npm - openclaw-mcp - Versions diffs - 1.0.0 - Mend

openclaw-mcp 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +140 -0
package/dist/index.js +1326 -0
package/docs/configuration.md +63 -0
package/docs/deployment.md +78 -0
package/docs/development.md +98 -0
package/docs/installation.md +102 -0
package/package.json +74 -0
package/plugins/claude/openclaw/.claude-plugin/plugin.json +11 -0
package/plugins/claude/openclaw/.mcp.json +8 -0
package/plugins/claude/openclaw/README.md +66 -0
package/plugins/claude/openclaw/agents/task-delegator.md +33 -0
package/plugins/claude/openclaw/commands/chat.md +27 -0
package/plugins/claude/openclaw/commands/status.md +18 -0
package/plugins/claude/openclaw/skills/openclaw-management/SKILL.md +59 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1326 @@
+#!/usr/bin/env node
+// src/index.ts
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+// src/config/constants.ts
+var SERVER_NAME = "openclaw-mcp";
+var SERVER_VERSION = "1.0.0";
+var DEFAULT_OPENCLAW_URL = "http://127.0.0.1:18789";
+var SERVER_ICON_SVG_BASE64 = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB2aWV3Qm94PSIwIDAgMTI4IDEyOCIgZmlsbD0ibm9uZSI+PGRlZnM+PGxpbmVhckdyYWRpZW50IGlkPSJiZyIgeDE9IjAlIiB5MT0iMCUiIHgyPSIxMDAlIiB5Mj0iMTAwJSI+PHN0b3Agb2Zmc2V0PSIwJSIgc3RvcC1jb2xvcj0iIzFhMWEyZSIvPjxzdG9wIG9mZnNldD0iMTAwJSIgc3RvcC1jb2xvcj0iIzE2MjEzZSIvPjwvbGluZWFyR3JhZGllbnQ+PGxpbmVhckdyYWRpZW50IGlkPSJjbGF3IiB4MT0iMCUiIHkxPSIwJSIgeDI9IjEwMCUiIHkyPSIxMDAlIj48c3RvcCBvZmZzZXQ9IjAlIiBzdG9wLWNvbG9yPSIjZmYzMzMzIi8+PHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjY2MwMDAwIi8+PC9saW5lYXJHcmFkaWVudD48L2RlZnM+PHJlY3Qgd2lkdGg9IjEyOCIgaGVpZ2h0PSIxMjgiIHJ4PSIyNCIgZmlsbD0idXJsKCNiZykiLz48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSg2NCA2NCkiIHN0cm9rZT0idXJsKCNjbGF3KSIgc3Ryb2tlLXdpZHRoPSI3IiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGZpbGw9Im5vbmUiPjxwYXRoIGQ9Ik0tMjggLTM4YzAgMCAtMTAgMjAgMCAzMiIvPjxwYXRoIGQ9Ik0tMTIgLTQwYzAgMCAtNiAyMiA0IDM0Ii8+PHBhdGggZD0iTTI4IC0zOGMwIDAgMTAgMjAgMCAzMiIvPjxwYXRoIGQ9Ik0xMiAtNDBjMCAwIDYgMjIgLTQgMzQiLz48Y2lyY2xlIGN4PSIwIiBjeT0iMTAiIHI9IjIwIiBzdHJva2Utd2lkdGg9IjYiLz48cGF0aCBkPSJNLTEwIDR2LTQiIHN0cm9rZS13aWR0aD0iNCIvPjxwYXRoIGQ9Ik0xMCA0di00IiBzdHJva2Utd2lkdGg9IjQiLz48cGF0aCBkPSJNLTggMjBjNCA2IDEyIDYgMTYgMCIgc3Ryb2tlLXdpZHRoPSIzIi8+PC9nPjwvc3ZnPg==";
+// src/utils/logger.ts
+var DEBUG = process.env.DEBUG === "true" || process.env.NODE_ENV === "development";
+var SENSITIVE_PATTERNS = [
+  /Bearer\s+[A-Za-z0-9\-._~+/]+=*/gi,
+  /api[_-]?key["\s:=]+[A-Za-z0-9\-._~+/]{8,}/gi,
+  /token["\s:=]+[A-Za-z0-9\-._~+/]{8,}/gi,
+  /secret["\s:=]+[A-Za-z0-9\-._~+/]{8,}/gi,
+  /password["\s:=]+\S+/gi
+];
+function sanitizeLogMessage(message) {
+  let sanitized = message;
+  for (const pattern of SENSITIVE_PATTERNS) {
+    sanitized = sanitized.replace(pattern, "[REDACTED]");
+  }
+  return sanitized;
+}
+function log(message) {
+  console.error(`[openclaw-mcp] ${sanitizeLogMessage(message)}`);
+}
+function logError(message, error) {
+  console.error(`[openclaw-mcp] ERROR: ${sanitizeLogMessage(message)}`);
+  if (error) {
+    if (error instanceof Error) {
+      console.error(`[openclaw-mcp] ${sanitizeLogMessage(error.message)}`);
+    } else {
+      console.error("[openclaw-mcp] (non-Error object thrown)");
+    }
+  }
+}
+// src/cli.ts
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+function parseArguments(version) {
+  const argv = yargs(hideBin(process.argv)).version(version).option("openclaw-url", {
+    alias: "u",
+    type: "string",
+    description: "OpenClaw gateway URL",
+    default: process.env.OPENCLAW_URL || DEFAULT_OPENCLAW_URL
+  }).option("gateway-token", {
+    type: "string",
+    description: "Bearer token for OpenClaw gateway authentication",
+    default: process.env.OPENCLAW_GATEWAY_TOKEN || void 0
+  }).option("transport", {
+    alias: "t",
+    type: "string",
+    choices: ["stdio", "sse"],
+    description: "Transport mode (stdio for local, sse for remote)",
+    default: "stdio"
+  }).option("port", {
+    alias: "p",
+    type: "number",
+    description: "Port for SSE server",
+    default: parseInt(process.env.PORT || "3000", 10)
+  }).option("host", {
+    type: "string",
+    description: "Host for SSE server",
+    default: process.env.HOST || "0.0.0.0"
+  }).option("auth", {
+    type: "boolean",
+    description: "Enable OAuth authentication (SSE mode)",
+    default: process.env.AUTH_ENABLED === "true" || process.env.OAUTH_ENABLED === "true"
+  }).option("client-id", {
+    type: "string",
+    description: "MCP OAuth client ID",
+    default: process.env.MCP_CLIENT_ID || void 0
