env-builder improvements, gateway/browser robustness, and key-rotator fixes

health-server.js

@@ -72,7 +72,6 @@ if (_spacPrivacyEnv === "public") {
   SPACE_IS_PRIVATE = false;
   _privacyDetectionDone = true;
   console.log("[health-server] Space privacy: public (SPACE_PRIVACY env var override)");
-  privacyDetectionReady.then ? void 0 : null;
   _privacyDetectionResolve && _privacyDetectionResolve();
 } else if (_spacPrivacyEnv === "private") {
   // User explicitly set SPACE_PRIVACY=private — skip API call entirely

jupyter-devdata-sync.py

@@ -174,6 +174,7 @@ def is_jupyter_running(port: int = 8888) -> bool:
         return False
 
 def restore_once(api, rid: str):
+    from huggingface_hub import snapshot_download
     from huggingface_hub.errors import RepositoryNotFoundError
     tmp = Path(tempfile.mkdtemp(prefix="devdata-restore-"))
     try:

multi-provider-key-rotator.cjs

@@ -192,6 +192,12 @@ const PROVIDERS = [
     envPlural:  'MODELSTUDIO_API_KEYS',
     envSingular:'MODELSTUDIO_API_KEY',
   },
+  {
+    name:        'synthetic',
+    hostname:    /(?:^|\.)synthetic\.local$/i,
+    envPlural:   'SYNTHETIC_API_KEYS',
+    envSingular: 'SYNTHETIC_API_KEY',
+  },
 
 ];
 
@@ -320,7 +326,25 @@ function patchFetch() {
             // Gemini: key URL query param mein jaata hai, Bearer nahi
             const url = new URL(typeof input === 'string' ? input : input.url);
             url.searchParams.set('key', key);
-            input = typeof input === 'string' ? url.toString() : new Request(url.toString(), input);
+            if (typeof input === 'string') {
+              input = url.toString();
+            } else {
+              // Do NOT pass the Request object as init — that clones (consumes) the body stream.
+              // Instead patch only the URL via init object; fetch spec merges headers from Request.
+              init = {
+                method: input.method,
+                headers: input.headers,
+                body: input.body,
+                mode: input.mode,
+                credentials: input.credentials,
+                cache: input.cache,
+                redirect: input.redirect,
+                referrer: input.referrer,
+                integrity: input.integrity,
+                ...init,
+              };
+              input = url.toString();
+            }
           } else {
             const headers        = init.headers || (input && input.headers) || undefined;
             const patchedHeaders = setAuthHeader(headers, key);

start.sh

@@ -359,8 +359,10 @@ CONFIG_JSON=$(jq \
   --arg fileLevel "$OPENCLAW_FILE_LOG_LEVEL" \
   --arg consoleLevel "$OPENCLAW_CONSOLE_LOG_LEVEL" \
   --arg consoleStyle "$OPENCLAW_CONSOLE_LOG_STYLE" \
+  --arg port "$GATEWAY_PORT" \
   '.gateway.auth.token = $token
    | .agents.defaults.model = $model
+   | .gateway.port = ($port | tonumber)
    | .logging.level = $fileLevel
    | .logging.consoleLevel = $consoleLevel
    | .logging.consoleStyle = $consoleStyle' <<<"$CONFIG_JSON")
@@ -373,7 +375,7 @@ CUSTOM_MODEL_NAME="${CUSTOM_MODEL_NAME:-$CUSTOM_MODEL_ID}"
 CUSTOM_API_KEY="${CUSTOM_API_KEY:-$LLM_API_KEY}"
 CUSTOM_API_TYPE="${CUSTOM_API_TYPE:-openai-completions}"
 CUSTOM_CONTEXT_WINDOW="${CUSTOM_CONTEXT_WINDOW:-128000}"
-CUSTOM_MAX_TOKENS="${CUSTOM_MAX_TOKENS:-500}"
+CUSTOM_MAX_TOKENS="${CUSTOM_MAX_TOKENS:-8192}"
 
