refactor: condense code formatting and add OpenClaw scope-clearing patch to startup script

start.sh

@@ -264,6 +264,41 @@ chmod 600 /home/node/.openclaw/openclaw.json
 # This preload script keeps iframe embedding working on HF Spaces.
 export NODE_OPTIONS="${NODE_OPTIONS:+$NODE_OPTIONS }--require /home/node/app/iframe-fix.cjs"
 
+# ── Patch OpenClaw scope-clearing bug for headless HF auth ──
+# OpenClaw can clear requested operator scopes after allowing a token-auth
+# connection without device identity, which breaks the WhatsApp guardian's
+# web.login.wait / channels.status calls on Spaces.
+patch_openclaw_scope_bug() {
+  local roots=(
+    "/home/node/.openclaw/openclaw-app"
+    "/usr/local/lib/node_modules/openclaw"
+  )
+  local target=""
+  local updated=0
+
+  for root in "${roots[@]}"; do
+    [ -d "$root/dist" ] || continue
+    target=$(find "$root/dist" -maxdepth 1 -type f -name 'gateway-cli-*.js' | head -n 1)
+    [ -n "$target" ] || continue
+
+    if grep -q 'return params.decision.kind !== "allow" || !params.controlUiAuthPolicy.allowBypass' "$target"; then
+      perl -0pi -e 's@return params\.decision\.kind !== "allow" \|\| !params\.controlUiAuthPolicy\.allowBypass && !params\.preserveInsecureLocalControlUiScopes && \(params\.authMethod === "token" \|\| params\.authMethod === "password" \|\| params\.authMethod === "trusted-proxy" \|\| params\.trustedProxyAuthOk === true\);@return params.decision.kind !== "allow";@g' "$target"
+
+      if grep -q 'return params.decision.kind !== "allow";' "$target"; then
+        echo "🔧 Patched OpenClaw scope-clearing bug in $(basename "$target")"
+        updated=1
+        break
+      fi
+    fi
+  done
+
+  if [ "$updated" -eq 0 ]; then
+    echo "⚠️  OpenClaw scope patch not applied (bundle format may have changed)"
+  fi
+}
+
+patch_openclaw_scope_bug
+
 # ── Startup Summary ──
 echo ""
 echo "  ┌──────────────────────────────────────────┐"

wa-guardian.js

@@ -9,10 +9,8 @@
 
 const fs = require("fs");
 const path = require("path");
-const {
-  WebSocket,
-} = require("/home/node/.openclaw/openclaw-app/node_modules/ws");
-const { randomUUID } = require("node:crypto");
+const { WebSocket } = require('/home/node/.openclaw/openclaw-app/node_modules/ws');
+const { randomUUID } = require('node:crypto');
 
 const GATEWAY_URL = "ws://127.0.0.1:7860";
 const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "huggingclaw";
@@ -33,8 +31,7 @@ let last515At = 0;
 function extractErrorMessage(msg) {
   if (!msg || typeof msg !== "object") return "Unknown error";
   if (typeof msg.error === "string") return msg.error;
-  if (msg.error && typeof msg.error.message === "string")
-    return msg.error.message;
+  if (msg.error && typeof msg.error.message === "string") return msg.error.message;
   if (typeof msg.message === "string") return msg.message;
   return "Unknown error";
 }
@@ -43,13 +40,9 @@ function writeResetMarker() {
   try {
     fs.mkdirSync(path.dirname(RESET_MARKER_PATH), { recursive: true });
     fs.writeFileSync(RESET_MARKER_PATH, "reset\n");
-    console.log(
-      `[guardian] Created backup reset marker at ${RESET_MARKER_PATH}`,
-    );
+    console.log(`[guardian] Created backup reset marker at ${RESET_MARKER_PATH}`);
   } catch (error) {
-    console.log(
-      `[guardian] Failed to write backup reset marker: ${error.message}`,
-    );
+    console.log(`[guardian] Failed to write backup reset marker: ${error.message}`);
   }
 }
 
@@ -62,32 +55,25 @@ async function createConnection() {
       const msg = JSON.parse(data.toString());
 
       if (msg.type === "event" && msg.event === "connect.challenge") {
-        ws.send(
-          JSON.stringify({
-            type: "req",
-            id: randomUUID(),
-            method: "connect",
-            params: {
-              minProtocol: 3,
-              maxProtocol: 3,
-              client: {
-                id: "gateway-client",
-                version: "1.0.0",
-                platform: "linux",
-                mode: "backend",
-              },
-              caps: [],
-              auth: { token: GATEWAY_TOKEN },
-              role: "operator",
-              scopes: [
-                "operator.read",
-                "operator.write",
-                "operator.admin",
-                "operator.pairing",
-              ],
+        ws.send(JSON.stringify({
+          type: "req",
+          id: randomUUID(),
+          method: "connect",
+          params: {
+            minProtocol: 3,
+            maxProtocol: 3,
+            client: {
+              id: "gateway-client",
+              version: "1.0.0",
+              platform: "linux",
+              mode: "backend",
             },
-          }),
-        );
+            caps: [],
+            auth: { token: GATEWAY_TOKEN },
+            role: "operator",
+            scopes: ["operator.read", "operator.write", "operator.admin", "operator.pairing"],
+          },
+        }));
         return;
       }
 
