let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: bundle provider auth plugins

Browse Source 
Co-authored-by: ItzR3NO <ItzR3NO@users.noreply.github.com>
This commit is contained in:
Peter Steinberger
2026-01-17 09:33:56 +00:00
parent b6ea5895b6
commit a6deb0d9d5
31 changed files with 1485 additions and 542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/cli/program/register.onboard.ts
View File

@@ -51,7 +51,7 @@ export function registerOnboardCommand(program: Command) {
.option("--mode <mode>", "Wizard mode: local|remote")
.option(
"--auth-choice <choice>",
"Auth: setup-token|claude-cli|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|synthetic-api-key|codex-cli|antigravity|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip",
"Auth: setup-token|claude-cli|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|synthetic-api-key|codex-cli|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip",
)
.option(
"--token-provider <id>",

384
src/commands/antigravity-oauth.ts
View File

@@ -1,384 +0,0 @@
/**
* VPS-aware Antigravity OAuth flow.
*
* On local machines: Uses the standard pi-ai loginAntigravity with local server callback.
* On VPS/SSH/headless: Shows URL and prompts user to paste the callback URL manually.
*/
import { createHash, randomBytes } from "node:crypto";
import { readFileSync } from "node:fs";
import { stdin, stdout } from "node:process";
import { createInterface } from "node:readline/promises";
import { loginAntigravity, type OAuthCredentials } from "@mariozechner/pi-ai";
// OAuth constants - decoded from pi-ai's base64 encoded values to stay in sync
const decode = (s: string) => Buffer.from(s, "base64").toString();
const CLIENT_ID = decode(
"MTA3MTAwNjA2MDU5MS10bWhzc2luMmgyMWxjcmUyMzV2dG9sb2poNGc0MDNlcC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbQ==",
);
const CLIENT_SECRET = decode("R09DU1BYLUs1OEZXUjQ4NkxkTEoxbUxCOHNYQzR6NnFEQWY=");
const REDIRECT_URI = "http://localhost:51121/oauth-callback";
const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
const TOKEN_URL = "https://oauth2.googleapis.com/token";
// Antigravity requires these additional scopes
const SCOPES = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/cclog",
"https://www.googleapis.com/auth/experimentsandconfigs",
];
// Fallback project ID when discovery fails (same as pi-ai)
const DEFAULT_PROJECT_ID = "rising-fact-p41fc";
/**
* Detect if running in WSL (Windows Subsystem for Linux).
*/
function isWSL(): boolean {
if (process.platform !== "linux") return false;
try {
const release = readFileSync("/proc/version", "utf8").toLowerCase();
return release.includes("microsoft") || release.includes("wsl");
} catch {
return false;
}
}
/**
* Detect if running in WSL2 specifically.
*/
function isWSL2(): boolean {
if (!isWSL()) return false;
try {
const version = readFileSync("/proc/version", "utf8").toLowerCase();
return version.includes("wsl2") || version.includes("microsoft-standard");
} catch {
return false;
}
}
/**
* Detect if running in a remote/headless environment where localhost callback won't work.
*/
export function isRemoteEnvironment(): boolean {
// SSH session indicators
if (process.env.SSH_CLIENT || process.env.SSH_TTY || process.env.SSH_CONNECTION) {
return true;
}
// Container/cloud environments
if (process.env.REMOTE_CONTAINERS || process.env.CODESPACES) {
return true;
}
// Linux without display (and not WSL which can use wslview)
if (
process.platform === "linux" &&
!process.env.DISPLAY &&
!process.env.WAYLAND_DISPLAY &&
!isWSL()
) {
return true;
}
return false;
}
/**
* Whether to skip the local OAuth callback server.
*/
export function shouldUseManualOAuthFlow(): boolean {
