2026-01-16 19:29:48 +00:00
|
|
|
import ConcurrencyExtras
|
2025-12-12 22:26:43 +00:00
|
|
|
import Foundation
|
|
|
|
|
import OSLog
|
|
|
|
|
|
|
|
|
|
enum GatewayEndpointState: Sendable, Equatable {
|
2026-01-01 21:34:46 -06:00
|
|
|
case ready(mode: AppState.ConnectionMode, url: URL, token: String?, password: String?)
|
2026-01-11 04:42:56 +01:00
|
|
|
case connecting(mode: AppState.ConnectionMode, detail: String)
|
2025-12-12 22:26:43 +00:00
|
|
|
case unavailable(mode: AppState.ConnectionMode, reason: String)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Single place to resolve (and publish) the effective gateway control endpoint.
|
|
|
|
|
///
|
|
|
|
|
/// This is intentionally separate from `GatewayConnection`:
|
|
|
|
|
/// - `GatewayConnection` consumes the resolved endpoint (no tunnel side-effects).
|
|
|
|
|
/// - The endpoint store owns observation + explicit "ensure tunnel" actions.
|
|
|
|
|
actor GatewayEndpointStore {
|
|
|
|
|
static let shared = GatewayEndpointStore()
|
2026-01-19 04:50:07 +00:00
|
|
|
private static let supportedBindModes: Set<String> = [
|
|
|
|
|
"loopback",
|
|
|
|
|
"tailnet",
|
|
|
|
|
"lan",
|
|
|
|
|
"auto",
|
|
|
|
|
"custom",
|
|
|
|
|
]
|
2026-01-11 04:42:56 +01:00
|
|
|
private static let remoteConnectingDetail = "Connecting to remote gateway…"
|
2026-01-16 19:29:48 +00:00
|
|
|
private static let staticLogger = Logger(subsystem: "com.clawdbot", category: "gateway-endpoint")
|
|
|
|
|
private enum EnvOverrideWarningKind: Sendable {
|
|
|
|
|
case token
|
|
|
|
|
case password
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static let envOverrideWarnings = LockIsolated((token: false, password: false))
|
2025-12-12 22:26:43 +00:00
|
|
|
|
|
|
|
|
struct Deps: Sendable {
|
|
|
|
|
let mode: @Sendable () async -> AppState.ConnectionMode
|
|
|
|
|
let token: @Sendable () -> String?
|
2026-01-01 21:34:46 -06:00
|
|
|
let password: @Sendable () -> String?
|
2025-12-12 22:26:43 +00:00
|
|
|
let localPort: @Sendable () -> Int
|
2026-01-05 05:30:40 +01:00
|
|
|
let localHost: @Sendable () async -> String
|
2025-12-12 22:26:43 +00:00
|
|
|
let remotePortIfRunning: @Sendable () async -> UInt16?
|
|
|
|
|
let ensureRemoteTunnel: @Sendable () async throws -> UInt16
|
|
|
|
|
|
|
|
|
|
static let live = Deps(
|
|
|
|
|
mode: { await MainActor.run { AppStateStore.shared.connectionMode } },
|
2026-01-11 01:51:07 +01:00
|
|
|
token: {
|
|
|
|
|
let root = ClawdbotConfigFile.loadDict()
|
2026-01-16 19:29:48 +00:00
|
|
|
let isRemote = ConnectionModeResolver.resolve(root: root).mode == .remote
|
2026-01-11 01:51:07 +01:00
|
|
|
return GatewayEndpointStore.resolveGatewayToken(
|
2026-01-16 19:29:48 +00:00
|
|
|
isRemote: isRemote,
|
2026-01-11 01:51:07 +01:00
|
|
|
root: root,
|
2026-01-15 08:47:45 +00:00
|
|
|
env: ProcessInfo.processInfo.environment,
|
|
|
|
|
launchdSnapshot: GatewayLaunchAgentManager.launchdConfigSnapshot())
|
2026-01-11 01:51:07 +01:00
|
|
|
},
|
2026-01-01 21:34:46 -06:00
|
|
|
password: {
|
2026-01-04 14:32:47 +00:00
|
|
|
let root = ClawdbotConfigFile.loadDict()
|
2026-01-16 19:29:48 +00:00
|
|
|
let isRemote = ConnectionModeResolver.resolve(root: root).mode == .remote
|
2026-01-02 16:56:27 +01:00
|
|
|
return GatewayEndpointStore.resolveGatewayPassword(
|
2026-01-16 19:29:48 +00:00
|
|
|
isRemote: isRemote,
|
2026-01-02 16:56:27 +01:00
|
|
|
root: root,
|
2026-01-15 08:47:45 +00:00
|
|
|
env: ProcessInfo.processInfo.environment,
|
|
|
|
|
launchdSnapshot: GatewayLaunchAgentManager.launchdConfigSnapshot())
|
2026-01-01 21:26:37 -06:00
|
|
|
},
|
2025-12-12 22:26:43 +00:00
|
|
|
localPort: { GatewayEnvironment.gatewayPort() },
|
2026-01-05 05:30:40 +01:00
|
|
|
