feat(kiloclaw): bundle Morning Briefing plugin into instance image (#2778)

* feat(kiloclaw): bundle Morning Briefing plugin into instance image

* fix(kiloclaw): honor briefing timezone and serialize status writes

* fix(kiloclaw): validate briefing timezone before persistence

* fix(kiloclaw): recover from legacy invalid briefing timezones

* fix(kiloclaw): return 400 for invalid briefing enable input

* test(kiloclaw): stabilize bot identity gateway test

Author: joshavant

.github/workflows/deploy-kiloclaw.yml

@@ -60,7 +60,7 @@ jobs:
         working-directory: services/kiloclaw
         run: |
           # Validate all expected paths exist before hashing
-          for path in Dockerfile controller container plugins/kiloclaw-customizer skills \
+          for path in Dockerfile controller container plugins/kiloclaw-customizer plugins/kiloclaw-morning-briefing skills \
                       openclaw-pairing-list.js openclaw-device-pairing-list.js; do
             if [ ! -e "$path" ]; then
               echo "::error::Required path not found: $path"
@@ -69,7 +69,7 @@ jobs:
           done
 
           CONTENT_HASH=$(
-            find Dockerfile controller/ container/ plugins/kiloclaw-customizer/ skills/ \
+            find Dockerfile controller/ container/ plugins/kiloclaw-customizer/ plugins/kiloclaw-morning-briefing/ skills/ \
               openclaw-pairing-list.js openclaw-device-pairing-list.js \
               -type f \
               | sort \

.github/workflows/push-dev-kiloclaw.yml

@@ -40,7 +40,7 @@ jobs:
         id: content-hash
         working-directory: services/kiloclaw
         run: |
-          for path in Dockerfile controller container plugins/kiloclaw-customizer skills \
+          for path in Dockerfile controller container plugins/kiloclaw-customizer plugins/kiloclaw-morning-briefing skills \
                       openclaw-pairing-list.js openclaw-device-pairing-list.js; do
             if [ ! -e "$path" ]; then
               echo "::error::Required path not found: $path"
@@ -49,7 +49,7 @@ jobs:
           done
 
           CONTENT_HASH=$(
-            find Dockerfile controller/ container/ plugins/kiloclaw-customizer/ skills/ \
+            find Dockerfile controller/ container/ plugins/kiloclaw-customizer/ plugins/kiloclaw-morning-briefing/ skills/ \
               openclaw-pairing-list.js openclaw-device-pairing-list.js \
               -type f \
               | sort \

services/kiloclaw/Dockerfile

@@ -130,7 +130,7 @@ RUN GOBIN=/usr/local/bin go install github.com/steipete/gogcli/cmd/gog@v0.12.0 \
 RUN curl -LsSf https://astral.sh/uv/install.sh | env UV_INSTALL_DIR=/usr/local/bin sh \
     && uv --version
 
-# ── Builder stage: package customizer plugin ───────────────────────────
+# ── Builder stage: package custom plugins ───────────────────────────
 # Build the vendored plugin tarball in an isolated stage so dev-time
 # dependencies do not inflate the runtime image layers.
 FROM runtime AS customizer-builder
@@ -143,6 +143,16 @@ RUN cd /tmp/kiloclaw-customizer \
     && cd / \
     && rm -rf /tmp/kiloclaw-customizer /root/.npm
 
+FROM runtime AS morning-briefing-builder
+
+COPY plugins/kiloclaw-morning-briefing/ /tmp/kiloclaw-morning-briefing/
+RUN cd /tmp/kiloclaw-morning-briefing \
+    && npm install --include=dev --legacy-peer-deps --no-fund --no-audit \
+    && PKG_TGZ="$(npm pack --silent)" \
+    && mv "${PKG_TGZ}" /tmp/kiloclaw-morning-briefing.tgz \
+    && cd / \
+    && rm -rf /tmp/kiloclaw-morning-briefing /root/.npm
+
 # ── Builder stage: compile the controller with Bun ────────────────────
 # Bun is only needed to bundle the controller TypeScript into a single JS
 # file. By building in a separate stage, Bun (~100MB) stays out of the
@@ -175,8 +185,10 @@ FROM runtime AS final
 # Also drop /etc/gitconfig (set earlier for the build's ssh→https rewrite) so
 # it doesn't persist in the runtime image.
 COPY --from=customizer-builder /tmp/kiloclaw-customizer.tgz /tmp/kiloclaw-customizer.tgz
-RUN npm install -g --legacy-peer-deps /tmp/kiloclaw-customizer.tgz \
+COPY --from=morning-briefing-builder /tmp/kiloclaw-morning-briefing.tgz /tmp/kiloclaw-morning-briefing.tgz
+RUN npm install -g --legacy-peer-deps /tmp/kiloclaw-customizer.tgz /tmp/kiloclaw-morning-briefing.tgz \
     && rm -f /tmp/kiloclaw-customizer.tgz \
+    && rm -f /tmp/kiloclaw-morning-briefing.tgz \
     && rm -f /etc/gitconfig \
     && rm -rf /root/.npm
 

