fix: revert auth to password mode, add Telegram API auto-probe, background DNS

1. Revert auth from token back to password (fixes token_mismatch on Control UI)
2. Add Telegram API base auto-probe: probes api.telegram.org, mirrors, and
Cloudflare Pages proxy at startup; selects first working endpoint
3. Revert DNS resolution from blocking (141s delay) to background
4. Add TELEGRAM_BOT_TOKEN and TELEGRAM_API_BASE env vars to README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -116,6 +116,8 @@ Fine-tune persistence and performance. Set these as **Repository Secrets** in HF
 | `AUTO_CREATE_DATASET` | `false` | **Auto-create the Dataset repo.** Default is `false` for security. Set to `true` to let HuggingClaw automatically create a **private** Dataset repo on first startup (and auto-derive the repo name from your `HF_TOKEN` if `OPENCLAW_DATASET_REPO` is not set). Accepted values: `true`, `1`, `yes` / `false`, `0`, `no`. |
 | `SYNC_INTERVAL` | `60` | **Backup interval in seconds.** How often HuggingClaw syncs `~/.openclaw` to the Dataset repo. Lower = safer but more API calls. Recommended: `60`–`300`. |
 | `NODE_MEMORY_LIMIT` | `512` | **Node.js heap memory limit in MB.** HF free tier provides 16 GB RAM; 512 MB is enough for most cases. Increase for complex agent workflows. |
+| `TELEGRAM_BOT_TOKEN` | — | **Telegram bot token.** If set, HuggingClaw auto-probes Telegram API endpoints at startup and selects a working one (HF Spaces blocks `api.telegram.org`). You can also configure the bot token in the Control UI. |
+| `TELEGRAM_API_BASE` | — | **Force a specific Telegram API base URL.** Skips auto-probe. Example: `https://telegram-api.mykdigi.com`. Only needed if auto-probe doesn't find a working endpoint. |
 | `TZ` | `UTC` | **Timezone** for log timestamps. Example: `Asia/Shanghai`, `America/New_York`. |
 
 > For the full list (including `OPENAI_BASE_URL`, `OLLAMA_HOST`, proxy settings, etc.), see [`.env.example`](.env.example).
@@ -126,6 +128,8 @@ Visit your Space URL. Click the settings icon, enter your password, and connect.
 
 Messaging integrations (Telegram, WhatsApp) can be configured directly inside the Control UI after connecting.
 
+> **Telegram note:** HF Spaces blocks `api.telegram.org` DNS. HuggingClaw automatically probes alternative API endpoints at startup and selects one that works — no manual configuration needed.
+
 ## Configuration
 
 HuggingClaw supports **all OpenClaw environment variables** — it passes the entire environment to the OpenClaw process (`env=os.environ.copy()`), so any variable from the [OpenClaw docs](https://openclawdoc.com/docs/reference/environment-variables) works out of the box in HF Spaces. This includes:

openclaw.json

@@ -3,7 +3,7 @@
     "mode": "local",
     "bind": "lan",
     "port": 7860,
-    "auth": { "token": "__OPENCLAW_PASSWORD__" },
+    "auth": { "password": "__OPENCLAW_PASSWORD__" },
     "trustedProxies": [
       "0.0.0.0/0"
     ],

scripts/entrypoint.sh

@@ -6,12 +6,13 @@ BOOT_START=$(date +%s)
 echo "[entrypoint] OpenClaw HuggingFace Spaces Entrypoint"
 echo "[entrypoint] ======================================="
 
-# ── DNS pre-resolution (BLOCKING — needed before app starts) ──────────────
-echo "[entrypoint] Resolving WhatsApp & Telegram domains via DNS-over-HTTPS..."
-DNS_START=$(date +%s)
-python3 /home/node/scripts/dns-resolve.py /tmp/dns-resolved.json 2>&1
-DNS_END=$(date +%s)
-echo "[TIMER] DNS pre-resolve: $((DNS_END - DNS_START))s"
+# ── DNS pre-resolution (background — non-blocking) ───────────────────────
+# Resolves WhatsApp domains via DoH for dns-fix.cjs to consume.
+# Telegram connectivity is handled by API base auto-probe in sync_hf.py.
+echo "[entrypoint] Starting DNS resolution in background..."
+python3 /home/node/scripts/dns-resolve.py /tmp/dns-resolved.json 2>&1 &
+DNS_PID=$!
+echo "[entrypoint] DNS resolver PID: $DNS_PID"
 
