mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-21 18:14:49 +00:00
f91de52f0d
* refactor: remove stale file-backed shims * fix: harden sqlite state ci boundaries * refactor: store matrix idb snapshots in sqlite * fix: satisfy rebased CI guardrails * refactor: store current conversation bindings in sqlite table * refactor: store tui last sessions in sqlite table * refactor: reset sqlite schema history * refactor: drop unshipped sqlite table migration * refactor: remove plugin index file rollback * refactor: drop unshipped sqlite sidecar migrations * refactor: remove runtime commitments kv migration * refactor: preserve kysely sync result types * refactor: drop unshipped sqlite schema migration table * test: keep session usage coverage sqlite-backed * refactor: keep sqlite migration doctor-only * refactor: isolate device legacy imports * refactor: isolate push voicewake legacy imports * refactor: isolate remaining runtime legacy imports * refactor: tighten sqlite migration guardrails * test: cover sqlite persisted enum parsing * refactor: isolate legacy update and tui imports * refactor: tighten sqlite state ownership * refactor: move legacy imports behind doctor * refactor: remove legacy session row lookup * refactor: canonicalize memory transcript locators * refactor: drop transcript path scope fallbacks * refactor: drop runtime legacy session delivery pruning * refactor: store tts prefs only in sqlite * refactor: remove cron store path runtime * refactor: use cron sqlite store keys * refactor: rename telegram message cache scope * refactor: read memory dreaming status from sqlite * refactor: rename cron status store key * refactor: stop remembering transcript file paths * test: use sqlite locators in agent fixtures * refactor: remove file-shaped commitments and cron store surfaces * refactor: keep compaction transcript handles out of session rows * refactor: derive transcript handles from session identity * refactor: derive runtime transcript handles * refactor: remove gateway session locator reads * refactor: remove transcript locator from session rows * refactor: store raw stream diagnostics in sqlite * refactor: remove file-shaped transcript rotation * refactor: hide legacy trajectory paths from runtime * refactor: remove runtime transcript file bridges * refactor: repair database-first rebase fallout * refactor: align tests with database-first state * refactor: remove transcript file handoffs * refactor: sync post-compaction memory by transcript scope * refactor: run codex app-server sessions by id * refactor: bind codex runtime state by session id * refactor: pass memory transcripts by sqlite scope * refactor: remove transcript locator cleanup leftovers * test: remove stale transcript file fixtures * refactor: remove transcript locator test helper * test: make cron sqlite keys explicit * test: remove cron runtime store paths * test: remove stale session file fixtures * test: use sqlite cron keys in diagnostics * refactor: remove runtime delivery queue backfill * test: drop fake export session file mocks * refactor: rename acp session read failure flag * refactor: rename acp row session key * refactor: remove session store test seams * refactor: move legacy session parser tests to doctor * refactor: reindex managed memory in place * refactor: drop stale session store wording * refactor: rename session row helpers * refactor: rename sqlite session entry modules * refactor: remove transcript locator leftovers * refactor: trim file-era audit wording * refactor: clean managed media through sqlite * fix: prefer explicit agent for exports * fix: use prepared agent for session resets * fix: canonicalize legacy codex binding import * test: rename state cleanup helper * docs: align backup docs with sqlite state * refactor: drop legacy Pi usage auth fallback * refactor: move legacy auth profile imports to doctor * refactor: keep Pi model discovery auth in memory * refactor: remove MSTeams legacy learning key fallback * refactor: store model catalog config in sqlite * refactor: use sqlite model catalog at runtime * refactor: remove model json compatibility aliases * refactor: store auth profiles in sqlite * refactor: seed copied auth profiles in sqlite * refactor: make auth profile runtime sqlite-addressed * refactor: migrate hermes secrets into sqlite auth store * refactor: move plugin install config migration to doctor * refactor: rename plugin index audit checks * test: drop auth file assumptions * test: remove legacy transcript file assertions * refactor: drop legacy cli session aliases * refactor: store skill uploads in sqlite * refactor: keep subagent attachments in sqlite vfs * refactor: drop subagent attachment cleanup state * refactor: move legacy session aliases to doctor * refactor: require node 24 for sqlite state runtime * refactor: move provider caches into sqlite state * fix: harden virtual agent filesystem * refactor: enforce database-first runtime state * refactor: rename compaction transcript rotation setting * test: clean sqlite refactor test types * refactor: consolidate sqlite runtime state * refactor: model session conversations in sqlite * refactor: stop deriving cron delivery from session keys * refactor: stop classifying sessions from key shape * refactor: hydrate announce targets from typed delivery * refactor: route heartbeat delivery from typed sqlite context * refactor: tighten typed sqlite session routing * refactor: remove session origin routing shadow * refactor: drop session origin shadow fixtures * perf: query sqlite vfs paths by prefix * refactor: use typed conversation metadata for sessions * refactor: prefer typed session routing metadata * refactor: require typed session routing metadata * refactor: resolve group tool policy from typed sessions * refactor: delete dead session thread info bridge * Show Codex subscription reset times in channel errors (#80456) * feat(plugin-sdk): consolidate session workflow APIs * fix(agents): allow read-only agent mount reads * [codex] refresh plugin regression fixtures * fix(agents): restore compaction gateway logs * test: tighten gateway startup assertions * Redact persisted secret-shaped payloads [AI] (#79006) * test: tighten device pair notify assertions * test: tighten hermes secret assertions * test: assert matrix client error shapes * test: assert config compat warnings * fix(heartbeat): remap cron-run exec events to session keys (#80214) * fix(codex): route btw through native side threads * fix(auth): accept friendly OpenAI order for Codex profiles * fix(codex): rotate auth profiles inside harness * fix: keep browser status page probe within timeout * test: assert agents add outputs * test: pin cron read status * fix(agents): avoid Pi resource discovery stalls Co-authored-by: dataCenter430 <titan032000@gmail.com> * fix: retire timed-out codex app-server clients * test: tighten qa lab runtime assertions * test: check security fix outputs * test: verify extension runtime messages * feat(wake): expose typed sessionKey on wake protocol + system event CLI * fix(gateway): await session_end during shutdown drain and track channel + compaction lifecycle paths (#57790) * test: guard talk consult call helper * fix(codex): scale context engine projection (#80761) * fix(codex): scale context engine projection * fix: document Codex context projection scaling * fix: document Codex context projection scaling * fix: document Codex context projection scaling * fix: document Codex context