Merge branch 'main' into main

Dockerfile

@@ -15,7 +15,9 @@ FROM ghcr.io/openclaw/openclaw:${OPENCLAW_VERSION} AS openclaw
 FROM node:22-slim
 ARG OPENCLAW_VERSION=latest
 ARG DEV_MODE=false
-ENV DEV_MODE=${DEV_MODE}
+# DEV_MODE intentionally not baked into runtime ENV — defaults to unset so
+# start.sh can auto-enable terminal when GATEWAY_TOKEN is present. Users can
+# override by setting DEV_MODE=false as an HF Space Variable to opt out.
 
 # Install system dependencies (+ optional JupyterLab deps in DEV_MODE)
 RUN apt-get update && apt-get install -y \

env-builder.js

@@ -853,11 +853,11 @@ const FIELDS = [
     "k": "JUPYTER_TOKEN",
     "lbl": "Jupyter access token (Must NOT be 'huggingface'. Run: openssl rand -hex 32)",
     "type": "password",
-    "ph": "change_this_to_a_strong_token",
-    "common": 1,
-    "tag": "credential"
+    "secret": 1,
+    "ph": "huggingface",
+    "common": 1
   },
-{
+  {
     "g": "Core",
     "icon": "⚡",
     "k": "OPENCLAW_DISABLE_BONJOUR",
@@ -965,7 +965,7 @@ const FIELDS = [
     "ph": "/home/node",
     "tag": "advanced"
   },
-{
+  {
     "g": "Provider Keys",
     "icon": "🔑",
     "k": "ANTHROPIC_API_KEY",

health-server.js

@@ -22,11 +22,10 @@ const JUPYTER_HOST = "127.0.0.1";
 const JUPYTER_BASE = normalizeBase(process.env.JUPYTER_BASE, "/terminal");
 const GATEWAY_TOKEN = (process.env.GATEWAY_TOKEN || "").trim();
 const DEV_MODE_ENABLED = isTrue(process.env.DEV_MODE);
-// Auto-enable Jupyter when DEV_MODE=true, HUGGINGCLAW_JUPYTER_ENABLED=true, or GATEWAY_TOKEN is set.
-// GATEWAY_TOKEN doubles as JUPYTER_TOKEN in start.sh — no extra secret needed.
-const JUPYTER_ENABLED = /^(true|1|yes|on)$/i.test(
-  process.env.HUGGINGCLAW_JUPYTER_ENABLED || (DEV_MODE_ENABLED ? "true" : GATEWAY_TOKEN ? "true" : "false")
-);
+// Default true. Only false when DEV_MODE=false or HUGGINGCLAW_JUPYTER_ENABLED=false is explicitly set.
+const JUPYTER_ENABLED =
+  !/^(false|0|no|off)$/i.test(String(process.env.DEV_MODE || "").trim()) &&
+  !/^(false|0|no|off)$/i.test(String(process.env.HUGGINGCLAW_JUPYTER_ENABLED || "").trim());
 const startTime = Date.now();
 const LLM_MODEL = process.env.LLM_MODEL || "Not Set";
 const TELEGRAM_ENABLED = !!process.env.TELEGRAM_BOT_TOKEN;
@@ -240,6 +239,65 @@ function escapeHtml(v) {
   return String(v).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;");
 }
 
