mtmsdk 0.0.41 → 0.0.43

package/src/openclaw/client-info.ts

@@ -0,0 +1,63 @@
+export const GATEWAY_CLIENT_IDS = {
+  WEBCHAT_UI: "webchat-ui",
+  CONTROL_UI: "openclaw-control-ui",
+  WEBCHAT: "webchat",
+  CLI: "cli",
+  GATEWAY_CLIENT: "gateway-client",
+  MACOS_APP: "openclaw-macos",
+  IOS_APP: "openclaw-ios",
+  ANDROID_APP: "openclaw-android",
+  NODE_HOST: "node-host",
+  TEST: "test",
+  FINGERPRINT: "fingerprint",
+  PROBE: "openclaw-probe",
+  CLAWDBOT_CONTROL_UI: "clawdbot-control-ui",
+} as const;
+
+export type GatewayClientId = (typeof GATEWAY_CLIENT_IDS)[keyof typeof GATEWAY_CLIENT_IDS];
+
+// Back-compat naming (internal): these values are IDs, not display names.
+export const GATEWAY_CLIENT_NAMES = GATEWAY_CLIENT_IDS;
+export type GatewayClientName = GatewayClientId;
+
+export const GATEWAY_CLIENT_MODES = {
+  WEBCHAT: "webchat",
+  CLI: "cli",
+  UI: "ui",
+  BACKEND: "backend",
+  NODE: "node",
+  PROBE: "probe",
+  TEST: "test",
+} as const;
+
+export type GatewayClientMode = (typeof GATEWAY_CLIENT_MODES)[keyof typeof GATEWAY_CLIENT_MODES];
+
+export type GatewayClientInfo = {
+  id: GatewayClientId;
+  displayName?: string;
+  version: string;
+  platform: string;
+  deviceFamily?: string;
+  modelIdentifier?: string;
+  mode: GatewayClientMode;
+  instanceId?: string;
+};
+
+const GATEWAY_CLIENT_ID_SET = new Set<GatewayClientId>(Object.values(GATEWAY_CLIENT_IDS));
+const GATEWAY_CLIENT_MODE_SET = new Set<GatewayClientMode>(Object.values(GATEWAY_CLIENT_MODES));
+
+export function normalizeGatewayClientId(raw?: string | null): GatewayClientId | undefined {
+  const normalized = raw?.trim().toLowerCase();
+  if (!normalized) return undefined;
+  return GATEWAY_CLIENT_ID_SET.has(normalized as GatewayClientId) ? (normalized as GatewayClientId) : undefined;
+}
+
+export function normalizeGatewayClientName(raw?: string | null): GatewayClientName | undefined {
+  return normalizeGatewayClientId(raw);
+}
+
+export function normalizeGatewayClientMode(raw?: string | null): GatewayClientMode | undefined {
+  const normalized = raw?.trim().toLowerCase();
+  if (!normalized) return undefined;
+  return GATEWAY_CLIENT_MODE_SET.has(normalized as GatewayClientMode) ? (normalized as GatewayClientMode) : undefined;
+}

package/src/openclaw/device-auth-utils.ts

@@ -0,0 +1,31 @@
+export interface DeviceAuthPayloadParams {
+  version?: string;
+  nonce?: string;
+  scopes: string[];
+  token?: string;
+  deviceId: string;
+  clientId: string;
+  clientMode: string;
+  role: string;
+  signedAtMs: number;
+}
+
+export function buildDeviceAuthPayload(params: DeviceAuthPayloadParams) {
+  const version = params.version ?? (params.nonce ? "v2" : "v1");
+  const scopes = params.scopes.join(",");
+  const token = params.token ?? "";
+  const base = [
+    version,
+    params.deviceId,
+    params.clientId,
+    params.clientMode,
+    params.role,
+    scopes,
+    String(params.signedAtMs),
+    token,
+  ];
+  if (version === "v2") {
+    base.push(params.nonce ?? "");
+  }
+  return base.join("|");
+}

