oomi-ai 0.2.5 → 0.2.7

package/README.md

@@ -72,6 +72,7 @@ Agent-intent mapping (recommended):
 Important distinction:
 - `pairCode` is one-time and used internally by the pair/bootstrap flow.
 - Invite auth links are the required user flow.
+- Managed chat connect now uses OpenClaw challenge auth (`connect.challenge` nonce + signed device payload) in the local bridge path.
 
 Sync personas from the repo into the backend registry:
 ```
@@ -109,6 +110,8 @@ Restart OpenClaw after running `oomi init` or `oomi openclaw install`.
   - `OOMI_SKIP_UPDATE_CHECK=1` disables checks
   - `OOMI_UPDATE_CHECK_INTERVAL_MS=<ms>` changes check interval
   - `OOMI_UPDATE_CHECK_TIMEOUT_MS=<ms>` changes network timeout
+  - `OOMI_BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS=<ms>` changes local gateway socket connect timeout
+  - `OOMI_BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS=<ms>` changes wait timeout for gateway `connect.challenge` nonce
 
 ## Package Audit + Publish (pnpm)
 ```

package/bin/oomi-ai.js

@@ -3,7 +3,7 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import { spawn } from 'child_process';
-import { randomUUID } from 'crypto';
+import { createPrivateKey, createPublicKey, randomUUID, sign as cryptoSign } from 'crypto';
 import net from 'net';
 import { lookup as dnsLookup } from 'dns/promises';
 import WebSocket from 'ws';
@@ -18,6 +18,16 @@ const DEFAULT_UPDATE_CHECK_INTERVAL_MS = 12 * 60 * 60 * 1000;
 const DEFAULT_UPDATE_CHECK_TIMEOUT_MS = 1200;
 const BRIDGE_RECONNECT_BASE_MS = 2000;
 const BRIDGE_RECONNECT_MAX_MS = 60000;
+const BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS = parsePositiveInteger(
+  process.env.OOMI_BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS,
+  10000
+);
+const BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS = parsePositiveInteger(
+  process.env.OOMI_BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS,
+  3000
+);
+const DEVICE_IDENTITY_PATH = path.join(os.homedir(), '.openclaw', 'identity', 'device.json');
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
 
 function parsePositiveInteger(value, fallback) {
   const num = Number(value);
@@ -666,13 +676,124 @@ async function fetchManagedGatewayConfig({ appUrl }) {
   return payload;
 }
 
