traderclaw-cli 1.0.74 → 1.0.76

package/bin/installer-step-engine.mjs

@@ -1594,16 +1594,38 @@ function configureOpenClawLlmModelPrimaryOnly({ provider, model }, configPath =
   return { configPath, provider, model };
 }
 
+/**
+ * Spawns `openclaw models auth login --provider openai-codex` with a pseudo-TTY when possible.
+ * The CLI often exits immediately when stdin/stdout are plain pipes (no TTY). On Unix, `script(1)`
+ * allocates a PTY so the same flow works as in an interactive terminal.
+ */
+export function spawnOpenClawCodexAuthLoginChild() {
+  const argv = ["models", "auth", "login", "--provider", "openai-codex"];
+  if (process.platform === "win32") {
+    return spawn("openclaw", argv, { stdio: ["pipe", "pipe", "pipe"], shell: false });
+  }
+  // `unbuffer` (expect package) runs the CLI under a PTY and forwards stdin for the paste step reliably.
+  // Plain `script` often does not forward Node's stdin to the inner openclaw process, which causes hangs until timeout.
+  if (commandExists("unbuffer")) {
+    return spawn("unbuffer", ["openclaw", ...argv], { stdio: ["pipe", "pipe", "pipe"], shell: false });
+  }
+  if (commandExists("script")) {
+    const cmdline = "openclaw models auth login --provider openai-codex";
+    return spawn("script", ["-q", "-c", cmdline, "/dev/null"], {
+      stdio: ["pipe", "pipe", "pipe"],
+      shell: false,
+    });
+  }
+  return spawn("openclaw", argv, { stdio: ["pipe", "pipe", "pipe"], shell: false });
+}
+
 /**
  * Runs `openclaw models auth login --provider openai-codex` and feeds the pasted redirect URL or code on stdin
  * when the CLI prompts (with a timed fallback for non-interactive / SSH).
  */
 function runOpenClawCodexOAuthLogin(paste, emitLog) {
   return new Promise((resolve, reject) => {
-    const child = spawn("openclaw", ["models", "auth", "login", "--provider", "openai-codex"], {
-      stdio: ["pipe", "pipe", "pipe"],
-      shell: false,
-    });
+    const child = spawnOpenClawCodexAuthLoginChild();
 
     let stdout = "";
     let stderr = "";

package/bin/openclaw-trader.mjs

@@ -769,7 +769,7 @@ async function cmdSetup(args) {
       "\n  Optional: enter a referral code for bonus access time (24h extra when valid). Press Enter to skip.\n",
     );
     printInfo(
-      "  Benefits: extra trial time now; referring others later earns +8h per user who completes at least one trade with the agent.\n",
+      "  Benefits: extra trial time now; referring others later earns +24h per user who completes at least one trade with the agent.\n",
     );
     referralCodeArg = await prompt("Referral code (optional)", "");
   }
@@ -2075,6 +2075,21 @@ function wizardHtml(defaults) {
       .muted a:hover { color:#c5e5ff; }
       .info-dot { display:inline-flex; align-items:center; justify-content:center; width:18px; height:18px; border-radius:50%; background:#22315a; color:#9cb0de; font-size:11px; font-weight:700; cursor:help; flex-shrink:0; }
       @keyframes spin { to { transform:rotate(360deg); } }
+      .oauth-flow { background:#0d1530; border:1px solid #334a87; border-radius:10px; padding:14px; margin-top:10px; }
+      .oauth-flow ol { margin:8px 0 0 18px; padding:0; color:#c5d7f5; font-size:13px; line-height:1.5; }
+      .oauth-flow li { margin-bottom:8px; }
+      .oauth-row { display:flex; gap:8px; flex-wrap:wrap; align-items:center; margin-top:10px; }
+      .oauth-row input[readonly] { flex:1 1 280px; font-size:12px; }
+      .oauth-actions { display:flex; gap:8px; flex-wrap:wrap; margin-top:10px; }
+      .oauth-actions button.secondary { background:#334a87; }
+      .oauth-terminal-box { background:#0a1f2e; border:1px solid #2a7a6a; border-radius:10px; padding:14px; margin-top:8px; }
+      .oauth-terminal-box ol { margin:8px 0 0 18px; padding:0; color:#c5d7f5; font-size:13px; line-height:1.55; }
+      .oauth-terminal-box li { margin-bottom:6px; }
+      .oauth-details { margin-top:14px; border:1px solid #2a3f6a; border-radius:10px; padding:10px 14px 14px; background:#0a1224; }
