Merge pull request #31 from anurag162008/codex/find-automatic-package-installation-method-d90k9g

.env.example

@@ -247,6 +247,10 @@ LLM_API_KEY_FALLBACK_ENABLED=true
 # Generate: openssl rand -hex 32
 GATEWAY_TOKEN=your_gateway_token_here
 
+# [OPTIONAL] JupyterLab terminal token for /terminal/
+# Defaults to "huggingface" if unset. Set a strong token for private deployments.
+JUPYTER_TOKEN=huggingface
+
 # (Optional) Password auth — simpler alternative to token for casual users
 # If set, users can log in with this password instead of the token
 # OPENCLAW_PASSWORD=your_password_here

.gitattributes

@@ -0,0 +1,34 @@
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.arrow filter=lfs diff=lfs merge=lfs -text
+*.bin filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.ckpt filter=lfs diff=lfs merge=lfs -text
+*.ftz filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.h5 filter=lfs diff=lfs merge=lfs -text
+*.joblib filter=lfs diff=lfs merge=lfs -text
+*.lfs.* filter=lfs diff=lfs merge=lfs -text
+*.mlmodel filter=lfs diff=lfs merge=lfs -text
+*.model filter=lfs diff=lfs merge=lfs -text
+*.msgpack filter=lfs diff=lfs merge=lfs -text
+*.npy filter=lfs diff=lfs merge=lfs -text
+*.npz filter=lfs diff=lfs merge=lfs -text
+*.onnx filter=lfs diff=lfs merge=lfs -text
+*.ot filter=lfs diff=lfs merge=lfs -text
+*.parquet filter=lfs diff=lfs merge=lfs -text
+*.pb filter=lfs diff=lfs merge=lfs -text
+*.pickle filter=lfs diff=lfs merge=lfs -text
+*.pkl filter=lfs diff=lfs merge=lfs -text
+*.pt filter=lfs diff=lfs merge=lfs -text
+*.pth filter=lfs diff=lfs merge=lfs -text
+*.rar filter=lfs diff=lfs merge=lfs -text
+*.safetensors filter=lfs diff=lfs merge=lfs -text
+saved_model/**/* filter=lfs diff=lfs merge=lfs -text
+*.tar.* filter=lfs diff=lfs merge=lfs -text
+*.tflite filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.wasm filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
+*tfevents* filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -1,21 +1,20 @@
-# personal workflows
-.github/workflows/
-.git*
 # env/secrets
 .env
 .env.*
+!.env.example
 *.pem
 *.key
 
 # node
 node_modules/
+gui/node_modules/
 npm-debug.log*
 yarn-debug.log*
 pnpm-debug.log*
 
 # python
 __pycache__/
-*.pyc
+*.py[cod]
 .venv/
 venv/
 
@@ -33,12 +32,10 @@ build/
 .cache/
 
 # temp
+.tmp/
 tmp/
 temp/
 
 # os junk
 .DS_Store
 Thumbs.db
-
-# gitignore itself
-.gitignore

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.6.0] - 2026-05-14
+
+### Added
+
+- **Merged JupyterLab terminal** — added the Hugging Face JupyterLab template login page and `/terminal/` routing alongside the HuggingClaw dashboard and `/app/` OpenClaw Control UI.
+- **HF template parity files** — restored Git LFS defaults and project metadata/docs that were missing from the merged repository.
+
+### Fixed
+
+- **HF Spaces subpath routing** — normalized internal redirects and WebSocket forwarding so `/app/` and `/terminal/` stay mounted behind the single public Spaces port.
+- **Startup log noise** — removed the stale disabled `plugins.entries.acpx` config entry, switched Jupyter token/cookie options to `IdentityProvider.*`, and printed `/app/` with the trailing slash.
+- **Private Space navigation** — dashboard buttons now stay in-frame and startup logs print relative routes, avoiding raw `.hf.space` links that can show Hugging Face's outer 404 page on private Spaces.
+
 ## [1.5.0] - 2026-05-13
 
 ### Added

CONTRIBUTING.md

@@ -17,7 +17,7 @@ Thanks for your interest in contributing! 🦞
 1. Fork the repo
 2. Create a feature branch: `git checkout -b feature/my-feature`
 3. Make your changes
-4. Test locally with Docker: `docker build -t huggingclaw . && docker run -p 7860:7860 --env-file .env huggingclaw`
+4. Test locally with Docker: `docker build -t huggingclaw . && docker run -p 7861:7861 --env-file .env huggingclaw`
 5. Commit with a clear message
 6. Push and open a PR
 
@@ -27,6 +27,7 @@ Thanks for your interest in contributing! 🦞
 - No unnecessary dependencies
 