 # ── Node.js memory limit (only if explicitly set) ─────────────────────────
 if [ -n "$NODE_MEMORY_LIMIT" ]; then

scripts/sync_hf.py

@@ -22,6 +22,8 @@ import shutil
 import tempfile
 import traceback
 import re
+import urllib.request
+import ssl
 from pathlib import Path
 from datetime import datetime
 # Set timeout BEFORE importing huggingface_hub
@@ -100,6 +102,73 @@ log_dir.mkdir(parents=True, exist_ok=True)
 sys.stdout = TeeLogger(log_dir / "sync.log", sys.stdout)
 sys.stderr = sys.stdout
 
+# ── Telegram API Base Auto-Probe ────────────────────────────────────────────
+
+# HF Spaces blocks DNS for api.telegram.org. Probe multiple API bases at
+# startup and pick the first one that responds to getMe.  The working base
+# is then injected into the OpenClaw Telegram channel config.
+
+# User can force a specific base via env var (skip auto-probe)
+TELEGRAM_API_BASE = os.environ.get("TELEGRAM_API_BASE", "")
+
+TELEGRAM_API_BASES = [
+    "https://api.telegram.org",                         # official
+    "https://telegram-api.mykdigi.com",                 # known mirror
+    "https://telegram-api-proxy-anonymous.pages.dev/api",  # Cloudflare Pages proxy
+]
+
+def probe_telegram_api(bot_token: str, timeout: int = 10) -> str:
+    """Probe multiple Telegram API base URLs and return the first working one.
+    Returns the working base URL (without trailing slash), or empty string if none work.
+    """
+    if not bot_token:
+        return ""
+
+    ctx = ssl.create_default_context()
+    for base in TELEGRAM_API_BASES:
+        url = f"{base}/bot{bot_token}/getMe"
+        try:
+            req = urllib.request.Request(url, method="GET")
+            resp = urllib.request.urlopen(req, timeout=timeout, context=ctx)
+            data = json.loads(resp.read().decode())
+            if data.get("ok"):
+                bot_name = data.get("result", {}).get("username", "unknown")
+                print(f"[TELEGRAM] ✓ API base works: {base} (bot: @{bot_name})")
+                return base.rstrip("/")
+        except Exception as e:
+            reason = str(e)[:80]
+            print(f"[TELEGRAM] ✗ API base failed: {base} ({reason})")
+            continue
+
+    print("[TELEGRAM] WARNING: All API bases failed! Telegram will not work.")
+    return ""
+
+def get_telegram_bot_token() -> str:
+    """Extract Telegram bot token from OpenClaw config or environment."""
+    # 1. Environment variable
+    token = os.environ.get("TELEGRAM_BOT_TOKEN", "")
+    if token:
+        return token
+
+    # 2. From openclaw.json channels config
+    config_path = OPENCLAW_HOME / "openclaw.json"
+    if config_path.exists():
+        try:
+            with open(config_path) as f:
+                cfg = json.load(f)
+            # Check channels.telegram.botToken (single account)
+            tg = cfg.get("channels", {}).get("telegram", {})
+            if tg.get("botToken"):
+                return tg["botToken"]
+            # Check channels.telegram.accounts.*.botToken (multi account)
+            for acc in tg.get("accounts", {}).values():
+                if isinstance(acc, dict) and acc.get("botToken"):
+                    return acc["botToken"]
+        except Exception:
+            pass
+    return ""
+
+
 # ── Sync Manager ────────────────────────────────────────────────────────────
 
