openclaw-node-harness 2.1.1 → 2.2.0

package/mission-control/package.json

@@ -26,7 +26,7 @@
     "gray-matter": "^4.0.3",
     "lucide-react": "^0.575.0",
     "nats": "^2.29.3",
-    "next": "16.1.6",
+    "next": "^16.2.1",
     "react": "19.2.3",
     "react-dom": "19.2.3",
     "react-force-graph-2d": "^1.29.1",
@@ -43,7 +43,7 @@
     "@types/node": "^20",
     "@types/react": "^19",
     "@types/react-dom": "^19",
-    "drizzle-kit": "^0.31.9",
+    "drizzle-kit": "^0.31.10",
     "eslint": "^9",
     "eslint-config-next": "16.1.6",
     "tailwindcss": "^4.2.1",

package/mission-control/src/app/api/diagnostics/route.ts

@@ -8,6 +8,7 @@ import { parseTasksMarkdown, serializeTasksMarkdown } from "@/lib/parsers/task-m
 export const dynamic = "force-dynamic";
 
 export async function GET() {
+  try {
   const raw = getRawDb();
 
   // Task stats
@@ -94,4 +95,11 @@ export async function GET() {
     nats: natsStatus,
     workspace: workspaceExists,
   });
+  } catch (err) {
+    console.error("[diagnostics] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/diagnostics/test-runner/route.ts

@@ -41,6 +41,7 @@ async function runTest(suite: string, name: string, fn: TestFn): Promise<TestRes
  * All test tasks use the prefix __TEST__ so they can be safely cleaned up.
  */
 export async function POST() {
+  try {
   const results: TestResult[] = [];
   const db = getDb();
   const raw = getRawDb();
@@ -987,4 +988,11 @@ export async function POST() {
     results,
     timestamp: new Date().toISOString(),
   });
+  } catch (err) {
+    console.error("[diagnostics/test-runner] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/memory/graph/route.ts

@@ -18,31 +18,47 @@ import {
 import { getRawDb } from "@/lib/db";
 
 export async function GET(request: Request) {
-  const url = new URL(request.url);
-  const boot = url.searchParams.get("boot");
-  const format = url.searchParams.get("format");
+  try {
+    const url = new URL(request.url);
+    const boot = url.searchParams.get("boot");
+    const format = url.searchParams.get("format");
 
-  if (boot === "true") {
-    const block = formatEntityContextBlock();
-    return NextResponse.json({ block });
-  }
+    if (boot === "true") {
+      const block = formatEntityContextBlock();
+      return NextResponse.json({ block });
+    }
 
-  if (format === "viz") {
-    return getVizData();
-  }
+    if (format === "viz") {
+      return getVizData();
+    }
 
-  const stats = getGraphStats();
-  const topEntities = getTopEntities(10).map((entity) => {
-    const relations = getEntityRelations(entity.id, 3);
-    return { ...entity, relations };
-  });
+    const stats = getGraphStats();
+    const topEntities = getTopEntities(10).map((entity) => {
+      const relations = getEntityRelations(entity.id, 3);
+      return { ...entity, relations };
+    });
 
-  return NextResponse.json({ stats, topEntities });
+    return NextResponse.json({ stats, topEntities });
+  } catch (err) {
+    console.error("[memory/graph] GET error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }
 
 export async function POST() {
-  const seeded = seedKnownEntities();
-  return NextResponse.json({ seeded, message: `${seeded} entities seeded` });
+  try {
+    const seeded = seedKnownEntities();
+    return NextResponse.json({ seeded, message: `${seeded} entities seeded` });
+  } catch (err) {
+    console.error("[memory/graph] POST error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }
 
 /**

package/mission-control/src/app/api/memory/search/route.ts

@@ -57,7 +57,7 @@ export async function GET(request: NextRequest) {
     const source = searchParams.get("source");
     const category = searchParams.get("category");
     const limit = Math.min(parseInt(searchParams.get("limit") || "20", 10), 100);
-    const offset = parseInt(searchParams.get("offset") || "0", 10);
+    const offset = Math.max(0, Math.min(parseInt(searchParams.get("offset") || "0", 10) || 0, 10000));
     const useDecay = searchParams.get("decay") !== "false"; // default: true
     const decayRate = parseFloat(searchParams.get("decay_rate") || "0.01");
 