projection scaling * chore: align Codex projection changelog * chore: realign Codex projection changelog * fix: isolate Codex projection patch --------- Co-authored-by: Eva (agent) <eva+agent-78055@100yen.org> Co-authored-by: Josh Lehman <josh@martian.engineering> * refactor: move agent runtime state toward piless * refactor: remove cron session reaper * refactor: move session management to sqlite * refactor: finish database-first state migration * chore: refresh generated sqlite db types * refactor: remove stale file-backed shims * test: harden kysely type coverage # Conflicts: # .agents/skills/kysely-database-access/SKILL.md # src/infra/kysely-sync.types.test.ts # src/proxy-capture/store.sqlite.test.ts # src/state/openclaw-agent-db.test.ts # src/state/openclaw-state-db.test.ts * refactor: remove cron store path runtime * refactor: keep compaction transcript handles out of session rows * refactor: derive embedded transcripts from sqlite identity * refactor: remove embedded transcript locator handoff * refactor: remove runtime transcript file bridges * refactor: remove transcript file handoffs * refactor: remove MSTeams legacy learning key fallback * refactor: store model catalog config in sqlite * refactor: use sqlite model catalog at runtime # Conflicts: # docs/cli/secrets.md # docs/gateway/authentication.md # docs/gateway/secrets.md * fix: keep oauth sibling sync sqlite-local # Conflicts: # src/commands/onboard-auth.test.ts * refactor: remove task session store maintenance # Conflicts: # src/commands/tasks.ts * refactor: keep diagnostics in state sqlite * refactor: enforce database-first runtime state * refactor: consolidate sqlite runtime state * Show Codex subscription reset times in channel errors (#80456) * fix(codex): refresh subscription limit resets * fix(codex): format reset times for channels * Update CHANGELOG with latest changes and fixes Updated CHANGELOG with recent fixes and improvements. * fix(codex): keep command load failures on codex surface * fix(codex): format account rate limits as rows * fix(codex): summarize account limits as usage status * fix(codex): simplify account limit status * test: tighten subagent announce queue assertion * test: tighten session delete lifecycle assertions * test: tighten cron ops assertions * fix: track cron execution milestones * test: tighten hermes secret assertions * test: assert matrix sync store payloads * test: assert config compat warnings * fix(codex): align btw side thread semantics * fix(codex): honor codex fallback blocking * fix(agents): avoid Pi resource discovery stalls * test: tighten codex event assertions * test: tighten cron assertions * Fix Codex app-server OAuth harness auth * refactor: move agent runtime state toward piless * refactor: move device and push state to sqlite * refactor: move runtime json state imports to doctor * refactor: finish database-first state migration * chore: refresh generated sqlite db types * refactor: clarify cron sqlite store keys * refactor: remove stale file-backed shims * refactor: bind codex runtime state by session id * test: expect sqlite trajectory branch export * refactor: rename session row helpers * fix: keep legacy device identity import in doctor * refactor: enforce database-first runtime state * refactor: consolidate sqlite runtime state * build: align pi contract wrappers * chore: repair database-first rebase * refactor: remove session file test contracts * test: update gateway session expectations * refactor: stop routing from session compatibility shadows * refactor: stop persisting session route shadows * refactor: use typed delivery context in clients * refactor: stop echoing session route shadows * refactor: repair embedded runner rebase imports # Conflicts: # src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts * refactor: align pi contract imports * refactor: satisfy kysely sync helper guard * refactor: remove file transcript bridge remnants * refactor: remove session locator compatibility * refactor: remove session file test contracts * refactor: keep rebase database-first clean * refactor: remove session file assumptions from e2e * docs: clarify database-first goal state * test: remove legacy store markers from sqlite runtime tests * refactor: remove legacy store assumptions from runtime seams * refactor: align sqlite runtime helper seams * test: update memory recall sqlite audit mock * refactor: align database-first runtime type seams * test: clarify doctor cron legacy store names * fix: preserve sqlite session route projections * test: fix copilot token cache test syntax * docs: update database-first proof status * test: align database-first test fixtures * docs: update database-first proof status * refactor: clean extension database-first drift * test: align agent session route proof * test: clarify doctor legacy path fixtures * chore: clean database-first changed checks * chore: repair database-first rebase markers * build: allow baileys git subdependency * chore: repair exp-vfs rebase drift * chore: finish exp-vfs rebase cleanup * chore: satisfy rebase lint drift * chore: fix qqbot rebase type seam * chore: fix rebase drift leftovers * fix: keep auth profile oauth secrets out of sqlite * fix: repair rebase drift tests * test: stabilize pairing request ordering * test: use source manifests in plugin contract checks * fix: restore gateway session metadata after rebase * fix: repair database-first rebase drift * fix: clean up database-first rebase fallout * test: stabilize line quick reply receipt time * fix: repair extension rebase drift * test: keep transcript redaction tests sqlite-backed * fix: carry injected transcript redaction through sqlite * chore: clean database branch rebase residue * fix: repair database branch CI drift * fix: repair database branch CI guard drift * fix: stabilize oauth tls preflight test * test: align database branch fast guards * test: repair build artifact boundary guards * chore: clean changelog rebase markers --------- Co-authored-by: pashpashpash <nik@vault77.ai> Co-authored-by: Eva <eva@100yen.org> Co-authored-by: stainlu <stainlu@newtype-ai.org> Co-authored-by: Jason Zhou <jason.zhou.design@gmail.com> Co-authored-by: Ruben Cuevas <hi@rubencu.com> Co-authored-by: Pavan Kumar Gondhi <pavangondhi@gmail.com> Co-authored-by: Shakker <shakkerdroid@gmail.com> Co-authored-by: Kaspre <36520309+Kaspre@users.noreply.github.com> Co-authored-by: dataCenter430 <titan032000@gmail.com> Co-authored-by: Kaspre <kaspre@gmail.com> Co-authored-by: pandadev66 <nova.full.stack@outlook.com> Co-authored-by: Eva <admin@100yen.org> Co-authored-by: Eva (agent) <eva+agent-78055@100yen.org> Co-authored-by: Josh Lehman <josh@martian.engineering> Co-authored-by: jeffjhunter <support@aipersonamethod.com>
1091 lines
46 KiB
Swift
1091 lines
46 KiB
Swift
import AppKit
|
|
import Foundation
|
|
import OpenClawIPC
|
|
import OpenClawKit
|
|
|
|
actor MacNodeRuntime {
|
|
private let cameraCapture = CameraCaptureService()
|
|
private let makeMainActorServices: () async -> any MacNodeRuntimeMainActorServices
|
|
private let browserProxyRequest: @Sendable (String?) async throws -> String
|
|
private let canvasSurfaceUrl: @Sendable () async -> String?
|
|
private let refreshCanvasSurfaceUrl: @Sendable () async -> String?
|
|
private var cachedMainActorServices: (any MacNodeRuntimeMainActorServices)?
|
|
private var mainSessionKey: String = "main"
|
|
private var eventSender: (@Sendable (String, String?) async -> Void)?