+function parseCookies(req) {
+  const h = req.headers.cookie || "";
+  return Object.fromEntries(h.split(";").map(c => c.trim().split("=")).filter(p => p.length >= 2).map(([k, ...v]) => [k.trim(), decodeURIComponent(v.join("=").trim())]));
+}
+
+// Constant-time comparison — prevent timing attacks on token check
+function safeEqual(a, b) {
+  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
+  let d = 0;
+  for (let i = 0; i < a.length; i++) d |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return d === 0;
+}
+
+function isEnvBuilderAuthed(req) {
+  if (!GATEWAY_TOKEN) return true; // unprotected when no token set
+  return safeEqual(parseCookies(req).hc_env_auth || "", GATEWAY_TOKEN);
+}
+
+function readBody(req) {
+  return new Promise((resolve) => {
+    let body = "";
+    req.on("data", chunk => { body += chunk; if (body.length > 4096) { body = ""; req.destroy(); } });
+    req.on("end", () => resolve(body));
+    req.on("error", () => resolve(""));
+  });
+}
+
+function renderEnvBuilderLogin(error = false) {
+  return `<!doctype html><html lang="en"><head>
+  <meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>
+  <title>HuggingClaw — Env Builder</title>
+  <style>
+    :root{color-scheme:dark;--bg:#08080f;--panel:#12111b;--line:#26243a;--text:#f6f4ff;--muted:#7f7a9e;--bad:#fb7185}
+    *{box-sizing:border-box}body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;font-family:Inter,ui-sans-serif,system-ui,-apple-system,sans-serif;background:var(--bg);color:var(--text);padding:24px}
+    .card{border:1px solid var(--line);background:var(--panel);border-radius:14px;padding:36px 32px;max-width:400px;width:100%;text-align:center}
+    h1{margin:0 0 8px;font-size:1.4rem}
+    .sub{color:var(--muted);font-size:.82rem;margin:0 0 24px}
+    .row{display:flex;gap:8px;margin-top:16px}
+    input{flex:1;background:#0d0c18;border:1px solid var(--line);border-radius:7px;padding:10px 12px;color:var(--text);font-size:.95rem;outline:none}
+    input:focus{border-color:#6366f1}
+    button{background:#fff;color:#000;border:none;border-radius:7px;padding:10px 20px;font-weight:700;font-size:.95rem;cursor:pointer;transition:opacity .15s}
+    button:hover{opacity:.85}
+    .err{color:var(--bad);font-size:.82rem;margin-top:10px}
+    code{background:#232234;border:1px solid #34324c;border-radius:5px;padding:2px 6px;font-size:.88em}
+  </style></head><body>
+  <div class="card">
+    <h1>⚙️ Env Builder</h1>
+    <p class="sub">Enter your <code>GATEWAY_TOKEN</code> to continue</p>
+    <form method="post" action="/env-builder/login">
+      <div class="row">
+        <input type="password" name="token" placeholder="GATEWAY_TOKEN" autofocus autocomplete="current-password">
+        <button type="submit">Unlock</button>
+      </div>
+      ${error ? '<p class="err">Invalid token — try again</p>' : ""}
+    </form>
+  </div>
+</body></html>`;
+}
+
 function badge(label, tone = "neutral") {
   return `<span class="badge ${tone}">${escapeHtml(label)}</span>`;
 }
@@ -599,16 +657,45 @@ const server = http.createServer(async (req, res) => {
     !isSameOriginNav &&
     !isFromHFApp;
 
+  if (pathname === "/env-builder/login") {
+    if (req.method === "POST") {
+      const body = await readBody(req);
+      const token = decodeURIComponent((body.match(/(?:^|&)token=([^&]*)/) || [])[1] || "").replace(/\+/g, " ");
+      if (safeEqual(token, GATEWAY_TOKEN)) {
+        const cookie = `hc_env_auth=${encodeURIComponent(GATEWAY_TOKEN)}; Path=/env-builder; HttpOnly; SameSite=Strict; Max-Age=86400`;
+        res.writeHead(302, { Location: "/env-builder", "Set-Cookie": cookie, "Cache-Control": "no-store" });
+        return res.end();
+      }
+      res.writeHead(200, { "Content-Type": "text/html" });
+      return res.end(renderEnvBuilderLogin(true));
+    }
+    res.writeHead(302, { Location: "/env-builder", "Cache-Control": "no-store" });
+    return res.end();
+  }
+
+  if (pathname === "/env-builder/logout") {
+    res.writeHead(302, { Location: "/env-builder", "Set-Cookie": "hc_env_auth=; Path=/env-builder; HttpOnly; Max-Age=0", "Cache-Control": "no-store" });
+    return res.end();
+  }
+
   if (pathname === "/env-builder" || pathname === "/env-builder/") {
     if (isDirectHfSpaceRequest) {
       res.writeHead(200, { "Content-Type": "text/html" });
       return res.end(renderPrivateRedirect(HF_SPACE_URL));
     }
+    if (!isEnvBuilderAuthed(req)) {
+      res.writeHead(200, { "Content-Type": "text/html" });
+      return res.end(renderEnvBuilderLogin(false));
+    }
     res.writeHead(200, { "Content-Type": "text/html" });
     return res.end(renderEnvBuilder());
   }
 
