opencami 1.8.2 → 1.8.3

package/README.md

@@ -15,16 +15,28 @@ A beautiful web client for [OpenClaw](https://github.com/openclaw/openclaw).
 curl -fsSL https://opencami.xyz/install.sh | bash
 ```
 
-Or via npm:
+Then open `http://localhost:3000` (or your configured host/port).
+
+---
+
+## Install (curl)
+
+The recommended install flow is:
+
+```bash
+curl -fsSL https://opencami.xyz/install.sh | bash
+```
+
+This installs OpenCami and prints next-step instructions for required environment variables.
+
+Alternative install:
 
 ```bash
 npm install -g opencami
 opencami
 ```
 
-Opens your browser to the chat interface.
-
-### Options
+CLI options:
 
 | Flag | Description | Default |
 |------|-------------|---------|
@@ -33,13 +45,159 @@ Opens your browser to the chat interface.
 | `--host` | Bind address | `localhost` |
 | `--no-open` | Don't open browser | — |
 
-### Docker
+> Note: `--gateway` sets `OPENCLAW_GATEWAY` internally. For predictable deployments, set `CLAWDBOT_GATEWAY_URL` explicitly in environment.
+
+---
+
+## Configuration (OpenCami environment)
+
+Set these in your shell, service manager, or container environment.
+
+### Required
+
+```bash
+CLAWDBOT_GATEWAY_URL=ws://127.0.0.1:18789
+# pick ONE auth method:
+CLAWDBOT_GATEWAY_TOKEN=...
+# or
+CLAWDBOT_GATEWAY_PASSWORD=...
+```
+
+### Required for remote Tailnet / origin allowlist setups
+
+```bash
+# Must exactly match the browser origin used to access OpenCami
+# Example: https://openclaw-server.tailXXXX.ts.net:3001
+OPENCAMI_ORIGIN=https://openclaw-server.tailXXXX.ts.net:3001
+```
+
+### Optional
+
+```bash
+# Enables compatibility fallback if strict device-auth connect fails
+# Default is strict mode (fallback disabled)
+OPENCAMI_DEVICE_AUTH_FALLBACK=true
+
+FILES_ROOT=/path/to/workspace
+OPENAI_API_KEY=sk-...
+```
+
+---
+
+## Remote Tailnet setup (OpenClaw + OpenCami)
+
+If OpenCami loads remotely but you see **"origin not allowed"** or gateway connect failures, configure both sides.
+
+### 1) OpenClaw gateway config (`gateway.controlUi.allowedOrigins`)
+
+In your OpenClaw config, allow the exact OpenCami browser origin:
+
+```json
+{
+  "gateway": {
+    "controlUi": {
+      "allowedOrigins": [
+        "https://openclaw-server.tailXXXX.ts.net:3001"
+      ]
+    }
+  }
+}
+```
+
+### 2) OpenCami server env (`OPENCAMI_ORIGIN`)
+
+Set `OPENCAMI_ORIGIN` to the same exact value:
+
+```bash
+OPENCAMI_ORIGIN=https://openclaw-server.tailXXXX.ts.net:3001
+```
+
+### 3) Restart gateway
+
+```bash
+openclaw gateway restart
+```
+
+> If you access OpenCami via multiple hostnames/ports, each distinct origin must be listed in `allowedOrigins`.
+
+---
+
+## Device auth notes (strict vs fallback)
+
+OpenCami uses strict device-auth-compatible connect params by default.
+
+- **Strict mode (default):** `OPENCAMI_DEVICE_AUTH_FALLBACK` unset/false
+- **Fallback mode (compatibility):** set `OPENCAMI_DEVICE_AUTH_FALLBACK=true`
+
+Fallback mode retries connect without device identity metadata if strict handshake fails.
+Use fallback only when needed for compatibility, and prefer strict mode long-term.
+
+---
+
+## Security notes
+
+- Prefer `wss://` for remote connections.
+- Prefer token auth (`CLAWDBOT_GATEWAY_TOKEN`) over password.
+- Keep `allowedOrigins` minimal (exact origins only, no wildcards).