|
|
|
|
init(
|
|
makeMainActorServices: @escaping () async -> any MacNodeRuntimeMainActorServices = {
|
|
await MainActor.run { LiveMacNodeRuntimeMainActorServices() }
|
|
},
|
|
browserProxyRequest: @escaping @Sendable (String?) async throws -> String = { paramsJSON in
|
|
try await MacNodeBrowserProxy.shared.request(paramsJSON: paramsJSON)
|
|
},
|
|
canvasSurfaceUrl: @escaping @Sendable () async -> String? = {
|
|
await GatewayConnection.shared.canvasPluginSurfaceUrl()
|
|
},
|
|
refreshCanvasSurfaceUrl: @escaping @Sendable () async -> String? = { nil })
|
|
{
|
|
self.makeMainActorServices = makeMainActorServices
|
|
self.browserProxyRequest = browserProxyRequest
|
|
self.canvasSurfaceUrl = canvasSurfaceUrl
|
|
self.refreshCanvasSurfaceUrl = refreshCanvasSurfaceUrl
|
|
}
|
|
|
|
func updateMainSessionKey(_ sessionKey: String) {
|
|
let trimmed = sessionKey.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
guard !trimmed.isEmpty else { return }
|
|
self.mainSessionKey = trimmed
|
|
}
|
|
|
|
func setEventSender(_ sender: (@Sendable (String, String?) async -> Void)?) {
|
|
self.eventSender = sender
|
|
}
|
|
|
|
func handleInvoke(_ req: BridgeInvokeRequest) async -> BridgeInvokeResponse {
|
|
let command = req.command
|
|
if self.isCanvasCommand(command), !Self.canvasEnabled() {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "CANVAS_DISABLED: enable Canvas in Settings"))
|
|
}
|
|
do {
|
|
switch command {
|
|
case OpenClawCanvasCommand.present.rawValue,
|
|
OpenClawCanvasCommand.hide.rawValue,
|
|
OpenClawCanvasCommand.navigate.rawValue,
|
|
OpenClawCanvasCommand.evalJS.rawValue,
|
|
OpenClawCanvasCommand.snapshot.rawValue:
|
|
return try await self.handleCanvasInvoke(req)
|
|
case OpenClawCanvasA2UICommand.reset.rawValue,
|
|
OpenClawCanvasA2UICommand.push.rawValue,
|
|
OpenClawCanvasA2UICommand.pushJSONL.rawValue:
|
|
return try await self.handleA2UIInvoke(req)
|
|
case OpenClawBrowserCommand.proxy.rawValue:
|
|
return try await self.handleBrowserProxyInvoke(req)
|
|
case OpenClawCameraCommand.snap.rawValue,
|
|
OpenClawCameraCommand.clip.rawValue,
|
|
OpenClawCameraCommand.list.rawValue:
|
|
return try await self.handleCameraInvoke(req)
|
|
case OpenClawLocationCommand.get.rawValue:
|
|
return try await self.handleLocationInvoke(req)
|
|
case MacNodeScreenCommand.snapshot.rawValue:
|
|
return try await self.handleScreenSnapshotInvoke(req)
|
|
case MacNodeScreenCommand.record.rawValue:
|
|
return try await self.handleScreenRecordInvoke(req)
|
|
case OpenClawSystemCommand.run.rawValue:
|
|
return try await self.handleSystemRun(req)
|
|
case OpenClawSystemCommand.which.rawValue:
|
|
return try await self.handleSystemWhich(req)
|
|
case OpenClawSystemCommand.notify.rawValue:
|
|
return try await self.handleSystemNotify(req)
|
|
case OpenClawSystemCommand.execApprovalsGet.rawValue:
|
|
return try await self.handleSystemExecApprovalsGet(req)
|
|
case OpenClawSystemCommand.execApprovalsSet.rawValue:
|
|
return try await self.handleSystemExecApprovalsSet(req)
|
|
default:
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: unknown command")
|
|
}
|
|
} catch {
|
|
return Self.errorResponse(req, code: .unavailable, message: error.localizedDescription)
|
|
}
|
|
}
|
|
|
|
private func isCanvasCommand(_ command: String) -> Bool {
|
|
command.hasPrefix("canvas.") || command.hasPrefix("canvas.a2ui.")
|
|
}
|
|
|
|
private func handleCanvasInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
switch req.command {
|
|
case OpenClawCanvasCommand.present.rawValue:
|
|
let params = (try? Self.decodeParams(OpenClawCanvasPresentParams.self, from: req.paramsJSON)) ??
|
|
OpenClawCanvasPresentParams()
|
|
let urlTrimmed = params.url?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
|
|
let url = urlTrimmed.isEmpty ? nil : urlTrimmed
|
|
let placement = params.placement.map {
|
|
CanvasPlacement(x: $0.x, y: $0.y, width: $0.width, height: $0.height)
|
|
}
|
|
let sessionKey = self.mainSessionKey
|
|
try await MainActor.run {
|
|
_ = try CanvasManager.shared.showDetailed(
|
|
sessionKey: sessionKey,
|
|
target: url,
|
|
placement: placement)
|
|
}
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
case OpenClawCanvasCommand.hide.rawValue:
|
|
let sessionKey = self.mainSessionKey
|
|
await MainActor.run {
|
|
CanvasManager.shared.hide(sessionKey: sessionKey)
|
|
}
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
case OpenClawCanvasCommand.navigate.rawValue:
|
|
let params = try Self.decodeParams(OpenClawCanvasNavigateParams.self, from: req.paramsJSON)
|
|
let sessionKey = self.mainSessionKey
|
|
try await MainActor.run {
|
|
_ = try CanvasManager.shared.show(sessionKey: sessionKey, path: params.url)
|
|
}
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
case OpenClawCanvasCommand.evalJS.rawValue:
|
|
let params = try Self.decodeParams(OpenClawCanvasEvalParams.self, from: req.paramsJSON)
|
|
let sessionKey = self.mainSessionKey
|
|
let result = try await CanvasManager.shared.eval(
|
|
sessionKey: sessionKey,
|
|
javaScript: params.javaScript)
|
|
let payload = try Self.encodePayload(["result": result] as [String: String])
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
case OpenClawCanvasCommand.snapshot.rawValue:
|
|
let params = try? Self.decodeParams(OpenClawCanvasSnapshotParams.self, from: req.paramsJSON)
|
|
let format = params?.format ?? .jpeg
|
|
let maxWidth: Int? = {
|
|
if let raw = params?.maxWidth, raw > 0 { return raw }
|
|
return switch format {
|
|
case .png: 900
|
|
case .jpeg: 1600
|
|
}
|
|
}()
|
|
let quality = params?.quality ?? 0.9
|
|
|
|
let sessionKey = self.mainSessionKey
|
|
let path = try await CanvasManager.shared.snapshot(sessionKey: sessionKey, outPath: nil)
|
|
defer { try? FileManager().removeItem(atPath: path) }
|
|
let data = try Data(contentsOf: URL(fileURLWithPath: path))
|
|
guard let image = NSImage(data: data) else {
|
|
return Self.errorResponse(req, code: .unavailable, message: "canvas snapshot decode failed")
|
|
}
|
|
let encoded = try Self.encodeCanvasSnapshot(
|
|
image: image,
|
|
format: format,
|
|
maxWidth: maxWidth,
|
|
quality: quality)
|
|
let payload = try Self.encodePayload([
|
|
"format": format == .jpeg ? "jpeg" : "png",
|
|
"base64": encoded.base64EncodedString(),
|
|
])
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
default:
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: unknown command")
|
|
}
|
|
}
|
|
|
|
private func handleA2UIInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
switch req.command {
|
|
case OpenClawCanvasA2UICommand.reset.rawValue:
|
|
try await self.handleA2UIReset(req)
|
|
case OpenClawCanvasA2UICommand.push.rawValue,
|
|
OpenClawCanvasA2UICommand.pushJSONL.rawValue:
|
|
try await self.handleA2UIPush(req)
|
|
default:
|
|
Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: unknown command")
|
|
}
|
|
}
|
|
|
|
private func handleBrowserProxyInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
guard OpenClawConfigFile.browserControlEnabled() else {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "BROWSER_DISABLED: enable Browser in Settings"))
|
|
}
|
|
let payloadJSON = try await self.browserProxyRequest(req.paramsJSON)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payloadJSON)
|
|
}
|
|
|
|
private func handleCameraInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
guard Self.cameraEnabled() else {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "CAMERA_DISABLED: enable Camera in Settings"))
|
|
}
|
|
switch req.command {
|
|
case OpenClawCameraCommand.snap.rawValue:
|
|
let params = (try? Self.decodeParams(OpenClawCameraSnapParams.self, from: req.paramsJSON)) ??
