nav/Fabric.OpenclawPlugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: nav:2acb084ee4cb27924ce05ed6cdef4ebc9b7f6eb9
Branches Tags
nav:main nav:feat/dynamic-account-subscription nav:fix/routing-use-binding-accountid nav:fix/describe-account-stops-default-restart-loop nav:fix/socket-auth-callback-refresh nav:fix/presence-sync-tick-mutex nav:fix/presence-sync-api-prefix nav:fix/fabric-dm-routing-by-xtype nav:feat/expose-channel-type nav:feat/fabric-send-and-discover-tools nav:feat/triage-on-call-gate-and-queue nav:feat/inbound-listen-push-events nav:fix/inbound-dynamic-channel-sync
...
compare: nav:fix/socket-auth-callback-refresh
Branches Tags
nav:main nav:feat/dynamic-account-subscription nav:fix/routing-use-binding-accountid nav:fix/describe-account-stops-default-restart-loop nav:fix/socket-auth-callback-refresh nav:fix/presence-sync-tick-mutex nav:fix/presence-sync-api-prefix nav:fix/fabric-dm-routing-by-xtype nav:feat/expose-channel-type nav:feat/fabric-send-and-discover-tools nav:feat/triage-on-call-gate-and-queue nav:feat/inbound-listen-push-events nav:fix/inbound-dynamic-channel-sync

1 Commits
2acb084ee4 ... fix/socket

Author SHA1 Message Date
hzhang
7dc70522d1 fix(inbound): refresh socket.io auth on (re)connect via callback 
Backend issues short-lived guildAccessToken (TTL=900s). The previous
`auth: { token: tok }` shape captured the JWT once in connectAgent's
closure: after socket.io's auto-reconnect the backend kept getting the
same expired JWT and silently rejected the handshake at the application
layer (RealtimeGateway logs 'socket rejected: <id>'). The client's
'connect' event still fired (TCP succeeded) so the plugin happily ran
the channel-resync, emitted join_channel into the void, and logged
'joined N channel(s)' while the backend was actually broadcasting
message.created to a room with zero subscribers. End-user symptom:
DMs/group messages to agents silently dropped 15 min after gateway
start, with no error anywhere on the agent side.

Switch to the callback form, which socket.io re-evaluates on every
(re)connect — same call site we already use for the HTTP path via
freshGuildToken/tokenCache.

Verified in sim (commit 2acb084 + this patch):
1. Connect new DM channel + post msg -> dispatch + reply ✓
2. `docker restart fabric-backend-guild` to force socket disconnect
3. Plugin reconnects automatically and logs
   'fabric: agent recruiter joined 12 channel(s) on sim-guild-1' ✓
   (without the fix this reconnect was silently rejected; sim used to
    log 'WARN socket rejected: <id>' on the guild backend)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-26 13:50:24 +01:00
2 changed files with 36 additions and 2 deletions
Expand all files Collapse all files

19
dist/fabric/src/inbound.js vendored
View File

@@ -261,9 +261,26 @@ export class FabricInbound {
const tok = session.guildAccessTokens.find((t) => t.guildNodeId === g.nodeId)?.token;
if (!tok)
continue;
// Use the *callback* form of `auth` so socket.io re-evaluates the JWT
// on every (re)connect. The single-shot `auth: { token: tok }` shape
// captured the token in closure: after socket.io's silent auto-reconnect
// the backend got the same JWT that expired ~15 min into the session
// (guildAccessToken TTL = 900s) and silently rejected the handshake at
// the application layer. The client's `connect` event still fired (TCP
// succeeded), so the plugin happily ran the channel-resync, emitted
// `join_channel` into the void, and logged "joined N channel(s)" while
// the backend was actually broadcasting message.created to a room with
// zero subscribers. End user symptom: DMs to agents silently dropped.
const socket = io(`${g.endpoint}/realtime`, {
transports: ['websocket'],
auth: { token: tok },
auth: (cb) => {
// Best-effort fresh token; on transient failure fall back to the
// last known good one. tokenCache also keeps HTTP calls (attachment
// download / reply post) from 401'ing in the same window.
this.freshGuildToken(agentId, g.nodeId, session)
.then((fresh) => cb({ token: fresh ?? tok }))
.catch(() => cb({ token: tok }));
},
autoConnect: false,
});
// Tracked socket.io rooms for this (agent, guild). The initial fetch

19
src/inbound.ts
View File

@@ -325,9 +325,26 @@ export class FabricInbound {
for (const g of session.guilds) {
const tok = session.guildAccessTokens.find((t) => t.guildNodeId === g.nodeId)?.token;
if (!tok) continue;
// Use the *callback* form of `auth` so socket.io re-evaluates the JWT
// on every (re)connect. The single-shot `auth: { token: tok }` shape
// captured the token in closure: after socket.io's silent auto-reconnect
// the backend got the same JWT that expired ~15 min into the session
// (guildAccessToken TTL = 900s) and silently rejected the handshake at
// the application layer. The client's `connect` event still fired (TCP
// succeeded), so the plugin happily ran the channel-resync, emitted
// `join_channel` into the void, and logged "joined N channel(s)" while
// the backend was actually broadcasting message.created to a room with
// zero subscribers. End user symptom: DMs to agents silently dropped.
const socket = io(`${g.endpoint}/realtime`, {
transports: ['websocket'],
auth: { token: tok },
auth: (cb) => {
// Best-effort fresh token; on transient failure fall back to the
// last known good one. tokenCache also keeps HTTP calls (attachment
// download / reply post) from 401'ing in the same window.
this.freshGuildToken(agentId, g.nodeId, session)
.then((fresh) => cb({ token: fresh ?? tok }))
.catch(() => cb({ token: tok }));
},
autoConnect: false,
});
// Tracked socket.io rooms for this (agent, guild). The initial fetch