+      .oauth-details summary { list-style-position: outside; padding:4px 0; color:#b8cff5; font-weight:600; font-size:14px; }
+      .oauth-details[open] summary { margin-bottom:8px; }
+      .ok-banner { color:#78f0a9; font-size:13px; margin-top:8px; }
+      .err-banner { color:#ff6b6b; font-size:13px; margin-top:8px; }
     </style>
   </head>
   <body>
@@ -2120,13 +2135,53 @@ function wizardHtml(defaults) {
           <p class="muted">Written to OpenClaw <code>config.env</code> for the selected provider. If you do not choose a model manually, the installer picks a safe default.</p>
         </div>
         <div style="margin-top:12px;" id="llmOauthBlock" class="hidden">
-          <label>Paste authorization code or full redirect URL</label>
-          <textarea id="llmOAuthPaste" autocomplete="off" placeholder="After the installer prints an OAuth URL in the log, sign in locally and paste the code or full callback URL here. Leave empty if you use the option below."></textarea>
-          <label style="display:flex; align-items:flex-start; gap:8px; font-size:13px; color:#9cb0de; margin-top:8px; cursor:pointer;">
+          <p class="muted" style="margin-bottom:12px;">
+            <strong>Why doesn’t OpenClaw “just ask for a link” in the terminal?</strong> It does not need to. In the usual setup, you run OpenClaw’s login on the <strong>same machine</strong> where OpenClaw runs: ChatGPT sends your browser to <code>http://localhost:1455/…</code> and OpenClaw <strong>receives that callback automatically</strong> — no copying from the address bar. You only need to paste a long callback URL when your <strong>browser is on another computer</strong> than the one running OpenClaw (for example, you opened the sign-in page on your laptop but OpenClaw is on a VPS).
+          </p>
+          <div class="oauth-terminal-box">
+            <strong style="color:#8ef5d0;">Recommended: sign in from a terminal on this machine</strong>
+            <ol>
+              <li>Copy the command below (or type it).</li>
+              <li>Run it in a normal terminal on <strong>this</strong> host. Your browser may open; sign in with ChatGPT and approve access.</li>
+              <li>When the command finishes successfully, check <strong>“ChatGPT login is done”</strong> below — you do <strong>not</strong> need to paste a callback URL for this path.</li>
+            </ol>
+            <div class="oauth-row" style="margin-top:12px;">
+              <input type="text" id="oauthTerminalCmdDisplay" readonly value="openclaw models auth login --provider openai-codex" style="flex:1 1 320px; font-size:13px;" />
+              <button type="button" id="oauthCopyTerminalCmdBtn" class="secondary">Copy command</button>
+            </div>
+          </div>
+          <label style="display:flex; align-items:flex-start; gap:10px; font-size:14px; color:#e8eef9; margin-top:16px; cursor:pointer;">
             <input id="llmOAuthSkipLogin" type="checkbox" style="width:auto; margin-top:3px;" />
-            <span>I already ran <code>openclaw models auth login --provider openai-codex</code> on this machine</span>
+            <span><strong>ChatGPT login is done</strong> — I ran the command above in a terminal on <strong>this</strong> machine and OpenClaw completed without errors.</span>
           </label>
-          <p class="muted">If login hangs over SSH, complete OAuth in a normal shell first, then enable the checkbox above and start again. Live install logs will show the authorize URL when the CLI prints it.</p>
+          <details id="oauthWizardAltDetails" class="oauth-details">
+            <summary>Alternative: no shell on this server — sign in using this browser only</summary>
+            <p class="muted" style="margin-top:8px;">
+              Use this when you <strong>cannot</strong> run a terminal on the machine where this wizard runs (typical remote VPS + browser on your laptop). You will copy the <strong>full URL from the address bar</strong> after ChatGPT redirects — even if the page shows “connection refused”, the URL in the bar is still valid.