localHost: {
|
|
|
|
|
let root = ClawdbotConfigFile.loadDict()
|
|
|
|
|
let bind = GatewayEndpointStore.resolveGatewayBindMode(
|
|
|
|
|
root: root,
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-19 04:50:07 +00:00
|
|
|
let customBindHost = GatewayEndpointStore.resolveGatewayCustomBindHost(root: root)
|
2026-01-05 05:30:40 +01:00
|
|
|
let tailscaleIP = await MainActor.run { TailscaleService.shared.tailscaleIP }
|
2026-01-21 05:01:22 +00:00
|
|
|
?? TailscaleService.fallbackTailnetIPv4()
|
2026-01-05 05:30:40 +01:00
|
|
|
return GatewayEndpointStore.resolveLocalGatewayHost(
|
|
|
|
|
bindMode: bind,
|
2026-01-19 04:50:07 +00:00
|
|
|
customBindHost: customBindHost,
|
2026-01-05 05:30:40 +01:00
|
|
|
tailscaleIP: tailscaleIP)
|
|
|
|
|
},
|
2025-12-12 22:26:43 +00:00
|
|
|
remotePortIfRunning: { await RemoteTunnelManager.shared.controlTunnelPortIfRunning() },
|
|
|
|
|
ensureRemoteTunnel: { try await RemoteTunnelManager.shared.ensureControlTunnel() })
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-02 16:56:27 +01:00
|
|
|
private static func resolveGatewayPassword(
|
|
|
|
|
isRemote: Bool,
|
|
|
|
|
root: [String: Any],
|
2026-01-15 08:47:45 +00:00
|
|
|
env: [String: String],
|
|
|
|
|
launchdSnapshot: LaunchAgentPlistSnapshot?) -> String?
|
2026-01-04 16:24:10 +01:00
|
|
|
{
|
2026-01-04 14:32:47 +00:00
|
|
|
let raw = env["CLAWDBOT_GATEWAY_PASSWORD"] ?? ""
|
2026-01-02 16:56:27 +01:00
|
|
|
let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
if !trimmed.isEmpty {
|
2026-01-16 19:29:48 +00:00
|
|
|
if let configPassword = self.resolveConfigPassword(isRemote: isRemote, root: root),
|
|
|
|
|
!configPassword.isEmpty
|
|
|
|
|
{
|
|
|
|
|
self.warnEnvOverrideOnce(
|
|
|
|
|
kind: .password,
|
|
|
|
|
envVar: "CLAWDBOT_GATEWAY_PASSWORD",
|
|
|
|
|
configKey: isRemote ? "gateway.remote.password" : "gateway.auth.password")
|
|
|
|
|
}
|
2026-01-02 16:56:27 +01:00
|
|
|
return trimmed
|
|
|
|
|
}
|
|
|
|
|
if isRemote {
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let remote = gateway["remote"] as? [String: Any],
|
|
|
|
|
let password = remote["password"] as? String
|
|
|
|
|
{
|
|
|
|
|
let pw = password.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
if !pw.isEmpty {
|
|
|
|
|
return pw
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let auth = gateway["auth"] as? [String: Any],
|
|
|
|
|
let password = auth["password"] as? String
|
|
|
|
|
{
|
|
|
|
|
let pw = password.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
if !pw.isEmpty {
|
|
|
|
|
return pw
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-01-15 08:47:45 +00:00
|
|
|
if let password = launchdSnapshot?.password?.trimmingCharacters(in: .whitespacesAndNewlines),
|
|
|
|
|
!password.isEmpty
|
|
|
|
|
{
|
|
|
|
|
return password
|
|
|
|
|
}
|
2026-01-02 16:56:27 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-16 19:29:48 +00:00
|
|
|
private static func resolveConfigPassword(isRemote: Bool, root: [String: Any]) -> String? {
|
|
|
|
|
if isRemote {
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let remote = gateway["remote"] as? [String: Any],
|
|
|
|
|
let password = remote["password"] as? String
|
|
|
|
|
{
|
|
|
|
|
return password.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let auth = gateway["auth"] as? [String: Any],
|
|
|
|
|
let password = auth["password"] as? String
|
|
|
|
|
{
|
|
|
|
|
return password.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-11 01:51:07 +01:00
|
|
|
private static func resolveGatewayToken(
|
|
|
|
|
isRemote: Bool,
|
|
|
|
|
root: [String: Any],
|
2026-01-15 08:47:45 +00:00
|
|
|
env: [String: String],
|
|
|
|
|
launchdSnapshot: LaunchAgentPlistSnapshot?) -> String?
