up

.github/workflows/docker-build.yml

@@ -0,0 +1,28 @@
+name: Docker build
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Build only (no push). If this fails, the PR breaks container builds.
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: clawdbot-railway-template:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,15 @@
+# Node
+node_modules
+npm-debug.log*
+
+# Local env
+.env
+
+# Build artifacts
+/dist
+
+# Backup exports
+*.tar.gz
+
+# OS
+.DS_Store

.planning/codebase/ARCHITECTURE.md

@@ -0,0 +1,120 @@
+# Architecture
+
+**Analysis Date:** 2026-01-29
+
+## Pattern Overview
+
+**Overall:** Wrapper Architecture with Reverse Proxy
+
+**Key Characteristics:**
+- Node.js-based wrapper around the Clawdbot CLI
+- Express.js web server with HTTP proxy functionality
+- Separate internal gateway (port 18789) and public wrapper (port 8080)
+- Configuration management through JSON files and environment variables
+- Built-in setup wizard for initial onboarding
+
+## Layers
+
+**Wrapper Layer (Public Interface):**
+- Purpose: Provides web interface and proxy to internal gateway
+- Location: `[src/server.js]`
+- Contains: Express app, HTTP proxy setup, configuration management
+- Depends on: Node.js built-ins, express, http-proxy, tar
+- Used by: End users via web browser, Railway deployment
+
+**Gateway Layer (Internal Processing):**
+- Purpose: Runs the actual Clawbot instance with CLI commands
+- Location: Spawned child process at `[src/server.js]` lines 117-124
+- Contains: Child process management, token authentication
+- Depends on: Clawdbot CLI binary (built from source)
+- Used by: Wrapper proxy via internal HTTP endpoint
+
+**Configuration Layer:**
+- Purpose: Manages application state and configuration persistence
+- Location: `[src/server.js]` lines 16-44, 62-64, 66-72
+- Contains: Path resolution, config file management, token persistence
+- Depends on: Node.js file system operations
+- Used by: All layers for configuration state
+
+**Setup Layer (Onboarding):**
+- Purpose: Web-based configuration wizard
+- Location: `[src/setup-app.js]` and endpoints in `[src/server.js]` lines 200-548
+- Contains: UI HTML, client-side JavaScript, setup API endpoints
+- Depends on: Express web server, child process execution
+- Used by: First-time users for initial setup
+
+## Data Flow
+
+**Setup Flow:**
+1. User visits `/setup` → HTML form served
+2. Form submits to `/setup/api/run` → executes `clawdbot onboard`
+3. Configuration file written to state directory
+4. Gateway started as child process on loopback:18789
+5. User redirected to `/clawdbot` → proxied to gateway
+
+**Runtime Flow:**
+1. Request to any endpoint (except `/setup`) → check if configured
+2. If not configured → redirect to `/setup`
+3. If configured → ensure gateway running
+4. Proxy request to internal gateway at `http://127.0.0.1:18789`
+
+**Gateway Management:**
+1. Gateway spawned with token authentication
+2. Health check loop monitors gateway availability
+3. On failure → restart gateway process
+4. Token persisted for stable authentication
+
+## Key Abstractions
+
+**Gateway Abstraction:**
+- Purpose: Isolate external access from internal Clawdbot execution
+- Examples: `[src/server.js]` lines 49-52, 97-153
+- Pattern: Process management with health monitoring
+
+**Configuration Abstraction:**
+- Purpose: Centralized state management with environment fallbacks
+- Examples: `[src/server.js]` lines 24-46, 62-64
+- Pattern: Resolver functions with file persistence
+
+**Authentication Abstraction:**
+- Purpose: Layered security with setup password and gateway token
+- Examples: `[src/server.js]` lines 19-21, 169-191, 24-46
+- Pattern: Basic auth for setup, token auth for gateway
+
+## Entry Points
+
+**Primary Entry:**
+- Location: `[src/server.js]` line 193
+- Triggers: Express server start on port 8080
+- Responsibilities: Initialize app, setup proxy, handle graceful shutdown
+
+**Setup Entry:**
+- Location: `[src/server.js]` line 200
+- Triggers: GET `/setup` requests
+- Responsibilities: Serve setup wizard UI, handle configuration
+
+**Health Check:**
+- Location: `[src/server.js]` line 198
+- Triggers: GET `/setup/healthz` requests
+- Responsibilities: Respond with service health status
+
+## Error Handling
+
+**Strategy:** Graceful degradation with descriptive messages
+
+**Patterns:**
+- Gateway startup failures → return 503 with error message
+- Configuration missing → redirect to setup
+- Proxy errors → log and continue serving
+- Process spawn errors → capture and return in output
+
+## Cross-Cutting Concerns
+
+**Logging:** Console logging with prefixes `[wrapper]`, `[gateway]`, `[proxy]`
+**Validation:** Environment variable parsing, file system error handling
+**Authentication:** Basic auth for setup endpoints, token auth for gateway
+**State Management:** File-based persistence with environment overrides
+
+---
+
+*Architecture analysis: 2026-01-29*

.planning/codebase/CONCERNS.md

@@ -0,0 +1,179 @@
+# Codebase Concerns
+
+**Analysis Date:** 2026-01-29
+
+## Tech Debt
+
+**Hardcoded Magic Numbers and Strings:**
+- Issue: PORT, INTERNAL_GATEWAY_PORT, timeouts hardcoded without configuration
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 15, 50, 82)
+- Impact: Makes deployment difficult to customize and tune
+- Fix approach: Move all magic numbers to environment variables with sensible defaults
+
+**Basic Auth Security Shortcut:**
+- Issue: SETUP_PASSWORD uses Basic Auth which sends credentials in plaintext
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 169-191)
+- Impact: credentials exposed in logs and network traffic
+- Fix approach: Use proper session-based authentication or HTTPS
+
+**Lack of Input Validation:**
+- Issue: No validation on auth tokens and config parameters
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 476, 498, 523)
+- Impact: Potential injection attacks and malformed configuration
+- Fix approach: Add validation for all input parameters before processing
+
+**State Directory Management:**
+- Issue: Multiple hardcoded state directory operations without proper error handling
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 38, 39, 101, 102, 586)
+- Impact: Silent failures could leave system in inconsistent state
+- Fix approach: Add proper error handling and atomic operations
+
+## Known Bugs
+
+**Race Condition in Gateway Start:**
+- Issue: Multiple concurrent requests could start multiple gateway instances
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 140-152)
+- Symptoms: Duplicate processes, resource exhaustion
+- Workaround: Use file-based locking or process singleton pattern
+
+**Proxy Error Handling:**
+- Issue: Proxy errors only logged to console, no graceful degradation
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 650-652, 694-695)
+- Symptoms: WebSocket connections may drop without proper error handling
+- Workaround: Add circuit breaker pattern and retry logic
+
+**Token File Race Condition:**
+- Issue: Gateway token file created without atomic operation
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 36-44)
+- Symptoms: Could create inconsistent tokens in high-concurrency scenarios
+- Workaround: Use file locking or atomic write operations
+
+## Security Considerations
+
+**Basic Auth Exposure:**
+- Risk: SETUP_PASSWORD transmitted in Base64 encoding (easily reversible)
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 177-189)
+- Current mitigation: Only works over HTTPS in production
+- Recommendations: Use proper session tokens or OAuth2
+
+**Token Storage on Shared Systems:**
+- Risk: Gateway token stored in user home directory with 600 permissions
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (line 39)
+- Current mitigation: File mode 0600 limits access
+- Recommendations: Use encrypted storage or secret management service
+
+**Path Traversal in Export:**
+- Risk: Export function could expose sensitive files via path manipulation
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 605-621)
+- Current mitigation: Path sanitization logic
+- Recommendations: Validate all paths and use chroot-style isolation
+
+## Performance Bottlenecks
+
+**Synchronous File Operations:**
+- Issue: Multiple sync file operations during setup
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 29, 30, 68, 586)
+- Problem: Blocks event loop during configuration checks
+- Improvement path: Use async/await for all file operations
+
+**No Request Timeout on Proxy:**
+- Issue: Proxy requests have no timeout configuration
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 668)
+- Problem: Long-running requests could hang the proxy
+- Improvement path: Add configurable timeouts per endpoint
+
+**Memory Leaks in Child Processes:**
+- Issue: Child processes not properly cleaned up on exit
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 697-705)
+- Problem: SIGTERM handler doesn't wait for graceful shutdown
+- Improvement path: Implement proper process cleanup and signal handling
+
+## Fragile Areas
+
+**CLI Dependency Management:**
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 297, 566)
+- Why fragile: Assumes clawdbot CLI exists and is executable
+- Safe modification: Add fallback handling for missing CLI
+- Test coverage: No tests for CLI failure scenarios
+
+**Channel Feature Detection:**
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 469, 472, 495)
+- Why fragile: Relies on CLI help text parsing for feature detection
+- Safe modification: Use API responses instead of help text parsing
+- Test coverage: No tests for different clawdbot builds
+
+**WebSocket Proxy Implementation:**
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js` (lines 683-695)
+- Why fragile: Custom WebSocket proxy implementation may not handle all edge cases
+- Safe modification: Use established WebSocket proxy library
+- Test coverage: No WebSocket-specific tests
+
+## Scaling Limits
+
+**Single Gateway Instance:**
+- Current capacity: Single process handling all requests
+- Limit: Memory and CPU bottlenecks under high load
+- Scaling path: Implement gateway sharding or load balancing
+
+**File-Based State Management:**
+- Current capacity: Single directory for all state
+- Limit: File system contention with concurrent access
+- Scaling path: Use database or distributed state storage
+
+**Hardcoded Port Binding:**
+- Current capacity: Single port 8080
+- Limit: Cannot scale horizontally without port conflicts
+- Scaling path: Support port range configuration and service discovery
+
+## Dependencies at Risk
+
+**express@^5.1.0:**
+- Risk: Major version 5 is alpha/beta with breaking changes
+- Impact: Entire server could break with npm updates
+- Migration plan: Pin to specific stable version or use framework-agnostic HTTP server
+
+**http-proxy@^1.18.1:**
+- Risk: Older package with potential security vulnerabilities
+- Impact: Proxy functionality could be compromised
+- Migration plan: Use modern proxy library with active maintenance
+
+## Missing Critical Features
+
+**No Health Monitoring:**
+- Problem: Limited health endpoints beyond basic check
+- Blocks: Proper observability and alerting
+- Recommendation: Add comprehensive health checks with metrics
+
+**No Rate Limiting:**
+- Problem: No protection against abuse of setup endpoints
+- Blocks: Service stability under attack
+- Recommendation: Implement rate limiting for authentication endpoints
+
+**No Audit Logging:**
+- Problem: No record of configuration changes or access
+- Blocks: Security incident investigation
+- Recommendation: Add audit logging for all administrative actions
+
+## Test Coverage Gaps
+
+**No Unit Tests:**
+- What's not tested: Server logic, proxy functionality, authentication
+- Files: `C:\Users\derek\clawdbot-railway-template\src\server.js`
+- Risk: Undiscovered bugs in core functionality
+- Priority: High - critical service components untested
+
+**No Integration Tests:**
+- What's not tested: Gateway startup process, configuration flow
+- Files: Core server flow from lines 97-167
+- Risk: Integration failures between components
+- Priority: Medium - important but not critical
+
+**No Error Scenario Tests:**
+- What's not tested: CLI failures, file permission errors, network issues
+- Files: Error handling throughout server.js
+- Risk: Graceful degradation not verified
+- Priority: Medium - affects reliability
+
+---
+
+*Concerns audit: 2026-01-29*

