Update entrypoint.sh

entrypoint.sh

@@ -1,56 +1,161 @@
-#!/bin/sh
-
-# resolve OPENCLAW_HOME
-if mkdir -p /data/.openclaw 2>/dev/null; then
-    export OPENCLAW_HOME=/data
-else
-    export OPENCLAW_HOME=/home/user
-    mkdir -p /home/user/.openclaw
-fi
-
-echo "[entrypoint] OPENCLAW_HOME=$OPENCLAW_HOME"
-
-# dynamically export all provider keys so openclaw gateway can read them
-# matches: anything ending in _API_KEY, _SECRET_KEY, _ACCESS_TOKEN, _BOT_TOKEN, _AUTH_TOKEN, _APP_KEY, _TOKEN
-# excludes: OPENCLAW_SPACE_SYSTEM_NODE_HF_TOKEN_vars
-for VAR in $(env | cut -d= -f1); do
-    case "$VAR" in
-        OPENCLAW_*|SPACE_*|SYSTEM_*|NODE_*|HF_SPACE*) continue ;;
-    esac
-    case "$VAR" in
-        *API_KEY|*SECRET_KEY|*ACCESS_TOKEN|*BOT_TOKEN|*AUTH_TOKEN|*APP_KEY|*_TOKEN)
-            eval VAL=\$VAR
-            if [ -n "$VAL" ]; then
-                export "$VAR"
-                echo "[entrypoint] exported: $VAR"
-            fi
-            ;;
-    esac
-done
-
-# also always export HF_TOKEN for dataset sync
-export HF_TOKEN="${HF_TOKEN:-}"
-
-# restore from HF Dataset (30s timeout, non-fatal)
-if [ -n "$HF_TOKEN" ] && [ -n "$HF_DATASET_ID" ]; then
-    echo "[entrypoint] Restoring from dataset ${HF_DATASET_ID}..."
-    timeout 30 sh /app/hf-sync.sh restore || echo "[entrypoint] Restore skipped (no dataset or no token)"
-fi
-
-# write openclaw config
-node /app/spaces/huggingface/setup-hf-config.mjs || true
-
-# run security check (non-fatal)
-if [ -f /app/security-check.sh ]; then
-    sh /app/security-check.sh || true
-fi
-
-echo "[entrypoint] starting gateway..."
-
-# start background sync loop
-if [ -n "$HF_TOKEN" ] && [ -n "$HF_DATASET_ID" ]; then
-    sh /app/hf-sync.sh loop &
-    echo "[entrypoint] sync loop started (interval=${HF_SYNC_INTERVAL:-3600}s)"
-fi
-
-exec node /app/openclaw.mjs gateway --allow-unconfigured --bind lan --port 7860
+import fs from "node:fs";
+import path from "node:path";
+import https from "node:https";
+
+var HOME = process.env.OPENCLAW_HOME || process.env.HOME || "/home/user";
+var STATE_DIR = path.join(HOME, ".openclaw");
+var CONFIG_PATH = path.join(STATE_DIR, "openclaw.json");
+
+console.log("[setup] Starting... HOME=" + HOME);
+
+function parseList(val) {
+    if (!val || !val.trim()) return [];
+    return val.split(",").map(function(s) { return s.trim(); }).filter(Boolean);
+}
+
+// ---- auth ----
+var gatewayToken = (process.env.OPENCLAW_GATEWAY_TOKEN || "").trim();
+var gatewayPassword = (process.env.OPENCLAW_GATEWAY_PASSWORD || "").trim();
+
+if (!gatewayToken && !gatewayPassword) {
+    console.error("[setup] ERROR: set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD");
+    process.exit(1);
+}
+
+// ---- default model ----
+var defaultModel = (process.env.OPENCLAW_HF_DEFAULT_MODEL || "").trim() || "google/gemini-2.0-flash";
+
+// ---- dynamic provider key detection ----
+// OpenClaw official mechanism: reads provider keys from process env vars.
+// We also write them into env.vars so OpenClaw injects them into its runtime.
+// Exclude internal/system vars, include only provider-shaped keys.