+  }).option("client-secret", {
+    type: "string",
+    description: "MCP OAuth client secret",
+    default: process.env.MCP_CLIENT_SECRET || void 0
+  }).option("issuer-url", {
+    type: "string",
+    description: "OAuth issuer URL (for HTTPS behind reverse proxy)",
+    default: process.env.MCP_ISSUER_URL || void 0
+  }).option("redirect-uris", {
+    type: "string",
+    description: "Allowed OAuth redirect URIs (comma-separated)",
+    default: process.env.MCP_REDIRECT_URIS || void 0
+  }).help().parseSync();
+  return {
+    openclawUrl: argv["openclaw-url"],
+    gatewayToken: argv["gateway-token"],
+    transport: argv.transport,
+    port: argv.port,
+    host: argv.host,
+    authEnabled: argv.auth,
+    clientId: argv["client-id"],
+    clientSecret: argv["client-secret"],
+    issuerUrl: argv["issuer-url"],
+    redirectUris: argv["redirect-uris"] ? argv["redirect-uris"].split(",").map((s) => s.trim()).filter(Boolean) : void 0
+  };
+}
+// src/utils/errors.ts
+var OpenClawError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "OpenClawError";
+  }
+};
+var OpenClawConnectionError = class extends OpenClawError {
+  constructor(message) {
+    super(message);
+    this.name = "OpenClawConnectionError";
+  }
+};
+var OpenClawApiError = class extends OpenClawError {
+  statusCode;
+  constructor(message, statusCode) {
+    super(message);
+    this.name = "OpenClawApiError";
+    this.statusCode = statusCode;
+  }
+};
+// src/openclaw/client.ts
+var DEFAULT_TIMEOUT_MS = 3e4;
+var MAX_RESPONSE_SIZE_BYTES = 10 * 1024 * 1024;
+var OpenClawClient = class {
+  baseUrl;
+  gatewayToken;
+  timeoutMs;
+  constructor(baseUrl, gatewayToken, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+    this.gatewayToken = gatewayToken;
+    this.timeoutMs = timeoutMs;
+  }
+  buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.gatewayToken) {
+      headers["Authorization"] = `Bearer ${this.gatewayToken}`;
+    }
+    return headers;
+  }
+  async request(path, options = {}) {
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await fetch(url, {
+        ...options,
+        signal: controller.signal,
+        headers: {
+          ...this.buildHeaders(),
+          ...options.headers || {}
+        }
+      });
+      if (!response.ok) {
+        throw new OpenClawApiError(
+          `API request failed: ${response.status} ${response.statusText}`,
+          response.status
+        );
+      }
+      const contentLength = response.headers.get("content-length");
+      if (contentLength && parseInt(contentLength, 10) > MAX_RESPONSE_SIZE_BYTES) {
+        throw new OpenClawApiError("Response exceeds maximum allowed size (10MB)", 413);
+      }
+      const text = await response.text();
+      if (text.length > MAX_RESPONSE_SIZE_BYTES) {
+        throw new OpenClawApiError("Response exceeds maximum allowed size (10MB)", 413);
+      }
+      return JSON.parse(text);
+    } catch (error) {
+      if (error instanceof OpenClawApiError) {
+        throw error;
+      }
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new OpenClawConnectionError(
+          `Request to OpenClaw timed out after ${this.timeoutMs}ms`
+        );
+      }
+      throw new OpenClawConnectionError(
+        `Failed to connect to OpenClaw at ${this.baseUrl}: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Check gateway health by sending a minimal chat completion request.
+   * A 400 Bad Request means the gateway is alive (it parsed JSON, rejected input).
+   * A successful response also means healthy.
+   * Connection errors mean the gateway is down.
+   */
+  async health() {
+    const url = `${this.baseUrl}/v1/chat/completions`;
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        signal: controller.signal,
+        headers: this.buildHeaders(),
+        body: JSON.stringify({
+          model: "health-check",
+          messages: [],
+          max_tokens: 1
+        })
+      });
+      if (response.status >= 200 && response.status < 500) {
+        return { status: "ok", message: `Gateway responding (HTTP ${response.status})` };
+      }
+      return { status: "error", message: `Gateway error (HTTP ${response.status})` };
+    } catch (error) {
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new OpenClawConnectionError(
+          `Request to OpenClaw timed out after ${this.timeoutMs}ms`
+        );
+      }
+      throw new OpenClawConnectionError(
+        `Failed to connect to OpenClaw at ${this.baseUrl}: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Send a chat message via the OpenAI-compatible /v1/chat/completions endpoint.
