feat: CF_AIG_TOKEN support for AI Gateway Authenticated Gateway

[jbbjbb]

Summary

Adds CF_AIG_TOKEN support to enable AI Gateway Authenticated Gateway and BYOK (Bring Your Own Key). This resolves the inability to use Authenticated Gateway or BYOK with moltworker — users currently must either disable Authenticated Gateway or pass raw provider keys into the container.

Fixes #74 | Duplicates: #119 | Related: #192

Changes

Feature — CF_AIG_TOKEN passthrough + header injection:

• Add CF_AIG_TOKEN to MoltbotEnv type definition
• Pass CF_AIG_TOKEN from Worker env to container via buildEnvVars()
• Inject cf-aig-authorization: Bearer <token> header via Node.js --require hook that patches globalThis.fetch for gateway.ai.cloudflare.com requests

Why a fetch hook instead of provider config? OpenClaw's config schema strictly validates provider objects and rejects unrecognized keys like defaultHeaders. This was discovered during live testing (see proof of work below). The --require hook approach is scoped: it only patches fetch() calls targeting AI Gateway URLs and does not affect other HTTP traffic.

Security hardening (scoped to touched files):

• chmod 600 on rclone.conf (both shell script and Worker-side r2.ts)
• chmod 600 on openclaw.json after config patch (fs.chmodSync)
• Remove redundant gateway token from config file (already passed via --token CLI flag — writing it to the config is unnecessary secret exposure)
• Input validation on CF_AIG_TOKEN for control characters that could cause injection or parsing issues

Note: This PR narrowly scopes security improvements to files touched by the feature. Broader security concerns in the existing codebase have been identified and will be filed as separate issues.

Proof of Work — Live Testing on Deployed Instance

Validated on a production Cloudflare Sandbox deployment (a moltworker-based system with AI Gateway + OpenRouter):

1. Initial attempt with defaultHeaders in provider config — OpenClaw rejected the config:

   Invalid config at /root/.openclaw/openclaw.json:
   - models.providers.cf-ai-gw-openrouter: Unrecognized key: "defaultHeaders"
   Config invalid
   

2. Replaced with NODE_OPTIONS --require fetch hook — container started successfully:

   Starting process with command: /usr/local/bin/start-openclaw.sh
   ['CLOUDFLARE_AI_GATEWAY_API_KEY', 'CF_AI_GATEWAY_ACCOUNT_ID', 'CF_AI_GATEWAY_GATEWAY_ID',
    'OPENROUTER_API_KEY', 'ANTHROPIC_API_KEY', 'OPENCLAW_GATEWAY_TOKEN', 'CF_AI_GATEWAY_MODEL',
    'CF_AIG_TOKEN', 'CF_ACCOUNT_ID', 'R2_ACCESS_KEY_ID', 'R2_SECRET_ACCESS_KEY', 'R2_BUCKET_NAME']
   

3. Gateway started and accepted connections — logs show:

   Found existing gateway process:
   Gateway is reachable
   [WS] Proxying WebSocket connection to gateway
   

4. Security hardening confirmed — chmod 600 /root/.config/rclone/rclone.conf executed successfully in container logs.

Test plan

• 85 unit tests pass (82 existing + 3 new CF_AIG_TOKEN tests)
• TypeScript typecheck clean (tsc --noEmit)
• Lint clean (oxlint — 3 pre-existing errors in skills/ unrelated to this PR)
• Live deployment test: container starts, gateway reachable, no config validation errors
• End-to-end: verify cf-aig-authorization header appears in AI Gateway request logs (requires AI Gateway dashboard access)

Files changed

File	Change
src/types.ts	Add CF_AIG_TOKEN to MoltbotEnv
src/gateway/env.ts	Add validateEnvValue(), CF_AIG_TOKEN passthrough with validation
src/gateway/env.test.ts	3 new tests: passthrough, not-set, control char rejection
src/gateway/r2.ts	chmod 600 on rclone.conf
start-openclaw.sh	Fetch hook for cf-aig-authorization, chmod 600 on configs, remove redundant token
wrangler.jsonc	Document CF_AIG_TOKEN secret
README.md	Add to secrets table
.dev.vars.example	Add commented example
AGENTS.md	Add to container env var table

🤖 Generated with Claude Code