feat: Add explicit provider support, fix Cloudflare Access auth

## Changes
- Add AI_GATEWAY_PROVIDER for explicit OpenAI/Anthropic selection
- Add AI_GATEWAY_MODEL for custom model names
- Add AI_GATEWAY_API_FORMAT for openai-completions/openai-responses API type
- Fix Cloudflare Access domain normalization (add .cloudflareaccess.com suffix)
- Add normalizeTeamDomain() helper shared between jwt.ts and middleware.ts
- Fix OpenAI provider config to include apiKey (required for custom baseUrl)
- Add comprehensive tests for new env.ts logic

## Security
- Redact API keys in debug endpoints and container logs
- No sensitive data exposed in /debug/env or container config

## Breaking Changes
- None (backward compatible with existing configs)

Tested with custom OpenAI-compatible API gateway

Author: redf0x1

README.md

@@ -363,6 +363,7 @@ The `AI_GATEWAY_*` variables take precedence over `ANTHROPIC_*` if both are set.
 | `AI_GATEWAY_BASE_URL` | Yes* | AI Gateway endpoint URL (required when using `AI_GATEWAY_API_KEY`) |
 | `AI_GATEWAY_PROVIDER` | No | Explicit provider type: `openai` or `anthropic` (auto-detected from URL if not set) |
 | `AI_GATEWAY_MODEL` | No | Custom model name (e.g., `gpt-5-mini`) |
+| `AI_GATEWAY_API_FORMAT` | No | OpenAI API format: `openai-completions` (default) or `openai-responses` |
 | `ANTHROPIC_API_KEY` | Yes* | Direct Anthropic API key (fallback if AI Gateway not configured) |
 | `ANTHROPIC_BASE_URL` | No | Direct Anthropic API base URL (fallback) |
 | `OPENAI_API_KEY` | No | OpenAI API key (alternative provider) |

src/auth/jwt.ts

@@ -1,6 +1,23 @@
 import { jwtVerify, createRemoteJWKSet, type JWTPayload as JoseJWTPayload } from 'jose';
 import type { JWTPayload } from '../types';
 
+/**
+ * Normalize a Cloudflare Access team domain.
+ * Handles cases where user provides just the team name or the full domain.
+ *
+ * @param teamDomain - Team domain (e.g., 'myteam' or 'myteam.cloudflareaccess.com')
+ * @returns Normalized domain (e.g., 'myteam.cloudflareaccess.com')
+ */
+export function normalizeTeamDomain(teamDomain: string): string {
+  // Remove trailing slashes
+  let domain = teamDomain.replace(/\/+$/, '');
+  // Add .cloudflareaccess.com if not present
+  if (!domain.endsWith('.cloudflareaccess.com')) {
+    domain = `${domain}.cloudflareaccess.com`;
+  }
+  return domain;
+}
+
 /**
  * Verify a Cloudflare Access JWT token using the jose library.
  *
@@ -18,10 +35,13 @@ export async function verifyAccessJWT(
   teamDomain: string,
   expectedAud: string
 ): Promise<JWTPayload> {
+  // Normalize team domain
+  const normalizedDomain = normalizeTeamDomain(teamDomain);
+
   // Ensure teamDomain has https:// prefix for issuer check
-  const issuer = teamDomain.startsWith('https://')
-    ? teamDomain
-    : `https://${teamDomain}`;
+  const issuer = normalizedDomain.startsWith('https://')
+    ? normalizedDomain
+    : `https://${normalizedDomain}`;
 
   // Create JWKS from the team domain
   const JWKS = createRemoteJWKSet(new URL(`${issuer}/cdn-cgi/access/certs`));

src/auth/middleware.test.ts

@@ -70,18 +70,18 @@ describe('extractJWT', () => {
 
   it('extracts JWT from CF_Authorization cookie with other cookies', () => {
     const jwt = 'cookie.payload.signature';
-    const c = createMockContext({ 
-      cookies: `other=value; CF_Authorization=${jwt}; another=test` 
+    const c = createMockContext({
+      cookies: `other=value; CF_Authorization=${jwt}; another=test`
     });
     expect(extractJWT(c)).toBe(jwt);
   });
 
   it('prefers header over cookie', () => {
     const headerJwt = 'header.jwt.token';
     const cookieJwt = 'cookie.jwt.token';
-    const c = createMockContext({ 
+    const c = createMockContext({
       jwtHeader: headerJwt,
-      cookies: `CF_Authorization=${cookieJwt}` 
+      cookies: `CF_Authorization=${cookieJwt}`
     });
     expect(extractJWT(c)).toBe(headerJwt);
   });
@@ -187,8 +187,8 @@ describe('createAccessMiddleware', () => {
   });
 
   it('returns 401 JSON error when JWT is missing', async () => {
-    const { c, jsonMock } = createFullMockContext({ 
-      env: { CF_ACCESS_TEAM_DOMAIN: 'team.cloudflareaccess.com', CF_ACCESS_AUD: 'aud123' } 
+    const { c, jsonMock } = createFullMockContext({
+      env: { CF_ACCESS_TEAM_DOMAIN: 'team', CF_ACCESS_AUD: 'aud123' }
     });
     const middleware = createAccessMiddleware({ type: 'json' });
     const next = vi.fn();
@@ -203,8 +203,8 @@ describe('createAccessMiddleware', () => {
   });
 
