tescmd 0.3.1__py3-none-any.whl → 0.4.0__py3-none-any.whl

tescmd/cli/setup.py

@@ -29,10 +29,11 @@ TIER_FULL = "full"
 
 
 @click.command("setup")
+@click.option("--force", is_flag=True, help="Reconfigure everything from scratch.")
 @global_options
-def setup_cmd(app_ctx: AppContext) -> None:
+def setup_cmd(app_ctx: AppContext, force: bool) -> None:
     """Interactive setup wizard for first-time configuration."""
-    run_async(_cmd_setup(app_ctx))
+    run_async(_cmd_setup(app_ctx, force=force))
 
 
 # ---------------------------------------------------------------------------
@@ -40,29 +41,35 @@ def setup_cmd(app_ctx: AppContext) -> None:
 # ---------------------------------------------------------------------------
 
 
-async def _cmd_setup(app_ctx: AppContext) -> None:
+async def _cmd_setup(app_ctx: AppContext, *, force: bool = False) -> None:
     """Run the tiered onboarding wizard."""
     formatter = app_ctx.formatter
     settings = AppSettings()
 
     # Phase 0: Welcome + tier selection
-    tier = _prompt_tier(formatter, settings)
+    tier = _prompt_tier(formatter, settings, force=force)
     if not tier:
         return
 
     # Phase 1: Domain setup via GitHub Pages (must happen before developer
     # portal because Tesla requires the Allowed Origin URL to match the
     # registration domain)
-    domain = _domain_setup(formatter, settings)
+    domain = _domain_setup(formatter, settings, force=force)
     if not domain:
         return
 
     # Re-read settings after potential .env changes
     settings = AppSettings()
 
+    # Early check: warn if remote key differs from local
+    if tier == TIER_FULL:
+        _check_key_mismatch(formatter, settings, domain)
+
     # Phase 2: Developer portal walkthrough (credentials — uses domain for
     # the Allowed Origin URL instructions)
-    client_id, client_secret = _developer_portal_setup(formatter, app_ctx, settings, domain=domain)
+    client_id, client_secret = _developer_portal_setup(
+        formatter, app_ctx, settings, domain=domain, force=force, tier=tier
+    )
     if not client_id:
         return
 
@@ -71,17 +78,17 @@ async def _cmd_setup(app_ctx: AppContext) -> None:
 
     # Phase 3: Key generation + deployment (full tier only)
     if tier == TIER_FULL:
-        _key_setup(formatter, settings, domain)
+        _key_setup(formatter, settings, domain, force=force)
 
-    # Phase 3.5: Key enrollment (full tier only)
-    if tier == TIER_FULL:
-        await _enrollment_step(formatter, app_ctx, settings)
-
-    # Phase 4: Fleet API partner registration
+    # Phase 4: Fleet API partner registration (closes out the setup phases)
     await _registration_step(formatter, app_ctx, settings, client_id, client_secret, domain)
 
     # Phase 5: OAuth login
-    await _oauth_login_step(formatter, app_ctx, settings, client_id, client_secret)
+    await _oauth_login_step(formatter, app_ctx, settings, client_id, client_secret, force=force)
+
+    # Phase 3.5: Key enrollment (full tier only — after login)
+    if tier == TIER_FULL:
+        await _enrollment_step(formatter, app_ctx, settings)
 
     # Phase 6: Summary
     _print_next_steps(formatter, tier)
@@ -92,13 +99,13 @@ async def _cmd_setup(app_ctx: AppContext) -> None:
 # ---------------------------------------------------------------------------
 
 
-def _prompt_tier(formatter: OutputFormatter, settings: AppSettings) -> str:
+def _prompt_tier(formatter: OutputFormatter, settings: AppSettings, *, force: bool = False) -> str:
     """Ask the user which tier they want and persist the choice."""
     info = formatter.rich.info
 
     # If already configured, offer to keep or change
     existing_tier = settings.setup_tier
-    if existing_tier in (TIER_READONLY, TIER_FULL):
+    if existing_tier in (TIER_READONLY, TIER_FULL) and not force:
         info(f"Setup tier: [cyan]{existing_tier}[/cyan] (previously configured)")
         info("")
 