-function injectGatewayAuth(frameText, gatewayAuth) {
+function base64UrlEncode(value) {
+  return Buffer.from(value)
+    .toString('base64')
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replace(/=+$/g, '');
+}
+
+function normalizeDeviceMetadataForAuth(value) {
+  if (typeof value !== 'string') return '';
+  const trimmed = value.trim();
+  if (!trimmed) return '';
+  return trimmed.replace(/[A-Z]/g, (char) => String.fromCharCode(char.charCodeAt(0) + 32));
+}
+
+function publicKeyRawBase64UrlFromPem(publicKeyPem) {
+  const der = createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
+  const raw =
+    der.length === ED25519_SPKI_PREFIX.length + 32 &&
+    der.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
+      ? der.subarray(ED25519_SPKI_PREFIX.length)
+      : der;
+  return base64UrlEncode(raw);
+}
+
+function signDevicePayload(privateKeyPem, payload) {
+  const key = createPrivateKey(privateKeyPem);
+  return base64UrlEncode(cryptoSign(null, Buffer.from(payload, 'utf8'), key));
+}
+
+function buildDeviceAuthPayloadV3({
+  deviceId,
+  clientId,
+  clientMode,
+  role,
+  scopes,
+  signedAtMs,
+  token,
+  nonce,
+  platform,
+  deviceFamily,
+}) {
+  return [
+    'v3',
+    deviceId,
+    clientId,
+    clientMode,
+    role,
+    scopes.join(','),
+    String(signedAtMs),
+    token || '',
+    nonce,
+    normalizeDeviceMetadataForAuth(platform),
+    normalizeDeviceMetadataForAuth(deviceFamily),
+  ].join('|');
+}
+
+function loadGatewayDeviceIdentity() {
+  if (!fs.existsSync(DEVICE_IDENTITY_PATH)) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(readFile(DEVICE_IDENTITY_PATH));
+    if (
+      parsed &&
+      parsed.version === 1 &&
+      typeof parsed.deviceId === 'string' &&
+      typeof parsed.publicKeyPem === 'string' &&
+      typeof parsed.privateKeyPem === 'string'
+    ) {
+      return {
+        deviceId: parsed.deviceId.trim(),
+        publicKeyPem: parsed.publicKeyPem,
+        privateKeyPem: parsed.privateKeyPem,
+      };
+    }
+  } catch {
+    // no-op
+  }
+  return null;
+}
+
+function prepareGatewayFrameForLocalGateway(frameText, gatewayAuth, options = {}) {
+  const connectNonce = typeof options.connectNonce === 'string' ? options.connectNonce.trim() : '';
+  const deviceIdentity = options.deviceIdentity || null;
+
   try {
     const frame = JSON.parse(frameText);
     if (frame?.type !== 'req' || frame?.method !== 'connect') {
-      return frameText;
+      return { frameText, waitForChallenge: false };
     }
+
     const params = frame.params && typeof frame.params === 'object' ? frame.params : {};
+
+    const client = params.client && typeof params.client === 'object' ? params.client : {};
+    const incomingClientId = typeof client.id === 'string' ? client.id.trim().toLowerCase() : '';
+    const incomingClientMode = typeof client.mode === 'string' ? client.mode.trim().toLowerCase() : '';
+    const proxiedBrowserClient =
+      incomingClientMode === 'webchat' ||
+      incomingClientId === 'webchat-ui' ||
+      incomingClientId === 'webchat' ||
+      incomingClientId === 'clawdbot-control-ui';
+
+    // Frames relayed by this bridge originate from a local Node websocket, not a browser.
+    // Keep gateway auth/nonce flow, but normalize browser-mode connects to backend identity
+    // so Control UI/webchat Origin checks don't reject proxied sessions.
+    client.id = proxiedBrowserClient
+      ? 'node-host'
+      : (typeof client.id === 'string' && client.id.trim() ? client.id.trim() : 'node-host');
+    client.version = typeof client.version === 'string' && client.version.trim() ? client.version.trim() : '0.1.0';
+    client.platform = typeof client.platform === 'string' && client.platform.trim() ? client.platform.trim() : process.platform;
+    client.mode = proxiedBrowserClient
+      ? 'backend'
+      : (typeof client.mode === 'string' && client.mode.trim() ? client.mode.trim() : 'backend');
+    params.client = client;
+
+    params.role = typeof params.role === 'string' && params.role.trim() ? params.role.trim() : 'operator';
+
     const existingScopes = Array.isArray(params.scopes)
       ? params.scopes.filter((value) => typeof value === 'string' && value.trim())
       : [];
@@ -684,17 +805,63 @@ function injectGatewayAuth(frameText, gatewayAuth) {
     }
     params.scopes = existingScopes;
 