+            </p>
+            <div class="oauth-flow" style="margin-top:10px;">
+              <strong style="color:#9ee6ff;">Steps</strong>
+              <ol>
+                <li>Click <strong>Get ChatGPT sign-in link</strong> — we run the same OpenClaw login process and show the <code>https://auth.openai.com/oauth/authorize?…</code> URL.</li>
+                <li>Open that URL, sign in, and let the browser redirect toward <code>localhost:1455</code>.</li>
+                <li>Paste the <strong>entire callback URL</strong> from the address bar into the box below, then click <strong>Submit to OpenClaw</strong>.</li>
+              </ol>
+              <div class="oauth-actions">
+                <button type="button" id="oauthGetLinkBtn" class="secondary">Get ChatGPT sign-in link</button>
+                <button type="button" id="oauthSubmitBtn" class="secondary" disabled>Submit to OpenClaw</button>
+              </div>
+              <div id="oauthUrlRow" class="oauth-row hidden">
+                <label style="flex:1 1 100%; font-size:12px; color:#9cb0de;">Sign-in URL (open in browser — not what you paste back)</label>
+                <input type="text" id="oauthUrlDisplay" readonly placeholder="Click “Get ChatGPT sign-in link” first" />
+                <button type="button" id="oauthCopyUrlBtn" class="secondary" disabled>Copy URL</button>
+                <a id="oauthOpenUrlBtn" class="secondary" href="#" target="_blank" rel="noopener noreferrer" style="display:inline-block;padding:10px 14px;border-radius:8px;background:#2d7dff;color:#fff;text-decoration:none;font-weight:600;">Open in browser</a>
+              </div>
+              <p id="oauthFlowStatus" class="muted" style="margin-top:8px;" aria-live="polite"></p>
+            </div>
+            <label style="display:block; margin-top:14px;">Paste redirect URL or authorization code</label>
+            <textarea id="llmOAuthPaste" autocomplete="off" placeholder="Example: http://localhost:1455/auth/callback?code=… (full URL from address bar). You can paste only the code if that is all you have."></textarea>
+          </details>
+          <p class="muted" style="margin-top:12px;"><strong>SSH tip:</strong> To make your laptop’s browser hit OpenClaw on the server, you can run <code>ssh -L 1455:127.0.0.1:1455 user@this-server</code> before signing in so <code>localhost:1455</code> on your machine forwards to the wizard host.</p>
         </div>
         <p class="muted" id="llmLoadState" aria-live="polite">Loading LLM provider catalog...</p>
         <div id="llmLoadingHint" class="loading-hint" role="status" aria-live="polite">
@@ -2174,10 +2229,10 @@ function wizardHtml(defaults) {
         </div>
         <div style="margin-top:12px;">
           <label style="display:flex;align-items:center;gap:8px;">Referral code (optional)
-            <span class="info-dot" title="Included access: 24 hours for every new account. Add a valid referral code for an extra 24 hours. Refer others: when they complete at least one trade with the agent, you earn +8 hours per active referral. When your access window ends, you will need to stake or keep referring to continue.">i</span>
+            <span class="info-dot" title="Included access: 24 hours for every new account. Add a valid referral code for an extra 24 hours. Refer others: when they complete at least one trade with the agent, you earn +24 hours per active referral. When your access window ends, you will need to stake or keep referring to continue.">i</span>
           </label>
           <input id="referralCode" type="text" maxlength="16" autocomplete="off" placeholder="e.g. ABCD1234" />
-          <p class="muted">If you have a friend’s code, enter it here. The setup command below will include it for <code>traderclaw setup</code>. If the server rejects the code, clear this field or fix it and copy the updated command — or run <code>traderclaw setup</code> again and enter a valid code or leave referral blank when prompted.</p>