@@ -157,6 +164,47 @@ def _prompt_tier(formatter: OutputFormatter, settings: AppSettings) -> str:
     return tier
 
 
+# ---------------------------------------------------------------------------
+# Key mismatch warning (between Phase 1 and Phase 2)
+# ---------------------------------------------------------------------------
+
+
+def _check_key_mismatch(
+    formatter: OutputFormatter,
+    settings: AppSettings,
+    domain: str,
+) -> None:
+    """Warn early if the remote public key differs from the local key."""
+    info = formatter.rich.info
+    key_dir = Path(settings.config_dir).expanduser() / "keys"
+
+    from tescmd.crypto.keys import has_key_pair, load_public_key_pem
+
+    if not has_key_pair(key_dir):
+        return
+
+    pem = load_public_key_pem(key_dir)
+
+    # Fetch remote key (method-aware)
+    if settings.hosting_method == "tailscale":
+        from tescmd.deploy.tailscale_serve import fetch_tailscale_key_pem, get_key_url
+
+        url = get_key_url(domain)
+        remote_pem = fetch_tailscale_key_pem(domain)
+    else:
+        from tescmd.deploy.github_pages import fetch_key_pem, get_key_url
+
+        url = get_key_url(domain)
+        remote_pem = fetch_key_pem(domain)
+
+    if remote_pem is not None and remote_pem != pem.strip():
+        info("[yellow]The public key on your domain differs from your local key.[/yellow]")
+        info(f"  Remote: {url}")
+        info("  This can happen after regenerating your key pair.")
+        info("  The key will be redeployed in Phase 3.")
+        info("")
+
+
 # ---------------------------------------------------------------------------
 # Phase 2: Developer portal walkthrough
 # ---------------------------------------------------------------------------
@@ -168,6 +216,8 @@ def _developer_portal_setup(
     settings: AppSettings,
     *,
     domain: str = "",
+    force: bool = False,
+    tier: str = "",
 ) -> tuple[str, str]:
     """Walk through Tesla Developer Portal setup if credentials are missing."""
     info = formatter.rich.info
@@ -175,7 +225,7 @@ def _developer_portal_setup(
     client_id = settings.client_id
     client_secret = settings.client_secret
 
-    if client_id:
+    if client_id and not force:
         info(f"Client ID: [cyan]{client_id[:8]}...[/cyan] (already configured)")
         return (client_id, client_secret or "")
 
@@ -196,7 +246,13 @@ def _developer_portal_setup(
     from tescmd.cli.auth import _interactive_setup
 
     return _interactive_setup(
-        formatter, port, redirect_uri, domain=domain, tailscale_hostname=ts_hostname
+        formatter,
+        port,
+        redirect_uri,
+        domain=domain,
+        tailscale_hostname=ts_hostname,
+        full_tier=(tier == TIER_FULL),
+        force=force,
     )
 
 
@@ -205,11 +261,13 @@ def _developer_portal_setup(
 # ---------------------------------------------------------------------------
 
 
-def _domain_setup(formatter: OutputFormatter, settings: AppSettings) -> str:
+def _domain_setup(
+    formatter: OutputFormatter, settings: AppSettings, *, force: bool = False
+) -> str:
     """Set up a domain via GitHub Pages, Tailscale Funnel, or manual entry."""
     info = formatter.rich.info
 
-    if settings.domain:
+    if settings.domain and not force:
         info(f"Domain: [cyan]{settings.domain}[/cyan] (already configured)")
         info("")
         return settings.domain
@@ -256,10 +314,10 @@ def _automated_domain_setup(formatter: OutputFormatter, settings: AppSettings) -
     info(f"GitHub CLI detected. Logged in as [cyan]{username}[/cyan].")
     info(f"Suggested domain: [cyan]{suggested_domain}[/cyan]")
     info("")
-    info("[dim]Note: GitHub Pages provides always-on key hosting but cannot[/dim]")
-    info("[dim]serve as a Fleet Telemetry server. If you plan to use telemetry[/dim]")
-    info("[dim]streaming, choose Tailscale instead (install Tailscale, then[/dim]")
-    info("[dim]re-run setup).[/dim]")
+    info("[dim]Note: GitHub Pages provides always-on key hosting. For Fleet[/dim]")
+    info("[dim]Telemetry streaming, Tailscale will also be used alongside[/dim]")
+    info("[dim]GitHub Pages — just add your Tailscale hostname as an extra[/dim]")
+    info("[dim]Allowed Origin URL in the developer portal.[/dim]")
     info("")
 