   it('returns 401 HTML error when JWT is missing', async () => {
-    const { c, htmlMock } = createFullMockContext({ 
-      env: { CF_ACCESS_TEAM_DOMAIN: 'team.cloudflareaccess.com', CF_ACCESS_AUD: 'aud123' } 
+    const { c, htmlMock } = createFullMockContext({
+      env: { CF_ACCESS_TEAM_DOMAIN: 'team', CF_ACCESS_AUD: 'aud123' }
     });
     const middleware = createAccessMiddleware({ type: 'html' });
     const next = vi.fn();
@@ -219,8 +219,8 @@ describe('createAccessMiddleware', () => {
   });
 
   it('redirects when JWT is missing and redirectOnMissing is true', async () => {
-    const { c, redirectMock } = createFullMockContext({ 
-      env: { CF_ACCESS_TEAM_DOMAIN: 'team.cloudflareaccess.com', CF_ACCESS_AUD: 'aud123' } 
+    const { c, redirectMock } = createFullMockContext({
+      env: { CF_ACCESS_TEAM_DOMAIN: 'team', CF_ACCESS_AUD: 'aud123' }
     });
     const middleware = createAccessMiddleware({ type: 'html', redirectOnMissing: true });
     const next = vi.fn();

src/auth/middleware.ts

@@ -1,6 +1,6 @@
 import type { Context, Next } from 'hono';
 import type { AppEnv, MoltbotEnv } from '../types';
-import { verifyAccessJWT } from './jwt';
+import { verifyAccessJWT, normalizeTeamDomain } from './jwt';
 
 /**
  * Options for creating an access middleware
@@ -34,7 +34,7 @@ export function extractJWT(c: Context<AppEnv>): string | null {
 
 /**
  * Create a Cloudflare Access authentication middleware
- * 
+ *
  * @param options - Middleware options
  * @returns Hono middleware function
  */
@@ -75,9 +75,9 @@ export function createAccessMiddleware(options: AccessMiddlewareOptions) {
 
     if (!jwt) {
       if (type === 'html' && redirectOnMissing) {
-        return c.redirect(`https://${teamDomain}`, 302);
+        return c.redirect(`https://${normalizeTeamDomain(teamDomain)}`, 302);
       }
-      
+
       if (type === 'json') {
         return c.json({
           error: 'Unauthorized',
@@ -89,7 +89,7 @@ export function createAccessMiddleware(options: AccessMiddlewareOptions) {
             <body>
               <h1>Unauthorized</h1>
               <p>Missing Cloudflare Access token.</p>
-              <a href="https://${teamDomain}">Login</a>
+              <a href="https://${normalizeTeamDomain(teamDomain)}">Login</a>
             </body>
           </html>
         `, 401);
@@ -103,7 +103,7 @@ export function createAccessMiddleware(options: AccessMiddlewareOptions) {
       await next();
     } catch (err) {
       console.error('Access JWT verification failed:', err);
-      
+
       if (type === 'json') {
         return c.json({
           error: 'Unauthorized',
@@ -115,7 +115,7 @@ export function createAccessMiddleware(options: AccessMiddlewareOptions) {
             <body>
               <h1>Unauthorized</h1>
               <p>Your Cloudflare Access session is invalid or expired.</p>
-              <a href="https://${teamDomain}">Login again</a>
+              <a href="https://${normalizeTeamDomain(teamDomain)}">Login again</a>
             </body>
           </html>
         `, 401);

src/gateway/env.test.ts

@@ -101,7 +101,7 @@ describe('buildEnvVars', () => {
       SLACK_APP_TOKEN: 'slack-app',
     });
     const result = buildEnvVars(env);
-    
+
     expect(result.TELEGRAM_BOT_TOKEN).toBe('tg-token');
     expect(result.TELEGRAM_DM_POLICY).toBe('pairing');
     expect(result.DISCORD_BOT_TOKEN).toBe('discord-token');
@@ -116,7 +116,7 @@ describe('buildEnvVars', () => {
       CLAWDBOT_BIND_MODE: 'lan',
     });
     const result = buildEnvVars(env);
-    
+
     expect(result.CLAWDBOT_DEV_MODE).toBe('true');
     expect(result.CLAWDBOT_BIND_MODE).toBe('lan');
   });
@@ -128,7 +128,7 @@ describe('buildEnvVars', () => {
       TELEGRAM_BOT_TOKEN: 'tg',
     });
     const result = buildEnvVars(env);
-    
+
     expect(result).toEqual({
       ANTHROPIC_API_KEY: 'sk-key',
       CLAWDBOT_GATEWAY_TOKEN: 'token',

