fix: use fixed auth token + python-based token injection + restore entrypoint inject

openclaw.json

@@ -3,7 +3,7 @@
     "mode": "local",
     "bind": "lan",
     "port": 7860,
-    "auth": { "mode": "none" },
+    "auth": { "token": "hf-space-public-token" },
     "trustedProxies": [
       "0.0.0.0/0"
     ],

scripts/entrypoint.sh

@@ -48,6 +48,13 @@ touch /home/node/logs/app.log
 ENTRYPOINT_END=$(date +%s)
 echo "[TIMER] Entrypoint (before sync_hf.py): $((ENTRYPOINT_END - BOOT_START))s"
 
+# ── Inject auth token into Control UI HTML ─────────────────────────────────
+INJECT_START=$(date +%s)
+if [ -x /home/node/scripts/inject-token.sh ]; then
+  bash /home/node/scripts/inject-token.sh
+fi
+echo "[TIMER] Token inject: $(($(date +%s) - INJECT_START))s"
+
 # ── Start OpenClaw via sync_hf.py (don't wait for DNS — it runs in bg) ─────
 echo "[entrypoint] Starting OpenClaw via sync_hf.py..."
 echo "[entrypoint] DNS resolution running in background (PID $DNS_PID), app will use it when ready"

scripts/inject-token.sh

@@ -1,15 +1,30 @@
 #!/bin/sh
 # Inject auto-token config into Control UI so the browser auto-connects
-TOKEN_SCRIPT='<script>!function(){var K="openclaw.control.settings.v1";try{var s=JSON.parse(localStorage.getItem(K)||"{}")||{};if(!s.token){s.token="openclaw-space-default";localStorage.setItem(K,JSON.stringify(s))}}catch(e){}}()</script>'
+# The token must match gateway.auth.token in openclaw.json
+TOKEN="hf-space-public-token"
 
-OPENCLAW_APP_DIR="${OPENCLAW_APP_DIR:-/usr/local/lib/node_modules/openclaw}"
+INDEX_HTML="/app/openclaw/dist/control-ui/index.html"
 
-for f in "$OPENCLAW_APP_DIR/dist/control-ui/index.html" "$OPENCLAW_APP_DIR/control-ui/index.html" /app/openclaw/dist/control-ui/index.html; do
-  if [ -f "$f" ]; then
-    sed -i "s|</head>|${TOKEN_SCRIPT}</head>|" "$f"
-    echo "[build] Token auto-config injected into $f"
-    exit 0
-  fi
-done
+if [ ! -f "$INDEX_HTML" ]; then
+  echo "[inject-token] WARNING: $INDEX_HTML not found, skipping"
+  exit 0
+fi
 
-echo "[build] WARNING: control-ui/index.html not found, skipping token injection"
+# Create the injection script
+INJECT_SCRIPT="<script>!function(){var K='openclaw.control.settings.v1';try{var s=JSON.parse(localStorage.getItem(K)||'{}');if(!s.token||s.token===''){s.token='${TOKEN}';localStorage.setItem(K,JSON.stringify(s))}}catch(e){}}()</script>"
+
+# Use python3 for reliable string replacement (avoids sed delimiter issues)
+python3 -c "
+import sys
+f = '${INDEX_HTML}'
+with open(f, 'r') as fh:
+    html = fh.read()
+inject = '''${INJECT_SCRIPT}'''
+if '</head>' in html and inject not in html:
+    html = html.replace('</head>', inject + '</head>')
+    with open(f, 'w') as fh:
+        fh.write(html)
+    print('[inject-token] Token injected into ' + f)
+else:
+    print('[inject-token] Skipped (already injected or no </head> found)')
+"

scripts/sync_hf.py

@@ -327,7 +327,7 @@ class OpenClawFullSync:
                 "mode": "local",
                 "bind": "lan",
                 "port": 7860,
-                "auth": {"mode": "none"},
+                "auth": {"token": "hf-space-public-token"},
                 "trustedProxies": ["0.0.0.0/0"],
                 "controlUi": {
                     "allowInsecureAuth": True,