services/kiloclaw/Dockerfile.local

@@ -134,7 +134,7 @@ EXPOSE 18789
 # feature flags) lives in the controller's bootstrap module — no shell wrapper needed.
 CMD ["node", "/usr/local/bin/kiloclaw-controller.js"]
 
-# Build customizer plugin tarball in isolated stage so dev dependencies
+# Build custom plugins tarballs in isolated stages so dev dependencies
 # are not persisted in the runtime image.
 FROM runtime AS customizer-builder
 
@@ -146,9 +146,21 @@ RUN cd /tmp/kiloclaw-customizer \
     && cd / \
     && rm -rf /tmp/kiloclaw-customizer /root/.npm
 
+FROM runtime AS morning-briefing-builder
+
+COPY plugins/kiloclaw-morning-briefing/ /tmp/kiloclaw-morning-briefing/
+RUN cd /tmp/kiloclaw-morning-briefing \
+    && npm install --include=dev --legacy-peer-deps --no-fund --no-audit \
+    && PKG_TGZ="$(npm pack --silent)" \
+    && mv "${PKG_TGZ}" /tmp/kiloclaw-morning-briefing.tgz \
+    && cd / \
+    && rm -rf /tmp/kiloclaw-morning-briefing /root/.npm
+
 FROM runtime AS final
 
 COPY --from=customizer-builder /tmp/kiloclaw-customizer.tgz /tmp/kiloclaw-customizer.tgz
-RUN npm install -g --legacy-peer-deps /tmp/kiloclaw-customizer.tgz \
+COPY --from=morning-briefing-builder /tmp/kiloclaw-morning-briefing.tgz /tmp/kiloclaw-morning-briefing.tgz
+RUN npm install -g --legacy-peer-deps /tmp/kiloclaw-customizer.tgz /tmp/kiloclaw-morning-briefing.tgz \
     && rm -f /tmp/kiloclaw-customizer.tgz \
+    && rm -f /tmp/kiloclaw-morning-briefing.tgz \
     && rm -rf /root/.npm

services/kiloclaw/controller/src/config-writer.test.ts

@@ -615,15 +615,25 @@ describe('generateBaseConfig', () => {
     expect(config.plugins.load.paths).toContain(
       '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-customizer'
     );
+    expect(config.plugins.entries['kiloclaw-morning-briefing'].enabled).toBe(true);
+    expect(config.plugins.load.paths).toContain(
+      '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-morning-briefing'
+    );
   });
 
   it('does not duplicate KiloClaw customizer plugin path on repeated generateBaseConfig calls', () => {
     const existing = JSON.stringify({
       plugins: {
         load: {
-          paths: ['/usr/local/lib/node_modules/@kiloclaw/kiloclaw-customizer'],
+          paths: [
+            '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-customizer',
+            '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-morning-briefing',
+          ],
+        },
+        entries: {
+          'kiloclaw-customizer': { enabled: true },
+          'kiloclaw-morning-briefing': { enabled: true },
         },
-        entries: { 'kiloclaw-customizer': { enabled: true } },
       },
     });
     const { deps } = fakeDeps(existing);
@@ -632,6 +642,8 @@ describe('generateBaseConfig', () => {
     const pluginPath = '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-customizer';
     const paths = config.plugins.load.paths as string[];
     expect(paths.filter(p => p === pluginPath)).toHaveLength(1);
+    const morningPluginPath = '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-morning-briefing';
+    expect(paths.filter(p => p === morningPluginPath)).toHaveLength(1);
   });
 
   it('adds KiloClaw customizer to an existing plugin allowlist', () => {
@@ -644,6 +656,7 @@ describe('generateBaseConfig', () => {
     const config = generateBaseConfig(minimalEnv(), '/tmp/openclaw.json', deps);
 
     expect(config.plugins.allow).toContain('kiloclaw-customizer');
+    expect(config.plugins.allow).toContain('kiloclaw-morning-briefing');
   });
 