package/src/openclaw/device-auth.ts

@@ -0,0 +1,96 @@
+export type DeviceAuthEntry = {
+  token: string;
+  role: string;
+  scopes: string[];
+  updatedAtMs: number;
+};
+
+type DeviceAuthStore = {
+  version: 1;
+  deviceId: string;
+  tokens: Record<string, DeviceAuthEntry>;
+};
+
+const STORAGE_KEY = "moltbot.device.auth.v1";
+
+function normalizeRole(role: string): string {
+  return role.trim();
+}
+
+function normalizeScopes(scopes: string[] | undefined): string[] {
+  if (!Array.isArray(scopes)) return [];
+  const out = new Set<string>();
+  for (const scope of scopes) {
+    const trimmed = scope.trim();
+    if (trimmed) out.add(trimmed);
+  }
+  return [...out].sort();
+}
+
+function readStore(): DeviceAuthStore | null {
+  try {
+    const raw = window.localStorage.getItem(STORAGE_KEY);
+    if (!raw) return null;
+    const parsed = JSON.parse(raw) as DeviceAuthStore;
+    if (!parsed || parsed.version !== 1) return null;
+    if (!parsed.deviceId || typeof parsed.deviceId !== "string") return null;
+    if (!parsed.tokens || typeof parsed.tokens !== "object") return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+function writeStore(store: DeviceAuthStore) {
+  try {
+    window.localStorage.setItem(STORAGE_KEY, JSON.stringify(store));
+  } catch {
+    // best-effort
+  }
+}
+
+export function loadDeviceAuthToken(params: { deviceId: string; role: string }): DeviceAuthEntry | null {
+  const store = readStore();
+  if (!store || store.deviceId !== params.deviceId) return null;
+  const role = normalizeRole(params.role);
+  const entry = store.tokens[role];
+  if (!entry || typeof entry.token !== "string") return null;
+  return entry;
+}
+
+export function storeDeviceAuthToken(params: {
+  deviceId: string;
+  role: string;
+  token: string;
+  scopes?: string[];
+}): DeviceAuthEntry {
+  const role = normalizeRole(params.role);
+  const next: DeviceAuthStore = {
+    version: 1,
+    deviceId: params.deviceId,
+    tokens: {},
+  };
+  const existing = readStore();
+  if (existing && existing.deviceId === params.deviceId) {
+    next.tokens = { ...existing.tokens };
+  }
+  const entry: DeviceAuthEntry = {
+    token: params.token,
+    role,
+    scopes: normalizeScopes(params.scopes),
+    updatedAtMs: Date.now(),
+  };
+  next.tokens[role] = entry;
+  writeStore(next);
+  return entry;
+}
+
+export function clearDeviceAuthToken(params: { deviceId: string; role: string }) {
+  const store = readStore();
+  if (!store || store.deviceId !== params.deviceId) return;
+  const role = normalizeRole(params.role);
+  if (!store.tokens[role]) return;
+  const next = { ...store, tokens: { ...store.tokens } };
+  delete next.tokens[role];
+  writeStore(next);
+}

package/src/openclaw/device-identity.ts

@@ -0,0 +1,108 @@
+import { getPublicKeyAsync, signAsync, utils } from "@noble/ed25519";
+
+type StoredIdentity = {
+  version: 1;
+  deviceId: string;
+  publicKey: string;
+  privateKey: string;
+  createdAtMs: number;
+};
+
+export type DeviceIdentity = {
+  deviceId: string;
+  publicKey: string;
+  privateKey: string;
+};
+
+const STORAGE_KEY = "moltbot-device-identity-v1";
+
+function base64UrlEncode(bytes: Uint8Array): string {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/g, "");
+}
+
+function base64UrlDecode(input: string): Uint8Array {
+  const normalized = input.replaceAll("-", "+").replaceAll("_", "/");
+  const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
+  const binary = atob(padded);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) out[i] = binary.charCodeAt(i);
+  return out;
+}
+
+function bytesToHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+async function fingerprintPublicKey(publicKey: Uint8Array): Promise<string> {
+  const hash = await crypto.subtle.digest("SHA-256", publicKey as unknown as BufferSource);
+  return bytesToHex(new Uint8Array(hash));
+}
+
+async function generateIdentity(): Promise<DeviceIdentity> {
+  const privateKey = utils.randomSecretKey();
+  const publicKey = await getPublicKeyAsync(privateKey);
+  const deviceId = await fingerprintPublicKey(publicKey);
+  return {
+    deviceId,
+    publicKey: base64UrlEncode(publicKey),
+    privateKey: base64UrlEncode(privateKey),
+  };
+}
+
+export async function loadOrCreateDeviceIdentity(): Promise<DeviceIdentity> {
+  try {
+    const raw = localStorage.getItem(STORAGE_KEY);
+    if (raw) {
+      const parsed = JSON.parse(raw) as StoredIdentity;
+      if (
+        parsed?.version === 1 &&
+        typeof parsed.deviceId === "string" &&
+        typeof parsed.publicKey === "string" &&
+        typeof parsed.privateKey === "string"
+      ) {
+        const derivedId = await fingerprintPublicKey(base64UrlDecode(parsed.publicKey));
+        if (derivedId !== parsed.deviceId) {
+          const updated: StoredIdentity = {
+            ...parsed,
+            deviceId: derivedId,
+          };
+          localStorage.setItem(STORAGE_KEY, JSON.stringify(updated));
+          return {
+            deviceId: derivedId,
+            publicKey: parsed.publicKey,
+            privateKey: parsed.privateKey,
+          };
+        }
+        return {
+          deviceId: parsed.deviceId,
+          publicKey: parsed.publicKey,
+          privateKey: parsed.privateKey,
+        };
+      }
+    }
+  } catch {
+    // fall through to regenerate
+  }
+
+  const identity = await generateIdentity();
+  const stored: StoredIdentity = {
+    version: 1,
+    deviceId: identity.deviceId,
+    publicKey: identity.publicKey,
+    privateKey: identity.privateKey,
+    createdAtMs: Date.now(),
+  };
+  localStorage.setItem(STORAGE_KEY, JSON.stringify(stored));
+  return identity;
+}
+
+export async function signDevicePayload(privateKeyBase64Url: string, payload: string) {
+  const key = base64UrlDecode(privateKeyBase64Url);
+  const data = new TextEncoder().encode(payload);
+  const sig = await signAsync(data, key);
+  return base64UrlEncode(sig);
+}