     try:
@@ -350,7 +408,9 @@ def _manual_domain_setup(formatter: OutputFormatter) -> str:
 # ---------------------------------------------------------------------------
 
 
-def _key_setup(formatter: OutputFormatter, settings: AppSettings, domain: str) -> None:
+def _key_setup(
+    formatter: OutputFormatter, settings: AppSettings, domain: str, *, force: bool = False
+) -> None:
     """Generate keys and deploy via the configured hosting method (full tier only)."""
     info = formatter.rich.info
 
@@ -365,12 +425,12 @@ def _key_setup(formatter: OutputFormatter, settings: AppSettings, domain: str) -
         has_key_pair,
     )
 
-    # Generate keys if needed
-    if has_key_pair(key_dir):
+    # Generate keys if needed (force → overwrite existing keys)
+    if has_key_pair(key_dir) and not force:
         info(f"Key pair: [cyan]exists[/cyan] (fingerprint: {get_key_fingerprint(key_dir)})")
     else:
         info("Generating EC P-256 key pair...")
-        generate_ec_key_pair(key_dir)
+        generate_ec_key_pair(key_dir, overwrite=force)
         info("[green]Key pair generated.[/green]")
         info(f"  Fingerprint: {get_key_fingerprint(key_dir)}")
 
@@ -380,9 +440,9 @@ def _key_setup(formatter: OutputFormatter, settings: AppSettings, domain: str) -
     hosting = settings.hosting_method
 
     if hosting == "tailscale":
-        _deploy_key_tailscale(formatter, settings, key_dir, domain)
+        _deploy_key_tailscale(formatter, settings, key_dir, domain, force=force)
     else:
-        _deploy_key_github(formatter, settings, key_dir, domain)
+        _deploy_key_github(formatter, settings, key_dir, domain, force=force)
 
 
 def _deploy_key_tailscale(
@@ -390,6 +450,8 @@ def _deploy_key_tailscale(
     settings: AppSettings,
     key_dir: Path,
     domain: str,
+    *,
+    force: bool = False,
 ) -> None:
     """Deploy key via Tailscale Funnel."""
     info = formatter.rich.info
@@ -404,7 +466,7 @@ def _deploy_key_tailscale(
     )
 
     # Check if key is already deployed
-    if run_async(validate_tailscale_key_url(domain)):
+    if run_async(validate_tailscale_key_url(domain)) and not force:
         info(f"Public key: [green]already accessible[/green] at {get_key_url(domain)}")
         info("")
         return
@@ -434,6 +496,8 @@ def _deploy_key_github(
     settings: AppSettings,
     key_dir: Path,
     domain: str,
+    *,
+    force: bool = False,
 ) -> None:
     """Deploy key via GitHub Pages."""
     info = formatter.rich.info
@@ -441,10 +505,10 @@ def _deploy_key_github(
     from tescmd.crypto.keys import load_public_key_pem
     from tescmd.deploy.github_pages import (
         deploy_public_key,
+        fetch_key_pem,
         get_key_url,
         is_gh_authenticated,
         is_gh_available,
-        validate_key_url,
         wait_for_pages_deployment,
     )
 
@@ -461,14 +525,33 @@ def _deploy_key_github(
         info("")
         return
 
-    # Check if key is already deployed
-    if validate_key_url(domain):
-        info(f"Public key: [green]already accessible[/green] at {get_key_url(domain)}")
+    # Compare remote key to local key
+    pem = load_public_key_pem(key_dir)
+    remote_pem = fetch_key_pem(domain)
+
+    if remote_pem is not None and remote_pem == pem.strip() and not force:
+        info(f"Public key: [green]matches GitHub[/green] at {get_key_url(domain)}")
         info("")
         return
 