return isWSL2() || isRemoteEnvironment();
}
/**
* Generate PKCE verifier and challenge using Node.js crypto.
*/
function generatePKCESync(): { verifier: string; challenge: string } {
const verifier = randomBytes(32).toString("hex");
const challenge = createHash("sha256").update(verifier).digest("base64url");
return { verifier, challenge };
}
/**
* Build the Antigravity OAuth authorization URL.
*/
function buildAuthUrl(challenge: string, verifier: string): string {
const params = new URLSearchParams({
client_id: CLIENT_ID,
response_type: "code",
redirect_uri: REDIRECT_URI,
scope: SCOPES.join(" "),
code_challenge: challenge,
code_challenge_method: "S256",
state: verifier,
access_type: "offline",
prompt: "consent",
});
return `${AUTH_URL}?${params.toString()}`;
}
/**
* Parse the OAuth callback URL or code input.
*/
function parseCallbackInput(
input: string,
expectedState: string,
): { code: string; state: string } | { error: string } {
const trimmed = input.trim();
if (!trimmed) {
return { error: "No input provided" };
}
try {
// Try parsing as full URL
const url = new URL(trimmed);
const code = url.searchParams.get("code");
const state = url.searchParams.get("state") ?? expectedState;
if (!code) {
return { error: "Missing 'code' parameter in URL" };
}
if (!state) {
return { error: "Missing 'state' parameter. Paste the full URL." };
}
return { code, state };
} catch {
// Not a URL - treat as raw code (need state from original request)
if (!expectedState) {
return { error: "Paste the full redirect URL, not just the code." };
}
return { code: trimmed, state: expectedState };
}
}
/**
* Exchange authorization code for tokens.
*/
async function exchangeCodeForTokens(code: string, verifier: string): Promise<OAuthCredentials> {
const response = await fetch(TOKEN_URL, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams({
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET,
code,
grant_type: "authorization_code",
redirect_uri: REDIRECT_URI,
code_verifier: verifier,
}),
});
if (!response.ok) {
const errorText = await response.text();
throw new Error(`Token exchange failed: ${errorText}`);
}
const data = (await response.json()) as {
access_token: string;
refresh_token: string;
expires_in: number;
};
if (!data.refresh_token) {
throw new Error("No refresh token received. Please try again.");
}
// Fetch user email
const email = await getUserEmail(data.access_token);
// Fetch project ID
const projectId = await fetchProjectId(data.access_token);
// Calculate expiry time (same as pi-ai: current time + expires_in - 5 min buffer)
const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000;
return {
refresh: data.refresh_token,
access: data.access_token,
expires: expiresAt,
projectId,
email,
};
}
/**
* Get user email from access token.
*/
async function getUserEmail(accessToken: string): Promise<string | undefined> {
try {
const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", {
headers: {
Authorization: `Bearer ${accessToken}`,
},
});
if (response.ok) {
const data = (await response.json()) as { email?: string };
return data.email;
}
} catch {
// Ignore errors, email is optional
}
return undefined;
}
/**
* Fetch the Antigravity project ID using the access token.
*/
async function fetchProjectId(accessToken: string): Promise<string> {
const headers = {
Authorization: `Bearer ${accessToken}`,
"Content-Type": "application/json",
"User-Agent": "google-api-nodejs-client/9.15.1",
"X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
"Client-Metadata": JSON.stringify({
ideType: "IDE_UNSPECIFIED",
platform: "PLATFORM_UNSPECIFIED",
pluginType: "GEMINI",
}),
};
// Try endpoints in order: prod first, then sandbox
const endpoints = [
"https://cloudcode-pa.googleapis.com",