package/src/openclaw/gateway.ts

@@ -0,0 +1,351 @@
+import {
+  GATEWAY_CLIENT_MODES,
+  GATEWAY_CLIENT_NAMES,
+  type GatewayClientMode,
+  type GatewayClientName,
+} from "./client-info";
+import { generateUUID } from "./uuid";
+
+export type GatewayEventFrame = {
+  type: "event";
+  event: string;
+  payload?: unknown;
+  seq?: number;
+  stateVersion?: { presence: number; health: number };
+};
+
+export type GatewayResponseFrame = {
+  type: "res";
+  id: string;
+  ok: boolean;
+  payload?: unknown;
+  error?: { code: string; message: string; details?: unknown };
+};
+
+export type GatewayHelloOk = {
+  type: "hello-ok";
+  protocol: number;
+  features?: { methods?: string[]; events?: string[] };
+  snapshot?: unknown;
+  auth?: {
+    deviceToken?: string;
+    role?: string;
+    scopes?: string[];
+    issuedAtMs?: number;
+  };
+  policy?: { tickIntervalMs?: number };
+};
+
+type Pending = {
+  resolve: (value: unknown) => void;
+  reject: (err: unknown) => void;
+};
+
+export type GatewayBrowserClientOptions = {
+  url: string;
+  password?: string;
+  clientName?: GatewayClientName;
+  clientVersion?: string;
+  platform?: string;
+  mode?: GatewayClientMode;
+  instanceId?: string;
+  onHello?: (hello: GatewayHelloOk) => void;
+  onEvent?: (evt: GatewayEventFrame) => void;
+  onClose?: (info: { code: number; reason: string }) => void;
+  onGap?: (info: { expected: number; received: number }) => void;
+  autoReconnect?: boolean;
+  disableDeviceAuth?: boolean;
+  supabaseToken?: string;
+  skipConnectHandshake?: boolean;
+};
+
+// 4008 = application-defined code (browser rejects 1008 "Policy Violation")
+const CONNECT_FAILED_CLOSE_CODE = 4008;
+
+export class GatewayBrowserClient {
+  private ws: WebSocket | null = null;
+  private pending = new Map<string, Pending>();
+  private closed = false;
+  private lastSeq: number | null = null;
+  private connectNonce: string | null = null;
+  private connectSent = false;
+  private connectTimer: number | null = null;
+  private backoffMs = 800;
+
+  constructor(private opts: GatewayBrowserClientOptions) {}
+
+  start() {
+    this.closed = false;
+    this.connect();
+  }
+
+  stop() {
+    this.closed = true;
+    this.ws?.close();
+    this.ws = null;
+    this.flushPending(new Error("gateway client stopped"));
+  }
+
+  get connected() {
+    return this.ws?.readyState === WebSocket.OPEN;
+  }
+
+  private connect() {
+    if (this.closed) return;
+    try {
+      const protocols: string[] = [];
+      if (this.opts.supabaseToken) {
+        protocols.push(`sb_token.${this.opts.supabaseToken}`);
+      }
+
+      this.ws = new WebSocket(this.opts.url, protocols.length > 0 ? protocols : undefined);
+      this.ws.onopen = () => this.queueConnect();
+      this.ws.onmessage = (ev) => this.handleMessage(String(ev.data ?? ""));
+      this.ws.onclose = (ev) => {
+        const reason = String(ev.reason ?? "");
+        this.ws = null;
+        this.flushPending(new Error(`gateway closed (${ev.code}): ${reason}`));
+        this.opts.onClose?.({ code: ev.code, reason });
+        this.scheduleReconnect();
+      };
+      this.ws.onerror = () => {
+        // ignored; close handler will fire
+      };
+    } catch (err) {
+      console.error("[gateway] Failed to create WebSocket instance:", err);
+      // Simulate a close event for the UI to handle
+      this.opts.onClose?.({
+        code: 1006,
+        reason: err instanceof Error ? err.message : "Connect failed",
+      });
+      this.scheduleReconnect();
+    }
+  }
+
+  private scheduleReconnect() {
+    if (this.closed || this.opts.autoReconnect === false) return;
