solana-traderclaw 1.0.37 → 1.0.39

package/bin/openclaw-trader.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { createInterface } from "readline";
-import { readFileSync, writeFileSync, mkdirSync, appendFileSync } from "fs";
+import { readFileSync, writeFileSync, mkdirSync, appendFileSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 import { randomUUID, createPrivateKey, sign as cryptoSign } from "crypto";
@@ -1015,11 +1015,6 @@ async function cmdSetup(args) {
   printWarn(
     `  For the OpenClaw gateway (Telegram/agent tools), the same env must be set on the gateway service — not only in this shell. See: ${TRADERCLAW_SESSION_TROUBLESHOOTING_URL}`,
   );
-  print("Next steps:");
-  print("  1. Install the plugin:     openclaw plugins install solana-traderclaw (or: npm install -g solana-traderclaw)");
-  print("  2. Restart the gateway:    openclaw gateway --restart");
-  print("  3. Start trading:          Ask OpenClaw to scan for opportunities");
-  print("");
   print("Session commands:");
   print("  traderclaw status     Check connection health (auto-refreshes session)");
   print("  traderclaw login      Re-authenticate (challenge flow)");
@@ -2596,6 +2591,242 @@ async function cmdInstall(args) {
   printInfo("Press Ctrl+C to stop the wizard server.");
 }
 
