principles-disciple 1.7.3 → 1.7.5

package/dist/hooks/subagent.js

@@ -6,6 +6,8 @@ import { acquireQueueLock } from '../service/evolution-worker.js';
 const COMPLETION_RETRY_DELAY_MS = 250;
 const COMPLETION_MAX_RETRIES = 3;
 const COMPLETION_RETRY_TTL_MS = 60 * 60 * 1000; // 1 hour TTL for retry entries
+const TASK_OUTCOME_RETRY_DELAY_MS = 250;
+const TASK_OUTCOME_MAX_RETRIES = 3;
 const DIAGNOSTICIAN_SESSION_PREFIX = 'agent:diagnostician:';
 const completionRetryCounts = new Map();
 // Cleanup expired retry entries periodically
@@ -17,7 +19,7 @@ function cleanupExpiredRetryEntries() {
         }
     }
 }
-function emitSubagentPainEvent(wctx, payload) {
+function emitSubagentPainEvent(wctx, payload, logger) {
     try {
         wctx.evolutionReducer.emitSync({
             ts: new Date().toISOString(),
@@ -29,17 +31,25 @@ function emitSubagentPainEvent(wctx, payload) {
                 reason: payload.reason,
                 score: payload.score,
                 sessionId: payload.sessionId,
+                agentId: payload.agentId,
             },
         });
     }
     catch (e) {
-        console.warn(`[PD:Subagent] failed to emit evolution event: ${String(e)}`);
+        logger.warn(`[PD:Subagent] failed to emit evolution event: ${String(e)}`);
     }
 }
 function isDiagnosticianSession(targetSessionKey) {
     return typeof targetSessionKey === 'string' && targetSessionKey.startsWith(DIAGNOSTICIAN_SESSION_PREFIX);
 }
-function cleanupPainFlagForTask(wctx, completedTaskId, queue) {
+function extractAgentIdFromSessionKey(sessionKey) {
+    // sessionKey format: "agent:{agentId}:{type}:{uuid}" or "agent:{agentId}:{uuid}"
+    if (!sessionKey)
+        return undefined;
+    const match = sessionKey.match(/^agent:([^:]+):/);
+    return match ? match[1] : undefined;
+}
+function cleanupPainFlagForTask(wctx, completedTaskId, queue, logger) {
     const painFlagPath = wctx.resolve('PAIN_FLAG');
     try {
         const painData = fs.readFileSync(painFlagPath, 'utf8');
@@ -65,7 +75,7 @@ function cleanupPainFlagForTask(wctx, completedTaskId, queue) {
     catch (e) {
         if (e.code === 'ENOENT')
             return; // File doesn't exist, nothing to clean up
-        console.error(`[PD:Subagent] Failed to cleanup pain flag: ${String(e)}`);
+        logger.error(`[PD:Subagent] Failed to cleanup pain flag: ${String(e)}`);
     }
 }
 function getCompletionRetryKey(workspaceDir, targetSessionKey) {
@@ -92,34 +102,67 @@ function scheduleCompletionRetry(event, ctx, attempt) {
         });
     }, COMPLETION_RETRY_DELAY_MS);
 }
+function scheduleTaskOutcomeRetry(wctx, payload, attempt, logger) {
+    if (attempt > TASK_OUTCOME_MAX_RETRIES) {
+        logger.error(`[PD:Subagent] Failed to persist task outcome after ${TASK_OUTCOME_MAX_RETRIES} retries: ${payload.taskId}`);
+        return;
+    }
+    setTimeout(() => {
+        try {
+            wctx.trajectory?.recordTaskOutcome?.(payload);
+        }
+        catch (error) {
+            logger.warn(`[PD:Subagent] Retrying task outcome persistence for ${payload.taskId}: ${String(error)}`);
+            scheduleTaskOutcomeRetry(wctx, payload, attempt + 1, logger);
+        }
+    }, TASK_OUTCOME_RETRY_DELAY_MS);
+}
 export async function handleSubagentEnded(event, ctx) {
     const { outcome, targetSessionKey } = event;
     const workspaceDir = ctx.workspaceDir;
     if (!workspaceDir)
         return;
     const wctx = WorkspaceContext.fromHookContext(ctx);
+    const logger = ctx.api?.logger ?? console;
     if (targetSessionKey?.startsWith('empathy_obs:')) {
         await empathyObserverManager.reap(ctx.api, targetSessionKey, workspaceDir);
         return;
     }
     const config = wctx.config;
-    if (outcome === 'error' || outcome === 'timeout') {
+    // ── Outcome-based Trust Score and Pain Signal handling ──
+    // OpenClaw v2026.3.23 fixes: timeout may be false positive (fast-finishing workers)
+    // Only penalize actual errors, not timeout/killed/reset
+    if (outcome === 'error') {
+        // Only actual errors trigger penalty
         const scoreSettings = config.get('scores');
-        const score = outcome === 'error' ? scoreSettings.subagent_error_penalty : scoreSettings.subagent_timeout_penalty;
-        const reason = `Subagent session ${targetSessionKey} ended with outcome: ${outcome}`;
+        const score = scoreSettings.subagent_error_penalty;
+        const reason = `Subagent session ${targetSessionKey} ended with error`;
         writePainFlag(workspaceDir, {
-            source: `subagent_${outcome}`,