|
|
OpenClawCameraSnapParams()
|
|
let delayMs = min(10000, max(0, params.delayMs ?? 2000))
|
|
let res = try await self.cameraCapture.snap(
|
|
facing: CameraFacing(rawValue: params.facing?.rawValue ?? "") ?? .front,
|
|
maxWidth: params.maxWidth,
|
|
quality: params.quality,
|
|
deviceId: params.deviceId,
|
|
delayMs: delayMs)
|
|
struct SnapPayload: Encodable {
|
|
var format: String
|
|
var base64: String
|
|
var width: Int
|
|
var height: Int
|
|
}
|
|
let payload = try Self.encodePayload(SnapPayload(
|
|
format: (params.format ?? .jpg).rawValue,
|
|
base64: res.data.base64EncodedString(),
|
|
width: Int(res.size.width),
|
|
height: Int(res.size.height)))
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
case OpenClawCameraCommand.clip.rawValue:
|
|
let params = (try? Self.decodeParams(OpenClawCameraClipParams.self, from: req.paramsJSON)) ??
|
|
OpenClawCameraClipParams()
|
|
let res = try await self.cameraCapture.clip(
|
|
facing: CameraFacing(rawValue: params.facing?.rawValue ?? "") ?? .front,
|
|
durationMs: params.durationMs,
|
|
includeAudio: params.includeAudio ?? true,
|
|
deviceId: params.deviceId,
|
|
outPath: nil)
|
|
defer { try? FileManager().removeItem(atPath: res.path) }
|
|
let data = try Data(contentsOf: URL(fileURLWithPath: res.path))
|
|
struct ClipPayload: Encodable {
|
|
var format: String
|
|
var base64: String
|
|
var durationMs: Int
|
|
var hasAudio: Bool
|
|
}
|
|
let payload = try Self.encodePayload(ClipPayload(
|
|
format: (params.format ?? .mp4).rawValue,
|
|
base64: data.base64EncodedString(),
|
|
durationMs: res.durationMs,
|
|
hasAudio: res.hasAudio))
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
case OpenClawCameraCommand.list.rawValue:
|
|
let devices = await self.cameraCapture.listDevices()
|
|
let payload = try Self.encodePayload(["devices": devices])
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
default:
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: unknown command")
|
|
}
|
|
}
|
|
|
|
private func handleLocationInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let mode = Self.locationMode()
|
|
guard mode != .off else {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "LOCATION_DISABLED: enable Location in Settings"))
|
|
}
|
|
let params = (try? Self.decodeParams(OpenClawLocationGetParams.self, from: req.paramsJSON)) ??
|
|
OpenClawLocationGetParams()
|
|
let desired = params.desiredAccuracy ??
|
|
(Self.locationPreciseEnabled() ? .precise : .balanced)
|
|
let services = await self.mainActorServices()
|
|
let status = await services.locationAuthorizationStatus()
|
|
let hasPermission = switch mode {
|
|
case .always:
|
|
status == .authorizedAlways
|
|
case .whileUsing:
|
|
status == .authorizedAlways
|
|
case .off:
|
|
false
|
|
}
|
|
if !hasPermission {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "LOCATION_PERMISSION_REQUIRED: grant Location permission"))
|
|
}
|
|
do {
|
|
let location = try await services.currentLocation(
|
|
desiredAccuracy: desired,
|
|
maxAgeMs: params.maxAgeMs,
|
|
timeoutMs: params.timeoutMs)
|
|
let isPrecise = await services.locationAccuracyAuthorization() == .fullAccuracy
|
|
let payload = OpenClawLocationPayload(
|
|
lat: location.coordinate.latitude,
|
|
lon: location.coordinate.longitude,
|
|
accuracyMeters: location.horizontalAccuracy,
|
|
altitudeMeters: location.verticalAccuracy >= 0 ? location.altitude : nil,
|
|
speedMps: location.speed >= 0 ? location.speed : nil,
|
|
headingDeg: location.course >= 0 ? location.course : nil,
|
|
timestamp: ISO8601DateFormatter().string(from: location.timestamp),
|
|
isPrecise: isPrecise,
|
|
source: nil)
|
|
let json = try Self.encodePayload(payload)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: json)
|
|
} catch MacNodeLocationService.Error.timeout {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "LOCATION_TIMEOUT: no fix in time"))
|
|
} catch {
|
|
return BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(
|
|
code: .unavailable,
|
|
message: "LOCATION_UNAVAILABLE: \(error.localizedDescription)"))
|
|
}
|
|
}
|
|
|
|
private func handleScreenRecordInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let params = (try? Self.decodeParams(MacNodeScreenRecordParams.self, from: req.paramsJSON)) ??
|
|
MacNodeScreenRecordParams()
|
|
if let format = params.format?.lowercased(), !format.isEmpty, format != "mp4" {
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .invalidRequest,
|
|
message: "INVALID_REQUEST: screen format must be mp4")
|
|
}
|
|
let services = await self.mainActorServices()
|
|
let res = try await services.recordScreen(
|
|
screenIndex: params.screenIndex,
|
|
durationMs: params.durationMs,
|
|
fps: params.fps,
|
|
includeAudio: params.includeAudio,
|
|
outPath: nil)
|
|
defer { try? FileManager().removeItem(atPath: res.path) }
|
|
let data = try Data(contentsOf: URL(fileURLWithPath: res.path))
|
|
struct ScreenPayload: Encodable {
|
|
var format: String
|
|
var base64: String
|
|
var durationMs: Int?
|
|
var fps: Double?
|
|
var screenIndex: Int?
|
|
var hasAudio: Bool
|
|
}
|
|
let payload = try Self.encodePayload(ScreenPayload(
|
|
format: "mp4",
|
|
base64: data.base64EncodedString(),
|
|
durationMs: params.durationMs,
|
|
fps: params.fps,
|
|
screenIndex: params.screenIndex,
|
|
hasAudio: res.hasAudio))
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private func handleScreenSnapshotInvoke(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let params = (try? Self.decodeParams(MacNodeScreenSnapshotParams.self, from: req.paramsJSON)) ??
|
|
MacNodeScreenSnapshotParams()
|
|
let services = await self.mainActorServices()
|
|
let capturedAtMs = Int64(Date().timeIntervalSince1970 * 1000)
|
|
let res = try await services.snapshotScreen(
|
|
screenIndex: params.screenIndex,
|
|
maxWidth: params.maxWidth,
|
|
quality: params.quality,
|
|
format: params.format)
|
|
struct ScreenSnapshotPayload: Encodable {
|
|
var format: String
|
|
var base64: String
|
|
var width: Int
|
|
var height: Int
|
|
var screenIndex: Int?