.planning/codebase/CONVENTIONS.md

@@ -0,0 +1,116 @@
+# Coding Conventions
+
+**Analysis Date:** 2024-01-29
+
+## Naming Patterns
+
+**Files:**
+- kebab-case for server files: `src/server.js`
+- kebab-case for utility scripts: `scripts/smoke.js`
+- descriptive names reflecting purpose
+
+**Functions:**
+- camelCase for function names: `startGateway()`, `ensureGatewayRunning()`, `resolveGatewayToken()`
+- predicate functions: `isConfigured()`
+- async functions: `waitForGatewayReady()`, `buildOnboardArgs()`
+
+**Variables:**
+- UPPER_SNAKE_CASE for constants: `PORT`, `STATE_DIR`, `WORKSPACE_DIR`, `INTERNAL_GATEWAY_PORT`
+- camelCase for regular variables: `gatewayProc`, `gatewayStarting`, `setupPayload`
+- prefix with `_` for private variables (limited usage)
+
+**Types:**
+- Not applicable - no TypeScript in codebase
+
+## Code Style
+
+**Formatting:**
+- Standard JavaScript formatting (no linter config found)
+- 2-space indentation
+- Line length varies (pragmatic approach for long configurations)
+- Semicolons used consistently
+- Mixed quotes (single and double)
+
+**Linting:**
+- Minimal linting: `node -c src/server.js` (basic syntax check only)
+- No ESLint/Prettier configuration
+- No automated code style enforcement
+
+## Import Organization
+
+**Order:**
+1. Node.js core imports (first group)
+2. Third-party imports (second group)
+3. Relative imports (third group - not used)
+
+**Path Aliases:**
+- Not used
+- Relative imports not needed due to flat structure
+
+## Error Handling
+
+**Patterns:**
+- try/catch blocks with specific error handling
+- Error propagation with meaningful messages
+- Logging errors to console with prefixes: `[gateway]`, `[proxy]`, `[/setup/api/run]`
+- Graceful degradation (ignore errors in non-critical paths)
+
+```javascript
+try {
+  fs.writeFileSync(tokenPath, generated, { encoding: "utf8", mode: 0o600 });
+} catch {
+  // best-effort
+}
+```
+
+## Logging
+
+**Framework:** console.log
+
+**Patterns:**
+- Bracketed prefixes for log sources: `[wrapper]`, `[gateway]`, `[proxy]`
+- Status messages during startup
+- Error logging with context
+- No structured logging framework
+
+## Comments
+
+**When to Comment:**
+- Complex configuration logic (auth groups, channel setup)
+- Gateway management explanations
+- Proxy setup details
+- Environment variable explanations
+
+**JSDoc/TSDoc:**
+- Not used
+- Function documentation limited to inline comments
+
+## Function Design
+
+**Size:**
+- Mix of small (helper functions) and large (server.js handlers) functions
+- `server.js` contains many nested functions and complex handlers
+
+**Parameters:**
+- Consistent use of default parameters: `opts = {}`
+- Optional chaining: `req.body?.{}`
+- Nullish coalescing: `process.env.CLAWDBOT_PUBLIC_PORT ?? process.env.PORT ?? "8080"`
+
+**Return Values:**
+- Object returns for status: `{ ok: true }`, `{ ok: false, reason: "..." }`
+- Promise-based async returns
+- Direct returns for simple cases
+
+## Module Design
+
+**Exports:**
+- No explicit exports (single application entry points)
+- IIFE pattern for setup-app.js: `(function () { ... })();`
+
+**Barrel Files:**
+- Not used
+
+---
+
+*Convention analysis: 2024-01-29*
+*Note: Limited formal conventions - pragmatic Node.js approach*

.planning/codebase/INTEGRATIONS.md

@@ -0,0 +1,113 @@
+# External Integrations
+
+**Analysis Date:** 2026-01-29
+
+## APIs & External Services
+
+**AI Provider Groups:**
+- **OpenAI** - Codex OAuth + API key
+  - Options: Codex CLI, ChatGPT OAuth, API key
+- **Anthropic** - Claude Code CLI + API key
+  - Options: Claude Code token, setup-token, API key
+- **Google** - Gemini API key + OAuth
+  - Options: Gemini API key, Antigravity OAuth, Gemini CLI OAuth
+- **OpenRouter** - API key
+- **Vercel AI Gateway** - API key
+- **Moonshot AI** - Kimi K2 + Kimi Code
+  - Options: API key, Kimi Code API key
+- **Z.AI (GLM 4.7)** - API key
+- **MiniMax** - M2.1 (recommended)
+  - Options: M2.1, M2.1 Lightning
+- **Qwen** - OAuth
+  - Options: Qwen OAuth
+- **Copilot** - GitHub + local proxy
+  - Options: GitHub Copilot (device login), Copilot Proxy
+- **Synthetic** - Anthropic-compatible (multi-model)
+- **OpenCode Zen** - API key
+
+**Messaging Platforms:**
+- **Telegram** - Bot tokens for channel integration
+- **Discord** - Bot tokens with message content intent
+- **Slack** - Bot tokens and app tokens
+
+## Data Storage
+
+**Databases:**
+- None detected (clawdbot likely handles its own data)
+
+**File Storage:**
+- Local filesystem for state and workspace directories
+- Export functionality creates .tar.gz archives
+
+**Caching:**
+- Not detected in codebase
+
+## Authentication & Identity
+
+**Auth Provider:**
+- Custom token-based authentication for gateway
+- Basic auth for setup endpoint
+- Support for multiple AI provider authentication methods
+
+**Implementation:**
+- Gateway tokens persisted to filesystem
+- Setup password protection via HTTP Basic Auth
+- Environment variable configuration
+
+## Monitoring & Observability
+
+**Error Tracking:**
+- Console logging for errors
+- Custom error handling in proxy and gateway processes
+
+**Logs:**
+- Console output from wrapper and clawdbot processes
+- Error logging for proxy and gateway issues
+- Debug endpoints for troubleshooting
+
+## CI/CD & Deployment
+
+**Hosting:**
+- Railway platform deployment
+- Docker containerization
+
+**CI Pipeline:**
+- GitHub Actions for Docker builds
+- Automated builds on PR and push to main
+
+**Health Checks:**
+- Railway healthcheck endpoint at /setup/healthz
+- Gateway readiness monitoring
+
+## Environment Configuration
+
+**Required env vars:**
+- `PORT` - HTTP server port (8080 default)
+- `CLAWDBOT_PUBLIC_PORT` - Override port for Railway
+- `SETUP_PASSWORD` - Password for setup endpoint
+- `CLAWDBOT_GATEWAY_TOKEN` - Authentication token
+- `CLAWDBOT_STATE_DIR` - State directory path
+- `CLAWDBOT_WORKSPACE_DIR` - Workspace directory path
+- `CLAWDBOT_ENTRY` - Path to clawdbot executable
+- `CLAWDBOT_NODE` - Node.js executable path
+
+**Secrets location:**
+- Environment variables
+- Token persistence in state directory (gateway.token)
+
+## Webhooks & Callbacks
+
+**Incoming:**
+- `/setup` - Configuration wizard
+- `/setup/api/*` - Setup API endpoints
+- `/setup/healthz` - Health check
+
+**Outgoing:**
+- Proxy requests to internal gateway
+- External AI provider API calls
+- Messaging platform API calls
+
+---
+
+*Integration audit: 2026-01-29*
+```

.planning/codebase/STACK.md

@@ -0,0 +1,83 @@
+# Technology Stack
+
+**Analysis Date:** 2026-01-29
+
+## Languages
+
+**Primary:**
+- JavaScript (ES Modules) - Node.js runtime
+- TypeScript (not detected in codebase, but Dockerfile references Node.js)
+
+**Secondary:**
+- Dockerfile uses shell scripts
+- HTML served for setup UI
+
+## Runtime
+
+**Environment:**
+- Node.js >=22 (enforced in package.json)
+- Railway deployment platform
+- Docker containerized
+
+**Package Manager:**
+- npm (used for wrapper dependencies)
+- pnpm (used for clawdbot build dependencies - not in this repo)
+
+**Type System:**
+- JavaScript with ES Modules
+- No TypeScript compilation detected
+
+## Frameworks
+
+**Core:**
+- Express.js ^5.1.0 - HTTP server and routing
+- Native Node.js modules for core functionality
+
+**Testing:**
+- No testing framework detected
+- Custom smoke test script
+
+**Build/Dev:**
+- Docker multi-stage build
+- Railway.toml for deployment configuration
+- GitHub Actions for CI/CD
+
+## Key Dependencies
+
+**Critical:**
+- express ^5.1.0 - Web server framework
+- http-proxy ^1.18.1 - HTTP proxying to clawdbot gateway
+- tar ^7.5.4 - Archive creation for backups
+
+**Infrastructure:**
+- Node.js runtime >=22
+- Docker for containerization
+
+## Configuration
+
+**Environment:**
+- Railway deployment variables (PORT, CLAWDBOT_PUBLIC_PORT)
+- Setup password protection (SETUP_PASSWORD)
+- Gateway token management (CLAWDBOT_GATEWAY_TOKEN)
+- State and workspace directories (CLAWDBOT_STATE_DIR, CLAWDBOT_WORKSPACE_DIR)
+
+**Build:**
+- Dockerfile for multi-stage build
+- railway.toml for Railway deployment configuration
+- package.json for dependency management
+
+## Platform Requirements
+
+**Development:**
+- Node.js >=22
+- npm package manager
+
+**Production:**
+- Railway platform deployment
+- Docker container runtime
+- HTTP proxy setup
+
+---
+
+*Stack analysis: 2026-01-29*
+```

.planning/codebase/STRUCTURE.md

@@ -0,0 +1,114 @@
+# Codebase Structure
+
+**Analysis Date:** 2026-01-29
+
+## Directory Layout
+
+```
+clawdbot-railway-template/
+├── .github/              # CI/CD workflows
+│   └── workflows/
+│       └── docker-build.yml
+├── src/                  # Application source
+│   ├── server.js        # Main server and proxy logic
+│   └── setup-app.js      # Setup wizard client
+├── scripts/              # Utility scripts
+│   └── smoke.js         # Basic sanity check
+├── .planning/           # Analysis documents (auto-generated)
+│   └── codebase/
+├── Dockerfile            # Multi-stage container build
+├── package.json          # Node.js dependencies
+├── railway.toml         # Railway deployment config
+└── README.md             # Project documentation
+```
+
+## Directory Purposes
+
+**Root Directory:**
+- Purpose: Project root containing configuration and deployment files
+- Contains: Dockerfile, package.json, CI config, Railway config
+- Key files: `package.json`, `Dockerfile`, `.github/workflows/docker-build.yml`
+
+**`src/` Directory:**
+- Purpose: Application source code
+- Contains: Express server and setup client
+- Key files: `src/server.js` (main server), `src/setup-app.js` (setup UI)
+
+**`scripts/` Directory:**
+- Purpose: Development and maintenance scripts
+- Contains: Testing and verification utilities
+- Key files: `scripts/smoke.js` (sanity check)
+
+**`.github/workflows/` Directory:**
+- Purpose: Continuous integration and deployment
+- Contains: Docker build workflow
+- Key files: `.github/workflows/docker-build.yml`
+
+## Key File Locations
+
+**Entry Points:**
+- `src/server.js`: Main application entry point
+- `src/setup-app.js`: Setup wizard client-side code
+- `scripts/smoke.js`: Development/testing utility
+
+**Configuration:**
+- `package.json`: Node.js dependencies and scripts
+- `Dockerfile`: Container build configuration
+- `.github/workflows/docker-build.yml`: CI/CD pipeline
+
+**Core Logic:**
+- `src/server.js`: All server, proxy, and gateway management logic
+- `src/setup-app.js`: Client-side setup wizard functionality
+
+## Naming Conventions
+
+**Files:**
+- server.js: Main server application
+- setup-app.js: Setup wizard client
+- snake_case for configuration files (package.json, docker-build.yml)
+
+**Variables:**
+- PORT, STATE_DIR, WORKSPACE_DIR: Environment constants
+- CLAWDBOT_*: Clawdbot-specific environment variables
+- gatewayProc: Process management variables
+- camelCase for function names and local variables
+
+## Where to Add New Code
+
+**New Feature:**
+- Server endpoints: Add to `src/server.js`
+- Setup UI additions: Modify `src/server.html` (inline) and `src/setup-app.js`
+
+**New Channel Integration:**
+- Setup API: Add to `/setup/api/run` endpoint in `src/server.js`
+- Client updates: Modify `src/setup-app.js` form and payload
+
+**New Configuration Option:**
+- Environment variables: Add to `src/server.js` configuration section
+- Client support: Update `src/setup-app.js` if UI needed
+
+**Utilities and Helpers:**
+- Server utilities: Add to `src/server.js` or separate module if complex
+- Client utilities: Add to `src/setup-app.js` or separate module
+- Build/deployment scripts: Add to `scripts/` directory
+
+## Special Directories
+
+**`.planning/codebase/`:**
+- Purpose: Auto-generated analysis documents
+- Generated: Yes
+- Committed: Yes (for tracking)
+
+**`src/`:**
+- Purpose: Application source code
+- Generated: No
+- Committed: Yes
+
+**`.github/workflows/`:**
+- Purpose: CI/CD configuration
+- Generated: No
+- Committed: Yes
+
+---
+
+*Structure analysis: 2026-01-29*