+            source: `subagent_error`,
             score: String(score),
             time: new Date().toISOString(),
             reason,
-            is_risky: 'true'
+            is_risky: 'true',
+            session_id: ctx.sessionId || '',
+            agent_id: ctx.agentId || extractAgentIdFromSessionKey(targetSessionKey) || '',
         });
         emitSubagentPainEvent(wctx, {
-            source: `subagent_${outcome}`,
+            source: `subagent_error`,
             reason,
             score,
             sessionId: ctx.sessionId,
-        });
+            agentId: ctx.agentId || extractAgentIdFromSessionKey(targetSessionKey),
+        }, logger);
+    }
+    if (outcome === 'timeout') {
+        // OpenClaw v2026.3.23 fix: timeout may be false positive
+        // Fast-finishing workers are no longer incorrectly reported as timed out
+        // Do not penalize - the task may have actually succeeded
+        logger.warn(`[PD:Subagent] Session ${targetSessionKey} timed out - not penalizing (OpenClaw fix applied)`);
+    }
+    if (outcome === 'killed' || outcome === 'reset') {
+        // User-initiated termination or system reset - not an agent failure
+        logger.info(`[PD:Subagent] Session ${targetSessionKey} ended with ${outcome} - no penalty (user/system action)`);
     }
     if (outcome === 'ok' || outcome === 'deleted') {
         wctx.trust.recordSuccess('subagent_success', {
@@ -138,31 +181,170 @@ export async function handleSubagentEnded(event, ctx) {
     const attempt = retryEntry?.count || 0;
     let releaseLock = null;
     try {
-        releaseLock = await acquireQueueLock(queuePath, console);
+        releaseLock = await acquireQueueLock(queuePath, logger);
         const queue = JSON.parse(fs.readFileSync(queuePath, 'utf8'));
         let completedTaskId = null;
-        const matchedTask = queue.find((task) => task?.status === 'in_progress'
-            && typeof task?.assigned_session_key === 'string'
-            && task.assigned_session_key === targetSessionKey);
+        // Improved matching logic: support both direct session key match and HEARTBEAT placeholder match
+        // This fixes task_outcomes being empty for HEARTBEAT-triggered diagnostician runs
+        const matchedTask = queue.find((task) => {
+            if (task?.status !== 'in_progress')
+                return false;
+            const taskSessionKey = task?.assigned_session_key;
+            // 1. Exact match: direct session key assignment
+            if (typeof taskSessionKey === 'string' && taskSessionKey === targetSessionKey) {
+                return true;
+            }
+            // 2. HEARTBEAT placeholder match: for diagnostician sessions
+            // Tasks started via HEARTBEAT have placeholder like "heartbeat:diagnostician:{taskId}"
+            if (isDiagnosticianSession(targetSessionKey)) {
+                // Match tasks with HEARTBEAT placeholder
+                if (typeof taskSessionKey === 'string' && taskSessionKey.startsWith('heartbeat:diagnostician')) {
+                    return true;
+                }
+                // Backward compatibility: match tasks with no assigned_session_key (legacy behavior)
+                // Only match tasks started within 2 hours to avoid stale task matching
+                if (taskSessionKey === undefined || taskSessionKey === null) {
+                    const taskStartedAt = task?.started_at ? new Date(task.started_at).getTime() : 0;
+                    const taskAge = taskStartedAt > 0 ? Date.now() - taskStartedAt : Infinity;
+                    const LEGACY_FALLBACK_MAX_AGE_MS = 2 * 60 * 60 * 1000; // 2 hours
+                    if (taskAge < LEGACY_FALLBACK_MAX_AGE_MS) {
+                        return true;
+                    }
+                }
+            }
+            return false;
+        });
         if (matchedTask) {
+            // Enhanced observability: log match type for debugging
+            const matchType = matchedTask.assigned_session_key === targetSessionKey
+                ? 'exact'
+                : matchedTask.assigned_session_key?.startsWith('heartbeat:diagnostician')
+                    ? 'heartbeat_placeholder'
+                    : 'legacy_fallback';
+            logger.info(`[PD:Subagent] Matched session ${targetSessionKey} to task ${matchedTask.id} (match_type: ${matchType})`);
             matchedTask.status = 'completed';
             matchedTask.completed_at = new Date().toISOString();
             delete matchedTask.assigned_session_key;