   it('configures Telegram channel', () => {

services/kiloclaw/controller/src/config-writer.ts

@@ -75,6 +75,9 @@ const ONBOARD_FLAGS = [
 
 const KILOCLAW_CUSTOMIZER_PLUGIN_ID = 'kiloclaw-customizer';
 const KILOCLAW_CUSTOMIZER_PLUGIN_PATH = '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-customizer';
+const KILOCLAW_MORNING_BRIEFING_PLUGIN_ID = 'kiloclaw-morning-briefing';
+const KILOCLAW_MORNING_BRIEFING_PLUGIN_PATH =
+  '/usr/local/lib/node_modules/@kiloclaw/kiloclaw-morning-briefing';
 const KILO_EXA_PROVIDER_ID = 'kilo-exa';
 
 type KiloExaSearchMode = 'kilo-proxy' | 'disabled';
@@ -402,6 +405,19 @@ export function generateBaseConfig(
   customizerPluginConfig.webSearch = customizerWebSearchConfig;
   config.plugins.entries[KILOCLAW_CUSTOMIZER_PLUGIN_ID].config = customizerPluginConfig;
 
+  if (!(config.plugins.load.paths as string[]).includes(KILOCLAW_MORNING_BRIEFING_PLUGIN_PATH)) {
+    (config.plugins.load.paths as string[]).push(KILOCLAW_MORNING_BRIEFING_PLUGIN_PATH);
+  }
+  if (
+    Array.isArray(config.plugins.allow) &&
+    !config.plugins.allow.includes(KILOCLAW_MORNING_BRIEFING_PLUGIN_ID)
+  ) {
+    config.plugins.allow.push(KILOCLAW_MORNING_BRIEFING_PLUGIN_ID);
+  }
+  config.plugins.entries[KILOCLAW_MORNING_BRIEFING_PLUGIN_ID] =
+    config.plugins.entries[KILOCLAW_MORNING_BRIEFING_PLUGIN_ID] ?? {};
+  config.plugins.entries[KILOCLAW_MORNING_BRIEFING_PLUGIN_ID].enabled = true;
+
   // Telegram
   if (env.TELEGRAM_BOT_TOKEN) {
     const dmPolicy = env.TELEGRAM_DM_POLICY || 'pairing';

services/kiloclaw/controller/src/index.ts

@@ -23,6 +23,7 @@ import { registerGmailPushRoute } from './routes/gmail-push';
 import { registerInboundEmailRoute } from './routes/inbound-email';
 import { registerFileRoutes } from './routes/files';
 import { registerKiloCliRunRoutes } from './routes/kilo-cli-run';
+import { registerMorningBriefingRoutes } from './routes/morning-briefing';
 import { CONTROLLER_COMMIT, CONTROLLER_VERSION } from './version';
 import { writeKiloCliConfig } from './kilo-cli-config';
 import { writeGogCredentials } from './gog-credentials';
@@ -378,6 +379,7 @@ export async function startController(env: NodeJS.ProcessEnv = process.env): Pro
   const honoApp = new Hono();
   registerHealthRoute(honoApp, supervisor, config.expectedToken, controllerState);
   registerGatewayRoutes(honoApp, supervisor, config.expectedToken);
+  registerMorningBriefingRoutes(honoApp, supervisor, config.expectedToken);
   registerConfigRoutes(honoApp, supervisor, config.expectedToken);
   registerPairingRoutes(honoApp, pairingCache, config.expectedToken);
   registerEnvRoutes(honoApp, supervisor, config.expectedToken);