|
2026-01-11 01:51:07 +01:00
|
|
|
{
|
|
|
|
|
let raw = env["CLAWDBOT_GATEWAY_TOKEN"] ?? ""
|
|
|
|
|
let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
if !trimmed.isEmpty {
|
2026-01-16 19:29:48 +00:00
|
|
|
if let configToken = self.resolveConfigToken(isRemote: isRemote, root: root),
|
2026-01-18 20:00:26 +01:00
|
|
|
!configToken.isEmpty,
|
|
|
|
|
configToken != trimmed
|
2026-01-16 19:29:48 +00:00
|
|
|
{
|
|
|
|
|
self.warnEnvOverrideOnce(
|
|
|
|
|
kind: .token,
|
|
|
|
|
envVar: "CLAWDBOT_GATEWAY_TOKEN",
|
|
|
|
|
configKey: isRemote ? "gateway.remote.token" : "gateway.auth.token")
|
|
|
|
|
}
|
2026-01-11 01:51:07 +01:00
|
|
|
return trimmed
|
|
|
|
|
}
|
2026-01-20 16:19:37 +00:00
|
|
|
|
2026-01-18 20:00:26 +01:00
|
|
|
if let configToken = self.resolveConfigToken(isRemote: isRemote, root: root),
|
|
|
|
|
!configToken.isEmpty
|
2026-01-11 01:51:07 +01:00
|
|
|
{
|
2026-01-18 20:00:26 +01:00
|
|
|
return configToken
|
2026-01-11 01:51:07 +01:00
|
|
|
}
|
2026-01-18 20:00:26 +01:00
|
|
|
|
2026-01-21 03:34:42 +00:00
|
|
|
if isRemote {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-15 08:47:45 +00:00
|
|
|
if let token = launchdSnapshot?.token?.trimmingCharacters(in: .whitespacesAndNewlines),
|
|
|
|
|
!token.isEmpty
|
|
|
|
|
{
|
|
|
|
|
return token
|
|
|
|
|
}
|
2026-01-20 16:19:37 +00:00
|
|
|
|
2026-01-11 01:51:07 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-16 19:29:48 +00:00
|
|
|
private static func resolveConfigToken(isRemote: Bool, root: [String: Any]) -> String? {
|
|
|
|
|
if isRemote {
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let remote = gateway["remote"] as? [String: Any],
|
|
|
|
|
let token = remote["token"] as? String
|
|
|
|
|
{
|
|
|
|
|
return token.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let auth = gateway["auth"] as? [String: Any],
|
|
|
|
|
let token = auth["token"] as? String
|
|
|
|
|
{
|
|
|
|
|
return token.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static func warnEnvOverrideOnce(
|
|
|
|
|
kind: EnvOverrideWarningKind,
|
|
|
|
|
envVar: String,
|
|
|
|
|
configKey: String)
|
|
|
|
|
{
|
|
|
|
|
let shouldWarn = Self.envOverrideWarnings.withValue { state in
|
|
|
|
|
switch kind {
|
|
|
|
|
case .token:
|
|
|
|
|
guard !state.token else { return false }
|
|
|
|
|
state.token = true
|
|
|
|
|
return true
|
|
|
|
|
case .password:
|
|
|
|
|
guard !state.password else { return false }
|
|
|
|
|
state.password = true
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
guard shouldWarn else { return }
|
|
|
|
|
Self.staticLogger.warning(
|
|
|
|
|
"\(envVar, privacy: .public) is set and overrides \(configKey, privacy: .public). " +
|
|
|
|
|
"If this is unintentional, clear it with: launchctl unsetenv \(envVar, privacy: .public)")
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-12 22:26:43 +00:00
|
|
|
private let deps: Deps
|
2026-01-04 14:32:47 +00:00
|
|
|
private let logger = Logger(subsystem: "com.clawdbot", category: "gateway-endpoint")
|
2025-12-12 22:26:43 +00:00
|
|
|
|
|
|
|
|
private var state: GatewayEndpointState
|
|
|
|
|
private var subscribers: [UUID: AsyncStream<GatewayEndpointState>.Continuation] = [:]
|
2026-01-11 04:42:56 +01:00
|
|
|
private var remoteEnsure: (token: UUID, task: Task<UInt16, Error>)?
|
2025-12-12 22:26:43 +00:00
|
|
|
|
|
|
|
|
init(deps: Deps = .live) {
|
|
|
|
|
self.deps = deps
|
2025-12-20 02:20:48 +01:00
|
|
|
let modeRaw = UserDefaults.standard.string(forKey: connectionModeKey)
|
|
|
|
|
let initialMode: AppState.ConnectionMode
|
|
|
|
|
if let modeRaw {
|
|
|
|
|
initialMode = AppState.ConnectionMode(rawValue: modeRaw) ?? .local
|
|
|
|
|
} else {
|
2026-01-04 14:32:47 +00:00
|
|
|
let seen = UserDefaults.standard.bool(forKey: "clawdbot.onboardingSeen")
|
2025-12-20 02:20:48 +01:00
|
|
|
initialMode = seen ? .local : .unconfigured
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-12 22:26:43 +00:00
|
|
|
let port = deps.localPort()
|
2026-01-05 05:30:40 +01:00
|
|
|
let bind = GatewayEndpointStore.resolveGatewayBindMode(
|
|
|
|
|
root: ClawdbotConfigFile.loadDict(),
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-19 04:50:07 +00:00
|
|
|
let customBindHost = GatewayEndpointStore.resolveGatewayCustomBindHost(root: ClawdbotConfigFile.loadDict())
|
2026-01-19 02:46:07 +00:00
|
|
|
let scheme = GatewayEndpointStore.resolveGatewayScheme(
|
|
|
|
|
root: ClawdbotConfigFile.loadDict(),
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-19 04:50:07 +00:00
|
|
|
let host = GatewayEndpointStore.resolveLocalGatewayHost(
|
|
|
|
|
bindMode: bind,
|
|
|
|
|
customBindHost: customBindHost,
|
|
|
|
|
tailscaleIP: nil)
|
2026-01-01 21:34:46 -06:00
|
|
|
let token = deps.token()
|
|
|
|
|
let password = deps.password()
|
2025-12-20 02:20:48 +01:00
|
|
|
switch initialMode {
|
|
|
|
|
case .local:
|
2026-01-04 16:24:10 +01:00
|
|
|
self.state = .ready(
|
|
|
|
|
mode: .local,
|
2026-01-19 02:46:07 +00:00
|
|
|
url: URL(string: "\(scheme)://\(host):\(port)")!,
|
2026-01-04 16:24:10 +01:00
|
|
|
token: token,
|
|
|
|
|
password: password)
|
2025-12-20 02:20:48 +01:00
|
|
|
case .remote:
|
2026-01-11 04:42:56 +01:00
|
|
|
self.state = .connecting(mode: .remote, detail: Self.remoteConnectingDetail)
|
|
|
|
|
Task { await self.setMode(.remote) }
|
2025-12-20 02:20:48 +01:00
|
|
|
case .unconfigured:
|
|
|
|
|
self.state = .unavailable(mode: .unconfigured, reason: "Gateway not configured")
|
|
|
|
|
}
|
2025-12-12 22:26:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func subscribe(bufferingNewest: Int = 1) -> AsyncStream<GatewayEndpointState> {
|
|
|
|
|
let id = UUID()
|
|
|
|
|
let initial = self.state
|
|
|
|
|
let store = self
|
|
|
|
|
return AsyncStream(bufferingPolicy: .bufferingNewest(bufferingNewest)) { continuation in
|
|
|
|
|
continuation.yield(initial)
|
|
|
|
|
self.subscribers[id] = continuation
|
|
|
|
|
continuation.onTermination = { @Sendable _ in
|
|
|
|
|
Task { await store.removeSubscriber(id) }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func refresh() async {
|
|
|
|
|
let mode = await self.deps.mode()
|
|
|
|
|
await self.setMode(mode)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func setMode(_ mode: AppState.ConnectionMode) async {
|
|
|
|
|
let token = self.deps.token()
|
2026-01-01 21:34:46 -06:00
|
|
|
let password = self.deps.password()
|
2025-12-12 22:26:43 +00:00
|
|
|
switch mode {
|
|
|
|
|
case .local:
|
2026-01-11 04:42:56 +01:00
|
|
|
self.cancelRemoteEnsure()
|
2025-12-12 22:26:43 +00:00
|
|
|
let port = self.deps.localPort()
|
2026-01-05 05:30:40 +01:00
|
|
|
let host = await self.deps.localHost()
|
2026-01-19 02:46:07 +00:00
|
|
|
let scheme = GatewayEndpointStore.resolveGatewayScheme(
|
|
|
|
|
root: ClawdbotConfigFile.loadDict(),
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-04 16:24:10 +01:00
|
|
|
self.setState(.ready(
|
2026-01-15 14:40:57 +00:00
|
|
|
mode: .local,
|
2026-01-19 02:46:07 +00:00
|
|
|
url: URL(string: "\(scheme)://\(host):\(port)")!,
|
2026-01-15 14:40:57 +00:00
|
|
|
token: token,
|
|
|
|
|
password: password))
|
2025-12-12 22:26:43 +00:00
|
|
|
case .remote:
|
|
|
|
|
let port = await self.deps.remotePortIfRunning()
|
|
|
|
|
guard let port else {
|
2026-01-11 04:42:56 +01:00
|
|
|
self.setState(.connecting(mode: .remote, detail: Self.remoteConnectingDetail))
|
|
|
|
|
self.kickRemoteEnsureIfNeeded(detail: Self.remoteConnectingDetail)
|
2025-12-12 22:26:43 +00:00
|
|
|
return
|
|
|
|
|
}
|
2026-01-11 04:42:56 +01:00
|
|
|
self.cancelRemoteEnsure()
|
2026-01-19 02:46:07 +00:00
|
|
|
let scheme = GatewayEndpointStore.resolveGatewayScheme(
|
|
|
|
|
root: ClawdbotConfigFile.loadDict(),
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-04 16:24:10 +01:00
|
|
|
self.setState(.ready(
|
2026-01-15 14:40:57 +00:00
|
|
|
mode: .remote,
|
2026-01-19 02:46:07 +00:00
|
|
|
url: URL(string: "\(scheme)://127.0.0.1:\(Int(port))")!,
|
2026-01-15 14:40:57 +00:00
|
|
|
token: token,
|
|
|
|
|
password: password))
|
2025-12-20 02:20:48 +01:00
|
|
|
case .unconfigured:
|
2026-01-11 04:42:56 +01:00
|
|
|
self.cancelRemoteEnsure()
|
2025-12-20 02:20:48 +01:00
|
|
|
self.setState(.unavailable(mode: .unconfigured, reason: "Gateway not configured"))
|
2025-12-12 22:26:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Explicit action: ensure the remote control tunnel is established and publish the resolved endpoint.
|
|
|
|
|
func ensureRemoteControlTunnel() async throws -> UInt16 {
|
|
|
|
|
let mode = await self.deps.mode()
|
|
|
|
|
guard mode == .remote else {
|
|
|
|
|
throw NSError(
|
|
|
|
|
domain: "RemoteTunnel",
|
|
|
|
|
code: 1,
|
|
|
|
|
userInfo: [NSLocalizedDescriptionKey: "Remote mode is not enabled"])
|
|
|
|
|
}
|
2026-01-11 04:42:56 +01:00
|
|
|
let config = try await self.ensureRemoteConfig(detail: Self.remoteConnectingDetail)
|
|
|
|
|
guard let portInt = config.0.port, let port = UInt16(exactly: portInt) else {
|
2026-01-11 11:45:25 +00:00
|
|
|
throw NSError(
|
|
|
|
|
domain: "GatewayEndpoint",
|
|
|
|
|
code: 1,
|
|
|
|
|
userInfo: [NSLocalizedDescriptionKey: "Missing tunnel port"])
|
2026-01-11 04:42:56 +01:00
|
|
|
}
|
2025-12-12 22:26:43 +00:00
|
|
|
return port
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func requireConfig() async throws -> GatewayConnection.Config {
|
|
|
|
|
await self.refresh()
|
|
|
|
|
switch self.state {
|
2026-01-01 21:34:46 -06:00
|
|
|
case let .ready(_, url, token, password):
|
|
|
|
|
return (url, token, password)
|
2026-01-11 04:42:56 +01:00
|
|
|
case let .connecting(mode, _):
|
|
|
|
|
guard mode == .remote else {
|
|
|
|
|
throw NSError(domain: "GatewayEndpoint", code: 1, userInfo: [NSLocalizedDescriptionKey: "Connecting…"])
|
|
|
|
|
}
|
|
|
|
|
return try await self.ensureRemoteConfig(detail: Self.remoteConnectingDetail)
|
2025-12-12 22:45:18 +00:00
|
|
|
case let .unavailable(mode, reason):
|
|
|
|
|
guard mode == .remote else {
|
|
|
|
|
throw NSError(domain: "GatewayEndpoint", code: 1, userInfo: [NSLocalizedDescriptionKey: reason])
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Auto-recover for remote mode: if the SSH control tunnel died (or hasn't been created yet),
|
|
|
|
|
// recreate it on demand so callers can recover without a manual reconnect.
|
2026-01-11 04:42:56 +01:00
|
|
|
self.logger.info(
|
|
|
|
|
"endpoint unavailable; ensuring remote control tunnel reason=\(reason, privacy: .public)")
|
|
|
|
|
return try await self.ensureRemoteConfig(detail: Self.remoteConnectingDetail)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private func cancelRemoteEnsure() {
|
|
|
|
|
self.remoteEnsure?.task.cancel()
|
|
|
|
|
self.remoteEnsure = nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private func kickRemoteEnsureIfNeeded(detail: String) {
|
|
|
|
|
if self.remoteEnsure != nil {
|
|
|
|
|
self.setState(.connecting(mode: .remote, detail: detail))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let deps = self.deps
|
|
|
|
|
let token = UUID()
|
|
|
|
|
let task = Task.detached(priority: .utility) { try await deps.ensureRemoteTunnel() }
|
|
|
|
|
self.remoteEnsure = (token: token, task: task)
|
|
|
|
|
self.setState(.connecting(mode: .remote, detail: detail))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private func ensureRemoteConfig(detail: String) async throws -> GatewayConnection.Config {
|
|
|
|
|
let mode = await self.deps.mode()
|
|
|
|
|
guard mode == .remote else {
|
|
|
|
|
throw NSError(
|
|
|
|
|
domain: "RemoteTunnel",
|
|
|
|
|
code: 1,
|
|
|
|
|
userInfo: [NSLocalizedDescriptionKey: "Remote mode is not enabled"])
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
self.kickRemoteEnsureIfNeeded(detail: detail)
|
|
|
|
|
guard let ensure = self.remoteEnsure else {
|
|
|
|
|
throw NSError(domain: "GatewayEndpoint", code: 1, userInfo: [NSLocalizedDescriptionKey: "Connecting…"])
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
let forwarded = try await ensure.task.value
|
|
|
|
|
let stillRemote = await self.deps.mode() == .remote
|
|
|
|
|
guard stillRemote else {
|
2026-01-11 11:45:25 +00:00
|
|
|
throw NSError(
|
|
|
|
|
domain: "RemoteTunnel",
|
|
|
|
|
code: 1,
|
|
|
|
|
userInfo: [NSLocalizedDescriptionKey: "Remote mode is not enabled"])
|
2026-01-11 04:42:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if self.remoteEnsure?.token == ensure.token {
|
|
|
|
|
self.remoteEnsure = nil
|
2025-12-12 22:45:18 +00:00
|
|
|
}
|
2026-01-11 04:42:56 +01:00
|
|
|
|
|
|
|
|
let token = self.deps.token()
|
|
|
|
|
let password = self.deps.password()
|
2026-01-19 04:50:07 +00:00
|
|
|
let scheme = GatewayEndpointStore.resolveGatewayScheme(
|
|
|
|
|
root: ClawdbotConfigFile.loadDict(),
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
|
|
|
|
let url = URL(string: "\(scheme)://127.0.0.1:\(Int(forwarded))")!
|
2026-01-11 04:42:56 +01:00
|
|
|
self.setState(.ready(mode: .remote, url: url, token: token, password: password))
|
|
|
|
|
return (url, token, password)
|
|
|
|
|
} catch let err as CancellationError {
|
|
|
|
|
if self.remoteEnsure?.token == ensure.token {
|
|
|
|
|
self.remoteEnsure = nil
|
|
|
|
|
}
|
|
|
|
|
throw err
|
|
|
|
|
} catch {
|
|
|
|
|
if self.remoteEnsure?.token == ensure.token {
|
|
|
|
|
self.remoteEnsure = nil
|
|
|
|
|
}
|
|
|
|
|
let msg = "Remote control tunnel failed (\(error.localizedDescription))"
|
|
|
|
|
self.setState(.unavailable(mode: .remote, reason: msg))
|
|
|
|
|
self.logger.error("remote control tunnel ensure failed \(msg, privacy: .public)")
|
|
|
|
|
throw NSError(domain: "GatewayEndpoint", code: 1, userInfo: [NSLocalizedDescriptionKey: msg])
|
2025-12-12 22:26:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private func removeSubscriber(_ id: UUID) {
|
|
|
|
|
self.subscribers[id] = nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private func setState(_ next: GatewayEndpointState) {
|
|
|
|
|
guard next != self.state else { return }
|
|
|
|
|
self.state = next
|
|
|
|
|
for (_, continuation) in self.subscribers {
|
|
|
|
|
continuation.yield(next)
|
|
|
|
|
}
|
2025-12-13 19:53:17 +00:00
|
|
|
switch next {
|
2026-01-01 21:34:46 -06:00
|
|
|
case let .ready(mode, url, _, _):
|
2025-12-13 19:53:17 +00:00
|
|
|
let modeDesc = String(describing: mode)
|
|
|
|
|
let urlDesc = url.absoluteString
|
|
|
|
|
self.logger
|
|
|
|
|
.debug(
|
|
|
|
|
"resolved endpoint mode=\(modeDesc, privacy: .public) url=\(urlDesc, privacy: .public)")
|
2026-01-11 04:42:56 +01:00
|
|
|
case let .connecting(mode, detail):
|
|
|
|
|
let modeDesc = String(describing: mode)
|
|
|
|
|
self.logger
|
|
|
|
|
.debug(
|
|
|
|
|
"endpoint connecting mode=\(modeDesc, privacy: .public) detail=\(detail, privacy: .public)")
|
2025-12-13 19:53:17 +00:00
|
|
|
case let .unavailable(mode, reason):
|
|
|
|
|
let modeDesc = String(describing: mode)
|
|
|
|
|
self.logger
|
|
|
|
|
.debug(
|
|
|
|
|
"endpoint unavailable mode=\(modeDesc, privacy: .public) reason=\(reason, privacy: .public)")
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-01-05 05:30:40 +01:00
|
|
|
|
2026-01-20 23:48:22 +00:00
|
|
|
func maybeFallbackToTailnet(from currentURL: URL) async -> GatewayConnection.Config? {
|
|
|
|
|
let mode = await self.deps.mode()
|
|
|
|
|
guard mode == .local else { return nil }
|
|
|
|
|
|
|
|
|
|
let root = ClawdbotConfigFile.loadDict()
|
|
|
|
|
let bind = GatewayEndpointStore.resolveGatewayBindMode(
|
|
|
|
|
root: root,
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
2026-01-22 06:34:41 +00:00
|
|
|
guard bind == "tailnet" else { return nil }
|
2026-01-20 23:48:22 +00:00
|
|
|
|
|
|
|
|
let currentHost = currentURL.host?.lowercased() ?? ""
|
|
|
|
|
guard currentHost == "127.0.0.1" || currentHost == "localhost" else { return nil }
|
|
|
|
|
|
|
|
|
|
let tailscaleIP = await MainActor.run { TailscaleService.shared.tailscaleIP }
|
2026-01-21 05:01:22 +00:00
|
|
|
?? TailscaleService.fallbackTailnetIPv4()
|
2026-01-20 23:48:22 +00:00
|
|
|
guard let tailscaleIP, !tailscaleIP.isEmpty else { return nil }
|
|
|
|
|
|
|
|
|
|
let scheme = GatewayEndpointStore.resolveGatewayScheme(
|
|
|
|
|
root: root,
|
|
|
|
|
env: ProcessInfo.processInfo.environment)
|
|
|
|
|
let port = self.deps.localPort()
|
|
|
|
|
let token = self.deps.token()
|
|
|
|
|
let password = self.deps.password()
|
|
|
|
|
let url = URL(string: "\(scheme)://\(tailscaleIP):\(port)")!
