openclaw-abacusai-auth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 tonyhu2006
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,338 @@
+# AbacusAI Auth (OpenClaw Plugin)
+
+Third-party provider plugin that integrates **AbacusAI** models into OpenClaw via
+**direct connection** to AbacusAI's **RouteLLM** endpoint. The plugin configures
+core compatibility options (`requiresAdditionalPropertiesFalse`, `supportsStrictMode`)
+so that the OpenClaw Agent can use AbacusAI-hosted models (Claude, Gemini, GPT,
+DeepSeek, Qwen, Grok, Kimi, Llama, and more) with full **multi-tool calling** support.
+
+| Field           | Value                                       |
+| --------------- | ------------------------------------------- |
+| **Package**     | `openclaw-abacusai-auth`                    |
+| **Entry**       | `./index.ts`                                |
+| **Provider ID** | `abacusai`                                  |
+| **Aliases**     | `abacus`, `abacus-ai`, `abacusai-code-mode` |
+| **API style**   | `openai-completions` (direct connection)    |
+| **Upstream**    | `https://routellm.abacus.ai/v1`             |
+
+---
+
+## Installation
+
+### Option 1: Install from npm (recommended)
+
+```bash
+openclaw plugins install openclaw-abacusai-auth
+```
+
+### Option 2: Manual installation
+
+1. Clone this repository:
+```bash
+git clone https://github.com/tonyhu2006/openclaw-abacusai-auth.git ~/.openclaw/extensions/abacusai-auth
+```
+
+2. Install dependencies:
+```bash
+cd ~/.openclaw/extensions/abacusai-auth
+npm install
+```
+
+3. Enable the plugin:
+```bash
+openclaw plugins enable abacusai-auth
+```
+
+---
+
+## Quick Start
+
+### 1. Authenticate
+
+```bash
+openclaw models auth login --provider abacusai --set-default
+```
+
+The interactive login flow will:
+
+1. Attempt to **auto-detect** credentials from a local AbacusAI Code Mode installation.
+2. Fall back to the `ABACUSAI_API_KEY` environment variable.
+3. Prompt for **manual entry** if neither is found.
+4. **Validate** the API key against `https://api.abacus.ai/api/v0/describeUser`.
+5. Let you select which models to register (defaults to all supported models).
+6. Write the provider config to `openclaw.json` with compat options.
+
+### 2. Restart the Gateway
+
+```bash
+openclaw gateway run
+```
+
+### 3. Use AbacusAI models
+
+```bash
+openclaw send "Hello" --model abacusai/gemini-3-flash-preview
+```
+
+---
+
+## Architecture
+
+```
+┌──────────────────────────────────────────────────────────────────┐
+│  OpenClaw Agent (Pi Agent)                                       │
+│  Sends standard OpenAI-compatible requests                       │
+│  (POST /v1/chat/completions with tools[])                        │
+└──────────────┬───────────────────────────────────────────────────┘
+               │
+               ▼
+┌──────────────────────────────────────────────────────────────────┐
+│  Core Tool Schema Normalization (pi-tools.schema.ts)             │
+│                                                                  │
+│  1. Reads provider compat from config                            │
+│  2. If requiresAdditionalPropertiesFalse: true                   │
+│     → Sets additionalProperties: false in tool schemas           │
+│  3. If supportsStrictMode: false                                 │
+│     → pi-ai omits `strict` field from tool definitions           │
+└──────────────┬───────────────────────────────────────────────────┘
+               │ https://routellm.abacus.ai/v1
+               ▼
+┌──────────────────────────────────────────────────────────────────┐
+│  AbacusAI RouteLLM Endpoint                                      │