.planning/codebase/TESTING.md

@@ -0,0 +1,119 @@
+# Testing Patterns
+
+**Analysis Date:** 2024-01-29
+
+## Test Framework
+
+**Runner:**
+- No test framework detected
+- No test scripts in package.json
+
+**Assertion Library:**
+- Not used
+- Manual testing only
+
+**Run Commands:**
+```bash
+# No automated testing available
+npm run lint          # Basic syntax check only
+npm run smoke         # Basic CLI sanity check
+```
+
+## Test File Organization
+
+**Location:**
+- No test directory structure
+- No test files present
+
+**Naming:**
+- No test naming convention detected
+
+**Structure:**
+- No test structure
+
+## Test Structure
+
+**Suite Organization:**
+- Not applicable
+
+**Patterns:**
+- Not applicable
+
+## Mocking
+
+**Framework:** Not used
+
+**Patterns:**
+- Not applicable
+
+**What to Mock:**
+- Not applicable
+
+**What NOT to Mock:**
+- Not applicable
+
+## Fixtures and Factories
+
+**Test Data:**
+- Not applicable
+
+**Location:**
+- Not applicable
+
+## Coverage
+
+**Requirements:** Not enforced
+
+**View Coverage:**
+- No coverage tool available
+- No coverage reports
+
+## Test Types
+
+**Unit Tests:**
+- Not present
+
+**Integration Tests:**
+- Not present
+
+**E2E Tests:**
+- Not present
+
+## Common Patterns
+
+**Async Testing:**
+- Not applicable
+
+**Error Testing:**
+- Not applicable
+
+## Manual Testing Approach
+
+The codebase relies on manual testing with the following patterns:
+
+**Smoke Testing:**
+- `scripts/smoke.js` verifies CLI is accessible
+- Basic command: `clawdbot --version`
+
+**Functional Testing:**
+- Manual verification of web interface at `/setup`
+- Manual verification of proxy functionality
+- Manual channel setup verification
+
+**Health Checks:**
+- `/setup/healthz` endpoint for basic availability
+- Gateway readiness checks in `waitForGatewayReady()`
+
+**Setup Flow Testing:**
+- Manual walkthrough of web-based setup wizard
+- Configuration verification via API endpoints
+
+**Gateway Testing:**
+- Manual verification of proxy to internal gateway
+- WebSocket proxy functionality
+- Error handling when gateway is unavailable
+
+---
+
+*Testing analysis: 2024-01-29*
+*Note: No automated testing - entirely manual approach*

Dockerfile

@@ -0,0 +1,69 @@
+# Build moltbot from source to avoid npm packaging gaps (some dist files are not shipped).
+FROM node:22-bookworm AS moltbot-build
+
+# Dependencies needed for moltbot build
+RUN apt-get update \
+  && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    make \
+    g++ \
+  && rm -rf /var/lib/apt/lists/*
+
+# Install Bun (moltbot build uses it)
+RUN curl -fsSL https://bun.sh/install | bash
+ENV PATH="/root/.bun/bin:${PATH}"
+
+RUN corepack enable
+
+WORKDIR /moltbot
+
+# Pin to a known ref (tag/branch). If it doesn't exist, fall back to main.
+ARG MOLTBOT_GIT_REF=main
+RUN git clone --depth 1 --branch "${MOLTBOT_GIT_REF}" https://github.com/moltbot/moltbot.git .
+
+# Patch: relax version requirements for packages that may reference unpublished versions.
+# Apply to all extension package.json files to handle workspace protocol (workspace:*).
+RUN set -eux; \
+  find ./extensions -name 'package.json' -type f | while read -r f; do \
+    sed -i -E 's/"moltbot"[[:space:]]*:[[:space:]]*">=[^"]+"/"moltbot": "*"/g' "$f"; \
+    sed -i -E 's/"moltbot"[[:space:]]*:[[:space:]]*"workspace:[^"]+"/"moltbot": "*"/g' "$f"; \
+  done
+
+RUN pnpm install --no-frozen-lockfile
+RUN pnpm build
+ENV MOLTBOT_PREFER_PNPM=1
+RUN pnpm ui:install && pnpm ui:build
+
+
+# Runtime image
+FROM node:22-bookworm
+ENV NODE_ENV=production
+
+RUN apt-get update \
+  && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    ca-certificates \
+  && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Wrapper deps
+COPY package.json ./
+RUN npm install --omit=dev && npm cache clean --force
+
+# Copy built moltbot
+COPY --from=moltbot-build /moltbot /moltbot
+
+# Provide a moltbot executable
+RUN printf '%s\n' '#!/usr/bin/env bash' 'exec node /moltbot/dist/entry.js "$@"' > /usr/local/bin/moltbot \
+  && chmod +x /usr/local/bin/moltbot
+
+COPY src ./src
+
+# The wrapper listens on this port.
+ENV MOLTBOT_PUBLIC_PORT=8080
+ENV PORT=8080
+EXPOSE 8080
+CMD ["node", "src/server.js"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Vignesh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package-lock.json

@@ -0,0 +1,942 @@
+{
+  "name": "clawdbot-railway-template",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "clawdbot-railway-template",
+      "dependencies": {
+        "express": "^5.1.0",
+        "http-proxy": "^1.18.1",
+        "tar": "^7.5.4"
+      },
+      "engines": {
+        "node": ">=22"
+      }
+    },
+    "node_modules/@isaacs/fs-minipass": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
+      "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+      "license": "ISC",
+      "dependencies": {
+        "minipass": "^7.0.4"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz",
+      "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "^3.0.0",
+        "negotiator": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/body-parser": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.2.tgz",
+      "integrity": "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "^3.1.2",
+        "content-type": "^1.0.5",
+        "debug": "^4.4.3",
+        "http-errors": "^2.0.0",
+        "iconv-lite": "^0.7.0",
+        "on-finished": "^2.4.1",
+        "qs": "^6.14.1",
+        "raw-body": "^3.0.1",
+        "type-is": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/call-bound": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
+      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "get-intrinsic": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/chownr": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
+      "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/content-disposition": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz",
+      "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
+      "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.6.0"
+      }
+    },
+    "node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
+    },
+    "node_modules/encodeurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/eventemitter3": {
+      "version": "4.0.7",
+      "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.7.tgz",
+      "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==",
+      "license": "MIT"
+    },
+    "node_modules/express": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
+      "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "^2.0.0",
+        "body-parser": "^2.2.1",
+        "content-disposition": "^1.0.0",
+        "content-type": "^1.0.5",
+        "cookie": "^0.7.1",
+        "cookie-signature": "^1.2.1",
+        "debug": "^4.4.0",
+        "depd": "^2.0.0",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "etag": "^1.8.1",
+        "finalhandler": "^2.1.0",
+        "fresh": "^2.0.0",
+        "http-errors": "^2.0.0",
+        "merge-descriptors": "^2.0.0",
+        "mime-types": "^3.0.0",
+        "on-finished": "^2.4.1",
+        "once": "^1.4.0",
+        "parseurl": "^1.3.3",
+        "proxy-addr": "^2.0.7",
+        "qs": "^6.14.0",
+        "range-parser": "^1.2.1",
+        "router": "^2.2.0",
+        "send": "^1.1.0",
+        "serve-static": "^2.2.0",
+        "statuses": "^2.0.1",
+        "type-is": "^2.0.1",
+        "vary": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/finalhandler": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.1.tgz",
+      "integrity": "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.0",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "on-finished": "^2.4.1",
+        "parseurl": "^1.3.3",
+        "statuses": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 18.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.15.11",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz",
+      "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/http-proxy": {
+      "version": "1.18.1",
+      "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.1.tgz",
+      "integrity": "sha512-7mz/721AbnJwIVbnaSv1Cz3Am0ZLT/UBwkC92VlxhXv/k/BBQfM2fXElQNC27BVGr0uwUpplYPQM9LnaBMR5NQ==",
+      "license": "MIT",
+      "dependencies": {
+        "eventemitter3": "^4.0.0",
+        "follow-redirects": "^1.0.0",
+        "requires-port": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
+      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "license": "ISC"
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/is-promise": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
+      "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==",
+      "license": "MIT"
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/media-typer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz",
+      "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz",
+      "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
+      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "^1.54.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/minipass": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      }
+    },
+    "node_modules/minizlib": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz",
+      "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==",
+      "license": "MIT",
+      "dependencies": {
+        "minipass": "^7.1.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/negotiator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz",
+      "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "license": "ISC",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/path-to-regexp": {
+      "version": "8.3.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
+      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+      "license": "MIT",
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "license": "MIT",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/qs": {
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
+      "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.7.0",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/requires-port": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
+      "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
+      "license": "MIT"
+    },
+    "node_modules/router": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz",
+      "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.0",
+        "depd": "^2.0.0",
+        "is-promise": "^4.0.0",
+        "parseurl": "^1.3.3",
+        "path-to-regexp": "^8.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
+    },
+    "node_modules/send": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/send/-/send-1.2.1.tgz",
+      "integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.3",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "etag": "^1.8.1",
+        "fresh": "^2.0.0",
+        "http-errors": "^2.0.1",
+        "mime-types": "^3.0.2",
+        "ms": "^2.1.3",
+        "on-finished": "^2.4.1",
+        "range-parser": "^1.2.1",
+        "statuses": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/serve-static": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz",
+      "integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "parseurl": "^1.3.3",
+        "send": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
+      "license": "ISC"
+    },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz",
+      "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/tar": {
+      "version": "7.5.6",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.6.tgz",
+      "integrity": "sha512-xqUeu2JAIJpXyvskvU3uvQW8PAmHrtXp2KDuMJwQqW8Sqq0CaZBAQ+dKS3RBXVhU4wC5NjAdKrmh84241gO9cA==",
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "@isaacs/fs-minipass": "^4.0.0",
+        "chownr": "^3.0.0",
+        "minipass": "^7.1.2",
+        "minizlib": "^3.1.0",
+        "yallist": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz",
+      "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==",
+      "license": "MIT",
+      "dependencies": {
+        "content-type": "^1.0.5",
+        "media-typer": "^1.1.0",
+        "mime-types": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "license": "ISC"
+    },
+    "node_modules/yallist": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
+      "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  }
+}