|
|
|
|
|
|
|
|
|
|
self.logger.info("auto bind fallback to tailnet host=\(tailscaleIP, privacy: .public)")
|
|
|
|
|
self.setState(.ready(mode: .local, url: url, token: token, password: password))
|
|
|
|
|
return (url, token, password)
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-05 05:30:40 +01:00
|
|
|
private static func resolveGatewayBindMode(
|
|
|
|
|
root: [String: Any],
|
|
|
|
|
env: [String: String]) -> String?
|
|
|
|
|
{
|
|
|
|
|
if let envBind = env["CLAWDBOT_GATEWAY_BIND"] {
|
|
|
|
|
let trimmed = envBind.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
|
|
|
|
|
if self.supportedBindModes.contains(trimmed) {
|
|
|
|
|
return trimmed
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let bind = gateway["bind"] as? String
|
|
|
|
|
{
|
|
|
|
|
let trimmed = bind.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
|
|
|
|
|
if self.supportedBindModes.contains(trimmed) {
|
|
|
|
|
return trimmed
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-19 04:50:07 +00:00
|
|
|
private static func resolveGatewayCustomBindHost(root: [String: Any]) -> String? {
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let customBindHost = gateway["customBindHost"] as? String
|
|
|
|
|
{
|
|
|
|
|
let trimmed = customBindHost.trimmingCharacters(in: .whitespacesAndNewlines)
|
|
|
|
|
return trimmed.isEmpty ? nil : trimmed
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-19 02:46:07 +00:00
|
|
|
private static func resolveGatewayScheme(
|
|
|
|
|
root: [String: Any],
|
|
|
|
|
env: [String: String]) -> String
|
|
|
|
|
{
|
|
|
|
|
if let envValue = env["CLAWDBOT_GATEWAY_TLS"]?.trimmingCharacters(in: .whitespacesAndNewlines),
|
|
|
|
|
!envValue.isEmpty
|
|
|
|
|
{
|
|
|
|
|
return (envValue == "1" || envValue.lowercased() == "true") ? "wss" : "ws"
|
|
|
|
|
}
|
|
|
|
|
if let gateway = root["gateway"] as? [String: Any],
|
|
|
|
|
let tls = gateway["tls"] as? [String: Any],
|
|
|
|
|
let enabled = tls["enabled"] as? Bool
|
|
|
|
|
{
|
|
|
|
|
return enabled ? "wss" : "ws"
|
|
|
|
|
}
|
|
|
|
|
return "ws"
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-05 05:30:40 +01:00
|
|
|
private static func resolveLocalGatewayHost(
|
|
|
|
|
bindMode: String?,
|
2026-01-19 04:50:07 +00:00
|
|
|
customBindHost: String?,
|
2026-01-05 05:30:40 +01:00
|
|
|
tailscaleIP: String?) -> String
|
|
|
|
|
{
|
|
|
|
|
switch bindMode {
|
2026-01-20 23:48:22 +00:00
|
|
|
case "tailnet":
|
2026-01-22 10:00:55 +00:00
|
|
|
tailscaleIP ?? "127.0.0.1"
|
2026-01-20 23:48:22 +00:00
|
|
|
case "auto":
|
2026-01-22 10:00:55 +00:00
|
|
|
"127.0.0.1"
|
2026-01-19 04:50:07 +00:00
|
|
|
case "custom":
|
2026-01-22 10:00:55 +00:00
|
|
|
customBindHost ?? "127.0.0.1"
|
2026-01-05 05:30:40 +01:00
|
|
|
default:
|
2026-01-22 10:00:55 +00:00
|
|
|
"127.0.0.1"
|
2026-01-05 05:30:40 +01:00
|
|
|
}
|
|
|
|
|
}
|
2025-12-12 22:26:43 +00:00
|
|
|
}
|
2026-01-02 16:56:27 +01:00
|
|
|
|
2026-01-14 23:42:12 +00:00
|
|
|
extension GatewayEndpointStore {
|
|
|
|
|
static func dashboardURL(for config: GatewayConnection.Config) throws -> URL {