+│  OpenAI-compatible API with function calling                     │
+│  Routes to Claude, Gemini, GPT, DeepSeek, Llama, etc.           │
+└──────────────────────────────────────────────────────────────────┘
+```
+
+**Why core compat options instead of a local proxy?** AbacusAI's RouteLLM is
+_mostly_ OpenAI-compatible but has two schema requirements:
+
+1. Rejects the `strict` field in tool schemas → `supportsStrictMode: false`
+2. Requires `additionalProperties: false` → `requiresAdditionalPropertiesFalse: true`
+
+By using core `ModelCompatConfig` options, we:
+
+- Avoid the complexity of a local proxy
+- Enable the same fix for other providers with similar requirements
+- Let pi-ai handle the `strict` field natively (it already supports `supportsStrictMode`)
+
+---
+
+## Supported Models
+
+The following models are registered by default (verified February 2026):
+
+| Model ID                      | Family               |
+| ----------------------------- | -------------------- |
+| `gemini-3-flash-preview`      | Google Gemini        |
+| `gemini-3-pro-preview`        | Google Gemini        |
+| `gemini-2.5-flash`            | Google Gemini        |
+| `gemini-2.5-pro`              | Google Gemini        |
+| `gpt-5.2`                     | OpenAI GPT           |
+| `gpt-5.1`                     | OpenAI GPT           |
+| `gpt-5-mini`                  | OpenAI GPT           |
+| `claude-sonnet-4-5-20250929`  | Anthropic Claude     |
+| `claude-opus-4-6`             | Anthropic Claude     |
+| `claude-haiku-4-5-20251001`   | Anthropic Claude     |
+| `deepseek-ai/DeepSeek-V3.2`   | DeepSeek             |
+| `deepseek-ai/DeepSeek-R1`     | DeepSeek             |
+| `kimi-k2.5`                   | Moonshot Kimi        |
+| `qwen3-max`                   | Alibaba Qwen         |
+| `grok-4-1-fast-non-reasoning` | xAI Grok             |
+| `route-llm`                   | AbacusAI Auto-Router |
+
+All models are configured with:
+
+- **Context window**: 200,000 tokens
+- **Max output tokens**: 8,192 tokens
+- **Input modalities**: text, image
+- **API**: `openai-completions`
+
+You can customize the model list during the interactive login flow.
+
+---
+
+## Credential Resolution
+
+The plugin resolves API keys using a multi-tier fallback strategy, checked in order:
+
+### During Login (`openclaw models auth login`)
+
+1. **Local AbacusAI Code Mode installation** — scans platform-specific paths:
+   - **Windows**: `%APPDATA%\AbacusAI\User\globalStorage\credentials.json`,
+     `%APPDATA%\AbacusAI Code Mode\User\globalStorage\credentials.json`,
+     `%USERPROFILE%\.abacusai\credentials.json`, `%USERPROFILE%\.abacusai\config.json`
+   - **macOS**: `~/Library/Application Support/AbacusAI/...`, `~/.abacusai/...`
+   - **Linux**: `~/.config/AbacusAI/...`, `~/.abacusai/...`
+   - Accepts fields: `apiKey`, `api_key`, `token`, `accessToken`, `access_token`
+2. **Environment variable** — `ABACUSAI_API_KEY`
+3. **Manual entry** — interactive prompt
+
+---
+
+## Core Compatibility Options
+
+This plugin configures two core `ModelCompatConfig` options that are essential
+for AbacusAI RouteLLM compatibility:
+
+### `requiresAdditionalPropertiesFalse`
+
+AbacusAI RouteLLM requires `additionalProperties: false` in tool parameter schemas.
+When this option is set to `true`, the `normalizeToolParameters` function in
+`pi-tools.schema.ts` sets `additionalProperties: false` instead of the default `true`.
+
+### `supportsStrictMode`
+
+AbacusAI RouteLLM rejects the `strict` field in tool definitions. When this option
+is set to `false`, the pi-ai library omits the `strict` field from tool definitions.