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "moltbot-railway-template",
+  "private": true,
+  "type": "module",
+  "engines": {
+    "node": ">=22"
+  },
+  "scripts": {
+    "dev": "node src/server.js",
+    "start": "node src/server.js",
+    "lint": "node -c src/server.js",
+    "smoke": "node scripts/smoke.js"
+  },
+  "dependencies": {
+    "express": "^5.1.0",
+    "http-proxy": "^1.18.1",
+    "tar": "^7.5.4"
+  }
+}

railway.toml

@@ -0,0 +1,10 @@
+[build]
+builder = "dockerfile"
+
+[deploy]
+healthcheckPath = "/setup/healthz"
+healthcheckTimeout = 300
+restartPolicyType = "on_failure"
+
+[variables]
+PORT = "8080"

scripts/smoke.js

@@ -0,0 +1,9 @@
+import { spawnSync } from "node:child_process";
+
+// Basic sanity: ensure the wrapper starts and the CLI exists.
+const r = spawnSync("moltbot", ["--version"], { encoding: "utf8" });
+if (r.status !== 0) {
+  console.error(r.stdout || r.stderr);
+  process.exit(r.status ?? 1);
+}
+console.log("moltbot ok:", r.stdout.trim());

src/server.js

@@ -0,0 +1,1181 @@
+import childProcess from "node:child_process";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import express from "express";
+import httpProxy from "http-proxy";
+import * as tar from "tar";
+
+// Railway deployments sometimes inject PORT=3000 by default. We want the wrapper to
+// reliably listen on 8080 unless explicitly overridden.
+//
+// Prefer MOLTBOT_PUBLIC_PORT (set in the Dockerfile / template) over PORT.
+// Backwards compatible: also supports CLAWDBOT_PUBLIC_PORT.
+const PORT = Number.parseInt(
+  process.env.MOLTBOT_PUBLIC_PORT ??
+  process.env.CLAWDBOT_PUBLIC_PORT ??
+  process.env.PORT ?? "8080", 10
+);
+const STATE_DIR =
+  process.env.MOLTBOT_STATE_DIR?.trim() ||
+  process.env.CLAWDBOT_STATE_DIR?.trim() ||
+  path.join(os.homedir(), ".moltbot");
+const WORKSPACE_DIR =
+  process.env.MOLTBOT_WORKSPACE_DIR?.trim() ||
+  process.env.CLAWDBOT_WORKSPACE_DIR?.trim() ||
+  path.join(STATE_DIR, "workspace");
+
+// Protect /setup with a user-provided password.
+const SETUP_PASSWORD = process.env.SETUP_PASSWORD?.trim();
+
+// Gateway admin token (protects Moltbot gateway + Control UI).
+// Must be stable across restarts. If not provided via env, persist it in the state dir.
+// Backwards compatible: also supports CLAWDBOT_GATEWAY_TOKEN.
+function resolveGatewayToken() {
+  const envTok =
+    process.env.MOLTBOT_GATEWAY_TOKEN?.trim() ||
+    process.env.CLAWDBOT_GATEWAY_TOKEN?.trim();
+  if (envTok) return envTok;
+
+  const tokenPath = path.join(STATE_DIR, "gateway.token");
+  try {
+    const existing = fs.readFileSync(tokenPath, "utf8").trim();
+    if (existing) return existing;
+  } catch {
+    // ignore
+  }
+
+  const generated = crypto.randomBytes(32).toString("hex");
+  try {
+    fs.mkdirSync(STATE_DIR, { recursive: true });
+    fs.writeFileSync(tokenPath, generated, { encoding: "utf8", mode: 0o600 });
+  } catch {
+    // best-effort
+  }
+  return generated;
+}
+
+const MOLTBOT_GATEWAY_TOKEN = resolveGatewayToken();
+process.env.MOLTBOT_GATEWAY_TOKEN = MOLTBOT_GATEWAY_TOKEN;
+// Also set CLAWDBOT_GATEWAY_TOKEN for backwards compat with gateway
+process.env.CLAWDBOT_GATEWAY_TOKEN = MOLTBOT_GATEWAY_TOKEN;
+
+// Where the gateway will listen internally (we proxy to it).
+const INTERNAL_GATEWAY_PORT = Number.parseInt(process.env.INTERNAL_GATEWAY_PORT ?? "18789", 10);
+const INTERNAL_GATEWAY_HOST = process.env.INTERNAL_GATEWAY_HOST ?? "127.0.0.1";
+const GATEWAY_TARGET = `http://${INTERNAL_GATEWAY_HOST}:${INTERNAL_GATEWAY_PORT}`;
+
+// Always run the built-from-source CLI entry directly to avoid PATH/global-install mismatches.
+// Backwards compatible: also supports CLAWDBOT_ENTRY and CLAWDBOT_NODE.
+const MOLTBOT_ENTRY = process.env.MOLTBOT_ENTRY?.trim() || process.env.CLAWDBOT_ENTRY?.trim() || "/moltbot/dist/entry.js";
+const MOLTBOT_NODE = process.env.MOLTBOT_NODE?.trim() || process.env.CLAWDBOT_NODE?.trim() || "node";
+
+function moltArgs(args) {
+  return [MOLTBOT_ENTRY, ...args];
+}
+
+function configPath() {
+  return process.env.MOLTBOT_CONFIG_PATH?.trim() ||
+    process.env.CLAWDBOT_CONFIG_PATH?.trim() ||
+    path.join(STATE_DIR, "moltbot.json");
+}
+
+function isConfigured() {
+  try {
+    return fs.existsSync(configPath());
+  } catch {
+    return false;
+  }
+}
+
+let gatewayProc = null;
+let gatewayStarting = null;
+
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function waitForGatewayReady(opts = {}) {
+  const timeoutMs = opts.timeoutMs ?? 20_000;
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const res = await fetch(`${GATEWAY_TARGET}/moltbot`, { method: "GET" });
+      // Any HTTP response means the port is open.
+      if (res) return true;
+    } catch {
+      // not ready
+    }
+    await sleep(250);
+  }
+  return false;
+}
+
+async function startGateway() {
+  if (gatewayProc) return;
+  if (!isConfigured()) throw new Error("Gateway cannot start: not configured");
+
+  fs.mkdirSync(STATE_DIR, { recursive: true });
+  fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+
+  const args = [
+    "gateway",
+    "run",
+    "--bind",
+    "loopback",
+    "--port",
+    String(INTERNAL_GATEWAY_PORT),
+    "--auth",
+    "token",
+    "--token",
+    MOLTBOT_GATEWAY_TOKEN,
+  ];
+
+  gatewayProc = childProcess.spawn(MOLTBOT_NODE, moltArgs(args), {
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      MOLTBOT_STATE_DIR: STATE_DIR,
+      MOLTBOT_WORKSPACE_DIR: WORKSPACE_DIR,
+      // Also set CLAWDBOT_* for backwards compat
+      CLAWDBOT_STATE_DIR: STATE_DIR,
+      CLAWDBOT_WORKSPACE_DIR: WORKSPACE_DIR,
+    },
+  });
+
+  gatewayProc.on("error", (err) => {
+    console.error(`[gateway] spawn error: ${String(err)}`);
+    gatewayProc = null;
+  });
+
+  gatewayProc.on("exit", (code, signal) => {
+    console.error(`[gateway] exited code=${code} signal=${signal}`);
+    gatewayProc = null;
+  });
+}
+
+async function ensureGatewayRunning() {
+  if (!isConfigured()) return { ok: false, reason: "not configured" };
+  if (gatewayProc) return { ok: true };
+  if (!gatewayStarting) {
+    gatewayStarting = (async () => {
+      await startGateway();
+      const ready = await waitForGatewayReady({ timeoutMs: 20_000 });
+      if (!ready) {
+        throw new Error("Gateway did not become ready in time");
+      }
+    })().finally(() => {
+      gatewayStarting = null;
+    });
+  }
+  await gatewayStarting;
+  return { ok: true };
+}
+
+async function restartGateway() {
+  if (gatewayProc) {
+    try {
+      gatewayProc.kill("SIGTERM");
+    } catch {
+      // ignore
+    }
+    // Give it a moment to exit and release the port.
+    await sleep(750);
+    gatewayProc = null;
+  }
+  return ensureGatewayRunning();
+}
+
+function requireSetupAuth(req, res, next) {
+  if (!SETUP_PASSWORD) {
+    return res
+      .status(500)
+      .type("text/plain")
+      .send("SETUP_PASSWORD is not set. Set it in Railway Variables before using /setup.");
+  }
+
+  const header = req.headers.authorization || "";
+  const [scheme, encoded] = header.split(" ");
+  if (scheme !== "Basic" || !encoded) {
+    res.set("WWW-Authenticate", 'Basic realm="Moltbot Setup"');
+    return res.status(401).send("Auth required");
+  }
+  const decoded = Buffer.from(encoded, "base64").toString("utf8");
+  const idx = decoded.indexOf(":");
+  const password = idx >= 0 ? decoded.slice(idx + 1) : "";
+  if (password !== SETUP_PASSWORD) {
+    res.set("WWW-Authenticate", 'Basic realm="Moltbot Setup"');
+    return res.status(401).send("Invalid password");
+  }
+  return next();
+}
+
+const app = express();
+app.disable("x-powered-by");
+app.use(express.json({ limit: "1mb" }));
+
+// Minimal health endpoint for Railway.
+app.get("/setup/healthz", (_req, res) => res.json({ ok: true }));
+
+// Provider templates for one-click setup
+const PROVIDER_TEMPLATES = {
+  openai: {
+    name: "OpenAI",
+    description: "GPT-4 and GPT-3.5 models",
+    authChoice: "openai-api-key",
+    placeholder: "sk-...",
+    fields: {
+      authSecret: {
+        label: "API Key",
+        type: "password",
+        help: "Get your key from https://platform.openai.com/api-keys",
+        helpUrl: "https://platform.openai.com/api-keys"
+      }
+    },
+    icon: "🤖"
+  },
+  anthropic: {
+    name: "Anthropic Claude",
+    description: "Claude 3.5 Sonnet, Opus, and Haiku",
+    authChoice: "anthropic-api-key",
+    placeholder: "sk-ant-...",
+    fields: {
+      authSecret: {
+        label: "API Key",
+        type: "password",
+        help: "Get your key from https://console.anthropic.com/",
+        helpUrl: "https://console.anthropic.com/"
+      }
+    },
+    icon: "🧠"
+  },
+  google: {
+    name: "Google Gemini",
+    description: "Gemini Pro and Ultra models",
+    authChoice: "gemini-api-key",
+    placeholder: "AIza...",
+    fields: {
+      authSecret: {
+        label: "API Key",
+        type: "password",
+        help: "Get your key from https://makersuite.google.com/app/apikey",
+        helpUrl: "https://makersuite.google.com/app/apikey"
+      }
+    },
+    icon: "💎"
+  },
+  atlascloud: {
+    name: "Atlas Cloud",
+    description: "Multi-provider API with OpenAI, Anthropic, and more",
+    authChoice: "atlascloud-api-key",
+    placeholder: "aat_...",
+    fields: {
+      authSecret: {
+        label: "API Key",
+        type: "password",
+        help: "Get your key from your Atlas Cloud dashboard",
+        helpUrl: "https://atlascloud.ai"
+      },
+      baseUrl: {
+        label: "Base URL (optional)",
+        type: "text",
+        placeholder: "https://api.atlascloud.ai/v1",
+        default: "https://api.atlascloud.ai/v1"
+      }
+    },
+    icon: "☁️"
+  },
+  openrouter: {
+    name: "OpenRouter",
+    description: "Access to 100+ AI models through one API",
+    authChoice: "openrouter-api-key",
+    placeholder: "sk-or-...",
+    fields: {
+      authSecret: {
+        label: "API Key",
+        type: "password",
+        help: "Get your key from https://openrouter.ai/keys",
+        helpUrl: "https://openrouter.ai/keys"
+      }
+    },
+    icon: "🔀"
+  }
+};
+
+app.get("/setup/api/templates", requireSetupAuth, (_req, res) => {
+  res.json({ templates: PROVIDER_TEMPLATES });
+});
+
+app.get("/setup/api/templates/:provider", requireSetupAuth, (req, res) => {
+  const template = PROVIDER_TEMPLATES[req.params.provider];
+  if (!template) {
+    return res.status(404).json({ error: "Template not found" });
+  }
+  res.json(template);
+});
+
+// Pre-flight validation checks
+app.get("/setup/api/check", requireSetupAuth, async (_req, res) => {
+  const checks = [];
+
+  // Check Moltbot CLI
+  try {
+    const versionResult = await runCmd(MOLTBOT_NODE, moltArgs(["--version"]));