             completedTaskId = matchedTask.id;
         }
         else {
-            console.warn(`[PD:Subagent] No in-progress evolution task matched subagent session ${targetSessionKey}`);
+            logger.warn(`[PD:Subagent] No in-progress evolution task matched subagent session ${targetSessionKey}`);
         }
+        let taskOutcomePayload = null;
         if (completedTaskId) {
             fs.writeFileSync(queuePath, JSON.stringify(queue, null, 2), 'utf8');
-            cleanupPainFlagForTask(wctx, completedTaskId, queue);
+            cleanupPainFlagForTask(wctx, completedTaskId, queue, logger);
+            taskOutcomePayload = {
+                sessionId: targetSessionKey,
+                taskId: completedTaskId,
+                outcome,
+                summary: `Diagnostician session ${targetSessionKey} completed evolution task ${completedTaskId}.`,
+            };
+        }
+        if (taskOutcomePayload) {
+            try {
+                wctx.trajectory?.recordTaskOutcome?.(taskOutcomePayload);
+            }
+            catch (error) {
+                logger.warn(`[PD:Subagent] Failed to persist task outcome for ${taskOutcomePayload.taskId}: ${String(error)}`);
+                scheduleTaskOutcomeRetry(wctx, taskOutcomePayload, 1, logger);
+            }
+        }
+        // Read diagnostician output and create principle with generalized pattern
+        if (completedTaskId && ctx.api?.runtime?.subagent) {
+            try {
+                const messages = await ctx.api?.runtime?.subagent?.getSessionMessages?.({
+                    sessionKey: targetSessionKey,
+                    limit: 50
+                });
+                const assistantText = extractAssistantText(messages);
+                const report = parseDiagnosticianReport(assistantText);
+                if (report?.principle) {
+                    const principleId = wctx.evolutionReducer.createPrincipleFromDiagnosis({
+                        painId: matchedTask?.id || completedTaskId,
+                        painType: 'tool_failure', // Default, could be extracted from task
+                        triggerPattern: report.principle.trigger_pattern,
+                        action: report.principle.action,
+                        source: matchedTask?.source || 'diagnostician'
+                    });
+                    if (principleId) {
+                        logger.warn(`[PD:Subagent] Created principle ${principleId} from diagnostician analysis for task ${completedTaskId}`);
+                    }
+                }
+            }
+            catch (e) {
+                logger.warn(`[PD:Subagent] Failed to read diagnostician output: ${String(e)}`);
+            }
         }
     }
     catch (e) {
-        console.error(`[PD:Subagent] Failed to update evolution queue: ${String(e)}`);
+        logger.error(`[PD:Subagent] Failed to update evolution queue: ${String(e)}`);
         scheduleCompletionRetry(event, ctx, attempt);
     }
     finally {
         releaseLock?.();
     }
 }
+/**
+ * Extract text content from assistant messages
+ */
+function extractAssistantText(messages) {
+    if (!messages || !Array.isArray(messages))
+        return '';
+    const texts = [];
+    for (const msg of messages) {
+        if (msg?.role !== 'assistant')
+            continue;
+        const content = msg?.content;
+        if (Array.isArray(content)) {
+            for (const block of content) {
+                if (block?.type === 'text' && typeof block.text === 'string') {
+                    texts.push(block.text);
+                }
+            }
+        }
+        else if (typeof content === 'string') {
+            texts.push(content);
+        }
+    }
+    return texts.join('\n');
+}
+/**
+ * Parse diagnostician JSON report from text
+ */
+function parseDiagnosticianReport(text) {
+    // Try to find JSON in markdown code block
+    const jsonMatch = text.match(/```json\n([\s\S]*?)\n```/);
+    if (jsonMatch) {
+        try {
+            const parsed = JSON.parse(jsonMatch[1]);
+            // Support both direct principle and nested phases.principle_extraction structure
+            if (parsed?.principle) {
+                return { principle: parsed.principle };
+            }
+            if (parsed?.phases?.principle_extraction?.principle) {
+                return { principle: parsed.phases.principle_extraction.principle };
+            }
+        }
+        catch {
+            // Fall through to return null
+        }
+    }