+   */
+  async chat(message, _sessionId) {
+    const completion = await this.request("/v1/chat/completions", {
+      method: "POST",
+      body: JSON.stringify({
+        model: "claude-opus-4-5",
+        messages: [{ role: "user", content: message }],
+        max_tokens: 4096
+      })
+    });
+    const content = completion.choices?.[0]?.message?.content ?? "";
+    return {
+      response: content,
+      model: completion.model,
+      usage: completion.usage
+    };
+  }
+};
+// src/server/tools-registration.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+// src/utils/response-helpers.ts
+function successResponse(text) {
+  return {
+    content: [{ type: "text", text }]
+  };
+}
+function errorResponse(message) {
+  return {
+    content: [{ type: "text", text: `Error: ${message}` }],
+    isError: true
+  };
+}
+function jsonResponse(data) {
+  return successResponse(JSON.stringify(data, null, 2));
+}
+// src/utils/validation.ts
+var CONTROL_CHAR_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x9F]/;
+var MAX_MESSAGE_LENGTH = 1e5;
+var MAX_ID_LENGTH = 256;
+function validateInputIsObject(input) {
+  return input !== null && input !== void 0 && typeof input === "object" && !Array.isArray(input);
+}
+function validateString(value, fieldName, maxLength) {
+  if (typeof value !== "string") {
+    return { valid: false, value: "", error: `${fieldName} must be a string` };
+  }
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    return { valid: false, value: "", error: `${fieldName} must not be empty` };
+  }
+  if (trimmed.length > maxLength) {
+    return {
+      valid: false,
+      value: "",
+      error: `${fieldName} exceeds maximum length of ${maxLength} characters`
+    };
+  }
+  if (CONTROL_CHAR_RE.test(trimmed)) {
+    return { valid: false, value: "", error: `${fieldName} contains invalid control characters` };
+  }
+  return { valid: true, value: trimmed, error: "" };
+}
+function validateMessage(value) {
+  return validateString(value, "message", MAX_MESSAGE_LENGTH);
+}
+function validateId(value, fieldName) {
+  return validateString(value, fieldName, MAX_ID_LENGTH);
+}
+// src/mcp/tools/chat.ts
+var openclawChatTool = {
+  name: "openclaw_chat",
+  description: "Send a message to OpenClaw and get a response",
+  inputSchema: {
+    type: "object",
+    properties: {
+      message: {
+        type: "string",
+        description: "The message to send to OpenClaw"
+      },
+      session_id: {
+        type: "string",
+        description: "Optional session ID for conversation context"
+      }
+    },
+    required: ["message"]
+  }
+};
+async function handleOpenclawChat(client2, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  const msgResult = validateMessage(input.message);
+  if (msgResult.valid === false) {
+    return errorResponse(msgResult.error);
+  }
+  let sessionId;
+  if (input.session_id !== void 0) {
+    const sidResult = validateId(input.session_id, "session_id");
+    if (sidResult.valid === false) {
+      return errorResponse(sidResult.error);
+    }
+    sessionId = sidResult.value;
+  }
+  try {
+    const response = await client2.chat(msgResult.value, sessionId);
+    return successResponse(response.response);
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : "Failed to chat with OpenClaw");
+  }
+}
+// src/mcp/tools/status.ts
+var openclawStatusTool = {
+  name: "openclaw_status",
+  description: "Get OpenClaw gateway status and health information",
+  inputSchema: {
+    type: "object",
+    properties: {}
+  }
+};
+async function handleOpenclawStatus(client2, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  try {
+    const response = await client2.health();
+    return jsonResponse(response);
+  } catch (error) {
+    return errorResponse(
+      error instanceof Error ? error.message : "Failed to get status from OpenClaw"
+    );
+  }
+}
+// src/mcp/tasks/manager.ts
+var MAX_TASKS = 1e3;
+var CLEANUP_INTERVAL_MS = 10 * 60 * 1e3;
+var CLEANUP_MAX_AGE_MS = 60 * 60 * 1e3;
+var TaskManager = class {
+  tasks = /* @__PURE__ */ new Map();
+  taskCounter = 0;
+  cleanupInterval;
+  constructor() {
+    this.cleanupInterval = setInterval(() => this.cleanup(CLEANUP_MAX_AGE_MS), CLEANUP_INTERVAL_MS);
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
+  }
+  /**
+   * Generate unique task ID
+   */
+  generateId() {
+    this.taskCounter++;
+    const timestamp = Date.now().toString(36);
+    const counter = this.taskCounter.toString(36).padStart(4, "0");
+    return `task_${timestamp}_${counter}`;
+  }
+  /**
+   * Create a new task
+   */
+  create(options) {
+    if (this.tasks.size >= MAX_TASKS) {
+      throw new Error(
+        `Task limit reached (${MAX_TASKS}). Wait for tasks to complete or cancel pending ones.`
+      );
+    }
+    const id = this.generateId();
+    const task = {
+      id,
+      type: options.type,
+      status: "pending",
+      input: options.input,
+      createdAt: /* @__PURE__ */ new Date(),
+      sessionId: options.sessionId,
+      priority: options.priority ?? 0
+    };
+    this.tasks.set(id, task);
+    log(`Task created: ${id} (type: ${task.type})`);
+    return task;
+  }
+  /**
+   * Get task by ID
+   */
+  get(id) {
+    return this.tasks.get(id);
+  }
+  /**
+   * List all tasks, optionally filtered by status
+   */
+  list(filter) {
+    let tasks = Array.from(this.tasks.values());
+    if (filter?.status) {
+      tasks = tasks.filter((t) => t.status === filter.status);
+    }
+    if (filter?.sessionId) {
+      tasks = tasks.filter((t) => t.sessionId === filter.sessionId);
+    }
+    return tasks.sort((a, b) => {
+      if (b.priority !== a.priority) return b.priority - a.priority;
+      return a.createdAt.getTime() - b.createdAt.getTime();
+    });
+  }
+  /**
+   * Update task status
+   */
+  updateStatus(id, status, result, error) {
+    const task = this.tasks.get(id);
+    if (!task) return false;
+    task.status = status;
+    if (status === "running" && !task.startedAt) {