+          <p class="muted">Included access: 24 hours for every new account. Add a valid referral code for an extra 24 hours. Refer others: when they complete at least one trade with the agent, you earn +24 hours per active referral. When your access window ends, you will need to stake or keep referring to continue.</p>
         </div>
         <button id="start" disabled>Start Installation</button>
       </div>
@@ -2300,6 +2355,51 @@ function wizardHtml(defaults) {
       let pollIntervalMs = 1200;
       let installLocked = false;
       let savedApiKeyProvider = "";
+      let oauthSessionId = null;
+      let oauthWizardLoginDone = false;
+
+      const oauthGetLinkBtn = document.getElementById("oauthGetLinkBtn");
+      const oauthSubmitBtn = document.getElementById("oauthSubmitBtn");
+      const oauthUrlRow = document.getElementById("oauthUrlRow");
+      const oauthUrlDisplay = document.getElementById("oauthUrlDisplay");
+      const oauthCopyUrlBtn = document.getElementById("oauthCopyUrlBtn");
+      const oauthOpenUrlBtn = document.getElementById("oauthOpenUrlBtn");
+      const oauthFlowStatus = document.getElementById("oauthFlowStatus");
+
+      async function cancelOauthSession() {
+        if (!oauthSessionId) {
+          try {
+            await fetch("/api/llm/oauth/cancel", { method: "POST", headers: { "content-type": "application/json" }, body: "{}" });
+          } catch {
+            /* ignore */
+          }
+          return;
+        }
+        try {
+          await fetch("/api/llm/oauth/cancel", {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ sessionId: oauthSessionId }),
+          });
+        } catch {
+          /* ignore */
+        }
+        oauthSessionId = null;
+      }
+
+      function resetOauthWizardState() {
+        oauthSessionId = null;
+        oauthWizardLoginDone = false;
+        if (oauthUrlRow) oauthUrlRow.classList.add("hidden");
+        if (oauthUrlDisplay) oauthUrlDisplay.value = "";
+        if (oauthCopyUrlBtn) oauthCopyUrlBtn.disabled = true;
+        if (oauthOpenUrlBtn) {
+          oauthOpenUrlBtn.href = "#";
+          oauthOpenUrlBtn.setAttribute("aria-disabled", "true");
+        }
+        if (oauthSubmitBtn) oauthSubmitBtn.disabled = true;
+        if (oauthFlowStatus) oauthFlowStatus.textContent = "";
+      }
 
       (function initLlmAuthDefaults() {
         const mode = ${JSON.stringify(defaults.llmAuthMode || "api_key")};
@@ -2332,6 +2432,8 @@ function wizardHtml(defaults) {
           llmApiKeyBlock.classList.add("hidden");
           llmOauthBlock.classList.remove("hidden");
         } else {
+          void cancelOauthSession();
+          resetOauthWizardState();
           llmProviderWrap.classList.remove("hidden");
           llmOauthProviderNote.classList.add("hidden");
           llmApiKeyBlock.classList.remove("hidden");
@@ -2350,6 +2452,7 @@ function wizardHtml(defaults) {
       function hasRequiredInputs() {
         if (!llmCatalogReady || !Boolean(telegramTokenEl.value.trim())) return false;
         if (isOauthMode()) {
+          if (oauthWizardLoginDone) return true;
           if (llmOAuthSkipLoginEl.checked) return true;
           return Boolean(llmOAuthPasteEl.value.trim());
         }
@@ -2542,12 +2645,16 @@ function wizardHtml(defaults) {
           xAccessTokenMain: xAccessTokenMainEl.value.trim(),
           xAccessTokenMainSecret: xAccessTokenMainSecretEl.value.trim(),
         };
+        if (oauth && oauthWizardLoginDone) {
+          payload.llmOAuthSkipLogin = true;
+          payload.llmOAuthPaste = "";
+        }
         if (oauth) {
-          if (!payload.llmOAuthSkipLogin && !payload.llmOAuthPaste) {
+          if (!payload.llmOAuthSkipLogin && !payload.llmOAuthPaste && !oauthWizardLoginDone) {
             stateEl.textContent = "blocked";
             readyEl.textContent = "";
             manualEl.textContent =
-              "Codex OAuth: paste the authorization code or full redirect URL, or check the box if you already ran openclaw models auth login on this machine.";