+    // Try to find raw JSON object
+    const objectMatch = text.match(/\{[\s\S]*"principle"[\s\S]*\}/);
+    if (objectMatch) {
+        try {
+            const parsed = JSON.parse(objectMatch[0]);
+            if (parsed?.principle) {
+                return { principle: parsed.principle };
+            }
+            if (parsed?.phases?.principle_extraction?.principle) {
+                return { principle: parsed.phases.principle_extraction.principle };
+            }
+        }
+        catch {
+            // Fall through to return null
+        }
+    }
+    return null;
+}

package/dist/http/principles-console-route.d.ts

@@ -1,2 +1,9 @@
 import type { OpenClawPluginApi, OpenClawPluginHttpRouteParams } from '../openclaw-sdk.js';
+/**
+ * Create routes for Principles Console.
+ * Returns an array of routes:
+ * 1. Static files route (no auth required for HTML/CSS/JS)
+ * 2. API route (gateway auth required)
+ */
+export declare function createPrinciplesConsoleRoutes(api: OpenClawPluginApi): OpenClawPluginHttpRouteParams[];
 export declare function createPrinciplesConsoleRoute(api: OpenClawPluginApi): OpenClawPluginHttpRouteParams;

package/dist/http/principles-console-route.js

@@ -1,6 +1,9 @@
 import fs from 'fs';
 import path from 'path';
 import { ControlUiQueryService } from '../service/control-ui-query-service.js';
+import { getEvolutionQueryService } from '../service/evolution-query-service.js';
+import { TrajectoryRegistry } from '../core/trajectory.js';
+import { getCentralDatabase } from '../service/central-database.js';
 const ROUTE_PREFIX = '/plugins/principles';
 const API_PREFIX = `${ROUTE_PREFIX}/api`;
 const ASSETS_PREFIX = `${ROUTE_PREFIX}/assets`;
@@ -80,6 +83,11 @@ function createService(api) {
     return new ControlUiQueryService(workspaceDir);
 }
 function handleApiRoute(api, pathname, req, res) {
+    // Check authentication for API routes
+    if (!validateGatewayAuth(req)) {
+        json(res, 401, { error: 'unauthorized', message: 'Valid Gateway token required.' });
+        return true;
+    }
     const service = createService(api);
     const url = new URL(req.url || pathname, 'http://127.0.0.1');
     const method = (req.method || 'GET').toUpperCase();
@@ -101,6 +109,153 @@ function handleApiRoute(api, pathname, req, res) {
     if (pathname === `${API_PREFIX}/overview` && method === 'GET') {
         return done(() => service.getOverview());
     }
+    if (pathname === `${API_PREFIX}/central/overview` && method === 'GET') {
+        return done(() => {
+            const centralDb = getCentralDatabase();
+            const stats = centralDb.getOverviewStats();
+            const trend = centralDb.getDailyTrend(14);
+            const regressions = centralDb.getTopRegressions(5);
+            const thinkingStats = centralDb.getThinkingModelStats();
+            const workspaces = centralDb.getWorkspaces();
+            return {
+                workspaceDir: 'central',
+                generatedAt: new Date().toISOString(),
+                dataFreshness: workspaces.length > 0 ? (workspaces[0].lastSync ?? null) : null,
+                dataSource: 'central_aggregated_db',
+                runtimeControlPlaneSource: 'all_workspaces',
+                summary: {
+                    repeatErrorRate: stats.totalToolCalls > 0
+                        ? stats.totalFailures / stats.totalToolCalls
+                        : 0,
+                    userCorrectionRate: stats.totalToolCalls > 0
+                        ? stats.totalCorrections / stats.totalToolCalls
+                        : 0,
+                    pendingSamples: stats.pendingSamples,
+                    approvedSamples: stats.approvedSamples,
+                    thinkingCoverageRate: stats.totalToolCalls > 0
+                        ? stats.totalThinkingEvents / stats.totalToolCalls
+                        : 0,
+                    painEvents: stats.totalPainEvents,
+                    principleEventCount: 0,
+                    gateBlocks: 0,
+                    taskOutcomes: 0,
+                },
+                dailyTrend: trend,
+                topRegressions: regressions,
+                sampleQueue: {
+                    counters: {
+                        pending: stats.pendingSamples,
+                        approved: stats.approvedSamples,
+                        rejected: stats.rejectedSamples,
+                    },
+                    preview: [],
+                },
+                thinkingSummary: {
+                    activeModels: thinkingStats.activeModels,