services/kiloclaw/controller/src/routes/morning-briefing.test.ts

@@ -0,0 +1,73 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { Hono } from 'hono';
+import { registerMorningBriefingRoutes } from './morning-briefing';
+import type { Supervisor } from '../supervisor';
+
+function createRunningSupervisor(): Supervisor {
+  const state = 'running' as const;
+  return {
+    start: vi.fn(async () => true),
+    stop: vi.fn(async () => true),
+    restart: vi.fn(async () => true),
+    shutdown: vi.fn(async () => undefined),
+    signal: vi.fn(() => true),
+    getState: vi.fn(() => state),
+    getStats: vi.fn(() => ({
+      state,
+      pid: 1,
+      uptime: 1,
+      restarts: 0,
+      lastExit: null,
+    })),
+  };
+}
+
+afterEach(() => {
+  vi.unstubAllGlobals();
+  vi.restoreAllMocks();
+});
+
+describe('morning briefing controller routes', () => {
+  it('enforces bearer auth before proxying', async () => {
+    const app = new Hono();
+    registerMorningBriefingRoutes(app, createRunningSupervisor(), 'expected-token');
+
+    const response = await app.request('/_kilo/morning-briefing/status');
+    expect(response.status).toBe(401);
+    expect(await response.json()).toEqual({ error: 'Unauthorized' });
+  });
+
+  it('forwards expected gateway token to proxied route', async () => {
+    const app = new Hono();
+    const fetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ ok: true }), {
+        status: 200,
+        headers: { 'content-type': 'application/json' },
+      })
+    );
+    vi.stubGlobal('fetch', fetchMock);
+
+    registerMorningBriefingRoutes(app, createRunningSupervisor(), 'expected-token');
+
+    const response = await app.request('/_kilo/morning-briefing/enable', {
+      method: 'POST',
+      headers: {
+        authorization: 'Bearer expected-token',
+        'content-type': 'application/json',
+      },
+      body: JSON.stringify({ cron: '0 7 * * *', timezone: 'America/Chicago' }),
+    });
+
+    expect(response.status).toBe(200);
+    expect(fetchMock).toHaveBeenCalledWith(
+      'http://127.0.0.1:3001/api/plugins/kiloclaw-morning-briefing/enable',
+      expect.objectContaining({
+        method: 'POST',
+        headers: expect.objectContaining({
+          authorization: 'Bearer expected-token',
+          'content-type': 'application/json',
+        }),
+      })
+    );
+  });
+});

services/kiloclaw/controller/src/routes/morning-briefing.ts

@@ -0,0 +1,124 @@
+import type { Hono } from 'hono';
+import { timingSafeTokenEqual } from '../auth';
+import { getBearerToken } from './gateway';
+import type { Supervisor } from '../supervisor';
+
+const MORNING_BRIEFING_PREFIX = '/api/plugins/kiloclaw-morning-briefing';
+
+async function readJsonBody(c: { req: { json: () => Promise<unknown> } }): Promise<unknown> {
+  try {
+    return await c.req.json();
+  } catch {
+    return {};
+  }
+}
+
+async function proxyMorningBriefingRoute(params: {
+  supervisor: Supervisor;
+  gatewayToken: string;
+  path: string;
+  method: 'GET' | 'POST';
+  body?: unknown;
+}): Promise<Response> {
+  if (params.supervisor.getState() !== 'running') {
+    return new Response(JSON.stringify({ error: 'Gateway not running' }), {
+      status: 503,
+      headers: { 'content-type': 'application/json' },
+    });
+  }
+
+  try {
+    return await fetch(`http://127.0.0.1:3001${MORNING_BRIEFING_PREFIX}${params.path}`, {
+      method: params.method,
+      headers: {
+        authorization: `Bearer ${params.gatewayToken}`,
+        'content-type': 'application/json',
+      },
+      body: params.body !== undefined ? JSON.stringify(params.body) : undefined,
+    });
+  } catch (error) {
+    console.error('[controller] morning briefing proxy failed:', error);
+    return new Response(JSON.stringify({ error: 'Failed to reach gateway' }), {
+      status: 502,
+      headers: { 'content-type': 'application/json' },
+    });
+  }
+}
+
+export function registerMorningBriefingRoutes(
+  app: Hono,
+  supervisor: Supervisor,
+  expectedToken: string
+): void {
+  app.use('/_kilo/morning-briefing/*', async (c, next) => {
+    const token = getBearerToken(c.req.header('authorization'));
+    if (!timingSafeTokenEqual(token, expectedToken)) {
+      return c.json({ error: 'Unauthorized' }, 401);
+    }
+    await next();
+  });
+
+  app.get('/_kilo/morning-briefing/status', async c => {
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/status',
+      method: 'GET',
+    });
+    return response;
+  });
+
+  app.post('/_kilo/morning-briefing/enable', async c => {
+    const body = await readJsonBody(c);
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/enable',
+      method: 'POST',
+      body,
+    });
+    return response;
+  });
+
+  app.post('/_kilo/morning-briefing/disable', async c => {
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/disable',
+      method: 'POST',
+      body: {},
+    });
+    return response;
+  });
+
+  app.post('/_kilo/morning-briefing/run', async c => {
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/run',
+      method: 'POST',
+      body: {},
+    });
+    return response;
+  });
+
+  app.get('/_kilo/morning-briefing/read/today', async c => {
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/read/today',
+      method: 'GET',
+    });
+    return response;
+  });
+
+  app.get('/_kilo/morning-briefing/read/yesterday', async c => {
+    const response = await proxyMorningBriefingRoute({
+      supervisor,
+      gatewayToken: expectedToken,
+      path: '/read/yesterday',
+      method: 'GET',
+    });
+    return response;
+  });
+}