+              "Codex OAuth: check “ChatGPT login is done” after running the terminal command on this machine, or expand “Alternative” and use Get link + paste + Submit, or finish wizard Submit if you already used those buttons.";
             return;
           }
         } else if (!payload.llmProvider || !payload.llmCredential) {
@@ -2800,6 +2907,152 @@ function wizardHtml(defaults) {
       llmCredentialEl.addEventListener("input", updateStartButtonState);
       llmOAuthPasteEl.addEventListener("input", updateStartButtonState);
       llmOAuthSkipLoginEl.addEventListener("change", updateStartButtonState);
+
+      if (oauthGetLinkBtn) {
+        oauthGetLinkBtn.addEventListener("click", async () => {
+          oauthWizardLoginDone = false;
+          if (oauthFlowStatus) {
+            oauthFlowStatus.className = "muted";
+            oauthFlowStatus.textContent = "Starting OpenClaw (same as running models auth login in a terminal)...";
+          }
+          oauthGetLinkBtn.disabled = true;
+          try {
+            const res = await fetch("/api/llm/oauth/start", { method: "POST" });
+            const data = await res.json().catch(() => ({}));
+            if (!res.ok) {
+              if (oauthFlowStatus) {
+                oauthFlowStatus.className = "err-banner";
+                let errText = data.message || data.error || "Could not get sign-in URL.";
+                if (data.detail) {
+                  const d = String(data.detail).replace(/\s+/g, " ").trim();
+                  errText += d ? " " + d.slice(0, 700) : "";
+                }
+                oauthFlowStatus.textContent = errText;
+              }
+              oauthGetLinkBtn.disabled = false;
+              return;
+            }
+            oauthSessionId = data.sessionId;
+            if (oauthUrlDisplay) oauthUrlDisplay.value = data.authUrl || "";
+            if (oauthUrlRow) oauthUrlRow.classList.remove("hidden");
+            if (oauthCopyUrlBtn) oauthCopyUrlBtn.disabled = !data.authUrl;
+            if (oauthOpenUrlBtn && data.authUrl) {
+              oauthOpenUrlBtn.href = data.authUrl;
+              oauthOpenUrlBtn.removeAttribute("aria-disabled");
+            }
+            if (oauthSubmitBtn) oauthSubmitBtn.disabled = false;
+            const altDetails = document.getElementById("oauthWizardAltDetails");
+            if (altDetails) altDetails.open = true;
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "muted";
+              oauthFlowStatus.textContent =
+                "Open this URL in your browser. After ChatGPT redirects, copy the full callback URL from the address bar (localhost:1455?code=…) — even if the page says connection refused — then paste it below and click Submit.";
+            }
+          } catch (err) {
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "err-banner";
+              oauthFlowStatus.textContent = err && err.message ? String(err.message) : "Request failed.";
+            }
+          }
+          oauthGetLinkBtn.disabled = false;
+        });
+      }
+
+      if (oauthSubmitBtn) {
+        oauthSubmitBtn.addEventListener("click", async () => {
+          const paste = llmOAuthPasteEl.value.trim();
+          if (!paste) {
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "err-banner";
+              oauthFlowStatus.textContent = "Paste the redirect URL (from the browser address bar) or the authorization code first.";
+            }
+            return;
+          }
+          if (!oauthSessionId) {
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "err-banner";
+              oauthFlowStatus.textContent = "Click “Get ChatGPT sign-in link” first, or check “ChatGPT login is done” if you already signed in via the terminal command.";
+            }
+            return;
+          }
+          oauthSubmitBtn.disabled = true;
+          if (oauthFlowStatus) {
+            oauthFlowStatus.className = "muted";
+            oauthFlowStatus.textContent = "Sending to OpenClaw...";
+          }