+    if (!Array.isArray(params.caps)) {
+      params.caps = [];
+    }
+    if (!Array.isArray(params.commands)) {
+      params.commands = [];
+    }
+    if (!params.permissions || typeof params.permissions !== 'object') {
+      params.permissions = {};
+    }
+
     const auth = {};
-    if (gatewayAuth.token) auth.token = gatewayAuth.token;
-    else if (gatewayAuth.password) auth.password = gatewayAuth.password;
+    if (gatewayAuth.token) {
+      auth.token = gatewayAuth.token;
+    } else if (gatewayAuth.password) {
+      auth.password = gatewayAuth.password;
+    }
     if (Object.keys(auth).length > 0) {
       params.auth = auth;
-      frame.params = params;
-      return JSON.stringify(frame);
     }
-    return frameText;
+
+    if (deviceIdentity) {
+      if (!connectNonce) {
+        return { frameText: null, waitForChallenge: true };
+      }
+
+      const signedAtMs = Date.now();
+      const tokenForSignature =
+        typeof auth.token === 'string' && auth.token.trim()
+          ? auth.token.trim()
+          : (typeof auth.deviceToken === 'string' && auth.deviceToken.trim() ? auth.deviceToken.trim() : '');
+
+      const payload = buildDeviceAuthPayloadV3({
+        deviceId: deviceIdentity.deviceId,
+        clientId: client.id,
+        clientMode: client.mode,
+        role: params.role,
+        scopes: existingScopes,
+        signedAtMs,
+        token: tokenForSignature,
+        nonce: connectNonce,
+        platform: client.platform,
+        deviceFamily: typeof client.deviceFamily === 'string' ? client.deviceFamily : '',
+      });
+      const signature = signDevicePayload(deviceIdentity.privateKeyPem, payload);
+      params.device = {
+        id: deviceIdentity.deviceId,
+        publicKey: publicKeyRawBase64UrlFromPem(deviceIdentity.publicKeyPem),
+        signature,
+        signedAt: signedAtMs,
+        nonce: connectNonce,
+      };
+    }
+
+    frame.params = params;
+    return { frameText: JSON.stringify(frame), waitForChallenge: false };
   } catch {
-    return frameText;
+    return { frameText, waitForChallenge: false };
   }
 }
 
@@ -952,6 +1119,12 @@ async function startOpenclawBridge(flags) {
   if (!gateway.token && !gateway.password) {
     throw new Error(`Gateway auth token/password not found in ${gateway.configPath}.`);
   }
+  const gatewayDeviceIdentity = loadGatewayDeviceIdentity();
+  if (!gatewayDeviceIdentity) {
+    console.warn(
+      `[bridge] OpenClaw device identity not found at ${DEVICE_IDENTITY_PATH}; device-signed connect may fail on newer gateways.`
+    );
+  }
 
   if (runtimeConfig.managedConfigUsed && runtimeConfig.appUrl) {
     console.log(`[bridge] refreshed broker URLs from ${runtimeConfig.appUrl}`);
@@ -1099,21 +1272,157 @@ async function startOpenclawBridge(flags) {
 