+var EXCLUDE_PREFIXES = [
+    "OPENCLAW_", "SPACE_", "SYSTEM_", "HF_SPACE",
+    "NODE_", "PATH", "HOME", "USER", "PWD", "LANG", "LC_"
+];
+var INCLUDE_SUFFIXES = [
+    "_API_KEY", "_SECRET_KEY", "_ACCESS_TOKEN",
+    "_BOT_TOKEN", "_AUTH_TOKEN", "_APP_KEY", "_TOKEN"
+];
+
+function isProviderKey(k) {
+    for (var i = 0; i < EXCLUDE_PREFIXES.length; i++) {
+        if (k.indexOf(EXCLUDE_PREFIXES[i]) === 0) return false;
+    }
+    for (var j = 0; j < INCLUDE_SUFFIXES.length; j++) {
+        var s = INCLUDE_SUFFIXES[j];
+        if (k.length > s.length && k.indexOf(s) === k.length - s.length) return true;
+    }
+    return false;
+}
+
+var detectedKeys = Object.keys(process.env)
+    .filter(function(k) { return isProviderKey(k) && (process.env[k] || "").trim(); })
+    .sort();
+
+console.log("[setup] Detected provider keys (" + detectedKeys.length + "):");
+detectedKeys.forEach(function(k) { console.log("  + " + k); });
+
+// ---- proxies ----
+var envProxies = parseList(process.env.OPENCLAW_GATEWAY_TRUSTED_PROXIES);
+var trustedProxies = envProxies.length > 0 ? envProxies : [
+    "10.16.4.123", "10.16.7.92",  "10.16.18.232",
+    "10.16.34.155", "10.16.43.133", "10.16.1.206",
+    "10.20.1.9",   "10.20.1.222",
+    "10.20.26.157", "10.20.31.87",
+    "10.20.0.1",   "172.17.0.1"
+];
+
+// ---- build config ----
+var config = {
+    gateway: {
+        auth: gatewayToken
+            ? { mode: "token",    token:    gatewayToken }
+            : { mode: "password", password: gatewayPassword },
+        controlUi: {
+            allowInsecureAuth: true,
+            dangerouslyAllowHostHeaderOriginFallback: true
+        },
+        trustedProxies: trustedProxies
+    },
+    agents: {
+        defaults: {
+            model: defaultModel
+        }
+    },
+    // Write detected keys into env.vars so OpenClaw injects them into its runtime.
+    // This is the official OpenClaw mechanism for env-based provider auth.
+    env: { vars: {} }
+};
+
+detectedKeys.forEach(function(k) {
+    config.env.vars[k] = (process.env[k] || "").trim();
+});
+
+// ---- Telegram - auto detect best reachable node ----
+async function detectTelegramNode(nodes, token) {
+    for (var i = 0; i < nodes.length; i++) {
+        var node = nodes[i];
+        try {
+            await new Promise(function(resolve, reject) {
+                var req = https.get(node + "/bot" + token + "/getMe", function(res) {
+                    if (res.statusCode === 200) resolve(true);
+                    else reject(new Error("HTTP " + res.statusCode));
+                });
+                req.on("error", reject);
+                req.setTimeout(4000, function() { req.destroy(); reject(new Error("Timeout")); });
+            });
+            console.log("[setup] Telegram node reachable: " + node);
+            // Strip trailing slash
+            return node.replace(/\/$/, "");
+        } catch (e) {
+            console.log("[setup] Telegram node unreachable: " + node + " (" + e.message + ")");
+        }
+    }
+    return null;
+}
+
+var TELEGRAM_NODES = [
+    "https://api.telegram.org",
+    "https://tg-api.vercel.app",
+    "https://telegram-bot-api.vercel.app"
+];
+
+async function setupTelegram() {
+    var token = (process.env.TELEGRAM_BOT_TOKEN || "").trim();
+    if (!token) { console.log("[setup] Telegram: disabled"); return; }
+    var apiRoot = await detectTelegramNode(TELEGRAM_NODES, token);
+    var finalRoot = apiRoot || TELEGRAM_NODES[0];
+    config.channels = {
+        telegram: {
+            enabled: true,
+            accounts: { main: { botToken: token, apiRoot: finalRoot } }
+        }
+    };
+    console.log("[setup] Telegram: enabled, apiRoot=" + finalRoot);
+}
+
+// ---- main ----
+async function main() {
+    await setupTelegram();
+
+    try {
+        fs.mkdirSync(STATE_DIR, { recursive: true });
+        if (fs.existsSync(CONFIG_PATH)) {
+            fs.copyFileSync(CONFIG_PATH, CONFIG_PATH + ".bak");
+        }
+        fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+    } catch (e) {
+        console.error("[setup] Write failed: " + e.message);
+        process.exit(1);
+    }
+
+    console.log("[setup] Done. auth=" + (gatewayToken ? "token" : "password") +
+        " model=" + defaultModel + " proxies=" + trustedProxies.length +
+        " env.vars=" + detectedKeys.length);
+}
+
+main().then(() => process.exit(0)).catch(function(e) {
+    console.error("[setup] Fatal: " + e.message);
+    process.exit(1);
+});