+
+### Provider Configuration
+
+The plugin configures the AbacusAI provider with these compat options:
+
+```json
+{
+  "baseUrl": "https://routellm.abacus.ai/v1",
+  "api": "openai-completions",
+  "auth": "token",
+  "compat": {
+    "requiresAdditionalPropertiesFalse": true,
+    "supportsStrictMode": false
+  }
+}
+```
+
+---
+
+## Configuration Reference
+
+After login, the plugin writes the following to `~/.openclaw/openclaw.json`:
+
+```jsonc
+{
+  "models": {
+    "providers": {
+      "abacusai": {
+        "baseUrl": "https://routellm.abacus.ai/v1",
+        "api": "openai-completions",
+        "auth": "token",
+        "compat": {
+          "requiresAdditionalPropertiesFalse": true,
+          "supportsStrictMode": false,
+        },
+        "models": [
+          {
+            "id": "gemini-3-flash-preview",
+            "name": "gemini-3-flash-preview",
+            "api": "openai-completions",
+            "reasoning": false,
+            "input": ["text", "image"],
+            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
+            "contextWindow": 200000,
+            "maxTokens": 8192,
+          },
+          // ... other models
+        ],
+      },
+    },
+  },
+}
+```
+
+Credentials are stored separately in `~/.openclaw/agents/<agent>/agent/auth-profiles.json`:
+
+```jsonc
+{
+  "profiles": {
+    "abacusai:<email-or-default>": {
+      "type": "token",
+      "provider": "abacusai",
+      "token": "<api-key>",
+    },
+  },
+}
+```
+
+### Environment Variables
+
+| Variable             | Description                                                    |
+| -------------------- | -------------------------------------------------------------- |
+| `ABACUSAI_API_KEY`   | API key fallback (used if no saved profile is found)           |
+| `OPENCLAW_STATE_DIR` | Override the OpenClaw state directory (default: `~/.openclaw`) |
+
+---
+
+## Troubleshooting
+
+### Tool calling not working
+
+If tool calls fail with schema-related errors, ensure the provider has the
+correct compat options configured:
+
+```json
+"compat": {
+  "requiresAdditionalPropertiesFalse": true,
+  "supportsStrictMode": false
+}
+```
+
+### API key validation failed
+
+Your API key may have been revoked or expired. Generate a new one at
+<https://abacus.ai/app/profile/apikey> and re-authenticate:
+
+```bash
+openclaw models auth login --provider abacusai --set-default
+```
+
+### Plugin not found
+
+If AbacusAI models are not available, ensure the plugin is installed:
+
+```bash
+openclaw plugins install openclaw-abacusai-auth
+```
+
+---
+
+## Getting an API Key
+
+1. Sign in at <https://abacus.ai>
+2. Navigate to **Profile → API Keys** (<https://abacus.ai/app/profile/apikey>)
+3. Click **Generate new API Key**
+4. Copy the key (starts with `s2_...`)
+
+---
+
+## File Structure
+
+```
+openclaw-abacusai-auth/
+├── index.ts              # Plugin source (auth, credential detection, model definitions)
+├── package.json          # Package metadata
+├── openclaw.plugin.json  # Plugin manifest
+└── README.md             # This file
+```
+
+## Key Constants
+
+| Constant                 | Value                           | Description                            |
+| ------------------------ | ------------------------------- | -------------------------------------- |
+| `ROUTELLM_BASE`          | `https://routellm.abacus.ai/v1` | Upstream RouteLLM endpoint             |
+| `ABACUS_API`             | `https://api.abacus.ai/api/v0`  | AbacusAI REST API (for key validation) |
+| `DEFAULT_CONTEXT_WINDOW` | 200,000                         | Default context window for all models  |
+| `DEFAULT_MAX_TOKENS`     | 8,192                           | Default max output tokens              |
+
+---
+
+## License
+
+MIT
+
+## Author
+
+[tonyhu2006](https://github.com/tonyhu2006)
+
+## Contributing
+
+Issues and PRs welcome at <https://github.com/tonyhu2006/openclaw-abacusai-auth>

package/index.ts

@@ -0,0 +1,683 @@
+import { readFileSync, readdirSync } from "node:fs";
+import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { emptyPluginConfigSchema, fetchWithSsrFGuard } from "openclaw/plugin-sdk";
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const ABACUS_API = "https://api.abacus.ai/api/v0";
+const ROUTELLM_BASE = "https://routellm.abacus.ai/v1";
+const DEFAULT_CONTEXT_WINDOW = 200_000;
+const DEFAULT_MAX_TOKENS = 8192;
+
+// Proxy configuration
+const PROXY_PORT = 18790;
+const PROXY_HOST = "127.0.0.1";
+
+// Models available on AbacusAI RouteLLM endpoint (OpenAI-compatible, with
+// function calling support). Verified 2026-02.