@@ -141,6 +141,7 @@ export async function GET(request: NextRequest) {
     console.error("GET /api/memory/search error:", err);
     const message =
       err instanceof Error ? err.message : "Failed to search memory";
-    return NextResponse.json({ error: message }, { status: 500 });
+    const status = err instanceof SyntaxError || err instanceof RangeError ? 400 : 500;
+    return NextResponse.json({ error: message }, { status });
   }
 }

package/mission-control/src/app/api/mesh/identity/route.ts

@@ -3,9 +3,17 @@ import { NODE_ID, NODE_ROLE, NODE_PLATFORM } from "@/lib/config";
 export const dynamic = "force-dynamic";
 
 export async function GET() {
-  return Response.json({
-    nodeId: NODE_ID,
-    role: NODE_ROLE,
-    platform: NODE_PLATFORM,
-  });
+  try {
+    return Response.json({
+      nodeId: NODE_ID,
+      role: NODE_ROLE,
+      platform: NODE_PLATFORM,
+    });
+  } catch (err) {
+    console.error("[mesh/identity] error:", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: 500 }
+    );
+  }
 }

package/mission-control/src/app/api/mesh/nodes/route.ts

@@ -85,6 +85,7 @@ const KNOWN_NODES = [
  *   No synchronous round-trips to nodes. No timeout races. No flickering.
  */
 export async function GET() {
+  try {
   const kv = await getHealthKv();
   const db = getDb();
   const now = Date.now();
@@ -218,4 +219,11 @@ export async function GET() {
   }
 
   return NextResponse.json({ nodes, tokenStats });
+  } catch (err) {
+    console.error("[mesh/nodes] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/settings/gateway/route.ts

@@ -52,9 +52,63 @@ export async function GET() {
  * Update gateway-related settings. Accepts partial updates.
  * Body: { heartbeat?: { target, every? }, maxConcurrent?: number }
  */
+const ALLOWED_TOP_LEVEL_KEYS = new Set([
+  "heartbeat", "maxConcurrent", "compaction", "gateway",
+]);
+const ALLOWED_GATEWAY_KEYS = new Set(["port", "mode", "bind"]);
+const VALID_MODES = new Set(["local", "remote", "hybrid"]);
+const VALID_BINDS = new Set(["loopback", "tailscale", "any"]);
+
 export async function PATCH(request: NextRequest) {
   try {
     const body = await request.json();
+
+    // Reject unknown top-level keys
+    const unknownKeys = Object.keys(body).filter((k) => !ALLOWED_TOP_LEVEL_KEYS.has(k));
+    if (unknownKeys.length > 0) {
+      return NextResponse.json(
+        { error: `Unknown keys: ${unknownKeys.join(", ")}` },
+        { status: 400 }
+      );
+    }
+
+    // Validate gateway sub-object if present
+    if (body.gateway !== undefined) {
+      if (typeof body.gateway !== "object" || body.gateway === null || Array.isArray(body.gateway)) {
+        return NextResponse.json(
+          { error: "gateway must be an object" },
+          { status: 400 }
+        );
+      }
+      const unknownGw = Object.keys(body.gateway).filter((k) => !ALLOWED_GATEWAY_KEYS.has(k));
+      if (unknownGw.length > 0) {
+        return NextResponse.json(
+          { error: `Unknown gateway keys: ${unknownGw.join(", ")}` },
+          { status: 400 }
+        );
+      }
+      if (body.gateway.port !== undefined) {
+        if (!Number.isInteger(body.gateway.port) || body.gateway.port < 1 || body.gateway.port > 65535) {
+          return NextResponse.json(
+            { error: "gateway.port must be an integer between 1 and 65535" },
+            { status: 400 }
+          );
+        }
+      }
+      if (body.gateway.mode !== undefined && !VALID_MODES.has(body.gateway.mode)) {
+        return NextResponse.json(
+          { error: `gateway.mode must be one of: ${[...VALID_MODES].join(", ")}` },
+          { status: 400 }
+        );
+      }
+      if (body.gateway.bind !== undefined && !VALID_BINDS.has(body.gateway.bind)) {
+        return NextResponse.json(
+          { error: `gateway.bind must be one of: ${[...VALID_BINDS].join(", ")}` },
+          { status: 400 }
+        );
+      }
+    }
+
     const config = await loadConfig();
 
     if (!config.agents) config.agents = {};
@@ -79,6 +133,14 @@ export async function PATCH(request: NextRequest) {
       config.agents.defaults.compaction = body.compaction;
     }
 