+    const delay = this.backoffMs;
+    this.backoffMs = Math.min(this.backoffMs * 1.7, 15_000);
+    window.setTimeout(() => this.connect(), delay);
+  }
+
+  private flushPending(err: Error) {
+    for (const [, p] of this.pending) p.reject(err);
+    this.pending.clear();
+  }
+
+  private async sendConnect() {
+    if (this.connectSent) return;
+    this.connectSent = true;
+    if (this.connectTimer !== null) {
+      window.clearTimeout(this.connectTimer);
+      this.connectTimer = null;
+    }
+    const { disableDeviceAuth } = this.opts;
+
+    const isSecureContext = typeof crypto !== "undefined" && !!crypto.subtle;
+
+    const scopes = ["operator.admin", "operator.approvals", "operator.pairing"];
+    const role = "operator";
+
+    // Dynamic import types for correct typing
+    type DeviceIdentityLib = typeof import("./device-identity");
+    let deviceIdentity: Awaited<ReturnType<DeviceIdentityLib["loadOrCreateDeviceIdentity"]>> | null = null;
+    let authToken: string | undefined;
+
+    // Dynamically import device auth logic only if needed and in secure context
+    if (!disableDeviceAuth && isSecureContext) {
+      try {
+        const { loadOrCreateDeviceIdentity } = await import("./device-identity");
+        const { loadDeviceAuthToken } = await import("./device-auth");
+
+        deviceIdentity = await loadOrCreateDeviceIdentity();
+        authToken = loadDeviceAuthToken({
+          deviceId: deviceIdentity.deviceId,
+          role,
+        })?.token;
+      } catch (e) {
+        console.warn("[gateway] Failed to load device identity libs", e);
+      }
+    }
+
+    const auth =
+      authToken || this.opts.password
+        ? {
+            token: authToken,
+            password: this.opts.password,
+          }
+        : undefined;
+
+    let device:
+      | {
+          id: string;
+          publicKey: string;
+          signature: string;
+          signedAt: number;
+          nonce: string | undefined;
+        }
+      | undefined;
+
+    if (!disableDeviceAuth && isSecureContext && deviceIdentity) {
+      const signedAtMs = Date.now();
+      const nonce = this.connectNonce ?? undefined;
+
+      try {
+        const { buildDeviceAuthPayload } = await import("./device-auth-utils");
+        const { signDevicePayload } = await import("./device-identity");
+
+        const payload = buildDeviceAuthPayload({
+          deviceId: deviceIdentity.deviceId,
+          clientId: this.opts.clientName ?? GATEWAY_CLIENT_NAMES.CONTROL_UI,
+          clientMode: this.opts.mode ?? GATEWAY_CLIENT_MODES.WEBCHAT,
+          role,
+          scopes,
+          signedAtMs,
+          token: authToken ?? undefined,
+          nonce,
+        });
+        const signature = await signDevicePayload(deviceIdentity.privateKey, payload);
+        device = {
+          id: deviceIdentity.deviceId,
+          publicKey: deviceIdentity.publicKey,
+          signature,
+          signedAt: signedAtMs,
+          nonce,
+        };
+      } catch (e) {
+        console.error("[gateway] Failed to sign device payload", e);
+      }
+    }
+
+    const params = {
+      minProtocol: 3,
+      maxProtocol: 3,
+      client: {
+        id: this.opts.clientName ?? GATEWAY_CLIENT_NAMES.CONTROL_UI,
+        version: this.opts.clientVersion ?? "dev",
+        platform: this.opts.platform ?? navigator.platform ?? "web",
+        mode: this.opts.mode ?? GATEWAY_CLIENT_MODES.WEBCHAT,
+        instanceId: this.opts.instanceId,
+      },
+      role,
+      scopes,
+      device,
+      caps: [],
+      auth,
+      userAgent: navigator.userAgent,