-    info("Deploying public key to GitHub Pages...")
-    pem = load_public_key_pem(key_dir)
+    if remote_pem is not None:
+        # Remote key exists but differs — confirm before overwriting
+        info("[yellow]The public key on GitHub differs from your local key.[/yellow]")
+        info(f"  Remote: {get_key_url(domain)}")
+        info("  This can happen after regenerating your key pair.")
+        info("")
+        try:
+            answer = input("Update GitHub with the local key? [y/N] ").strip()
+        except (EOFError, KeyboardInterrupt):
+            answer = "n"
+        if answer.lower() != "y":
+            info("[dim]Skipped — GitHub key left unchanged.[/dim]")
+            info("")
+            return
+        info("Updating public key on GitHub Pages...")
+    else:
+        info("Deploying public key to GitHub Pages...")
+
     deploy_public_key(pem, github_repo)
 
     info("[green]Key committed and pushed.[/green]")
@@ -550,34 +633,24 @@ async def _enrollment_step(
     info(f"  Public key:  [green]accessible[/green] at {key_url}")
     info("")
 
-    try:
-        answer = input("  Open enrollment URL in your browser? [Y/n] ").strip()
-    except (EOFError, KeyboardInterrupt):
-        info("")
-        return
-
-    if answer.lower() not in ("n", "no"):
-        info("")
-        info(f"  Opening [link={enroll_url}]{enroll_url}[/link]…")
-        webbrowser.open(enroll_url)
-        info("")
+    info(f"  Opening [link={enroll_url}]{enroll_url}[/link]…")
+    webbrowser.open(enroll_url)
+    info("")
 
     info("  " + "━" * 49)
     info("    [bold yellow]ACTION REQUIRED: Add virtual key in the Tesla app[/bold yellow]")
     info("")
-    info(f"    Enrollment URL: {enroll_url}")
-    info("")
-    info("    1. Open the URL above [bold]on your phone[/bold]")
+    info("    1. Scan the QR code with your phone (iOS / Android)")
     info("    2. Tap [bold]Finish Setup[/bold] on the web page")
     info("    3. The Tesla app shows an [bold]Add Virtual Key[/bold] prompt")
     info("    4. Approve it")
     info("")
-    info("    [dim]If the prompt doesn't appear, force-quit the Tesla app,[/dim]")
-    info("    [dim]go back to your browser, and tap Finish Setup again.[/dim]")
+    info(
+        "    [dim]If the prompt doesn't appear, force-quit the Tesla app,"
+        " scan the QR code again, and tap Finish Setup.[/dim]"
+    )
     info("  " + "━" * 49)
     info("")
-    info("  After approving, try: [cyan]tescmd charge status --wake[/cyan]")
-    info("")
 
 
 # ---------------------------------------------------------------------------
@@ -626,7 +699,10 @@ async def _registration_step(
             domain=domain,
             region=region,
         )
-        info("[green]Registration successful.[/green]")
+        if _result.get("already_registered"):
+            info("[green]Already registered — no action needed.[/green]")
+        else:
+            info("[green]Registration successful.[/green]")
     except Exception as exc:
         status_code = getattr(exc, "status_code", None)
         exc_text = str(exc)
@@ -895,6 +971,8 @@ async def _oauth_login_step(
     settings: AppSettings,
     client_id: str,
     client_secret: str,
+    *,
+    force: bool = False,
 ) -> None:
     """Run the OAuth2 login flow."""
     info = formatter.rich.info
@@ -908,7 +986,7 @@ async def _oauth_login_step(
         config_dir=settings.config_dir,
     )
 
-    if store.has_token:
+    if store.has_token and not force:
         # Check whether the stored scopes cover what we need.
         # A readonly→full upgrade requires vehicle_cmds + vehicle_charging_cmds
         # that the original readonly token may not have.