+    // Gateway settings
+    if (body.gateway !== undefined) {
+      if (!config.gateway) config.gateway = {};
+      if (body.gateway.port !== undefined) config.gateway.port = body.gateway.port;
+      if (body.gateway.mode !== undefined) config.gateway.mode = body.gateway.mode;
+      if (body.gateway.bind !== undefined) config.gateway.bind = body.gateway.bind;
+    }
+
     await saveConfig(config);
 
     return NextResponse.json({ ok: true });

package/mission-control/src/app/api/souls/[id]/evolution/route.ts

@@ -69,7 +69,10 @@ export async function GET(
       const lines = content.trim().split("\n").filter(Boolean);
       fullEvents = lines.map((line) => JSON.parse(line));
     } catch (error) {
-      // events.jsonl might be empty or not exist yet
+      // events.jsonl might be empty, not exist yet, or contain malformed lines
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+        console.warn("Failed to parse events.jsonl:", error);
+      }
     }
 
     // Merge DB records with full event details
@@ -174,11 +177,20 @@ export async function PATCH(
         "events.jsonl"
       );
       const content = await fs.readFile(eventsPath, "utf-8");
-      const events = content
-        .trim()
-        .split("\n")
-        .filter(Boolean)
-        .map((line) => JSON.parse(line));
+      let events: EvolutionEvent[];
+      try {
+        events = content
+          .trim()
+          .split("\n")
+          .filter(Boolean)
+          .map((line) => JSON.parse(line));
+      } catch (parseErr) {
+        console.error("Malformed JSONL in events.jsonl:", parseErr);
+        return NextResponse.json(
+          { error: "Failed to parse evolution events file (malformed JSONL)" },
+          { status: 500 }
+        );
+      }
       const event = events.find((e: EvolutionEvent) => e.eventId === eventId);
 
       if (!event) {
@@ -195,7 +207,16 @@ export async function PATCH(
       );
 
       if (event.proposedChange.action === "add") {
-        const existing = JSON.parse(await fs.readFile(targetPath, "utf-8"));
+        let existing;
+        try {
+          existing = JSON.parse(await fs.readFile(targetPath, "utf-8"));
+        } catch (parseErr) {
+          console.error(`Malformed JSON in ${targetPath}:`, parseErr);
+          return NextResponse.json(
+            { error: `Failed to parse ${event.proposedChange.target} (malformed JSON)` },
+            { status: 500 }
+          );
+        }
         if (event.proposedChange.target === "genes.json") {
           existing.genes.push(event.proposedChange.content);
         }

package/mission-control/src/app/api/souls/[id]/propagate/route.ts

@@ -75,10 +75,17 @@ export async function POST(
       const lines = content.trim().split("\n").filter(Boolean);
       const events: EvolutionEventEntry[] = lines.map((line) => JSON.parse(line));
       sourceEvent = events.find((e) => e.eventId === sourceEventId) ?? null;
-    } catch {
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code === "ENOENT") {
+        return NextResponse.json(
+          { error: "Source events file not found" },
+          { status: 404 }
+        );
+      }
+      console.error("Failed to parse source events.jsonl:", error);
       return NextResponse.json(
-        { error: "Source events file not found" },
-        { status: 404 }
+        { error: "Failed to parse source events file (malformed JSONL)" },
+        { status: 500 }
       );
     }
 

package/mission-control/src/app/api/souls/route.ts

@@ -94,9 +94,10 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(newSoul, { status: 201 });
   } catch (error) {
     console.error("Failed to register soul:", error);
+    const status = error instanceof SyntaxError ? 400 : 500;
     return NextResponse.json(
-      { error: "Failed to register soul" },
-      { status: 500 }
+      { error: status === 400 ? String(error) : "Failed to register soul" },
+      { status }
     );
   }
 }
@@ -133,9 +134,10 @@ export async function PATCH(request: NextRequest) {
     return NextResponse.json(registry.souls[soulIndex]);
   } catch (error) {
     console.error("Failed to update soul:", error);
+    const status = error instanceof SyntaxError ? 400 : 500;
     return NextResponse.json(
-      { error: "Failed to update soul" },
-      { status: 500 }
+      { error: status === 400 ? String(error) : "Failed to update soul" },
+      { status }
     );
   }
 }

package/mission-control/src/app/api/tasks/[id]/route.ts

@@ -9,6 +9,12 @@ import { gatewayNotify } from "@/lib/gateway-notify";
 import { AGENT_NAME, HUMAN_NAME } from "@/lib/config";
 import { getNats, sc } from "@/lib/nats";
 
+/** Safely parse a JSON string from a DB field, returning fallback on failure. */
+function safeParse(json: string | null, fallback: unknown = []): unknown {
+  if (!json) return fallback;
+  try { return JSON.parse(json); } catch { return fallback; }
+}
+
 /**
  * Push a notification message to the OpenClaw TUI via gateway chat.send + abort.
  * Fire-and-forget — does not block the API response.
@@ -130,6 +136,18 @@ export async function PATCH(
     const body = await request.json();
     const now = new Date().toISOString();
 