+const DEFAULT_MODEL_IDS = [
+  // Google Gemini
+  "gemini-3-flash-preview",
+  "gemini-3-pro-preview",
+  "gemini-2.5-flash",
+  "gemini-2.5-pro",
+  // OpenAI GPT
+  "gpt-5.2",
+  "gpt-5.2-codex",
+  "gpt-5.1",
+  "gpt-5.1-codex",
+  "gpt-5.1-codex-max",
+  "gpt-5",
+  "gpt-5-codex",
+  "gpt-5-mini",
+  "gpt-5-nano",
+  // OpenAI o-series (reasoning)
+  "o3-pro",
+  "o3",
+  "o3-mini",
+  "o4-mini",
+  // Anthropic Claude
+  "claude-sonnet-4-5-20250929",
+  "claude-opus-4-6",
+  "claude-opus-4-5-20251101",
+  "claude-sonnet-4-20250514",
+  "claude-haiku-4-5-20251001",
+  // DeepSeek
+  "deepseek-ai/DeepSeek-V3.2",
+  "deepseek-ai/DeepSeek-V3.1-Terminus",
+  "deepseek-ai/DeepSeek-R1",
+  // xAI Grok
+  "grok-4-0709",
+  "grok-4-1-fast-non-reasoning",
+  "grok-4-fast-non-reasoning",
+  "grok-code-fast-1",
+  // Meta Llama
+  "meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8",
+  "meta-llama/Meta-Llama-3.1-405B-Instruct-Turbo",
+  "llama-3.3-70b-versatile",
+  // Qwen
+  "qwen3-max",
+  "Qwen/Qwen3-235B-A22B-Instruct-2507",
+  "Qwen/Qwen3-32B",
+  "qwen/qwen3-coder-480b-a35b-instruct",
+  // Moonshot Kimi
+  "kimi-k2.5",
+  "kimi-k2-turbo-preview",
+  // Z.AI GLM
+  "zai-org/glm-4.7",
+  "zai-org/glm-4.6",
+  // Other
+  "openai/gpt-oss-120b",
+  // AbacusAI auto-router
+  "route-llm",
+];
+
+// ---------------------------------------------------------------------------
+// Credential detection (Code Mode / env / manual)
+// ---------------------------------------------------------------------------
+
+const CODE_MODE_CREDENTIAL_PATHS = {
+  win32: [
+    join(homedir(), "AppData", "Roaming", "AbacusAI", "User", "globalStorage", "credentials.json"),
+    join(
+      homedir(),
+      "AppData",
+      "Roaming",
+      "AbacusAI Code Mode",
+      "User",
+      "globalStorage",
+      "credentials.json",
+    ),
+    join(homedir(), ".abacusai", "credentials.json"),
+    join(homedir(), ".abacusai", "config.json"),
+  ],
+  darwin: [
+    join(
+      homedir(),
+      "Library",
+      "Application Support",
+      "AbacusAI",
+      "User",
+      "globalStorage",
+      "credentials.json",
+    ),
+    join(
+      homedir(),
+      "Library",
+      "Application Support",
+      "AbacusAI Code Mode",
+      "User",
+      "globalStorage",
+      "credentials.json",
+    ),
+    join(homedir(), ".abacusai", "credentials.json"),
+    join(homedir(), ".abacusai", "config.json"),
+  ],
+  linux: [
+    join(homedir(), ".config", "AbacusAI", "User", "globalStorage", "credentials.json"),
+    join(homedir(), ".config", "AbacusAI Code Mode", "User", "globalStorage", "credentials.json"),
+    join(homedir(), ".abacusai", "credentials.json"),
+    join(homedir(), ".abacusai", "config.json"),
+  ],
+};
+
+type CredentialFile = {
+  apiKey?: string;
+  api_key?: string;
+  token?: string;
+  accessToken?: string;
+  access_token?: string;
+};
+
+function tryReadLocalCredential(): string | null {
+  const platform = process.platform as "win32" | "darwin" | "linux";
+  const paths = CODE_MODE_CREDENTIAL_PATHS[platform] ?? CODE_MODE_CREDENTIAL_PATHS.linux;
+  for (const credPath of paths) {
+    try {
+      const raw = readFileSync(credPath, "utf8");
+      const data = JSON.parse(raw) as CredentialFile;
+      const key =
+        data.apiKey?.trim() ||
+        data.api_key?.trim() ||
+        data.token?.trim() ||
+        data.accessToken?.trim() ||
+        data.access_token?.trim();
+      if (key) {
+        return key;
+      }
+    } catch {
+      // not found — try next
+    }
+  }
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Saved credential recovery (for proxy auto-restart after reboot)