"https://daily-cloudcode-pa.sandbox.googleapis.com",
];
for (const endpoint of endpoints) {
try {
const response = await fetch(`${endpoint}/v1internal:loadCodeAssist`, {
method: "POST",
headers,
body: JSON.stringify({
metadata: {
ideType: "IDE_UNSPECIFIED",
platform: "PLATFORM_UNSPECIFIED",
pluginType: "GEMINI",
},
}),
});
if (!response.ok) continue;
const data = (await response.json()) as {
cloudaicompanionProject?: string | { id?: string };
};
if (typeof data.cloudaicompanionProject === "string") {
return data.cloudaicompanionProject;
}
if (
data.cloudaicompanionProject &&
typeof data.cloudaicompanionProject === "object" &&
data.cloudaicompanionProject.id
) {
return data.cloudaicompanionProject.id;
}
} catch {
// ignore failed endpoint, try next
}
}
// Use fallback project ID
return DEFAULT_PROJECT_ID;
}
/**
* Prompt user for input via readline.
*/
async function promptInput(message: string): Promise<string> {
const rl = createInterface({ input: stdin, output: stdout });
try {
return (await rl.question(message)).trim();
} finally {
rl.close();
}
}
/**
* VPS-aware Antigravity OAuth login.
*
* On local machines: Uses the standard pi-ai flow with automatic localhost callback.
* On VPS/SSH: Shows URL and prompts user to paste the callback URL manually.
*/
export async function loginAntigravityVpsAware(
onUrl: (url: string) => void | Promise<void>,
onProgress?: (message: string) => void,
): Promise<OAuthCredentials | null> {
// Check if we're in a remote environment
if (shouldUseManualOAuthFlow()) {
return loginAntigravityManual(onUrl, onProgress);
}
// Use the standard pi-ai flow for local environments
try {
return await loginAntigravity(
async ({ url, instructions }) => {
await onUrl(url);
onProgress?.(instructions ?? "Complete sign-in in browser...");
},
(msg) => onProgress?.(msg),
);
} catch (err) {
// If the local server fails (e.g., port in use), fall back to manual
if (
err instanceof Error &&
(err.message.includes("EADDRINUSE") ||
err.message.includes("port") ||
err.message.includes("listen"))
) {
onProgress?.("Local callback server failed. Switching to manual mode...");
return loginAntigravityManual(onUrl, onProgress);
}
throw err;
}
}
/**
* Manual Antigravity OAuth login for VPS/headless environments.
*
* Shows the OAuth URL and prompts user to paste the callback URL.
*/
export async function loginAntigravityManual(
onUrl: (url: string) => void | Promise<void>,
onProgress?: (message: string) => void,
): Promise<OAuthCredentials | null> {
const { verifier, challenge } = generatePKCESync();
const authUrl = buildAuthUrl(challenge, verifier);
// Show the URL to the user
await onUrl(authUrl);
onProgress?.("Waiting for you to paste the callback URL...");
console.log("\n");
console.log("=".repeat(60));
console.log("VPS/Remote Mode - Manual OAuth");
console.log("=".repeat(60));
console.log("\n1. Open the URL above in your LOCAL browser");
console.log("2. Complete the Google sign-in");
console.log("3. Your browser will redirect to a localhost URL that won't load");
console.log("4. Copy the ENTIRE URL from your browser's address bar");
console.log("5. Paste it below\n");
console.log("The URL will look like:");
console.log("http://localhost:51121/oauth-callback?code=xxx&state=yyy\n");
const callbackInput = await promptInput("Paste the redirect URL here: ");
const parsed = parseCallbackInput(callbackInput, verifier);
if ("error" in parsed) {
throw new Error(parsed.error);
}
// Verify state matches
if (parsed.state !== verifier) {
throw new Error("OAuth state mismatch - please try again");
}
onProgress?.("Exchanging authorization code for tokens...");
return exchangeCodeForTokens(parsed.code, verifier);
}