 ### Testing
+- If touching routing or Docker startup, verify both `/app/` (OpenClaw UI) and `/terminal/` (JupyterLab terminal).
 - Test with at least one LLM provider (Anthropic, OpenAI, or Google)
 - Test with and without Telegram enabled
 - Test with and without workspace backup enabled
@@ -38,7 +39,7 @@ Thanks for your interest in contributing! 🦞
 cp .env.example .env
 # Fill in your values
 docker build -t huggingclaw .
-docker run -p 7860:7860 --env-file .env huggingclaw
+docker run -p 7861:7861 --env-file .env huggingclaw
 ```
 
 ## Questions?

Dockerfile

@@ -1,7 +1,11 @@
 # ════════════════════════════════════════════════════════════════
-# 🦞 HuggingClaw — OpenClaw Gateway for HuggingFace Spaces
+# 🦞 HuggingClaw + 💻 JupyterLab Terminal
+# ════════════════════════════════════════════════════════════════
+# Port 7861 (exposed): Dashboard + reverse proxy
+#   /          → HuggingClaw dashboard
+#   /app/      → OpenClaw gateway (internal :7860)
+#   /terminal/ → JupyterLab terminal (internal :8888)
 # ════════════════════════════════════════════════════════════════
-# Multi-stage build: uses pre-built OpenClaw image for fast builds
 
 # ── Stage 1: Pull pre-built OpenClaw ──
 ARG OPENCLAW_VERSION=latest
@@ -10,8 +14,10 @@ FROM ghcr.io/openclaw/openclaw:${OPENCLAW_VERSION} AS openclaw
 # ── Stage 2: Runtime ──
 FROM node:22-slim
 ARG OPENCLAW_VERSION=latest
+ARG DEV_MODE=false
+ENV DEV_MODE=${DEV_MODE}
 
-# Install system dependencies
+# Install system dependencies (+ optional JupyterLab deps in DEV_MODE)
 RUN apt-get update && apt-get install -y \
     git \
     sudo \
@@ -43,11 +49,17 @@ RUN apt-get update && apt-get install -y \
     xfonts-scalable \
     --no-install-recommends && \
     pip3 install --no-cache-dir --break-system-packages huggingface_hub && \
+    case "$(printf '%s' "${DEV_MODE}" | tr '[:upper:]' '[:lower:]')" in \
+      true|1|yes|on) \
+        pip3 install --no-cache-dir --break-system-packages \
+          jupyterlab==4.5.7 \
+          tornado==6.5.5 \
+          ipywidgets==8.1.8 ;; \
+    esac && \
     rm -rf /var/lib/apt/lists/*
 
 # Reuse existing node user (UID 1000). Allow passwordless package-manager
-# commands only so runtime apt installs can be replayed after HF Space restarts
-# without granting unrestricted sudo access.
+# commands only so runtime apt installs can be replayed after HF Space restarts.
 RUN mkdir -p /home/node/app /home/node/.openclaw && \
     chown -R 1000:1000 /home/node && \
     printf '%s\n' \
@@ -60,8 +72,7 @@ RUN mkdir -p /home/node/app /home/node/.openclaw && \
 # Copy pre-built OpenClaw (skips npm install entirely — much faster!)
 COPY --from=openclaw --chown=1000:1000 /app /home/node/.openclaw/openclaw-app
 
-# Add Playwright in an isolated sidecar node_modules so we do not mutate the
-# bundled OpenClaw app dependency tree.
+# Add Playwright in an isolated sidecar node_modules
 RUN mkdir -p /home/node/browser-deps && \
     cd /home/node/browser-deps && \
     npm init -y && \
@@ -75,14 +86,30 @@ RUN ln -s /home/node/.openclaw/openclaw-app/openclaw.mjs /usr/local/bin/openclaw
 COPY --chown=1000:1000 cloudflare-proxy.js /opt/cloudflare-proxy.js
 COPY --chown=1000:1000 cloudflare-proxy-setup.py /home/node/app/cloudflare-proxy-setup.py
 COPY --chown=1000:1000 health-server.js /home/node/app/health-server.js
+COPY --chown=1000:1000 login.html /home/node/app/login.html
 COPY --chown=1000:1000 iframe-fix.cjs /home/node/app/iframe-fix.cjs
 COPY --chown=1000:1000 start.sh /home/node/app/start.sh
 COPY --chown=1000:1000 wa-guardian.js /home/node/app/wa-guardian.js
 COPY --chown=1000:1000 cloudflare-keepalive-setup.py /home/node/app/cloudflare-keepalive-setup.py
 COPY --chown=1000:1000 openclaw-sync.py /home/node/app/openclaw-sync.py
-RUN chmod +x /home/node/app/start.sh /home/node/app/cloudflare-proxy-setup.py /home/node/app/cloudflare-keepalive-setup.py /home/node/app/openclaw-sync.py
 COPY --chown=1000:1000 multi-provider-key-rotator.cjs /home/node/app/multi-provider-key-rotator.cjs
-RUN chmod +x /home/node/app/start.sh /home/node/app/cloudflare-proxy-setup.py /home/node/app/cloudflare-keepalive-setup.py /home/node/app/openclaw-sync.py /home/node/app/multi-provider-key-rotator.cjs
+RUN printf '%s\n' \
+  '#!/usr/bin/env bash' \
+  'set -euo pipefail' \
+  'case "$(printf "%s" "${DEV_MODE}" | tr "[:upper:]" "[:lower:]")" in' \
+  '  true|1|yes|on)' \
+  "    python3 -c \"from pathlib import Path; import shutil, jupyter_server; template_dir = Path(jupyter_server.__file__).parent / 'templates'; template_dir.mkdir(parents=True, exist_ok=True); shutil.copyfile('/home/node/app/login.html', template_dir / 'login.html')\"" \
+  '    ;;' \
+  'esac' \
+  > /tmp/setup-jupyter-template.sh && \
+  chmod +x /tmp/setup-jupyter-template.sh && \
+  /tmp/setup-jupyter-template.sh && \
+  rm -f /tmp/setup-jupyter-template.sh
+RUN chmod +x /home/node/app/start.sh \
+              /home/node/app/cloudflare-proxy-setup.py \
+              /home/node/app/cloudflare-keepalive-setup.py \
+              /home/node/app/openclaw-sync.py \
+              /home/node/app/multi-provider-key-rotator.cjs
 
 USER node
 
@@ -94,10 +121,9 @@ ENV HOME=/home/node \
 
 WORKDIR /home/node/app
 
+# 7861 = public entrypoint (dashboard + proxy for both OpenClaw and JupyterLab)
 EXPOSE 7861
 
-# health-server.js exposes /health on 7861 and proxies to the gateway on 7860.
-# 90s start period covers OpenClaw's plugin install + gateway boot on cold start.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=90s \
   CMD curl -fsS http://localhost:7861/health || exit 1
 

README.md

@@ -1,12 +1,17 @@
 ---
 title: HuggingClaw
 emoji: 🦞
-colorFrom: blue
-colorTo: purple
+colorFrom: red
+colorTo: blue
 sdk: docker
 app_port: 7861
-pinned: true
+pinned: false
 license: mit
+tags:
+  - openclaw
+  - jupyterlab
+  - terminal
+  - llm-gateway
 secrets:
   - name: LLM_API_KEY
     description: "Your LLM provider API key (e.g. Anthropic, OpenAI, Google, OpenRouter)."
@@ -14,6 +19,8 @@ secrets:
     description: "Model ID to use, e.g. google/gemini-2.5-flash or openai/gpt-4o."
   - name: GATEWAY_TOKEN
     description: "Strong token to secure your OpenClaw Control UI (generate: openssl rand -hex 32)."
+  - name: JUPYTER_TOKEN
+    description: "Optional strong token for the JupyterLab terminal at /terminal/ (defaults to huggingface)."
   - name: CLOUDFLARE_WORKERS_TOKEN
     description: "Cloudflare API token — auto-creates a Worker proxy and KeepAlive monitor."
   - name: TELEGRAM_ALLOWED_USERS
@@ -32,7 +39,7 @@ secrets:
 [![HF Space](https://img.shields.io/badge/🤗%20HuggingFace-Space-blue?style=flat-square)](https://huggingface.co/spaces)
 [![OpenClaw](https://img.shields.io/badge/OpenClaw-Gateway-red?style=flat-square)](https://github.com/openclaw/openclaw)
 
-**Your always-on AI assistant — free, no server needed.** HuggingClaw runs [OpenClaw](https://openclaw.ai) on HuggingFace Spaces, giving you a 24/7 AI chat assistant on Telegram and WhatsApp. It works with *any* large language model (LLM) – Claude, ChatGPT, Gemini, etc. – and even supports custom models via [OpenRouter](https://openrouter.ai). Deploy in minutes on the free HF Spaces tier (2 vCPU, 16GB RAM, 50GB) with automatic workspace backup to a HuggingFace Dataset so your chat history and settings persist across restarts.
+**Your always-on AI assistant — free, no server needed.** This merged Space runs [OpenClaw](https://openclaw.ai) plus a Hugging Face-style JupyterLab terminal on one HF Spaces port, giving you a 24/7 AI chat assistant on Telegram and WhatsApp. It works with *any* large language model (LLM) – Claude, ChatGPT, Gemini, etc. – and even supports custom models via [OpenRouter](https://openrouter.ai). Deploy in minutes on the free HF Spaces tier (2 vCPU, 16GB RAM, 50GB) with automatic workspace backup to a HuggingFace Dataset so your chat history and settings persist across restarts.
 
 ## Table of Contents
 
@@ -49,6 +56,8 @@ secrets:
 - [🤖 LLM Providers](#-llm-providers)
 - [💻 Local Development](#-local-development)
 - [🔗 CLI Access](#-cli-access)
+- [💻 JupyterLab Terminal](#-jupyterlab-terminal)
+- [🔍 Merge Comparison](#-merge-comparison)
 - [🏗️ Architecture](#-architecture)
 - [💓 Staying Alive](#-staying-alive)
 - [🐛 Troubleshooting](#-troubleshooting)
@@ -69,6 +78,7 @@ secrets:
 - 📊 **Visual Dashboard:** Beautiful Web UI to monitor uptime, sync status, and active models.
 - 🔔 **Webhooks:** Get notified on restarts or backup failures via standard webhooks.
 - 🔐 **Flexible Auth:** Secure the Control UI with either a gateway token or password.
+- 💻 **Optional Dev Terminal:** JupyterLab is available at `/terminal/` only when `DEV_MODE=true` (disabled by default).
 - 🏠 **100% HF-Native:** Runs entirely on HuggingFace’s free infrastructure (2 vCPU, 16GB RAM).
 
 ## 🎥 Video Tutorial
@@ -94,7 +104,7 @@ Navigate to your new Space's **Settings**, scroll down to the **Variables and se
 > [!TIP]
 > HuggingClaw is completely flexible! You only need these three secrets to get started. You can set other secrets later.
 
-Optional: if you want to pin a specific OpenClaw release instead of `latest`, add `OPENCLAW_VERSION` under **Variables** in your Space settings. For Docker Spaces, HF passes Variables as build args during image build, so this should be a Variable, not a Secret.
+Optional: set `DEV_MODE=true` (Variable) to enable JupyterLab support and install Jupyter dependencies at build time. You can also set `JUPYTER_TOKEN` as a Secret to replace the default terminal token (`huggingface`). If you want to pin a specific OpenClaw release instead of `latest`, add `OPENCLAW_VERSION` under **Variables** in your Space settings. For Docker Spaces, HF passes Variables as build args during image build, so these should be Variables, not Secrets (except tokens).
 
 ### Step 3: Deploy & Run
 
@@ -348,6 +358,30 @@ openclaw channels login --gateway https://YOUR_SPACE_NAME.hf.space
 # When prompted, enter your GATEWAY_TOKEN
 ```
 
+## 💻 JupyterLab Terminal
+
+The merged Space includes the Hugging Face JupyterLab template behavior inside the same container:
+
+| Path | Service | Internal Port | Notes |
+| :--- | :--- | :--- | :--- |
+| `/` | HuggingClaw dashboard | `7861` | Public HF Spaces entrypoint |
+| `/app/` | OpenClaw Control UI | `7860` | Mounted behind the local reverse proxy |
+| `/terminal/` | JupyterLab terminal (DEV_MODE only) | `8888` | Available only when `DEV_MODE=true`; token login uses `JUPYTER_TOKEN` (default `huggingface`) |
+
+When enabled, the terminal notebook root is `/home/node`, so you can inspect HuggingClaw files, logs, workspace state, and runtime scripts from the browser.
+
+> [!IMPORTANT]
+> For real deployments, set a strong `JUPYTER_TOKEN` secret. The `huggingface` default exists only to match the duplicateable Hugging Face JupyterLab template.
+
+## 🔍 Merge Comparison
+
+This repository is a merge of two sources:
+
+- `anurag162008/HuggingClaw`: OpenClaw gateway, dashboard, Cloudflare proxy/keep-alive, Telegram/WhatsApp helpers, backup sync, key rotation, docs, and security metadata.
+- Hugging Face `SpacesExamples/jupyterlab` template: JupyterLab Docker behavior, token login UX, Hugging Face-branded login template, pinned Jupyter packages, and Git LFS defaults for large model/data artifacts.
+
+The main merge-specific change is the single-port router: HF Spaces exposes `7861`, while the router keeps OpenClaw at `/app/` and JupyterLab at `/terminal/` without leaking internal redirects such as `http://127.0.0.1:8888/...`.
+
 ## 🏗️ Architecture
 
 HuggingClaw uses a multi-layered approach to ensure stability and persistence on Hugging Face's ephemeral infrastructure.
@@ -355,8 +389,9 @@ HuggingClaw uses a multi-layered approach to ensure stability and persistence on
 <details>
 <summary><b>Click to view technical details</b></summary>
 
-- **Dashboard (`/`)**: Management, monitoring, and keep-alive tools.
-- **Control UI (`/gateway`)**: Secure interface for managing agents and channels.
+- **Dashboard (`/`)**: Management, monitoring, and keep-alive tools (terminal controls appear only in DEV mode).
+- **Control UI (`/app/`)**: Secure interface for managing agents and channels, proxied to the OpenClaw gateway on internal port `7860`.
+- **JupyterLab Terminal (`/terminal/`)**: Browser terminal/notebook server on internal port `8888` (DEV mode only).
 - **Health Check (`/health`)**: Endpoint for uptime monitoring and readiness probes.
 - **Sync Engine**: Python background process managing HF Dataset persistence.
 - **Transparent Proxy**: Interceptor for requests to blocked domains (Telegram, etc.).
@@ -367,12 +402,15 @@ HuggingClaw uses a multi-layered approach to ensure stability and persistence on
 2. Resolve backup namespace and restore workspace from HF Dataset.
 3. Generate `openclaw.json` configuration.
 4. Launch background tasks (auto-sync, channel helpers).
-5. Start OpenClaw gateway and listen for connections.
+5. Start the local dashboard/reverse proxy and OpenClaw gateway (JupyterLab starts only when `DEV_MODE=true`).
 
