From 453dab32710b38b739645e6370e089e93500f85e Mon Sep 17 00:00:00 2001 From: hzhang Date: Sat, 16 May 2026 09:57:32 +0100 Subject: [PATCH] fix(bridge): resolve real bridge key past OpenClaw redaction; sane provider timeout Three install/bridge bugs that made every OpenClaw model call to the bridge fail when driven by a non-bundled channel plugin (e.g. Fabric): 1. OpenClaw redacts secret-like keys before exposing pluginConfig to a plugin, so config.bridgeApiKey was the literal __OPENCLAW_REDACTED__ sentinel. The bridge then validated Authorization against the sentinel while the model provider sent the real key -> permanent HTTP 401. Resolve the real shared secret from the raw on-disk config (same pattern resolveAgent already uses); if still missing/redacted, treat as no-auth on the loopback-only bridge instead of 401-locking. 2. install.mjs set the provider apiKey authoritatively but only setIfMissing the plugin bridgeApiKey, so a stale prior value desynced the pair. Make bridgeApiKey authoritative too (they must match). 3. The provider had no timeoutSeconds; a full bridged agent turn far exceeds OpenClaw's default model-fetch timeout, so OpenClaw aborted mid-turn and no reply was ever delivered. Default timeoutSeconds=600 (preserves a user override). Verified live: bridge now returns 200 for the real key and a valid OpenAI SSE completion; the fetch-timeout abort is gone. Co-Authored-By: Claude Opus 4.7 (1M context) --- plugin/index.ts | 41 ++++++++++++++++++++++++++++++++++++++++- scripts/install.mjs | 14 ++++++++++++-- 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/plugin/index.ts b/plugin/index.ts index 253e768..c8e162d 100644 --- a/plugin/index.ts +++ b/plugin/index.ts @@ -18,6 +18,45 @@ const SERVER_KEY = "_contractorAgentBridgeServer"; /** Key for the live OpenClaw config accessor (getter fn) shared via globalThis. */ const OPENCLAW_CONFIG_KEY = "_contractorOpenClawConfig"; +/** OpenClaw replaces secret-like config values with this before exposing + * pluginConfig to plugins. */ +const OPENCLAW_REDACTION_SENTINEL = "__OPENCLAW_REDACTED__"; + +/** + * OpenClaw redacts any secret-like key (anything containing "apiKey") before + * handing `api.pluginConfig` to the plugin, so `pluginConfig.bridgeApiKey` is + * the redaction sentinel — never the real value. The bridge server validates + * inbound requests against this key, while the OpenClaw model provider sends + * the real `models.providers.contractor-agent.apiKey`; using the redacted + * value therefore guarantees a permanent HTTP 401. + * + * Resolve the real shared secret from the raw on-disk config instead (same + * pattern `resolveAgent` already uses). If it is still missing or redacted, + * return "" so the loopback-only bridge skips auth rather than hard-locking. + */ +function resolveBridgeApiKey(fallback: string): string { + try { + const configPath = path.join( + process.env.HOME ?? "/root", + ".openclaw", + "openclaw.json", + ); + const raw = JSON.parse(fs.readFileSync(configPath, "utf8")) as { + plugins?: { + entries?: Record; + }; + }; + const k = raw.plugins?.entries?.["contractor-agent"]?.config?.bridgeApiKey; + if (typeof k === "string" && k && k !== OPENCLAW_REDACTION_SENTINEL) { + return k; + } + } catch { + /* fall through to fallback handling */ + } + if (fallback && fallback !== OPENCLAW_REDACTION_SENTINEL) return fallback; + return ""; // loopback-only bridge: skip auth instead of 401-locking +} + // ── Plugin entry ───────────────────────────────────────────────────────────── export default definePluginEntry({ @@ -69,7 +108,7 @@ export default definePluginEntry({ api.on("gateway_start", () => { const server = createBridgeServer({ port: config.bridgePort, - apiKey: config.bridgeApiKey, + apiKey: resolveBridgeApiKey(config.bridgeApiKey), permissionMode: config.permissionMode, resolveAgent, logger: api.logger, diff --git a/scripts/install.mjs b/scripts/install.mjs index 77785a2..90e7b8c 100644 --- a/scripts/install.mjs +++ b/scripts/install.mjs @@ -79,6 +79,11 @@ function install() { baseUrl: `http://127.0.0.1:${BRIDGE_PORT}/v1`, apiKey: BRIDGE_API_KEY, api: "openai-completions", + // The bridge wraps a full Claude/Gemini agent turn (tool use, multi-step), + // which routinely takes far longer than OpenClaw's default model-fetch + // timeout. Without a generous timeout OpenClaw aborts the request mid-turn + // and no reply is ever delivered. Preserve a user override if set. + timeoutSeconds: existingProvider.timeoutSeconds ?? 600, models: [ { id: "contractor-claude-bridge", @@ -120,11 +125,16 @@ function install() { cfg.plugins.entries[PLUGIN_ID] = cfg.plugins.entries[PLUGIN_ID] ?? {}; cfg.plugins.entries[PLUGIN_ID].enabled = true; - // Set default config — setIfMissing so user values are preserved + // Set default config — setIfMissing so user values are preserved. const pluginCfg = cfg.plugins.entries[PLUGIN_ID].config ?? {}; setIfMissing(pluginCfg, "bridgePort", BRIDGE_PORT); - setIfMissing(pluginCfg, "bridgeApiKey", BRIDGE_API_KEY); setIfMissing(pluginCfg, "permissionMode", "bypassPermissions"); + // bridgeApiKey is the shared secret between the bridge server (this plugin) + // and the model provider written above. The provider apiKey is set + // authoritatively (= BRIDGE_API_KEY); the bridge side MUST stay in lockstep + // or every request 401s. Set it authoritatively too — never setIfMissing + // (a stale prior value would desync the pair). + pluginCfg.bridgeApiKey = BRIDGE_API_KEY; cfg.plugins.entries[PLUGIN_ID].config = pluginCfg; writeConfig(cfg);