tescmd/deploy/github_pages.py

@@ -223,12 +223,23 @@ def get_key_url(domain: str) -> str:
 
 def validate_key_url(domain: str) -> bool:
     """Return True if the public key is accessible at the expected URL."""
+    return fetch_key_pem(domain) is not None
+
+
+def fetch_key_pem(domain: str) -> str | None:
+    """Fetch the public key PEM from the hosted ``.well-known`` URL.
+
+    Returns the PEM string (stripped), or ``None`` if the key is not
+    accessible or does not look like a PEM public key.
+    """
     url = get_key_url(domain)
     try:
         resp = httpx.get(url, follow_redirects=True, timeout=10)
-        return resp.status_code == 200 and "BEGIN PUBLIC KEY" in resp.text
+        if resp.status_code == 200 and "BEGIN PUBLIC KEY" in resp.text:
+            return resp.text.strip()
     except httpx.HTTPError:
-        return False
+        pass
+    return None
 
 
 def wait_for_pages_deployment(

tescmd/deploy/tailscale_serve.py

@@ -9,7 +9,9 @@ from __future__ import annotations
 
 import asyncio
 import logging
+import threading
 import time
+from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 
 import httpx
@@ -27,6 +29,71 @@ DEFAULT_DEPLOY_TIMEOUT = 60  # seconds (faster than GitHub Pages)
 POLL_INTERVAL = 3  # seconds
 
 
+# ---------------------------------------------------------------------------
+# In-process key server (used by interactive setup)
+# ---------------------------------------------------------------------------
+
+
+class _KeyRequestHandler(BaseHTTPRequestHandler):
+    """Serve the root (200 OK) and the ``.well-known`` PEM path."""
+
+    server: KeyServer  # type: ignore[assignment]
+
+    def do_GET(self) -> None:
+        if self.path == "/":
+            self._respond(200, "")
+        elif self.path == f"/{WELL_KNOWN_PATH}":
+            self._respond(
+                200,
+                self.server.pem_content,
+                content_type="application/x-pem-file",
+            )
+        else:
+            self._respond(404, "Not found")
+
+    def _respond(
+        self,
+        status: int,
+        body: str,
+        content_type: str = "text/html; charset=utf-8",
+    ) -> None:
+        encoded = body.encode()
+        self.send_response(status)
+        self.send_header("Content-Type", content_type)
+        self.send_header("Content-Length", str(len(encoded)))
+        self.end_headers()
+        self.wfile.write(encoded)
+
+    def log_message(self, format: str, *args: object) -> None:
+        """Silence default stderr logging."""
+
+
+class KeyServer(HTTPServer):
+    """Ephemeral HTTP server that serves a PEM public key.
+
+    Runs in a daemon thread so the main process can continue interacting
+    with the user.  Tailscale Funnel proxies external HTTPS traffic to
+    this local server.
+    """
+
+    def __init__(self, pem_content: str, port: int) -> None:
+        super().__init__(("127.0.0.1", port), _KeyRequestHandler)
+        self.pem_content = pem_content
+        self._thread: threading.Thread | None = None
+
+    def start(self) -> None:
+        """Start serving in a background daemon thread."""
+        self._thread = threading.Thread(target=self.serve_forever, daemon=True)
+        self._thread.start()
+
+    def stop(self) -> None:
+        """Shut down the server and wait for the thread to exit."""
+        self.shutdown()
+        self.server_close()
+        if self._thread is not None:
+            self._thread.join(timeout=5)
+
+
 # ---------------------------------------------------------------------------
 # Key file management
 # ---------------------------------------------------------------------------
@@ -46,6 +113,7 @@ async def deploy_public_key_tailscale(
     key_path = base / WELL_KNOWN_PATH
     key_path.parent.mkdir(parents=True, exist_ok=True)
     key_path.write_text(public_key_pem)
+
     logger.info("Public key written to %s", key_path)
     return key_path
 
@@ -56,7 +124,11 @@ async def deploy_public_key_tailscale(
 
 
 async def start_key_serving(serve_dir: Path | None = None) -> str:
-    """Start ``tailscale serve`` for ``.well-known`` and enable Funnel.
+    """Start ``tailscale serve`` with Funnel for ``.well-known``.
+
+    Uses a single ``tailscale serve --bg --funnel --set-path / <dir>``
+    command so that the static-file handler and public Funnel access are
+    configured atomically on HTTPS port 443.
 