     const brokerSocket = new WebSocket(wsUrl.toString());
     let actionCableHeartbeat = null;
+
+    const clearChallengeTimer = (sessionBridge) => {
+      if (sessionBridge && sessionBridge.connectChallengeTimer) {
+        clearTimeout(sessionBridge.connectChallengeTimer);
+        sessionBridge.connectChallengeTimer = null;
+      }
+    };
+
+    const queueConnectUntilChallenge = (sessionId, sessionBridge, frame) => {
+      if (!sessionBridge || typeof frame !== 'string' || !frame) return;
+      if (!Array.isArray(sessionBridge.pendingConnectFrames)) {
+        sessionBridge.pendingConnectFrames = [];
+      }
+      if (sessionBridge.pendingConnectFrames.includes(frame)) {
+        return;
+      }
+      sessionBridge.pendingConnectFrames.push(frame);
+
+      if (sessionBridge.connectChallengeTimer) {
+        return;
+      }
+
+      sessionBridge.connectChallengeTimer = setTimeout(() => {
+        sessionBridge.connectChallengeTimer = null;
+        const hasPending = Array.isArray(sessionBridge.pendingConnectFrames)
+          ? sessionBridge.pendingConnectFrames.length > 0
+          : false;
+        if (!hasPending || sessionBridge.connectNonce) {
+          return;
+        }
+        console.error(
+          `[bridge] gateway.connect_challenge_timeout ${sessionId} (${String(BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS)}ms)`
+        );
+        sendBrokerPayload(brokerSocket, {
+          action: 'log',
+          type: 'log',
+          sessionId,
+          level: 'error',
+          message: `Gateway challenge timeout (${String(BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS)}ms) for session ${sessionId}`,
+        });
+        try {
+          sessionBridge.socket?.close(4009, 'connect_challenge_timeout');
+        } catch {
+          // no-op
+        }
+      }, BRIDGE_CONNECT_CHALLENGE_TIMEOUT_MS);
+    };
+
+    const flushPendingConnectFrames = (sessionId, sessionBridge) => {
+      if (!sessionBridge || !sessionBridge.connectNonce) return;
+      const pending = Array.isArray(sessionBridge.pendingConnectFrames)
+        ? sessionBridge.pendingConnectFrames.splice(0, sessionBridge.pendingConnectFrames.length)
+        : [];
+      if (pending.length === 0) {
+        clearChallengeTimer(sessionBridge);
+        return;
+      }
+
+      clearChallengeTimer(sessionBridge);
+      for (const pendingFrame of pending) {
+        const prepared = prepareGatewayFrameForLocalGateway(pendingFrame, gateway, {
+          connectNonce: sessionBridge.connectNonce,
+          deviceIdentity: gatewayDeviceIdentity,
+        });
+        if (!prepared.frameText || prepared.waitForChallenge) {
+          continue;
+        }
+        const result = forwardFrameToSession(sessionBridge, prepared.frameText);
+        if (result === 'queued') {
+          console.log(`[bridge] client.frame queued after challenge ${sessionId}`);
+        } else if (result === 'dropped') {
+          console.log(`[bridge] client.frame dropped after challenge ${sessionId}`);
+        } else {
+          console.log(`[bridge] client.frame sent after challenge ${sessionId}`);
+        }
+      }
+    };
+
     const setupGatewaySession = (sessionId, sessionBridge) => {
       if (!sessionBridge || !sessionBridge.socket) return;
       const gatewaySocket = sessionBridge.socket;
+      if (typeof sessionBridge.connectNonce !== 'string') {
+        sessionBridge.connectNonce = '';
+      }
+      if (!Array.isArray(sessionBridge.pendingConnectFrames)) {
+        sessionBridge.pendingConnectFrames = [];
+      }
+      let connectTimeout = setTimeout(() => {
+        if (gatewaySocket.readyState !== WebSocket.CONNECTING) return;
+        console.error(
+          `[bridge] gateway.connect_timeout ${sessionId} (${String(BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS)}ms)`
+        );
+        sendBrokerPayload(brokerSocket, {
+          action: 'log',
+          type: 'log',
+          sessionId,
+          level: 'error',
+          message: `Gateway connect timeout (${String(BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS)}ms) for session ${sessionId}`,
+        });
+        try {
+          gatewaySocket.close(4008, 'gateway_connect_timeout');
+        } catch {
+          // no-op
+        }
+      }, BRIDGE_GATEWAY_CONNECT_TIMEOUT_MS);
 
       gatewaySocket.on('open', () => {
+        if (connectTimeout) {
+          clearTimeout(connectTimeout);
+          connectTimeout = null;
+        }
         console.log(`[bridge] gateway.open ${sessionId}`);
         flushSessionQueue(sessionBridge);
       });
 
       gatewaySocket.on('message', (gatewayRaw) => {
         const frame = typeof gatewayRaw === 'string' ? gatewayRaw : gatewayRaw.toString();
+        const gatewayPayload = parseJsonPayload(frame);
+        if (gatewayPayload?.event === 'connect.challenge') {
+          const nonce =
+            gatewayPayload.payload && typeof gatewayPayload.payload.nonce === 'string'
+              ? gatewayPayload.payload.nonce.trim()
+              : '';
+          if (!nonce) {
+            console.error(`[bridge] gateway.connect.challenge missing nonce for ${sessionId}`);
+            sendBrokerPayload(brokerSocket, {
+              action: 'log',
+              type: 'log',
+              sessionId,
+              level: 'error',
+              message: `Gateway connect challenge missing nonce for session ${sessionId}`,
+            });
+            try {
+              gatewaySocket.close(1008, 'connect_challenge_missing_nonce');
+            } catch {
+              // no-op
+            }
+          } else {
+            sessionBridge.connectNonce = nonce;
+            flushPendingConnectFrames(sessionId, sessionBridge);
+          }
+        }
         sendBrokerPayload(brokerSocket, { action: 'gateway_frame', type: 'gateway.frame', sessionId, frame });
       });
 