 class OpenClawFullSync:
@@ -292,8 +361,8 @@ class OpenClawFullSync:
                     cfg = json.load(f)
                 # Replace token placeholder
                 if "gateway" in cfg and "auth" in cfg["gateway"]:
-                    if cfg["gateway"]["auth"].get("token") == "__OPENCLAW_PASSWORD__":
-                        cfg["gateway"]["auth"]["token"] = OPENCLAW_PASSWORD
+                    if cfg["gateway"]["auth"].get("password") == "__OPENCLAW_PASSWORD__":
+                        cfg["gateway"]["auth"]["password"] = OPENCLAW_PASSWORD
                 if OPENAI_API_KEY and "models" in cfg and "providers" in cfg["models"] and "openai" in cfg["models"]["providers"]:
                     cfg["models"]["providers"]["openai"]["apiKey"] = OPENAI_API_KEY
                     if OPENAI_BASE_URL:
@@ -364,10 +433,9 @@ class OpenClawFullSync:
                     data["plugins"]["locations"] = [l for l in locs if l != "/dev/null"]
 
             # Force full gateway config for HF Spaces
-            # Token auth: persisted in browser localStorage after first entry
             if not OPENCLAW_PASSWORD:
                 print("[SYNC] WARNING: OPENCLAW_PASSWORD not set! Gateway will have no auth.")
-            auth = {"token": OPENCLAW_PASSWORD} if OPENCLAW_PASSWORD else {}
+            auth = {"password": OPENCLAW_PASSWORD} if OPENCLAW_PASSWORD else {}
             # Dynamic allowedOrigins from SPACE_HOST (auto-set by HF runtime)
             allowed_origins = [
                 "https://huggingface.co",
@@ -388,7 +456,7 @@ class OpenClawFullSync:
                     "allowedOrigins": allowed_origins
                 }
             }
-            print(f"[SYNC] Set gateway config (auth={'token' if OPENCLAW_PASSWORD else 'none'}, origins={len(allowed_origins)})")
+            print(f"[SYNC] Set gateway config (auth={'password' if OPENCLAW_PASSWORD else 'none'}, origins={len(allowed_origins)})")
 
             # Ensure agents defaults
             data.setdefault("agents", {}).setdefault("defaults", {}).setdefault("model", {})
@@ -428,6 +496,35 @@ class OpenClawFullSync:
             elif isinstance(data["plugins"]["entries"]["telegram"], dict):
                 data["plugins"]["entries"]["telegram"]["enabled"] = True
 
+            # ── Telegram API base auto-probe ──────────────────────────────
+            # HF Spaces blocks api.telegram.org DNS. Probe mirrors and set
+            # the working base URL in the channel config so grammY uses it.
+            if TELEGRAM_API_BASE:
+                # User explicitly set a base via env var — use it directly
+                data.setdefault("channels", {}).setdefault("telegram", {})
+                data["channels"]["telegram"]["apiRoot"] = TELEGRAM_API_BASE.rstrip("/")
+                print(f"[TELEGRAM] Using user-specified API base: {TELEGRAM_API_BASE}")
+            else:
+                bot_token = get_telegram_bot_token()
+                if bot_token:
+                    print("[TELEGRAM] Probing Telegram API bases...")
+                    working_base = probe_telegram_api(bot_token)
+                    if working_base and working_base != "https://api.telegram.org":
+                        # Set apiRoot in channels.telegram for OpenClaw/grammY
+                        data.setdefault("channels", {}).setdefault("telegram", {})
+                        data["channels"]["telegram"]["apiRoot"] = working_base
+                        print(f"[TELEGRAM] Set channels.telegram.apiRoot = {working_base}")
+                    elif working_base:
+                        # Official API works — remove any previously set mirror
+                        tg_ch = data.get("channels", {}).get("telegram", {})
+                        if tg_ch.get("apiRoot"):
+                            del tg_ch["apiRoot"]
+                            print("[TELEGRAM] Official API works — cleared apiRoot override")
+                        else:
+                            print("[TELEGRAM] Official API works — no override needed")
+                else:
+                    print("[TELEGRAM] No bot token found — skipping API probe")
+
             with open(config_path, "w") as f:
                 json.dump(data, f, indent=2)
             print("[SYNC] Config patched and saved.")