Update setup-hf-config.mjs

setup-hf-config.mjs

@@ -5,22 +5,18 @@ import https from "node:https";
 // ============================================================
 // OpenClaw HF Spaces - Production Config Writer
 //
-// Storage: HF Storage Bucket mounted at /data (100 GB persistent).
-// All data lives in /data/.openclaw/ and survives restarts natively.
-// No Dataset sync needed.
+// Storage: HF Storage Bucket at /data (100 GB persistent).
+// All runtime data lives in OPENCLAW_HOME/.openclaw/.
 //
-// Priority order for base config:
-//   1. /data/.openclaw/openclaw.json exists (bucket, persistent) -> PATCH only
-//   2. /app/openclaw-template.json exists (from Space repo)      -> use as base
-//   3. neither                                                    -> write minimal fresh
+// Config priority:
+//   1. Existing openclaw.json in bucket  -> PATCH env vars only
+//   2. /app/openclaw-template.json       -> use as base + patch
+//   3. Neither                           -> minimal fresh + patch
 //
-// What ALWAYS gets patched (from env vars):
-//   gateway.auth          <- OPENCLAW_GATEWAY_TOKEN
-//   gateway.trustedProxies
-//   agents.defaults.workspace
-//   env.vars              <- all API keys
-//   channels.telegram     <- TELEGRAM_BOT_TOKEN
-//   models.providers.*.apiKey  <- matching API key env vars
+// Always patched from env vars (never lost on restart):
+//   gateway.auth, gateway.controlUi, gateway.trustedProxies
+//   agents.defaults.workspace, agents.defaults.model
+//   env.vars, models.providers.*.apiKey, channels.telegram
 // ============================================================
 
 var HOME        = process.env.OPENCLAW_HOME || process.env.HOME || "/home/user";
@@ -30,26 +26,39 @@ var WORKSPACE   = path.join(STATE_DIR, "workspace");
 var SPACE_HOST  = (process.env.SPACE_HOST || "").trim();
 var TEMPLATE    = "/app/openclaw-template.json";
 
-console.log("[setup] Starting... HOME=" + HOME);
+function log(msg)  { console.log("[setup] " + msg); }
+function err(msg)  { console.error("[setup] ERROR: " + msg); }
+
+log("Starting... HOME=" + HOME);
+
+// ----------------------------------------------------------------
+// Helpers
+// ----------------------------------------------------------------
+function envStr(key) { return (process.env[key] || "").trim(); }
 
 function parseList(val) {
   if (!val || !val.trim()) return [];
-  return val.split(",").map(function(s) { return s.trim(); }).filter(Boolean);
+  return val.split(",").map(function(s){ return s.trim(); }).filter(Boolean);
 }
-function envStr(key) { return (process.env[key] || "").trim(); }
 
-// -- auth ---------------------------------------------------------
+// ----------------------------------------------------------------
+// Auth (required)
+// ----------------------------------------------------------------
 var gatewayToken    = envStr("OPENCLAW_GATEWAY_TOKEN");
 var gatewayPassword = envStr("OPENCLAW_GATEWAY_PASSWORD");
 if (!gatewayToken && !gatewayPassword) {
-  console.error("[setup] FATAL: set OPENCLAW_GATEWAY_TOKEN in Secrets");
+  err("FATAL: set OPENCLAW_GATEWAY_TOKEN in Secrets");
   process.exit(0);
 }
 
-// -- model --------------------------------------------------------
+// ----------------------------------------------------------------
+// Default model
+// ----------------------------------------------------------------
 var defaultModel = envStr("OPENCLAW_HF_DEFAULT_MODEL") || "google/gemini-2.0-flash";
 
-// -- provider keys ------------------------------------------------
+// ----------------------------------------------------------------
+// Provider API key detection
+// ----------------------------------------------------------------
 var EXCLUDE_PREFIXES = [
   "OPENCLAW_", "SPACE_", "SYSTEM_", "HF_",
   "NODE_", "PATH", "HOME", "USER", "PWD", "LANG", "LC_",
@@ -59,6 +68,7 @@ var INCLUDE_SUFFIXES = [
   "_API_KEY", "_SECRET_KEY", "_ACCESS_TOKEN",
   "_BOT_TOKEN", "_AUTH_TOKEN", "_APP_KEY"
 ];
+
 function isProviderKey(k) {
   var i;
   for (i = 0; i < EXCLUDE_PREFIXES.length; i++) {
@@ -70,76 +80,71 @@ function isProviderKey(k) {
   }
   return false;
 }
+
 var providerKeys = Object.keys(process.env).filter(function(k) {
-  return isProviderKey(k) && (process.env[k] || "").trim();
+  return isProviderKey(k) && envStr(k);
 }).sort();
 