+// ---------------------------------------------------------------------------
+
+function resolveOpenClawStateDir(): string {
+  const override = process.env.OPENCLAW_STATE_DIR?.trim() || process.env.CLAWDBOT_STATE_DIR?.trim();
+  if (override) {
+    return override;
+  }
+  return join(homedir(), ".openclaw");
+}
+
+function tryRecoverApiKey(): string | null {
+  const stateDir = resolveOpenClawStateDir();
+
+  // Helper: extract abacusai API key from an auth-profiles.json file
+  function extractFromAuthFile(authPath: string): string | null {
+    try {
+      const raw = JSON.parse(readFileSync(authPath, "utf8")) as {
+        profiles?: Record<string, { token?: string; key?: string; provider?: string }>;
+      };
+      if (raw.profiles) {
+        for (const [id, profile] of Object.entries(raw.profiles)) {
+          if (!id.startsWith("abacusai:")) {
+            continue;
+          }
+          // Credentials may use "token" or "key" field depending on auth flow
+          const secret = profile.token?.trim() || profile.key?.trim();
+          if (secret) {
+            return secret;
+          }
+        }
+      }
+    } catch {
+      // file not found or unreadable
+    }
+    return null;
+  }
+
+  // Primary: search agents/*/agent/auth-profiles.json (actual storage location)
+  try {
+    const agentsDir = join(stateDir, "agents");
+    for (const agentName of readdirSync(agentsDir)) {
+      const authPath = join(agentsDir, agentName, "agent", "auth-profiles.json");
+      const key = extractFromAuthFile(authPath);
+      if (key) {
+        return key;
+      }
+    }
+  } catch {
+    // agents dir not found
+  }
+
+  // Fallback: try root-level auth-profiles.json (legacy or future layout)
+  const rootKey = extractFromAuthFile(join(stateDir, "auth-profiles.json"));
+  if (rootKey) {
+    return rootKey;
+  }
+
+  // Fallback: try environment variable
+  const envKey = process.env.ABACUSAI_API_KEY?.trim();
+  if (envKey) {
+    return envKey;
+  }
+  // Fallback: try local Code Mode credentials
+  return tryReadLocalCredential();
+}
+
+// ---------------------------------------------------------------------------
+// AbacusAI API helpers
+// ---------------------------------------------------------------------------
+
+async function validateApiKey(
+  apiKey: string,
+): Promise<{ valid: boolean; email?: string; error?: string }> {
+  try {
+    const { response: r, release } = await fetchWithSsrFGuard({
+      url: `${ABACUS_API}/describeUser`,
+      init: {
+        method: "GET",
+        headers: { apiKey, "Content-Type": "application/json" },
+      },
+      timeoutMs: 15_000,
+    });
+    try {
+      if (!r.ok) {
+        return { valid: false, error: r.status === 403 ? "Invalid API key" : `HTTP ${r.status}` };
+      }
+      const d = (await r.json()) as { success?: boolean; result?: { email?: string } };
+      if (!d.success) {
+        return { valid: false, error: "API returned unsuccessful response" };
+      }
+      return { valid: true, email: d.result?.email?.trim() };
+    } finally {
+      await release();
+    }
+  } catch (err) {
+    return {
+      valid: false,
+      error: `Validation failed: ${err instanceof Error ? err.message : String(err)}`,
+    };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Local proxy for RouteLLM response normalization
+// ---------------------------------------------------------------------------
+// RouteLLM responses are missing `id` and `object` fields that OpenAI SDK expects.
+// This proxy adds those fields to ensure compatibility.