   if (pathname === "/env-builder.js") {
+    if (!isEnvBuilderAuthed(req)) {
+      res.writeHead(401, { "Content-Type": "text/plain" });
+      return res.end("Unauthorized");
+    }
     try {
       const js = fs.readFileSync(require("path").join(__dirname, "env-builder.js"), "utf8");
       res.writeHead(200, { "Content-Type": "application/javascript" });
@@ -637,7 +724,7 @@ const server = http.createServer(async (req, res) => {
   if (pathname === JUPYTER_BASE || pathname.startsWith(JUPYTER_BASE + "/")) {
     if (!JUPYTER_ENABLED) {
       res.writeHead(404, { "Content-Type": "application/json" });
-      return res.end(JSON.stringify({ status: "disabled", message: "JupyterLab terminal is disabled. Set GATEWAY_TOKEN or DEV_MODE=true to enable /terminal/ (or set HUGGINGCLAW_JUPYTER_ENABLED=true)." }));
+      return res.end(JSON.stringify({ status: "disabled", message: "JupyterLab terminal is disabled. Remove DEV_MODE=false to re-enable." }));
     }
     if (isDirectHfSpaceRequest) {
       res.writeHead(200, { "Content-Type": "text/html" });

login.html

@@ -8,36 +8,26 @@
   <img src="https://huggingface.co/front/assets/huggingface_logo-noborder.svg" alt="Hugging Face Logo" style="max-width: 120px; margin-bottom: 24px;">
   <h3>HuggingClaw Terminal</h3>
   <h4>Welcome to JupyterLab</h4>
-  <p style="color:#666;">Enter the <strong>JUPYTER_TOKEN</strong> you set in your Space secrets to access the terminal.</p>
-  <p style="color:#666;">This terminal is mounted at <code>/terminal/</code> inside the same Hugging Face Space as the OpenClaw UI.</p>
+  <p style="color:#666;">Token defaults to your <code>GATEWAY_TOKEN</code>. Set <code>JUPYTER_TOKEN</code> to override.</p>
 
   {% if login_available %}
-  <div class="row" style="display:flex; justify-content:center; margin-top:24px;">
-    <div class="navbar col-sm-8">
-      <div class="navbar-inner">
-        <div class="container">
-          <div class="center-nav">
-            <form action="{{base_url}}login?next={{next}}" method="post" class="navbar-form pull-left">
-              {{ xsrf_form_html() | safe }}
-              {% if token_available %}
-              <label for="password_input"><strong>{% trans %}Jupyter token <span title="This is the secret you set up when deploying your JupyterLab terminal">ⓘ</span> {% endtrans %}</strong></label>
-              {% else %}
-              <label for="password_input"><strong>{% trans %}Jupyter password:{% endtrans %}</strong></label>
-              {% endif %}
-              <input type="password" name="password" id="password_input" class="form-control">
-              <button type="submit" class="btn btn-default" id="login_submit">{% trans %}Log in{% endtrans %}</button>
-            </form>
-          </div>
-        </div>
-      </div>
-    </div>
+  <div style="display:flex; justify-content:center; margin-top:24px;">
+    <form action="{{base_url}}login?next={{next}}" method="post" style="display:flex; align-items:center; gap:8px;">
+      {{ xsrf_form_html() | safe }}
+      {% if token_available %}
+      <label for="password_input"><strong>{% trans %}Jupyter token <span title="Your GATEWAY_TOKEN (or JUPYTER_TOKEN if set)">ⓘ</span>{% endtrans %}</strong></label>
+      {% else %}
+      <label for="password_input"><strong>{% trans %}Jupyter password:{% endtrans %}</strong></label>
+      {% endif %}
+      <input type="password" name="password" id="password_input" class="form-control">
+      <button type="submit" class="btn btn-default" id="login_submit">{% trans %}Log in{% endtrans %}</button>
+    </form>
   </div>
   {% else %}
   <p>{% trans %}No login available, you shouldn't be seeing this page.{% endtrans %}</p>
   {% endif %}
 