       gatewaySocket.on('close', (code, reason) => {
+        if (connectTimeout) {
+          clearTimeout(connectTimeout);
+          connectTimeout = null;
+        }
+        clearChallengeTimer(sessionBridge);
         const reasonText = reason ? reason.toString() : '';
         console.log(
           `[bridge] gateway.close ${sessionId} code=${String(code)}${reasonText ? ` reason=${reasonText}` : ''}`
@@ -1129,6 +1438,10 @@ async function startOpenclawBridge(flags) {
       });
 
       gatewaySocket.on('error', (err) => {
+        if (connectTimeout && gatewaySocket.readyState !== WebSocket.CONNECTING) {
+          clearTimeout(connectTimeout);
+          connectTimeout = null;
+        }
         console.error(`[bridge] gateway.error ${sessionId}: ${String(err)}`);
         sendBrokerPayload(brokerSocket, {
           action: 'log',
@@ -1270,8 +1583,19 @@ async function startOpenclawBridge(flags) {
         console.log(`[bridge] client.frame ${sessionId}`);
         const sessionBridge = getOrCreateGatewaySession(sessionId);
         if (!sessionBridge) return;
-        const frameWithAuth = injectGatewayAuth(frame, gateway);
-        const result = forwardFrameToSession(sessionBridge, frameWithAuth);
+        const prepared = prepareGatewayFrameForLocalGateway(frame, gateway, {
+          connectNonce: sessionBridge.connectNonce,
+          deviceIdentity: gatewayDeviceIdentity,
+        });
+        if (prepared.waitForChallenge) {
+          queueConnectUntilChallenge(sessionId, sessionBridge, frame);
+          console.log(`[bridge] client.frame waiting for challenge ${sessionId}`);
+          return;
+        }
+        if (!prepared.frameText) {
+          return;
+        }
+        const result = forwardFrameToSession(sessionBridge, prepared.frameText);
         if (result === 'queued') {
           console.log(`[bridge] client.frame queued ${sessionId}`);
         } else if (result === 'dropped') {
@@ -1285,6 +1609,7 @@ async function startOpenclawBridge(flags) {
         console.log(`[bridge] client.close ${sessionId}`);
         const sessionBridge = activeGatewaySockets.get(sessionId);
         if (sessionBridge && sessionBridge.socket) {
+          clearChallengeTimer(sessionBridge);
           activeGatewaySockets.delete(sessionId);
           sessionBridge.socket.close(1000, 'client_closed');
         }
@@ -1300,6 +1625,7 @@ async function startOpenclawBridge(flags) {
       const reasonText = reason ? reason.toString() : '';
       console.log(`[bridge] Broker disconnected (${code}) ${reasonText}`);
       for (const [sessionId, sessionBridge] of activeGatewaySockets.entries()) {
+        clearChallengeTimer(sessionBridge);
         activeGatewaySockets.delete(sessionId);
         try {
           sessionBridge.socket.close(1001, 'broker_disconnected');

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "oomi-ai",
   "name": "Oomi Channel Plugin",
   "description": "Managed Oomi channel integration for OpenClaw.",
-  "version": "0.2.4",
+  "version": "0.2.6",
   "author": "Oomi",
   "license": "MIT",
   "openclawVersion": ">=0.5.0",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oomi-ai",
-  "version": "0.2.5",
+  "version": "0.2.7",
   "description": "Oomi CLI for OpenClaw setup",
   "bin": {
     "oomi": "bin/oomi-ai.js"