+- Treat `OPENCAMI_DEVICE_AUTH_FALLBACK=true` as temporary compatibility mode.
+- Do **not** expose OpenCami directly to the public internet without TLS + access controls.
+- For Tailnet deployments, limit Tailnet device/user access.
+
+---
+
+## Troubleshooting
+
+### "origin not allowed"
+
+Cause: gateway rejected browser origin.
+
+Fix:
+1. Add origin to `gateway.controlUi.allowedOrigins`
+2. Set identical `OPENCAMI_ORIGIN` in OpenCami env
+3. Restart gateway (`openclaw gateway restart`)
+
+### Missing scope `operator.read`
+
+Cause: gateway auth succeeded but token/permissions did not include required operator scope.
+
+Fix:
+- Use a token/password with operator access
+- Verify gateway auth/scopes in OpenClaw
+- Reconnect after updating credentials
+
+### Pairing required / device auth connect issues
+
+If strict connect fails in your deployment:
+
+```bash
+OPENCAMI_DEVICE_AUTH_FALLBACK=true
+```
+
+Then restart OpenCami and retry. Keep this as a compatibility fallback, not the default.
+
+### Can’t connect to gateway at all
+
+Checks:
+
+```bash
+openclaw gateway status
+echo "$CLAWDBOT_GATEWAY_URL"
+echo "$CLAWDBOT_GATEWAY_TOKEN"
+```
+
+Also verify URL scheme (`ws://` local, `wss://` remote).
+
+---
+
+## Docker
 
 ```bash
 docker build -t opencami .
 docker run -p 3000:3000 opencami
 ```
 
+---
+
 ## Features
 
 ### 💬 Chat & Communication

package/bin/opencami.js

@@ -18,6 +18,9 @@ function getArg(name, def) {
 const port = parseInt(getArg('port', '3000'), 10);
 const host = getArg('host', '127.0.0.1');
 const gateway = getArg('gateway', 'ws://127.0.0.1:18789');
+const token = getArg('token', '');
+const password = getArg('password', '');
+const origin = getArg('origin', '');
 const noOpen = args.includes('--no-open');
 
 if (args.includes('--help') || args.includes('-h')) {
@@ -27,17 +30,23 @@ if (args.includes('--help') || args.includes('-h')) {
   Usage: opencami [options]
 
   Options:
-    --port <n>       Port to listen on (default: 3000)
-    --host <addr>    Host to bind to (default: 127.0.0.1)
-    --gateway <url>  OpenClaw gateway URL (default: ws://127.0.0.1:18789)
-    --no-open        Don't open browser on start
-    -h, --help       Show this help
+    --port <n>        Port to listen on (default: 3000)
+    --host <addr>     Host to bind to (default: 127.0.0.1)
+    --gateway <url>   OpenClaw gateway URL (default: ws://127.0.0.1:18789)
+    --token <token>   Gateway token (sets CLAWDBOT_GATEWAY_TOKEN)
+    --password <pw>   Gateway password (sets CLAWDBOT_GATEWAY_PASSWORD)
+    --origin <url>    Origin to send in backend WS (sets OPENCAMI_ORIGIN)
+    --no-open         Don't open browser on start
+    -h, --help        Show this help
 `);
   process.exit(0);
 }
 
 // Set gateway env for the app
-process.env.OPENCLAW_GATEWAY = gateway;
+process.env.CLAWDBOT_GATEWAY_URL = gateway;
+if (token) process.env.CLAWDBOT_GATEWAY_TOKEN = token;
+if (password) process.env.CLAWDBOT_GATEWAY_PASSWORD = password;
+if (origin) process.env.OPENCAMI_ORIGIN = origin;
 
 const MIME_TYPES = {
   '.html': 'text/html',

package/dist/server/assets/{_sessionKey-Bq_fl7uv.js → _sessionKey-C9o7YfxA.js}

@@ -19,7 +19,7 @@ import { u as useChatSettings$1 } from "./index-Dl2BOKP7.js";
 import { create } from "zustand";
 import { persist } from "zustand/middleware";
 import { createPortal } from "react-dom";
-import { a as Route } from "./router-bN_iTo0B.js";
+import { a as Route } from "./router-DCjikH21.js";
 function deriveFriendlyIdFromKey(key) {