 if [ -n "$CUSTOM_PROVIDER_NAME" ] || [ -n "$CUSTOM_BASE_URL" ] || [ -n "$CUSTOM_MODEL_ID" ]; then
   CUSTOM_PROVIDER_NORMALIZED=$(printf '%s' "$CUSTOM_PROVIDER_NAME" | tr '[:upper:]' '[:lower:]')
@@ -715,6 +717,10 @@ WHATSAPP_CONFIG_ENABLED=false
 if [ "$WHATSAPP_ENABLED_NORMALIZED" = "true" ]; then
   WHATSAPP_CONFIG_ENABLED=true
 fi
+TELEGRAM_CONFIG_ENABLED=false
+if [ -n "${TELEGRAM_BOT_TOKEN:-}" ]; then
+  TELEGRAM_CONFIG_ENABLED=true
+fi
 if [ -f "$EXISTING_CONFIG" ]; then
   echo "Restored config found — patching required fields and runtime channel/plugin toggles..."
   PATCHED=$(jq \
@@ -729,6 +735,7 @@ if [ -f "$EXISTING_CONFIG" ]; then
     --argjson consoleStyleConfigured "$OPENCLAW_CONSOLE_LOG_STYLE_CONFIGURED" \
     --argjson whatsappConfigured "$WHATSAPP_ENABLED_CONFIGURED" \
     --argjson whatsappEnabled "$WHATSAPP_CONFIG_ENABLED" \
+    --argjson telegramConfigured "$TELEGRAM_CONFIG_ENABLED" \
     '(.channels.whatsapp // {}) as $existingWhatsapp
      | .gateway.auth.token = $token
      | .agents.defaults.model = $model
@@ -750,6 +757,13 @@ if [ -f "$EXISTING_CONFIG" ]; then
          | del(.channels.whatsapp)
        else
          .
+       end
+     | if $telegramConfigured then
+         .channels.telegram = (($desired.channels.telegram // {}) * (.channels.telegram // {}))
+         | .channels.telegram.botToken = $desired.channels.telegram.botToken
+       else
+         del(.channels.telegram)
+         | .plugins.entries.telegram.enabled = false
        end' \
     "$EXISTING_CONFIG" 2>/dev/null)
 

wa-guardian.js

@@ -125,7 +125,8 @@ async function createConnection() {
   });
 }
 
-async function callRpc(ws, method, params) {
+async function callRpc(ws, method, params, timeoutMs) {
+  const ms = timeoutMs !== undefined ? timeoutMs : 10000; // default 10s for normal calls
   return new Promise((resolve, reject) => {
     const id = randomUUID();
     const handler = (data) => {
@@ -148,7 +149,7 @@ async function callRpc(ws, method, params) {
       reject(sendErr);
       return;
     }
-    setTimeout(() => { ws.removeListener("message", handler); reject(new Error("RPC Timeout")); }, WAIT_TIMEOUT + 5000);
+    setTimeout(() => { ws.removeListener("message", handler); reject(new Error("RPC Timeout")); }, ms);
   });
 }
 
@@ -188,7 +189,7 @@ async function checkStatus() {
     }
 
     console.log("[guardian] Waiting for pairing completion...");
-    const waitRes = await callRpc(ws, "web.login.wait", { timeoutMs: WAIT_TIMEOUT });
+    const waitRes = await callRpc(ws, "web.login.wait", { timeoutMs: WAIT_TIMEOUT }, WAIT_TIMEOUT + 5000);
     const result = waitRes.payload || waitRes.result;
     const message = result?.message || "";
     const linkedAfter515 = !result?.connected && message.includes("515");
@@ -202,19 +203,27 @@ async function checkStatus() {
       lastConnectedAt = Date.now();
       writeStatus({ configured: true, connected: true, pairing: false });
 
+      // Set shouldStop BEFORE config.apply — gateway restart during apply must not
+      // leave guardian running (it would then incorrectly wipe valid credentials).
+      shouldStop = true;
+
       if (linkedAfter515) {
         console.log("[guardian] 515 after scan: credentials saved, reloading config to start WhatsApp...");
       } else {
         console.log("[guardian] Pairing completed! Reloading config...");
       }
 
-      const getRes = await callRpc(ws, "config.get", {});
-      if (getRes.payload?.raw && getRes.payload?.hash) {
-        await callRpc(ws, "config.apply", { raw: getRes.payload.raw, baseHash: getRes.payload.hash });
-        console.log("[guardian] Configuration re-applied.");
+      try {
+        const getRes = await callRpc(ws, "config.get", {});
+        if (getRes.payload?.raw && getRes.payload?.hash) {
+          await callRpc(ws, "config.apply", { raw: getRes.payload.raw, baseHash: getRes.payload.hash });
+          console.log("[guardian] Configuration re-applied.");
+        }
+      } catch (applyErr) {
+        // Gateway restarted during config.apply — that is expected and fine.
+        // shouldStop is already true so we will not retry or attempt logout.
+        console.log(`[guardian] Config re-apply interrupted (gateway restarting): ${applyErr.message}`);
       }
-
-      shouldStop = true;
       setTimeout(() => process.exit(0), 1000);
     } else if (!message.includes("No active") && !message.includes("Still waiting")) {
       console.log(`[guardian] Wait result: ${message}`);