     Returns the public hostname (e.g. ``machine.tailnet.ts.net``).
 
@@ -75,20 +147,20 @@ async def start_key_serving(serve_dir: Path | None = None) -> str:
     await ts.check_available()
     hostname = await ts.get_hostname()
 
-    # Serve the .well-known directory at /.well-known/
-    await ts.start_serve("/.well-known/", str(well_known_dir))
-
-    # Enable Funnel to make it publicly accessible
-    await ts.enable_funnel()
+    # Serve the entire base directory at / with Funnel enabled so that:
+    #   - The origin URL (https://host/) returns 200
+    #   - The key at /.well-known/appspecific/com.tesla.3p.public-key.pem is reachable
+    # Tesla verifies both during Developer Portal app configuration.
+    await ts.start_serve("/", str(base), funnel=True)
 
     logger.info("Key serving started at https://%s/%s", hostname, WELL_KNOWN_PATH)
     return hostname
 
 
 async def stop_key_serving() -> None:
-    """Remove the ``.well-known`` serve handler."""
+    """Remove the key-serving handler."""
     ts = TailscaleManager()
-    await ts.stop_serve("/.well-known/")
+    await ts.stop_serve("/")
     logger.info("Key serving stopped")
 
 
@@ -121,6 +193,22 @@ def get_key_url(hostname: str) -> str:
     return f"https://{hostname}/{WELL_KNOWN_PATH}"
 
 
+def fetch_tailscale_key_pem(hostname: str) -> str | None:
+    """Fetch the public key PEM from a Tailscale Funnel ``.well-known`` URL.
+
+    Returns the PEM string (stripped), or ``None`` if the key is not
+    accessible or does not look like a PEM public key.
+    """
+    url = get_key_url(hostname)
+    try:
+        resp = httpx.get(url, follow_redirects=True, timeout=10)
+        if resp.status_code == 200 and "BEGIN PUBLIC KEY" in resp.text:
+            return resp.text.strip()
+    except httpx.HTTPError:
+        pass
+    return None
+
+
 async def validate_tailscale_key_url(hostname: str) -> bool:
     """HTTP GET to verify key is accessible.
 

tescmd/openclaw/dispatcher.py

@@ -424,10 +424,17 @@ class CommandDispatcher:
 
         Accepts both OpenClaw-style (``door.lock``) and API-style
         (``door_lock``) method names via :data:`_METHOD_ALIASES`.
+
+        The target method can be specified as ``method`` or ``command``
+        (the latter mirrors the gateway protocol's field name).
         """
-        method = params.get("method", "")
+        raw = params.get("method", "") or params.get("command", "")
+        # Normalize: bots may send a list like ["door.lock"] instead of a string
+        if isinstance(raw, list):
+            raw = raw[0] if raw else ""
+        method = str(raw).strip() if raw else ""
         if not method:
-            raise ValueError("system.run requires 'method' parameter")
+            raise ValueError("system.run requires 'method' (or 'command') parameter")
         resolved = _METHOD_ALIASES.get(method, method)
         if resolved == "system.run":
             raise ValueError("system.run cannot invoke itself")

tescmd/openclaw/gateway.py

@@ -280,8 +280,21 @@ class GatewayClient:
         so gateways that enforce authentication at the transport layer
         accept the connection before the OpenClaw handshake begins.
 
+        If a receive loop is already running (e.g. from a previous
+        connection or a concurrent reconnect attempt), it is cancelled
+        before establishing the new connection to prevent duplicate
+        ``recv()`` calls on the same WebSocket.
+
         Raises :class:`GatewayConnectionError` on failure.
         """
+        import contextlib
+
+        if self._recv_task is not None and not self._recv_task.done():
+            self._recv_task.cancel()
+            with contextlib.suppress(asyncio.CancelledError):
+                await self._recv_task
+            self._recv_task = None
+
         await self._establish_connection()
 
         if self._on_request is not None: