openclaw/src/gateway/server-runtime-config.ts

import type {
  GatewayAuthConfig,
  GatewayBindMode,
  GatewayTailscaleConfig,
  loadConfig,
} from "../config/config.js";
import {
  assertGatewayAuthConfigured,
  type ResolvedGatewayAuth,
  resolveGatewayAuth,
} from "./auth.js";
import { normalizeControlUiBasePath } from "./control-ui-shared.js";
import { resolveHooksConfig } from "./hooks.js";
import { isLoopbackHost, resolveGatewayBindHost } from "./net.js";

export type GatewayRuntimeConfig = {
  bindHost: string;
  controlUiEnabled: boolean;
  openAiChatCompletionsEnabled: boolean;
  openResponsesEnabled: boolean;
  openResponsesConfig?: import("../config/types.gateway.js").GatewayHttpResponsesConfig;
  controlUiBasePath: string;
  controlUiRoot?: string;
  resolvedAuth: ResolvedGatewayAuth;
  authMode: ResolvedGatewayAuth["mode"];
  tailscaleConfig: GatewayTailscaleConfig;
  tailscaleMode: "off" | "serve" | "funnel";
  hooksConfig: ReturnType<typeof resolveHooksConfig>;
  canvasHostEnabled: boolean;
};

export async function resolveGatewayRuntimeConfig(params: {
  cfg: ReturnType<typeof loadConfig>;
  port: number;
  bind?: GatewayBindMode;
  host?: string;
  controlUiEnabled?: boolean;
  openAiChatCompletionsEnabled?: boolean;
  openResponsesEnabled?: boolean;
  auth?: GatewayAuthConfig;
  tailscale?: GatewayTailscaleConfig;
}): Promise<GatewayRuntimeConfig> {
  const bindMode = params.bind ?? params.cfg.gateway?.bind ?? "loopback";
  const customBindHost = params.cfg.gateway?.customBindHost;
  const bindHost = params.host ?? (await resolveGatewayBindHost(bindMode, customBindHost));
  const controlUiEnabled =
    params.controlUiEnabled ?? params.cfg.gateway?.controlUi?.enabled ?? true;
  const openAiChatCompletionsEnabled =
    params.openAiChatCompletionsEnabled ??
    params.cfg.gateway?.http?.endpoints?.chatCompletions?.enabled ??
    false;
  const openResponsesConfig = params.cfg.gateway?.http?.endpoints?.responses;
  const openResponsesEnabled = params.openResponsesEnabled ?? openResponsesConfig?.enabled ?? false;
  const controlUiBasePath = normalizeControlUiBasePath(params.cfg.gateway?.controlUi?.basePath);
  const controlUiRootRaw = params.cfg.gateway?.controlUi?.root;
  const controlUiRoot =
    typeof controlUiRootRaw === "string" && controlUiRootRaw.trim().length > 0
      ? controlUiRootRaw.trim()
      : undefined;
  const authBase = params.cfg.gateway?.auth ?? {};
  const authOverrides = params.auth ?? {};
  const authConfig = {
    ...authBase,
    ...authOverrides,
  };
  const tailscaleBase = params.cfg.gateway?.tailscale ?? {};
  const tailscaleOverrides = params.tailscale ?? {};
  const tailscaleConfig = {
    ...tailscaleBase,
    ...tailscaleOverrides,
  };
  const tailscaleMode = tailscaleConfig.mode ?? "off";
  const resolvedAuth = resolveGatewayAuth({
    authConfig,
    env: process.env,
    tailscaleMode,
  });
  const authMode: ResolvedGatewayAuth["mode"] = resolvedAuth.mode;
  const hasToken = typeof resolvedAuth.token === "string" && resolvedAuth.token.trim().length > 0;
  const hasPassword =
    typeof resolvedAuth.password === "string" && resolvedAuth.password.trim().length > 0;
  const hasSharedSecret =
    (authMode === "token" && hasToken) || (authMode === "password" && hasPassword);
  const hooksConfig = resolveHooksConfig(params.cfg);
  const canvasHostEnabled =
    process.env.OPENCLAW_SKIP_CANVAS_HOST !== "1" && params.cfg.canvasHost?.enabled !== false;

  assertGatewayAuthConfigured(resolvedAuth);
  if (tailscaleMode === "funnel" && authMode !== "password") {
    throw new Error(
      "tailscale funnel requires gateway auth mode=password (set gateway.auth.password or OPENCLAW_GATEWAY_PASSWORD)",
    );
  }
  if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {
    throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");
  }
  if (!isLoopbackHost(bindHost) && !hasSharedSecret) {
    throw new Error(
      `refusing to bind gateway to ${bindHost}:${params.port} without auth (set gateway.auth.token/password, or set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD)`,
    );
  }

  return {
    bindHost,
    controlUiEnabled,
    openAiChatCompletionsEnabled,
    openResponsesEnabled,
    openResponsesConfig: openResponsesConfig
      ? { ...openResponsesConfig, enabled: openResponsesEnabled }
      : undefined,
    controlUiBasePath,
    controlUiRoot,
    resolvedAuth,
    authMode,
    tailscaleConfig,
    tailscaleMode,
    hooksConfig,
    canvasHostEnabled,
  };
}
fix: resolve format/build failures 2026-01-19 11:32:15 +00:00			`import type {`
			`GatewayAuthConfig,`
			`GatewayBindMode,`
			`GatewayTailscaleConfig,`
			`loadConfig,`
			`} from "../config/config.js";`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`import {`
			`assertGatewayAuthConfigured,`
			`type ResolvedGatewayAuth,`
			`resolveGatewayAuth,`
			`} from "./auth.js";`
refactor: centralize control ui avatar helpers 2026-01-22 23:41:28 +00:00			`import { normalizeControlUiBasePath } from "./control-ui-shared.js";`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`import { resolveHooksConfig } from "./hooks.js";`
			`import { isLoopbackHost, resolveGatewayBindHost } from "./net.js";`

			`export type GatewayRuntimeConfig = {`
			`bindHost: string;`
			`controlUiEnabled: boolean;`
			`openAiChatCompletionsEnabled: boolean;`
feat(gateway): add OpenResponses /v1/responses endpoint Add a new `/v1/responses` endpoint implementing the OpenResponses API standard for agentic workflows. This provides: - Item-based input (messages, function_call_output, reasoning) - Semantic streaming events (response.created, response.output_text.delta, response.completed, etc.) - Full SSE event support with both event: and data: lines - Configuration via gateway.http.endpoints.responses.enabled The endpoint is disabled by default and can be enabled independently from the existing Chat Completions endpoint. Phase 1 implementation supports: - String or ItemParam[] input - system/developer/user/assistant message roles - function_call_output items - instructions parameter - Agent routing via headers or model parameter - Session key management Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-19 10:44:48 +01:00			`openResponsesEnabled: boolean;`
fix: expand /v1/responses inputs (#1229) (thanks @RyanLisse) 2026-01-20 07:35:29 +00:00			`openResponsesConfig?: import("../config/types.gateway.js").GatewayHttpResponsesConfig;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`controlUiBasePath: string;`
fix(ui): fix web UI after tsdown migration and typing changes 2026-02-03 13:56:20 -05:00			`controlUiRoot?: string;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`resolvedAuth: ResolvedGatewayAuth;`
			`authMode: ResolvedGatewayAuth["mode"];`
			`tailscaleConfig: GatewayTailscaleConfig;`
			`tailscaleMode: "off" \| "serve" \| "funnel";`
			`hooksConfig: ReturnType<typeof resolveHooksConfig>;`
			`canvasHostEnabled: boolean;`
			`};`