+    // Status validation
+    const VALID_STATUSES = new Set([
+      "not started", "queued", "ready", "submitted", "running",
+      "blocked", "waiting-user", "done", "cancelled", "archived",
+    ]);
+    if (body.status && !VALID_STATUSES.has(body.status)) {
+      return NextResponse.json(
+        { error: `Invalid status: ${body.status}` },
+        { status: 400 }
+      );
+    }
+
     // Transition guard: block execution mode changes on in-flight mesh tasks
     if (body.execution !== undefined && body.execution !== existing.execution) {
       if (existing.meshTaskId) {
@@ -337,10 +355,8 @@ export async function PATCH(
 
     return NextResponse.json({
       ...updated,
-      successCriteria: updated?.successCriteria
-        ? JSON.parse(updated.successCriteria)
-        : [],
-      artifacts: updated?.artifacts ? JSON.parse(updated.artifacts) : [],
+      successCriteria: safeParse(updated?.successCriteria ?? null),
+      artifacts: safeParse(updated?.artifacts ?? null),
     });
   } catch (err) {
     console.error("PATCH /api/tasks/[id] error:", err);

package/mission-control/src/app/api/tasks/route.ts

@@ -12,6 +12,12 @@ import { getNats, sc } from "@/lib/nats";
 import { WORKSPACE_ROOT, AGENT_NAME } from "@/lib/config";
 import path from "path";
 
+/** Safely parse a JSON string from a DB field, returning fallback on failure. */
+function safeParse(json: string | null, fallback: unknown = []): unknown {
+  if (!json) return fallback;
+  try { return JSON.parse(json); } catch { return fallback; }
+}
+
 /**
  * Parse .companion-state.md to extract current active task.
  * Returns a synthetic task object if there's active work, null otherwise.
@@ -121,11 +127,11 @@ export async function GET(request: NextRequest) {
         .all();
     }
 
-    // Parse JSON fields for the response
+    // Parse JSON fields for the response (per-row guard against corrupt data)
     const result = rows.map((t) => ({
       ...t,
-      successCriteria: t.successCriteria ? JSON.parse(t.successCriteria) : [],
-      artifacts: t.artifacts ? JSON.parse(t.artifacts) : [],
+      successCriteria: safeParse(t.successCriteria),
+      artifacts: safeParse(t.artifacts),
     }));
 
     return NextResponse.json(result);
@@ -155,6 +161,60 @@ export async function POST(request: NextRequest) {
       );
     }
 
+    if (body.title.length > 500) {
+      return NextResponse.json(
+        { error: "title must be 500 characters or fewer" },
+        { status: 400 }
+      );
+    }
+
+    if (body.success_criteria !== undefined) {
+      if (!Array.isArray(body.success_criteria)) {
+        if (typeof body.success_criteria === "string") {
+          try {
+            const parsed = JSON.parse(body.success_criteria);
+            if (!Array.isArray(parsed)) {
+              return NextResponse.json(
+                { error: "success_criteria must be a JSON array" },
+                { status: 400 }
+              );
+            }
+          } catch {
+            return NextResponse.json(
+              { error: "success_criteria must be a valid JSON array string" },
+              { status: 400 }
+            );
+          }
+        } else {
+          return NextResponse.json(
+            { error: "success_criteria must be an array or JSON array string" },
+            { status: 400 }
+          );
+        }
+      }
+    }
+
+    const VALID_STATUSES = [
+      "not started", "queued", "ready", "submitted", "running",
+      "blocked", "waiting-user", "done", "cancelled", "archived",
+    ];
+    if (body.status && !VALID_STATUSES.includes(body.status)) {
+      return NextResponse.json(
+        { error: `status must be one of: ${VALID_STATUSES.join(", ")}` },
+        { status: 400 }
+      );
+    }
+
+    if (body.scheduled_date) {
+      const d = new Date(body.scheduled_date);
+      if (isNaN(d.getTime())) {
+        return NextResponse.json(
+          { error: "scheduled_date must be a valid ISO date string" },
+          { status: 400 }
+        );
+      }
+    }
+
     const status = body.status || "not started";
     const now = new Date();
     // Allow custom IDs for projects/pipelines/phases; auto-generate for tasks
@@ -227,18 +287,17 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         ...created,
-        successCriteria: created?.successCriteria
-          ? JSON.parse(created.successCriteria)
-          : [],
-        artifacts: created?.artifacts ? JSON.parse(created.artifacts) : [],
+        successCriteria: safeParse(created?.successCriteria ?? null),
+        artifacts: safeParse(created?.artifacts ?? null),
       },
       { status: 201 }
     );
   } catch (err) {
     console.error("POST /api/tasks error:", err);
+    const status = err instanceof SyntaxError ? 400 : 500;
     return NextResponse.json(
-      { error: "Failed to create task" },
-      { status: 500 }
+      { error: status === 400 ? String(err) : "Failed to create task" },
+      { status }
     );
   }
 }

