      } catch {}
+    }
+
+    // Check if memory plugin is active
+    const memoryPlugin = currentConfig?.plugins?.slots?.memory;
+    const memoryEnabled = memoryPlugin === 'memory-core' || memoryPlugin === undefined; // default is memory-core
+
+    res.json({
+      provider,
+      isPrivate,
+      modelDownloaded,
+      modelSize,
+      memoryEnabled,
+      modelName: 'embeddinggemma-300M'
+    });
+  } catch (err) {
+    console.error('[memory] Status check error:', err);
+    res.status(500).json({ error: 'Failed to check memory status' });
+  }
+});
+
+/**
+ * POST /api/memory/toggle — Switch between local and remote memory embeddings
+ */
+app.post('/api/memory/toggle', (req, res) => {
+  try {
+    const { mode } = req.body;
+
+    if (!mode || !['local', 'remote'].includes(mode)) {
+      return res.status(400).json({ error: 'Mode must be "local" or "remote"' });
+    }
+
+    const currentConfig = config.readConfig();
+    if (!currentConfig) {
+      return res.status(400).json({ error: 'Gateway not configured. Run setup first.' });
+    }
+
+    // Ensure agents.defaults exists
+    if (!currentConfig.agents) currentConfig.agents = {};
+    if (!currentConfig.agents.defaults) currentConfig.agents.defaults = {};
+
+    if (mode === 'local') {
+      currentConfig.agents.defaults.memorySearch = {
+        provider: 'local',
+        fallback: 'none',
+        local: {
+          modelPath: 'hf:ggml-org/embeddinggemma-300M-GGUF/embeddinggemma-300M-Q8_0.gguf'
+        },
+        query: {
+          hybrid: {
+            enabled: true,
+            vectorWeight: 0.7,
+            textWeight: 0.3
+          }
+        },
+        cache: {
+          enabled: true,
+          maxEntries: 50000
+        }
+      };
+    } else {
+      // Remote mode — remove memorySearch entirely (auto-detect)
+      delete currentConfig.agents.defaults.memorySearch;
+    }
+
+    // Write config
+    config.writeRawConfig(currentConfig);
+
+    // Restart gateway to pick up changes
+    const result = gateway.restartGateway();
+
+    console.log(`[memory] Switched to ${mode} mode`);
+
+    res.json({
+      success: true,
+      mode,
+      isPrivate: mode === 'local',
+      message: `Memory embeddings switched to ${mode === 'local' ? 'private (local)' : 'cloud'} mode` +
+        (result.success ? ' and gateway restarted' : ' (gateway restart pending)')
+    });
+  } catch (err) {
+    console.error('[memory] Toggle error:', err);
+    res.status(500).json({ error: 'Failed to toggle memory mode', details: err.message });
+  }
+});
+
+/**
+ * POST /api/memory/download — Trigger model download
+ */
+app.post('/api/memory/download', (req, res) => {
+  const os = require('os');
+  const modelDir = path.join(os.homedir(), '.node-llama-cpp', 'models', 'hf_ggml-org_embeddinggemma-300M-GGUF');
+  const modelFile = path.join(modelDir, 'embeddinggemma-300M-Q8_0.gguf');
+  const partFile = modelFile + '.part';
+
+  if (fs.existsSync(modelFile)) {
+    const size = fs.statSync(modelFile).size;
+    return res.json({ status: 'already_downloaded', size });
+  }
+
+  // Respond immediately, download in background
+  res.json({ status: 'downloading' });
+
+  // Download to .part file, then rename on completion
+  const url = 'https://huggingface.co/ggml-org/embeddinggemma-300M-GGUF/resolve/main/embeddinggemma-300M-Q8_0.gguf';
+  exec(`mkdir -p "${modelDir}" && curl -L -o "${partFile}" "${url}" && mv "${partFile}" "${modelFile}"`, (err) => {
+    if (err) {
+      console.error('[memory] Model download failed:', err.message);
+      try { fs.unlinkSync(partFile); } catch (e) {}
+    } else {
+      console.log('[memory] Model downloaded successfully to', modelFile);
+    }
+  });
+});
+
+/**
+ * GET /api/memory/download/status — Check model download progress
+ */
+app.get('/api/memory/download/status', (req, res) => {
+  const os = require('os');
+  const modelDir = path.join(os.homedir(), '.node-llama-cpp', 'models', 'hf_ggml-org_embeddinggemma-300M-GGUF');
+  const modelFile = path.join(modelDir, 'embeddinggemma-300M-Q8_0.gguf');
+  const partFile = modelFile + '.part';
+
+  if (fs.existsSync(modelFile)) {
+    const size = fs.statSync(modelFile).size;
+    return res.json({
+      status: 'downloaded',