+          try {
+            const res = await fetch("/api/llm/oauth/submit", {
+              method: "POST",
+              headers: { "content-type": "application/json" },
+              body: JSON.stringify({ sessionId: oauthSessionId, paste }),
+            });
+            const data = await res.json().catch(() => ({}));
+            if (!res.ok) {
+              if (oauthFlowStatus) {
+                oauthFlowStatus.className = "err-banner";
+                oauthFlowStatus.textContent = data.message || data.error || "Login failed.";
+              }
+              oauthSubmitBtn.disabled = false;
+              return;
+            }
+            oauthWizardLoginDone = true;
+            oauthSessionId = null;
+            llmOAuthSkipLoginEl.checked = true;
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "ok-banner";
+              oauthFlowStatus.textContent = "OpenClaw saved your ChatGPT login. You can start installation below.";
+            }
+            oauthSubmitBtn.disabled = true;
+            updateStartButtonState();
+          } catch (err) {
+            if (oauthFlowStatus) {
+              oauthFlowStatus.className = "err-banner";
+              oauthFlowStatus.textContent = err && err.message ? String(err.message) : "Request failed.";
+            }
+            oauthSubmitBtn.disabled = false;
+          }
+        });
+      }
+
+      if (oauthCopyUrlBtn && oauthUrlDisplay) {
+        oauthCopyUrlBtn.addEventListener("click", async () => {
+          const v = oauthUrlDisplay.value;
+          if (!v) return;
+          try {
+            await navigator.clipboard.writeText(v);
+            oauthCopyUrlBtn.textContent = "Copied";
+            setTimeout(() => {
+              oauthCopyUrlBtn.textContent = "Copy URL";
+            }, 1500);
+          } catch {
+            oauthCopyUrlBtn.textContent = "Copy failed";
+            setTimeout(() => {
+              oauthCopyUrlBtn.textContent = "Copy URL";
+            }, 1500);
+          }
+        });
+      }
+
+      const oauthTerminalCmdDisplay = document.getElementById("oauthTerminalCmdDisplay");
+      const oauthCopyTerminalCmdBtn = document.getElementById("oauthCopyTerminalCmdBtn");
+      if (oauthCopyTerminalCmdBtn && oauthTerminalCmdDisplay) {
+        oauthCopyTerminalCmdBtn.addEventListener("click", async () => {
+          const v = oauthTerminalCmdDisplay.value || "openclaw models auth login --provider openai-codex";
+          try {
+            await navigator.clipboard.writeText(v);
+            oauthCopyTerminalCmdBtn.textContent = "Copied";
+            setTimeout(() => {
+              oauthCopyTerminalCmdBtn.textContent = "Copy command";
+            }, 1500);
+          } catch {
+            oauthCopyTerminalCmdBtn.textContent = "Copy failed";
+            setTimeout(() => {
+              oauthCopyTerminalCmdBtn.textContent = "Copy command";
+            }, 1500);
+          }
+        });
+      }
+
       telegramTokenEl.addEventListener("input", updateStartButtonState);
       xConsumerKeyEl.addEventListener("input", updateStartButtonState);
       xConsumerSecretEl.addEventListener("input", updateStartButtonState);
@@ -2821,7 +3074,8 @@ async function cmdInstall(args) {
   }
 
   const defaults = parseInstallWizardArgs(args);
-  const { createInstallerStepEngine, assertWizardXCredentials } = await import("./installer-step-engine.mjs");
+  const { createInstallerStepEngine, assertWizardXCredentials, spawnOpenClawCodexAuthLoginChild } =
+    await import("./installer-step-engine.mjs");
   const modeConfig = {
     pluginPackage: "solana-traderclaw",
     pluginId: "solana-trader",
@@ -2841,6 +3095,31 @@ async function cmdInstall(args) {
   let running = false;
   let shuttingDown = false;
 
+  /** In-browser Codex OAuth: one pending `openclaw models auth login` child waiting for stdin (same flow as CLI). */
+  const oauthSessions = new Map();
+  const OPENAI_OAUTH_AUTHORIZE_RE = /https:\/\/auth\.openai\.com\/oauth\/authorize\S*/;