-console.log("[setup] Provider keys (" + providerKeys.length + "): " + providerKeys.join(", "));
+log("Provider keys (" + providerKeys.length + "): " + providerKeys.join(", "));
 
-// -- trusted proxies ----------------------------------------------
-var envProxies     = parseList(envStr("OPENCLAW_GATEWAY_TRUSTED_PROXIES"));
+// ----------------------------------------------------------------
+// Trusted proxies (HF internal + standard RFC1918)
+// ----------------------------------------------------------------
+var envProxies = parseList(envStr("OPENCLAW_GATEWAY_TRUSTED_PROXIES"));
 var trustedProxies = envProxies.length > 0 ? envProxies : [
   "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
-  "10.16.0.0/12",   "10.20.0.0/12",
-  "10.16.4.123",    "10.16.7.92",   "10.16.18.232",
-  "10.16.34.155",   "10.16.43.133", "10.16.1.206",
-  "10.16.37.110",   "10.16.43.246",
-  "10.20.1.9",      "10.20.1.222",
-  "10.20.26.157",   "10.20.31.87",
-  "10.20.0.1",      "172.17.0.1",   "127.0.0.1"
+  "10.16.0.0/12",  "10.20.0.0/12",
+  "10.16.4.123",   "10.16.7.92",   "10.16.18.232",
+  "10.16.34.155",  "10.16.43.133", "10.16.1.206",
+  "10.16.37.110",  "10.16.43.246",
+  "10.20.1.9",     "10.20.1.222",  "10.20.26.157",  "10.20.31.87",
+  "10.20.0.1",     "172.17.0.1",   "127.0.0.1"
 ];
 
-// -- helpers ------------------------------------------------------
-function buildAuth() {
-  return gatewayToken
-    ? { mode: "token",    token:    gatewayToken    }
-    : { mode: "password", password: gatewayPassword };
-}
-function buildEnvVars() {
-  var vars = {};
-  providerKeys.forEach(function(pk) { vars[pk] = (process.env[pk] || "").trim(); });
-  return vars;
-}
-
-// Patch model provider API keys from env vars
+// ----------------------------------------------------------------
+// Provider -> env var mapping
+// ----------------------------------------------------------------
 var PROVIDER_KEY_MAP = {
-  "openrouter":   "OPENROUTER_API_KEY",
-  "siliconflow":  "SILICONFLOW_API_KEY",
-  "deepseek":     "DEEPSEEK_API_KEY",
-  "groq":         "GROQ_API_KEY",
-  "google":       "GOOGLE_API_KEY",
-  "gemini":       "GEMINI_API_KEY",
-  "minimax":      "MINIMAX_API_KEY",
-  "zai":          "ZAI_API_KEY",
-  "github":       "GITHUB_MODELS_API_KEY",
-  "openai":       "OPENAI_API_KEY",
-  "anthropic":    "ANTHROPIC_API_KEY"
+  "openrouter":  "OPENROUTER_API_KEY",
+  "siliconflow": "SILICONFLOW_API_KEY",
+  "deepseek":    "DEEPSEEK_API_KEY",
+  "groq":        "GROQ_API_KEY",
+  "google":      "GOOGLE_API_KEY",
+  "gemini":      "GEMINI_API_KEY",
+  "minimax":     "MINIMAX_API_KEY",
+  "zai":         "ZAI_API_KEY",
+  "github":      "GITHUB_MODELS_API_KEY",
+  "openai":      "OPENAI_API_KEY",
+  "anthropic":   "ANTHROPIC_API_KEY"
 };
 