 </details>
 
 ## 🐛 Troubleshooting
 
+- **Private Space 404:** If your Space is private, raw `https://<space>.hf.space/app/` or `/terminal/` links can show Hugging Face's own 404 page when opened outside the embedded App session. Open the Space's **App** tab first, then use the in-page dashboard buttons for `/app/` and `/terminal/`.
+- **Terminal 404 or redirect loop:** Open `/terminal/` with the trailing slash from the dashboard/App tab, rebuild after Dockerfile changes, and confirm `JUPYTER_TOKEN` is set correctly if you changed the default.
+- **Control UI 404:** Open `/app/` with the trailing slash from the dashboard/App tab; the reverse proxy rewrites backend redirects into this mount path.
 - **Missing secrets:** Ensure `LLM_API_KEY`, `LLM_MODEL`, and `GATEWAY_TOKEN` are set in your Space **Settings → Secrets**.
 - **Telegram bot issues:** Verify your `TELEGRAM_BOT_TOKEN`. Check Space logs for lines like `📱 Enabling Telegram`.
 - **Backup restore failing:** Make sure `HF_TOKEN` is valid and has write access to your HF account dataset. Set `HF_USERNAME` only if auto-detection is not available in your environment.
@@ -397,9 +435,9 @@ Similar projects by [@somratpro](https://github.com/somratpro) — all free, one
 
 ## 📚 Links
 
-- [OpenClaw Docs](https://docs.openclaw.ai)  
-- [OpenClaw GitHub](https://github.com/openclaw/openclaw)  
-- [HuggingFace Spaces Docs](https://huggingface.co/docs/hub/spaces)  
+- [OpenClaw Docs](https://docs.openclaw.ai)
+- [OpenClaw GitHub](https://github.com/openclaw/openclaw)
+- [HuggingFace Spaces Docs](https://huggingface.co/docs/hub/spaces)
 
 ## ❤️ Support
 
@@ -422,4 +460,4 @@ Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for gui
 
 MIT — see [LICENSE](LICENSE) for details.
 
-*Made with ❤️ by [@somratpro](https://github.com/somratpro) for the OpenClaw community.*  
+*Made with ❤️ by [@somratpro](https://github.com/somratpro) for the OpenClaw community.*

SECURITY.md

@@ -16,6 +16,7 @@ When deploying HuggingClaw:
 
 - **Set your Space to Private** — prevents unauthorized access to your gateway
 - **Use a strong `GATEWAY_TOKEN`** — generate with `openssl rand -hex 32`
+- **Set a strong `JUPYTER_TOKEN`** — the `/terminal/` JupyterLab login defaults to `huggingface` only for template convenience
 - **Keep your HF token scoped** — use fine-grained tokens with minimum permissions
 - **Don't commit `.env` files** — the `.gitignore` already excludes them
 - **Use `TELEGRAM_ALLOWED_USERS`** — restricts bot access to your account only

health-server.js

@@ -1,4 +1,4 @@
-// Single public entrypoint for HF Spaces: local dashboard + reverse proxy to OpenClaw.
+// Single public entrypoint for HF Spaces: dashboard + reverse proxy to OpenClaw + JupyterLab.
 const http = require("http");
 const fs = require("fs");
 const net = require("net");
@@ -6,6 +6,13 @@ const net = require("net");
 const PORT = 7861;
 const GATEWAY_PORT = 7860;
 const GATEWAY_HOST = "127.0.0.1";
+const JUPYTER_PORT = 8888;
+const JUPYTER_HOST = "127.0.0.1";
+const JUPYTER_BASE = "/terminal";
+const DEV_MODE_ENABLED = /^(true|1|yes|on)$/i.test(process.env.DEV_MODE || "");
+const JUPYTER_ENABLED = /^(true|1|yes|on)$/i.test(
+  process.env.HUGGINGCLAW_JUPYTER_ENABLED || (DEV_MODE_ENABLED ? "true" : "false")
+);
 const startTime = Date.now();
 const LLM_MODEL = process.env.LLM_MODEL || "Not Set";
 const TELEGRAM_ENABLED = !!process.env.TELEGRAM_BOT_TOKEN;
@@ -19,40 +26,26 @@ const CLOUDFLARE_KEEPALIVE_STATUS_FILE =
   "/tmp/huggingclaw-cloudflare-keepalive-status.json";
 
 function parseRequestUrl(url) {
-  try {
-    return new URL(url, "http://localhost");
-  } catch {
-    return new URL("http://localhost/");
-  }
+  try { return new URL(url, "http://localhost"); }
+  catch { return new URL("http://localhost/"); }
 }
 
 function getSyncStatus() {
   try {
-    if (fs.existsSync(SYNC_STATUS_FILE)) {
+    if (fs.existsSync(SYNC_STATUS_FILE))
       return JSON.parse(fs.readFileSync(SYNC_STATUS_FILE, "utf8"));
-    }
   } catch {}
-  if (HF_BACKUP_ENABLED) {
-    return {
-      status: "configured",
-      message: `Backup is enabled. Waiting for sync window (${SYNC_INTERVAL}s).`,
-    };
-  }
+  if (HF_BACKUP_ENABLED)
+    return { status: "configured", message: `Backup enabled. Waiting for sync window (${SYNC_INTERVAL}s).` };
   return { status: "unknown", message: "No sync data yet" };
 }
 
 function readGuardianStatus() {
-  if (!WHATSAPP_ENABLED) {
-    return { configured: false, connected: false, pairing: false };
-  }
+  if (!WHATSAPP_ENABLED) return { configured: false, connected: false, pairing: false };
   try {
     if (fs.existsSync(WHATSAPP_STATUS_FILE)) {
-      const parsed = JSON.parse(fs.readFileSync(WHATSAPP_STATUS_FILE, "utf8"));
-      return {
-        configured: parsed.configured !== false,
-        connected: parsed.connected === true,
-        pairing: parsed.pairing === true,
-      };
+      const p = JSON.parse(fs.readFileSync(WHATSAPP_STATUS_FILE, "utf8"));
+      return { configured: p.configured !== false, connected: p.connected === true, pairing: p.pairing === true };
     }
   } catch {}
   return { configured: true, connected: false, pairing: false };
@@ -60,71 +53,42 @@ function readGuardianStatus() {
 
 function getKeepaliveStatus() {
   try {
-    if (fs.existsSync(CLOUDFLARE_KEEPALIVE_STATUS_FILE)) {
-      return JSON.parse(
-        fs.readFileSync(CLOUDFLARE_KEEPALIVE_STATUS_FILE, "utf8"),
-      );
-    }
+    if (fs.existsSync(CLOUDFLARE_KEEPALIVE_STATUS_FILE))
+      return JSON.parse(fs.readFileSync(CLOUDFLARE_KEEPALIVE_STATUS_FILE, "utf8"));
   } catch {}
   return null;
 }
 
-function probeGatewayHealth(timeoutMs = 1500) {
+function probePort(host, port, path, timeoutMs = 1500) {
   return new Promise((resolve) => {
-    const request = http.get(
-      {
-        hostname: GATEWAY_HOST,
-        port: GATEWAY_PORT,
-        path: "/health",
-        timeout: timeoutMs,
-      },
-      (response) => {
-        response.resume();
-        resolve(response.statusCode >= 200 && response.statusCode < 400);
-      },
-    );
-    request.on("timeout", () => {
-      request.destroy();
-      resolve(false);
+    const req = http.get({ hostname: host, port, path, timeout: timeoutMs }, (res) => {
+      res.resume();
+      resolve(res.statusCode >= 200 && res.statusCode < 500);
     });
-    request.on("error", () => resolve(false));
+    req.on("timeout", () => { req.destroy(); resolve(false); });
+    req.on("error", () => resolve(false));
   });
 }
 
 function formatUptime(ms) {
-  const total = Math.floor(ms / 1000);
-  const days = Math.floor(total / 86400);
-  const hours = Math.floor((total % 86400) / 3600);
-  const minutes = Math.floor((total % 3600) / 60);
-  if (days) return `${days}d ${hours}h ${minutes}m`;
-  if (hours) return `${hours}h ${minutes}m`;
-  return `${minutes}m`;
+  const t = Math.floor(ms / 1000);
+  const d = Math.floor(t / 86400), h = Math.floor((t % 86400) / 3600), m = Math.floor((t % 3600) / 60);
+  if (d) return `${d}d ${h}h ${m}m`;
+  if (h) return `${h}h ${m}m`;
+  return `${m}m`;
 }
 
