fix(bridge): resolve real bridge key past OpenClaw redaction; sane provider timeout

Three install/bridge bugs that made every OpenClaw model call to the
bridge fail when driven by a non-bundled channel plugin (e.g. Fabric):

1. OpenClaw redacts secret-like keys before exposing pluginConfig to a
   plugin, so config.bridgeApiKey was the literal __OPENCLAW_REDACTED__
   sentinel. The bridge then validated Authorization against the
   sentinel while the model provider sent the real key -> permanent
   HTTP 401. Resolve the real shared secret from the raw on-disk config
   (same pattern resolveAgent already uses); if still missing/redacted,
   treat as no-auth on the loopback-only bridge instead of 401-locking.

2. install.mjs set the provider apiKey authoritatively but only
   setIfMissing the plugin bridgeApiKey, so a stale prior value desynced
   the pair. Make bridgeApiKey authoritative too (they must match).

3. The provider had no timeoutSeconds; a full bridged agent turn far
   exceeds OpenClaw's default model-fetch timeout, so OpenClaw aborted
   mid-turn and no reply was ever delivered. Default timeoutSeconds=600
   (preserves a user override).

Verified live: bridge now returns 200 for the real key and a valid
OpenAI SSE completion; the fetch-timeout abort is gone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

plugin/index.ts

@@ -18,6 +18,45 @@ const SERVER_KEY = "_contractorAgentBridgeServer";
 /** Key for the live OpenClaw config accessor (getter fn) shared via globalThis. */
 const OPENCLAW_CONFIG_KEY = "_contractorOpenClawConfig";
 
+/** OpenClaw replaces secret-like config values with this before exposing
+ * pluginConfig to plugins. */
+const OPENCLAW_REDACTION_SENTINEL = "__OPENCLAW_REDACTED__";
+
+/**
+ * OpenClaw redacts any secret-like key (anything containing "apiKey") before
+ * handing `api.pluginConfig` to the plugin, so `pluginConfig.bridgeApiKey` is
+ * the redaction sentinel — never the real value. The bridge server validates
+ * inbound requests against this key, while the OpenClaw model provider sends
+ * the real `models.providers.contractor-agent.apiKey`; using the redacted
+ * value therefore guarantees a permanent HTTP 401.
+ *
+ * Resolve the real shared secret from the raw on-disk config instead (same
+ * pattern `resolveAgent` already uses). If it is still missing or redacted,
+ * return "" so the loopback-only bridge skips auth rather than hard-locking.
+ */
+function resolveBridgeApiKey(fallback: string): string {
+  try {
+    const configPath = path.join(
+      process.env.HOME ?? "/root",
+      ".openclaw",
+      "openclaw.json",
+    );
+    const raw = JSON.parse(fs.readFileSync(configPath, "utf8")) as {
+      plugins?: {
+        entries?: Record<string, { config?: { bridgeApiKey?: string } }>;
+      };
+    };
+    const k = raw.plugins?.entries?.["contractor-agent"]?.config?.bridgeApiKey;
+    if (typeof k === "string" && k && k !== OPENCLAW_REDACTION_SENTINEL) {
+      return k;
+    }
+  } catch {
+    /* fall through to fallback handling */
+  }
+  if (fallback && fallback !== OPENCLAW_REDACTION_SENTINEL) return fallback;
+  return ""; // loopback-only bridge: skip auth instead of 401-locking
+}
+
 // ── Plugin entry ─────────────────────────────────────────────────────────────
 
 export default definePluginEntry({
@@ -69,7 +108,7 @@ export default definePluginEntry({
       api.on("gateway_start", () => {
         const server = createBridgeServer({
           port: config.bridgePort,
-          apiKey: config.bridgeApiKey,
+          apiKey: resolveBridgeApiKey(config.bridgeApiKey),
           permissionMode: config.permissionMode,
           resolveAgent,
           logger: api.logger,

scripts/install.mjs

@@ -79,6 +79,11 @@ function install() {
     baseUrl: `http://127.0.0.1:${BRIDGE_PORT}/v1`,
     apiKey: BRIDGE_API_KEY,
     api: "openai-completions",
+    // The bridge wraps a full Claude/Gemini agent turn (tool use, multi-step),
+    // which routinely takes far longer than OpenClaw's default model-fetch
+    // timeout. Without a generous timeout OpenClaw aborts the request mid-turn
+    // and no reply is ever delivered. Preserve a user override if set.
+    timeoutSeconds: existingProvider.timeoutSeconds ?? 600,
     models: [
       {
         id: "contractor-claude-bridge",
@@ -120,11 +125,16 @@ function install() {
   cfg.plugins.entries[PLUGIN_ID] = cfg.plugins.entries[PLUGIN_ID] ?? {};
   cfg.plugins.entries[PLUGIN_ID].enabled = true;
 
-  // Set default config — setIfMissing so user values are preserved
+  // Set default config — setIfMissing so user values are preserved.
   const pluginCfg = cfg.plugins.entries[PLUGIN_ID].config ?? {};
   setIfMissing(pluginCfg, "bridgePort", BRIDGE_PORT);
-  setIfMissing(pluginCfg, "bridgeApiKey", BRIDGE_API_KEY);
   setIfMissing(pluginCfg, "permissionMode", "bypassPermissions");
+  // bridgeApiKey is the shared secret between the bridge server (this plugin)
+  // and the model provider written above. The provider apiKey is set
+  // authoritatively (= BRIDGE_API_KEY); the bridge side MUST stay in lockstep
+  // or every request 401s. Set it authoritatively too — never setIfMissing
+  // (a stale prior value would desync the pair).
+  pluginCfg.bridgeApiKey = BRIDGE_API_KEY;
   cfg.plugins.entries[PLUGIN_ID].config = pluginCfg;
 
   writeConfig(cfg);