+      size,
+      sizeHuman: (size / 1024 / 1024).toFixed(0) + 'MB'
+    });
+  }
+
+  if (fs.existsSync(partFile)) {
+    try {
+      const size = fs.statSync(partFile).size;
+      const total = 328576992; // known file size ~313MB
+      const progress = Math.min(99, Math.round((size / total) * 100));
+      return res.json({
+        status: 'downloading',
+        progress,
+        downloaded: size,
+        total
+      });
+    } catch (e) {
+      return res.json({ status: 'downloading', progress: 0 });
+    }
+  }
+
+  return res.json({ status: 'not_downloaded' });
+});
+
+// ─── Channel Management API Routes ───────────────────────────────────────────
+
+/**
+ * GET /api/channels — List all available channels with status
+ */
+app.get('/api/channels', (req, res) => {
+  const currentConfig = config.readConfig();
+  const channels = currentConfig?.channels || {};
+
+  const channelList = [
+    {
+      id: 'web',
+      name: 'Web Chat',
+      icon: '🌐',
+      configured: true,
+      status: 'connected',
+      details: { summary: 'Built-in — always active' }
+    },
+    {
+      id: 'telegram',
+      name: 'Telegram',
+      icon: '📱',
+      configured: !!channels.telegram?.enabled,
+      status: channels.telegram?.enabled ? 'connected' : 'not_configured',
+      details: channels.telegram?.enabled ? {
+        summary: 'Bot token configured',
+        allowFrom: channels.telegram.allowFrom || []
+      } : {}
+    },
+    {
+      id: 'discord',
+      name: 'Discord',
+      icon: '🎮',
+      configured: !!channels.discord?.enabled,
+      status: channels.discord?.enabled ? 'connected' : 'not_configured',
+      details: channels.discord?.enabled ? {
+        summary: 'Bot connected',
+        allowedGuilds: channels.discord.allowedGuilds || []
+      } : {}
+    }
+  ];
+
+  res.json({ channels: channelList });
+});
+
+/**
+ * POST /api/channels/:type — Configure a channel
+ */
+app.post('/api/channels/:type', async (req, res) => {
+  try {
+    const { type } = req.params;
+
+    if (!['telegram', 'discord'].includes(type)) {
+      return res.status(400).json({ error: 'Unsupported channel type: ' + type });
+    }
+
+    const currentConfig = config.readConfig();
+    if (!currentConfig) {
+      return res.status(400).json({ error: 'Gateway not configured. Run setup first.' });
+    }
+
+    if (!currentConfig.channels) {
+      currentConfig.channels = {};
+    }
+
+    if (type === 'telegram') {
+      const { botToken, userId } = req.body;
+      if (!botToken || !userId) {
+        return res.status(400).json({ error: 'Bot token and user ID are required' });
+      }
+      if (!/^\d+:[A-Za-z0-9_-]+$/.test(botToken)) {
+        return res.status(400).json({ error: 'Invalid Telegram bot token format' });
+      }
+      currentConfig.channels.telegram = {
+        enabled: true,
+        botToken,
+        allowFrom: [userId],
+        dmPolicy: 'allowlist'
+      };
+    } else if (type === 'discord') {
+      const { botToken, serverId } = req.body;
+      if (!botToken || !serverId) {
+        return res.status(400).json({ error: 'Bot token and server ID are required' });
+      }
+      currentConfig.channels.discord = {
+        enabled: true,
+        botToken,
+        allowedGuilds: [serverId]
+      };
+    }
+
+    // Write updated config
+    config.writeRawConfig(currentConfig);
+
+    // Restart gateway to pick up changes
+    const result = gateway.restartGateway();
+
+    res.json({
+      success: true,
+      message: type.charAt(0).toUpperCase() + type.slice(1) + ' channel configured' + (result.success ? ' and gateway restarted' : ' (gateway restart pending)')
+    });
+  } catch (err) {
+    console.error('[channels] POST error:', err);
+    res.status(500).json({ error: 'Failed to configure channel', details: err.message });
+  }
+});
+
+/**
+ * DELETE /api/channels/:type — Remove a channel
+ */
+app.delete('/api/channels/:type', async (req, res) => {
+  try {
+    const { type } = req.params;
+
+    if (!['telegram', 'discord'].includes(type)) {
+      return res.status(400).json({ error: 'Unsupported channel type: ' + type });
+    }
+
+    const currentConfig = config.readConfig();
+    if (!currentConfig || !currentConfig.channels) {
+      return res.status(400).json({ error: 'No channels configured' });
+    }
+
+    if (currentConfig.channels[type]) {
+      delete currentConfig.channels[type];
+    }
+
+    // Write updated config
+    config.writeRawConfig(currentConfig);
+
+    // Restart gateway
+    const result = gateway.restartGateway();
+
+    res.json({
+      success: true,
+      message: type.charAt(0).toUpperCase() + type.slice(1) + ' channel removed' + (result.success ? ' and gateway restarted' : '')
+    });
+  } catch (err) {
+    console.error('[channels] DELETE error:', err);
+    res.status(500).json({ error: 'Failed to remove channel', details: err.message });
+  }
+});
+
+// ─── Tailscale API Routes ────────────────────────────────────────────────────
+
+/**
+ * GET /api/tailscale/status — Check Tailscale connection status
+ */
+app.get('/api/tailscale/status', (req, res) => {
+  try {
+    // Check if tailscale is installed
+    try {
+      execSync('command -v tailscale', { stdio: 'pipe' });
+    } catch {
+      return res.json({
+        installed: false,
+        connected: false,
+        status: 'not_installed',
+        message: 'Tailscale is not installed'
+      });
+    }
+
+    // Get tailscale status
+    try {
+      const output = execSync('tailscale status --json 2>/dev/null', {
+        stdio: 'pipe',
+        timeout: 10000
+      }).toString();
+      const statusData = JSON.parse(output);
+
+      const backendState = statusData.BackendState || 'Unknown';
+      const connected = backendState === 'Running';
+      const selfNode = statusData.Self || {};
+      const hostname = selfNode.HostName || null;
+      const tailscaleIPs = selfNode.TailscaleIPs || [];
+      const online = selfNode.Online || false;
+
+      // Build response
+      const response = {
+        installed: true,
+        connected,
+        online,
+        status: backendState.toLowerCase(),
+        hostname,
+        tailscaleIPs,
+        message: connected ? `Connected as ${hostname || 'unknown'}` : `State: ${backendState}`
+      };
+
+      // Add serve info if connected
+      if (connected) {
+        let serveActive = false;
+        try {
+          const serveOutput = execSync('tailscale serve status 2>&1', {
+            stdio: 'pipe',
+            timeout: 5000
+          }).toString().trim();
+          serveActive = serveOutput && !serveOutput.includes('No serve config');
+        } catch (e) {
+          // serve status command failed — treat as not active
+        }
+
+        const dnsName = (selfNode.DNSName || '').replace(/\.$/, '') || null;
+
+        let gatewayToken = null;
+        const os = require('os');
+        const cfgPaths = [
+          os.homedir() + '/.clawdbot/clawdbot.json',
+          os.homedir() + '/.openclaw/openclaw.json'
+        ];
+        const cfgPath = cfgPaths.find(p => fs.existsSync(p));
+        if (cfgPath) {
+          try {
+            const cfg = JSON.parse(fs.readFileSync(cfgPath, 'utf8'));
+            gatewayToken = cfg.gateway?.auth?.token || null;
+          } catch (e) {}
+        }
+
+        response.serve = {
+          active: serveActive,
+          dnsName,
+          url: dnsName ? `https://${dnsName}/` : null,
+          webchatUrl: dnsName && gatewayToken
+            ? `https://${dnsName}/?token=${gatewayToken}`
+            : (dnsName ? `https://${dnsName}/` : null)
+        };
+      }
+
+      return res.json(response);
+    } catch (e) {
+      // tailscale installed but not running / not logged in
+      return res.json({
+        installed: true,
+        connected: false,
+        status: 'stopped',
+        message: 'Tailscale is installed but not connected'
+      });
+    }
+  } catch (err) {
+    console.error('[tailscale] Status check error:', err);
+    res.status(500).json({ error: 'Failed to check Tailscale status' });
+  }
+});
+
+/**
+ * POST /api/tailscale/connect — Connect Tailscale with an auth key
+ */
+app.post('/api/tailscale/connect', (req, res) => {
+  try {
+    const { authKey } = req.body;
+
+    if (!authKey || typeof authKey !== 'string') {
+      return res.status(400).json({ error: 'Auth key is required' });
+    }
+
+    // Validate auth key format (tskey-auth-...)