+    checks.push({
+      name: "Moltbot CLI",
+      status: "ok",
+      message: `Version ${versionResult.output.trim()}`
+    });
+  } catch (err) {
+    checks.push({
+      name: "Moltbot CLI",
+      status: "error",
+      message: `CLI not accessible: ${String(err)}`
+    });
+  }
+
+  // Check state directory
+  try {
+    fs.mkdirSync(STATE_DIR, { recursive: true });
+    const stateAccessible = fs.accessSync(STATE_DIR, fs.constants.W_OK);
+    checks.push({
+      name: "State Directory",
+      status: "ok",
+      message: `Writable: ${STATE_DIR}`
+    });
+  } catch (err) {
+    checks.push({
+      name: "State Directory",
+      status: "error",
+      message: `Cannot write to ${STATE_DIR}: ${String(err)}`
+    });
+  }
+
+  // Check workspace directory
+  try {
+    fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+    checks.push({
+      name: "Workspace Directory",
+      status: "ok",
+      message: `Writable: ${WORKSPACE_DIR}`
+    });
+  } catch (err) {
+    checks.push({
+      name: "Workspace Directory",
+      status: "error",
+      message: `Cannot write to ${WORKSPACE_DIR}: ${String(err)}`
+    });
+  }
+
+  // Check memory
+  const totalMem = Math.round(os.totalmem() / 1024 / 1024);
+  const freeMem = Math.round(os.freemem() / 1024 / 1024);
+  checks.push({
+    name: "Available Memory",
+    status: freeMem > 256 ? "ok" : "warning",
+    message: `${freeMem}MB available (512MB+ recommended)`,
+    value: freeMem
+  });
+
+  // Check disk space
+  try {
+    const stats = await fs.promises.statfs(STATE_DIR);
+    // Validate statfs values exist and are valid numbers
+    if (stats && typeof stats.bavail === 'number' && typeof stats.frsize === 'number' && stats.bavail > 0 && stats.frsize > 0) {
+      const freeSpace = Math.round(stats.bavail * stats.frsize / 1024 / 1024);
+      checks.push({
+        name: "Disk Space",
+        status: freeSpace > 100 ? "ok" : "warning",
+        message: `${freeSpace}MB available`,
+        value: freeSpace
+      });
+    } else {
+      // statfs succeeded but returned invalid data (common in some container environments)
+      // Don't fail the check - Railway volumes are typically large enough
+      checks.push({
+        name: "Disk Space",
+        status: "ok",
+        message: "OK (could not measure, Railway volumes typically 1GB+)"
+      });
+    }
+  } catch (err) {
+    // statfs not available or failed (common in Windows/some containers)
+    // Don't fail the check - this is expected in some environments
+    checks.push({
+      name: "Disk Space",
+      status: "ok",
+      message: "OK (could not measure, Railway volumes typically 1GB+)"
+    });
+  }
+
+  const allOk = checks.every(c => c.status === "ok");
+  res.json({
+    ready: allOk,
+    checks,
+    summary: allOk ? "All checks passed. Ready to setup." : "Some checks failed. Please fix issues before proceeding."
+  });
+});
+
+// Token validation endpoint
+app.post("/setup/api/validate-token", requireSetupAuth, async (req, res) => {
+  const { provider, token, baseUrl } = req.body || {};
+
+  if (!provider || !token) {
+    return res.status(400).json({ valid: false, error: "Provider and token are required" });
+  }
+
+  // Validate token format first (quick check)
+  let formatValid = true;
+  let formatError = "";
+
+  switch (provider) {
+    case "openai-api-key":
+      if (!token.startsWith("sk-")) {
+        formatValid = false;
+        formatError = "OpenAI API keys should start with 'sk-'";
+      }
+      break;
+    case "anthropic-api-key":
+      if (!token.startsWith("sk-ant-")) {
+        formatValid = false;
+        formatError = "Anthropic API keys should start with 'sk-ant-'";
+      }
+      break;
+    case "gemini-api-key":
+      if (!token.startsWith("AIza")) {
+        formatValid = false;
+        formatError = "Gemini API keys should start with 'AIza'";
+      }
+      break;
+    case "atlascloud-api-key":
+      if (!token.startsWith("aat_")) {
+        formatValid = false;
+        formatError = "Atlas Cloud API keys should start with 'aat_'";
+      }
+      break;
+    case "openrouter-api-key":
+      if (!token.startsWith("sk-or-")) {
+        formatValid = false;
+        formatError = "OpenRouter API keys should start with 'sk-or-'";
+      }
+      break;
+  }
+
+  if (!formatValid) {
+    return res.json({ valid: false, error: formatError });
+  }
+
+  // Quick validation by attempting to use the token
+  try {
+    let validationOk = false;
+    let providerName = "";
+
+    if (provider === "openai-api-key") {
+      // Test with a minimal API call
+      const response = await fetch("https://api.openai.com/v1/models", {
+        headers: { "Authorization": `Bearer ${token}` },
+        signal: AbortSignal.timeout(5000)
+      });
+      validationOk = response.ok;
+      providerName = "OpenAI";
+    } else if (provider === "anthropic-api-key") {
+      const response = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: {
+          "x-api-key": token,
+          "anthropic-version": "2023-06-01",
+          "content-type": "application/json"
+        },
+        body: JSON.stringify({
+          model: "claude-3-haiku-20240307",
+          max_tokens: 1,
+          messages: [{ role: "user", content: "test" }]
+        }),
+        signal: AbortSignal.timeout(5000)
+      });
+      validationOk = response.status !== 401;
+      providerName = "Anthropic";
+    } else if (provider === "atlascloud-api-key") {
+      const apiUrl = baseUrl || "https://api.atlascloud.ai/v1";
+      const response = await fetch(`${apiUrl}/models`, {
+        headers: { "Authorization": `Bearer ${token}` },
+        signal: AbortSignal.timeout(5000)
+      });
+      validationOk = response.ok;
+      providerName = "Atlas Cloud";
+    } else {
+      // For other providers, just verify format
+      validationOk = true;
+    }
+
+    res.json({
+      valid: validationOk,
+      provider: providerName,
+      message: validationOk ? "Token validated successfully" : "Token validation failed"
+    });
+  } catch (err) {
+    res.json({
+      valid: false,
+      error: `Validation failed: ${err.message}`
+    });
+  }
+});
+
+// SSE endpoint for streaming setup progress
+app.get("/setup/api/progress", requireSetupAuth, async (req, res) => {
+  res.setHeader("Content-Type", "text/event-stream");
+  res.setHeader("Cache-Control", "no-cache");
+  res.setHeader("Connection", "keep-alive");
+
+  const sendEvent = (event, data) => {
+    res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+  };
+
+  try {
+    // Check if already configured
+    if (isConfigured()) {
+      sendEvent("progress", { stage: "complete", message: "Already configured" });
+      await ensureGatewayRunning();
+      sendEvent("done", { success: true, message: "Setup already complete" });
+      return res.end();
+    }
+
+    sendEvent("progress", { stage: "starting", message: "Initializing setup..." });
+
+    // Create directories
+    fs.mkdirSync(STATE_DIR, { recursive: true });
+    fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+    sendEvent("progress", { stage: "directories", message: "Created state directories" });
+
+    // Get the setup payload from query or session
+    // For simplicity, we'll expect the client to POST to run first, then poll for progress
+    sendEvent("progress", { stage: "waiting", message: "Waiting for setup parameters..." });
+
+  } catch (err) {
+    sendEvent("error", { error: String(err) });
+    res.end();
+  }
+});
+
+app.get("/setup/app.js", requireSetupAuth, (_req, res) => {
+  // Serve JS for /setup (kept external to avoid inline encoding/template issues)
+  res.type("application/javascript");
+  res.send(fs.readFileSync(path.join(process.cwd(), "src", "setup-app.js"), "utf8"));
+});
+
+app.get("/setup", requireSetupAuth, (_req, res) => {
+  // No inline <script>: serve JS from /setup/app.js to avoid any encoding/template-literal issues.
+  res.type("html").send(`<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Moltbot Setup</title>
+  <style>
+    body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 2rem; max-width: 900px; }
+    .card { border: 1px solid #ddd; border-radius: 12px; padding: 1.25rem; margin: 1rem 0; }
+    label { display:block; margin-top: 0.75rem; font-weight: 600; }
+    input, select { width: 100%; padding: 0.6rem; margin-top: 0.25rem; }
+    button { padding: 0.8rem 1.2rem; border-radius: 10px; border: 0; background: #111; color: #fff; font-weight: 700; cursor: pointer; }
+    code { background: #f6f6f6; padding: 0.1rem 0.3rem; border-radius: 6px; }
+    .muted { color: #555; }
+  </style>
+</head>
+<body>
+  <h1>Moltbot Setup</h1>
+  <p class="muted">This wizard configures Moltbot by running the same onboarding command it uses in the terminal, but from the browser.</p>
+
+  <div class="card">
+    <h2>Status</h2>
+    <div id="status">Loading...</div>
+    <div style="margin-top: 0.75rem">
+      <a href="/moltbot" target="_blank">Open Moltbot UI</a>
+      &nbsp;|&nbsp;
+      <a href="/setup/export" target="_blank">Download backup (.tar.gz)</a>
+    </div>
+  </div>
+
+  <div class="card">
+    <h2>🚀 Quick Setup</h2>
+    <p class="muted">Click a provider to auto-fill configuration:</p>
+    <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr)); gap: 0.5rem; margin: 1rem 0;">
+      <button onclick="useProvider('openai')" style="background:#10a37f; padding:0.6rem;">🤖 OpenAI</button>
+      <button onclick="useProvider('anthropic')" style="background:#d4a573; color:white; padding:0.6rem;">🧠 Anthropic</button>
+      <button onclick="useProvider('google')" style="background:#4285f4; color:white; padding:0.6rem;">💎 Gemini</button>
+      <button onclick="useProvider('atlascloud')" style="background:#8b5cf6; color:white; padding:0.6rem;">☁️ Atlas Cloud</button>
+      <button onclick="useProvider('openrouter')" style="background:#6366f1; color:white; padding:0.6rem;">🔀 OpenRouter</button>
+    </div>
+  </div>
+
+  <div class="card">
+    <h2>✅ Pre-flight Checks</h2>
+    <button onclick="runPreflightChecks()" style="margin-bottom: 0.75rem;">Run Checks</button>
+    <div id="preflightResults" style="margin-top: 0.75rem;"></div>
+  </div>
+
+  <div class="card">
+    <h2>1) Model/auth provider</h2>
+    <p class="muted">Matches the groups shown in the terminal onboarding.</p>
+    <label>Provider group</label>
+    <select id="authGroup"></select>
+
+    <label>Auth method</label>
+    <select id="authChoice"></select>
+
+    <label>Key / Token (if required)</label>
+    <input id="authSecret" type="password" placeholder="Paste API key / token if applicable" onblur="validateToken()" />