+  const oauthSessionTtlMs = 15 * 60 * 1000;
+
+  function killOauthSession(sessionId, signal = "SIGTERM") {
+    const s = oauthSessions.get(sessionId);
+    if (!s) return;
+    try {
+      s.child.kill(signal);
+    } catch {
+      /* ignore */
+    }
+    oauthSessions.delete(sessionId);
+  }
+
+  function pruneExpiredOauthSessions() {
+    const now = Date.now();
+    for (const [id, s] of oauthSessions) {
+      if (now - s.createdAt > oauthSessionTtlMs) {
+        killOauthSession(id);
+      }
+    }
+  }
+
   const server = createServer(async (req, res) => {
     const respondJson = (code, payload) => {
       res.statusCode = code;
@@ -2904,6 +3183,190 @@ async function cmdInstall(args) {
       return;
     }
 
+    if (req.method === "POST" && req.url === "/api/llm/oauth/start") {
+      pruneExpiredOauthSessions();
+      if (running) {
+        respondJson(409, { ok: false, error: "install_in_progress" });
+        return;
+      }
+      if (!commandExists("openclaw")) {
+        respondJson(503, {
+          ok: false,
+          error: "openclaw_not_in_path",
+          message: "Install OpenClaw on this machine first (e.g. npm install -g openclaw), then try again.",
+        });
+        return;
+      }
+      for (const id of [...oauthSessions.keys()]) {
+        killOauthSession(id);
+      }
+
+      const sessionId = randomUUID();
+      const child = spawnOpenClawCodexAuthLoginChild();
+
+      let combined = "";
+      let responded = false;
+      const urlTimeout = setTimeout(() => {
+        if (responded) return;
+        responded = true;
+        try {
+          child.kill("SIGTERM");
+        } catch {
+          /* ignore */
+        }
+        oauthSessions.delete(sessionId);
+        respondJson(504, {
+          ok: false,
+          error: "oauth_url_timeout",
+          message:
+            "OpenClaw did not print a ChatGPT sign-in URL in time. Run `openclaw models auth login --provider openai-codex` in a terminal on this machine, then use the checkbox below.",
+        });
+      }, 45_000);
+
+      const trySendUrl = () => {
+        if (responded) return;
+        const m = combined.match(OPENAI_OAUTH_AUTHORIZE_RE);
+        if (!m || !m[0]) return;
+        clearTimeout(urlTimeout);
+        responded = true;
+        oauthSessions.set(sessionId, { child, createdAt: Date.now(), submitted: false });
+        respondJson(200, { ok: true, sessionId, authUrl: m[0] });
+      };
+
+      child.stdout?.on("data", (d) => {
+        combined += d.toString();
+        trySendUrl();
+      });
+      child.stderr?.on("data", (d) => {
+        combined += d.toString();
+        trySendUrl();
+      });
+      child.on("error", (err) => {
+        clearTimeout(urlTimeout);
+        if (responded) return;
+        responded = true;
+        oauthSessions.delete(sessionId);
+        respondJson(500, { ok: false, error: "spawn_failed", message: err.message });
+      });
+      child.on("close", (code) => {
+        clearTimeout(urlTimeout);
+        if (!responded) {
+          responded = true;
+          oauthSessions.delete(sessionId);
+          respondJson(500, {
+            ok: false,
+            error: "oauth_login_exited_early",
+            exitCode: code,
+            message:
+              "OpenClaw exited before showing a sign-in URL. Try again; or run `openclaw models auth login --provider openai-codex` in a terminal on this machine and use the checkbox below.",
+            detail: stripAnsi(combined).slice(-4000),
+          });
+          return;
+        }
+        const pending = oauthSessions.get(sessionId);
+        if (pending && !pending.submitted) {
+          oauthSessions.delete(sessionId);
+        }
+      });
+      return;
+    }
+
+    if (req.method === "POST" && req.url === "/api/llm/oauth/submit") {
+      const body = await parseJsonBody(req).catch(() => ({}));
+      const sessionId = typeof body.sessionId === "string" ? body.sessionId : "";
+      const paste = typeof body.paste === "string" ? body.paste.trim() : "";