8
src/commands/auth-choice-options.ts
View File

@@ -61,8 +61,8 @@ const AUTH_CHOICE_GROUP_DEFS: {
{
value: "google",
label: "Google",
hint: "Antigravity + Gemini API key",
choices: ["antigravity", "gemini-api-key"],
hint: "Gemini API key",
choices: ["gemini-api-key"],
},
{
value: "openrouter",
@@ -181,10 +181,6 @@ export function buildAuthChoiceOptions(params: {
});
options.push({ value: "moonshot-api-key", label: "Moonshot AI API key" });
options.push({ value: "synthetic-api-key", label: "Synthetic API key" });
options.push({
value: "antigravity",
label: "Google Antigravity (Claude Opus 4.5, Gemini 3, etc.)",
});
options.push({
value: "github-copilot",
label: "GitHub Copilot (GitHub device login)",

103
src/commands/auth-choice.apply.oauth.ts
View File

@@ -1,5 +1,4 @@
import type { OAuthCredentials } from "@mariozechner/pi-ai";
import { isRemoteEnvironment, loginAntigravityVpsAware } from "./antigravity-oauth.js";
import { isRemoteEnvironment } from "./oauth-env.js";
import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
import { loginChutes } from "./chutes-oauth.js";
import { createVpsAwareOAuthHandlers } from "./oauth-flow.js";
@@ -94,105 +93,5 @@ export async function applyAuthChoiceOAuth(
return { config: nextConfig };
}
if (params.authChoice === "antigravity") {
let nextConfig = params.config;
let agentModelOverride: string | undefined;
const noteAgentModel = async (model: string) => {
if (!params.agentId) return;
await params.prompter.note(
`Default model set to ${model} for agent "${params.agentId}".`,
"Model configured",
);
};
const isRemote = isRemoteEnvironment();
await params.prompter.note(
isRemote
? [
"You are running in a remote/VPS environment.",
"A URL will be shown for you to open in your LOCAL browser.",
"After signing in, copy the redirect URL and paste it back here.",
].join("\n")
: [
"Browser will open for Google authentication.",
"Sign in with your Google account that has Antigravity access.",
"The callback will be captured automatically on localhost:51121.",
].join("\n"),
"Google Antigravity OAuth",
);
const spin = params.prompter.progress("Starting OAuth flow…");
let oauthCreds: OAuthCredentials | null = null;
try {
oauthCreds = await loginAntigravityVpsAware(
async (url) => {
if (isRemote) {
spin.stop("OAuth URL ready");
params.runtime.log(`\nOpen this URL in your LOCAL browser:\n\n${url}\n`);
} else {
spin.update("Complete sign-in in browser…");
await openUrl(url);
params.runtime.log(`Open: ${url}`);
}
},
(msg) => spin.update(msg),
);
spin.stop("Antigravity OAuth complete");
if (oauthCreds) {
await writeOAuthCredentials("google-antigravity", oauthCreds, params.agentDir);
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: `google-antigravity:${oauthCreds.email ?? "default"}`,
provider: "google-antigravity",
mode: "oauth",
});
const modelKey = "google-antigravity/claude-opus-4-5-thinking";
nextConfig = {
...nextConfig,
agents: {
...nextConfig.agents,
defaults: {
...nextConfig.agents?.defaults,
models: {
...nextConfig.agents?.defaults?.models,
[modelKey]: nextConfig.agents?.defaults?.models?.[modelKey] ?? {},
},
},
},
};
if (params.setDefaultModel) {
const existingModel = nextConfig.agents?.defaults?.model;
nextConfig = {
...nextConfig,
agents: {
...nextConfig.agents,
defaults: {
...nextConfig.agents?.defaults,
model: {
...(existingModel && "fallbacks" in (existingModel as Record<string, unknown>)
? {
fallbacks: (existingModel as { fallbacks?: string[] }).fallbacks,
}
: undefined),
primary: modelKey,
},
},
},
};
await params.prompter.note(`Default model set to ${modelKey}`, "Model configured");
} else {
agentModelOverride = modelKey;
await noteAgentModel(modelKey);
}
}
} catch (err) {
spin.stop("Antigravity OAuth failed");
params.runtime.error(String(err));
await params.prompter.note(
"Trouble with OAuth? See https://docs.clawd.bot/start/faq",
"OAuth help",
);
}
return { config: nextConfig, agentModelOverride };
}
return null;
}

2
src/commands/auth-choice.apply.openai.ts
View File

@@ -2,7 +2,7 @@ import { loginOpenAICodex } from "@mariozechner/pi-ai";
import { CODEX_CLI_PROFILE_ID, ensureAuthProfileStore } from "../agents/auth-profiles.js";
import { resolveEnvApiKey } from "../agents/model-auth.js";
import { upsertSharedEnvVar } from "../infra/env-file.js";
import { isRemoteEnvironment } from "./antigravity-oauth.js";
import { isRemoteEnvironment } from "./oauth-env.js";
import {
formatApiKeyPreview,
normalizeApiKeyInput,

1
src/commands/auth-choice.preferred-provider.ts
View File

@@ -15,7 +15,6 @@ const PREFERRED_PROVIDER_BY_AUTH_CHOICE: Partial<Record<AuthChoice, string>> = {
"moonshot-api-key": "moonshot",
"gemini-api-key": "google",
"zai-api-key": "zai",
antigravity: "google-antigravity",
"synthetic-api-key": "synthetic",
"github-copilot": "github-copilot",
"minimax-cloud": "minimax",

2
src/commands/models/auth.ts
View File

@@ -23,7 +23,7 @@ import {
import type { RuntimeEnv } from "../../runtime.js";
import { stylePromptHint, stylePromptMessage } from "../../terminal/prompt-style.js";
import { applyAuthProfileConfig } from "../onboard-auth.js";
import { isRemoteEnvironment } from "../antigravity-oauth.js";
import { isRemoteEnvironment } from "../oauth-env.js";
import { openUrl } from "../onboard-helpers.js";
import { createVpsAwareOAuthHandlers } from "../oauth-flow.js";
import { updateConfig } from "./shared.js";