   if (!key) return "main";
   const trimmed = key.trim();
@@ -1681,7 +1681,7 @@ function areSidebarSessionsEqual(prev, next) {
   return true;
 }
 const SettingsDialog = lazy(
-  () => import("./settings-dialog-BUOrQN3Z.js").then((m) => ({ default: m.SettingsDialog }))
+  () => import("./settings-dialog-ClKFnZ1x.js").then((m) => ({ default: m.SettingsDialog }))
 );
 const SessionExportDialog = lazy(
   () => import("./session-export-dialog-C53RRAah.js").then((m) => ({
@@ -6596,7 +6596,7 @@ const KeyboardShortcutsDialog = lazy(
   }))
 );
 const SearchDialog = lazy(
-  () => import("./search-dialog-DReM5ZD2.js").then((m) => ({
+  () => import("./search-dialog-BnwiXpdA.js").then((m) => ({
     default: m.SearchDialog
   }))
 );

package/dist/server/assets/{index-C2hVqxBl.js → index-Bw-bA_2M.js}

@@ -1,13 +1,13 @@
 import { jsx } from "react/jsx-runtime";
 import { useEffect } from "react";
-import { R as Route } from "./router-bN_iTo0B.js";
+import { R as Route } from "./router-DCjikH21.js";
 import "@tanstack/react-router";
 import "@tanstack/react-query";
 import "node:crypto";
-import "ws";
 import "node:fs";
-import "node:path";
 import "node:os";
+import "node:path";
+import "ws";
 import "@tanstack/router-core/ssr/client";
 import "node:stream";
 import "node:child_process";

package/dist/server/assets/{router-bN_iTo0B.js → router-DCjikH21.js}

@@ -1,11 +1,11 @@
 import { createRootRoute, Outlet, HeadContent, Scripts, createFileRoute, lazyRouteComponent, redirect, createRouter } from "@tanstack/react-router";
 import { jsx, jsxs } from "react/jsx-runtime";
 import { QueryClientProvider, QueryClient } from "@tanstack/react-query";
-import { randomUUID } from "node:crypto";
-import WebSocket from "ws";
-import { readFileSync, existsSync } from "node:fs";
-import path, { join, resolve, relative, extname } from "node:path";
+import crypto, { randomUUID } from "node:crypto";
+import fs, { readFileSync, existsSync } from "node:fs";
 import os, { homedir } from "node:os";
+import path, { join, resolve, relative, extname } from "node:path";
+import WebSocket from "ws";
 import { json } from "@tanstack/router-core/ssr/client";
 import { PassThrough, Readable } from "node:stream";
 import { execSync } from "node:child_process";
@@ -369,11 +369,11 @@ const $$splitComponentImporter$2 = () => import("./agents-CmQ4vvXm.js");
 const Route$t = createFileRoute("/agents")({
   component: lazyRouteComponent($$splitComponentImporter$2, "component")
 });
-const $$splitComponentImporter$1 = () => import("./index-C2hVqxBl.js");
+const $$splitComponentImporter$1 = () => import("./index-Bw-bA_2M.js");
 const Route$s = createFileRoute("/")({
   component: lazyRouteComponent($$splitComponentImporter$1, "component")
 });
-const $$splitComponentImporter = () => import("./_sessionKey-Bq_fl7uv.js").then((n) => n.$);
+const $$splitComponentImporter = () => import("./_sessionKey-C9o7YfxA.js").then((n) => n.$);
 const Route$r = createFileRoute("/chat/$sessionKey")({
   component: lazyRouteComponent($$splitComponentImporter, "component")
 });
@@ -388,24 +388,150 @@ function getGatewayConfig() {
   }
   return { url, token, password };
 }
-function buildConnectParams(token, password) {
+const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
+function base64UrlEncode(buf) {
+  return buf.toString("base64").replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/g, "");
+}
+function derivePublicKeyRaw(publicKeyPem) {