 function patchProviderKeys(config) {
   if (!config.models || !config.models.providers) return;
   var providers = config.models.providers;
-  Object.keys(providers).forEach(function(providerName) {
-    var lower = providerName.toLowerCase();
+  Object.keys(providers).forEach(function(name) {
+    var lower  = name.toLowerCase();
     var envKey = PROVIDER_KEY_MAP[lower];
-    if (envKey && process.env[envKey]) {
-      providers[providerName].apiKey = process.env[envKey].trim();
-      console.log("[setup] Provider key set: " + providerName + " <- " + envKey);
-    } else {
+    var val    = envKey ? envStr(envKey) : "";
+    if (!val) {
+      // fuzzy match: find any provider key whose name contains the provider name
       var found = providerKeys.find(function(k) {
         return k.toLowerCase().indexOf(lower) >= 0;
       });
-      if (found) {
-        providers[providerName].apiKey = process.env[found].trim();
-        console.log("[setup] Provider key set: " + providerName + " <- " + found);
-      } else if (providers[providerName].apiKey === "WILL_BE_SET_BY_ENV") {
-        delete providers[providerName].apiKey;
-      }
+      if (found) val = envStr(found);
+    }
+    if (val) {
+      providers[name].apiKey = val;
+      log("Provider key set: " + name + " <- " + (envKey || "fuzzy"));
+    } else if (providers[name].apiKey === "WILL_BE_SET_BY_ENV") {
+      delete providers[name].apiKey;
+      log("Provider key missing (skipped): " + name);
     }
   });
 }
 
-// -- Telegram -----------------------------------------------------
+// ----------------------------------------------------------------
+// Telegram webhook helpers
+// ----------------------------------------------------------------
 function tgRequest(token, method, body) {
   return new Promise(function(resolve) {
     var data = JSON.stringify(body || {});
@@ -147,150 +152,211 @@ function tgRequest(token, method, body) {
       hostname: "api.telegram.org",
       path:     "/bot" + token + "/" + method,
       method:   "POST",
-      headers:  { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(data) }
+      headers:  {
+        "Content-Type":   "application/json",
+        "Content-Length": Buffer.byteLength(data)
+      }
     }, function(res) {
       var buf = "";
       res.on("data", function(c) { buf += c; });
-      res.on("end",  function() { try { resolve(JSON.parse(buf)); } catch (e) { resolve(null); } });
+      res.on("end",  function() {
+        try { resolve(JSON.parse(buf)); } catch(e) { resolve(null); }
+      });
     });
-    req.on("error", function() { resolve(null); });
-    req.setTimeout(8000, function() { req.destroy(); resolve(null); });
+    req.on("error",   function() { resolve(null); });
+    req.setTimeout(10000, function() { req.destroy(); resolve(null); });
     req.write(data);
     req.end();
   });
 }
 
 async function setupWebhook(token) {
-  if (!SPACE_HOST) { console.log("[setup] Telegram: no SPACE_HOST for webhook"); return; }
-  var url = "https://" + SPACE_HOST + "/tg-webhook";
+  if (!SPACE_HOST) {
+    log("Telegram: no SPACE_HOST - webhook skipped");
+    return;
+  }
+  var targetUrl = "https://" + SPACE_HOST + "/tg-webhook";
+
+  // Check if webhook already points to our URL - skip if already set
+  var info = await tgRequest(token, "getWebhookInfo", {});
+  if (info && info.ok && info.result && info.result.url === targetUrl) {
+    log("Telegram: webhook already set -> " + targetUrl);
+    return;
+  }
+
   var r = await tgRequest(token, "setWebhook", {
-    url: url, drop_pending_updates: true, max_connections: 10
+    url: targetUrl, drop_pending_updates: true, max_connections: 10
   });
   if (r && r.ok) {
-    console.log("[setup] Telegram: webhook -> " + url);
+    log("Telegram: webhook registered -> " + targetUrl);
   } else {
-    console.log("[setup] Telegram: webhook failed. Open in browser:");
-    console.log("  https://api.telegram.org/bot" + token + "/setWebhook?url=" + url + "&drop_pending_updates=true");
+    var desc = r && r.description ? r.description : "unknown error";
+    log("Telegram: webhook failed (" + desc + ")");
+    log("Telegram: set manually at:");
+    log("  https://api.telegram.org/bot" + token + "/setWebhook?url=" + targetUrl + "&drop_pending_updates=true");
   }
 }
 