32
src/commands/oauth-env.ts Normal file
View File

@@ -0,0 +1,32 @@
import { readFileSync } from "node:fs";
function isWSL(): boolean {
if (process.platform !== "linux") return false;
try {
const release = readFileSync("/proc/version", "utf8").toLowerCase();
return release.includes("microsoft") || release.includes("wsl");
} catch {
return false;
}
}
export function isRemoteEnvironment(): boolean {
if (process.env.SSH_CLIENT || process.env.SSH_TTY || process.env.SSH_CONNECTION) {
return true;
}
if (process.env.REMOTE_CONTAINERS || process.env.CODESPACES) {
return true;
}
if (
process.platform === "linux" &&
!process.env.DISPLAY &&
!process.env.WAYLAND_DISPLAY &&
!isWSL()
) {
return true;
}
return false;
}

6
src/commands/onboard-non-interactive/local/auth-choice.ts
View File

@@ -334,11 +334,9 @@ export async function applyNonInteractiveAuthChoice(params: {
if (
authChoice === "oauth" ||
authChoice === "chutes" ||
authChoice === "openai-codex" ||
authChoice === "antigravity"
authChoice === "openai-codex"
) {
const label = authChoice === "antigravity" ? "Antigravity" : "OAuth";
runtime.error(`${label} requires interactive mode.`);
runtime.error("OAuth requires interactive mode.");
runtime.exit(1);
return null;
}

1
src/commands/onboard-types.ts
View File

@@ -16,7 +16,6 @@ export type AuthChoice =
| "moonshot-api-key"
| "synthetic-api-key"
| "codex-cli"
| "antigravity"
| "apiKey"
| "gemini-api-key"
| "zai-api-key"

33
src/plugins/bundled-dir.ts Normal file
View File

@@ -0,0 +1,33 @@
import fs from "node:fs";
import path from "node:path";
import { fileURLToPath } from "node:url";
export function resolveBundledPluginsDir(): string | undefined {
const override = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR?.trim();
if (override) return override;
// bun --compile: ship a sibling `extensions/` next to the executable.
try {
const execDir = path.dirname(process.execPath);
const sibling = path.join(execDir, "extensions");
if (fs.existsSync(sibling)) return sibling;
} catch {
// ignore
}
// npm/dev: walk up from this module to find `extensions/` at the package root.
try {
let cursor = path.dirname(fileURLToPath(import.meta.url));
for (let i = 0; i < 6; i += 1) {
const candidate = path.join(cursor, "extensions");
if (fs.existsSync(candidate)) return candidate;
const parent = path.dirname(cursor);
if (parent === cursor) break;
cursor = parent;
}
} catch {
// ignore
}
return undefined;
}

7
src/plugins/discovery.test.ts
View File

@@ -15,7 +15,9 @@ function makeTempDir() {
async function withStateDir<T>(stateDir: string, fn: () => Promise<T>) {
const prev = process.env.CLAWDBOT_STATE_DIR;
const prevBundled = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR;
process.env.CLAWDBOT_STATE_DIR = stateDir;
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
vi.resetModules();
try {
return await fn();
@@ -25,6 +27,11 @@ async function withStateDir<T>(stateDir: string, fn: () => Promise<T>) {
} else {
process.env.CLAWDBOT_STATE_DIR = prev;
}
if (prevBundled === undefined) {
delete process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR;
} else {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = prevBundled;
}
vi.resetModules();
}
}