+    <button id="validateBtn" onclick="validateToken()" type="button" style="margin-top:0.5rem; padding:0.5rem 1rem; background:#6b7280; font-size:0.9rem;">Validate Token</button>
+    <div id="authSecretHelp" class="muted" style="margin-top: 0.5rem; display:none;"></div>
+
+    <label>Base URL (optional, for Atlas Cloud)</label>
+    <input id="baseUrl" type="text" placeholder="https://api.atlascloud.ai/v1" />
+    <div class="muted" style="margin-top: 0.25rem;">Leave blank to use provider default</div>
+
+    <label>Wizard flow</label>
+    <select id="flow">
+      <option value="quickstart">quickstart</option>
+      <option value="advanced">advanced</option>
+      <option value="manual">manual</option>
+    </select>
+  </div>
+
+  <div class="card">
+    <h2>2) Optional: Channels</h2>
+    <p class="muted">You can also add channels later inside Moltbot, but this helps you get messaging working immediately.</p>
+
+    <label>Telegram bot token (optional)</label>
+    <input id="telegramToken" type="password" placeholder="123456:ABC..." />
+    <div class="muted" style="margin-top: 0.25rem">
+      Get it from BotFather: open Telegram, message <code>@BotFather</code>, run <code>/newbot</code>, then copy the token.
+    </div>
+
+    <label>Discord bot token (optional)</label>
+    <input id="discordToken" type="password" placeholder="Bot token" />
+    <div class="muted" style="margin-top: 0.25rem">
+      Get it from the Discord Developer Portal: create an application, add a Bot, then copy the Bot Token.<br/>
+      <strong>Important:</strong> Enable <strong>MESSAGE CONTENT INTENT</strong> in Bot → Privileged Gateway Intents, or the bot will crash on startup.
+    </div>
+
+    <label>Slack bot token (optional)</label>
+    <input id="slackBotToken" type="password" placeholder="xoxb-..." />
+
+    <label>Slack app token (optional)</label>
+    <input id="slackAppToken" type="password" placeholder="xapp-..." />
+  </div>
+
+  <div class="card">
+    <h2>3) Run onboarding</h2>
+    <button id="run">Run setup</button>
+    <button id="pairingApprove" style="background:#1f2937; margin-left:0.5rem">Approve pairing</button>
+    <button id="reset" style="background:#444; margin-left:0.5rem">Reset setup</button>
+    <button id="debug" style="background:#1f2937; margin-left:0.5rem">Debug info</button>
+    <button id="test" style="background:#059669; margin-left:0.5rem">Test endpoint</button>
+    <pre id="log" style="white-space:pre-wrap"></pre>
+    <p class="muted">Reset deletes the Moltbot config file so you can rerun onboarding. Pairing approval lets you grant DM access when dmPolicy=pairing. Debug info shows current system state. Test endpoint verifies routing works.</p>
+  </div>
+
+  <script src="/setup/app.js"></script>
+</body>
+</html>`);
+});
+
+app.get("/setup/api/status", requireSetupAuth, async (_req, res) => {
+  const version = await runCmd(MOLTBOT_NODE, moltArgs(["--version"]));
+  const channelsHelp = await runCmd(MOLTBOT_NODE, moltArgs(["channels", "add", "--help"]));
+
+  // We reuse Moltbot's own auth-choice grouping logic indirectly by hardcoding the same group defs.
+  // This is intentionally minimal; later we can parse the CLI help output to stay perfectly in sync.
+  const authGroups = [
+    { value: "openai", label: "OpenAI", hint: "Codex OAuth + API key", options: [
+      { value: "codex-cli", label: "OpenAI Codex OAuth (Codex CLI)" },
+      { value: "openai-codex", label: "OpenAI Codex (ChatGPT OAuth)" },
+      { value: "openai-api-key", label: "OpenAI API key" }
+    ]},
+    { value: "anthropic", label: "Anthropic", hint: "Claude Code CLI + API key", options: [
+      { value: "claude-cli", label: "Anthropic token (Claude Code CLI)" },
+      { value: "token", label: "Anthropic token (paste setup-token)" },
+      { value: "apiKey", label: "Anthropic API key" }
+    ]},
+    { value: "google", label: "Google", hint: "Gemini API key + OAuth", options: [
+      { value: "gemini-api-key", label: "Google Gemini API key" },
+      { value: "google-antigravity", label: "Google Antigravity OAuth" },
+      { value: "google-gemini-cli", label: "Google Gemini CLI OAuth" }
+    ]},
+    { value: "openrouter", label: "OpenRouter", hint: "API key", options: [
+      { value: "openrouter-api-key", label: "OpenRouter API key" }
+    ]},
+    { value: "atlascloud", label: "Atlas Cloud", hint: "Multi-provider API", options: [
+      { value: "atlascloud-api-key", label: "Atlas Cloud API key" }
+    ]},
+    { value: "ai-gateway", label: "Vercel AI Gateway", hint: "API key", options: [
+      { value: "ai-gateway-api-key", label: "Vercel AI Gateway API key" }
+    ]},
+    { value: "moonshot", label: "Moonshot AI", hint: "Kimi K2 + Kimi Code", options: [
+      { value: "moonshot-api-key", label: "Moonshot AI API key" },
+      { value: "kimi-code-api-key", label: "Kimi Code API key" }
+    ]},
+    { value: "zai", label: "Z.AI (GLM 4.7)", hint: "API key", options: [
+      { value: "zai-api-key", label: "Z.AI (GLM 4.7) API key" }
+    ]},
+    { value: "minimax", label: "MiniMax", hint: "M2.1 (recommended)", options: [
+      { value: "minimax-api", label: "MiniMax M2.1" },
+      { value: "minimax-api-lightning", label: "MiniMax M2.1 Lightning" }
+    ]},
+    { value: "qwen", label: "Qwen", hint: "OAuth", options: [
+      { value: "qwen-portal", label: "Qwen OAuth" }
+    ]},
+    { value: "copilot", label: "Copilot", hint: "GitHub + local proxy", options: [
+      { value: "github-copilot", label: "GitHub Copilot (GitHub device login)" },
+      { value: "copilot-proxy", label: "Copilot Proxy (local)" }
+    ]},
+    { value: "synthetic", label: "Synthetic", hint: "Anthropic-compatible (multi-model)", options: [
+      { value: "synthetic-api-key", label: "Synthetic API key" }
+    ]},
+    { value: "opencode-zen", label: "OpenCode Zen", hint: "API key", options: [
+      { value: "opencode-zen", label: "OpenCode Zen (multi-model proxy)" }
+    ]}
+  ];
+
+  res.json({
+    configured: isConfigured(),
+    gatewayTarget: GATEWAY_TARGET,
+    moltbotVersion: version.output.trim(),
+    channelsAddHelp: channelsHelp.output,
+    authGroups,
+  });
+});
+
+function buildOnboardArgs(payload) {
+  const args = [
+    "onboard",
+    "--non-interactive",
+    "--accept-risk",
+    "--json",
+    "--no-install-daemon",
+    "--skip-health",
+    "--workspace",
+    WORKSPACE_DIR,
+    // The wrapper owns public networking; keep the gateway internal.
+    "--gateway-bind",
+    "loopback",
+    "--gateway-port",
+    String(INTERNAL_GATEWAY_PORT),
+    "--gateway-auth",
+    "token",
+    "--gateway-token",
+    MOLTBOT_GATEWAY_TOKEN,
+    "--flow",
+    payload.flow || "quickstart"
+  ];
+
+  if (payload.authChoice) {
+    args.push("--auth-choice", payload.authChoice);
+
+    // Map secret to correct flag for common choices.
+    const secret = (payload.authSecret || "").trim();
+    const map = {
+      "openai-api-key": "--openai-api-key",
+      "apiKey": "--anthropic-api-key",
+      "atlascloud-api-key": "--atlascloud-api-key",
+      "openrouter-api-key": "--openrouter-api-key",
+      "ai-gateway-api-key": "--ai-gateway-api-key",
+      "moonshot-api-key": "--moonshot-api-key",
+      "kimi-code-api-key": "--kimi-code-api-key",
+      "gemini-api-key": "--gemini-api-key",
+      "zai-api-key": "--zai-api-key",
+      "minimax-api": "--minimax-api-key",
+      "minimax-api-lightning": "--minimax-api-key",
+      "synthetic-api-key": "--synthetic-api-key",
+      "opencode-zen": "--opencode-zen-api-key"
+    };
+    const flag = map[payload.authChoice];
+    if (flag && secret) {
+      args.push(flag, secret);
+    }
+
+    if (payload.authChoice === "token" && secret) {
+      // This is the Anthropics setup-token flow.
+      args.push("--token-provider", "anthropic", "--token", secret);
+    }
+  }
+
+  return args;
+}
+
+function runCmd(cmd, args, opts = {}) {
+  return new Promise((resolve) => {
+    const proc = childProcess.spawn(cmd, args, {
+      ...opts,
+      env: {
+        ...process.env,
+        CLAWDBOT_STATE_DIR: STATE_DIR,
+        CLAWDBOT_WORKSPACE_DIR: WORKSPACE_DIR,
+      },
+    });
+
+    let out = "";
+    proc.stdout?.on("data", (d) => (out += d.toString("utf8")));
+    proc.stderr?.on("data", (d) => (out += d.toString("utf8")));
+
+    proc.on("error", (err) => {
+      out += `\n[spawn error] ${String(err)}\n`;
+      resolve({ code: 127, output: out });
+    });
+
+    proc.on("close", (code) => resolve({ code: code ?? 0, output: out }));
+  });
+}
+
+app.post("/setup/api/run", requireSetupAuth, async (req, res) => {
+  try {
+    if (isConfigured()) {
+      await ensureGatewayRunning();
+      return res.json({ ok: true, output: "Already configured.\nUse Reset setup if you want to rerun onboarding.\n" });
+    }
+
+  fs.mkdirSync(STATE_DIR, { recursive: true });
+  fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+
+  const payload = req.body || {};
+  const onboardArgs = buildOnboardArgs(payload);
+
+  // Debug logging
+  console.error('[DEBUG] Onboard args:', onboardArgs);
+  console.error('[DEBUG] Payload authChoice:', payload.authChoice);
+  console.error('[DEBUG] Payload authSecret length:', payload.authSecret?.length || 0);
+  console.error('[DEBUG] Config path:', configPath());
+
+  const onboard = await runCmd(MOLTBOT_NODE, moltArgs(onboardArgs));
+
+  console.error('[DEBUG] Onboard exit code:', onboard.code);
+  console.error('[DEBUG] isConfigured() after onboard:', isConfigured());
+  console.error('[DEBUG] Config file exists:', fs.existsSync(configPath()));
+
+  let extra = "";
+
+  const ok = onboard.code === 0 && isConfigured();
+
+  console.error('[DEBUG] Setup ok status:', ok, '(exit code:', onboard.code, ', configured:', isConfigured(), ')');
+
+  // Optional channel setup (only after successful onboarding, and only if the installed CLI supports it).
+  if (ok) {
+    console.error('[DEBUG] Configuring gateway settings...');
+
+    // Configure gateway to run in loopback mode without token authentication.
+    // The wrapper protects the gateway with SETUP_PASSWORD, so token auth is redundant
+    // and makes it difficult for the web UI to authenticate.
+    await runCmd(MOLTBOT_NODE, moltArgs(["config", "set", "gateway.auth.mode", "none"]));
+    await runCmd(MOLTBOT_NODE, moltArgs(["config", "set", "gateway.bind", "loopback"]));
+    await runCmd(MOLTBOT_NODE, moltArgs(["config", "set", "gateway.port", String(INTERNAL_GATEWAY_PORT)]));
+
+    console.error('[DEBUG] Gateway settings configured, restarting gateway...');
+
+    const channelsHelp = await runCmd(MOLTBOT_NODE, moltArgs(["channels", "add", "--help"]));