   <h5 style="margin-top:28px;"><a href="/dashboard">Back to HuggingClaw dashboard</a></h5>
-  <p>This login page is based on the Hugging Face JupyterLab Space template.</p>
 
   {% if message %}
   <div class="row">

start.sh

@@ -97,7 +97,7 @@ fi
 # GATEWAY_TOKEN doubles as JUPYTER_TOKEN (see start_jupyter_once) — no extra secret required.
 if [ "$DEV_MODE_ENABLED" != "true" ] && [ -z "${DEV_MODE:-}" ] && [ -n "${GATEWAY_TOKEN:-}" ]; then
   DEV_MODE_ENABLED=true
-  echo "GATEWAY_TOKEN set and DEV_MODE not explicitly configured — auto-enabling terminal (set DEV_MODE=false to opt out)"
+  : # auto-enable is silent; set DEV_MODE=false to opt out
 fi
 SYNC_INTERVAL="$(trim_var "${SYNC_INTERVAL:-180}")"
 DEVDATA_DATASET_NAME="$(trim_var "${DEVDATA_DATASET_NAME:-huggingclaw-devdata}")"
@@ -875,12 +875,12 @@ export PATH="$HOME/.local/bin:$PATH"
 
 # Runtime install fallback: only attempt if DEV_MODE is enabled but install failed during build
 if [ "$DEV_MODE_ENABLED" = "true" ] && ! python3 -c "import jupyterlab" >/dev/null 2>&1; then
-  echo "DEV_MODE enabled but jupyter-lab is missing; attempting runtime install..."
-  if python3 -m pip install --user --no-cache-dir --break-system-packages "jupyterlab>=4.2,<5" "tornado>=6.3" "ipywidgets>=8.1"; then
-    echo "Runtime Jupyter install complete."
+  echo "Terminal  : installing JupyterLab..."
+  if python3 -m pip install -q --user --no-cache-dir --break-system-packages "jupyterlab>=4.2,<5" "tornado>=6.3" "ipywidgets>=8.1" >/dev/null 2>&1; then
+    echo "Terminal  : installed"
     python3 -c "from pathlib import Path; import shutil, jupyter_server; d=Path(jupyter_server.__file__).parent/'templates'; d.mkdir(parents=True,exist_ok=True); shutil.copyfile('/home/node/app/login.html', d/'login.html')" || true
   else
-    echo "WARNING: Runtime Jupyter install failed; disabling terminal for this boot."
+    echo "Terminal  : install failed — disabling for this boot"
     RUNTIME_JUPYTER_ENABLED=false
   fi
 fi
@@ -896,7 +896,6 @@ if [ -n "${SPACE_HOST:-}" ]; then
   else
     echo "Routes    : /app/ (Control UI)"
   fi
-  echo "Private   : open the Hugging Face App tab first; raw https://${SPACE_HOST}/... links can show HF 404 without the embedded Space session."
 fi
 echo ""
 
