feat: implement real-time channel status monitoring and add authentication failure cooldowns to guardian and health server

README.md

@@ -289,6 +289,7 @@ HuggingClaw keeps the Space awake without external cron tools:
 - **Backup restore failing:** Make sure `HF_USERNAME` and `HF_TOKEN` are correct (token needs write access to your Dataset).
 - **Space keeps sleeping:** Check logs for `Keep-alive` messages. Ensure `KEEP_ALIVE_INTERVAL` isn’t set to `0`.
 - **Auth errors / proxy:** If you see reverse-proxy auth errors, add the logged IPs under `TRUSTED_PROXIES` (from logs `remote=x.x.x.x`).
+- **Control UI says too many failed authentication attempts:** Wait for the retry window to expire, then open the Space in an incognito window or clear site storage for your Space before entering the current `GATEWAY_TOKEN` again.
 - **UI blocked (CORS):** Set `ALLOWED_ORIGINS=https://your-space-name.hf.space`.
 - **Version mismatches:** Pin a specific OpenClaw build with the `OPENCLAW_VERSION` Variable in HF Spaces, or `--build-arg OPENCLAW_VERSION=...` locally.
 

health-server.js

@@ -2,13 +2,24 @@
 const http = require("http");
 const fs = require("fs");
 const net = require("net");
+const { randomUUID } = require("node:crypto");
 
 const PORT = 7861;
 const GATEWAY_PORT = 7860;
 const GATEWAY_HOST = "127.0.0.1";
 const startTime = Date.now();
 const LLM_MODEL = process.env.LLM_MODEL || "Not Set";
+const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "";
 const TELEGRAM_ENABLED = !!process.env.TELEGRAM_BOT_TOKEN;
+const GATEWAY_STATUS_CACHE_MS = 5000;
+
+let gatewayStatusCache = {
+  expiresAt: 0,
+  value: {
+    whatsapp: { configured: true, connected: false },
+    telegram: { configured: TELEGRAM_ENABLED, connected: false },
+  },
+};
 
 function getPathname(url) {
   try {
@@ -60,6 +71,117 @@ function readSyncStatus() {
   return { status: "unknown", message: "No sync data yet" };
 }
 