+    const helpText = channelsHelp.output || "";
+
+    const supports = (name) => helpText.includes(name);
+
+    if (payload.telegramToken?.trim()) {
+      if (!supports("telegram")) {
+        extra += "\n[telegram] skipped (this moltbot build does not list telegram in `channels add --help`)\n";
+      } else {
+        // Avoid `channels add` here (it has proven flaky across builds); write config directly.
+        const token = payload.telegramToken.trim();
+        const cfgObj = {
+          enabled: true,
+          dmPolicy: "pairing",
+          botToken: token,
+          groupPolicy: "allowlist",
+          streamMode: "partial",
+        };
+        const set = await runCmd(
+          MOLTBOT_NODE,
+          moltArgs(["config", "set", "--json", "channels.telegram", JSON.stringify(cfgObj)]),
+        );
+        const get = await runCmd(MOLTBOT_NODE, moltArgs(["config", "get", "channels.telegram"]));
+        extra += `\n[telegram config] exit=${set.code} (output ${set.output.length} chars)\n${set.output || "(no output)"}`;
+        extra += `\n[telegram verify] exit=${get.code} (output ${get.output.length} chars)\n${get.output || "(no output)"}`;
+      }
+    }
+
+    if (payload.discordToken?.trim()) {
+      if (!supports("discord")) {
+        extra += "\n[discord] skipped (this moltbot build does not list discord in `channels add --help`)\n";
+      } else {
+        const token = payload.discordToken.trim();
+        const cfgObj = {
+          enabled: true,
+          token,
+          groupPolicy: "allowlist",
+          dm: {
+            policy: "pairing",
+          },
+        };
+        const set = await runCmd(
+          MOLTBOT_NODE,
+          moltArgs(["config", "set", "--json", "channels.discord", JSON.stringify(cfgObj)]),
+        );
+        const get = await runCmd(MOLTBOT_NODE, moltArgs(["config", "get", "channels.discord"]));
+        extra += `\n[discord config] exit=${set.code} (output ${set.output.length} chars)\n${set.output || "(no output)"}`;
+        extra += `\n[discord verify] exit=${get.code} (output ${get.output.length} chars)\n${get.output || "(no output)"}`;
+      }
+    }
+
+    if (payload.slackBotToken?.trim() || payload.slackAppToken?.trim()) {
+      if (!supports("slack")) {
+        extra += "\n[slack] skipped (this moltbot build does not list slack in `channels add --help`)\n";
+      } else {
+        const cfgObj = {
+          enabled: true,
+          botToken: payload.slackBotToken?.trim() || undefined,
+          appToken: payload.slackAppToken?.trim() || undefined,
+        };
+        const set = await runCmd(
+          MOLTBOT_NODE,
+          moltArgs(["config", "set", "--json", "channels.slack", JSON.stringify(cfgObj)]),
+        );
+        const get = await runCmd(MOLTBOT_NODE, moltArgs(["config", "get", "channels.slack"]));
+        extra += `\n[slack config] exit=${set.code} (output ${set.output.length} chars)\n${set.output || "(no output)"}`;
+        extra += `\n[slack verify] exit=${get.code} (output ${get.output.length} chars)\n${get.output || "(no output)"}`;
+      }
+    }
+
+    // Apply changes immediately.
+    console.error('[DEBUG] Restarting gateway...');
+    await restartGateway();
+    console.error('[DEBUG] Gateway restarted, checking if running...');
+    const running = gatewayProc !== null;
+    console.error('[DEBUG] Gateway running after restart:', running);
+  }
+
+  console.error('[DEBUG] Returning response: ok=', ok);
+  return res.status(ok ? 200 : 500).json({
+    ok,
+    output: `${onboard.output}${extra}`,
+  });
+  } catch (err) {
+    console.error("[/setup/api/run] error:", err);
+    return res.status(500).json({ ok: false, output: `Internal error: ${String(err)}` });
+  }
+});
+
+app.get("/setup/api/debug", requireSetupAuth, async (_req, res) => {
+  const v = await runCmd(MOLTBOT_NODE, moltArgs(["--version"]));
+  const help = await runCmd(MOLTBOT_NODE, moltArgs(["channels", "add", "--help"]));
+  res.json({
+    wrapper: {
+      node: process.version,
+      port: PORT,
+      stateDir: STATE_DIR,
+      workspaceDir: WORKSPACE_DIR,
+      configPath: configPath(),
+      gatewayTokenFromEnv: Boolean(
+        process.env.MOLTBOT_GATEWAY_TOKEN?.trim() ||
+        process.env.CLAWDBOT_GATEWAY_TOKEN?.trim()
+      ),
+      gatewayTokenPersisted: fs.existsSync(path.join(STATE_DIR, "gateway.token")),
+      railwayCommit: process.env.RAILWAY_GIT_COMMIT_SHA || null,
+    },
+    moltbot: {
+      entry: MOLTBOT_ENTRY,
+      node: MOLTBOT_NODE,
+      version: v.output.trim(),
+      channelsAddHelpIncludesTelegram: help.output.includes("telegram"),
+    },
+  });
+});
+
+app.post("/setup/api/pairing/approve", requireSetupAuth, async (req, res) => {
+  const { channel, code } = req.body || {};
+  if (!channel || !code) {
+    return res.status(400).json({ ok: false, error: "Missing channel or code" });
+  }
+  const r = await runCmd(MOLTBOT_NODE, moltArgs(["pairing", "approve", String(channel), String(code)]));
+  return res.status(r.code === 0 ? 200 : 500).json({ ok: r.code === 0, output: r.output });
+});
+
+// Simple test endpoint to verify routing works
+app.get("/setup/api/test", requireSetupAuth, (_req, res) => {
+  console.error('[TEST] Test endpoint called');
+  res.json({ test: "ok", message: "Routing works!" });
+});
+
+// Debug endpoint to view config and gateway status
+app.get("/setup/api/debug", requireSetupAuth, async (_req, res) => {
+  try {
+    console.error('[DEBUG] Building debug info...');
+
+    const cfgPath = configPath();
+    console.error('[DEBUG] configPath():', cfgPath);
+
+    const cfgExists = fs.existsSync(cfgPath);
+    console.error('[DEBUG] config exists:', cfgExists);
+
+    const stateExists = fs.existsSync(STATE_DIR);
+    console.error('[DEBUG] state dir exists:', stateExists);
+
+    const workspaceExists = fs.existsSync(WORKSPACE_DIR);
+    console.error('[DEBUG] workspace dir exists:', workspaceExists);
+
+    const configured = isConfigured();
+    console.error('[DEBUG] isConfigured():', configured);
+
+    const info = {
+      configPath: cfgPath,
+      configExists: cfgExists,
+      stateDir: STATE_DIR,
+      stateDirExists: stateExists,
+      workspaceDir: WORKSPACE_DIR,
+      workspaceDirExists: workspaceExists,
+      gatewayRunning: gatewayProc !== null,
+      gatewayProcExists: gatewayProc !== null,
+      gatewayProcPid: gatewayProc?.pid || null,
+      configured: configured,
+    };
+
+    console.error('[DEBUG] Built info object:', JSON.stringify(info));
+
+    if (info.configExists) {
+      try {
+        info.configContent = JSON.parse(fs.readFileSync(cfgPath, "utf8"));
+        console.error('[DEBUG] Config content loaded');
+      } catch (e) {
+        info.configError = String(e);
+        console.error('[DEBUG] Config error:', e);
+      }
+    }
+
+    console.error('[DEBUG] Sending response');
+    res.json(info);
+  } catch (err) {
+    console.error('[DEBUG] Error in debug endpoint:', err);
+    res.status(500).json({ error: String(err), stack: err.stack });
+  }
+});
+
+app.post("/setup/api/reset", requireSetupAuth, async (_req, res) => {
+  // Minimal reset: delete the config file so /setup can rerun.
+  // Keep credentials/sessions/workspace by default.
+  try {
+    fs.rmSync(configPath(), { force: true });
+    res.type("text/plain").send("OK - deleted config file. You can rerun setup now.");
+  } catch (err) {
+    res.status(500).type("text/plain").send(String(err));
+  }
+});
+
+app.get("/setup/export", requireSetupAuth, async (_req, res) => {
+  fs.mkdirSync(STATE_DIR, { recursive: true });
+  fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
+
+  res.setHeader("content-type", "application/gzip");
+  res.setHeader(
+    "content-disposition",
+    `attachment; filename="moltbot-backup-${new Date().toISOString().replace(/[:.]/g, "-")}.tar.gz"`,
+  );
+
+  // Prefer exporting from a common /data root so archives are easy to inspect and restore.
+  // This preserves dotfiles like /data/.moltbot/moltbot.json.
+  const stateAbs = path.resolve(STATE_DIR);
+  const workspaceAbs = path.resolve(WORKSPACE_DIR);
+
+  const dataRoot = "/data";
+  const underData = (p) => p === dataRoot || p.startsWith(dataRoot + path.sep);
+
+  let cwd = "/";
+  let paths = [stateAbs, workspaceAbs].map((p) => p.replace(/^\//, ""));
+
+  if (underData(stateAbs) && underData(workspaceAbs)) {
+    cwd = dataRoot;
+    // We export relative to /data so the archive contains: .moltbot/... and workspace/...
+    paths = [
+      path.relative(dataRoot, stateAbs) || ".",
+      path.relative(dataRoot, workspaceAbs) || ".",
+    ];
+  }
+
+  const stream = tar.c(
+    {
+      gzip: true,
+      portable: true,
+      noMtime: true,
+      cwd,
+      onwarn: () => {},
+    },
+    paths,
+  );
+
+  stream.on("error", (err) => {
+    console.error("[export]", err);
+    if (!res.headersSent) res.status(500);
+    res.end(String(err));
+  });
+
+  stream.pipe(res);
+});
+
+// Proxy everything else to the gateway.
+const proxy = httpProxy.createProxyServer({
+  target: GATEWAY_TARGET,
+  ws: true,
+  xfwd: true,
+});
+
+proxy.on("error", (err, _req, _res) => {
+  console.error("[proxy]", err);
+});
+
+app.use(async (req, res) => {
+  // If not configured, force users to /setup for any non-setup routes.
+  if (!isConfigured() && !req.path.startsWith("/setup")) {
+    return res.redirect("/setup");
+  }
+
+  if (isConfigured()) {
+    try {
+      await ensureGatewayRunning();
+    } catch (err) {
+      return res.status(503).type("text/plain").send(`Gateway not ready: ${String(err)}`);
+    }
+  }
+
+  return proxy.web(req, res, { target: GATEWAY_TARGET });
+});
+
+const server = app.listen(PORT, "0.0.0.0", () => {
+  console.log(`[wrapper] listening on :${PORT}`);
+  console.log(`[wrapper] state dir: ${STATE_DIR}`);
+  console.log(`[wrapper] workspace dir: ${WORKSPACE_DIR}`);
+  console.log(`[wrapper] gateway token: ${MOLTBOT_GATEWAY_TOKEN ? "(set)" : "(missing)"}`);
+  console.log(`[wrapper] gateway target: ${GATEWAY_TARGET}`);
+  if (!SETUP_PASSWORD) {
+    console.warn("[wrapper] WARNING: SETUP_PASSWORD is not set; /setup will error.");
+  }
+  // Don't start gateway unless configured; proxy will ensure it starts.
+});
+
+server.on("upgrade", async (req, socket, head) => {
+  if (!isConfigured()) {
+    socket.destroy();
+    return;
+  }
+  try {
+    await ensureGatewayRunning();
+  } catch {
+    socket.destroy();
+    return;
+  }
+  proxy.ws(req, socket, head, { target: GATEWAY_TARGET });
+});
+
+process.on("SIGTERM", () => {
+  // Best-effort shutdown
+  try {
+    if (gatewayProc) gatewayProc.kill("SIGTERM");
+  } catch {
+    // ignore
+  }
+  process.exit(0);
+});