@@ -104,15 +90,8 @@ async function createConnection() {
       }
     });
 
-    ws.on("error", (e) => {
-      if (!resolved) reject(e);
-    });
-    setTimeout(() => {
-      if (!resolved) {
-        ws.close();
-        reject(new Error("Timeout"));
-      }
-    }, 10000);
+    ws.on("error", (e) => { if (!resolved) reject(e); });
+    setTimeout(() => { if (!resolved) { ws.close(); reject(new Error("Timeout")); } }, 10000);
   });
 }
 
@@ -132,10 +111,7 @@ async function callRpc(ws, method, params) {
     };
     ws.on("message", handler);
     ws.send(JSON.stringify({ type: "req", id, method, params }));
-    setTimeout(() => {
-      ws.removeListener("message", handler);
-      reject(new Error("RPC Timeout"));
-    }, WAIT_TIMEOUT + 5000);
+    setTimeout(() => { ws.removeListener("message", handler); reject(new Error("RPC Timeout")); }, WAIT_TIMEOUT + 5000);
   });
 }
 
@@ -147,16 +123,12 @@ async function checkStatus() {
     ws = await createConnection();
     isWaiting = true;
     if (!hasShownWaitMessage) {
-      console.log(
-        "\n[guardian] 📱 WhatsApp pairing in progress. Please scan the QR code in the Control UI.",
-      );
+      console.log("\n[guardian] 📱 WhatsApp pairing in progress. Please scan the QR code in the Control UI.");
       hasShownWaitMessage = true;
     }
 
     console.log("[guardian] Waiting for pairing completion...");
-    const waitRes = await callRpc(ws, "web.login.wait", {
-      timeoutMs: WAIT_TIMEOUT,
-    });
+    const waitRes = await callRpc(ws, "web.login.wait", { timeoutMs: WAIT_TIMEOUT });
     const result = waitRes.payload || waitRes.result;
     const message = result?.message || "";
     const linkedAfter515 = !result?.connected && message.includes("515");
@@ -169,36 +141,27 @@ async function checkStatus() {
       hasShownWaitMessage = false;
 
       if (linkedAfter515) {
-        console.log(
-          "[guardian] 515 after scan: credentials saved, reloading config to start WhatsApp...",
-        );
+        console.log("[guardian] 515 after scan: credentials saved, reloading config to start WhatsApp...");
       } else {
         console.log("[guardian] ✅ Pairing completed! Reloading config...");
       }
 
       const getRes = await callRpc(ws, "config.get", {});
       if (getRes.payload?.raw && getRes.payload?.hash) {
-        await callRpc(ws, "config.apply", {
-          raw: getRes.payload.raw,
-          baseHash: getRes.payload.hash,
-        });
+        await callRpc(ws, "config.apply", { raw: getRes.payload.raw, baseHash: getRes.payload.hash });
         console.log("[guardian] Configuration re-applied.");
       }
-    } else if (
-      !message.includes("No active") &&
-      !message.includes("Still waiting")
-    ) {
+    } else if (!message.includes("No active") && !message.includes("Still waiting")) {
       console.log(`[guardian] Wait result: ${message}`);
     }
+
   } catch (e) {
     const message = e && e.message ? e.message : "";
     if (
       /401|unauthorized|logged out|440|conflict/i.test(message) &&
       Date.now() - last515At >= POST_515_NO_LOGOUT_MS
     ) {
-      console.log(
-        "[guardian] Clearing invalid WhatsApp session so a fresh QR can be used...",
-      );
+      console.log("[guardian] Clearing invalid WhatsApp session so a fresh QR can be used...");
       try {
         if (ws) {
           await callRpc(ws, "channels.logout", { channel: "whatsapp" });
@@ -207,9 +170,7 @@ async function checkStatus() {
           console.log("[guardian] Logged out invalid WhatsApp session.");
         }
       } catch (error) {
-        console.log(
-          `[guardian] Failed to log out invalid session: ${error.message}`,
-        );
+        console.log(`[guardian] Failed to log out invalid session: ${error.message}`);
       }
     }
     // Normal timeout or gateway starting up; retry on the next interval.
@@ -219,8 +180,6 @@ async function checkStatus() {
   }
 }
 
-console.log(
-  "[guardian] ⚔️ WhatsApp Guardian active. Monitoring pairing status...",
-);
+console.log("[guardian] ⚔️ WhatsApp Guardian active. Monitoring pairing status...");
 setInterval(checkStatus, CHECK_INTERVAL);
 setTimeout(checkStatus, 15000);