+      task.startedAt = /* @__PURE__ */ new Date();
+    }
+    if (status === "completed" || status === "failed" || status === "cancelled") {
+      task.completedAt = /* @__PURE__ */ new Date();
+    }
+    if (result !== void 0) task.result = result;
+    if (error !== void 0) task.error = error;
+    log(`Task ${id} status: ${status}`);
+    return true;
+  }
+  /**
+   * Cancel a pending task
+   */
+  cancel(id) {
+    const task = this.tasks.get(id);
+    if (!task) return false;
+    if (task.status !== "pending") {
+      return false;
+    }
+    task.status = "cancelled";
+    task.completedAt = /* @__PURE__ */ new Date();
+    log(`Task cancelled: ${id}`);
+    return true;
+  }
+  /**
+   * Delete a task (cleanup)
+   */
+  delete(id) {
+    return this.tasks.delete(id);
+  }
+  /**
+   * Get next pending task (for workers)
+   */
+  getNextPending() {
+    const pending = this.list({ status: "pending" });
+    return pending[0];
+  }
+  /**
+   * Clean up old completed/failed tasks
+   */
+  cleanup(maxAgeMs = 36e5) {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [id, task] of this.tasks) {
+      if (task.completedAt && now - task.completedAt.getTime() > maxAgeMs) {
+        this.tasks.delete(id);
+        cleaned++;
+      }
+    }
+    if (cleaned > 0) {
+      log(`Cleaned up ${cleaned} old tasks`);
+    }
+    return cleaned;
+  }
+  /**
+   * Get statistics
+   */
+  stats() {
+    const byStatus = {
+      pending: 0,
+      running: 0,
+      completed: 0,
+      failed: 0,
+      cancelled: 0
+    };
+    for (const task of this.tasks.values()) {
+      byStatus[task.status]++;
+    }
+    return {
+      total: this.tasks.size,
+      byStatus
+    };
+  }
+};
+var taskManager = new TaskManager();
+// src/mcp/tools/tasks.ts
+var openclawChatAsyncTool = {
+  name: "openclaw_chat_async",
+  description: "Send a message to OpenClaw asynchronously. Returns a task_id immediately that can be polled for results. Use this for potentially long-running conversations.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      message: {
+        type: "string",
+        description: "The message to send to OpenClaw"
+      },
+      session_id: {
+        type: "string",
+        description: "Optional session ID for conversation context"
+      },
+      priority: {
+        type: "number",
+        description: "Task priority (higher = processed first). Default: 0"
+      }
+    },
+    required: ["message"]
+  }
+};
+var openclawTaskStatusTool = {
+  name: "openclaw_task_status",
+  description: "Check the status of an async task. Returns status, and result if completed.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      task_id: {
+        type: "string",
+        description: "The task ID returned from openclaw_chat_async"
+      }
+    },
+    required: ["task_id"]
+  }
+};
+var openclawTaskListTool = {
+  name: "openclaw_task_list",
+  description: "List all tasks. Optionally filter by status or session.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      status: {
+        type: "string",
+        enum: ["pending", "running", "completed", "failed", "cancelled"],
+        description: "Filter by task status"
+      },
+      session_id: {
+        type: "string",
+        description: "Filter by session ID"
+      }
+    },
+    required: []
+  }
+};
+var openclawTaskCancelTool = {
+  name: "openclaw_task_cancel",
+  description: "Cancel a pending task. Only works for tasks that haven't started yet.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      task_id: {
+        type: "string",
+        description: "The task ID to cancel"
+      }
+    },
+    required: ["task_id"]
+  }
+};
+var processorRunning = false;
+var processorClient = null;
+async function processTask(task, client2) {
+  taskManager.updateStatus(task.id, "running");
+  try {
+    if (task.type === "chat") {
+      const input = task.input;
+      const response = await client2.chat(input.message, input.session_id);
+      taskManager.updateStatus(task.id, "completed", response.response);
+    } else {
+      taskManager.updateStatus(task.id, "failed", void 0, "Unknown task type");
+    }
+  } catch (error) {
+    const errorMsg = error instanceof Error ? error.message : "Unknown error";
+    taskManager.updateStatus(task.id, "failed", void 0, errorMsg);
+  }
+}
+async function taskProcessor() {
+  if (!processorClient) return;
+  while (processorRunning) {
+    const task = taskManager.getNextPending();
+    if (task) {
+      await processTask(task, processorClient);
+    } else {
+      await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+  }
+}
+function startTaskProcessor(client2) {
+  if (processorRunning) return;
+  processorClient = client2;
+  processorRunning = true;
+  taskProcessor().catch(() => {
+    processorRunning = false;
+  });
+  log("Task processor started");
+}
+async function handleOpenclawChatAsync(client2, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  const msgResult = validateMessage(input.message);
+  if (msgResult.valid === false) {
+    return errorResponse(msgResult.error);
+  }
+  let sessionId;
+  if (input.session_id !== void 0) {
+    const sidResult = validateId(input.session_id, "session_id");
+    if (sidResult.valid === false) {
+      return errorResponse(sidResult.error);
+    }
+    sessionId = sidResult.value;
+  }
+  let priority = 0;
+  if (input.priority !== void 0) {
+    if (typeof input.priority !== "number" || !Number.isInteger(input.priority)) {
+      return errorResponse("priority must be an integer");
+    }
+    priority = input.priority;
+  }
+  startTaskProcessor(client2);
+  const task = taskManager.create({
+    type: "chat",
+    input: { message: msgResult.value, session_id: sessionId },
+    sessionId,
+    priority
+  });
+  return successResponse(
+    JSON.stringify(
+      {
+        task_id: task.id,
+        status: task.status,
+        message: "Task queued. Use openclaw_task_status to check progress."