+      locale: navigator.language,
+    };
+
+    void this.request<GatewayHelloOk>("connect", params)
+      .then(async (hello) => {
+        if (!disableDeviceAuth && hello?.auth?.deviceToken && deviceIdentity) {
+          try {
+            const { storeDeviceAuthToken } = await import("./device-auth");
+            storeDeviceAuthToken({
+              deviceId: deviceIdentity.deviceId,
+              role: hello.auth.role ?? role,
+              token: hello.auth.deviceToken,
+              scopes: hello.auth.scopes ?? [],
+            });
+          } catch (e) {
+            console.warn("[gateway] Failed to store device token", e);
+          }
+        }
+        this.backoffMs = 800;
+        this.opts.onHello?.(hello);
+      })
+      .catch((err) => {
+        console.warn("[gateway] connect seq failed", err);
+        // Do not close here, let the interval handle it or the error event?
+        // Original code closed it.
+        this.ws?.close(CONNECT_FAILED_CLOSE_CODE, "connect failed");
+      });
+  }
+
+  private handleMessage(raw: string) {
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return;
+    }
+
+    const frame = parsed as { type?: unknown };
+    if (frame.type === "event") {
+      const evt = parsed as GatewayEventFrame;
+
+      // Handle Proxy Handshake Event
+      if (evt.event === "sys.proxy_hello") {
+        this.backoffMs = 800;
+        const hello = (evt.payload as GatewayHelloOk) || {
+          type: "hello-ok",
+          protocol: 3,
+          features: { methods: [], events: [] },
+        };
+        this.opts.onHello?.(hello);
+        return;
+      }
+
+      if (evt.event === "connect.challenge") {
+        const payload = evt.payload as { nonce?: unknown } | undefined;
+        const nonce = payload && typeof payload.nonce === "string" ? payload.nonce : null;
+        if (nonce) {
+          this.connectNonce = nonce;
+          void this.sendConnect();
+        }
+        return;
+      }
+      const seq = typeof evt.seq === "number" ? evt.seq : null;
+      if (seq !== null) {
+        if (this.lastSeq !== null && seq > this.lastSeq + 1) {
+          this.opts.onGap?.({ expected: this.lastSeq + 1, received: seq });
+        }
+        this.lastSeq = seq;
+      }
+      try {
+        this.opts.onEvent?.(evt);
+      } catch (err) {
+        console.error("[gateway] event handler error:", err);
+      }
+      return;
+    }
+
+    if (frame.type === "res") {
+      const res = parsed as GatewayResponseFrame;
+      const pending = this.pending.get(res.id);
+      if (!pending) return;
+      this.pending.delete(res.id);
+      if (res.ok) pending.resolve(res.payload);
+      else pending.reject(new Error(res.error?.message ?? "request failed"));
+      return;
+    }
+  }
+
+  request<T = unknown>(method: string, params?: unknown): Promise<T> {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      return Promise.reject(new Error("gateway not connected"));
+    }
+    const id = generateUUID();
+    const frame = { type: "req", id, method, params };
+    const p = new Promise<T>((resolve, reject) => {
+      this.pending.set(id, { resolve: (v) => resolve(v as T), reject });
+    });
+    this.ws.send(JSON.stringify(frame));
+    return p;
+  }
+
+  private queueConnect() {
+    this.connectNonce = null;
+    this.connectSent = false;
+    if (this.connectTimer !== null) window.clearTimeout(this.connectTimer);
+
+    if (this.opts.skipConnectHandshake) {
+      return;
+    }
+
+    this.connectTimer = window.setTimeout(() => {
+      void this.sendConnect();
+    }, 750);
+  }
+}