+                    dormantModels: thinkingStats.totalModels - thinkingStats.activeModels,
+                    effectiveModels: thinkingStats.models.filter(m => m.coverageRate > 0.1).length,
+                    coverageRate: stats.totalToolCalls > 0
+                        ? stats.totalThinkingEvents / stats.totalToolCalls
+                        : 0,
+                },
+                centralInfo: {
+                    workspaceCount: stats.workspaceCount,
+                    enabledWorkspaceCount: stats.enabledWorkspaceCount,
+                    workspaces: stats.workspaceNames,
+                    enabledWorkspaces: stats.enabledWorkspaceNames,
+                },
+            };
+        });
+    }
+    if (pathname === `${API_PREFIX}/central/sync` && method === 'POST') {
+        return done(() => {
+            const centralDb = getCentralDatabase();
+            const results = centralDb.syncEnabled();
+            const summary = {};
+            results.forEach((count, name) => {
+                summary[name] = count;
+            });
+            return { synced: summary, timestamp: new Date().toISOString() };
+        });
+    }
+    if (pathname === `${API_PREFIX}/central/workspaces` && method === 'GET') {
+        return done(() => {
+            const centralDb = getCentralDatabase();
+            const configs = centralDb.getWorkspaceConfigs();
+            const workspaces = centralDb.getWorkspaces();
+            return {
+                configs,
+                workspaces: workspaces.map(ws => ({
+                    name: ws.name,
+                    path: ws.path,
+                    lastSync: ws.lastSync,
+                    config: configs.find(c => c.workspaceName === ws.name) ?? null,
+                })),
+            };
+        });
+    }
+    const workspaceConfigMatch = pathname.match(/^\/plugins\/principles\/api\/central\/workspaces\/([^/]+)$/);
+    if (workspaceConfigMatch && method === 'GET') {
+        return done(() => {
+            const centralDb = getCentralDatabase();
+            const workspaceName = decodeURIComponent(workspaceConfigMatch[1]);
+            const configs = centralDb.getWorkspaceConfigs();
+            const config = configs.find(c => c.workspaceName === workspaceName);
+            return config ?? { workspaceName, enabled: true, displayName: workspaceName, syncEnabled: true };
+        });
+    }
+    if (workspaceConfigMatch && method === 'PATCH') {
+        return (async () => {
+            try {
+                const body = await readJsonBody(req);
+                const centralDb = getCentralDatabase();
+                const workspaceName = decodeURIComponent(workspaceConfigMatch[1]);
+                centralDb.updateWorkspaceConfig(workspaceName, {
+                    enabled: body.enabled,
+                    displayName: body.displayName,
+                    syncEnabled: body.syncEnabled,
+                });
+                const configs = centralDb.getWorkspaceConfigs();
+                json(res, 200, configs.find(c => c.workspaceName === workspaceName));
+                return true;
+            }
+            catch (error) {
+                if (error instanceof Error && error.message === 'invalid_json') {
+                    json(res, 400, { error: 'bad_request', message: 'Request body must be valid JSON.' });
+                    return true;
+                }
+                api.logger.warn(`[PD:ControlUI] Workspace config update failed: ${String(error)}`);
+                json(res, 500, { error: 'internal_error', message: String(error) });
+                return true;
+            }
+        })();
+    }
+    if (pathname === `${API_PREFIX}/central/workspaces` && method === 'POST') {
+        return (async () => {
+            try {
+                const body = await readJsonBody(req);
+                const name = typeof body.name === 'string' ? body.name : '';
+                const workspacePath = typeof body.path === 'string' ? body.path : '';
+                if (!name || !workspacePath) {
+                    json(res, 400, { error: 'bad_request', message: 'name and path are required.' });
+                    return true;
+                }
+                const centralDb = getCentralDatabase();
+                centralDb.addCustomWorkspace(name, workspacePath);
+                json(res, 201, { success: true, workspace: name });
+                return true;
+            }
+            catch (error) {
+                if (error instanceof Error && error.message === 'invalid_json') {