+      },
+      null,
+      2
+    )
+  );
+}
+async function handleOpenclawTaskStatus(_client, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  const tidResult = validateId(input.task_id, "task_id");
+  if (tidResult.valid === false) {
+    return errorResponse(tidResult.error);
+  }
+  const task_id = tidResult.value;
+  const task = taskManager.get(task_id);
+  if (!task) {
+    return errorResponse(`Task not found: ${task_id}`);
+  }
+  const response = {
+    task_id: task.id,
+    type: task.type,
+    status: task.status,
+    created_at: task.createdAt.toISOString()
+  };
+  if (task.startedAt) {
+    response.started_at = task.startedAt.toISOString();
+  }
+  if (task.completedAt) {
+    response.completed_at = task.completedAt.toISOString();
+  }
+  if (task.status === "completed" && task.result) {
+    response.result = task.result;
+  }
+  if (task.status === "failed" && task.error) {
+    response.error = task.error;
+  }
+  return successResponse(JSON.stringify(response, null, 2));
+}
+var VALID_TASK_STATUSES = ["pending", "running", "completed", "failed", "cancelled"];
+async function handleOpenclawTaskList(_client, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  let status;
+  if (input.status !== void 0) {
+    if (typeof input.status !== "string" || !VALID_TASK_STATUSES.includes(input.status)) {
+      return errorResponse(`status must be one of: ${VALID_TASK_STATUSES.join(", ")}`);
+    }
+    status = input.status;
+  }
+  let session_id;
+  if (input.session_id !== void 0) {
+    const sidResult = validateId(input.session_id, "session_id");
+    if (sidResult.valid === false) {
+      return errorResponse(sidResult.error);
+    }
+    session_id = sidResult.value;
+  }
+  const tasks = taskManager.list({ status, sessionId: session_id });
+  const stats = taskManager.stats();
+  const taskList = tasks.map((t) => ({
+    task_id: t.id,
+    type: t.type,
+    status: t.status,
+    priority: t.priority,
+    created_at: t.createdAt.toISOString(),
+    has_result: t.status === "completed" && !!t.result
+  }));
+  return successResponse(
+    JSON.stringify(
+      {
+        stats,
+        tasks: taskList
+      },
+      null,
+      2
+    )
+  );
+}
+async function handleOpenclawTaskCancel(_client, input) {
+  if (!validateInputIsObject(input)) {
+    return errorResponse("Invalid input: expected an object");
+  }
+  const tidResult = validateId(input.task_id, "task_id");
+  if (tidResult.valid === false) {
+    return errorResponse(tidResult.error);
+  }
+  const task_id = tidResult.value;
+  const task = taskManager.get(task_id);
+  if (!task) {
+    return errorResponse(`Task not found: ${task_id}`);
+  }
+  if (task.status !== "pending") {
+    return errorResponse(
+      `Cannot cancel task with status: ${task.status}. Only pending tasks can be cancelled.`
+    );
+  }
+  const cancelled = taskManager.cancel(task_id);
+  if (!cancelled) {
+    return errorResponse("Failed to cancel task");
+  }
+  return successResponse(
+    JSON.stringify(
+      {
+        task_id,
+        status: "cancelled",
+        message: "Task cancelled successfully"
+      },
+      null,
+      2
+    )
+  );
+}
+// src/server/tools-registration.ts
+function createMcpServer(deps2) {
+  const server = new Server(
+    {
+      name: deps2.serverName,
+      version: deps2.serverVersion,
+      icons: [
+        {
+          src: `data:image/svg+xml;base64,${SERVER_ICON_SVG_BASE64}`,
+          mimeType: "image/svg+xml",
+          sizes: ["128x128"]
+        }
+      ]
+    },
+    { capabilities: { tools: {} } }
+  );
+  registerTools(server, deps2);
+  return server;
+}
+function registerTools(server, deps2) {
+  const { client: client2 } = deps2;
+  const toolHandlers = /* @__PURE__ */ new Map([
+    ["openclaw_chat", (input) => handleOpenclawChat(client2, input)],
+    ["openclaw_status", (input) => handleOpenclawStatus(client2, input)],
+    ["openclaw_chat_async", (input) => handleOpenclawChatAsync(client2, input)],
+    ["openclaw_task_status", (input) => handleOpenclawTaskStatus(client2, input)],
+    ["openclaw_task_list", (input) => handleOpenclawTaskList(client2, input)],
+    ["openclaw_task_cancel", (input) => handleOpenclawTaskCancel(client2, input)]
+  ]);
+  const allTools = [
+    openclawChatTool,
+    openclawStatusTool,
+    openclawChatAsyncTool,
+    openclawTaskStatusTool,
+    openclawTaskListTool,
+    openclawTaskCancelTool
+  ];
+  server.setRequestHandler(ListToolsRequestSchema, async () => {
+    return { tools: allTools };
+  });
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: toolArgs } = request.params;
+    log(`Executing tool: ${name}`);
+    const handler = toolHandlers.get(name);
+    if (!handler) {
+      throw new Error(`Unknown tool: ${name}`);
+    }
+    try {
+      return await handler(toolArgs);
+    } catch (error) {
+      logError(`Error executing tool ${name}`, error);
+      throw error;
+    }
+  });
+}
+// src/server/sse.ts
+import { randomUUID as randomUUID2 } from "crypto";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
+// src/auth/provider.ts
+import { randomUUID } from "crypto";
+import {
+  InvalidRequestError,
+  InvalidTokenError
+} from "@modelcontextprotocol/sdk/server/auth/errors.js";
+var TOKEN_TTL_MS = 60 * 60 * 1e3;
+var AUTH_CODE_TTL_MS = 10 * 60 * 1e3;
+var REFRESH_TOKEN_TTL_MS = 24 * 60 * 60 * 1e3;
+var REAPER_INTERVAL_MS = 5 * 60 * 1e3;
+var ALLOW_ANY_REDIRECT = new Proxy([], {
+  get(target, prop) {
+    if (prop === "includes") return () => true;
+    if (prop === "length") return 1;
+    return Reflect.get(target, prop);
+  }
+});
+var OpenClawClientsStore = class {
+  client;
+  constructor(config) {
+    if (config.clientId && config.clientSecret) {
+      const redirectUris = config.redirectUris && config.redirectUris.length > 0 ? config.redirectUris : ALLOW_ANY_REDIRECT;
+      this.client = {
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        redirect_uris: redirectUris,
+        token_endpoint_auth_method: "client_secret_post",
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        client_name: "OpenClaw MCP Client",
+        client_id_issued_at: Math.floor(Date.now() / 1e3)
+      };
+    }
+  }
+  async getClient(clientId) {
+    if (this.client && this.client.client_id === clientId) {
+      return this.client;
+    }
+    return void 0;
+  }
+  // No registerClient — dynamic client registration is intentionally disabled.