-function escapeHtml(value) {
-  return String(value)
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;");
+function escapeHtml(v) {
+  return String(v).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;");
 }
 
-function toneBadge(label, tone = "neutral") {
+function badge(label, tone = "neutral") {
   return `<span class="badge ${tone}">${escapeHtml(label)}</span>`;
 }
 
-function renderTile({
-  title,
-  value,
-  detail = "",
-  tone = "neutral",
-  meta = "",
-}) {
+function tile({ title, value, detail = "", tone = "neutral", meta = "" }) {
   return `<article class="tile ${tone}">
-    <div class="tile-head">
-      <span class="tile-title">${escapeHtml(title)}</span>
-      <span class="tile-dot"></span>
-    </div>
+    <div class="tile-head"><span class="tile-title">${escapeHtml(title)}</span><span class="tile-dot"></span></div>
     <div class="tile-value">${value}</div>
     ${detail ? `<div class="tile-detail">${detail}</div>` : ""}
     ${meta ? `<div class="tile-meta">${meta}</div>` : ""}
@@ -133,276 +97,239 @@ function renderTile({
 
 function renderDashboard(data) {
   const syncStatus = String(data.sync?.status || "unknown");
-  const syncTone = ["success", "restored", "synced", "configured"].includes(
-    syncStatus,
-  )
-    ? "ok"
-    : syncStatus === "disabled"
-      ? "warn"
-      : "neutral";
-  const backupDetail = data.sync?.message
-    ? escapeHtml(data.sync.message)
-    : "No status yet";
-
-  const keepaliveConfigured = data.keepalive?.configured === true;
-  const keepaliveStatus = String(
-    data.keepalive?.status ||
-      (process.env.CLOUDFLARE_WORKERS_TOKEN ? "pending" : "not configured"),
-  );
-  const keepAliveTone = keepaliveConfigured
-    ? "ok"
-    : process.env.CLOUDFLARE_WORKERS_TOKEN
-      ? "warn"
-      : "neutral";
-  const keepAliveDetail = keepaliveConfigured
-    ? `Pinging <code>${escapeHtml(data.keepalive.targetUrl || "/health")}</code>`
-    : process.env.CLOUDFLARE_WORKERS_TOKEN
-      ? "Worker pending or failed"
-      : "Not configured";
+  const syncTone = ["success","restored","synced","configured"].includes(syncStatus) ? "ok" : syncStatus === "disabled" ? "warn" : "neutral";
+  const kaConf = data.keepalive?.configured === true;
+  const kaStatus = String(data.keepalive?.status || (process.env.CLOUDFLARE_WORKERS_TOKEN ? "pending" : "not configured"));
+  const kaTone = kaConf ? "ok" : process.env.CLOUDFLARE_WORKERS_TOKEN ? "warn" : "neutral";
 