+function normalizeChannelStatus(channel, configured) {
+  return {
+    configured: configured || !!channel,
+    connected: !!(channel && channel.connected),
+  };
+}
+
+function extractErrorMessage(msg) {
+  if (!msg || typeof msg !== "object") return "Unknown error";
+  if (typeof msg.error === "string") return msg.error;
+  if (msg.error && typeof msg.error.message === "string") return msg.error.message;
+  if (typeof msg.message === "string") return msg.message;
+  return "Unknown error";
+}
+
+function createGatewayConnection() {
+  return new Promise((resolve, reject) => {
+    const { WebSocket } = require("/home/node/.openclaw/openclaw-app/node_modules/ws");
+    const ws = new WebSocket(`ws://${GATEWAY_HOST}:${GATEWAY_PORT}`);
+    let resolved = false;
+
+    ws.on("message", (data) => {
+      const msg = JSON.parse(data.toString());
+
+      if (msg.type === "event" && msg.event === "connect.challenge") {
+        ws.send(JSON.stringify({
+          type: "req",
+          id: randomUUID(),
+          method: "connect",
+          params: {
+            auth: { token: GATEWAY_TOKEN },
+            client: { id: "health-server", platform: "linux", mode: "backend", version: "1.0.0" },
+            scopes: ["operator.read"],
+          },
+        }));
+        return;
+      }
+
+      if (!resolved && msg.type === "res" && msg.ok === false) {
+        resolved = true;
+        ws.close();
+        reject(new Error(extractErrorMessage(msg)));
+        return;
+      }
+
+      if (!resolved && msg.type === "res" && msg.ok) {
+        resolved = true;
+        resolve(ws);
+      }
+    });
+
+    ws.on("error", (error) => {
+      if (!resolved) reject(error);
+    });
+
+    setTimeout(() => {
+      if (!resolved) {
+        ws.close();
+        reject(new Error("Timeout"));
+      }
+    }, 10000);
+  });
+}
+
+function callGatewayRpc(ws, method, params) {
+  return new Promise((resolve, reject) => {
+    const id = randomUUID();
+    const handler = (data) => {
+      const msg = JSON.parse(data.toString());
+      if (msg.id === id) {
+        ws.removeListener("message", handler);
+        resolve(msg);
+      }
+    };
+
+    ws.on("message", handler);
+    ws.send(JSON.stringify({ type: "req", id, method, params }));
+
+    setTimeout(() => {
+      ws.removeListener("message", handler);
+      reject(new Error("RPC Timeout"));
+    }, 15000);
+  });
+}
+
+async function getGatewayChannelStatus() {
+  if (Date.now() < gatewayStatusCache.expiresAt) {
+    return gatewayStatusCache.value;
+  }
+
+  let ws;
+  try {
+    ws = await createGatewayConnection();
+    const statusRes = await callGatewayRpc(ws, "channels.status", {});
+    const channels = (statusRes.payload || statusRes.result)?.channels || {};
+    const value = {
+      whatsapp: normalizeChannelStatus(channels.whatsapp, true),
+      telegram: normalizeChannelStatus(channels.telegram, TELEGRAM_ENABLED),
+    };
+    gatewayStatusCache = {
+      expiresAt: Date.now() + GATEWAY_STATUS_CACHE_MS,
+      value,
+    };
+    return value;
+  } catch {
+    return gatewayStatusCache.value;
+  } finally {
+    if (ws) ws.close();
+  }
+}
+
 function renderDashboard() {
   return `
 <!DOCTYPE html>
@@ -286,13 +408,18 @@ function renderDashboard() {
                 document.getElementById('model-id').textContent = data.model;
                 document.getElementById('uptime').textContent = data.uptime;
 
-                document.getElementById('wa-status').innerHTML = data.whatsapp
-                    ? '<div class="status-badge status-online"><div class="pulse"></div>Active</div>'
-                    : '<div class="status-badge status-offline">Disabled</div>';
+                function renderChannelStatus(channel, configuredLabel) {
+                    if (channel && channel.connected) {
+                        return '<div class="status-badge status-online"><div class="pulse"></div>Active</div>';
+                    }
+                    if (channel && channel.configured) {
+                        return '<div class="status-badge status-syncing">' + configuredLabel + '</div>';
+                    }
+                    return '<div class="status-badge status-offline">Disabled</div>';
+                }
 
-                document.getElementById('tg-status').innerHTML = data.telegram
-                    ? '<div class="status-badge status-online"><div class="pulse"></div>Active</div>'
-                    : '<div class="status-badge status-offline">Disabled</div>';
+                document.getElementById('wa-status').innerHTML = renderChannelStatus(data.whatsapp, 'Ready to pair');
+                document.getElementById('tg-status').innerHTML = renderChannelStatus(data.telegram, 'Configured');
 
                 const syncData = data.sync;
                 let badgeClass = 'status-offline';
@@ -436,16 +563,19 @@ const server = http.createServer((req, res) => {
   }
 
   if (pathname === "/status") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(
-      JSON.stringify({
-        model: LLM_MODEL,
-        whatsapp: true,
-        telegram: TELEGRAM_ENABLED,
-        sync: readSyncStatus(),
-        uptime: uptimeHuman,
-      }),
-    );
+    void (async () => {
+      const channelStatus = await getGatewayChannelStatus();
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          model: LLM_MODEL,
+          whatsapp: channelStatus.whatsapp,
+          telegram: channelStatus.telegram,
+          sync: readSyncStatus(),
+          uptime: uptimeHuman,
+        }),
+      );
+    })();
     return;
   }
 

start.sh

@@ -176,7 +176,7 @@ CONFIG_JSON=$(cat <<'CONFIGEOF'
     "controlUi": {
       "allowInsecureAuth": true
     },
-    "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+    "trustedProxies": ["127.0.0.1/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
   },
   "channels": {},
   "plugins": {
@@ -206,10 +206,11 @@ if [ -n "$OPENCLAW_PASSWORD" ]; then
 fi
 