-// -- seed workspace files (first boot only) -----------------------
+// ----------------------------------------------------------------
+// Seed workspace (first boot only - bucket persists after)
+// ----------------------------------------------------------------
 function seedWorkspace() {
   var soul = path.join(WORKSPACE, "SOUL.md");
   if (!fs.existsSync(soul)) {
     fs.writeFileSync(soul, [
-      "# Soul", "",
-      "You are a helpful, warm, concise AI assistant.", "",
-      "## Language", "",
+      "# Soul",
+      "",
+      "You are a helpful, warm, concise AI assistant.",
+      "",
+      "## Language",
+      "",
       "Default language: Simplified Chinese.",
-      "Always reply in Chinese unless the user writes in another language first.", "",
-      "## Tone", "",
+      "Always reply in Chinese unless the user writes in another language first.",
+      "",
+      "## Tone",
+      "",
       "- Natural and friendly, not overly formal",
       "- Concise and to the point"
     ].join("\n") + "\n", "utf-8");
-    console.log("[setup] Seeded SOUL.md");
+    log("Seeded SOUL.md");
   }
   var mem = path.join(WORKSPACE, "MEMORY.md");
   if (!fs.existsSync(mem)) {
     fs.writeFileSync(mem, [
-      "# Long-term Memory", "",
+      "# Long-term Memory",
+      "",
       "<!-- OpenClaw writes important facts here. -->"
     ].join("\n") + "\n", "utf-8");
-    console.log("[setup] Seeded MEMORY.md");
+    log("Seeded MEMORY.md");
   }
 }
 
-// -- apply all env patches to a config object ---------------------
-function applyEnvPatches(config, token) {
-  config.gateway             = config.gateway         || {};
-  config.gateway.auth        = buildAuth();
-  config.gateway.controlUi   = config.gateway.controlUi || {};
+// ----------------------------------------------------------------
+// Apply all env-derived patches to a config object
+// ----------------------------------------------------------------
+function applyEnvPatches(config, tgToken) {
+  // Auth
+  config.gateway = config.gateway || {};
+  config.gateway.auth = gatewayToken
+    ? { mode: "token",    token:    gatewayToken    }
+    : { mode: "password", password: gatewayPassword };
+
+  // Control UI flags required for HF Spaces iframe embedding
+  config.gateway.controlUi = config.gateway.controlUi || {};
   config.gateway.controlUi.allowInsecureAuth                        = true;
   config.gateway.controlUi.allowedOrigins                           = ["*"];
   config.gateway.controlUi.dangerouslyDisableDeviceAuth             = true;
   config.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback = true;
-  if (!config.gateway.trustedProxies || config.gateway.trustedProxies.length < 5) {
-    config.gateway.trustedProxies = trustedProxies;
-  }
-  config.agents              = config.agents          || {};
-  config.agents.defaults     = config.agents.defaults || {};
+
+  // Always refresh trusted proxies (HF pod IPs can change)
+  config.gateway.trustedProxies = trustedProxies;
+
+  // Agents
+  config.agents = config.agents || {};
+  config.agents.defaults = config.agents.defaults || {};
   config.agents.defaults.workspace = WORKSPACE;
-  if (config.agents.defaults.model === "WILL_BE_SET_BY_ENV") {
+  if (!config.agents.defaults.model ||
+      config.agents.defaults.model === "WILL_BE_SET_BY_ENV") {
     config.agents.defaults.model = defaultModel;
   }
-  config.env                 = config.env             || {};
-  config.env.vars            = buildEnvVars();
+
+  // Env vars (all provider keys available inside agent tools)
+  config.env = config.env || {};
+  config.env.vars = {};
+  providerKeys.forEach(function(k) { config.env.vars[k] = envStr(k); });
+
+  // Model provider API keys
   patchProviderKeys(config);
-  if (token) {
+
+  // Telegram channel
+  if (tgToken) {
     config.channels = config.channels || {};
     config.channels.telegram = config.channels.telegram || {};
     config.channels.telegram.enabled  = true;
     config.channels.telegram.accounts = config.channels.telegram.accounts || {};
     config.channels.telegram.accounts.main = {
-      botToken: token,
+      botToken: tgToken,
       apiRoot:  "https://api.telegram.org"
     };
   }
+
   return config;
 }
 