+async function cmdTestSession(args) {
+  const config = readConfig();
+  const pluginConfig = getPluginConfig(config);
+
+  if (!pluginConfig) {
+    printError("No plugin configuration found. Run 'traderclaw setup' first.");
+    process.exit(1);
+  }
+
+  const orchestratorUrl = pluginConfig.orchestratorUrl;
+  if (!orchestratorUrl) {
+    printError("orchestratorUrl not set in config. Run 'traderclaw setup' to fix.");
+    process.exit(1);
+  }
+
+  const dataDir = pluginConfig.dataDir || join(process.cwd(), ".traderclaw-v1-data");
+  const sessionTokensPath = join(dataDir, "session-tokens.json");
+
+  let sidecar = null;
+  try {
+    if (existsSync(sessionTokensPath)) {
+      sidecar = JSON.parse(readFileSync(sessionTokensPath, "utf-8"));
+    }
+  } catch { /* ignore */ }
+
+  const effectiveRefreshToken =
+    (sidecar?.refreshToken && sidecar.refreshToken.length > 0)
+      ? sidecar.refreshToken
+      : pluginConfig.refreshToken;
+
+  const walletPrivateKeyInput = args.includes("--wallet-private-key")
+    ? args[args.indexOf("--wallet-private-key") + 1] || ""
+    : "";
+
+  print("\nTraderClaw V1 — Session Auth Test\n");
+  print("=".repeat(50));
+  printInfo(`  Orchestrator:     ${orchestratorUrl}`);
+  printInfo(`  API key:          ${pluginConfig.apiKey ? maskKey(pluginConfig.apiKey) : "MISSING"}`);
+  printInfo(`  Refresh token:    ${effectiveRefreshToken ? maskKey(effectiveRefreshToken) : "MISSING"}`);
+  printInfo(`  Sidecar file:     ${sidecar ? sessionTokensPath : "not found"}`);
+  printInfo(`  Wallet pub key:   ${pluginConfig.walletPublicKey || "not set"}`);
+  printInfo(`  Wallet priv key:  ${getRuntimeWalletPrivateKey(walletPrivateKeyInput) ? "available" : "NOT AVAILABLE"}`);
+  print("");
+
+  const results = [];
+  let currentAccessToken = null;
+  let currentRefreshToken = effectiveRefreshToken;
+
+  // --- Test 1: Initial refresh ---
+  print("  [1/5] Token refresh...");
+  const t1Start = Date.now();
+  try {
+    if (!currentRefreshToken) {
+      throw new Error("No refresh token available — skip to challenge flow test");
+    }
+    const tokens = await doRefresh(orchestratorUrl, currentRefreshToken);
+    if (!tokens) {
+      printWarn("        Refresh returned null (token revoked/expired) — will test challenge flow");
+      results.push({ test: "initial_refresh", status: "expired", ms: Date.now() - t1Start });
+      currentRefreshToken = null;
+    } else {
+      const ms = Date.now() - t1Start;
+      currentAccessToken = tokens.accessToken;
+      currentRefreshToken = tokens.refreshToken;
+      printSuccess(`        OK (${ms}ms) — accessTokenTtl: ${tokens.accessTokenTtlSeconds}s, refreshTokenTtl: ${tokens.refreshTokenTtlSeconds}s`);
+      results.push({
+        test: "initial_refresh",
+        status: "ok",
+        ms,
+        accessTokenTtl: tokens.accessTokenTtlSeconds,
+        refreshTokenTtl: tokens.refreshTokenTtlSeconds,
+        tier: tokens.session?.tier,
+      });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "initial_refresh", status: "fail", ms: Date.now() - t1Start, error: err.message });
+    currentRefreshToken = null;
+  }
+
+  // --- Test 2: Second refresh (verifies rotation worked) ---
+  print("  [2/5] Second refresh (token rotation check)...");
+  const t2Start = Date.now();
+  try {
+    if (!currentRefreshToken) {
+      throw new Error("No refresh token — skipped (previous test failed)");
+    }
+    const tokens2 = await doRefresh(orchestratorUrl, currentRefreshToken);
+    if (!tokens2) {
+      printError("        FAIL: second refresh returned null — rotation may be broken");
+      results.push({ test: "rotation_check", status: "fail", ms: Date.now() - t2Start, error: "null response" });
+    } else {
+      const ms = Date.now() - t2Start;
+      const rotated = tokens2.refreshToken !== currentRefreshToken;
+      currentAccessToken = tokens2.accessToken;
+      currentRefreshToken = tokens2.refreshToken;
+      if (rotated) {
+        printSuccess(`        OK (${ms}ms) — refresh token rotated correctly`);
+      } else {
+        printWarn(`        OK (${ms}ms) — refresh token NOT rotated (server may use static tokens)`);
+      }
+      results.push({ test: "rotation_check", status: "ok", ms, rotated });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "rotation_check", status: "fail", ms: Date.now() - t2Start, error: err.message });
+  }
+
+  // --- Test 3: API call with access token ---
+  print("  [3/5] Authenticated API call (/healthz)...");
+  const t3Start = Date.now();
+  try {
+    if (!currentAccessToken) {
+      throw new Error("No access token — skipped");
+    }
+    const health = await httpRequest(`${orchestratorUrl}/healthz`, {
+      accessToken: currentAccessToken,
+      timeout: 8000,
+    });
+    const ms = Date.now() - t3Start;
+    if (health.ok) {
+      printSuccess(`        OK (${ms}ms) — orchestrator healthy`);
+      results.push({ test: "api_call", status: "ok", ms });
+    } else {
+      printError(`        FAIL: HTTP ${health.status}`);
+      results.push({ test: "api_call", status: "fail", ms, error: `HTTP ${health.status}` });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "api_call", status: "fail", ms: Date.now() - t3Start, error: err.message });
