# OpenClaw Gap Roadmap (Flynn) **Date:** 2026-02-15 **Source:** `docs/plans/2026-02-06-openclaw-feature-gap-analysis.md` **Goal:** Turn the remaining **MISSING** items into an executable roadmap with clear milestones, acceptance criteria, and test strategy. **Status:** Completed on 2026-02-16. ## Definition of Done A gap item is considered implemented when: - It is behind config flags where appropriate. - It has tests for core logic (unit/integration, plus minimal adapter/provider mocks where applicable). - It has docs (README or relevant docs section). - `docs/plans/state.json` is updated with status + summary + test status. ## Remaining Gap Inventory (from gap analysis) ### Channels / Frontends (MISSING) - Zalo - LINE/Feishu/Mattermost ### Model Providers (MISSING) - MiniMax / Moonshot - Vercel AI Gateway - OAuth subscription auth (support both API key and OAuth/token) ### Agent Runtime / UX (MISSING) - Canvas / A2UI (agent-driven visual workspace) ### Memory - QMD backend (experimental) — completed on 2026-02-16 ### Security - Skill/plugin code safety scanner (static analysis) — completed on 2026-02-16 - Elevated mode (explicit host-exec escape hatch) — completed on 2026-02-16, hardening pass completed on 2026-02-19 (shared elevation module + parity refactor) ### Skills Ecosystem (MISSING) - ClawHub / community skill registry ### Gateway / Infra / Deployment (MISSING) - Nix deployment - Fly.io / Railway / Render - Announce delivery mode (isolated job delivery) - Bonjour/mDNS discovery ### Misc (MISSING) ### Companion Apps / Devices (MISSING) - macOS menu bar app - iOS node - Android node - Location access ## Roadmap Overview (Milestones) This roadmap optimizes for: (1) high leverage, (2) low coupling, (3) ability to ship incrementally. 1) Credential System v2 (API + OAuth/token) [P0] - completed 2) Vercel AI Gateway provider [P1] - completed 3) Skill/plugin safety scanner [P1] - completed 4) Elevated mode (break-glass) [P2] - completed 5) Matrix channel adapter [P2] - completed 6) Deployment targets (Nix + PaaS) [P3] - completed Everything else is explicitly deferred until there is a strong user need. --- ## Milestone 1 (P0): Credential System v2 — API + OAuth/token This closes the gap item "OAuth subscription auth" as: providers should support both API-key credentials and OAuth/token-based credentials (where available), with consistent UX and deterministic resolution order. ### Scope - Add an explicit `auth_mode` selector per model tier config: - `auto` (default): try the most specific configured credential sources in priority order - `api_key`: require API key sources - `oauth`: require OAuth/token sources Rationale: per-tier enables common setups like: - `fast` uses an API key for deterministic reliability. - `default` uses OAuth/token for personal subscription accounts. ### Provider Behavior (initial) - OpenAI: - Support OAuth (existing): device flow + stored token (`flynn openai-auth`, `/login openai`, `use_oauth: true`). - Add API key storage in the same auth store (so YAML can omit secrets). - Anthropic: - Today supports: API key (config/env/auth store) and `auth_token` (config/env). - Add auth-token storage and allow selecting it via `auth_mode: oauth`. - Note: do not invent an OAuth device flow for Anthropic unless a real flow exists; "oauth" here means token-based auth. ### Design Credential sources (recommended priority): - Config (`api_key` / `auth_token`) -> Env var(s) -> Auth store (`~/.config/flynn/auth.json`) Auth store should be able to hold multiple types per provider, e.g.: ```json { "openai": { "api_key": "...", "oauth": { "refresh_token": "...", "created_at": "..." } }, "anthropic": { "api_key": "...", "auth_token": "..." } } ``` ### Implementation Tasks Config/schema: - Add `auth_mode` to the model config schema (per tier) in `src/config/schema.ts`. - Update schema tests in `src/config/schema.test.ts`. Auth store: - Extend `src/auth/openai.ts` to support API-key storage in auth.json (store/load/clear). - Extend `src/auth/anthropic.ts` to support auth-token storage in auth.json (store/load/clear). - Update `src/auth/index.ts` exports. CLI: - Add CLI command(s) for managing stored API keys for OpenAI (name TBD, recommended: `flynn openai-key`). - Extend Anthropic auth CLI to store either API key or auth token (flag or separate command). TUI: - Extend `/login openai` flow to let user choose OAuth device flow OR paste API key. - Add `/login anthropic` "paste API key" and "paste auth token" (non-OAuth). Model factory: - Update `createClientFromConfig()` in `src/daemon/models.ts` to resolve creds according to `auth_mode`. - Ensure error messages are explicit about which credential type is missing. Doctor: - Update `src/cli/doctor.ts` to report: - whether the provider has an API key source - whether OAuth/token sources exist - without revealing any secret material ### Tests - `src/daemon/clientFactory.test.ts` - auth_mode=auto resolves API key when present - auth_mode=oauth resolves token when present - auth_mode=api_key fails when only OAuth exists (and vice