 # Trusted proxies (optional — fixes "Proxy headers detected from untrusted address" on HF Spaces)
-# Set TRUSTED_PROXIES as comma-separated IPs, e.g. "10.20.31.87,10.20.26.157"
+# Set TRUSTED_PROXIES as comma-separated IPs/CIDRs, e.g. "10.20.31.87,10.20.26.157"
+# Loopback proxies stay trusted by default so the local dashboard reverse proxy works correctly.
 if [ -n "$TRUSTED_PROXIES" ]; then
   PROXIES_JSON=$(echo "$TRUSTED_PROXIES" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | jq -R . | jq -s .)
-  CONFIG_JSON=$(echo "$CONFIG_JSON" | jq ".gateway.trustedProxies = $PROXIES_JSON")
+  CONFIG_JSON=$(echo "$CONFIG_JSON" | jq ".gateway.trustedProxies += $PROXIES_JSON | .gateway.trustedProxies |= unique")
 fi
 
 # Allowed origins (optional — lock down Control UI to specific URLs)

wa-guardian.js

@@ -14,9 +14,20 @@ const GATEWAY_URL = "ws://127.0.0.1:7860";
 const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "huggingclaw";
 const CHECK_INTERVAL = 5000;
 const WAIT_TIMEOUT = 120000;
+const AUTH_FAILURE_COOLDOWN = 5 * 60 * 1000;
 
 let isWaiting = false;
 let hasShownWaitMessage = false;
+let authFailureUntil = 0;
+let authFailureLogged = false;
+
+function extractErrorMessage(msg) {
+  if (!msg || typeof msg !== "object") return "Unknown error";
+  if (typeof msg.error === "string") return msg.error;
+  if (msg.error && typeof msg.error.message === "string") return msg.error.message;
+  if (typeof msg.message === "string") return msg.message;
+  return "Unknown error";
+}
 
 async function createConnection() {
   return new Promise((resolve, reject) => {
@@ -40,6 +51,13 @@ async function createConnection() {
         return;
       }
 
+      if (!resolved && msg.type === "res" && msg.ok === false) {
+        resolved = true;
+        ws.close();
+        reject(new Error(extractErrorMessage(msg)));
+        return;
+      }
+
       if (!resolved && msg.type === "res" && msg.ok) {
         resolved = true;
         resolve(ws);
@@ -69,10 +87,13 @@ async function callRpc(ws, method, params) {
 
 async function checkStatus() {
   if (isWaiting) return;
+  if (Date.now() < authFailureUntil) return;
 
   let ws;
   try {
     ws = await createConnection();
+    authFailureUntil = 0;
+    authFailureLogged = false;
 
     // Check if WhatsApp channel exists and its status
     const statusRes = await callRpc(ws, "channels.status", {});
@@ -114,6 +135,14 @@ async function checkStatus() {
     }
 
   } catch (e) {
+    const message = e && e.message ? e.message : "";
+    if (/unauthorized|authentication|too many failed/i.test(message)) {
+      authFailureUntil = Date.now() + AUTH_FAILURE_COOLDOWN;
+      if (!authFailureLogged) {
+        console.log(`[guardian] Authentication failed (${message}). Pausing guardian retries for ${AUTH_FAILURE_COOLDOWN / 60000} minutes.`);
+        authFailureLogged = true;
+      }
+    }
     // Normal timeout or gateway starting up
   } finally {
     isWaiting = false;