+  }
+
+  // --- Test 4: Challenge flow (re-auth from scratch) ---
+  print("  [4/5] Challenge flow (full re-authentication)...");
+  const t4Start = Date.now();
+  try {
+    if (!pluginConfig.apiKey) {
+      throw new Error("No API key — cannot test challenge flow");
+    }
+    const challenge = await doChallenge(orchestratorUrl, pluginConfig.apiKey, pluginConfig.walletPublicKey);
+    const ms = Date.now() - t4Start;
+    if (challenge.walletProofRequired) {
+      const wpk = getRuntimeWalletPrivateKey(walletPrivateKeyInput);
+      if (wpk) {
+        try {
+          const walletSig = signChallengeLocally(challenge.challenge, wpk);
+          const tokens = await doSessionStart(
+            orchestratorUrl,
+            pluginConfig.apiKey,
+            challenge.challengeId,
+            challenge.walletPublicKey || pluginConfig.walletPublicKey,
+            walletSig,
+          );
+          const totalMs = Date.now() - t4Start;
+          currentAccessToken = tokens.accessToken;
+          currentRefreshToken = tokens.refreshToken;
+          printSuccess(`        OK (${totalMs}ms) — challenge + wallet proof succeeded`);
+          results.push({ test: "challenge_flow", status: "ok", ms: totalMs, walletProof: true });
+        } catch (sigErr) {
+          printError(`        FAIL (wallet signing): ${sigErr.message}`);
+          results.push({ test: "challenge_flow", status: "fail", ms: Date.now() - t4Start, error: sigErr.message });
+        }
+      } else {
+        printWarn(`        PARTIAL (${ms}ms) — challenge OK but wallet proof needed and TRADERCLAW_WALLET_PRIVATE_KEY not available`);
+        printWarn("        Set TRADERCLAW_WALLET_PRIVATE_KEY env var or pass --wallet-private-key to test fully");
+        results.push({ test: "challenge_flow", status: "partial", ms, walletProofRequired: true, keyAvailable: false });
+      }
+    } else {
+      const tokens = await doSessionStart(orchestratorUrl, pluginConfig.apiKey, challenge.challengeId);
+      const totalMs = Date.now() - t4Start;
+      currentAccessToken = tokens.accessToken;
+      currentRefreshToken = tokens.refreshToken;
+      printSuccess(`        OK (${totalMs}ms) — challenge flow succeeded (no wallet proof needed)`);
+      results.push({ test: "challenge_flow", status: "ok", ms: totalMs, walletProof: false });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "challenge_flow", status: "fail", ms: Date.now() - t4Start, error: err.message });
+  }
+
+  // --- Test 5: Persist rotated tokens back to sidecar ---
+  print("  [5/5] Persist tokens to sidecar...");
+  try {
+    if (currentRefreshToken && currentAccessToken) {
+      mkdirSync(dataDir, { recursive: true });
+      const payload = {
+        refreshToken: currentRefreshToken,
+        accessToken: currentAccessToken,
+        accessTokenExpiresAt: Date.now() + 900_000,
+        walletPublicKey: pluginConfig.walletPublicKey || undefined,
+      };
+      const tmp = `${sessionTokensPath}.${process.pid}.${Date.now()}.tmp`;
+      writeFileSync(tmp, JSON.stringify(payload, null, 2) + "\n", "utf-8");
+      const { renameSync } = await import("fs");
+      renameSync(tmp, sessionTokensPath);
+      printSuccess(`        OK — written to ${sessionTokensPath}`);
+      results.push({ test: "persist_sidecar", status: "ok" });
+
+      pluginConfig.refreshToken = currentRefreshToken;
+      removeLegacyWalletPrivateKey(pluginConfig);
+      setPluginConfig(config, pluginConfig);
+      writeConfig(config);
+      printSuccess("        Config updated with latest refresh token");
+    } else {
+      printWarn("        SKIP — no valid tokens to persist");
+      results.push({ test: "persist_sidecar", status: "skip" });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "persist_sidecar", status: "fail", error: err.message });
+  }
+
+  // --- Summary ---
+  print("\n" + "=".repeat(50));
+  const passed = results.filter((r) => r.status === "ok").length;
+  const failed = results.filter((r) => r.status === "fail").length;
+  const partial = results.filter((r) => r.status === "partial" || r.status === "expired" || r.status === "skip").length;
+
+  if (failed === 0 && passed > 0) {
+    printSuccess(`\n  ALL TESTS PASSED (${passed}/${results.length})`);
+  } else if (failed > 0) {
+    printError(`\n  ${failed} FAILED, ${passed} passed, ${partial} skipped/partial`);
+  } else {
+    printWarn(`\n  ${passed} passed, ${partial} skipped/partial`);
+  }
+
+  print("\n  Build-and-test workflow (no reinstall):");
+  printInfo("    cd /path/to/plugin && npm run build");
+  printInfo("    npm link");
+  printInfo("    sudo systemctl restart openclaw");
+  printInfo("    traderclaw test-session");
+  print("");
+
+  if (failed > 0) process.exit(1);
+}
+
 function printHelp() {
   print(`
 TraderClaw V1 CLI v${VERSION}
@@ -2612,6 +2843,7 @@ Commands:
   logout             Revoke current session and clear tokens
   status             Check connection health and wallet status
   config             View and manage configuration
+  test-session       Test session auth flow (refresh, rotation, challenge) without reinstalling
 