55
src/plugins/discovery.ts
View File

@@ -2,6 +2,7 @@ import fs from "node:fs";
import path from "node:path";
import { CONFIG_DIR, resolveUserPath } from "../utils.js";
import { resolveBundledPluginsDir } from "./bundled-dir.js";
import type { PluginDiagnostic, PluginOrigin } from "./types.js";
const EXTENSION_EXTS = new Set([".ts", ".js", ".mts", ".cts", ".mjs", ".cjs"]);
@@ -271,29 +272,7 @@ export function discoverClawdbotPlugins(params: {
const candidates: PluginCandidate[] = [];
const diagnostics: PluginDiagnostic[] = [];
const seen = new Set<string>();
const globalDir = path.join(CONFIG_DIR, "extensions");
discoverInDirectory({
dir: globalDir,
origin: "global",
candidates,
diagnostics,
seen,
});
const workspaceDir = params.workspaceDir?.trim();
if (workspaceDir) {
const workspaceRoot = resolveUserPath(workspaceDir);
const workspaceExt = path.join(workspaceRoot, ".clawdbot", "extensions");
discoverInDirectory({
dir: workspaceExt,
origin: "workspace",
workspaceDir: workspaceRoot,
candidates,
diagnostics,
seen,
});
}
const extra = params.extraPaths ?? [];
for (const extraPath of extra) {
@@ -309,6 +288,38 @@ export function discoverClawdbotPlugins(params: {
seen,
});
}
if (workspaceDir) {
const workspaceRoot = resolveUserPath(workspaceDir);
const workspaceExt = path.join(workspaceRoot, ".clawdbot", "extensions");
discoverInDirectory({
dir: workspaceExt,
origin: "workspace",
workspaceDir: workspaceRoot,
candidates,
diagnostics,
seen,
});
}
const globalDir = path.join(CONFIG_DIR, "extensions");
discoverInDirectory({
dir: globalDir,
origin: "global",
candidates,
diagnostics,
seen,
});
const bundledDir = resolveBundledPluginsDir();
if (bundledDir) {
discoverInDirectory({
dir: bundledDir,
origin: "bundled",
candidates,
diagnostics,
seen,
});
}
return { candidates, diagnostics };
}

65
src/plugins/loader.test.ts
View File

@@ -9,6 +9,7 @@ import { loadClawdbotPlugins } from "./loader.js";
type TempPlugin = { dir: string; file: string; id: string };
const tempDirs: string[] = [];
const prevBundledDir = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR;
function makeTempDir() {
const dir = path.join(os.tmpdir(), `clawdbot-plugin-${randomUUID()}`);
@@ -32,10 +33,49 @@ afterEach(() => {
// ignore cleanup failures
}
}
if (prevBundledDir === undefined) {
delete process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR;
} else {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = prevBundledDir;
}
});
describe("loadClawdbotPlugins", () => {
it("disables bundled plugins by default", () => {
const bundledDir = makeTempDir();
const bundledPath = path.join(bundledDir, "bundled.ts");
fs.writeFileSync(bundledPath, "export default function () {}", "utf-8");
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = bundledDir;
const registry = loadClawdbotPlugins({
cache: false,
config: {
plugins: {
allow: ["bundled"],
},
},
});
const bundled = registry.plugins.find((entry) => entry.id === "bundled");
expect(bundled?.status).toBe("disabled");
const enabledRegistry = loadClawdbotPlugins({
cache: false,
config: {
plugins: {
allow: ["bundled"],
entries: {
bundled: { enabled: true },
},
},
},
});
const enabled = enabledRegistry.plugins.find((entry) => entry.id === "bundled");
expect(enabled?.status).toBe("loaded");
});
it("loads plugins from config paths", () => {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
const plugin = writePlugin({
id: "allowed",
body: `export default function (api) { api.registerGatewayMethod("allowed.ping", ({ respond }) => respond(true, { ok: true })); }`,
@@ -52,12 +92,13 @@ describe("loadClawdbotPlugins", () => {
},
});
expect(registry.plugins.length).toBe(1);
expect(registry.plugins[0]?.status).toBe("loaded");
const loaded = registry.plugins.find((entry) => entry.id === "allowed");
expect(loaded?.status).toBe("loaded");
expect(Object.keys(registry.gatewayHandlers)).toContain("allowed.ping");
});
it("denylist disables plugins even if allowed", () => {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
const plugin = writePlugin({
id: "blocked",
body: `export default function () {}`,
@@ -75,10 +116,12 @@ describe("loadClawdbotPlugins", () => {
},
});
expect(registry.plugins[0]?.status).toBe("disabled");
const blocked = registry.plugins.find((entry) => entry.id === "blocked");
expect(blocked?.status).toBe("disabled");
});
it("fails fast on invalid plugin config", () => {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
const plugin = writePlugin({
id: "configurable",
body: `export default {\n id: "configurable",\n configSchema: {\n parse(value) {\n if (!value || typeof value !== "object" || Array.isArray(value)) {\n throw new Error("bad config");\n }\n return value;\n }\n },\n register() {}\n};`,
@@ -99,11 +142,13 @@ describe("loadClawdbotPlugins", () => {
},
});
expect(registry.plugins[0]?.status).toBe("error");
const configurable = registry.plugins.find((entry) => entry.id === "configurable");
expect(configurable?.status).toBe("error");
expect(registry.diagnostics.some((d) => d.level === "error")).toBe(true);
});
it("registers channel plugins", () => {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
const plugin = writePlugin({
id: "channel-demo",
body: `export default function (api) {
@@ -139,11 +184,12 @@ describe("loadClawdbotPlugins", () => {
},
});
expect(registry.channels.length).toBe(1);
expect(registry.channels[0]?.plugin.id).toBe("demo");
const channel = registry.channels.find((entry) => entry.plugin.id === "demo");
expect(channel).toBeDefined();
});
it("registers http handlers", () => {
process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins";
const plugin = writePlugin({
id: "http-demo",
body: `export default function (api) {
@@ -162,8 +208,9 @@ describe("loadClawdbotPlugins", () => {
},
});
expect(registry.httpHandlers.length).toBe(1);
expect(registry.httpHandlers[0]?.pluginId).toBe("http-demo");
expect(registry.plugins[0]?.httpHandlers).toBe(1);
const handler = registry.httpHandlers.find((entry) => entry.pluginId === "http-demo");
expect(handler).toBeDefined();
const httpPlugin = registry.plugins.find((entry) => entry.id === "http-demo");
expect(httpPlugin?.httpHandlers).toBe(1);
});
});