+    if (!authKey.startsWith('tskey-auth-') && !authKey.startsWith('tskey-')) {
+      return res.status(400).json({
+        error: 'Invalid auth key format. Tailscale auth keys start with tskey-auth-'
+      });
+    }
+
+    // Check if tailscale is installed — auto-install if not
+    try {
+      execSync('command -v tailscale', { stdio: 'pipe' });
+    } catch {
+      try {
+        console.log('[tailscale] Not installed, auto-installing...');
+        execSync('curl -fsSL https://tailscale.com/install.sh | sh', {
+          stdio: 'pipe',
+          timeout: 120000
+        });
+        console.log('[tailscale] Auto-install completed');
+      } catch (installErr) {
+        const errMsg = installErr.stderr ? installErr.stderr.toString() : installErr.message;
+        return res.status(400).json({
+          error: 'Tailscale is not installed and auto-install failed.',
+          details: errMsg.slice(0, 300),
+          hint: 'Run manually: curl -fsSL https://tailscale.com/install.sh | sh'
+        });
+      }
+    }
+
+    // Run tailscale up with the auth key
+    try {
+      execSync(`tailscale up --authkey=${authKey} --accept-routes --accept-dns`, {
+        stdio: 'pipe',
+        timeout: 30000
+      });
+
+      // Verify connection and get self info
+      let connected = false;
+      let statusData = null;
+      try {
+        const output = execSync('tailscale status --json', {
+          stdio: 'pipe',
+          timeout: 10000
+        }).toString();
+        statusData = JSON.parse(output);
+        connected = statusData.BackendState === 'Running';
+      } catch (e) {
+        // Status check failed but connect might have succeeded
+      }
+
+      if (!connected || !statusData) {
+        return res.json({
+          success: true,
+          connected: false,
+          message: 'Tailscale auth key accepted. Connection establishing...'
+        });
+      }
+
+      const selfNode = statusData.Self || {};
+      const dnsName = (selfNode.DNSName || '').replace(/\.$/, '');
+      const hostName = selfNode.HostName || null;
+
+      // Read gateway config to get port and token
+      const os = require('os');
+      const configPaths = [
+        os.homedir() + '/.clawdbot/clawdbot.json',
+        os.homedir() + '/.openclaw/openclaw.json'
+      ];
+      let configPath = configPaths.find(p => fs.existsSync(p));
+      let gatewayPort = 18789;
+      let gatewayToken = null;
+
+      if (configPath) {
+        try {
+          const gwConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+          gatewayPort = gwConfig.gateway?.port || 18789;
+          gatewayToken = gwConfig.gateway?.auth?.token || null;
+        } catch (e) {
+          console.error('[tailscale] Config read error:', e.message);
+        }
+      }
+
+      // Set up Tailscale Serve to proxy gateway
+      let serveEnabled = false;
+      let serveError = null;
+      let serveEnableUrl = null;
+      try {
+        execSync(`tailscale serve --bg http://127.0.0.1:${gatewayPort} 2>&1`, {
+          stdio: 'pipe',
+          timeout: 15000
+        });
+        serveEnabled = true;
+      } catch (e) {
+        serveError = (e.stderr ? e.stderr.toString() : '') || e.message;
+        if (serveError.includes('not enabled')) {
+          const match = serveError.match(/(https:\/\/login\.tailscale\.com\/f\/serve\S+)/);
+          serveEnableUrl = match ? match[1] : 'https://login.tailscale.com/admin/settings';
+        }
+      }
+
+      // Patch gateway config for Tailscale auth
+      if (configPath) {
+        try {
+          const gwConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+          if (!gwConfig.gateway) gwConfig.gateway = {};
+          if (!gwConfig.gateway.auth) gwConfig.gateway.auth = {};
+          if (!gwConfig.gateway.controlUi) gwConfig.gateway.controlUi = {};
+          if (!gwConfig.gateway.tailscale) gwConfig.gateway.tailscale = {};
+
+          gwConfig.gateway.auth.allowTailscale = true;
+          gwConfig.gateway.controlUi.allowInsecureAuth = true;
+          gwConfig.gateway.tailscale.mode = 'serve';
+
+          fs.writeFileSync(configPath, JSON.stringify(gwConfig, null, 2));
+
+          // Restart gateway to pick up new config