 Setup options:
   --api-key, -k      API key (skip interactive prompt)
@@ -2658,6 +2890,8 @@ Examples:
   traderclaw status
   traderclaw config show
   traderclaw config set apiTimeout 60000
+  traderclaw test-session
+  traderclaw test-session --wallet-private-key <base58_key>
 `);
 }
 
@@ -2703,6 +2937,9 @@ async function main() {
     case "config":
       await cmdConfig(args.slice(1));
       break;
+    case "test-session":
+      await cmdTestSession(args.slice(1));
+      break;
     default:
       printError(`Unknown command: ${command}`);
       printHelp();

package/dist/{chunk-QSICXLW7.js → chunk-GYXPEC7O.js}

@@ -144,6 +144,8 @@ var SessionManager = class {
   log;
   refreshInFlight = null;
   refreshTokenTtlMs = 0;
+  accessTokenTtlMs = 0;
+  tokenGeneration = 0;
   proactiveRefreshTimer = null;
   proactiveRefreshRunning = false;
   constructor(config) {
@@ -224,6 +226,7 @@ var SessionManager = class {
     if (!this.refreshTokenValue) {
       throw new Error("No refresh token available. Must authenticate via challenge flow.");
     }
+    const genBefore = this.tokenGeneration;
     const res = await rawFetch(
       `${this.baseUrl}/api/session/refresh`,
       "POST",
@@ -233,9 +236,13 @@ var SessionManager = class {
     );
     if (!res.ok) {
       if (res.status === 401 || res.status === 403) {
-        this.accessToken = null;
-        this.refreshTokenValue = null;
-        this.accessTokenExpiresAt = 0;
+        if (this.tokenGeneration === genBefore) {
+          this.accessToken = null;
+          this.refreshTokenValue = null;
+          this.accessTokenExpiresAt = 0;
+        } else {
+          this.log.info("[session] Stale 401/403 ignored \u2014 tokens already rotated by concurrent call.");
+        }
         throw new Error("Refresh token expired or revoked. Must re-authenticate via challenge flow.");
       }
       throw new Error(`Token refresh failed (HTTP ${res.status}): ${JSON.stringify(res.data)}`);
@@ -303,14 +310,7 @@ var SessionManager = class {
     if (this.accessToken && Date.now() < this.accessTokenExpiresAt - 12e4) {
       return this.accessToken;
     }
-    if (!this.refreshInFlight) {
-      this.refreshInFlight = this.ensureRefreshed();
-    }
-    try {
-      await this.refreshInFlight;
-    } finally {
-      this.refreshInFlight = null;
-    }
+    await this.unifiedRefresh();
     if (!this.accessToken) {
       throw new Error(
         `Session expired and could not be refreshed. Re-authentication required. Troubleshooting: ${TRADERCLAW_SESSION_TROUBLESHOOTING}`
@@ -321,14 +321,7 @@ var SessionManager = class {
   async handleUnauthorized() {
     this.accessToken = null;
     this.accessTokenExpiresAt = 0;
-    if (!this.refreshInFlight) {
-      this.refreshInFlight = this.ensureRefreshed();
-    }
-    try {
-      await this.refreshInFlight;
-    } finally {
-      this.refreshInFlight = null;
-    }
+    await this.unifiedRefresh();
     if (!this.accessToken) {
       throw new Error(
         `Session expired and could not be refreshed. Re-authentication required. Troubleshooting: ${TRADERCLAW_SESSION_TROUBLESHOOTING}`
@@ -336,6 +329,20 @@ var SessionManager = class {
     }
     return this.accessToken;
   }
+  /**
+   * Single-mutex refresh: all paths (proactive timer, on-demand getAccessToken,
+   * handleUnauthorized) funnel through here so only one refresh HTTP call is
+   * ever in-flight. Prevents the race where two concurrent refresh() calls
+   * with the same rotating refresh token kill the session.
+   */
+  async unifiedRefresh() {
+    if (!this.refreshInFlight) {
+      this.refreshInFlight = this.ensureRefreshed().finally(() => {
+        this.refreshInFlight = null;
+      });
+    }
+    await this.refreshInFlight;
+  }
   isAuthenticated() {
     return !!this.accessToken;
   }
@@ -357,9 +364,11 @@ var SessionManager = class {
     return this.walletPublicKey;
   }