+
+let proxyServer: ReturnType<typeof createServer> | null = null;
+let proxyApiKey = "";
+
+function readBody(req: IncomingMessage): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    req.on("data", (chunk: Buffer) => chunks.push(chunk));
+    req.on("end", () => resolve(Buffer.concat(chunks)));
+    req.on("error", reject);
+  });
+}
+
+function sendJsonResponse(res: ServerResponse, status: number, data: unknown) {
+  const body = JSON.stringify(data);
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(body);
+}
+
+function generateChunkId(): string {
+  return `chatcmpl-${crypto.randomUUID()}`;
+}
+
+/**
+ * Normalize SSE chunk to add missing id and object fields
+ */
+function normalizeSseChunk(line: string, chunkId: string): string {
+  if (!line.startsWith("data: ") || line === "data: [DONE]") {
+    return line;
+  }
+  try {
+    const json = JSON.parse(line.slice(6)) as Record<string, unknown>;
+    if (!("id" in json)) {
+      json.id = chunkId;
+    }
+    if (!("object" in json)) {
+      json.object = "chat.completion.chunk";
+    }
+    return `data: ${JSON.stringify(json)}`;
+  } catch {
+    return line;
+  }
+}
+
+/**
+ * Strip `strict` field from tools - RouteLLM doesn't support it
+ */
+function stripStrictFromTools(tools: unknown[]): unknown[] {
+  return tools.map((t) => {
+    if (!t || typeof t !== "object") {
+      return t;
+    }
+    const copy = { ...(t as Record<string, unknown>) };
+    delete copy.strict;
+    if (copy.function && typeof copy.function === "object") {
+      const fn = { ...(copy.function as Record<string, unknown>) };
+      delete fn.strict;
+      copy.function = fn;
+    }
+    return copy;
+  });
+}
+
+async function handleProxyRequest(req: IncomingMessage, res: ServerResponse) {
+  const path = req.url ?? "/";
+  const target = `${ROUTELLM_BASE}${path}`;
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${proxyApiKey}`,
+    "Content-Type": "application/json",
+  };
+
+  let body: string | undefined;
+  if (req.method === "POST") {
+    const raw = await readBody(req);
+    const parsed = JSON.parse(raw.toString()) as Record<string, unknown>;
+    // Strip `strict` field from tools - RouteLLM doesn't support it
+    if (Array.isArray(parsed.tools)) {
+      parsed.tools = stripStrictFromTools(parsed.tools);
+    }
+    body = JSON.stringify(parsed);
+  }
+
+  const { response: upstream, release } = await fetchWithSsrFGuard({
+    url: target,
+    init: {
+      method: req.method ?? "GET",
+      headers: body ? headers : { Authorization: headers.Authorization },
+      body: body ?? undefined,
+    },
+    timeoutMs: 180_000,
+  });
+
+  // Detect expired/revoked API key at runtime
+  if (upstream.status === 401 || upstream.status === 403) {
+    const errBody = await upstream.text().catch(() => "");
+    await release();
+    console.error(
+      `[abacusai] Upstream returned ${upstream.status} — API key may be expired or revoked.`,
+    );
+    sendJsonResponse(res, upstream.status, {
+      error: {
+        message: `AbacusAI API key expired or invalid (HTTP ${upstream.status}).`,
+        type: "auth_expired",
+        upstream_body: errBody.slice(0, 500),
+      },
+    });
+    return;
+  }
+
+  const ct = upstream.headers.get("content-type") ?? "application/json";
+  const chunkId = generateChunkId();
+
+  // Stream SSE response with normalization
+  if (ct.includes("text/event-stream") && upstream.body) {
+    res.writeHead(upstream.status, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+    });
+    const reader = (upstream.body as ReadableStream<Uint8Array>).getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+
+    const pump = async () => {
+      for (;;) {
+        const { done, value } = await reader.read();
+        if (done) {
+          // Process any remaining buffer
+          if (buffer.trim()) {
+            const normalized = normalizeSseChunk(buffer.trim(), chunkId);
+            res.write(normalized + "\n\n");
+          }
+          res.end();
+          await release();
+          return;
+        }
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+        for (const line of lines) {
+          if (line.trim()) {
+            const normalized = normalizeSseChunk(line, chunkId);
+            res.write(normalized + "\n");
+          } else {
+            res.write("\n");
+          }
+        }
+      }
+    };
+    pump().catch(async () => {
+      res.end();
+      await release();
+    });
+  } else {
+    // Non-streaming response - add id and object fields
+    const data = await upstream.text();
+    await release();
+    try {
+      const json = JSON.parse(data) as Record<string, unknown>;
+      if (!("id" in json)) {