src/setup-app.js

@@ -0,0 +1,302 @@
+// Served at /setup/app.js
+// No fancy syntax: keep it maximally compatible.
+
+(function () {
+  var statusEl = document.getElementById('status');
+  var authGroupEl = document.getElementById('authGroup');
+  var authChoiceEl = document.getElementById('authChoice');
+  var logEl = document.getElementById('log');
+
+  function setStatus(s) {
+    statusEl.textContent = s;
+  }
+
+  // Provider template handling
+  window.useProvider = function(providerId) {
+    httpJson('/setup/api/templates/' + providerId)
+      .then(function(tmpl) {
+        // Set auth choice
+        if (tmpl.authChoice) {
+          authChoiceEl.value = tmpl.authChoice;
+          // Trigger change to update options if needed
+          if (authGroupEl) {
+            authGroupEl.value = tmpl.authChoice.split('-')[0] || tmpl.authChoice;
+            authGroupEl.dispatchEvent(new Event('change'));
+          }
+        }
+
+        // Set placeholders and help text
+        var authSecretEl = document.getElementById('authSecret');
+        if (authSecretEl && tmpl.fields.authSecret) {
+          authSecretEl.placeholder = tmpl.fields.authSecret.placeholder || '';
+          var helpEl = document.getElementById('authSecretHelp');
+          if (helpEl) {
+            helpEl.textContent = tmpl.fields.authSecret.help || '';
+            helpEl.style.display = 'block';
+          }
+        }
+
+        // Set base URL if provided
+        if (tmpl.fields.baseUrl && tmpl.fields.baseUrl.default) {
+          var baseUrlEl = document.getElementById('baseUrl');
+          if (baseUrlEl) {
+            baseUrlEl.value = tmpl.fields.baseUrl.default;
+          }
+        }
+
+        logEl.textContent += '\nSelected provider: ' + tmpl.name + '\n';
+      })
+      .catch(function(err) {
+        logEl.textContent += '\nError loading template: ' + String(err) + '\n';
+      });
+  };
+
+  // Validate token on blur
+  window.validateToken = function() {
+    var authChoice = authChoiceEl.value;
+    var token = document.getElementById('authSecret').value.trim();
+    var baseUrl = document.getElementById('baseUrl') ? document.getElementById('baseUrl').value.trim() : '';
+
+    if (!authChoice || !token) {
+      return;
+    }
+
+    var validateBtn = document.getElementById('validateBtn');
+    if (validateBtn) {
+      validateBtn.textContent = 'Validating...';
+      validateBtn.disabled = true;
+    }
+
+    httpJson('/setup/api/validate-token', {
+      method: 'POST',
+      body: JSON.stringify({ provider: authChoice, token: token, baseUrl: baseUrl })
+    }).then(function(result) {
+      if (validateBtn) {
+        validateBtn.textContent = result.valid ? '✓ Valid' : '✗ Invalid';
+        validateBtn.disabled = false;
+        validateBtn.style.backgroundColor = result.valid ? '#28a745' : '#dc3545';
+      }
+
+      var msg = result.valid ? 'Token validated successfully for ' + result.provider : 'Validation failed: ' + result.error;
+      logEl.textContent += '\n' + msg + '\n';
+    }).catch(function(err) {
+      if (validateBtn) {
+        validateBtn.textContent = 'Validate Token';
+        validateBtn.disabled = false;
+      }
+      logEl.textContent += '\nValidation error: ' + String(err) + '\n';
+    });
+  };
+
+  // Pre-flight checks
+  window.runPreflightChecks = function() {
+    var resultsEl = document.getElementById('preflightResults');
+    resultsEl.innerHTML = 'Running checks...';
+    resultsEl.style.color = '#555';
+
+    httpJson('/setup/api/check')
+      .then(function(data) {
+        var html = '<div style="margin-top:0.75rem">';
+        html += '<strong>' + data.summary + '</strong><br><br>';
+
+        data.checks.forEach(function(check) {
+          var icon = check.status === 'ok' ? '✅' : check.status === 'warning' ? '⚠️' : '❌';
+          var color = check.status === 'ok' ? '#28a745' : check.status === 'warning' ? '#ffc107' : '#dc3545';
+          html += '<div style="margin:0.25rem 0; color:' + color + '">';
+          html += icon + ' <strong>' + check.name + ':</strong> ' + check.message;
+          html += '</div>';
+        });
+
+        html += '</div>';
+        resultsEl.innerHTML = html;
+      })
+      .catch(function(err) {
+        resultsEl.innerHTML = '<div style="color:#dc3545; margin-top:0.75rem;">Error: ' + String(err) + '</div>';
+      });
+  };
+
+  function renderAuth(groups) {
+    authGroupEl.innerHTML = '';
+    for (var i = 0; i < groups.length; i++) {
+      var g = groups[i];
+      var opt = document.createElement('option');
+      opt.value = g.value;
+      opt.textContent = g.label + (g.hint ? ' - ' + g.hint : '');
+      authGroupEl.appendChild(opt);
+    }
+
+    authGroupEl.onchange = function () {
+      var sel = null;
+      for (var j = 0; j < groups.length; j++) {
+        if (groups[j].value === authGroupEl.value) sel = groups[j];
+      }
+      authChoiceEl.innerHTML = '';
+      var opts = (sel && sel.options) ? sel.options : [];
+      for (var k = 0; k < opts.length; k++) {
+        var o = opts[k];
+        var opt2 = document.createElement('option');
+        opt2.value = o.value;
+        opt2.textContent = o.label + (o.hint ? ' - ' + o.hint : '');
+        authChoiceEl.appendChild(opt2);
+      }
+    };
+
+    authGroupEl.onchange();
+  }
+
+  function httpJson(url, opts) {
+    opts = opts || {};
+    opts.credentials = 'same-origin';
+    return fetch(url, opts).then(function (res) {
+      if (!res.ok) {
+        return res.text().then(function (t) {
+          throw new Error('HTTP ' + res.status + ': ' + (t || res.statusText));
+        });
+      }
+      return res.json();
+    });
+  }
+
+  function refreshStatus() {
+    setStatus('Loading...');
+    return httpJson('/setup/api/status').then(function (j) {
+      var ver = j.moltbotVersion ? (' | ' + j.moltbotVersion) : '';
+      setStatus((j.configured ? 'Configured - open /moltbot' : 'Not configured - run setup below') + ver);
+      renderAuth(j.authGroups || []);
+      // If channels are unsupported, surface it for debugging.
+      if (j.channelsAddHelp && j.channelsAddHelp.indexOf('telegram') === -1) {
+        logEl.textContent += '\nNote: this moltbot build does not list telegram in `channels add --help`. Telegram auto-add will be skipped.\n';
+      }
+
+    }).catch(function (e) {
+      setStatus('Error: ' + String(e));
+    });
+  }
+
+  document.getElementById('run').onclick = function () {
+    var payload = {
+      flow: document.getElementById('flow').value,
+      authChoice: authChoiceEl.value,
+      authSecret: document.getElementById('authSecret').value,
+      telegramToken: document.getElementById('telegramToken').value,
+      discordToken: document.getElementById('discordToken').value,
+      slackBotToken: document.getElementById('slackBotToken').value,
+      slackAppToken: document.getElementById('slackAppToken').value
+    };
+
+    logEl.textContent = 'Running...\n';
+
+    fetch('/setup/api/run', {
+      method: 'POST',
+      credentials: 'same-origin',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(payload)
+    }).then(function (res) {
+      return res.text();
+    }).then(function (text) {
+      var j;
+      try { j = JSON.parse(text); } catch (_e) { j = { ok: false, output: text }; }
+      logEl.textContent += (j.output || JSON.stringify(j, null, 2));
+      return refreshStatus();
+    }).catch(function (e) {
+      logEl.textContent += '\nError: ' + String(e) + '\n';
+    });
+  };
+
+  // Pairing approve helper
+  var pairingBtn = document.getElementById('pairingApprove');
+  if (pairingBtn) {
+    pairingBtn.onclick = function () {
+      var channel = prompt('Enter channel (telegram or discord):');
+      if (!channel) return;
+      channel = channel.trim().toLowerCase();
+      if (channel !== 'telegram' && channel !== 'discord') {
+        alert('Channel must be "telegram" or "discord"');
+        return;
+      }
+      var code = prompt('Enter pairing code (e.g. 3EY4PUYS):');
+      if (!code) return;
+      logEl.textContent += '\nApproving pairing for ' + channel + '...\n';
+      fetch('/setup/api/pairing/approve', {
+        method: 'POST',
+        credentials: 'same-origin',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ channel: channel, code: code.trim() })
+      }).then(function (r) { return r.text(); })
+        .then(function (t) { logEl.textContent += t + '\n'; })
+        .catch(function (e) { logEl.textContent += 'Error: ' + String(e) + '\n'; });
+    };
+  }
+
+  document.getElementById('reset').onclick = function () {
+    if (!confirm('Reset setup? This deletes the config file so onboarding can run again.')) return;
+    logEl.textContent = 'Resetting...\n';
+    fetch('/setup/api/reset', { method: 'POST', credentials: 'same-origin' })
+      .then(function (res) { return res.text(); })
+      .then(function (t) { logEl.textContent += t + '\n'; return refreshStatus(); })
+      .catch(function (e) { logEl.textContent += 'Error: ' + String(e) + '\n'; });
+  };
+
+  // Debug button handler
+  var debugBtn = document.getElementById('debug');
+  if (debugBtn) {
+    debugBtn.onclick = function () {
+      logEl.textContent = 'Fetching debug info...\n';
+      httpJson('/setup/api/debug')
+        .then(function (info) {
+          // Check for error response
+          if (info.error) {
+            logEl.textContent = 'ERROR: ' + info.error + '\n';
+            if (info.stack) {
+              logEl.textContent += 'Stack: ' + info.stack + '\n';
+            }
+            return;
+          }
+
+          logEl.textContent = 'DEBUG INFO:\n';
+          logEl.textContent += '================\n';
+          logEl.textContent += 'Configured: ' + info.configured + '\n';
+          logEl.textContent += 'Config path: ' + info.configPath + '\n';
+          logEl.textContent += 'Config exists: ' + info.configExists + '\n';
+          logEl.textContent += 'State dir: ' + info.stateDir + ' (exists: ' + info.stateDirExists + ')\n';
+          logEl.textContent += 'Workspace dir: ' + info.workspaceDir + ' (exists: ' + info.workspaceDirExists + ')\n';
+          logEl.textContent += 'Gateway running: ' + info.gatewayRunning + '\n';
+          logEl.textContent += 'Gateway proc exists: ' + info.gatewayProcExists + '\n';
+          logEl.textContent += 'Gateway proc PID: ' + info.gatewayProcPid + '\n';
+          if (info.configContent) {
+            logEl.textContent += '\nConfig content:\n' + JSON.stringify(info.configContent, null, 2) + '\n';
+          } else if (info.configError) {
+            logEl.textContent += '\nConfig error: ' + info.configError + '\n';
+          }
+          logEl.textContent += '================\n';
+        })
+        .catch(function (e) { logEl.textContent += 'Error: ' + String(e) + '\n'; });
+    };
+  }
+
+  // Test endpoint button handler
+  var testBtn = document.getElementById('test');
+  if (testBtn) {
+    testBtn.onclick = function () {
+      logEl.textContent = 'Testing endpoint...\n';
+      httpJson('/setup/api/test')
+        .then(function (result) {
+          logEl.textContent = 'TEST RESULT:\n';
+          logEl.textContent += '============\n';
+          logEl.textContent += JSON.stringify(result, null, 2) + '\n';
+          logEl.textContent += '============\n';
+          if (result.test === 'ok') {
+            logEl.textContent += '\n✅ Routing and authentication work!\n';
+          }
+        })
+        .catch(function (e) { logEl.textContent += 'Error: ' + String(e) + '\n'; });
+    };
+  }
+
+  refreshStatus();
+
+  // Run pre-flight checks on load
+  setTimeout(function() {
+    runPreflightChecks();
+  }, 500);
+})();