+  const spki = crypto.createPublicKey(publicKeyPem).export({ type: "spki", format: "der" });
+  if (spki.length === ED25519_SPKI_PREFIX.length + 32 && spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+    return spki.subarray(ED25519_SPKI_PREFIX.length);
+  }
+  return spki;
+}
+function fingerprintPublicKey(publicKeyPem) {
+  const raw = derivePublicKeyRaw(publicKeyPem);
+  return crypto.createHash("sha256").update(raw).digest("hex");
+}
+function ensureDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+function resolveDeviceIdentityPath() {
+  return path.join(os.homedir(), ".opencami", "identity", "device.json");
+}
+function loadOrCreateDeviceIdentity(filePath = resolveDeviceIdentityPath()) {
+  try {
+    if (fs.existsSync(filePath)) {
+      const raw = fs.readFileSync(filePath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (parsed?.version === 1 && typeof parsed.deviceId === "string" && typeof parsed.publicKeyPem === "string" && typeof parsed.privateKeyPem === "string") {
+        const derivedId = fingerprintPublicKey(parsed.publicKeyPem);
+        if (derivedId && derivedId !== parsed.deviceId) {
+          const updated = { ...parsed, deviceId: derivedId };
+          fs.writeFileSync(filePath, `${JSON.stringify(updated, null, 2)}
+`, { mode: 384 });
+          try {
+            fs.chmodSync(filePath, 384);
+          } catch {
+          }
+          return { deviceId: derivedId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+        }
+        return { deviceId: parsed.deviceId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+      }
+    }
+  } catch {
+  }
+  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+  const deviceId = fingerprintPublicKey(publicKeyPem);
+  ensureDir(filePath);
+  const stored = {
+    version: 1,
+    deviceId,
+    publicKeyPem,
+    privateKeyPem,
+    createdAtMs: Date.now()
+  };
+  fs.writeFileSync(filePath, `${JSON.stringify(stored, null, 2)}
+`, { mode: 384 });
+  try {
+    fs.chmodSync(filePath, 384);
+  } catch {
+  }
+  return { deviceId, publicKeyPem, privateKeyPem };
+}
+function signDevicePayload(privateKeyPem, payload) {
+  const key = crypto.createPrivateKey(privateKeyPem);
+  return base64UrlEncode(crypto.sign(null, Buffer.from(payload, "utf8"), key));
+}
+function publicKeyRawBase64UrlFromPem(publicKeyPem) {
+  return base64UrlEncode(derivePublicKeyRaw(publicKeyPem));
+}
+function buildDeviceAuthPayload(args) {
+  const scopes = args.scopes.join(",");
+  const token = args.token ?? "";
+  return ["v2", args.deviceId, args.clientId, args.clientMode, args.role, scopes, String(args.signedAtMs), token, args.nonce].join("|");
+}
+function loadOrCreateInstanceId() {
+  const filePath = path.join(os.homedir(), ".opencami", "identity", "instance-id.txt");
+  try {
+    if (fs.existsSync(filePath)) {
+      const v2 = fs.readFileSync(filePath, "utf8").trim();
+      if (v2) return v2;
+    }
+  } catch {
+  }
+  const v = randomUUID();
+  ensureDir(filePath);
+  fs.writeFileSync(filePath, `${v}
+`, { mode: 384 });
+  try {
+    fs.chmodSync(filePath, 384);
+  } catch {
+  }
+  return v;
+}
+function buildConnectParams(token, password, nonce) {
+  const clientId = "openclaw-control-ui";
+  const clientMode = "webchat";
+  const role = "operator";
+  const scopes = ["operator.read", "operator.write"];
+  if (!nonce) {
+    throw new Error(
+      "OpenClaw did not send connect.challenge nonce in time. If you are connecting cross-origin, ensure your origin is allowed (gateway.controlUi.allowedOrigins)."