+  // Only the pre-configured client from MCP_CLIENT_ID + MCP_CLIENT_SECRET can authenticate.
+  // This prevents anyone who knows the server URL from self-registering and bypassing auth.
+};
+var OpenClawAuthProvider = class {
+  clientsStore;
+  codes = /* @__PURE__ */ new Map();
+  tokens = /* @__PURE__ */ new Map();
+  refreshTokens = /* @__PURE__ */ new Map();
+  reaperInterval;
+  constructor(config) {
+    this.clientsStore = new OpenClawClientsStore(config);
+    this.reaperInterval = setInterval(() => this.reapExpired(), REAPER_INTERVAL_MS);
+    if (this.reaperInterval.unref) {
+      this.reaperInterval.unref();
+    }
+  }
+  /**
+   * Clean up expired auth codes, access tokens, and refresh tokens.
+   */
+  reapExpired() {
+    const now = Date.now();
+    for (const [code, data] of this.codes) {
+      if (now - data.createdAt > AUTH_CODE_TTL_MS) {
+        this.codes.delete(code);
+      }
+    }
+    for (const [token, data] of this.tokens) {
+      if (data.expiresAt < now) {
+        this.tokens.delete(token);
+      }
+    }
+    for (const [token, data] of this.refreshTokens) {
+      if (data.expiresAt < now) {
+        this.refreshTokens.delete(token);
+      }
+    }
+  }
+  /**
+   * Auto-approve: generate auth code and redirect immediately.
+   */
+  async authorize(client2, params, res) {
+    const code = randomUUID();
+    this.codes.set(code, { client: client2, params, createdAt: Date.now() });
+    const searchParams = new URLSearchParams({ code });
+    if (params.state !== void 0) {
+      searchParams.set("state", params.state);
+    }
+    const targetUrl = new URL(params.redirectUri);
+    targetUrl.search = searchParams.toString();
+    res.redirect(targetUrl.toString());
+  }
+  async challengeForAuthorizationCode(_client, authorizationCode) {
+    const codeData = this.codes.get(authorizationCode);
+    if (!codeData || Date.now() - codeData.createdAt > AUTH_CODE_TTL_MS) {
+      if (codeData) this.codes.delete(authorizationCode);
+      throw new InvalidRequestError("Invalid authorization code");
+    }
+    return codeData.params.codeChallenge;
+  }
+  async exchangeAuthorizationCode(client2, authorizationCode, _codeVerifier, _redirectUri, resource) {
+    const codeData = this.codes.get(authorizationCode);
+    if (!codeData || Date.now() - codeData.createdAt > AUTH_CODE_TTL_MS) {
+      if (codeData) this.codes.delete(authorizationCode);
+      throw new InvalidRequestError("Invalid authorization code");
+    }
+    if (codeData.client.client_id !== client2.client_id) {
+      throw new InvalidRequestError("Authorization code was not issued to this client");
+    }
+    this.codes.delete(authorizationCode);
+    const accessToken = randomUUID();
+    const refreshToken = randomUUID();
+    const scopes = codeData.params.scopes || [];
+    this.tokens.set(accessToken, {
+      token: accessToken,
+      clientId: client2.client_id,
+      scopes,
+      expiresAt: Date.now() + TOKEN_TTL_MS,
+      resource: resource || codeData.params.resource
+    });
+    this.refreshTokens.set(refreshToken, {
+      clientId: client2.client_id,
+      scopes,
+      expiresAt: Date.now() + REFRESH_TOKEN_TTL_MS,
+      resource: resource || codeData.params.resource
+    });
+    return {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: TOKEN_TTL_MS / 1e3,
+      refresh_token: refreshToken,
+      scope: scopes.join(" ")
+    };
+  }
+  async exchangeRefreshToken(client2, refreshToken, scopes, resource) {
+    const data = this.refreshTokens.get(refreshToken);
+    if (!data || data.expiresAt < Date.now()) {
+      if (data) this.refreshTokens.delete(refreshToken);
+      throw new InvalidRequestError("Invalid refresh token");
+    }
+    if (data.clientId !== client2.client_id) {
+      throw new InvalidRequestError("Refresh token was not issued to this client");
+    }
+    this.refreshTokens.delete(refreshToken);
+    const accessToken = randomUUID();
+    const newRefreshToken = randomUUID();
+    const tokenScopes = scopes || data.scopes;
+    this.tokens.set(accessToken, {
+      token: accessToken,
+      clientId: client2.client_id,
+      scopes: tokenScopes,
+      expiresAt: Date.now() + TOKEN_TTL_MS,
+      resource: resource || data.resource
+    });
+    this.refreshTokens.set(newRefreshToken, {
+      clientId: client2.client_id,
+      scopes: tokenScopes,
+      expiresAt: Date.now() + REFRESH_TOKEN_TTL_MS,
+      resource: resource || data.resource
+    });
+    return {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: TOKEN_TTL_MS / 1e3,
+      refresh_token: newRefreshToken,
+      scope: tokenScopes.join(" ")
+    };
+  }
+  async verifyAccessToken(token) {
+    const tokenData = this.tokens.get(token);
+    if (!tokenData || tokenData.expiresAt < Date.now()) {
+      throw new InvalidTokenError("Invalid or expired token");
+    }
+    return {
+      token,
+      clientId: tokenData.clientId,
+      scopes: tokenData.scopes,
+      expiresAt: Math.floor(tokenData.expiresAt / 1e3),
+      resource: tokenData.resource
+    };
+  }
+  async revokeToken(_client, request) {