   const tiles = [
-    renderTile({
-      title: "Gateway",
-      value: toneBadge(
-        data.gatewayReady ? "Online" : "Offline",
-        data.gatewayReady ? "ok" : "off",
-      ),
-      detail: `Internal Port ${GATEWAY_PORT}`,
-      tone: data.gatewayReady ? "ok" : "off",
-    }),
-    renderTile({
-      title: "Model",
-      value: `<code>${escapeHtml(LLM_MODEL)}</code>`,
-      detail: `Primary LLM Configured`,
-      tone: "neutral",
-    }),
-    renderTile({
-      title: "Runtime",
-      value: escapeHtml(data.uptimeHuman),
-      detail: `Public Port ${PORT}`,
-      tone: "neutral",
-    }),
-    renderTile({
-      title: "Telegram",
-      value: toneBadge(
-        TELEGRAM_ENABLED ? "Enabled" : "Disabled",
-        TELEGRAM_ENABLED ? "ok" : "neutral",
-      ),
-      detail: TELEGRAM_ENABLED ? "Bot Channel active" : "Not configured",
-      tone: TELEGRAM_ENABLED ? "ok" : "neutral",
-    }),
-    renderTile({
-      title: "Backup",
-      value: toneBadge(syncStatus.toUpperCase(), syncTone),
-      detail: backupDetail,
-      tone: syncTone,
-      meta: data.sync?.timestamp
-        ? `<span class="local-time" data-iso="${data.sync.timestamp}"></span>`
-        : "",
-    }),
-    renderTile({
-      title: "Keep Awake",
-      value: toneBadge(
-        keepaliveConfigured ? "CF Cron" : keepaliveStatus.toUpperCase(),
-        keepAliveTone,
-      ),
-      detail: keepAliveDetail,
-      tone: keepAliveTone,
-    }),
-  ].join("");
-
-  return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
+    tile({ title: "Gateway", value: badge(data.gatewayReady ? "Online" : "Offline", data.gatewayReady ? "ok" : "off"), detail: `OpenClaw on internal port ${GATEWAY_PORT}`, tone: data.gatewayReady ? "ok" : "off" }),
+    tile({ title: "Model", value: `<code>${escapeHtml(LLM_MODEL)}</code>`, detail: "Primary LLM configured", tone: "neutral" }),
+    tile({ title: "Runtime", value: escapeHtml(data.uptimeHuman), detail: `Public port ${PORT}`, tone: "neutral" }),
+    tile({ title: "Telegram", value: badge(TELEGRAM_ENABLED ? "Enabled" : "Disabled", TELEGRAM_ENABLED ? "ok" : "neutral"), detail: TELEGRAM_ENABLED ? "Bot channel active" : "Not configured", tone: TELEGRAM_ENABLED ? "ok" : "neutral" }),
+    tile({ title: "Backup", value: badge(syncStatus.toUpperCase(), syncTone), detail: escapeHtml(data.sync?.message || "No status yet"), tone: syncTone, meta: data.sync?.timestamp ? `<span class="local-time" data-iso="${data.sync.timestamp}"></span>` : "" }),
+    tile({ title: "Keep Awake", value: badge(kaConf ? "CF Cron" : kaStatus.toUpperCase(), kaTone), detail: kaConf ? `Pinging <code>${escapeHtml(data.keepalive?.targetUrl || "/health")}</code>` : process.env.CLOUDFLARE_WORKERS_TOKEN ? "Worker pending or failed" : "Not configured", tone: kaTone }),
+  ];
+
+  if (JUPYTER_ENABLED) {
+    tiles.push(tile({ title: "Terminal", value: badge(data.jupyterReady ? "Online" : "Starting…", data.jupyterReady ? "ok" : "warn"), detail: `JupyterLab at <a href="${JUPYTER_BASE}/" style="color:inherit">${JUPYTER_BASE}/</a>`, tone: data.jupyterReady ? "ok" : "warn" }));
+  }
+
+  const tilesHtml = tiles.join("");
+
+  return `<!doctype html><html lang="en"><head>
+  <meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>
   <title>HuggingClaw</title>
   <style>
-    :root { color-scheme: dark; --bg:#08080f; --panel:#12111b; --line:#26243a; --text:#f6f4ff; --muted:#7f7a9e; --soft:#b8b3d7; --good:#22c55e; --warn:#f5c542; --bad:#fb7185;  }
-    * { box-sizing:border-box; }
-    body { margin:0; min-height:100vh; font-family:Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background:var(--bg); color:var(--text); font-size:13px; }
-    main { width:min(720px, calc(100% - 32px)); margin:0 auto; padding:36px 0 44px; }
-    header { text-align:center; margin-bottom:22px; }
-    h1 { margin:0; font-size:1.65rem; line-height:1; letter-spacing:0; }
-    .subtitle { margin-top:12px; color:var(--muted); font-size:.72rem; text-transform:uppercase; letter-spacing:.14em; font-weight:800; }
-    .hero-action { display:flex; width:100%; min-height:46px; align-items:center; justify-content:center; border-radius:8px; background:#fff; color:#000; text-decoration:none; font-weight:850; font-size:.98rem; margin:24px 0 20px; transition: opacity 0.15s ease; }
-    .hero-action:hover { opacity: 0.9; }
-    .overview { display:grid; grid-template-columns:repeat(2, minmax(0, 1fr)); gap:10px; margin-bottom:10px; }
-    .tile { border:1px solid var(--line); background:var(--panel); border-radius:11px; padding:18px; min-height:124px; display:flex; flex-direction:column; gap:10px; position:relative; }
-    .tile.ok { border-color:rgba(34,197,94,.22); }
-    .tile.warn { border-color:rgba(245,197,66,.24); }
-    .tile.off { border-color:rgba(251,113,133,.28); }
-    .tile-head { display:flex; align-items:center; justify-content:space-between; gap:12px; }
-    .tile-title { color:var(--muted); font-size:.67rem; letter-spacing:.18em; text-transform:uppercase; font-weight:850; }
-    .tile-dot { width:7px; height:7px; border-radius:50%; background:var(--line); }
-    .tile.ok .tile-dot { background:var(--good); }
-    .tile.warn .tile-dot { background:var(--warn); }
-    .tile.off .tile-dot { background:var(--bad); }
-    .tile-value { font-size:1.12rem; font-weight:850; overflow-wrap:anywhere; }
-    .tile-detail { color:var(--soft); line-height:1.45; font-size:.83rem; }
-    .tile-meta { color:var(--muted); line-height:1.4; font-size:.75rem; margin-top:auto; overflow-wrap:anywhere; }
-
-    code { background:#232234; border:1px solid #34324c; border-radius:6px; padding:2px 6px; color:var(--text); font-size:.9em; }
-    .badge { display:inline-flex; align-items:center; width:max-content; border:1px solid var(--line); border-radius:999px; padding:5px 10px; font-size:.72rem; font-weight:850; line-height:1; text-transform:uppercase; }
-    .badge.ok { color:var(--good); border-color:rgba(34,197,94,.34); background:rgba(34,197,94,.11); }
-    .badge.warn { color:var(--warn); border-color:rgba(245,197,66,.34); background:rgba(245,197,66,.11); }
-    .badge.off { color:var(--bad); border-color:rgba(251,113,133,.34); background:rgba(251,113,133,.11); }
-    .badge.neutral { color:var(--soft); }
-    footer { color:var(--muted); text-align:center; font-size:.74rem; margin-top:18px; }
-    footer .live { color:var(--good); }
-    @media (max-width: 700px) { .overview { grid-template-columns:1fr; } main { width:min(100% - 22px, 720px); padding-top:28px; } }
-  </style>
-</head>
-<body>
-  <main>
-    <header>
-      <h1>🦞 HuggingClaw</h1>
-      <div class="subtitle">OpenClaw Gateway Dashboard</div>
-    </header>
-    <a class="hero-action" href="${APP_BASE}/" target="_blank" rel="noopener noreferrer">Open Control UI -></a>
-    <section class="overview">
-      ${tiles}
-    </section>
-    <footer>Built by <a href="https://github.com/somratpro" target="_blank" rel="noopener noreferrer" style="color: var(--accent); text-decoration: none;">@somratpro</a></footer>
+    :root{color-scheme:dark;--bg:#08080f;--panel:#12111b;--line:#26243a;--text:#f6f4ff;--muted:#7f7a9e;--soft:#b8b3d7;--good:#22c55e;--warn:#f5c542;--bad:#fb7185}
+    *{box-sizing:border-box}body{margin:0;min-height:100vh;font-family:Inter,ui-sans-serif,system-ui,-apple-system,sans-serif;background:var(--bg);color:var(--text);font-size:13px}
+    main{width:min(720px,calc(100% - 32px));margin:0 auto;padding:36px 0 44px}
+    header{text-align:center;margin-bottom:22px}h1{margin:0;font-size:1.65rem;line-height:1}
+    .subtitle{margin-top:12px;color:var(--muted);font-size:.72rem;text-transform:uppercase;letter-spacing:.14em;font-weight:800}
+    .btn-row{display:flex;gap:12px;margin:24px 0 20px}
+    .hero-action{display:flex;flex:1;min-height:46px;align-items:center;justify-content:center;border-radius:8px;background:#fff;color:#000;text-decoration:none;font-weight:850;font-size:.98rem;transition:opacity .15s}
+    .hero-action:hover{opacity:.9}.hero-action.terminal{background:#1e1e2e;color:#cdd6f4;border:1px solid #45475a}
+    .overview{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:10px;margin-bottom:10px}
+    .tile{border:1px solid var(--line);background:var(--panel);border-radius:11px;padding:18px;min-height:124px;display:flex;flex-direction:column;gap:10px}
+    .tile.ok{border-color:rgba(34,197,94,.22)}.tile.warn{border-color:rgba(245,197,66,.24)}.tile.off{border-color:rgba(251,113,133,.28)}
+    .tile-head{display:flex;align-items:center;justify-content:space-between;gap:12px}
+    .tile-title{color:var(--muted);font-size:.67rem;letter-spacing:.18em;text-transform:uppercase;font-weight:850}
+    .tile-dot{width:7px;height:7px;border-radius:50%;background:var(--line)}
+    .tile.ok .tile-dot{background:var(--good)}.tile.warn .tile-dot{background:var(--warn)}.tile.off .tile-dot{background:var(--bad)}
+    .tile-value{font-size:1.12rem;font-weight:850;overflow-wrap:anywhere}.tile-detail{color:var(--soft);line-height:1.45;font-size:.83rem}
+    .tile-meta{color:var(--muted);line-height:1.4;font-size:.75rem;margin-top:auto;overflow-wrap:anywhere}
+    code{background:#232234;border:1px solid #34324c;border-radius:6px;padding:2px 6px;color:var(--text);font-size:.9em}
+    .badge{display:inline-flex;align-items:center;width:max-content;border:1px solid var(--line);border-radius:999px;padding:5px 10px;font-size:.72rem;font-weight:850;line-height:1;text-transform:uppercase}
+    .badge.ok{color:var(--good);border-color:rgba(34,197,94,.34);background:rgba(34,197,94,.11)}
+    .badge.warn{color:var(--warn);border-color:rgba(245,197,66,.34);background:rgba(245,197,66,.11)}
+    .badge.off{color:var(--bad);border-color:rgba(251,113,133,.34);background:rgba(251,113,133,.11)}
+    .badge.neutral{color:var(--soft)}
+    footer{color:var(--muted);text-align:center;font-size:.74rem;margin-top:18px}
+    @media(max-width:700px){.overview{grid-template-columns:1fr}main{width:min(100% - 22px,720px);padding-top:28px}.btn-row{flex-direction:column}}
+  </style></head><body><main>
+  <header><h1>🦞 HuggingClaw</h1><div class="subtitle">OpenClaw Gateway</div></header>
+  <div class="btn-row">
+    <a class="hero-action" href="${APP_BASE}/">Open Control UI →</a>
+    ${JUPYTER_ENABLED ? `<a class="hero-action terminal" href="${JUPYTER_BASE}/">💻 Open Terminal →</a>` : ""}
+  </div>
+  <section class="overview">${tilesHtml}</section>
+  <footer>Built by <a href="https://github.com/somratpro" target="_blank" rel="noopener noreferrer" style="color:inherit;text-decoration:none">@somratpro</a>${JUPYTER_ENABLED ? " · Terminal by JupyterLab" : ""}<br><span>Public Spaces can be opened directly via <code>.hf.space</code>; private Spaces require the App tab session.</span></footer>
   </main>
-  <script>
-    document.querySelectorAll('.local-time').forEach(el => {
-      const date = new Date(el.getAttribute('data-iso'));
-      if (!isNaN(date)) {
-        el.textContent = 'At ' + date.toLocaleTimeString();
+  <script>document.querySelectorAll('.local-time').forEach(el=>{const d=new Date(el.getAttribute('data-iso'));if(!isNaN(d))el.textContent='At '+d.toLocaleTimeString()});</script>
+</body></html>`;
+}
+
+// ── Generic proxy ──
+function proxiedPath(url, { stripPrefix = "" } = {}) {
+  if (!stripPrefix) return url.pathname + url.search;
+  if (url.pathname === stripPrefix) return "/" + url.search;
+  if (url.pathname.startsWith(stripPrefix + "/")) {
+    return url.pathname.slice(stripPrefix.length) + url.search;
+  }
+  return url.pathname + url.search;
+}
+
+function rewriteProxyHeaders(headers, { publicPrefix = "", targetHost = "", targetPort = "" } = {}) {
+  const next = { ...headers };
+
+  // Keep browser redirects inside the public HF Space path. Backends may emit
+  // root-relative redirects ("/login") or absolute redirects pointing at their
+  // internal listener ("http://127.0.0.1:8888/..."). Both break from a browser
+  // if we do not normalize them back to the public mount path.
+  if (publicPrefix && typeof next.location === "string") {
+    try {
+      const internalOrigins = new Set([
+        "http://huggingclaw.local",
+        `http://${targetHost}:${targetPort}`,
+        `http://localhost:${targetPort}`,
+        `http://127.0.0.1:${targetPort}`,
+      ]);
+      const location = new URL(next.location, "http://huggingclaw.local");
+      if (internalOrigins.has(location.origin)) {
+        let path = location.pathname;
+        if (path !== publicPrefix && !path.startsWith(publicPrefix + "/")) {
+          path = publicPrefix + (path.startsWith("/") ? path : `/${path}`);
+        }
+        next.location = path + location.search + location.hash;
+      }
+    } catch {}
+  }
+
+  return next;
+}
+
+function sendServiceUnavailable(res) {
+  if (!res.headersSent) {
+    res.writeHead(503, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "starting", message: "Service is initializing… please wait." }));
+  } else {
+    res.end();
+  }
+}
+
+function proxyHTTP(req, res, targetHost, targetPort, options = {}) {
+  const url = parseRequestUrl(req.url);
+  const headers = {
+    ...req.headers,
+    host: `${targetHost}:${targetPort}`,
+    "x-forwarded-for": req.socket.remoteAddress,
+    "x-forwarded-host": req.headers.host,
+    "x-forwarded-proto": "https",
+    "x-forwarded-prefix": options.publicPrefix || "",
+  };
+
+  const canReplayRequest = req.method === "GET" || req.method === "HEAD";
+  const proxyOnce = (path, retryOn404) => {
+    const pr = http.request({ hostname: targetHost, port: targetPort, path, method: req.method, headers }, (pres) => {
+      if (canReplayRequest && retryOn404 && pres.statusCode === 404 && options.stripPrefix) {
+        pres.resume();
+        return proxyOnce(proxiedPath(url, { stripPrefix: options.stripPrefix }), false);
       }
+      res.writeHead(pres.statusCode, rewriteProxyHeaders(pres.headers, { ...options, targetHost, targetPort }));
+      pres.pipe(res);
+      pres.on("error", () => res.end());
     });
-  </script>
-</body>
-</html>`;
+    req.on("error", () => pr.destroy());
+    res.on("error", () => pr.destroy());
+    pr.on("error", () => sendServiceUnavailable(res));
+    req.pipe(pr);
+  };
+
+  // First try the public path as-is because OpenClaw and JupyterLab are both
+  // configured with base paths. If a backend still returns 404, retry with the
+  // mount prefix stripped; that covers images built before the base-path config
+  // took effect and avoids the common HF Spaces "404 at /app or /terminal" trap.
+  proxyOnce(url.pathname + url.search, !!options.retryWithoutPrefixOn404);
 }
 
