Spaces:

Tonic
/

hugging-claw

Running

App Files Files Community

Tonic commited on 15 days ago

Commit

0c183d5

verified ·

1 Parent(s): 6bf4bed

Update setup-hf-config.mjs

Browse files

Files changed (1) hide show

setup-hf-config.mjs +47 -12

setup-hf-config.mjs CHANGED Viewed

@@ -5,7 +5,7 @@
  * - agents.defaults.model.primary from OPENCLAW_HF_DEFAULT_MODEL (default: DeepSeek-R1).
  * - gateway.auth: OPENCLAW_GATEWAY_TOKEN (token) or OPENCLAW_GATEWAY_PASSWORD (password); token wins if both set.
  * - gateway.controlUi.dangerouslyDisableDeviceAuth when auth is set (no device pairing in Spaces).
- * - gateway.trustedProxies from OPENCLAW_GATEWAY_TRUSTED_PROXIES (comma-separated IPs).
  * - gateway.controlUi.allowedOrigins from OPENCLAW_CONTROL_UI_ALLOWED_ORIGINS (comma-separated origins).
  * HF_TOKEN is read by the gateway at runtime; this script only writes the above into config.
  */
@@ -16,15 +16,40 @@ const home = process.env.OPENCLAW_HOME || process.env.HOME || "/home/user";
 const stateDir = path.join(home, ".openclaw");
 const configPath = path.join(stateDir, "openclaw.json");
 const defaultModel =
   process.env.OPENCLAW_HF_DEFAULT_MODEL?.trim() || "huggingface/deepseek-ai/DeepSeek-R1";
-const gatewayToken = process.env.OPENCLAW_GATEWAY_TOKEN?.trim();
 const gatewayPassword = process.env.OPENCLAW_GATEWAY_PASSWORD?.trim();
-// Comma-separated list of proxy IPs (e.g. HF Space proxy); written into gateway.trustedProxies
 const trustedProxiesRaw = process.env.OPENCLAW_GATEWAY_TRUSTED_PROXIES?.trim();
-const trustedProxies = trustedProxiesRaw
-  ? trustedProxiesRaw.split(",").map((s) => s.trim()).filter(Boolean)
-  : [];
 // Comma-separated origins allowed for Control UI/WebSocket (e.g. https://your-space.hf.space)
 const allowedOriginsRaw = process.env.OPENCLAW_CONTROL_UI_ALLOWED_ORIGINS?.trim();
 const allowedOrigins = allowedOriginsRaw
@@ -66,10 +91,9 @@ if (useTokenAuth || usePasswordAuth) {
   config.gateway.controlUi.dangerouslyDisableDeviceAuth = true;
 }
-if (trustedProxies.length > 0) {
-  if (!config.gateway) config.gateway = {};
-  config.gateway.trustedProxies = trustedProxies;
-}
 if (allowedOrigins.length > 0) {
   if (!config.gateway) config.gateway = {};
@@ -80,7 +104,18 @@ if (allowedOrigins.length > 0) {
 fs.mkdirSync(stateDir, { recursive: true });
 fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
-// One-line startup log so you can confirm env was applied (e.g. in Space logs)
 const authKind = useTokenAuth ? "token" : usePasswordAuth ? "password" : "none";
-const parts = [`auth=${authKind}`, `trustedProxies=${trustedProxies.length}`, `allowedOrigins=${allowedOrigins.length}`];
 console.log(`[openclaw-hf-setup] ${parts.join(" ")} -> ${configPath}`);

  * - agents.defaults.model.primary from OPENCLAW_HF_DEFAULT_MODEL (default: DeepSeek-R1).
  * - gateway.auth: OPENCLAW_GATEWAY_TOKEN (token) or OPENCLAW_GATEWAY_PASSWORD (password); token wins if both set.
  * - gateway.controlUi.dangerouslyDisableDeviceAuth when auth is set (no device pairing in Spaces).
+ * - gateway.trustedProxies from OPENCLAW_GATEWAY_TRUSTED_PROXIES, or default HF proxy IPs so the UI works without extra config.
  * - gateway.controlUi.allowedOrigins from OPENCLAW_CONTROL_UI_ALLOWED_ORIGINS (comma-separated origins).
  * HF_TOKEN is read by the gateway at runtime; this script only writes the above into config.
  */
 const stateDir = path.join(home, ".openclaw");
 const configPath = path.join(stateDir, "openclaw.json");
+// Token: env var, or read from file if OPENCLAW_GATEWAY_TOKEN_FILE is set (for platforms that mount secrets as files)
+function readGatewayToken() {
+  const fromEnv = process.env.OPENCLAW_GATEWAY_TOKEN?.trim();
+  if (fromEnv) return fromEnv;
+  const filePath = process.env.OPENCLAW_GATEWAY_TOKEN_FILE?.trim();
+  if (filePath && fs.existsSync(filePath)) {
+    try {
+      return fs.readFileSync(filePath, "utf-8").trim();
+    } catch {
+      return "";
+    }
+  }
+  return "";
+}
 const defaultModel =
   process.env.OPENCLAW_HF_DEFAULT_MODEL?.trim() || "huggingface/deepseek-ai/DeepSeek-R1";
+const gatewayToken = readGatewayToken();
 const gatewayPassword = process.env.OPENCLAW_GATEWAY_PASSWORD?.trim();
+// Trusted proxies: from env, or default HF Space proxy IPs so the Control UI works without setting OPENCLAW_GATEWAY_TRUSTED_PROXIES
+const DEFAULT_HF_TRUSTED_PROXY_IPS = [
+  "10.16.4.123",
+  "10.16.34.155",
+  "10.20.1.9",
+  "10.20.1.222",
+  "10.20.26.157",
+  "10.20.31.87",
+];
 const trustedProxiesRaw = process.env.OPENCLAW_GATEWAY_TRUSTED_PROXIES?.trim();
+const trustedProxies =
+  trustedProxiesRaw && trustedProxiesRaw.length > 0
+    ? trustedProxiesRaw.split(",").map((s) => s.trim()).filter(Boolean)
+    : DEFAULT_HF_TRUSTED_PROXY_IPS;
 // Comma-separated origins allowed for Control UI/WebSocket (e.g. https://your-space.hf.space)
 const allowedOriginsRaw = process.env.OPENCLAW_CONTROL_UI_ALLOWED_ORIGINS?.trim();
 const allowedOrigins = allowedOriginsRaw
   config.gateway.controlUi.dangerouslyDisableDeviceAuth = true;
 }
+// Always set trustedProxies (we have a default for HF so the Control UI works behind the HF proxy)
+if (!config.gateway) config.gateway = {};
+config.gateway.trustedProxies = trustedProxies;
 if (allowedOrigins.length > 0) {
   if (!config.gateway) config.gateway = {};
 fs.mkdirSync(stateDir, { recursive: true });
 fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+// Startup log: confirm env was applied (check token_present=1 and auth=token so the UI can connect)
 const authKind = useTokenAuth ? "token" : usePasswordAuth ? "password" : "none";
+const parts = [
+  `token_present=${useTokenAuth ? "1" : "0"}`,
+  `password_present=${usePasswordAuth ? "1" : "0"}`,
+  `auth=${authKind}`,
+  `trustedProxies=${trustedProxies.length}`,
+  `allowedOrigins=${allowedOrigins.length}`,
+];
 console.log(`[openclaw-hf-setup] ${parts.join(" ")} -> ${configPath}`);
+if (authKind === "none") {
+  console.warn(
+    "[openclaw-hf-setup] No auth set. Add OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD in Space Secrets, then restart.",
+  );
+}