|
|
var capturedAtMs: Int64
|
|
}
|
|
let payload = try Self.encodePayload(ScreenSnapshotPayload(
|
|
format: res.format.rawValue,
|
|
base64: res.data.base64EncodedString(),
|
|
width: res.width,
|
|
height: res.height,
|
|
screenIndex: params.screenIndex,
|
|
capturedAtMs: capturedAtMs))
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private func mainActorServices() async -> any MacNodeRuntimeMainActorServices {
|
|
if let cachedMainActorServices { return cachedMainActorServices }
|
|
let services = await self.makeMainActorServices()
|
|
self.cachedMainActorServices = services
|
|
return services
|
|
}
|
|
|
|
private func handleA2UIReset(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
try await self.ensureA2UIHost()
|
|
|
|
let sessionKey = self.mainSessionKey
|
|
let json = try await CanvasManager.shared.eval(sessionKey: sessionKey, javaScript: """
|
|
(() => {
|
|
const host = globalThis.openclawA2UI;
|
|
if (!host) return JSON.stringify({ ok: false, error: "missing openclawA2UI" });
|
|
return JSON.stringify(host.reset());
|
|
})()
|
|
""")
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: json)
|
|
}
|
|
|
|
private func handleA2UIPush(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let command = req.command
|
|
let messages: [OpenClawKit.AnyCodable]
|
|
if command == OpenClawCanvasA2UICommand.pushJSONL.rawValue {
|
|
let params = try Self.decodeParams(OpenClawCanvasA2UIPushJSONLParams.self, from: req.paramsJSON)
|
|
messages = try OpenClawCanvasA2UIJSONL.decodeMessagesFromJSONL(params.jsonl)
|
|
} else {
|
|
do {
|
|
let params = try Self.decodeParams(OpenClawCanvasA2UIPushParams.self, from: req.paramsJSON)
|
|
messages = params.messages
|
|
} catch {
|
|
let params = try Self.decodeParams(OpenClawCanvasA2UIPushJSONLParams.self, from: req.paramsJSON)
|
|
messages = try OpenClawCanvasA2UIJSONL.decodeMessagesFromJSONL(params.jsonl)
|
|
}
|
|
}
|
|
|
|
try await self.ensureA2UIHost()
|
|
|
|
let messagesJSON = try OpenClawCanvasA2UIJSONL.encodeMessagesJSONArray(messages)
|
|
let js = """
|
|
(() => {
|
|
try {
|
|
const host = globalThis.openclawA2UI;
|
|
if (!host) return JSON.stringify({ ok: false, error: "missing openclawA2UI" });
|
|
const messages = \(messagesJSON);
|
|
return JSON.stringify(host.applyMessages(messages));
|
|
} catch (e) {
|
|
return JSON.stringify({ ok: false, error: String(e?.message ?? e) });
|
|
}
|
|
})()
|
|
"""
|
|
let sessionKey = self.mainSessionKey
|
|
let resultJSON = try await CanvasManager.shared.eval(sessionKey: sessionKey, javaScript: js)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: resultJSON)
|
|
}
|
|
|
|
private func ensureA2UIHost() async throws {
|
|
if await self.isA2UIReady() { return }
|
|
guard let a2uiUrl = await self.resolveA2UIHostUrlWithCapabilityRefresh() else {
|
|
throw NSError(domain: "Canvas", code: 30, userInfo: [
|
|
NSLocalizedDescriptionKey: "A2UI_HOST_NOT_CONFIGURED: gateway did not advertise canvas host",
|
|
])
|
|
}
|
|
let sessionKey = self.mainSessionKey
|
|
_ = try await MainActor.run {
|
|
try CanvasManager.shared.show(sessionKey: sessionKey, path: a2uiUrl)
|
|
}
|
|
if await self.isA2UIReady(poll: true) { return }
|
|
if let refreshedUrl = await self.resolveA2UIHostUrlWithCapabilityRefresh(forceRefresh: true) {
|
|
_ = try await MainActor.run {
|
|
try CanvasManager.shared.show(sessionKey: sessionKey, path: refreshedUrl)
|
|
}
|
|
if await self.isA2UIReady(poll: true) { return }
|
|
}
|
|
throw NSError(domain: "Canvas", code: 31, userInfo: [
|
|
NSLocalizedDescriptionKey: "A2UI_HOST_UNAVAILABLE: A2UI host not reachable",
|
|
])
|
|
}
|
|
|
|
private func resolveA2UIHostUrl() async -> String? {
|
|
let canvasSurfaceUrl = await self.canvasSurfaceUrl()
|
|
return Self.resolveA2UIHostUrl(from: canvasSurfaceUrl)
|
|
}
|
|
|
|
private static func resolveA2UIHostUrl(from raw: String?) -> String? {
|
|
guard let raw else { return nil }
|
|
let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
guard !trimmed.isEmpty, let baseUrl = URL(string: trimmed) else { return nil }
|
|
return baseUrl.appendingPathComponent("__openclaw__/a2ui/").absoluteString + "?platform=macos"
|
|
}
|
|
|
|
func resolveA2UIHostUrlWithCapabilityRefresh(forceRefresh: Bool = false) async -> String? {
|
|
if !forceRefresh, let current = await self.resolveA2UIHostUrl() {
|
|
return current
|
|
}
|
|
let refreshedCanvasSurfaceUrl = await self.refreshCanvasSurfaceUrl()
|
|
return Self.resolveA2UIHostUrl(from: refreshedCanvasSurfaceUrl)
|
|
}
|
|
|
|
private func isA2UIReady(poll: Bool = false) async -> Bool {
|
|
let deadline = poll ? Date().addingTimeInterval(6.0) : Date()
|
|
while true {
|
|
do {
|
|
let sessionKey = self.mainSessionKey
|
|
let ready = try await CanvasManager.shared.eval(sessionKey: sessionKey, javaScript: """
|
|
(() => {
|
|
const host = globalThis.openclawA2UI;
|
|
return String(Boolean(host));
|
|
})()
|
|
""")
|
|
let trimmed = ready.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
if trimmed == "true" { return true }
|
|
} catch {
|
|
// Ignore transient eval failures while the page is loading.