|
|
|
|
|
guard var components = URLComponents(url: config.url, resolvingAgainstBaseURL: false) else {
|
|
|
|
|
throw NSError(domain: "Dashboard", code: 1, userInfo: [
|
|
|
|
|
NSLocalizedDescriptionKey: "Invalid gateway URL",
|
|
|
|
|
])
|
|
|
|
|
}
|
|
|
|
|
switch components.scheme?.lowercased() {
|
|
|
|
|
case "ws":
|
|
|
|
|
components.scheme = "http"
|
|
|
|
|
case "wss":
|
|
|
|
|
components.scheme = "https"
|
|
|
|
|
default:
|
|
|
|
|
components.scheme = "http"
|
|
|
|
|
}
|
|
|
|
|
components.path = "/"
|
|
|
|
|
var queryItems: [URLQueryItem] = []
|
|
|
|
|
if let token = config.token?.trimmingCharacters(in: .whitespacesAndNewlines),
|
|
|
|
|
!token.isEmpty
|
|
|
|
|
{
|
|
|
|
|
queryItems.append(URLQueryItem(name: "token", value: token))
|
|
|
|
|
}
|
|
|
|
|
if let password = config.password?.trimmingCharacters(in: .whitespacesAndNewlines),
|
|
|
|
|
!password.isEmpty
|
|
|
|
|
{
|
|
|
|
|
queryItems.append(URLQueryItem(name: "password", value: password))
|
|
|
|
|
}
|
|
|
|
|
components.queryItems = queryItems.isEmpty ? nil : queryItems
|
|
|
|
|
guard let url = components.url else {
|
|
|
|
|
throw NSError(domain: "Dashboard", code: 2, userInfo: [
|
|
|
|
|
NSLocalizedDescriptionKey: "Failed to build dashboard URL",
|
|
|
|
|
])
|
|
|
|
|
}
|
|
|
|
|
return url
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-02 16:56:27 +01:00
|
|
|
#if DEBUG
|
|
|
|
|
extension GatewayEndpointStore {
|
|
|
|
|
static func _testResolveGatewayPassword(
|
|
|
|
|
isRemote: Bool,
|
|
|
|
|
root: [String: Any],
|
2026-01-15 08:47:45 +00:00
|
|
|
env: [String: String],
|
|
|
|
|
launchdSnapshot: LaunchAgentPlistSnapshot? = nil) -> String?
|
|
|
|
|
{
|
|
|
|
|
self.resolveGatewayPassword(isRemote: isRemote, root: root, env: env, launchdSnapshot: launchdSnapshot)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static func _testResolveGatewayToken(
|
|
|
|
|
isRemote: Bool,
|
|
|
|
|
root: [String: Any],
|
|
|
|
|
env: [String: String],
|
|
|
|
|
launchdSnapshot: LaunchAgentPlistSnapshot? = nil) -> String?
|
2026-01-04 16:24:10 +01:00
|
|
|
{
|
2026-01-15 08:47:45 +00:00
|
|
|
self.resolveGatewayToken(isRemote: isRemote, root: root, env: env, launchdSnapshot: launchdSnapshot)
|
2026-01-02 16:56:27 +01:00
|
|
|
}
|
2026-01-05 05:30:40 +01:00
|
|
|
|
|
|
|
|
static func _testResolveGatewayBindMode(
|
|
|
|
|
root: [String: Any],
|
|
|
|
|
env: [String: String]) -> String?
|
|
|
|
|
{
|
|
|
|
|
self.resolveGatewayBindMode(root: root, env: env)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static func _testResolveLocalGatewayHost(
|
|
|
|
|
bindMode: String?,
|
2026-01-21 02:38:41 +00:00
|
|
|
tailscaleIP: String?,
|
|
|
|
|
customBindHost: String? = nil) -> String
|
2026-01-05 05:30:40 +01:00
|
|
|
{
|
2026-01-19 04:50:07 +00:00
|
|
|
self.resolveLocalGatewayHost(
|
|
|
|
|
bindMode: bindMode,
|
2026-01-21 02:38:41 +00:00
|
|
|
customBindHost: customBindHost,
|
2026-01-19 04:50:07 +00:00
|
|
|
tailscaleIP: tailscaleIP)
|
2026-01-05 05:30:40 +01:00
|
|
|
}
|
2026-01-02 16:56:27 +01:00
|
|
|
}
|
|
|
|
|
#endif
|