@@ -984,7 +983,6 @@ start_jupyter_once() {
   # reuse GATEWAY_TOKEN. Both protect the same Space, so the credential is equivalent.
   if { [ -z "${JUPYTER_TOKEN:-}" ] || [ "${JUPYTER_TOKEN}" = "huggingface" ]; } && [ -n "${GATEWAY_TOKEN:-}" ]; then
     JUPYTER_TOKEN="$GATEWAY_TOKEN"
-    echo "JUPYTER_TOKEN not set — using GATEWAY_TOKEN as terminal auth token"
   fi
 
   # Security guard: refuse to start JupyterLab with the insecure default token.
@@ -1017,7 +1015,7 @@ start_jupyter_once() {
   # Pre-create runtime directory
   mkdir -p "$JUPYTER_ROOT_DIR/.jupyter"
 
-  echo "DEV_MODE enabled (${DEV_MODE_RAW}) — starting JupyterLab terminal on internal port 8888 (path: /terminal/) with root: $JUPYTER_ROOT_DIR"
+  echo "Terminal  : starting (root: $JUPYTER_ROOT_DIR)"
   JUPYTER_LOG_FILE="/tmp/jupyterlab.log"
   
   # Use explicit Python to avoid PATH issues; set memory-friendly limits
@@ -1043,7 +1041,7 @@ start_jupyter_once() {
       >> "$JUPYTER_LOG_FILE" 2>&1 &
   JUPYTER_PID=$!
   export JUPYTER_PID
-  echo "JupyterLab started (PID: $JUPYTER_PID)"
+  echo "Terminal  : started (PID: $JUPYTER_PID)"
 }
 
 # BUG FIX #3: DevData restore must happen BEFORE JupyterLab starts.
@@ -1056,9 +1054,9 @@ if [ "$RUNTIME_JUPYTER_ENABLED" = "true" ] && \
    [ -n "${HF_TOKEN:-}" ] && \
    [ -f "/home/node/app/jupyter-devdata-sync.py" ] && \
    [ "${DEVDATA_DATASET_NAME:-huggingclaw-devdata}" != "${BACKUP_DATASET_NAME:-huggingclaw-backup}" ]; then
-  echo "DevData  : restoring workspace from ${DEVDATA_DATASET_NAME:-huggingclaw-devdata} (before JupyterLab starts)..."
-  python3 /home/node/app/jupyter-devdata-sync.py --restore || \
-    echo "DevData  : restore warning (non-fatal); continuing startup."
+  echo "DevData   : restoring workspace..."
+  python3 /home/node/app/jupyter-devdata-sync.py --restore 2>/dev/null || \
+    echo "DevData   : restore warning (non-fatal); continuing startup."
 fi
 
 # Fix: reinstall jsonschema AFTER devdata restore — restore can overwrite a broken
@@ -1066,9 +1064,7 @@ fi
 # JupyterLab to crash with a circular import error on every boot.
 if [ "$DEV_MODE_ENABLED" = "true" ]; then
   if ! python3 -c "import jsonschema" >/dev/null 2>&1; then
-    echo "DevData  : jsonschema broken after restore — reinstalling (circular import fix)..."
-    python3 -m pip install --force-reinstall --no-cache-dir --break-system-packages "jsonschema>=4.0" >/dev/null 2>&1 || true
-    echo "DevData  : jsonschema reinstall done."
+    python3 -m pip install -q --force-reinstall --no-cache-dir --break-system-packages "jsonschema>=4.0" >/dev/null 2>&1 || true
   fi
 fi
 
@@ -1076,8 +1072,6 @@ fi
 # Accessible via /terminal/ path through the health-server proxy
 if [ "$RUNTIME_JUPYTER_ENABLED" = "true" ]; then
   start_jupyter_once
-else
-  echo "Jupyter terminal disabled for this boot (DEV_MODE=${DEV_MODE_RAW})."
 fi
 
 if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ]; then