feat(openclaw-security-advisor) adds unique signup path for tracking and promotions

Author: St0rmz1

README.md

@@ -132,7 +132,7 @@ KiloCode account:
 To run a security checkup, connect your KiloCode account.
 
 1. Open this URL in your browser:
-   https://app.kilo.ai/device-auth?code=XXXX-XXXX
+   https://app.kilo.ai/openclaw-advisor?code=XXXX-XXXX
 
 2. Enter this code: XXXX-XXXX
 

src/auth/device-auth.ts

@@ -54,6 +54,13 @@ export type DeviceAuthPollResult =
 /**
  * Create a device auth request and return the code + URL for the user to visit.
  * Call this once, show the result to the user, then poll with pollDeviceAuth().
+ *
+ * Note: the server returns a generic `/device-auth?code=...` URL in `verificationUrl`,
+ * but we construct our own landing URL pointing at `/openclaw-advisor?code=...`.
+ * The cloud side uses the path prefix to attribute Security Advisor signups and
+ * layer a per-product signup bonus on top of the standard welcome credits.
+ * Old plugin builds keep working against the server — they just land on the generic
+ * URL and don't qualify for the bonus, which is the intended behavior.
  */
 export async function startDeviceAuth(
   apiBase: string,
@@ -72,7 +79,7 @@ export async function startDeviceAuth(
   return {
     kind: "started",
     code: data.code,
-    verificationUrl: data.verificationUrl,
+    verificationUrl: `${apiBase}/openclaw-advisor?code=${encodeURIComponent(data.code)}`,
     expiresIn: data.expiresIn,
   };
 }

test/device-auth.test.ts

@@ -0,0 +1,83 @@
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { startDeviceAuth } from "../src/auth/device-auth";
+
+let originalFetch: typeof globalThis.fetch;
+
+beforeEach(() => {
+  originalFetch = globalThis.fetch;
+});
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+function stubFetch(response: unknown, { ok = true, status = 200 } = {}): void {
+  const stub: typeof fetch = async () =>
+    new Response(JSON.stringify(response), {
+      status,
+      headers: { "Content-Type": "application/json" },
+    });
+  // ok is derived from status in Response, so we rely on status here.
+  // Allow callers to force ok=false by passing status>=400.
+  void ok;
+  globalThis.fetch = stub;
+}
+
+describe("startDeviceAuth", () => {
+  test("constructs the openclaw-advisor verification URL from the returned code, ignoring the server-returned verificationUrl", async () => {
+    // Server returns a legacy /device-auth?code=... URL — plugin should ignore it.
+    stubFetch({
+      code: "ABCD-1234",
+      verificationUrl: "https://app.kilo.ai/device-auth?code=ABCD-1234",
+      expiresIn: 600,
+    });
+
+    const result = await startDeviceAuth("https://app.kilo.ai");
+
+    expect(result.kind).toBe("started");
+    expect(result.code).toBe("ABCD-1234");
+    expect(result.verificationUrl).toBe(
+      "https://app.kilo.ai/openclaw-advisor?code=ABCD-1234",
+    );
+    expect(result.expiresIn).toBe(600);
+  });
+
+  test("uses the caller-provided apiBase for the verification URL (dev loop)", async () => {
+    stubFetch({
+      code: "WXYZ-5678",
+      verificationUrl:
+        "http://host.docker.internal:3000/device-auth?code=WXYZ-5678",
+      expiresIn: 600,
+    });
+
+    const result = await startDeviceAuth("http://host.docker.internal:3000");
+
+    expect(result.verificationUrl).toBe(
+      "http://host.docker.internal:3000/openclaw-advisor?code=WXYZ-5678",
+    );
+  });
+
+  test("url-encodes the code to defend against unexpected server responses", async () => {
+    // Defense-in-depth: even if the server returned a malformed code, we must
+    // not inject unescaped query chars into the verification URL.
+    stubFetch({
+      code: "A&B=C D",
+      verificationUrl: "ignored",
+      expiresIn: 600,
+    });
+
+    const result = await startDeviceAuth("https://app.kilo.ai");
+
+    expect(result.verificationUrl).toBe(
+      "https://app.kilo.ai/openclaw-advisor?code=A%26B%3DC%20D",
+    );
+  });
+
+  test("throws a descriptive error when the server rejects the request", async () => {
+    stubFetch({}, { status: 500 });
+
+    await expect(startDeviceAuth("https://app.kilo.ai")).rejects.toThrow(
+      /HTTP 500/,
+    );
+  });
+});