+    );
+  }
+  const identity = loadOrCreateDeviceIdentity();
+  const signedAtMs = Date.now();
+  const payload = buildDeviceAuthPayload({
+    deviceId: identity.deviceId,
+    clientId,
+    clientMode,
+    role,
+    scopes,
+    signedAtMs,
+    token: token || null,
+    nonce
+  });
+  const signature = signDevicePayload(identity.privateKeyPem, payload);
   return {
     minProtocol: 3,
     maxProtocol: 3,
     client: {
-      id: "gateway-client",
+      id: clientId,
       displayName: "OpenCami",
       version: "dev",
       platform: process.platform,
-      mode: "ui",
-      instanceId: randomUUID()
+      mode: clientMode,
+      instanceId: loadOrCreateInstanceId()
     },
+    caps: [],
     auth: {
       token: token || void 0,
       password: password || void 0
     },
     role: "operator",
-    scopes: ["operator.read", "operator.write", "operator.admin"]
+    scopes,
+    device: {
+      id: identity.deviceId,
+      publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
+      signature,
+      signedAt: signedAtMs,
+      nonce
+    },
+    userAgent: `opencami/${process.env.npm_package_version ?? "dev"} (node ${process.version})`,
+    locale: process.env.LANG || "en"
   };
 }
 class PersistentGatewayConnection {
@@ -440,7 +566,8 @@ class PersistentGatewayConnection {
   async _connect() {
     if (this.destroyed) throw new Error("Connection destroyed");
     const { url, token, password } = getGatewayConfig();
-    const ws = new WebSocket(url);
+    const origin = process.env.OPENCAMI_ORIGIN?.trim();
+    const ws = origin ? new WebSocket(url, { headers: { Origin: origin } }) : new WebSocket(url);
     this.ws = ws;
     await new Promise((resolve2, reject) => {
       const onOpen = () => {
@@ -458,19 +585,93 @@ class PersistentGatewayConnection {
       ws.on("open", onOpen);
       ws.on("error", onError);
     });
+    const nonce = await new Promise((resolve2) => {
+      let done = false;
+      const timer = setTimeout(() => {
+        if (done) return;
+        done = true;
+        resolve2("");
+      }, 3e3);
+      const onMessage = (data) => {
+        try {
+          const str = typeof data === "string" ? data : data.toString();
+          const parsed = JSON.parse(str);
+          if (parsed.type === "event" && parsed.event === "connect.challenge") {
+            const n = parsed.payload?.nonce;
+            if (typeof n === "string" && n.length > 0) {
+              clearTimeout(timer);
+              ws.off("message", onMessage);
+              if (done) return;
+              done = true;
+              resolve2(n);
+            }
+          }
+        } catch {
+        }
+      };
+      ws.on("message", onMessage);
+    });
     ws.on("message", (data) => this._onMessage(data));
     ws.on("close", () => this._onClose());
     ws.on("error", () => {
     });
     const connectId = randomUUID();
-    const connectParams = buildConnectParams(token, password);
-    ws.send(JSON.stringify({
-      type: "req",
-      id: connectId,
-      method: "connect",
-      params: connectParams
-    }));
-    await this._waitForRes(connectId, 1e4);
+    const shouldFallback = process.env.OPENCAMI_DEVICE_AUTH_FALLBACK === "1" || process.env.OPENCAMI_DEVICE_AUTH_FALLBACK === "true";
+    try {
+      const connectParams = buildConnectParams(token, password, nonce);
+      ws.send(
+        JSON.stringify({
+          type: "req",
+          id: connectId,
+          method: "connect",
+          params: connectParams
+        })
+      );
+      const hello = await this._waitForRes(connectId, 1e4);
+      const grantedScopes = hello?.auth?.scopes;
+      if (Array.isArray(grantedScopes) && !grantedScopes.includes("operator.read")) {
+        throw new Error(
+          `Gateway connected but missing required scope: operator.read (granted: ${grantedScopes.join(", ")})`
+        );
+      }
+    } catch (err) {
+      if (!shouldFallback) throw err;
+      console.warn(