   applyTokens(tokens) {
+    this.tokenGeneration++;
     this.accessToken = tokens.accessToken;
     this.refreshTokenValue = tokens.refreshToken;
     this.accessTokenExpiresAt = Date.now() + tokens.accessTokenTtlSeconds * 1e3;
+    this.accessTokenTtlMs = tokens.accessTokenTtlSeconds * 1e3;
     this.refreshTokenTtlMs = (tokens.refreshTokenTtlSeconds || 0) * 1e3;
     this.sessionId = tokens.session.id;
     this.tier = tokens.session.tier;
@@ -375,14 +384,19 @@ var SessionManager = class {
     this.scheduleProactiveRefresh();
   }
   /**
-   * Schedule a background token refresh well before the refresh token expires.
-   * Uses 50% of refresh token TTL (clamped between 2 min and 20 min).
-   * Each successful refresh rotates both tokens, keeping the chain alive
-   * even when no tool calls are happening (idle heartbeat gaps, gateway restarts).
+   * Schedule a repeating background token refresh. Uses setInterval so the
+   * chain cannot silently break if a single cycle fails to re-schedule.
+   *
+   * Interval = min(50% refresh-token TTL, accessTokenTtl - 2.5 min buffer),
+   * clamped between 2 min and 20 min. Falls back to 10 min when TTLs unknown.
+   *
+   * Goes through unifiedRefresh() so it shares the same mutex as on-demand
+   * callers and can fall back to the full challenge flow when refresh tokens
+   * are permanently revoked.
    */
   scheduleProactiveRefresh() {
     if (this.proactiveRefreshTimer) {
-      clearTimeout(this.proactiveRefreshTimer);
+      clearInterval(this.proactiveRefreshTimer);
       this.proactiveRefreshTimer = null;
     }
     const MIN_INTERVAL_MS = 2 * 60 * 1e3;
@@ -394,17 +408,20 @@ var SessionManager = class {
     } else {
       intervalMs = DEFAULT_INTERVAL_MS;
     }
-    this.proactiveRefreshTimer = setTimeout(async () => {
+    if (this.accessTokenTtlMs > 0) {
+      const accessBasedMs = Math.max(MIN_INTERVAL_MS, this.accessTokenTtlMs - 15e4);
+      intervalMs = Math.min(intervalMs, accessBasedMs);
+    }
+    this.log.info(`[session] Proactive refresh scheduled every ${Math.round(intervalMs / 1e3)}s`);
+    this.proactiveRefreshTimer = setInterval(async () => {
       if (this.proactiveRefreshRunning) return;
       this.proactiveRefreshRunning = true;
       try {
-        if (!this.refreshTokenValue) return;
         this.log.info(`[session] Proactive token refresh (interval: ${Math.round(intervalMs / 1e3)}s)...`);
-        await this.refresh();
+        await this.unifiedRefresh();
         this.log.info("[session] Proactive refresh succeeded \u2014 token chain extended.");
       } catch (err) {
-        this.log.warn(`[session] Proactive refresh failed: ${err.message}. Will retry next cycle or on-demand.`);
-        this.scheduleProactiveRefresh();
+        this.log.warn(`[session] Proactive refresh failed: ${err.message}. Will retry next interval or on-demand.`);
       } finally {
         this.proactiveRefreshRunning = false;
       }
@@ -415,7 +432,7 @@ var SessionManager = class {
   }
   destroy() {
     if (this.proactiveRefreshTimer) {
-      clearTimeout(this.proactiveRefreshTimer);
+      clearInterval(this.proactiveRefreshTimer);
       this.proactiveRefreshTimer = null;
     }
   }

package/dist/index.js

@@ -9,7 +9,7 @@ import {
 } from "./chunk-T4YWGIIR.js";
 import {
   SessionManager
-} from "./chunk-QSICXLW7.js";
+} from "./chunk-GYXPEC7O.js";
 
 // index.ts
 import { Type } from "@sinclair/typebox";

package/dist/src/session-manager.js

@@ -1,6 +1,6 @@
 import {
   SessionManager
-} from "../chunk-QSICXLW7.js";
+} from "../chunk-GYXPEC7O.js";
 export {
   SessionManager
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "solana-traderclaw",
-  "version": "1.0.37",
+  "version": "1.0.39",
   "description": "TraderClaw V1 — autonomous Solana memecoin trading for OpenClaw (team edition: X/Twitter journal and engagement tools)",
   "type": "module",
   "main": "./dist/index.js",