+                    json(res, 400, { error: 'bad_request', message: 'Request body must be valid JSON.' });
+                    return true;
+                }
+                api.logger.warn(`[PD:ControlUI] Add workspace failed: ${String(error)}`);
+                json(res, 500, { error: 'internal_error', message: String(error) });
+                return true;
+            }
+        })();
+    }
     if (pathname === `${API_PREFIX}/samples` && method === 'GET') {
         return done(() => service.listSamples({
             status: url.searchParams.get('status') ?? undefined,
@@ -185,6 +340,62 @@ function handleApiRoute(api, pathname, req, res) {
             service.dispose();
         }
     }
+    // === Evolution API ===
+    const evolutionService = () => {
+        const workspaceDir = api.resolvePath('.');
+        const trajectory = TrajectoryRegistry.get(workspaceDir);
+        return getEvolutionQueryService(trajectory);
+    };
+    if (pathname === `${API_PREFIX}/evolution/tasks` && method === 'GET') {
+        return done(() => {
+            const evoService = evolutionService();
+            return evoService.getTasks({
+                status: url.searchParams.get('status') ?? undefined,
+                dateFrom: url.searchParams.get('dateFrom') ?? undefined,
+                dateTo: url.searchParams.get('dateTo') ?? undefined,
+                page: url.searchParams.has('page') ? Number(url.searchParams.get('page')) : undefined,
+                pageSize: url.searchParams.has('pageSize') ? Number(url.searchParams.get('pageSize')) : undefined,
+            });
+        });
+    }
+    if (pathname === `${API_PREFIX}/evolution/events` && method === 'GET') {
+        return done(() => {
+            const evoService = evolutionService();
+            return evoService.getEvents({
+                traceId: url.searchParams.get('traceId') ?? undefined,
+                stage: url.searchParams.get('stage') ?? undefined,
+                limit: url.searchParams.has('limit') ? Number(url.searchParams.get('limit')) : undefined,
+                offset: url.searchParams.has('offset') ? Number(url.searchParams.get('offset')) : undefined,
+            });
+        });
+    }
+    if (pathname === `${API_PREFIX}/evolution/stats` && method === 'GET') {
+        return done(() => {
+            const evoService = evolutionService();
+            return evoService.getStats();
+        });
+    }
+    const evolutionTraceMatch = pathname.match(/^\/plugins\/principles\/api\/evolution\/trace\/([^/]+)$/);
+    if (evolutionTraceMatch && method === 'GET') {
+        const evoService = evolutionService();
+        try {
+            const trace = evoService.getTrace(decodeURIComponent(evolutionTraceMatch[1]));
+            if (!trace) {
+                json(res, 404, { error: 'not_found', message: 'Evolution trace not found.' });
+                return true;
+            }
+            json(res, 200, trace);
+            return true;
+        }
+        catch (error) {
+            api.logger.warn(`[PD:ControlUI] Evolution trace request failed for ${pathname}: ${String(error)}`);
+            json(res, 500, { error: 'internal_error', message: String(error) });
+            return true;
+        }
+        finally {
+            evoService.dispose();
+        }
+    }
     if (pathname === `${API_PREFIX}/export/corrections` && method === 'GET') {
         try {
             const mode = url.searchParams.get('mode') === 'redacted' ? 'redacted' : 'raw';
@@ -217,10 +428,93 @@ function handleApiRoute(api, pathname, req, res) {
     json(res, 404, { error: 'not_found', message: 'Unknown Principles Console API route.' });
     return true;
 }
+function getGatewayToken() {
+    try {
+        const configPath = path.join(process.env.HOME || '', '.openclaw', 'openclaw.json');
+        if (!fs.existsSync(configPath))
+            return null;
+        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+        return config?.gateway?.auth?.token || null;
+    }
+    catch {
+        return null;
+    }
+}
+function validateGatewayAuth(req) {
+    const gatewayToken = getGatewayToken();
+    if (!gatewayToken) {
+        // No token configured, allow all requests
+        return true;
+    }
+    const authHeader = req.headers?.['authorization'] || '';
+    const tokenMatch = authHeader.match(/^Bearer\s+(.+)$/i);
+    const providedToken = tokenMatch?.[1];
+    return providedToken === gatewayToken;
+}
+/**
+ * Create routes for Principles Console.
