feat(kiloclaw): Google account access for bots

kiloclaw/Dockerfile

@@ -54,7 +54,6 @@ RUN npm install -g mcporter@0.7.3
 # Install summarize (web page summarization CLI)
 RUN npm install -g @steipete/summarize@0.11.1
 
-
 # Install Go (available at runtime for users to `go install` additional tools)
 ENV GO_VERSION=1.26.0
 RUN ARCH="$(dpkg --print-architecture)" \

kiloclaw/controller/src/gog-credentials.test.ts

@@ -0,0 +1,128 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+function mockDeps() {
+  return {
+    mkdirSync: vi.fn(),
+    writeFileSync: vi.fn(),
+    unlinkSync: vi.fn(),
+    rmSync: vi.fn(),
+    execFileSync: vi.fn(),
+  };
+}
+
+// A tiny valid .tar.gz base64 — content doesn't matter for unit tests since execSync is mocked
+const FAKE_TARBALL_BASE64 = Buffer.from('fake-tarball-data').toString('base64');
+
+describe('writeGogCredentials', () => {
+  let writeGogCredentials: typeof import('./gog-credentials').writeGogCredentials;
+
+  beforeEach(async () => {
+    vi.resetModules();
+    const mod = await import('./gog-credentials');
+    writeGogCredentials = mod.writeGogCredentials;
+  });
+
+  it('extracts tarball and sets env vars when GOOGLE_GOG_CONFIG_TARBALL is set', async () => {
+    const deps = mockDeps();
+    const dir = '/root/.config/gogcli';
+    const env: Record<string, string | undefined> = {
+      GOOGLE_GOG_CONFIG_TARBALL: FAKE_TARBALL_BASE64,
+      GOOGLE_ACCOUNT_EMAIL: 'user@gmail.com',
+    };
+    const result = await writeGogCredentials(env, dir, deps);
+
+    expect(result).toBe(true);
+    // Should remove stale config before extracting
+    expect(deps.rmSync).toHaveBeenCalledWith(dir, { recursive: true, force: true });
+    expect(deps.mkdirSync).toHaveBeenCalledWith('/root/.config', { recursive: true });
+
+    // Should write temp tarball file
+    expect(deps.writeFileSync).toHaveBeenCalledWith(
+      '/root/.config/gogcli-config.tar.gz',
+      Buffer.from(FAKE_TARBALL_BASE64, 'base64')
+    );
+
+    expect(deps.execFileSync).toHaveBeenCalledWith('tar', [
+      'xzf',
+      '/root/.config/gogcli-config.tar.gz',
+      '-C',
+      '/root/.config',
+    ]);
+
+    // Should clean up temp tarball
+    expect(deps.unlinkSync).toHaveBeenCalledWith('/root/.config/gogcli-config.tar.gz');
+
+    // Should set gog env vars
+    expect(env.GOG_KEYRING_BACKEND).toBe('file');
+    expect(env.GOG_KEYRING_PASSWORD).toBe('kiloclaw');
+    expect(env.GOG_ACCOUNT).toBe('user@gmail.com');
+  });
+
+  it('works without GOOGLE_ACCOUNT_EMAIL', async () => {
