docs: add smoke script and auth-aware verification steps

feat(api): add bearer auth option and /v1/models endpoint
feat(plugin): add sender normalization, TTL, and one-shot decisions
2026-02-25 10:43:23 +00:00 · 2026-02-25 10:43:19 +00:00 · 2026-02-25 10:43:11 +00:00
5 changed files with 119 additions and 16 deletions
--- a/docs/CONFIG.example.json
+++ b/docs/CONFIG.example.json
@@ -20,7 +20,7 @@
  "models": {
    "providers": {
      "openai": {
-        "apiKey": "sk-xxxx",
+        "apiKey": "<AUTH_TOKEN_OR_PLACEHOLDER>",
        "baseURL": "http://127.0.0.1:8787/v1"
      }
    }
--- a/docs/VERIFY.md
+++ b/docs/VERIFY.md
@@ -4,6 +4,8 @@

 ```bash
 cd no-reply-api
+# optional: enforce bearer token checks
+# export AUTH_TOKEN='replace-with-strong-token'
 npm start
 ```

@@ -16,6 +18,14 @@ curl -sS -X POST http://127.0.0.1:8787/v1/chat/completions \
  -d '{"model":"whispergate-no-reply-v1","messages":[{"role":"user","content":"hi"}]}'
 ```

+Or run bundled smoke check:
+
+```bash
+./scripts/smoke-no-reply-api.sh
+# with auth:
+# AUTH_TOKEN='replace-with-strong-token' ./scripts/smoke-no-reply-api.sh
+```
+
 Expected assistant text: `NO_REPLY`

 ## 3) Enable plugin
--- a/no-reply-api/server.mjs
+++ b/no-reply-api/server.mjs
@@ -2,12 +2,19 @@ import http from "node:http";

 const port = Number(process.env.PORT || 8787);
 const modelName = process.env.NO_REPLY_MODEL || "whispergate-no-reply-v1";
+const authToken = process.env.AUTH_TOKEN || "";

 function sendJson(res, status, payload) {
  res.writeHead(status, { "Content-Type": "application/json; charset=utf-8" });
  res.end(JSON.stringify(payload));
 }

+function isAuthorized(req) {
+  if (!authToken) return true;
+  const header = req.headers.authorization || "";
+  return header === `Bearer ${authToken}`;
+}
+
 function noReplyChatCompletion(reqBody) {
  return {
    id: `chatcmpl_whispergate_${Date.now()}`,
@@ -42,15 +49,38 @@ function noReplyResponses(reqBody) {
  };
 }

+function listModels() {
+  return {
+    object: "list",
+    data: [
+      {
+        id: modelName,
+        object: "model",
+        created: Math.floor(Date.now() / 1000),
+        owned_by: "whispergate"
+      }
+    ]
+  };
+}
+
 const server = http.createServer((req, res) => {
  if (req.method === "GET" && req.url === "/health") {
-    return sendJson(res, 200, { ok: true, service: "whispergate-no-reply-api" });
+    return sendJson(res, 200, { ok: true, service: "whispergate-no-reply-api", model: modelName });
+  }
+
+  if (req.method === "GET" && req.url === "/v1/models") {
+    if (!isAuthorized(req)) return sendJson(res, 401, { error: "unauthorized" });
+    return sendJson(res, 200, listModels());
  }

  if (req.method !== "POST") {
    return sendJson(res, 404, { error: "not_found" });
  }

+  if (!isAuthorized(req)) {
+    return sendJson(res, 401, { error: "unauthorized" });
+  }
+
  let body = "";
  req.on("data", (chunk) => {
    body += chunk;
--- a/plugin/index.ts
+++ b/plugin/index.ts
@@ -1,8 +1,14 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
 import { evaluateDecision, type Decision, type WhisperGateConfig } from "./rules.js";

-const sessionDecision = new Map<string, Decision>();
+type DecisionRecord = {
+  decision: Decision;
+  createdAt: number;
+};
+
+const sessionDecision = new Map<string, DecisionRecord>();
 const MAX_SESSION_DECISIONS = 2000;
+const DECISION_TTL_MS = 5 * 60 * 1000;

 function normalizeChannel(ctx: Record<string, unknown>): string {
  const candidates = [ctx.commandSource, ctx.messageProvider, ctx.channelId, ctx.channel];
@@ -12,7 +18,27 @@ function normalizeChannel(ctx: Record<string, unknown>): string {
  return "";
 }

-function pruneDecisionMap() {
+function normalizeSender(event: Record<string, unknown>, ctx: Record<string, unknown>): string | undefined {
+  const direct = [ctx.senderId, ctx.from, event.from];
+  for (const v of direct) {
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+
+  const meta = (event.metadata || ctx.metadata) as Record<string, unknown> | undefined;