|
|
}
|
|
|
|
guard poll, Date() < deadline else { return false }
|
|
try? await Task.sleep(nanoseconds: 120_000_000)
|
|
}
|
|
}
|
|
|
|
private func handleSystemRun(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let params = try Self.decodeParams(OpenClawSystemRunParams.self, from: req.paramsJSON)
|
|
let command = params.command
|
|
guard !command.isEmpty else {
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: command required")
|
|
}
|
|
let sessionKey = (params.sessionKey?.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty == false)
|
|
? params.sessionKey!.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
: self.mainSessionKey
|
|
let providedRunId = params.runId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
|
|
let runId = providedRunId.isEmpty ? UUID().uuidString : providedRunId
|
|
let envOverrideDiagnostics = HostEnvSanitizer.inspectOverrides(
|
|
overrides: params.env,
|
|
blockPathOverrides: true)
|
|
if !envOverrideDiagnostics.blockedKeys.isEmpty || !envOverrideDiagnostics.invalidKeys.isEmpty {
|
|
var details: [String] = []
|
|
if !envOverrideDiagnostics.blockedKeys.isEmpty {
|
|
details.append("blocked override keys: \(envOverrideDiagnostics.blockedKeys.joined(separator: ", "))")
|
|
}
|
|
if !envOverrideDiagnostics.invalidKeys.isEmpty {
|
|
details.append(
|
|
"invalid non-portable override keys: \(envOverrideDiagnostics.invalidKeys.joined(separator: ", "))")
|
|
}
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .invalidRequest,
|
|
message: "SYSTEM_RUN_DENIED: environment override rejected (\(details.joined(separator: "; ")))")
|
|
}
|
|
let evaluation = await ExecApprovalEvaluator.evaluate(
|
|
command: command,
|
|
rawCommand: params.rawCommand,
|
|
cwd: params.cwd,
|
|
envOverrides: params.env,
|
|
agentId: params.agentId)
|
|
|
|
if evaluation.security == .deny {
|
|
await self.emitExecEvent(
|
|
"exec.denied",
|
|
payload: ExecEventPayload(
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
host: "node",
|
|
command: evaluation.displayCommand,
|
|
reason: "security=deny"))
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .unavailable,
|
|
message: "SYSTEM_RUN_DISABLED: security=deny")
|
|
}
|
|
|
|
let approval = await self.resolveSystemRunApproval(
|
|
req: req,
|
|
params: params,
|
|
context: ExecRunContext(
|
|
displayCommand: evaluation.displayCommand,
|
|
security: evaluation.security,
|
|
ask: evaluation.ask,
|
|
agentId: evaluation.agentId,
|
|
resolution: evaluation.resolution,
|
|
allowlistMatch: evaluation.allowlistMatch,
|
|
skillAllow: evaluation.skillAllow,
|
|
sessionKey: sessionKey,
|
|
runId: runId))
|
|
if let response = approval.response { return response }
|
|
let approvedByAsk = approval.approvedByAsk
|
|
let persistAllowlist = approval.persistAllowlist
|
|
self.persistAllowlistPatterns(
|
|
persistAllowlist: persistAllowlist,
|
|
security: evaluation.security,
|
|
agentId: evaluation.agentId,
|
|
allowAlwaysPatterns: evaluation.allowAlwaysPatterns)
|
|
|
|
if evaluation.security == .allowlist, !evaluation.allowlistSatisfied, !evaluation.skillAllow, !approvedByAsk {
|
|
await self.emitExecEvent(
|
|
"exec.denied",
|
|
payload: ExecEventPayload(
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
host: "node",
|
|
command: evaluation.displayCommand,
|
|
reason: "allowlist-miss"))
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .unavailable,
|
|
message: "SYSTEM_RUN_DENIED: allowlist miss")
|
|
}
|
|
|
|
self.recordAllowlistMatches(
|
|
security: evaluation.security,
|
|
allowlistSatisfied: evaluation.allowlistSatisfied,
|
|
agentId: evaluation.agentId,
|
|
allowlistMatches: evaluation.allowlistMatches,
|
|
allowlistResolutions: evaluation.allowlistResolutions,
|
|
displayCommand: evaluation.displayCommand)
|
|
|
|
if let permissionResponse = await self.validateScreenRecordingIfNeeded(
|
|
req: req,
|
|
needsScreenRecording: params.needsScreenRecording,
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
displayCommand: evaluation.displayCommand)
|
|
{
|
|
return permissionResponse
|
|
}
|
|
|
|
return try await self.executeSystemRun(
|
|
req: req,
|
|
params: params,
|
|
command: command,
|
|
env: evaluation.env,
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
displayCommand: evaluation.displayCommand)
|
|
}
|
|
|
|
private func handleSystemWhich(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let params = try Self.decodeParams(OpenClawSystemWhichParams.self, from: req.paramsJSON)
|
|
let bins = params.bins
|
|
.map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
|
|
.filter { !$0.isEmpty }
|
|
guard !bins.isEmpty else {
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: bins required")
|
|
}
|
|
|
|
let searchPaths = CommandResolver.preferredPaths()
|
|
var matches: [String] = []
|
|
var paths: [String: String] = [:]
|
|
for bin in bins {
|
|
if let path = CommandResolver.findExecutable(named: bin, searchPaths: searchPaths) {
|
|
matches.append(bin)
|
|
paths[bin] = path
|
|
}
|
|
}
|
|
|
|
struct WhichPayload: Encodable {
|
|
let bins: [String]
|
|
let paths: [String: String]
|
|
}
|
|
let payload = try Self.encodePayload(WhichPayload(bins: matches, paths: paths))
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private struct ExecApprovalOutcome {
|
|
var approvedByAsk: Bool
|
|
var persistAllowlist: Bool
|
|
var response: BridgeInvokeResponse?
|
|
}
|
|
|
|
private struct ExecRunContext {
|
|
var displayCommand: String
|
|
var security: ExecSecurity
|
|
var ask: ExecAsk
|
|
var agentId: String?
|
|
var resolution: ExecCommandResolution?
|
|
var allowlistMatch: ExecAllowlistEntry?
|
|
var skillAllow: Bool
|
|
var sessionKey: String
|
|
var runId: String
|
|
}
|
|
|
|
private func resolveSystemRunApproval(
|
|
req: BridgeInvokeRequest,
|
|
params: OpenClawSystemRunParams,
|
|
context: ExecRunContext) async -> ExecApprovalOutcome
|
|
{
|
|
let requiresAsk = ExecApprovalHelpers.requiresAsk(
|
|
ask: context.ask,
|
|
security: context.security,
|
|
allowlistMatch: context.allowlistMatch,
|
|
skillAllow: context.skillAllow)
|
|
|
|
let decisionFromParams = ExecApprovalHelpers.parseDecision(params.approvalDecision)
|
|
var approvedByAsk = params.approved == true || decisionFromParams != nil
|
|
var persistAllowlist = decisionFromParams == .allowAlways
|
|
if decisionFromParams == .deny {
|
|
await self.emitExecEvent(
|
|
"exec.denied",
|
|
payload: ExecEventPayload(
|
|
sessionKey: context.sessionKey,
|
|
runId: context.runId,
|
|
host: "node",
|
|
command: context.displayCommand,
|
|
reason: "user-denied"))
|
|
return ExecApprovalOutcome(
|
|
approvedByAsk: approvedByAsk,
|
|
persistAllowlist: persistAllowlist,
|
|
response: Self.errorResponse(
|
|
req,
|
|
code: .unavailable,
|
|
message: "SYSTEM_RUN_DENIED: user denied"))
|
|
}
|
|
|
|
if requiresAsk, !approvedByAsk {
|
|
let decision = await MainActor.run {
|
|
ExecApprovalsPromptPresenter.prompt(
|
|
ExecApprovalPromptRequest(
|
|
command: context.displayCommand,
|
|
cwd: params.cwd,
|
|
host: "node",
|
|
security: context.security.rawValue,
|
|
ask: context.ask.rawValue,
|
|
agentId: context.agentId,
|
|
resolvedPath: context.resolution?.resolvedPath,
|
|
sessionKey: context.sessionKey))
|
|
}
|
|
switch decision {
|
|
case .deny:
|
|
await self.emitExecEvent(
|
|
"exec.denied",
|
|
payload: ExecEventPayload(
|
|
sessionKey: context.sessionKey,
|
|
runId: context.runId,
|
|
host: "node",
|
|
command: context.displayCommand,
|
|
reason: "user-denied"))
|
|
return ExecApprovalOutcome(
|
|
approvedByAsk: approvedByAsk,
|
|
persistAllowlist: persistAllowlist,
|
|
response: Self.errorResponse(
|
|
req,
|
|
code: .unavailable,
|
|
message: "SYSTEM_RUN_DENIED: user denied"))
|
|
case .allowAlways:
|
|
approvedByAsk = true
|
|
persistAllowlist = true
|
|
case .allowOnce:
|
|
approvedByAsk = true
|
|
}
|
|
}
|
|
|
|
return ExecApprovalOutcome(
|
|
approvedByAsk: approvedByAsk,
|
|
persistAllowlist: persistAllowlist,
|
|
response: nil)
|
|
}
|
|
|
|
private func handleSystemExecApprovalsGet(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
_ = ExecApprovalsStore.ensureState()
|
|
let snapshot = ExecApprovalsStore.readSnapshot()
|
|
let redacted = ExecApprovalsSnapshot(
|
|
path: snapshot.path,
|
|
exists: snapshot.exists,
|
|
hash: snapshot.hash,
|
|
file: ExecApprovalsStore.redactForSnapshot(snapshot.file))
|
|
let payload = try Self.encodePayload(redacted)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private func handleSystemExecApprovalsSet(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
struct SetParams: Decodable {
|
|
var file: ExecApprovalsFile
|
|
var baseHash: String?