+    const deps = mockDeps();
+    const env: Record<string, string | undefined> = {
+      GOOGLE_GOG_CONFIG_TARBALL: FAKE_TARBALL_BASE64,
+    };
+    const result = await writeGogCredentials(env, '/root/.config/gogcli', deps);
+
+    expect(result).toBe(true);
+    expect(env.GOG_KEYRING_BACKEND).toBe('file');
+    expect(env.GOG_KEYRING_PASSWORD).toBe('kiloclaw');
+    expect(env.GOG_ACCOUNT).toBeUndefined();
+  });
+
+  it('returns false and cleans up when tarball env var is absent', async () => {
+    const deps = mockDeps();
+    const dir = '/root/.config/gogcli';
+    const result = await writeGogCredentials({}, dir, deps);
+
+    expect(result).toBe(false);
+    expect(deps.rmSync).toHaveBeenCalledWith(dir, { recursive: true, force: true });
+    expect(deps.mkdirSync).not.toHaveBeenCalled();
+  });
+
+  it('clears gog env vars when tarball env var is absent', async () => {
+    const deps = mockDeps();
+    const env: Record<string, string | undefined> = {
+      GOG_KEYRING_BACKEND: 'file',
+      GOG_KEYRING_PASSWORD: 'kiloclaw',
+      GOG_ACCOUNT: 'user@gmail.com',
+    };
+    await writeGogCredentials(env, '/root/.config/gogcli', deps);
+
+    expect(env.GOG_KEYRING_BACKEND).toBeUndefined();
+    expect(env.GOG_KEYRING_PASSWORD).toBeUndefined();
+    expect(env.GOG_ACCOUNT).toBeUndefined();
+  });
+
+  it('removes existing config dir before extracting new tarball', async () => {
+    const deps = mockDeps();
+    const callOrder: string[] = [];
+    deps.rmSync.mockImplementation(() => callOrder.push('rmSync'));
+    deps.mkdirSync.mockImplementation(() => callOrder.push('mkdirSync'));
+    deps.execFileSync.mockImplementation(() => callOrder.push('execFileSync'));
+
+    const env: Record<string, string | undefined> = {
+      GOOGLE_GOG_CONFIG_TARBALL: FAKE_TARBALL_BASE64,
+    };
+    await writeGogCredentials(env, '/root/.config/gogcli', deps);
+
+    expect(callOrder).toEqual(['rmSync', 'mkdirSync', 'execFileSync']);
+  });
+
+  it('cleans up temp tarball even if extraction fails', async () => {
+    const deps = mockDeps();
+    deps.execFileSync.mockImplementation(() => {
+      throw new Error('tar failed');
+    });
+
+    const env: Record<string, string | undefined> = {
+      GOOGLE_GOG_CONFIG_TARBALL: FAKE_TARBALL_BASE64,
+    };
+
+    await expect(writeGogCredentials(env, '/root/.config/gogcli', deps)).rejects.toThrow(
+      'tar failed'
+    );
+    expect(deps.unlinkSync).toHaveBeenCalledWith('/root/.config/gogcli-config.tar.gz');
+  });
+});