+        "[gateway-ws] Device auth connect failed; retrying without device identity (fallback enabled):",
+        err instanceof Error ? err.message : err
+      );
+      const fallbackId = randomUUID();
+      const fallbackParams = {
+        minProtocol: 3,
+        maxProtocol: 3,
+        client: {
+          id: "openclaw-control-ui",
+          displayName: "OpenCami",
+          version: "dev",
+          platform: process.platform,
+          mode: "webchat",
+          instanceId: loadOrCreateInstanceId()
+        },
+        caps: [],
+        auth: {
+          token: token || void 0,
+          password: password || void 0
+        },
+        role: "operator",
+        scopes: ["operator.read", "operator.write"],
+        userAgent: `opencami/${process.env.npm_package_version ?? "dev"} (node ${process.version})`,
+        locale: process.env.LANG || "en"
+      };
+      ws.send(
+        JSON.stringify({
+          type: "req",
+          id: fallbackId,
+          method: "connect",
+          params: fallbackParams
+        })
+      );
+      await this._waitForRes(fallbackId, 1e4);
+    }
     this.connected = true;
     this.reconnectDelay = 1e3;
     console.log("[gateway-ws] Persistent connection established");

package/dist/server/assets/{search-dialog-DReM5ZD2.js → search-dialog-BnwiXpdA.js}

@@ -5,7 +5,7 @@ import { HugeiconsIcon } from "@hugeicons/react";
 import { Search01Icon, Cancel01Icon, Loading03Icon } from "@hugeicons/core-free-icons";
 import { D as DialogRoot, a as DialogContent } from "./use-file-explorer-state-s7CS50ho.js";
 import { useQueryClient } from "@tanstack/react-query";
-import { c as chatQueryKeys } from "./_sessionKey-Bq_fl7uv.js";
+import { c as chatQueryKeys } from "./_sessionKey-C9o7YfxA.js";
 import { c as cn } from "./button-CwY2OHFj.js";
 import "@base-ui/react/dialog";
 import "zustand";
@@ -26,12 +26,12 @@ import "remark-gfm";
 import "./index-Dl2BOKP7.js";
 import "zustand/middleware";
 import "react-dom";
-import "./router-bN_iTo0B.js";
+import "./router-DCjikH21.js";
 import "node:crypto";
-import "ws";
 import "node:fs";
-import "node:path";
 import "node:os";
+import "node:path";
+import "ws";
 import "@tanstack/router-core/ssr/client";
 import "node:stream";
 import "node:child_process";

package/dist/server/assets/{settings-dialog-BUOrQN3Z.js → settings-dialog-ClKFnZ1x.js}

@@ -8,7 +8,7 @@ import { D as DialogRoot, a as DialogContent, b as DialogTitle, c as DialogDescr
 import { S as Switch } from "./switch-BbkUeVDV.js";
 import { T as Tabs, a as TabsList, b as TabsTab } from "./tabs-DDFZob0m.js";
 import { u as useChatSettings } from "./index-Dl2BOKP7.js";
-import { u as useLlmSettings, g as getLlmProviderDefaults } from "./_sessionKey-Bq_fl7uv.js";
+import { u as useLlmSettings, g as getLlmProviderDefaults } from "./_sessionKey-C9o7YfxA.js";
 import "@base-ui/react/merge-props";
 import "@base-ui/react/use-render";
 import "class-variance-authority";
@@ -35,12 +35,12 @@ import "react-markdown";
 import "remark-breaks";
 import "remark-gfm";
 import "react-dom";
-import "./router-bN_iTo0B.js";
+import "./router-DCjikH21.js";
 import "node:crypto";
-import "ws";
 import "node:fs";
-import "node:path";
 import "node:os";
+import "node:path";
+import "ws";
 import "@tanstack/router-core/ssr/client";
 import "node:stream";
 import "node:child_process";

package/dist/server/server.js

@@ -656,7 +656,7 @@ function getStartResponseHeaders(opts) {
 let entriesPromise;
 let manifestPromise;
 async function loadEntries() {
-  const routerEntry = await import("./assets/router-bN_iTo0B.js").then((n) => n.r);
+  const routerEntry = await import("./assets/router-DCjikH21.js").then((n) => n.r);
   const startEntry = await import("./assets/start-HYkvq4Ni.js");
   return { startEntry, routerEntry };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencami",
-  "version": "1.8.2",
+  "version": "1.8.3",
   "type": "module",
   "description": "OpenCami - A beautiful web client for OpenClaw",
   "bin": {