+          try {
+            execSync('systemctl restart openclaw-gateway 2>/dev/null || systemctl restart clawdbot-gateway 2>/dev/null', {
+              stdio: 'pipe',
+              timeout: 10000
+            });
+          } catch (e) {
+            // Non-fatal — gateway will pick up config on next restart
+          }
+        } catch (e) {
+          console.error('[tailscale] Config patch error:', e.message);
+        }
+      }
+
+      return res.json({
+        success: true,
+        connected: true,
+        hostname: hostName,
+        dnsName,
+        tailscaleIPs: selfNode.TailscaleIPs || [],
+        message: `Successfully connected to Tailscale as ${hostName || 'this device'}`,
+        serve: {
+          enabled: serveEnabled,
+          url: serveEnabled && dnsName ? `https://${dnsName}/` : null,
+          webchatUrl: serveEnabled && dnsName && gatewayToken
+            ? `https://${dnsName}/?token=${gatewayToken}`
+            : (serveEnabled && dnsName ? `https://${dnsName}/` : null),
+          enableUrl: serveEnableUrl || null,
+          error: !serveEnabled ? (serveError || 'Tailscale Serve not enabled') : null
+        },
+        gateway: {
+          port: gatewayPort,
+          configured: !!configPath
+        }
+      });
+    } catch (e) {
+      const errMsg = e.stderr ? e.stderr.toString() : e.message;
+      return res.status(500).json({
+        error: 'Failed to connect Tailscale',
+        details: errMsg
+      });
+    }
+  } catch (err) {
+    console.error('[tailscale] Connect error:', err);
+    res.status(500).json({ error: 'Failed to connect Tailscale', details: err.message });
+  }
+});
+
+/**
+ * POST /api/tailscale/install — Install Tailscale on demand (self-install users)
+ */
+app.post('/api/tailscale/install', (req, res) => {
+  try {
+    // Check if already installed
+    try {
+      execSync('command -v tailscale', { stdio: 'pipe' });
+      return res.json({ success: true, message: 'Tailscale is already installed' });
+    } catch {
+      // Not installed — proceed
+    }
+
+    console.log('[tailscale] Installing Tailscale...');
+    execSync('curl -fsSL https://tailscale.com/install.sh | sh', {
+      stdio: 'pipe',
+      timeout: 120000
+    });
+
+    // Verify install
+    try {
+      execSync('command -v tailscale', { stdio: 'pipe' });
+    } catch {
+      return res.status(500).json({ error: 'Install script ran but tailscale binary not found' });
+    }
+
+    console.log('[tailscale] Installed successfully');
+    res.json({ success: true, message: 'Tailscale installed successfully' });
+  } catch (err) {
+    const errMsg = err.stderr ? err.stderr.toString() : err.message;
+    console.error('[tailscale] Install failed:', errMsg);
+    res.status(500).json({
+      error: 'Failed to install Tailscale',
+      details: errMsg.slice(0, 500)
+    });
+  }
+});
+
+/**
+ * POST /api/tailscale/disconnect — Disconnect Tailscale
+ */
+app.post('/api/tailscale/disconnect', (req, res) => {
+  try {
+    execSync('tailscale down', { stdio: 'pipe', timeout: 10000 });
+    res.json({ success: true, message: 'Tailscale disconnected' });
+  } catch (err) {
+    const errMsg = err.stderr ? err.stderr.toString() : err.message;
+    res.status(500).json({ error: 'Failed to disconnect', details: errMsg });
+  }
+});
+
+/**
+ * POST /api/tailscale/setup-serve — Retry Tailscale Serve setup
+ * Used when the user enables Serve on their tailnet and wants to retry
+ */
+app.post('/api/tailscale/setup-serve', (req, res) => {
+  try {
+    // Get gateway port from config
+    const os = require('os');
+    const configPaths = [
+      os.homedir() + '/.clawdbot/clawdbot.json',
+      os.homedir() + '/.openclaw/openclaw.json'
+    ];
+    const configPath = configPaths.find(p => fs.existsSync(p));
+    let port = 18789;
+    let gatewayToken = null;
+    if (configPath) {
+      try {
+        const gwConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+        port = gwConfig.gateway?.port || 18789;
+        gatewayToken = gwConfig.gateway?.auth?.token || null;
+      } catch (e) {}
+    }
+
+    execSync(`tailscale serve --bg http://127.0.0.1:${port} 2>&1`, {
+      stdio: 'pipe',
+      timeout: 15000