-// -- main ---------------------------------------------------------
+// ----------------------------------------------------------------
+// Main
+// ----------------------------------------------------------------
 (async function() {
-  fs.mkdirSync(STATE_DIR, { recursive: true });
-  fs.mkdirSync(WORKSPACE,  { recursive: true });
-  fs.mkdirSync(path.join(WORKSPACE, "memory"), { recursive: true });
+  // Ensure directories exist
+  fs.mkdirSync(STATE_DIR,                        { recursive: true });
+  fs.mkdirSync(WORKSPACE,                        { recursive: true });
+  fs.mkdirSync(path.join(WORKSPACE, "memory"),   { recursive: true });
 
-  // Seed workspace files on first boot (bucket persists them after that)
+  // Seed workspace on first boot
   seedWorkspace();
 
-  var token = envStr("TELEGRAM_BOT_TOKEN");
-  if (token) await setupWebhook(token);
-  else console.log("[setup] Telegram: disabled (no TELEGRAM_BOT_TOKEN)");
+  // Telegram webhook
+  var tgToken = envStr("TELEGRAM_BOT_TOKEN");
+  if (tgToken) {
+    await setupWebhook(tgToken);
+  } else {
+    log("Telegram: disabled (no TELEGRAM_BOT_TOKEN)");
+  }
 
+  // Load base config
   var config = null;
   var mode   = "";
 
-  // Priority 1: existing config from bucket (persisted across restarts)
   if (fs.existsSync(CONFIG_PATH)) {
     try {
       config = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8").trim());
-      mode = "patch (restored from bucket)";
-    } catch (e) { config = null; }
+      mode = "patch (existing bucket config)";
+    } catch(e) {
+      log("Existing config unreadable (" + e.message + ") - falling back to template");
+    }
   }
 
-  // Priority 2: Space repo template
   if (!config && fs.existsSync(TEMPLATE)) {
     try {
       config = JSON.parse(fs.readFileSync(TEMPLATE, "utf-8").trim());
-      mode = "template (from Space repo openclaw.json)";
-    } catch (e) { config = null; }
+      mode = "template (Space repo openclaw.json)";
+    } catch(e) {
+      log("Template unreadable (" + e.message + ")");
+    }
   }
 
-  // Priority 3: minimal fresh config
   if (!config) {
-    config = {
-      gateway: {}, agents: { defaults: {} }, env: { vars: {} }
-    };
-    mode = "fresh (no template found)";
+    config = { gateway: {}, agents: { defaults: {} }, env: { vars: {} } };
+    mode   = "fresh (no template found)";
   }
 
-  config = applyEnvPatches(config, token);
+  // Apply env patches
+  config = applyEnvPatches(config, tgToken);
 
+  // Atomic write: backup then overwrite
   if (fs.existsSync(CONFIG_PATH)) {
     fs.copyFileSync(CONFIG_PATH, CONFIG_PATH + ".bak");
   }
   fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
 
-  console.log("[setup] Done. Mode: " + mode);
-  console.log("[setup]   auth      = " + (gatewayToken ? "token" : "password"));
-  console.log("[setup]   model     = " + (config.agents.defaults.model || defaultModel));
-  console.log("[setup]   workspace = " + WORKSPACE);
-  console.log("[setup]   proxies   = " + trustedProxies.length);
-  console.log("[setup]   env.vars  = " + providerKeys.length);
-  var provCount = config.models && config.models.providers ? Object.keys(config.models.providers).length : 0;
-  console.log("[setup]   providers = " + provCount);
-  console.log("[setup]   storage   = bucket at /data (100 GB persistent)");
+  // Summary
+  var provCount = config.models && config.models.providers
+    ? Object.keys(config.models.providers).length : 0;
+  var modelCount = config.models && config.models.providers
+    ? Object.values(config.models.providers).reduce(function(n, p) {
+        return n + (p.models ? p.models.length : 0);
+      }, 0) : 0;
+
+  log("Done. Mode: " + mode);
+  log("  auth      = " + (gatewayToken ? "token" : "password"));
+  log("  model     = " + (config.agents.defaults.model || defaultModel));
+  log("  workspace = " + WORKSPACE);
+  log("  proxies   = " + trustedProxies.length);
+  log("  env.vars  = " + providerKeys.length);
+  log("  providers = " + provCount + " (" + modelCount + " models)");
+  log("  storage   = bucket at /data (100 GB persistent)");
+
 })().catch(function(e) {
-  console.error("[setup] Fatal: " + e.message);
+  err("Fatal: " + e.message);
   process.exit(0);
-});
+});