kiloclaw/controller/src/gog-credentials.ts

@@ -0,0 +1,96 @@
+/**
+ * Sets up gogcli credentials by extracting a pre-built config tarball.
+ *
+ * When the container starts with GOOGLE_GOG_CONFIG_TARBALL env var, this module:
+ * 1. Base64-decodes the tarball to a temp file
+ * 2. Extracts it to /root/.config/ (produces /root/.config/gogcli/)
+ * 3. Sets GOG_KEYRING_BACKEND, GOG_KEYRING_PASSWORD, GOG_ACCOUNT env vars
+ */
+import path from 'node:path';
+
+const GOG_CONFIG_DIR = '/root/.config/gogcli';
+
+export type GogCredentialsDeps = {
+  mkdirSync: (dir: string, opts: { recursive: boolean }) => void;
+  writeFileSync: (path: string, data: Buffer) => void;
+  unlinkSync: (path: string) => void;
+  rmSync: (path: string, opts: { recursive: boolean; force: boolean }) => void;
+  execFileSync: (file: string, args: string[]) => void;
+};
+
+/**
+ * Extract gog config tarball if the corresponding env var is set.
+ * Returns true if credentials were extracted, false if skipped.
+ *
+ * Side effect: mutates the passed `env` record by setting
+ * GOG_KEYRING_BACKEND, GOG_KEYRING_PASSWORD, and GOG_ACCOUNT.
+ */
+export async function writeGogCredentials(
+  env: Record<string, string | undefined> = process.env as Record<string, string | undefined>,
+  configDir = GOG_CONFIG_DIR,
+  deps?: Partial<GogCredentialsDeps>
+): Promise<boolean> {
+  const fs = await import('node:fs');
+  const cp = await import('node:child_process');
+  const d: GogCredentialsDeps = {
+    mkdirSync: deps?.mkdirSync ?? ((dir, opts) => fs.default.mkdirSync(dir, opts)),
+    writeFileSync: deps?.writeFileSync ?? ((p, data) => fs.default.writeFileSync(p, data)),
+    unlinkSync: deps?.unlinkSync ?? (p => fs.default.unlinkSync(p)),
+    rmSync: deps?.rmSync ?? ((p, opts) => fs.default.rmSync(p, opts)),
+    execFileSync:
+      deps?.execFileSync ??
+      ((file, args) =>
+        cp.default.execFileSync(file, args, {
+          stdio: ['pipe', 'pipe', 'pipe'],
+        })),
+  };
+
+  const tarballBase64 = env.GOOGLE_GOG_CONFIG_TARBALL;
+
+  if (!tarballBase64) {
+    // Clean up stale config from a previous run (e.g. after disconnect)
+    d.rmSync(configDir, { recursive: true, force: true });
+    delete env.GOG_KEYRING_BACKEND;
+    delete env.GOG_KEYRING_PASSWORD;
+    delete env.GOG_ACCOUNT;
+    return false;
+  }
+
+  // Remove stale config from a previous connection before extracting the new bundle.
+  // Without this, files present in the old tarball but absent from the new one linger.
+  d.rmSync(configDir, { recursive: true, force: true });
+
+  // Decode tarball and extract to /root/.config/
+  const parentDir = path.dirname(configDir);
+  d.mkdirSync(parentDir, { recursive: true });
+
+  const tarballBuffer = Buffer.from(tarballBase64, 'base64');
+
+  const tmpTarball = path.join(parentDir, 'gogcli-config.tar.gz');
+  d.writeFileSync(tmpTarball, tarballBuffer);
+
+  try {
+    d.execFileSync('tar', ['xzf', tmpTarball, '-C', parentDir]);
+    console.log(`[gog] Extracted config tarball to ${configDir}`);
+  } finally {
+    try {
+      d.unlinkSync(tmpTarball);
+    } catch {
+      // ignore cleanup errors
+    }
+  }
+
+  // Set env vars for gog runtime.
+  // GOG_KEYRING_PASSWORD is NOT a secret. The 99designs/keyring file backend
+  // requires a password to operate, but gog runs inside a single-tenant VM
+  // with no shared access. The value is arbitrary — it just needs to be
+  // consistent across setup (google-setup/setup.mjs), container startup
+  // (start-openclaw.sh), and here.
+  env.GOG_KEYRING_BACKEND = 'file';
+  env.GOG_KEYRING_PASSWORD = 'kiloclaw';
+  if (env.GOOGLE_ACCOUNT_EMAIL) {
+    env.GOG_ACCOUNT = env.GOOGLE_ACCOUNT_EMAIL;
+  }
+
+  return true;
+}

kiloclaw/controller/src/index.ts

@@ -13,6 +13,7 @@ import { registerHealthRoute } from './routes/health';
 import { registerGatewayRoutes } from './routes/gateway';
 import { registerConfigRoutes } from './routes/config';
 import { CONTROLLER_COMMIT, CONTROLLER_VERSION } from './version';
+import { writeGogCredentials } from './gog-credentials';
 
 export type RuntimeConfig = {
   port: number;
@@ -112,6 +113,15 @@ async function handleHttpRequest(
 
 export async function startController(env: NodeJS.ProcessEnv = process.env): Promise<void> {
   const config = loadRuntimeConfig(env);
+
+  // Write gog credentials before starting the gateway so env vars are available
+  // to the child process on first spawn. Best-effort: log and continue on failure.
+  try {
+    await writeGogCredentials(env as Record<string, string | undefined>);
+  } catch (err) {
+    console.error('[gog] Failed to write credentials:', err);
+  }
+
   const supervisor = createSupervisor({
     gatewayArgs: config.gatewayArgs,
   });