+    });
+
+    // Get DNS name for URL
+    const selfJson = JSON.parse(
+      execSync('tailscale status --json 2>/dev/null', { stdio: 'pipe', timeout: 10000 }).toString()
+    );
+    const dnsName = (selfJson.Self?.DNSName || '').replace(/\.$/, '');
+
+    res.json({
+      status: 'ok',
+      url: dnsName ? `https://${dnsName}/` : null,
+      webchatUrl: dnsName && gatewayToken
+        ? `https://${dnsName}/?token=${gatewayToken}`
+        : (dnsName ? `https://${dnsName}/` : null)
+    });
+  } catch (e) {
+    const msg = (e.stderr ? e.stderr.toString() : '') || e.message;
+    if (msg.includes('not enabled')) {
+      const match = msg.match(/(https:\/\/login\.tailscale\.com\/f\/serve\S+)/);
+      res.json({
+        status: 'not_enabled',
+        enableUrl: match ? match[1] : 'https://login.tailscale.com/admin/settings',
+        error: msg
+      });
+    } else {
+      res.json({ status: 'error', error: msg });
+    }
+  }
+});
+
+// ─── Gateway Info API (for Web Chat links) ──────────────────────────────────
+
+/**
+ * GET /api/gateway/info — Returns gateway port and auth info for Web Chat links
+ */
+app.get('/api/gateway/info', (req, res) => {
+  const os = require('os');
+  const configPath = path.join(os.homedir(), '.clawdbot', 'clawdbot.json');
+  try {
+    const gwConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    const gw = gwConfig.gateway || {};
+    const port = gw.port || 18789;
+    const auth = gw.auth || {};
+    const token = auth.token || null;
+
+    // Get Tailscale IP
+    let tailscaleIP = null;
+    try {
+      const tsIP = execSync('tailscale ip -4 2>/dev/null', { stdio: 'pipe', timeout: 5000 }).toString().trim();
+      if (tsIP) tailscaleIP = tsIP;
+    } catch (e) {}
+
+    res.json({
+      port,
+      authMode: auth.mode || 'token',
+      token: token, // Full token — UI masks it
+      tailscaleIP,
+      localUrl: `http://localhost:${port}/`,
+      tailscaleUrl: tailscaleIP ? `http://${tailscaleIP}:${port}/` : null
+    });
+  } catch (e) {
+    res.json({
+      port: 18789,
+      authMode: 'unknown',
+      token: null,
+      tailscaleIP: null,
+      localUrl: 'http://localhost:18789/',
+      tailscaleUrl: null
+    });
+  }
+});
+
+// ─── Setup route (always shows wizard, even when configured — for reconfiguration) ──
+
+app.get('/setup', (req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'index.html'));
+});
+
+// ─── Management Dashboard (always available) ────────────────────────────────
+
+app.get('/manage', (req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'manage.html'));
+});
+
+app.get('/manage/*', (req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'manage.html'));
+});
+
+// ─── Root route — wizard or proxy ───────────────────────────────────────────
+
+app.get('/', (req, res, next) => {
+  if (config.isConfigured()) {
+    // Proxy to gateway
+    return proxyMiddleware(req, res, next);
+  }
+  // Serve setup wizard
+  res.sendFile(path.join(__dirname, 'public', 'index.html'));
+});
+
+// ─── Everything else — proxy if configured, 404 otherwise ───────────────────
+
+app.use((req, res, next) => {
+  // Don't proxy API routes or static assets
+  if (req.path.startsWith('/api/') || req.path.startsWith('/css/') || req.path.startsWith('/js/')) {
+    return next();
+  }
+
+  if (config.isConfigured()) {
+    return proxyMiddleware(req, res, next);
+  }
+
+  // Not configured — serve the wizard for any path
+  res.sendFile(path.join(__dirname, 'public', 'index.html'));
+});
+
+// ─── Start Server ───────────────────────────────────────────────────────────
+
+const server = app.listen(PORT, () => {
+  const configured = config.isConfigured();
+  console.log(`
+  🦞 LobstaKit Cloud v1.0.0
+  ─────────────────────────
+  Port:       ${PORT}
+  Status:     ${configured ? '✅ Configured' : '⚙️  Setup required'}
+  Gateway:    ${gateway.isGatewayRunning() ? '🟢 Running' : '🔴 Stopped'}
+  Dashboard:  http://localhost:${PORT}/manage
+  `);
+});
+
+// WebSocket upgrade support for proxy
+server.on('upgrade', (req, socket, head) => {
+  if (config.isConfigured()) {
+    proxyMiddleware.upgrade(req, socket, head);
+  } else {
+    socket.destroy();
+  }
+});
+
+module.exports = app;