|
|
}
|
|
|
|
let params = try Self.decodeParams(SetParams.self, from: req.paramsJSON)
|
|
let current = ExecApprovalsStore.ensureState()
|
|
let snapshot = ExecApprovalsStore.readSnapshot()
|
|
if snapshot.exists {
|
|
if snapshot.hash.isEmpty {
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .invalidRequest,
|
|
message: "INVALID_REQUEST: exec approvals base hash unavailable; reload and retry")
|
|
}
|
|
let baseHash = params.baseHash?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
|
|
if baseHash.isEmpty {
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .invalidRequest,
|
|
message: "INVALID_REQUEST: exec approvals base hash required; reload and retry")
|
|
}
|
|
if baseHash != snapshot.hash {
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .invalidRequest,
|
|
message: "INVALID_REQUEST: exec approvals changed; reload and retry")
|
|
}
|
|
}
|
|
|
|
var normalized = ExecApprovalsStore.normalizeIncoming(params.file)
|
|
let socketPath = normalized.socket?.path?.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
let token = normalized.socket?.token?.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
let resolvedPath = (socketPath?.isEmpty == false)
|
|
? socketPath!
|
|
: current.socket?.path?.trimmingCharacters(in: .whitespacesAndNewlines) ??
|
|
ExecApprovalsStore.socketPath()
|
|
let resolvedToken = (token?.isEmpty == false)
|
|
? token!
|
|
: current.socket?.token?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
|
|
normalized.socket = ExecApprovalsSocketConfig(path: resolvedPath, token: resolvedToken)
|
|
|
|
ExecApprovalsStore.saveState(normalized)
|
|
let nextSnapshot = ExecApprovalsStore.readSnapshot()
|
|
let redacted = ExecApprovalsSnapshot(
|
|
path: nextSnapshot.path,
|
|
exists: nextSnapshot.exists,
|
|
hash: nextSnapshot.hash,
|
|
file: ExecApprovalsStore.redactForSnapshot(nextSnapshot.file))
|
|
let payload = try Self.encodePayload(redacted)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private func emitExecEvent(_ event: String, payload: ExecEventPayload) async {
|
|
guard let sender = self.eventSender else { return }
|
|
guard let data = try? JSONEncoder().encode(payload),
|
|
let json = String(data: data, encoding: .utf8)
|
|
else {
|
|
return
|
|
}
|
|
await sender(event, json)
|
|
}
|
|
|
|
private func handleSystemNotify(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
|
|
let params = try Self.decodeParams(OpenClawSystemNotifyParams.self, from: req.paramsJSON)
|
|
let title = params.title.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
let body = params.body.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
if title.isEmpty, body.isEmpty {
|
|
return Self.errorResponse(req, code: .invalidRequest, message: "INVALID_REQUEST: empty notification")
|
|
}
|
|
|
|
let priority = params.priority.flatMap { NotificationPriority(rawValue: $0.rawValue) }
|
|
let delivery = params.delivery.flatMap { NotificationDelivery(rawValue: $0.rawValue) } ?? .system
|
|
let manager = NotificationManager()
|
|
|
|
switch delivery {
|
|
case .system:
|
|
let ok = await manager.send(
|
|
title: title,
|
|
body: body,
|
|
sound: params.sound,
|
|
priority: priority)
|
|
return ok
|
|
? BridgeInvokeResponse(id: req.id, ok: true)
|
|
: Self.errorResponse(req, code: .unavailable, message: "NOT_AUTHORIZED: notifications")
|
|
case .overlay:
|
|
await NotifyOverlayController.shared.present(title: title, body: body)
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
case .auto:
|
|
let ok = await manager.send(
|
|
title: title,
|
|
body: body,
|
|
sound: params.sound,
|
|
priority: priority)
|
|
if ok {
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
}
|
|
await NotifyOverlayController.shared.present(title: title, body: body)
|
|
return BridgeInvokeResponse(id: req.id, ok: true)
|
|
}
|
|
}
|
|
}
|
|
|
|
extension MacNodeRuntime {
|
|
private func persistAllowlistPatterns(
|
|
persistAllowlist: Bool,
|
|
security: ExecSecurity,
|
|
agentId: String?,
|
|
allowAlwaysPatterns: [String])
|
|
{
|
|
guard persistAllowlist, security == .allowlist else { return }
|
|
var seenPatterns = Set<String>()
|
|
for pattern in allowAlwaysPatterns where seenPatterns.insert(pattern).inserted {
|
|
ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern)
|
|
}
|
|
}
|
|
|
|
private func recordAllowlistMatches(
|
|
security: ExecSecurity,
|
|
allowlistSatisfied: Bool,
|
|
agentId: String?,
|
|
allowlistMatches: [ExecAllowlistEntry],
|
|
allowlistResolutions: [ExecCommandResolution],
|
|
displayCommand: String)
|
|
{
|
|
guard security == .allowlist, allowlistSatisfied else { return }
|
|
var seenPatterns = Set<String>()
|
|
for (idx, match) in allowlistMatches.enumerated() {
|
|
if !seenPatterns.insert(match.pattern).inserted {
|
|
continue
|
|
}
|
|
let resolvedPath = idx < allowlistResolutions.count ? allowlistResolutions[idx].resolvedPath : nil
|
|
ExecApprovalsStore.recordAllowlistUse(
|
|
agentId: agentId,
|
|
pattern: match.pattern,
|
|
command: displayCommand,
|
|
resolvedPath: resolvedPath)
|
|
}
|
|
}
|
|
|
|
private func validateScreenRecordingIfNeeded(
|
|
req: BridgeInvokeRequest,
|
|
needsScreenRecording: Bool?,
|
|
sessionKey: String,
|
|
runId: String,
|
|
displayCommand: String) async -> BridgeInvokeResponse?