src/gateway/env.ts

@@ -19,7 +19,7 @@ function isValidGatewayUrl(url: string): boolean {
 
 /**
  * Build environment variables to pass to the Moltbot container process
- * 
+ *
  * @param env - Worker environment bindings
  * @returns Environment variables record
  */
@@ -74,9 +74,10 @@ export function buildEnvVars(env: MoltbotEnv): Record<string, string> {
   } else if (env.ANTHROPIC_BASE_URL) {
     envVars.ANTHROPIC_BASE_URL = env.ANTHROPIC_BASE_URL;
   }
-  // Pass explicit provider type and model overrides to container
+  // Pass explicit provider type, model, and API format overrides to container
   if (env.AI_GATEWAY_PROVIDER) envVars.AI_GATEWAY_PROVIDER = env.AI_GATEWAY_PROVIDER;
   if (env.AI_GATEWAY_MODEL) envVars.AI_GATEWAY_MODEL = env.AI_GATEWAY_MODEL;
+  if (env.AI_GATEWAY_API_FORMAT) envVars.AI_GATEWAY_API_FORMAT = env.AI_GATEWAY_API_FORMAT;
   // Map MOLTBOT_GATEWAY_TOKEN to CLAWDBOT_GATEWAY_TOKEN (container expects this name)
   if (env.MOLTBOT_GATEWAY_TOKEN) envVars.CLAWDBOT_GATEWAY_TOKEN = env.MOLTBOT_GATEWAY_TOKEN;
   if (env.DEV_MODE) envVars.CLAWDBOT_DEV_MODE = env.DEV_MODE; // Pass DEV_MODE as CLAWDBOT_DEV_MODE to container

src/types.ts

@@ -12,6 +12,7 @@ export interface MoltbotEnv {
   AI_GATEWAY_BASE_URL?: string; // AI Gateway URL (e.g., https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/anthropic)
   AI_GATEWAY_PROVIDER?: 'openai' | 'anthropic'; // Explicit provider type override
   AI_GATEWAY_MODEL?: string; // Custom model name override
+  AI_GATEWAY_API_FORMAT?: 'openai-completions' | 'openai-responses'; // OpenAI API format (default: openai-completions)
   // Legacy direct provider configuration (fallback)
   ANTHROPIC_API_KEY?: string;
   ANTHROPIC_BASE_URL?: string;

start-moltbot.sh

@@ -39,30 +39,30 @@ mkdir -p "$CONFIG_DIR"
 should_restore_from_r2() {
     local R2_SYNC_FILE="$BACKUP_DIR/.last-sync"
     local LOCAL_SYNC_FILE="$CONFIG_DIR/.last-sync"
-    
+
     # If no R2 sync timestamp, don't restore
     if [ ! -f "$R2_SYNC_FILE" ]; then
         echo "No R2 sync timestamp found, skipping restore"
         return 1
     fi
-    
+
     # If no local sync timestamp, restore from R2
     if [ ! -f "$LOCAL_SYNC_FILE" ]; then
         echo "No local sync timestamp, will restore from R2"
         return 0
     fi
-    
+
     # Compare timestamps
     R2_TIME=$(cat "$R2_SYNC_FILE" 2>/dev/null)
     LOCAL_TIME=$(cat "$LOCAL_SYNC_FILE" 2>/dev/null)
-    
+
     echo "R2 last sync: $R2_TIME"
     echo "Local last sync: $LOCAL_TIME"
-    
+
     # Convert to epoch seconds for comparison
     R2_EPOCH=$(date -d "$R2_TIME" +%s 2>/dev/null || echo "0")
     LOCAL_EPOCH=$(date -d "$LOCAL_TIME" +%s 2>/dev/null || echo "0")
-    
+
     if [ "$R2_EPOCH" -gt "$LOCAL_EPOCH" ]; then
         echo "R2 backup is newer, will restore"
         return 0
@@ -223,23 +223,27 @@ if (isOpenAI) {
     console.log('Configuring OpenAI provider with base URL:', baseUrl);
     config.models = config.models || {};
     config.models.providers = config.models.providers || {};
-    
+
     // Use custom model if specified, otherwise use defaults
     const defaultModels = [
         { id: 'gpt-5.2', name: 'GPT-5.2', contextWindow: 200000 },
         { id: 'gpt-5', name: 'GPT-5', contextWindow: 200000 },
         { id: 'gpt-4.5-preview', name: 'GPT-4.5 Preview', contextWindow: 128000 },
     ];
-    const models = customModel 
+    const models = customModel
         ? [{ id: customModel, name: customModel, contextWindow: 200000 }, ...defaultModels]
         : defaultModels;
     const primaryModel = customModel || 'gpt-5.2';
-    
+
     config.models.providers.openai = {
         baseUrl: baseUrl,
-        api: 'openai-responses',
+        api: process.env.AI_GATEWAY_API_FORMAT || 'openai-completions',
         models: models
     };
+    // Include API key in provider config if set (required when using custom baseUrl)
+    if (process.env.OPENAI_API_KEY) {
+        config.models.providers.openai.apiKey = process.env.OPENAI_API_KEY;
+    }
     // Add models to the allowlist so they appear in /models
     config.agents.defaults.models = config.agents.defaults.models || {};
     if (customModel) {