			`export async function resolveGatewayRuntimeConfig(params: {`
			`cfg: ReturnType<typeof loadConfig>;`
			`port: number;`
refactor: remove bridge protocol 2026-01-19 04:50:07 +00:00			`bind?: GatewayBindMode;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`host?: string;`
			`controlUiEnabled?: boolean;`
			`openAiChatCompletionsEnabled?: boolean;`
feat(gateway): add OpenResponses /v1/responses endpoint Add a new `/v1/responses` endpoint implementing the OpenResponses API standard for agentic workflows. This provides: - Item-based input (messages, function_call_output, reasoning) - Semantic streaming events (response.created, response.output_text.delta, response.completed, etc.) - Full SSE event support with both event: and data: lines - Configuration via gateway.http.endpoints.responses.enabled The endpoint is disabled by default and can be enabled independently from the existing Chat Completions endpoint. Phase 1 implementation supports: - String or ItemParam[] input - system/developer/user/assistant message roles - function_call_output items - instructions parameter - Agent routing via headers or model parameter - Session key management Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-19 10:44:48 +01:00			`openResponsesEnabled?: boolean;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`auth?: GatewayAuthConfig;`
			`tailscale?: GatewayTailscaleConfig;`
			`}): Promise<GatewayRuntimeConfig> {`
			`const bindMode = params.bind ?? params.cfg.gateway?.bind ?? "loopback";`
			`const customBindHost = params.cfg.gateway?.customBindHost;`
chore: migrate to oxlint and oxfmt Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com> 2026-01-14 14:31:43 +00:00			`const bindHost = params.host ?? (await resolveGatewayBindHost(bindMode, customBindHost));`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`const controlUiEnabled =`
			`params.controlUiEnabled ?? params.cfg.gateway?.controlUi?.enabled ?? true;`
			`const openAiChatCompletionsEnabled =`
			`params.openAiChatCompletionsEnabled ??`
			`params.cfg.gateway?.http?.endpoints?.chatCompletions?.enabled ??`
			`false;`
fix: expand /v1/responses inputs (#1229) (thanks @RyanLisse) 2026-01-20 07:35:29 +00:00			`const openResponsesConfig = params.cfg.gateway?.http?.endpoints?.responses;`
			`const openResponsesEnabled = params.openResponsesEnabled ?? openResponsesConfig?.enabled ?? false;`
chore: migrate to oxlint and oxfmt Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com> 2026-01-14 14:31:43 +00:00			`const controlUiBasePath = normalizeControlUiBasePath(params.cfg.gateway?.controlUi?.basePath);`
fix(ui): fix web UI after tsdown migration and typing changes 2026-02-03 13:56:20 -05:00			`const controlUiRootRaw = params.cfg.gateway?.controlUi?.root;`
			`const controlUiRoot =`
			`typeof controlUiRootRaw === "string" && controlUiRootRaw.trim().length > 0`
			`? controlUiRootRaw.trim()`
			`: undefined;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`const authBase = params.cfg.gateway?.auth ?? {};`
			`const authOverrides = params.auth ?? {};`
			`const authConfig = {`
			`...authBase,`
			`...authOverrides,`
			`};`
			`const tailscaleBase = params.cfg.gateway?.tailscale ?? {};`
			`const tailscaleOverrides = params.tailscale ?? {};`
			`const tailscaleConfig = {`
			`...tailscaleBase,`
			`...tailscaleOverrides,`
			`};`
			`const tailscaleMode = tailscaleConfig.mode ?? "off";`
			`const resolvedAuth = resolveGatewayAuth({`
			`authConfig,`
			`env: process.env,`
			`tailscaleMode,`
			`});`
			`const authMode: ResolvedGatewayAuth["mode"] = resolvedAuth.mode;`
fix: require gateway auth by default 2026-01-26 12:56:33 +00:00			`const hasToken = typeof resolvedAuth.token === "string" && resolvedAuth.token.trim().length > 0;`
			`const hasPassword =`
			`typeof resolvedAuth.password === "string" && resolvedAuth.password.trim().length > 0;`
			`const hasSharedSecret =`
			`(authMode === "token" && hasToken) \|\| (authMode === "password" && hasPassword);`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`const hooksConfig = resolveHooksConfig(params.cfg);`
			`const canvasHostEnabled =`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`process.env.OPENCLAW_SKIP_CANVAS_HOST !== "1" && params.cfg.canvasHost?.enabled !== false;`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00
			`assertGatewayAuthConfigured(resolvedAuth);`
			`if (tailscaleMode === "funnel" && authMode !== "password") {`
			`throw new Error(`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`"tailscale funnel requires gateway auth mode=password (set gateway.auth.password or OPENCLAW_GATEWAY_PASSWORD)",`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`);`
			`}`
			`if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {`
chore: migrate to oxlint and oxfmt Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com> 2026-01-14 14:31:43 +00:00			`throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`}`
fix: require gateway auth by default 2026-01-26 12:56:33 +00:00			`if (!isLoopbackHost(bindHost) && !hasSharedSecret) {`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`throw new Error(`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`refusing to bind gateway to ${bindHost}:${params.port} without auth (set gateway.auth.token/password, or set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD)`,
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`);`
			`}`

			`return {`
			`bindHost,`
			`controlUiEnabled,`
			`openAiChatCompletionsEnabled,`
feat(gateway): add OpenResponses /v1/responses endpoint Add a new `/v1/responses` endpoint implementing the OpenResponses API standard for agentic workflows. This provides: - Item-based input (messages, function_call_output, reasoning) - Semantic streaming events (response.created, response.output_text.delta, response.completed, etc.) - Full SSE event support with both event: and data: lines - Configuration via gateway.http.endpoints.responses.enabled The endpoint is disabled by default and can be enabled independently from the existing Chat Completions endpoint. Phase 1 implementation supports: - String or ItemParam[] input - system/developer/user/assistant message roles - function_call_output items - instructions parameter - Agent routing via headers or model parameter - Session key management Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-19 10:44:48 +01:00			`openResponsesEnabled,`
fix: expand /v1/responses inputs (#1229) (thanks @RyanLisse) 2026-01-20 07:35:29 +00:00			`openResponsesConfig: openResponsesConfig`
			`? { ...openResponsesConfig, enabled: openResponsesEnabled }`
			`: undefined,`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`controlUiBasePath,`
fix(ui): fix web UI after tsdown migration and typing changes 2026-02-03 13:56:20 -05:00			`controlUiRoot,`
refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00			`resolvedAuth,`
			`authMode,`
			`tailscaleConfig,`
			`tailscaleMode,`
			`hooksConfig,`
			`canvasHostEnabled,`
			`};`
			`}`