|
|
{
|
|
guard needsScreenRecording == true else { return nil }
|
|
let authorized = await PermissionManager
|
|
.status([.screenRecording])[.screenRecording] ?? false
|
|
if authorized {
|
|
return nil
|
|
}
|
|
await self.emitExecEvent(
|
|
"exec.denied",
|
|
payload: ExecEventPayload(
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
host: "node",
|
|
command: displayCommand,
|
|
reason: "permission:screenRecording"))
|
|
return Self.errorResponse(
|
|
req,
|
|
code: .unavailable,
|
|
message: "PERMISSION_MISSING: screenRecording")
|
|
}
|
|
|
|
private func executeSystemRun(
|
|
req: BridgeInvokeRequest,
|
|
params: OpenClawSystemRunParams,
|
|
command: [String],
|
|
env: [String: String],
|
|
sessionKey: String,
|
|
runId: String,
|
|
displayCommand: String) async throws -> BridgeInvokeResponse
|
|
{
|
|
let timeoutSec = params.timeoutMs.flatMap { Double($0) / 1000.0 }
|
|
await self.emitExecEvent(
|
|
"exec.started",
|
|
payload: ExecEventPayload(
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
host: "node",
|
|
command: displayCommand))
|
|
let result = await ShellExecutor.runDetailed(
|
|
command: command,
|
|
cwd: params.cwd,
|
|
env: env,
|
|
timeout: timeoutSec)
|
|
let combined = [result.stdout, result.stderr, result.errorMessage]
|
|
.compactMap(\.self)
|
|
.filter { !$0.isEmpty }
|
|
.joined(separator: "\n")
|
|
await self.emitExecEvent(
|
|
"exec.finished",
|
|
payload: ExecEventPayload(
|
|
sessionKey: sessionKey,
|
|
runId: runId,
|
|
host: "node",
|
|
command: displayCommand,
|
|
exitCode: result.exitCode,
|
|
timedOut: result.timedOut,
|
|
success: result.success,
|
|
output: ExecEventPayload.truncateOutput(combined)))
|
|
|
|
struct RunPayload: Encodable {
|
|
var exitCode: Int?
|
|
var timedOut: Bool
|
|
var success: Bool
|
|
var stdout: String
|
|
var stderr: String
|
|
var error: String?
|
|
}
|
|
let runPayload = RunPayload(
|
|
exitCode: result.exitCode,
|
|
timedOut: result.timedOut,
|
|
success: result.success,
|
|
stdout: result.stdout,
|
|
stderr: result.stderr,
|
|
error: result.errorMessage)
|
|
let payload = try Self.encodePayload(runPayload)
|
|
return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
|
|
}
|
|
|
|
private static func decodeParams<T: Decodable>(_ type: T.Type, from json: String?) throws -> T {
|
|
guard let json, let data = json.data(using: .utf8) else {
|
|
throw NSError(domain: "Gateway", code: 20, userInfo: [
|
|
NSLocalizedDescriptionKey: "INVALID_REQUEST: paramsJSON required",
|
|
])
|
|
}
|
|
return try JSONDecoder().decode(type, from: data)
|
|
}
|
|
|
|
private static func encodePayload(_ obj: some Encodable) throws -> String {
|
|
let data = try JSONEncoder().encode(obj)
|
|
guard let json = String(bytes: data, encoding: .utf8) else {
|
|
throw NSError(domain: "Node", code: 21, userInfo: [
|
|
NSLocalizedDescriptionKey: "Failed to encode payload as UTF-8",
|
|
])
|
|
}
|
|
return json
|
|
}
|
|
|
|
private nonisolated static func canvasEnabled() -> Bool {
|
|
UserDefaults.standard.object(forKey: canvasEnabledKey) as? Bool ?? true
|
|
}
|
|
|
|
private nonisolated static func cameraEnabled() -> Bool {
|
|
UserDefaults.standard.object(forKey: cameraEnabledKey) as? Bool ?? false
|
|
}
|
|
|
|
private nonisolated static func locationMode() -> OpenClawLocationMode {
|
|
let raw = UserDefaults.standard.string(forKey: locationModeKey) ?? "off"
|
|
return OpenClawLocationMode(rawValue: raw) ?? .off
|
|
}
|
|
|
|
private nonisolated static func locationPreciseEnabled() -> Bool {
|
|
if UserDefaults.standard.object(forKey: locationPreciseKey) == nil { return true }
|
|
return UserDefaults.standard.bool(forKey: locationPreciseKey)
|
|
}
|
|
|
|
private static func errorResponse(
|
|
_ req: BridgeInvokeRequest,
|
|
code: OpenClawNodeErrorCode,
|
|
message: String) -> BridgeInvokeResponse
|
|
{
|
|
BridgeInvokeResponse(
|
|
id: req.id,
|
|
ok: false,
|
|
error: OpenClawNodeError(code: code, message: message))
|
|
}
|
|
|
|
private static func encodeCanvasSnapshot(
|
|
image: NSImage,
|
|
format: OpenClawCanvasSnapshotFormat,
|
|
maxWidth: Int?,
|
|
quality: Double) throws -> Data
|
|
{
|
|
let source = Self.scaleImage(image, maxWidth: maxWidth) ?? image
|
|
guard let tiff = source.tiffRepresentation,
|
|
let rep = NSBitmapImageRep(data: tiff)
|
|
else {
|
|
throw NSError(domain: "Canvas", code: 22, userInfo: [
|
|
NSLocalizedDescriptionKey: "snapshot encode failed",
|
|
])
|
|
}
|
|
|
|
switch format {
|
|
case .png:
|
|
guard let data = rep.representation(using: .png, properties: [:]) else {
|
|
throw NSError(domain: "Canvas", code: 23, userInfo: [
|
|
NSLocalizedDescriptionKey: "png encode failed",
|
|
])
|
|
}
|
|
return data
|
|
case .jpeg:
|
|
let clamped = min(1.0, max(0.05, quality))
|
|
guard let data = rep.representation(
|
|
using: .jpeg,
|
|
properties: [.compressionFactor: clamped])
|
|
else {
|
|
throw NSError(domain: "Canvas", code: 24, userInfo: [
|
|
NSLocalizedDescriptionKey: "jpeg encode failed",
|
|
])
|
|
}
|
|
return data
|
|
}
|
|
}
|
|
|
|
private static func scaleImage(_ image: NSImage, maxWidth: Int?) -> NSImage? {
|
|
guard let maxWidth, maxWidth > 0 else { return image }
|
|
let size = image.size
|
|
guard size.width > 0, size.width > CGFloat(maxWidth) else { return image }
|
|
let scale = CGFloat(maxWidth) / size.width
|
|
let target = NSSize(width: CGFloat(maxWidth), height: size.height * scale)
|
|
|
|
let out = NSImage(size: target)
|
|
out.lockFocus()
|
|
image.draw(
|
|
in: NSRect(origin: .zero, size: target),
|
|
from: NSRect(origin: .zero, size: size),
|
|
operation: .copy,
|
|
fraction: 1.0)
|
|
out.unlockFocus()
|
|
return out
|
|
}
|
|
}
|