36
src/plugins/loader.ts
View File

@@ -86,6 +86,7 @@ function buildCacheKey(params: {
function resolveEnableState(
id: string,
origin: PluginRecord["origin"],
config: NormalizedPluginsConfig,
): { enabled: boolean; reason?: string } {
if (!config.enabled) {
@@ -98,9 +99,15 @@ function resolveEnableState(
return { enabled: false, reason: "not in allowlist" };
}
const entry = config.entries[id];
if (entry?.enabled === true) {
return { enabled: true };
}
if (entry?.enabled === false) {
return { enabled: false, reason: "disabled in config" };
}
if (origin === "bundled") {
return { enabled: false, reason: "bundled (disabled by default)" };
}
return { enabled: true };
}
@@ -237,8 +244,29 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
interopDefault: true,
});
const seenIds = new Map<string, PluginRecord["origin"]>();
for (const candidate of discovery.candidates) {
const enableState = resolveEnableState(candidate.idHint, normalized);
const existingOrigin = seenIds.get(candidate.idHint);
if (existingOrigin) {
const record = createPluginRecord({
id: candidate.idHint,
name: candidate.packageName ?? candidate.idHint,
description: candidate.packageDescription,
version: candidate.packageVersion,
source: candidate.source,
origin: candidate.origin,
workspaceDir: candidate.workspaceDir,
enabled: false,
configSchema: false,
});
record.status = "disabled";
record.error = `overridden by ${existingOrigin} plugin`;
registry.plugins.push(record);
continue;
}
const enableState = resolveEnableState(candidate.idHint, candidate.origin, normalized);
const entry = normalized.entries[candidate.idHint];
const record = createPluginRecord({
id: candidate.idHint,
@@ -256,6 +284,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
record.status = "disabled";
record.error = enableState.reason;
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
continue;
}
@@ -266,6 +295,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
record.status = "error";
record.error = String(err);
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
registry.diagnostics.push({
level: "error",
pluginId: record.id,
@@ -324,6 +354,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
record.status = "error";
record.error = `invalid config: ${validatedConfig.errors?.join(", ")}`;
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
registry.diagnostics.push({
level: "error",
pluginId: record.id,
@@ -337,6 +368,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
record.status = "error";
record.error = "plugin export missing register/activate";
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
registry.diagnostics.push({
level: "error",
pluginId: record.id,
@@ -362,10 +394,12 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi
});
}
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
} catch (err) {
record.status = "error";
record.error = String(err);
registry.plugins.push(record);
seenIds.set(candidate.idHint, candidate.origin);
registry.diagnostics.push({
level: "error",
pluginId: record.id,

2
src/plugins/types.ts
View File

@@ -175,7 +175,7 @@ export type ClawdbotPluginApi = {
resolvePath: (input: string) => string;
};
export type PluginOrigin = "global" | "workspace" | "config";
export type PluginOrigin = "bundled" | "global" | "workspace" | "config";
export type PluginDiagnostic = {
level: "warn" | "error";