versa) - `src/auth/openai.test.ts` (or new) and `src/auth/anthropic.test.ts` - store/load/clear for all supported credential types - `src/config/schema.test.ts` - config parsing + defaults for auth_mode ### Acceptance Criteria - OpenAI can authenticate via either: - stored OAuth token, or - stored API key, without secrets in YAML. - Anthropic can authenticate via either: - stored API key, or - stored auth token, without secrets in YAML. - `/model` switching does not silently fall back to a weaker tier due to missing credentials; it returns an explicit error. --- ## Milestone 2 (P1): Vercel AI Gateway Provider ### Scope - Add a new model provider for Vercel AI Gateway. - If OpenAI-compatible, implement via `OpenAIClient` with a configurable `baseURL`. ### Implementation Tasks - Add provider id in `src/config/schema.ts` (`MODEL_PROVIDERS`). - Add `createClientFromConfig()` case in `src/daemon/models.ts`. - Update setup wizard provider list (optional): `src/cli/setup/providers.ts`. - Update doctor key checks if needed: `src/cli/doctor.ts`. ### Tests - `src/daemon/clientFactory.test.ts`: constructs correct client and passes `baseURL`. ### Acceptance - Tool calls + streaming work through the gateway in at least one tier. --- ## Milestone 3 (P1): Skill/Plugin Code Safety Scanner ### Scope Add a static scanner that runs during skill load (and optionally install) to prevent obvious unsafe skill packages. Recommended baseline checks: - Reject symlinks. - Reject binary blobs / huge files. - Validate `manifest.json.permissions` exists for skills that will be routed as intent targets. - Optionally scan `SKILL.md` for disallowed patterns (e.g. embedding secrets, injection markers). ### Best Insertion Point - `src/skills/loader.ts` inside `loadSkill()` (covers daemon load, watcher reload, and CLI skill operations). Optional second insertion: - `src/skills/installer.ts` pre-copy scan to avoid persisting unsafe content into managed dir. ### Tests - `src/skills/loader.test.ts` with fixture dirs for: - symlink rejection - oversized/binary rejection - missing/invalid permissions (when used for routing) ### Acceptance - Unsafe skills do not load and do not get injected into the system prompt. - Clean skills behave exactly as before. --- ## Milestone 4 (P2): Elevated Mode (Break Glass) Status: completed (2026-02-16), hardened and unified on 2026-02-19. ### Scope Add a user-visible, auditable, time-bounded mechanism to permit host execution of high-risk tools. Constraints: - Must require explicit confirmation. - Must expire automatically. - Must emit audit events with reason + TTL. ### Integration Points - `src/tools/executor.ts`: enforcement gate + audit fields - `src/daemon/routing.ts`: set `ToolPolicyContext.executionEnvironment` based on elevation state - `src/hooks/*`: confirmation UX ### Tests - Unit tests for TTL expiry and denial without elevation. - Cross-surface parity tests for command behavior (`daemon`/`gateway`/`tui`) and shared helper tests (`src/security/elevation.test.ts`). --- ## Milestone 5 (P2): Matrix Channel Adapter ### Scope Add Matrix as a channel adapter following existing patterns. ### Implementation Tasks - Implement adapter: `src/channels/matrix/adapter.ts` (+ tests) - Export and register: - `src/channels/matrix/index.ts` - `src/channels/index.ts` - `src/daemon/channels.ts` - Config schema: `src/config/schema.ts` - Dashboard services reporting: `src/gateway/handlers/services.ts` - Config secret redaction: `src/gateway/handlers/config.ts` ### Acceptance - Inbound messages normalize to `InboundMessage` with stable `senderId`. - Outbound send works. - Allowlists + mention gating work. --- ## Milestone 6 (P3): Deployment Targets (Nix + Fly/Railway/Render) Status: completed (2026-02-16). See `docs/plans/2026-02-16-deployment-targets.md`. ### Nix - Provide a flake/package that builds `dist/` and preserves `dist/gateway/ui` adjacency. - Optional NixOS module with: - service user - config path - data dir ### PaaS Targets - Add first-class docs and templates. - Ensure network binding is correct (`server.localhost: false`). - Either: - add `PORT` env override support, or - document explicit config requirements. --- ## Deferred Items (P4+) These are substantial UX/ecosystem projects or highly platform-specific; defer until there is a clear need: - Canvas/A2UI - Companion apps (macOS/iOS/Android) - Location access - Presence tracking - Bonjour/mDNS discovery - QMD backend - ClawHub registry ## Suggested Next Execution Order 1) Auth-profile expansion beyond API-key pools (if needed) 2) Additional run-control UX refinements only if interrupt behavior is still insufficient in production 3) Re-evaluate continuity quality after daily-log tuning and proactive extraction data Note: API-key pool auth profile cooldown/backoff (`auth_profile_cooldown_ms`) shipped on 2026-02-19. Note: Queue interrupt preemption telemetry/notice (`queue.preempt` + requester content hint) shipped on 2026-02-19. Note: Daily memory continuity tuning (`memory.daily_log` metadata + truncation controls) shipped on 2026-02-19.