package/mission-control/src/lib/config.ts

@@ -1,7 +1,8 @@
 import path from "path";
+import { hostname, homedir } from "os";
 
 export const WORKSPACE_ROOT =
-  process.env.WORKSPACE_ROOT || "/Users/moltymac/.openclaw/workspace";
+  process.env.WORKSPACE_ROOT || path.join(homedir(), ".openclaw", "workspace");
 
 export const DB_PATH =
   process.env.DB_PATH ||
@@ -75,7 +76,6 @@ export function validatePathParam(param: string): string {
 }
 
 // ── Node Identity (Distributed MC) ──
-import { hostname } from "os";
 
 /** This node's unique identifier in the mesh */
 export const NODE_ID = process.env.OPENCLAW_NODE_ID || hostname();

package/mission-control/src/lib/sync/tasks.ts

@@ -283,7 +283,10 @@ export function syncTasksToMarkdown(db: DrizzleDb): void {
   if (!fs.existsSync(dir)) {
     fs.mkdirSync(dir, { recursive: true });
   }
-  fs.writeFileSync(tmpPath, markdown, "utf-8");
+  const fd = fs.openSync(tmpPath, "w");
+  fs.writeSync(fd, markdown, 0, "utf-8");
+  fs.fsyncSync(fd);
+  fs.closeSync(fd);
   fs.renameSync(tmpPath, ACTIVE_TASKS_MD);
 
   // Record mtime of our own write so we don't re-import it

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-node-harness",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "One-command installer for the OpenClaw node layer — identity, skills, souls, daemon, and Mission Control.",
   "bin": {
     "openclaw-node": "./cli.js"

package/services/launchd/ai.openclaw.lane-watchdog.plist

@@ -26,7 +26,7 @@
       <key>HOME</key>
       <string>${HOME}</string>
       <key>PATH</key>
-      <string>/usr/local/bin:/usr/bin:/bin</string>
+      <string>${HOME}/.bun/bin:${HOME}/.local/bin:${HOME}/.npm-global/bin:${HOME}/bin:${HOME}/.volta/bin:${HOME}/.asdf/shims:${HOME}/Library/Application Support/fnm/aliases/default/bin:${HOME}/.fnm/aliases/default/bin:${HOME}/Library/pnpm:${HOME}/.local/share/pnpm:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
     </dict>
   </dict>
 </plist>

package/services/launchd/ai.openclaw.mesh-agent.plist

@@ -31,6 +31,10 @@
       <string>${OPENCLAW_NATS}</string>
       <key>MESH_WORKSPACE</key>
       <string>${OPENCLAW_WORKSPACE}</string>
+      <key>OPENCLAW_NODE_ID</key>
+      <string>${OPENCLAW_NODE_ID}</string>
+      <key>OPENCLAW_NODE_ROLE</key>
+      <string>${OPENCLAW_NODE_ROLE}</string>
     </dict>
     <key>ThrottleInterval</key>
     <integer>30</integer>

package/services/launchd/ai.openclaw.mission-control.plist

@@ -11,14 +11,15 @@
     <key>ProgramArguments</key>
     <array>
         <string>${HOME}/.openclaw/bin/npm</string>
-        <string>run</string>
-        <string>dev</string>
+        <string>start</string>
     </array>
 
     <key>EnvironmentVariables</key>
     <dict>
+        <key>HOME</key>
+        <string>${HOME}</string>
         <key>PATH</key>
-        <string>/usr/local/bin:/usr/bin:/bin</string>
+        <string>${HOME}/.bun/bin:${HOME}/.local/bin:${HOME}/.npm-global/bin:${HOME}/bin:${HOME}/.volta/bin:${HOME}/.asdf/shims:${HOME}/Library/Application Support/fnm/aliases/default/bin:${HOME}/.fnm/aliases/default/bin:${HOME}/Library/pnpm:${HOME}/.local/share/pnpm:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
         <key>NODE_ENV</key>
         <string>production</string>
     </dict>