+        json.id = chunkId;
+      }
+      if (!("object" in json)) {
+        json.object = "chat.completion";
+      }
+      res.writeHead(upstream.status, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(json));
+    } catch {
+      res.writeHead(upstream.status, { "Content-Type": ct });
+      res.end(data);
+    }
+  }
+}
+
+function startProxy(apiKey: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    if (proxyServer) {
+      proxyApiKey = apiKey;
+      resolve();
+      return;
+    }
+    proxyApiKey = apiKey;
+    proxyServer = createServer((req, res) => {
+      handleProxyRequest(req, res).catch((err) => {
+        console.error("[abacusai] proxy error:", err);
+        sendJsonResponse(res, 500, { error: { message: String(err) } });
+      });
+    });
+    proxyServer.listen(PROXY_PORT, PROXY_HOST, () => {
+      console.log(`[abacusai] proxy listening on http://${PROXY_HOST}:${PROXY_PORT}`);
+      resolve();
+    });
+    proxyServer.on("error", (err: NodeJS.ErrnoException) => {
+      if (err.code === "EADDRINUSE") {
+        // Port already in use, assume proxy is already running
+        proxyServer = null;
+        resolve();
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function parseModelIds(input: string): string[] {
+  return Array.from(
+    new Set(
+      input
+        .split(/[\n,]/)
+        .map((m) => m.trim())
+        .filter(Boolean),
+    ),
+  );
+}
+
+function buildModelDefinition(modelId: string) {
+  return {
+    id: modelId,
+    name: modelId,
+    api: "openai-completions",
+    reasoning: false,
+    input: ["text", "image"],
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: DEFAULT_CONTEXT_WINDOW,
+    maxTokens: DEFAULT_MAX_TOKENS,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Plugin
+// ---------------------------------------------------------------------------
+
+// Type definitions for plugin API
+interface PluginPrompter {
+  progress: (msg: string) => { update: (msg: string) => void; stop: (msg: string) => void };
+  confirm: (opts: { message: string; initialValue: boolean }) => Promise<boolean>;
+  text: (opts: {
+    message: string;
+    placeholder?: string;
+    initialValue?: string;
+    validate?: (v: string) => string | undefined;
+  }) => Promise<string>;
+}
+
+interface PluginAuthContext {
+  prompter: PluginPrompter;
+}
+
+const abacusaiPlugin = {
+  id: "abacusai-auth",
+  name: "AbacusAI Auth",
+  description: "AbacusAI RouteLLM provider plugin with direct connection and schema normalization",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: unknown) {
+    const pluginApi = api as {
+      registerProvider: (config: unknown) => void;
+      config?: {
+        models?: { providers?: { abacusai?: { compat?: { supportsStrictMode?: boolean } } } };
+      };
+    };
+
+    // Direct connection mode - no proxy needed
+    // Core code handles schema cleaning via requiresCleanSchema compat option
+
+    pluginApi.registerProvider({
+      id: "abacusai",
+      label: "AbacusAI",
+      docsPath: "/providers/models",
+      aliases: ["abacus", "abacus-ai", "abacusai-code-mode"],
+      envVars: ["ABACUSAI_API_KEY"],
+      auth: [
+        {
+          id: "api-key",
+          label: "AbacusAI API key",
+          hint: "Enter your AbacusAI API key or auto-detect from Code Mode",
+          kind: "custom",
+          run: async (ctx: PluginAuthContext) => {
+            const spin = ctx.prompter.progress("Setting up AbacusAI…");
+
+            try {
+              // --- Credential resolution (3-tier) ---
+              const localKey = tryReadLocalCredential();
+              let apiKey = "";
+
+              if (localKey) {
+                spin.update("Found local AbacusAI credentials…");
+                const useLocal = await ctx.prompter.confirm({
+                  message: `Found AbacusAI credentials locally (${localKey.slice(0, 8)}…). Use them?`,
+                  initialValue: true,
+                });
+                if (useLocal) {
+                  apiKey = localKey;
+                }
+              }
+
+              if (!apiKey) {
+                const envKey = process.env.ABACUSAI_API_KEY?.trim();
+                if (envKey) {
+                  spin.update("Found ABACUSAI_API_KEY environment variable…");
+                  const useEnv = await ctx.prompter.confirm({
+                    message: "Found ABACUSAI_API_KEY in environment. Use it?",
+                    initialValue: true,
+                  });
+                  if (useEnv) {
+                    apiKey = envKey;
+                  }
+                }
+              }
+
+              if (!apiKey) {