+ * Returns an array of routes:
+ * 1. Static files route (no auth required for HTML/CSS/JS)
+ * 2. API route (gateway auth required)
+ */
+export function createPrinciplesConsoleRoutes(api) {
+    // Route 1: Static files (HTML, CSS, JS) - no auth check
+    const staticRoute = {
+        path: ROUTE_PREFIX,
+        auth: 'plugin',
+        match: 'prefix',
+        async handler(req, res) {
+            const url = new URL(req.url || ROUTE_PREFIX, 'http://127.0.0.1');
+            const pathname = url.pathname;
+            const method = (req.method || 'GET').toUpperCase();
+            // Skip API routes - they'll be handled by the API route
+            if (pathname.startsWith(API_PREFIX)) {
+                return false; // Let the API route handle this
+            }
+            // Serve assets
+            if (pathname.startsWith(ASSETS_PREFIX)) {
+                if (method !== 'GET' && method !== 'HEAD') {
+                    text(res, 405, 'Method Not Allowed');
+                    return true;
+                }
+                const assetPath = safeStaticPath(api.rootDir, pathname);
+                if (!assetPath || !serveFile(res, assetPath)) {
+                    text(res, 404, 'Asset Not Found');
+                }
+                return true;
+            }
+            // Serve index.html for the main route
+            if (method !== 'GET' && method !== 'HEAD') {
+                text(res, 405, 'Method Not Allowed');
+                return true;
+            }
+            const indexPath = path.join(api.rootDir, 'dist', 'web', 'index.html');
+            if (!serveFile(res, indexPath)) {
+                text(res, 503, 'Principles Console UI is not built yet.');
+            }
+            return true;
+        },
+    };
+    // Route 2: API endpoints - gateway auth required
+    const apiRoute = {
+        path: API_PREFIX,
+        auth: 'gateway',
+        match: 'prefix',
+        async handler(req, res) {
+            const url = new URL(req.url || API_PREFIX, 'http://127.0.0.1');
+            const pathname = url.pathname;
+            return handleApiRoute(api, pathname, req, res);
+        },
+    };
+    return [staticRoute, apiRoute];
+}
+// Legacy export for backwards compatibility
 export function createPrinciplesConsoleRoute(api) {
+    const routes = createPrinciplesConsoleRoutes(api);
+    // Return the combined behavior - this will be called from index.ts
     return {
         path: ROUTE_PREFIX,
-        auth: 'gateway',
+        auth: 'plugin',
         match: 'prefix',
         async handler(req, res) {
             const url = new URL(req.url || ROUTE_PREFIX, 'http://127.0.0.1');
@@ -229,9 +523,15 @@ export function createPrinciplesConsoleRoute(api) {
             if (!pathname.startsWith(ROUTE_PREFIX)) {
                 return false;
             }
+            // For API routes, check auth manually
             if (pathname.startsWith(API_PREFIX)) {
+                if (!validateGatewayAuth(req)) {
+                    json(res, 401, { error: 'unauthorized', message: 'Valid Gateway token required.' });
+                    return true;
+                }
                 return handleApiRoute(api, pathname, req, res);
             }
+            // Static files - no auth required
             if (pathname.startsWith(ASSETS_PREFIX)) {
                 if (method !== 'GET' && method !== 'HEAD') {
                     text(res, 405, 'Method Not Allowed');

package/dist/index.js

@@ -26,7 +26,6 @@ import { ensureWorkspaceTemplates } from './core/init.js';
 import { migrateDirectoryStructure } from './core/migration.js';
 import { SystemLogger } from './core/system-logger.js';
 import { createDeepReflectTool } from './tools/deep-reflect.js';
-import { createAgentSpawnTool } from './tools/agent-spawn.js';
 import { PathResolver } from './core/path-resolver.js';
 import { createPrinciplesConsoleRoute } from './http/principles-console-route.js';
 // Track initialization to avoid repeated calls
@@ -476,7 +475,6 @@ const plugin = {
             }
         });
         api.registerTool(createDeepReflectTool(api));
-        api.registerTool(createAgentSpawnTool(api));
     }
 };
 export default plugin;