+// ── HTTP server ──
 const server = http.createServer(async (req, res) => {
-  const url = parseRequestUrl(req.url);
-  const pathname = url.pathname;
+  const { pathname } = parseRequestUrl(req.url);
 
-  // 1. Dashboard Routes
   if (pathname === "/health") {
-    const gatewayReady = await probeGatewayHealth();
-    res.writeHead(gatewayReady ? 200 : 503, {
-      "Content-Type": "application/json",
-    });
-    return res.end(
-      JSON.stringify({
-        status: gatewayReady ? "ok" : "degraded",
-        gatewayReady,
-        uptime: formatUptime(Date.now() - startTime),
-        sync: getSyncStatus(),
-        keepalive: getKeepaliveStatus(),
-      }),
-    );
+    const gatewayReady = await probePort(GATEWAY_HOST, GATEWAY_PORT, "/health");
+    res.writeHead(gatewayReady ? 200 : 503, { "Content-Type": "application/json" });
+    return res.end(JSON.stringify({ status: gatewayReady ? "ok" : "degraded", gatewayReady, uptime: formatUptime(Date.now() - startTime), sync: getSyncStatus(), keepalive: getKeepaliveStatus() }));
   }
 
   if (pathname === "/status") {
-    const gatewayReady = await probeGatewayHealth();
+    const [gatewayReady, jupyterReady] = await Promise.all([
+      probePort(GATEWAY_HOST, GATEWAY_PORT, "/health"),
+      JUPYTER_ENABLED ? probePort(JUPYTER_HOST, JUPYTER_PORT, `${JUPYTER_BASE}/api`) : Promise.resolve(false),
+    ]);
     res.writeHead(200, { "Content-Type": "application/json" });
-    return res.end(
-      JSON.stringify({
-        model: LLM_MODEL,
-        uptime: formatUptime(Date.now() - startTime),
-        gatewayReady,
-        sync: getSyncStatus(),
-        whatsapp: readGuardianStatus(),
-        keepalive: getKeepaliveStatus(),
-      }),
-    );
+    return res.end(JSON.stringify({ model: LLM_MODEL, uptime: formatUptime(Date.now() - startTime), gatewayReady, jupyterReady, sync: getSyncStatus(), whatsapp: readGuardianStatus(), keepalive: getKeepaliveStatus() }));
   }
 
   if (pathname === "/" || pathname === "/dashboard") {
-    const gatewayReady = await probeGatewayHealth();
+    const [gatewayReady, jupyterReady] = await Promise.all([
+      probePort(GATEWAY_HOST, GATEWAY_PORT, "/health"),
+      JUPYTER_ENABLED ? probePort(JUPYTER_HOST, JUPYTER_PORT, `${JUPYTER_BASE}/api`) : Promise.resolve(false),
+    ]);
     res.writeHead(200, { "Content-Type": "text/html" });
-    return res.end(
-      renderDashboard({
-        uptimeHuman: formatUptime(Date.now() - startTime),
-        gatewayReady,
-        sync: getSyncStatus(),
-        whatsapp: readGuardianStatus(),
-        keepalive: getKeepaliveStatus(),
-      }),
-    );
+    return res.end(renderDashboard({ uptimeHuman: formatUptime(Date.now() - startTime), gatewayReady, jupyterReady, sync: getSyncStatus(), whatsapp: readGuardianStatus(), keepalive: getKeepaliveStatus() }));
   }
 
-  // 2. OpenClaw Proxy Logic
-  const proxyHeaders = {
-    ...req.headers,
-    host: `${GATEWAY_HOST}:${GATEWAY_PORT}`,
-    "x-forwarded-for": req.socket.remoteAddress,
-    "x-forwarded-host": req.headers.host,
-    "x-forwarded-proto": "https",
-  };
-
-  const proxyReq = http.request(
-    {
-      hostname: GATEWAY_HOST,
-      port: GATEWAY_PORT,
-      path: pathname + url.search,
-      method: req.method,
-      headers: proxyHeaders,
-    },
-    (proxyRes) => {
-      res.writeHead(proxyRes.statusCode, proxyRes.headers);
-      proxyRes.pipe(res);
-      proxyRes.on("error", (err) => {
-        console.error("proxyRes error:", err);
-        res.end();
-      });
-    },
-  );
-
-  req.on("error", (err) => {
-    console.error("req error:", err);
-    proxyReq.destroy();
-  });
-
-  res.on("error", (err) => {
-    console.error("res error:", err);
-    proxyReq.destroy();
-  });
-
-  proxyReq.on("error", (err) => {
-    console.error("proxyReq error:", err);
-    if (!res.headersSent) {
-      res.writeHead(503, { "Content-Type": "application/json" });
-      res.end(
-        JSON.stringify({
-          status: "starting",
-          message: "Gateway is initializing... or connection failed",
-        }),
-      );
-    } else {
-      res.end();
+  // JupyterLab terminal
+  if (pathname === JUPYTER_BASE || pathname.startsWith(JUPYTER_BASE + "/")) {
+    if (!JUPYTER_ENABLED) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      return res.end(JSON.stringify({ status: "disabled", message: "JupyterLab terminal is disabled. Set DEV_MODE=true to enable /terminal/." }));
     }
-  });
+    return proxyHTTP(req, res, JUPYTER_HOST, JUPYTER_PORT, {
+      publicPrefix: JUPYTER_BASE,
+      // Jupyter is started with --ServerApp.base_url=/terminal/, so keep the
+      // /terminal prefix when proxying. Stripping it breaks static/theme URLs.
+      stripPrefix: "",
+      retryWithoutPrefixOn404: false,
+    });
+  }
+
+  // OpenClaw Control UI mounted under /app. Retry without the mount prefix on
+  // 404 so deployments keep working across OpenClaw basePath behavior changes.
+  if (pathname === APP_BASE || pathname.startsWith(APP_BASE + "/")) {
+    return proxyHTTP(req, res, GATEWAY_HOST, GATEWAY_PORT, {
+      publicPrefix: APP_BASE,
+      stripPrefix: APP_BASE,
+      retryWithoutPrefixOn404: true,
+    });
+  }
 
-  req.pipe(proxyReq);
+  // OpenClaw gateway API/static fallback (everything else)
+  proxyHTTP(req, res, GATEWAY_HOST, GATEWAY_PORT);
 });
 
+// ── WebSocket upgrade (JupyterLab kernels + terminals need this) ──
 server.on("upgrade", (req, socket, head) => {
-  const url = parseRequestUrl(req.url);
-  const proxyPath = url.pathname;
-  const proxySocket = net.connect(GATEWAY_PORT, GATEWAY_HOST, () => {
-    proxySocket.write(
-      `${req.method} ${proxyPath}${url.search} HTTP/${req.httpVersion}\r\n`,
-    );
+  const { pathname, search } = parseRequestUrl(req.url);
+  const isJupyter = JUPYTER_ENABLED && (pathname === JUPYTER_BASE || pathname.startsWith(JUPYTER_BASE + "/"));
+  const isApp = pathname === APP_BASE || pathname.startsWith(APP_BASE + "/");
+  const [targetHost, targetPort] = isJupyter ? [JUPYTER_HOST, JUPYTER_PORT] : [GATEWAY_HOST, GATEWAY_PORT];
+  const publicPrefix = isJupyter ? JUPYTER_BASE : isApp ? APP_BASE : "";
+  const targetPath = pathname + search;
+
+  const ps = net.connect(targetPort, targetHost, () => {
+    ps.write(`${req.method} ${targetPath} HTTP/${req.httpVersion}\r\n`);
+    ps.write(`Host: ${targetHost}:${targetPort}\r\n`);
+    ps.write(`X-Forwarded-For: ${req.socket.remoteAddress || ""}\r\n`);
+    ps.write(`X-Forwarded-Host: ${req.headers.host || ""}\r\n`);
+    ps.write("X-Forwarded-Proto: https\r\n");
+    if (publicPrefix) ps.write(`X-Forwarded-Prefix: ${publicPrefix}\r\n`);
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      proxySocket.write(`${req.rawHeaders[i]}: ${req.rawHeaders[i + 1]}\r\n`);
+      const header = req.rawHeaders[i];
+      const lower = header.toLowerCase();
+      if (["host", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-forwarded-prefix"].includes(lower)) continue;
+      ps.write(`${header}: ${req.rawHeaders[i + 1]}\r\n`);
     }
-    proxySocket.write("\r\n");
-    if (head && head.length) proxySocket.write(head);
-    proxySocket.pipe(socket).pipe(proxySocket);
+    ps.write("\r\n");
+    if (head && head.length) ps.write(head);
+    ps.pipe(socket).pipe(ps);
   });
-  proxySocket.on("error", () => socket.destroy());
+  ps.on("error", () => socket.destroy());
 });
 