+    this.tokens.delete(request.token);
+    this.refreshTokens.delete(request.token);
+  }
+};
+// src/server/sse.ts
+function loadCorsConfig() {
+  const corsOrigins = process.env.CORS_ORIGINS;
+  if (!corsOrigins || corsOrigins === "*") {
+    return { origins: ["*"], enabled: true };
+  }
+  if (corsOrigins.toLowerCase() === "none" || corsOrigins === "") {
+    return { origins: [], enabled: false };
+  }
+  return {
+    origins: corsOrigins.split(",").map((s) => s.trim()).filter(Boolean),
+    enabled: true
+  };
+}
+function isOriginAllowed(origin, allowedOrigins) {
+  if (!origin) return false;
+  if (allowedOrigins.includes("*")) return true;
+  return allowedOrigins.some((allowed) => {
+    if (allowed.startsWith("*.")) {
+      const domain = allowed.slice(1);
+      try {
+        const originHost = new URL(origin).hostname;
+        return originHost === domain.slice(1) || originHost.endsWith(domain);
+      } catch {
+        return false;
+      }
+    }
+    return origin === allowed || origin === `https://${allowed}` || origin === `http://${allowed}`;
+  });
+}
+async function createSSEServer(config, deps2) {
+  const authEnabled = !!config.authConfig?.clientId;
+  const corsConfig = loadCorsConfig();
+  const sseSessions = /* @__PURE__ */ new Map();
+  const streamableSessions = /* @__PURE__ */ new Map();
+  const app = createMcpExpressApp({ host: config.host });
+  app.use((req, res, next) => {
+    if (!corsConfig.enabled) {
+      next();
+      return;
+    }
+    const origin = req.headers.origin;
+    const allowedOrigin = corsConfig.origins.includes("*") ? "*" : origin && isOriginAllowed(origin, corsConfig.origins) ? origin : void 0;
+    if (allowedOrigin) {
+      res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+      res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+      res.setHeader(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Authorization, Mcp-Session-Id, mcp-protocol-version"
+      );
+      res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
+    }
+    if (req.method === "OPTIONS") {
+      res.status(204).end();
+      return;
+    }
+    next();
+  });
+  let authMiddleware;
+  if (authEnabled) {
+    const provider = new OpenClawAuthProvider(config.authConfig);
+    const issuerUrl = config.issuerUrl ? new URL(config.issuerUrl) : new URL(`http://${config.host === "0.0.0.0" ? "localhost" : config.host}:${config.port}`);
+    app.use(
+      mcpAuthRouter({
+        provider,
+        issuerUrl,
+        scopesSupported: ["mcp:tools"]
+      })
+    );
+    app.get("/.well-known/oauth-protected-resource/:path", (req, res) => {
+      res.json({
+        resource: `${issuerUrl.toString()}${req.params.path}`,
+        authorization_servers: [issuerUrl.toString().replace(/\/$/, "")],
+        scopes_supported: ["mcp:tools"]
+      });
+    });
+    authMiddleware = requireBearerAuth({ verifier: provider });
+  }
+  app.get("/health", (_req, res) => {
+    res.json({
+      status: "ok",
+      transport: "sse",
+      auth: authEnabled
+    });
+  });
+  const withAuth = (handler) => {
+    if (authMiddleware) {
+      return [authMiddleware, async (req, res) => handler(req, res)];
+    }
+    return [async (req, res) => handler(req, res)];
+  };
+  app.get(
+    "/sse",
+    ...withAuth(async (req, res) => {
+      const transport = new SSEServerTransport("/messages", res);
+      const server = createMcpServer(deps2);
+      const sessionId = transport.sessionId;
+      sseSessions.set(sessionId, { transport, server });
+      log(`SSE session connected: ${sessionId}`);
+      transport.onclose = () => {
+        sseSessions.delete(sessionId);
+        log(`SSE session disconnected: ${sessionId}`);
+      };
+      try {
+        await server.connect(transport);
+      } catch (error) {
+        sseSessions.delete(sessionId);
+        logError(`Failed to connect SSE session ${sessionId}`, error);
+      }
+    })
+  );
+  app.post(
+    "/messages",
+    ...withAuth(async (req, res) => {
+      const sessionId = req.query.sessionId;
+      const session = sseSessions.get(sessionId);
+      if (!session) {
+        res.status(404).json({ error: "Session not found" });
+        return;
+      }
+      try {
+        await session.transport.handlePostMessage(
+          req,
+          res,
+          req.body
+        );
+      } catch (error) {
+        logError(`Error handling message for session ${sessionId}`, error);
+        if (!res.headersSent) {
+          res.status(500).json({ error: "Internal server error" });
+        }
+      }
+    })
+  );
+  const handleStreamableRequest = async (req, res) => {
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId && streamableSessions.has(sessionId)) {
+      const session = streamableSessions.get(sessionId);
+      try {
+        await session.transport.handleRequest(
+          req,
+          res,
+          req.body
+        );
+      } catch (error) {
+        logError(`Error in streamable session ${sessionId}`, error);
+        if (!res.headersSent) {
+          res.status(500).json({ error: "Internal server error" });
+        }
+      }