+  if (!meta) return undefined;
+  const metaCandidates = [meta.senderId, meta.sender_id, meta.userId, meta.user_id];
+  for (const v of metaCandidates) {
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+
+  return undefined;
+}
+
+function pruneDecisionMap(now = Date.now()) {
+  for (const [k, v] of sessionDecision.entries()) {
+    if (now - v.createdAt > DECISION_TTL_MS) sessionDecision.delete(k);
+  }
+
  if (sessionDecision.size <= MAX_SESSION_DECISIONS) return;
  const keys = sessionDecision.keys();
  while (sessionDecision.size > MAX_SESSION_DECISIONS) {
@@ -35,20 +61,16 @@ export default {
        const sessionKey = typeof c.sessionKey === "string" ? c.sessionKey : undefined;
        if (!sessionKey) return;

-        const senderId =
-          typeof c.senderId === "string"
-            ? c.senderId
-            : typeof e.from === "string"
-              ? e.from
-              : undefined;
-
+        const senderId = normalizeSender(e, c);
        const content = typeof e.content === "string" ? e.content : "";
        const channel = normalizeChannel(c);

        const decision = evaluateDecision({ config, channel, senderId, content });
-        sessionDecision.set(sessionKey, decision);
+        sessionDecision.set(sessionKey, { decision, createdAt: Date.now() });
        pruneDecisionMap();
-        api.logger.debug?.(`whispergate: session=${sessionKey} decision=${decision.reason}`);
+        api.logger.debug?.(
+          `whispergate: session=${sessionKey} sender=${senderId ?? "unknown"} channel=${channel || "unknown"} decision=${decision.reason}`,
+        );
      } catch (err) {
        api.logger.warn(`whispergate: message hook failed: ${String(err)}`);
      }
@@ -57,11 +79,20 @@ export default {
    api.on("before_model_resolve", async (_event, ctx) => {
      const key = ctx.sessionKey;
      if (!key) return;
-      const decision = sessionDecision.get(key);
-      if (!decision?.shouldUseNoReply) return;
+
+      const rec = sessionDecision.get(key);
+      if (!rec) return;
+      if (Date.now() - rec.createdAt > DECISION_TTL_MS) {
+        sessionDecision.delete(key);
+        return;
+      }
+
+      // one-shot decision per inbound turn
+      sessionDecision.delete(key);
+      if (!rec.decision.shouldUseNoReply) return;

      api.logger.info(
-        `whispergate: override model for session=${key}, provider=${config.noReplyProvider}, model=${config.noReplyModel}, reason=${decision.reason}`,
+        `whispergate: override model for session=${key}, provider=${config.noReplyProvider}, model=${config.noReplyModel}, reason=${rec.decision.reason}`,
      );

      return {
--- a/scripts/smoke-no-reply-api.sh
+++ b/scripts/smoke-no-reply-api.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BASE_URL="${BASE_URL:-http://127.0.0.1:8787}"
+AUTH_TOKEN="${AUTH_TOKEN:-}"
+
+AUTH_HEADER=()
+if [[ -n "$AUTH_TOKEN" ]]; then
+  AUTH_HEADER=(-H "Authorization: Bearer ${AUTH_TOKEN}")
+fi
+
+echo "[1] health"
+curl -sS "${BASE_URL}/health" | sed -n '1,3p'
+
+echo "[2] models"
+curl -sS "${BASE_URL}/v1/models" "${AUTH_HEADER[@]}" | sed -n '1,8p'
+
+echo "[3] chat/completions"
+curl -sS -X POST "${BASE_URL}/v1/chat/completions" \
+  -H 'Content-Type: application/json' \
+  "${AUTH_HEADER[@]}" \
+  -d '{"model":"whispergate-no-reply-v1","messages":[{"role":"user","content":"hello"}]}' \
+  | sed -n '1,20p'
+
+echo "[4] responses"
+curl -sS -X POST "${BASE_URL}/v1/responses" \
+  -H 'Content-Type: application/json' \
+  "${AUTH_HEADER[@]}" \
+  -d '{"model":"whispergate-no-reply-v1","input":"hello"}' \
+  | sed -n '1,20p'
+
+echo "smoke ok"
Author	SHA1	Message	Date
orion	d1f4252f37	docs: add smoke script and auth-aware verification steps	2026-02-25 10:43:23 +00:00
orion	32af5fde6d	feat(api): add bearer auth option and /v1/models endpoint	2026-02-25 10:43:19 +00:00
orion	f09972c083	feat(plugin): add sender normalization, TTL, and one-shot decisions	2026-02-25 10:43:11 +00:00