 server.timeout = 0;
 server.keepAliveTimeout = 65000;
 server.listen(PORT, "0.0.0.0", () =>
-  console.log(
-    `🦞 HuggingClaw Dashboard on ${PORT} -> Gateway on ${GATEWAY_PORT}`,
-  ),
+  console.log(`🦞 HuggingClaw :${PORT} → Gateway :${GATEWAY_PORT}${JUPYTER_ENABLED ? ` | Terminal :${JUPYTER_PORT} at ${JUPYTER_BASE}/` : " | Terminal disabled"}`),
 );

login.html

@@ -0,0 +1,59 @@
+{% extends "page.html" %}
+
+{% block stylesheet %}
+{% endblock %}
+
+{% block site %}
+<div id="jupyter-main-app" class="container" style="text-align:center; max-width: 760px; margin-top: 40px;">
+  <img src="https://huggingface.co/front/assets/huggingface_logo-noborder.svg" alt="Hugging Face Logo" style="max-width: 120px; margin-bottom: 24px;">
+  <h3>HuggingClaw Terminal</h3>
+  <h4>Welcome to JupyterLab</h4>
+  <h5>The default token is <span style="color:orange;">huggingface</span></h5>
+  <p style="color:#666;">This terminal is mounted at <code>/terminal/</code> inside the same Hugging Face Space as the OpenClaw UI.</p>
+
+  {% if login_available %}
+  <div class="row" style="display:flex; justify-content:center; margin-top:24px;">
+    <div class="navbar col-sm-8">
+      <div class="navbar-inner">
+        <div class="container">
+          <div class="center-nav">
+            <form action="{{base_url}}login?next={{next}}" method="post" class="navbar-form pull-left">
+              {{ xsrf_form_html() | safe }}
+              {% if token_available %}
+              <label for="password_input"><strong>{% trans %}Jupyter token <span title="This is the secret you set up when deploying your JupyterLab terminal">ⓘ</span> {% endtrans %}</strong></label>
+              {% else %}
+              <label for="password_input"><strong>{% trans %}Jupyter password:{% endtrans %}</strong></label>
+              {% endif %}
+              <input type="password" name="password" id="password_input" class="form-control">
+              <button type="submit" class="btn btn-default" id="login_submit">{% trans %}Log in{% endtrans %}</button>
+            </form>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+  {% else %}
+  <p>{% trans %}No login available, you shouldn't be seeing this page.{% endtrans %}</p>
+  {% endif %}
+
+  <h5 style="margin-top:28px;"><a href="/dashboard">Back to HuggingClaw dashboard</a></h5>
+  <p>This login page is based on the Hugging Face JupyterLab Space template.</p>
+
+  {% if message %}
+  <div class="row">
+    {% for key in message %}
+    <div class="message {{key}}">
+      {{message[key]}}
+    </div>
+    {% endfor %}
+  </div>
+  {% endif %}
+  {% if token_available %}
+  {% block token_message %}
+  {% endblock token_message %}
+  {% endif %}
+</div>
+{% endblock %}
+
+{% block script %}
+{% endblock %}

openclaw-sync.py

@@ -483,10 +483,7 @@ def _sync_once_unlocked(
                 commit_message=f"HuggingClaw sync {time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())}",
                 ignore_patterns=[".git/*", ".git"],
             )
-        try:
-            prune_remote_deleted_files(repo_id, snapshot_dir)
-        except Exception as prune_exc:
-            print(f"Warning: could not prune stale remote files: {prune_exc}")
+        prune_remote_deleted_files(repo_id, snapshot_dir)
     finally:
         shutil.rmtree(snapshot_dir, ignore_errors=True)
 

start.sh

@@ -21,6 +21,13 @@ WHATSAPP_ENABLED_CONFIGURED=false
 [ "${WHATSAPP_ENABLED+x}" = "x" ] && WHATSAPP_ENABLED_CONFIGURED=true
 WHATSAPP_ENABLED="${WHATSAPP_ENABLED:-false}"
 WHATSAPP_ENABLED_NORMALIZED=$(printf '%s' "$WHATSAPP_ENABLED" | tr '[:upper:]' '[:lower:]')
+DEV_MODE_RAW="${DEV_MODE:-false}"
+DEV_MODE_NORMALIZED=$(printf '%s' "$DEV_MODE_RAW" | tr '[:upper:]' '[:lower:]')
+DEV_MODE_ENABLED=false
+case "$DEV_MODE_NORMALIZED" in
+  true|1|yes|on) DEV_MODE_ENABLED=true ;;
+  *) DEV_MODE_ENABLED=false ;;
+esac
 SYNC_INTERVAL="${SYNC_INTERVAL:-180}"
 if [ -n "${SPACE_HOST:-}" ]; then
   OPENCLAW_CONSOLE_LOG_LEVEL="${OPENCLAW_CONSOLE_LOG_LEVEL:-warn}"
@@ -39,7 +46,7 @@ else
 fi
 echo ""
 echo "  ╔══════════════════════════════════════════╗"
-echo "  ║          🦞 HuggingClaw Gateway          ║"
+echo "  ║     🦞 HuggingClaw + 💻 JupyterLab      ║"
 echo "  ╚══════════════════════════════════════════╝"
 echo ""
 
@@ -433,6 +440,8 @@ fi
 #          plugins that the Control UI/dashboard needs to render correctly
 #          on HF Spaces. Without these the UI shows blank panels.
 #          telegram/whatsapp/browser/acpx are added conditionally below.
+#          Do not create a disabled acpx entry when the plugin is absent;
+#          OpenClaw reports that as a config warning on HF Spaces.
 #   DENY:  lmstudio crashes on boot when no local server is reachable;
 #          xai PLUGIN (separate from the xai model PROVIDER) is broken in
 #          current OpenClaw releases and prevents gateway start. Disabling
@@ -452,20 +461,17 @@ if [ "$WHATSAPP_ENABLED_NORMALIZED" = "true" ]; then
 fi
 
 # Apply plugin allow/deny + per-entry toggles in one jq pass.
-ACPX_DISABLED=false
-if [ "$ACP_PLUGIN_MODE" = "disabled" ]; then ACPX_DISABLED=true; fi
 BROWSER_DISABLED=true
 if [ "$BROWSER_SHOULD_ENABLE" = "true" ]; then BROWSER_DISABLED=false; fi
 
 CONFIG_JSON=$(jq \
   --argjson allow "$PLUGIN_ALLOW_JSON" \
-  --argjson acpxDisabled "$ACPX_DISABLED" \
   --argjson browserDisabled "$BROWSER_DISABLED" \
   '.plugins.allow = $allow
    | .plugins.deny = ["lmstudio","xai"]
    | .plugins.entries.lmstudio.enabled = false
    | .plugins.entries.xai.enabled = false
-   | (if $acpxDisabled then .plugins.entries.acpx.enabled = false else . end)
+   | del(.plugins.entries.acpx)
    | (if $browserDisabled then
         .plugins.entries.browser.enabled = false | .browser.enabled = false
       else . end)' <<<"$CONFIG_JSON")
@@ -649,8 +655,29 @@ fi
 if [ -n "${CLOUDFLARE_PROXY_URL:-}" ]; then
   echo "Proxy     : ${CLOUDFLARE_PROXY_URL}"
 fi
+RUNTIME_JUPYTER_ENABLED="$DEV_MODE_ENABLED"
+if [ "$DEV_MODE_ENABLED" = "true" ] && ! command -v jupyter-lab >/dev/null 2>&1; then
+  echo "DEV_MODE enabled but jupyter-lab is missing; attempting runtime install..."
+  if python3 -m pip install --user --no-cache-dir --break-system-packages jupyterlab==4.5.7 tornado==6.5.5 ipywidgets==8.1.8; then
+    echo "Runtime Jupyter install complete."
+  else
+    echo "WARNING: Runtime Jupyter install failed; disabling terminal for this boot."
+    RUNTIME_JUPYTER_ENABLED=false
+  fi
+fi
+if [ "$RUNTIME_JUPYTER_ENABLED" = "true" ] && ! command -v jupyter-lab >/dev/null 2>&1; then
+  echo "WARNING: jupyter-lab still unavailable; disabling terminal for this boot."
+  RUNTIME_JUPYTER_ENABLED=false
+fi
+export HUGGINGCLAW_JUPYTER_ENABLED="$RUNTIME_JUPYTER_ENABLED"
+
 if [ -n "${SPACE_HOST:-}" ]; then
-  echo "Control UI: https://${SPACE_HOST}/app"
+  if [ "$RUNTIME_JUPYTER_ENABLED" = "true" ]; then
+    echo "Routes    : /app/ (Control UI), /terminal/ (JupyterLab)"
+  else
+    echo "Routes    : /app/ (Control UI)"
+  fi
+  echo "Private   : open the Hugging Face App tab first; raw https://${SPACE_HOST}/... links can show HF 404 without the embedded Space session."
 fi
 echo ""
 
@@ -709,6 +736,47 @@ export LLM_MODEL="$LLM_MODEL"
 node /home/node/app/health-server.js &
 HEALTH_PID=$!
 