+      return;
+    }
+    const transport = new StreamableHTTPServerTransport({
+      sessionIdGenerator: () => randomUUID2(),
+      onsessioninitialized: (newSessionId) => {
+        streamableSessions.set(newSessionId, { transport, server });
+        log(`Streamable session initialized: ${newSessionId}`);
+      }
+    });
+    transport.onclose = () => {
+      const sid = transport.sessionId;
+      if (sid) {
+        streamableSessions.delete(sid);
+        log(`Streamable session closed: ${sid}`);
+      }
+    };
+    const server = createMcpServer(deps2);
+    try {
+      await server.connect(transport);
+      await transport.handleRequest(
+        req,
+        res,
+        req.body
+      );
+    } catch (error) {
+      logError("Failed to initialize streamable session", error);
+      if (!res.headersSent) {
+        res.status(500).json({ error: "Internal server error" });
+      }
+    }
+  };
+  app.get("/mcp", ...withAuth(handleStreamableRequest));
+  app.post("/mcp", ...withAuth(handleStreamableRequest));
+  app.delete("/mcp", ...withAuth(handleStreamableRequest));
+  const httpServer = app.listen(config.port, config.host, () => {
+    log(`SSE server listening on ${config.host}:${config.port}`);
+    log(`Auth enabled: ${authEnabled}`);
+    log(`CORS origins: ${corsConfig.enabled ? corsConfig.origins.join(", ") : "disabled"}`);
+    if (authEnabled) {
+      log("OAuth 2.1 authentication is REQUIRED for all connections");
+      log("Endpoints:");
+      log("  GET  /.well-known/oauth-authorization-server          - OAuth metadata");
+      log("  GET  /.well-known/oauth-protected-resource/mcp        - Protected resource metadata");
+      log("  POST /authorize                                       - Authorization");
+      log("  POST /token                                           - Token exchange");
+    } else {
+      log("WARNING: Auth is DISABLED - server is open to anyone!");
+    }
+    log("MCP Endpoints:");
+    log("  GET  /health   - Health check (no auth)");
+    log("  GET  /sse      - Legacy SSE stream");
+    log("  POST /messages - Legacy SSE messages");
+    log("  ALL  /mcp      - Streamable HTTP");
+  });
+  const shutdown = async () => {
+    log("Shutting down SSE server...");
+    for (const [id, session] of sseSessions) {
+      try {
+        await session.server.close();
+      } catch (error) {
+        logError(`Error closing SSE session ${id}`, error);
+      }
+    }
+    sseSessions.clear();
+    for (const [id, session] of streamableSessions) {
+      try {
+        await session.server.close();
+      } catch (error) {
+        logError(`Error closing streamable session ${id}`, error);
+      }
+    }
+    streamableSessions.clear();
+    httpServer.close(() => {
+      log("SSE server stopped");
+      process.exit(0);
+    });
+    setTimeout(() => {
+      logError("Forced shutdown after timeout");
+      process.exit(1);
+    }, 5e3);
+  };
+  process.on("SIGTERM", shutdown);
+  process.on("SIGINT", shutdown);
+}
+// src/index.ts
+var args = parseArguments(SERVER_VERSION);
+var client = new OpenClawClient(args.openclawUrl, args.gatewayToken);
+var deps = {
+  client,
+  serverName: SERVER_NAME,
+  serverVersion: SERVER_VERSION
+};
+async function main() {
+  log(`Starting ${SERVER_NAME} v${SERVER_VERSION}`);
+  log(`OpenClaw URL: ${args.openclawUrl}`);
+  log(`Transport: ${args.transport}`);
+  log(`Gateway token: ${args.gatewayToken ? "configured" : "not set"}`);
+  if (args.transport === "sse") {
+    const sseConfig = {
+      port: args.port,
+      host: args.host,
+      issuerUrl: args.issuerUrl
+    };
+    if (args.authEnabled && args.clientId) {
+      const clientIdRegex = /^[a-zA-Z0-9][a-zA-Z0-9_-]{2,63}$/;
+      if (!clientIdRegex.test(args.clientId)) {
+        logError(
+          "MCP_CLIENT_ID is invalid. Must be 3-64 characters, alphanumeric/dashes/underscores, start with a letter or digit."
+        );
+        process.exit(1);
+      }
+      if (!args.clientSecret || args.clientSecret.length < 32) {
+        logError(
+          "MCP_CLIENT_SECRET must be at least 32 characters. Generate one with: openssl rand -hex 32"
+        );
+        process.exit(1);
+      }
+      sseConfig.authConfig = {
+        clientId: args.clientId,
+        clientSecret: args.clientSecret,
+        redirectUris: args.redirectUris
+      };
+      log(`OAuth client ID: ${args.clientId}`);
+      if (!args.redirectUris || args.redirectUris.length === 0) {
+        log(
+          "WARNING: MCP_REDIRECT_URIS not set \u2014 any redirect_uri will be accepted. Set MCP_REDIRECT_URIS for production."
+        );
+      }
+    } else if (args.authEnabled && !args.clientId) {
+      logError("AUTH_ENABLED=true but MCP_CLIENT_ID is not set. Refusing to start without auth.");
+      process.exit(1);
+    }
+    await createSSEServer(sseConfig, deps);
+  } else {
+    const server = createMcpServer(deps);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    log("OpenClaw MCP server running on stdio");
+  }
+}
+main().catch((error) => {
+  logError("Fatal error", error);
+  process.exit(1);
+});