+                const input = await ctx.prompter.text({
+                  message: "AbacusAI API key",
+                  placeholder: "Paste your API key from https://abacus.ai/app/profile/apikey",
+                  validate: (value: string) => {
+                    const t = value.trim();
+                    if (!t) {
+                      return "API key is required";
+                    }
+                    if (t.length < 10) {
+                      return "API key looks too short";
+                    }
+                    return undefined;
+                  },
+                });
+                apiKey = String(input).trim();
+              }
+
+              if (!apiKey) {
+                throw new Error("No API key provided");
+              }
+
+              // --- Validate ---
+              spin.update("Validating API key…");
+              const validation = await validateApiKey(apiKey);
+              if (!validation.valid) {
+                spin.stop("API key validation failed");
+                const saveAnyway = await ctx.prompter.confirm({
+                  message: `Validation failed: ${validation.error}\nSave this key anyway? (You can re-authenticate later)`,
+                  initialValue: false,
+                });
+                if (!saveAnyway) {
+                  throw new Error("Aborted: API key validation failed");
+                }
+              }
+
+              // --- Model selection ---
+              const modelInput = await ctx.prompter.text({
+                message: "Model IDs (comma-separated)",
+                initialValue: DEFAULT_MODEL_IDS.join(", "),
+                validate: (v: string) =>
+                  parseModelIds(v).length > 0 ? undefined : "Enter at least one model id",
+              });
+              const modelIds = parseModelIds(modelInput);
+              const defaultModelId = modelIds[0] ?? DEFAULT_MODEL_IDS[0];
+              const defaultModelRef = `abacusai/${defaultModelId}`;
+
+              const profileId = `abacusai:${validation.email ?? "default"}`;
+              spin.stop("AbacusAI configured");
+
+              return {
+                profiles: [
+                  {
+                    profileId,
+                    credential: {
+                      type: "api_key",
+                      provider: "abacusai",
+                      key: apiKey,
+                      ...(validation.email ? { email: validation.email } : {}),
+                    },
+                  },
+                ],
+                configPatch: {
+                  models: {
+                    providers: {
+                      abacusai: {
+                        baseUrl: ROUTELLM_BASE,
+                        api: "openai-completions",
+                        auth: "token",
+                        models: modelIds.map((id) => buildModelDefinition(id)),
+                        compat: {
+                          requiresAdditionalPropertiesFalse: true,
+                          supportsStrictMode: false,
+                          requiresCleanSchema: true,
+                        },
+                      },
+                    },
+                  },
+                  agents: {
+                    defaults: {
+                      models: Object.fromEntries(modelIds.map((id) => [`abacusai/${id}`, {}])),
+                    },
+                  },
+                },
+                defaultModel: defaultModelRef,
+                notes: [
+                  "Direct connection to AbacusAI RouteLLM with schema normalization.",
+                  "Full OpenAI function-calling support is enabled.",
+                  "Manage your API keys at https://abacus.ai/app/profile/apikey",
+                ],
+              };
+            } catch (err) {
+              spin.stop("AbacusAI setup failed");
+              throw err;
+            }
+          },
+        },
+      ],
+    });
+  },
+};
+
+export default abacusaiPlugin;

package/openclaw.plugin.json

@@ -0,0 +1,9 @@
+{
+  "id": "abacusai-auth",
+  "providers": ["abacusai"],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "openclaw-abacusai-auth",
+  "version": "1.0.0",
+  "description": "OpenClaw AbacusAI provider plugin - Third-party plugin for AbacusAI RouteLLM integration",
+  "type": "module",
+  "main": "index.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tonyhu2006/openclaw-abacusai-auth.git"
+  },
+  "keywords": [
+    "openclaw",
+    "openclaw-plugin",
+    "abacusai",
+    "routellm",
+    "llm",
+    "ai"
+  ],
+  "author": "tonyhu2006",
+  "license": "MIT",
+  "peerDependencies": {
+    "openclaw": ">=2026.2.0"
+  },
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}