+# 10.5. Start JupyterLab Terminal on internal port 8888 (DEV_MODE only)
+# Accessible via /terminal/ path through the health-server proxy
+if [ "$RUNTIME_JUPYTER_ENABLED" = "true" ]; then
+  JUPYTER_TOKEN="${JUPYTER_TOKEN:-huggingface}"
+  JUPYTER_ROOT_DIR="${JUPYTER_ROOT_DIR:-/home/node}"
+  mkdir -p "$JUPYTER_ROOT_DIR"
+  if [ "$JUPYTER_ROOT_DIR" != "/home/node/app" ]; then
+    if [ -L "$JUPYTER_ROOT_DIR/HuggingClaw" ] || [ ! -e "$JUPYTER_ROOT_DIR/HuggingClaw" ]; then
+      ln -sfn /home/node/app "$JUPYTER_ROOT_DIR/HuggingClaw"
+    fi
+  fi
+  if [ "$JUPYTER_ROOT_DIR" != "/home/node/.openclaw/workspace" ]; then
+    if [ -L "$JUPYTER_ROOT_DIR/HuggingClaw-Workspace" ] || [ ! -e "$JUPYTER_ROOT_DIR/HuggingClaw-Workspace" ]; then
+      ln -sfn /home/node/.openclaw/workspace "$JUPYTER_ROOT_DIR/HuggingClaw-Workspace"
+    fi
+  fi
+
+  echo "DEV_MODE enabled (${DEV_MODE_RAW}) — starting JupyterLab terminal on internal port 8888 (path: /terminal/) with root: $JUPYTER_ROOT_DIR"
+  jupyter-lab \
+      --ip 127.0.0.1 \
+      --port 8888 \
+      --no-browser \
+      --IdentityProvider.token="$JUPYTER_TOKEN" \
+      --ServerApp.base_url=/terminal/ \
+      --ServerApp.terminals_enabled=True \
+      --ServerApp.allow_origin='*' \
+      --ServerApp.allow_remote_access=True \
+      --ServerApp.trust_xheaders=True \
+      --ServerApp.tornado_settings="{'headers': {'Content-Security-Policy': 'frame-ancestors *'}}" \
+      --IdentityProvider.cookie_options="{'SameSite': 'None', 'Secure': True}" \
+      --ServerApp.disable_check_xsrf=True \
+      --LabApp.news_url=None \
+      --LabApp.check_for_updates_class="jupyterlab.NeverCheckForUpdate" \
+      --notebook-dir="$JUPYTER_ROOT_DIR" \
+      2>&1 | tee -a /tmp/jupyterlab.log &
+  JUPYTER_PID=$!
+  echo "JupyterLab started (PID: $JUPYTER_PID)"
+else
+  echo "Jupyter terminal disabled for this boot (DEV_MODE=${DEV_MODE_RAW})."
+fi
+
 if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ]; then
   echo "Setting up Cloudflare KeepAlive monitor..."
   python3 /home/node/app/cloudflare-keepalive-setup.py || true
@@ -730,6 +798,9 @@ export PYTHONUSERBASE="${PYTHONUSERBASE:-/home/node/.local}"
 export DEBIAN_FRONTEND="${DEBIAN_FRONTEND:-noninteractive}"
 STARTUP_FILE="/home/node/.openclaw/workspace/startup.sh"
 _hc_append() {
+  if [ "${HUGGINGCLAW_CAPTURE_DISABLE:-0}" = "1" ]; then
+    return 0
+  fi
   local line="$*"
   mkdir -p "$(dirname "$STARTUP_FILE")"
   touch "$STARTUP_FILE"
@@ -756,6 +827,28 @@ _hc_append_cmd() {
     _hc_append "$cmd"
   fi
 }
+_hc_args_without_flags() {
+  local out=()
+  local arg
+  for arg in "$@"; do
+    case "$arg" in
+      ''|-) ;;
+      --*) ;;
+      -*) ;;
+      *) out+=("$arg") ;;
+    esac
+  done
+  printf '%s\n' "${out[@]}"
+}
+_hc_has_install_targets() {
+  local item
+  while IFS= read -r item; do
+    [ -n "$item" ] && return 0
+  done <<EOF
+$(_hc_args_without_flags "$@")
+EOF
+  return 1
+}
 _hc_allow_openclaw_plugins() {
   local config="/home/node/.openclaw/openclaw.json"
   [ -f "$config" ] || return 0
@@ -807,7 +900,7 @@ apt-get() {
       _hc_apt_install "$@"
       local rc=$?
       if [ $rc -eq 0 ]; then
-        _hc_append_cmd "sudo apt-get update && sudo apt-get install -y" "$@"
+        _hc_has_install_targets "$@" && _hc_append_cmd "sudo apt-get update && sudo apt-get install -y" "$@"
       fi
       return $rc
       ;;
@@ -834,7 +927,7 @@ apt() {
       _hc_apt_install "$@"
       local rc=$?
       if [ $rc -eq 0 ]; then
-        _hc_append_cmd "sudo apt-get update && sudo apt-get install -y" "$@"
+        _hc_has_install_targets "$@" && _hc_append_cmd "sudo apt-get update && sudo apt-get install -y" "$@"
       fi
       return $rc
       ;;
@@ -861,7 +954,7 @@ pip() {
     command pip "$@"
   fi
   local rc=$?
-  if [ $rc -eq 0 ] && [ "${1:-}" = "install" ]; then
+  if [ $rc -eq 0 ] && [ "${1:-}" = "install" ] && _hc_has_install_targets "${@:2}"; then
     _hc_append_cmd "python3 -m pip install --user" "${@:2}"
   fi
   return $rc
@@ -873,15 +966,39 @@ pip3() {
     command pip3 "$@"
   fi
   local rc=$?
-  if [ $rc -eq 0 ] && [ "${1:-}" = "install" ]; then
+  if [ $rc -eq 0 ] && [ "${1:-}" = "install" ] && _hc_has_install_targets "${@:2}"; then
     _hc_append_cmd "python3 -m pip install --user" "${@:2}"
   fi
   return $rc
 }
+python() {
+  if [ "${1:-}" = "-m" ] && [ "${2:-}" = "pip" ] && [ "${3:-}" = "install" ] && [ -z "${VIRTUAL_ENV:-}" ] && ! _hc_has_arg --user "${@:3}" && ! _hc_has_arg --prefix "${@:3}"; then
+    command python -m pip install --user "${@:4}"
+  else
+    command python "$@"
+  fi
+  local rc=$?
+  if [ $rc -eq 0 ] && [ "${1:-}" = "-m" ] && [ "${2:-}" = "pip" ] && [ "${3:-}" = "install" ] && _hc_has_install_targets "${@:4}"; then
+    _hc_append_cmd "python3 -m pip install --user" "${@:4}"
+  fi
+  return $rc
+}
+python3() {
+  if [ "${1:-}" = "-m" ] && [ "${2:-}" = "pip" ] && [ "${3:-}" = "install" ] && [ -z "${VIRTUAL_ENV:-}" ] && ! _hc_has_arg --user "${@:3}" && ! _hc_has_arg --prefix "${@:3}"; then
+    command python3 -m pip install --user "${@:4}"
+  else
+    command python3 "$@"
+  fi
+  local rc=$?
+  if [ $rc -eq 0 ] && [ "${1:-}" = "-m" ] && [ "${2:-}" = "pip" ] && [ "${3:-}" = "install" ] && _hc_has_install_targets "${@:4}"; then
+    _hc_append_cmd "python3 -m pip install --user" "${@:4}"
+  fi
+  return $rc
+}
 npm() {
   command npm "$@"
   local rc=$?
-  if [ $rc -eq 0 ] && [ "${1:-}" = "install" ] && { [ "${2:-}" = "-g" ] || [ "${2:-}" = "--global" ]; }; then
+  if [ $rc -eq 0 ] && { [ "${1:-}" = "install" ] || [ "${1:-}" = "i" ]; } && { [ "${2:-}" = "-g" ] || [ "${2:-}" = "--global" ]; } && _hc_has_install_targets "${@:3}"; then
     _hc_append_cmd "npm install -g" "${@:3}"
   fi
   return $rc
@@ -889,7 +1006,7 @@ npm() {
 openclaw() {
   command openclaw "$@"
   local rc=$?
-  if [ $rc -eq 0 ] && [ "${1:-}" = "plugins" ] && [ "${2:-}" = "install" ]; then
+  if [ $rc -eq 0 ] && [ "${1:-}" = "plugins" ] && [ "${2:-}" = "install" ] && _hc_has_install_targets "${@:3}"; then
     _hc_allow_openclaw_plugins "${@:3}"
     _hc_append_cmd "openclaw plugins install" "${@:3}"
   fi
@@ -935,7 +1052,7 @@ hc_run_startup_command() {
 
   echo "[startup:${source_label}] $command_text"
   set +e
-  bash -lc "$command_text"
+  HUGGINGCLAW_CAPTURE_DISABLE=1 bash -lc "$command_text"
   local rc=$?
   set -e
   if [ "$rc" -eq 0 ]; then
@@ -959,6 +1076,7 @@ hc_run_startup_script() {
     # Load HuggingClaw's install wrappers for env-provided scripts too, so
     # `apt install`, `pip install`, `npm install -g`, and OpenClaw plugin
     # installs behave the same way as they do in the interactive shell.
+    echo 'export HUGGINGCLAW_CAPTURE_DISABLE=1'
     echo '[ -f /home/node/.bashrc ] && . /home/node/.bashrc'
     printf '%s\n' "$script_text"
   } > "$script_file"