+      if (!sessionId || !oauthSessions.has(sessionId)) {
+        respondJson(400, { ok: false, error: "invalid_or_expired_session", message: "Click “Get ChatGPT sign-in link” again." });
+        return;
+      }
+      if (!paste) {
+        respondJson(400, { ok: false, error: "paste_required" });
+        return;
+      }
+      const s = oauthSessions.get(sessionId);
+      s.submitted = true;
+      const { child } = s;
+
+      await new Promise((resolve) => {
+        let settled = false;
+        let submitTimeout;
+        const finish = (httpCode, payload) => {
+          if (settled) return;
+          settled = true;
+          clearTimeout(submitTimeout);
+          oauthSessions.delete(sessionId);
+          respondJson(httpCode, payload);
+          resolve();
+        };
+
+        submitTimeout = setTimeout(() => {
+          killOauthSession(sessionId);
+          finish(504, {
+            ok: false,
+            error: "oauth_submit_timeout",
+            message: "Login did not finish in time. Try again or complete login in a normal terminal.",
+          });
+        }, 300_000);
+
+        child.once("close", (code) => {
+          if (code === 0) {
+            finish(200, { ok: true });
+          } else {
+            finish(500, {
+              ok: false,
+              error: "oauth_login_failed",
+              exitCode: code,
+              message: "OpenClaw rejected the pasted URL or code. Paste the full redirect URL from the browser address bar, or run login in a terminal.",
+            });
+          }
+        });
+
+        try {
+          const line = `${paste}\n`;
+          if (child.stdin?.writableEnded || child.stdin?.destroyed) {
+            killOauthSession(sessionId);
+            finish(500, { ok: false, error: "stdin_closed", message: "The login session closed before paste could be sent." });
+            return;
+          }
+          child.stdin.write(line, (err) => {
+            if (err) {
+              killOauthSession(sessionId);
+              finish(500, { ok: false, error: "stdin_write_failed", message: err?.message || String(err) });
+              return;
+            }
+            // End stdin so the PTY/readline layer forwards the line and the CLI can proceed (plain `script` often buffers otherwise).
+            setTimeout(() => {
+              try {
+                if (child.stdin && !child.stdin.destroyed && !child.stdin.writableEnded) {
+                  child.stdin.end();
+                }
+              } catch {
+                /* ignore */
+              }
+            }, 100);
+          });
+        } catch (err) {
+          killOauthSession(sessionId);
+          finish(500, { ok: false, error: "stdin_write_failed", message: err?.message || String(err) });
+        }
+      });
+      return;
+    }
+
+    if (req.method === "POST" && req.url === "/api/llm/oauth/cancel") {
+      const body = await parseJsonBody(req).catch(() => ({}));
+      const sessionId = typeof body.sessionId === "string" ? body.sessionId : "";
+      if (sessionId && oauthSessions.has(sessionId)) {
+        killOauthSession(sessionId);
+      } else {
+        for (const id of [...oauthSessions.keys()]) {
+          killOauthSession(id);
+        }
+      }
+      respondJson(200, { ok: true });
+      return;
+    }
+
     if (req.method === "POST" && req.url === "/api/finish") {
       if (running || runtime.status !== "completed") {
         respondJson(409, { ok: false, error: "wizard_not_completed" });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "traderclaw-cli",
-  "version": "1.0.74",
+  "version": "1.0.76",
   "description": "Global TraderClaw CLI (install --wizard, setup, precheck). Installs solana-traderclaw as a dependency for OpenClaw plugin files.",
   "type": "module",
   "bin": {
@@ -17,7 +17,7 @@
     "node": ">=22"
   },
   "dependencies": {
-    "solana-traderclaw": "^1.0.74"
+    "solana-traderclaw": "^1.0.76"
   },
   "keywords": [
     "traderclaw",