feat(remote): support github token login bootstrap

Author: vincentkoc

CHANGELOG.md

@@ -6,9 +6,9 @@
 
 - Update `crawlkit` to v0.7.0.
 - Add read-only Cloudflare remote archive scaffolding with `[remote]` config,
-  `subscribe-cloud`, GitHub-backed `remote login`, `remote status`,
-  `remote archives`, and cloud-mode `status --json` output that does not open
-  or create a local SQLite database.
+  `subscribe-cloud`, GitHub-backed `remote login` with OAuth or token-env
+  bootstrap, `remote status`, `remote archives`, and cloud-mode `status --json`
+  output that does not open or create a local SQLite database.
 - Route cloud-mode `search` and filtered `messages` reads to Worker named
   queries so subscribers can inspect live D1 data without local SQLite.
 - Add `discrawl cloud publish` to export non-DM local SQLite rows into the

README.md

@@ -550,6 +550,9 @@ discrawl whoami
 SQLite database.
 `remote login` starts the Worker GitHub OAuth flow, verifies org/team
 membership server-side, and stores the signed bearer token in the OS keyring.
+Use `remote login --github-token-env GITHUB_TOKEN` for non-browser bootstrap;
+the Worker verifies that GitHub token against the same org/team policy and
+stores only the returned remote session token locally.
 
 Publishers can send the current non-DM SQLite archive into the Worker-backed
 D1 archive:

go.mod

@@ -44,7 +44,7 @@ require (
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
-	github.com/openclaw/crawlkit v0.7.1-0.20260527173115-df4eca58a4c9
+	github.com/openclaw/crawlkit v0.7.1-0.20260527174716-74916a98ee45
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect

go.sum

@@ -71,8 +71,8 @@ github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
-github.com/openclaw/crawlkit v0.7.1-0.20260527173115-df4eca58a4c9 h1:FbutsmKLVob/J5+4fmHOgvGv4btcxq5E/n5FbWyhgDw=
-github.com/openclaw/crawlkit v0.7.1-0.20260527173115-df4eca58a4c9/go.mod h1:2XkSx3N8yzyjc+Jyf1Zl9VEQVlElh/dzBMW1cRMQQGw=
+github.com/openclaw/crawlkit v0.7.1-0.20260527174716-74916a98ee45 h1:dx8+XyE2JddHEzhhhM7BupViAhzI5Ws4qKvNDegK04g=
+github.com/openclaw/crawlkit v0.7.1-0.20260527174716-74916a98ee45/go.mod h1:2XkSx3N8yzyjc+Jyf1Zl9VEQVlElh/dzBMW1cRMQQGw=
 github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
 github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

internal/cli/cli_test.go

@@ -1227,6 +1227,53 @@ func TestRemoteLoginStoresKeyringToken(t *testing.T) {
 	require.Contains(t, whoami.String(), `"login": "alice"`)
 }
 
+func TestRemoteLoginWithGitHubTokenEnvStoresKeyringToken(t *testing.T) {
+	ctx := context.Background()
+	dir := t.TempDir()
+	keyring.MockInit()
+	t.Setenv("DISCRAWL_TEST_GITHUB_TOKEN", "github-token")
+
+	var sawToken string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("content-type", "application/json")
+		switch req.URL.Path {
+		case "/v1/auth/github/token":
+			var body crawlremote.GitHubTokenLoginRequest
+			require.NoError(t, json.NewDecoder(req.Body).Decode(&body))
+			sawToken = body.Token
+			_ = json.NewEncoder(w).Encode(crawlremote.LoginPollResult{Status: "complete", Token: "session-token", Org: "openclaw", Login: "alice"})
+		case "/v1/whoami":
+			require.Equal(t, "Bearer session-token", req.Header.Get("Authorization"))
+			_ = json.NewEncoder(w).Encode(crawlremote.Identity{Owner: "openclaw", Org: "openclaw", Login: "alice", Auth: "github"})
+		default:
+			http.NotFound(w, req)
+		}
+	}))
+	defer server.Close()
+
+	cfgPath := filepath.Join(dir, "config.toml")
+	var out bytes.Buffer
+	require.NoError(t, Run(ctx, []string{
+		"--config", cfgPath,
+		"--json",
+		"remote", "login",
+		"--endpoint", server.URL,
+		"--github-token-env", "DISCRAWL_TEST_GITHUB_TOKEN",
+	}, &out, &bytes.Buffer{}))
+	require.Equal(t, "github-token", sawToken)
+	require.Contains(t, out.String(), `"login_method": "github-token"`)
+
+	cfg, err := config.Load(cfgPath)
+	require.NoError(t, err)
+	stored, err := keyring.Get(cfg.Remote.Auth.KeyringService, cfg.Remote.Auth.KeyringAccount)
+	require.NoError(t, err)
+	require.Equal(t, "session-token", stored)
+
+	var whoami bytes.Buffer
+	require.NoError(t, Run(ctx, []string{"--config", cfgPath, "--json", "whoami"}, &whoami, &bytes.Buffer{}))
+	require.Contains(t, whoami.String(), `"login": "alice"`)
+}
+
 func TestCloudPublishSendsNonDMRows(t *testing.T) {
 	ctx := context.Background()
 	dir := t.TempDir()

internal/cli/output.go

@@ -221,6 +221,7 @@ Read-only SQL is allowed by default. Use "-" or no query to read SQL from stdin.
   discrawl remote status
   discrawl remote archives
   discrawl remote login --endpoint URL
+  discrawl remote login --endpoint URL --github-token-env GITHUB_TOKEN
   discrawl remote whoami
 
 Reads the configured Cloudflare-backed remote archive without opening the local SQLite database.

internal/cli/remote_commands.go

@@ -6,6 +6,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"os"
 	"os/exec"
 	goruntime "runtime"
 	"strings"
@@ -109,6 +110,7 @@ func (r *runtime) runRemoteLogin(args []string) error {
 	fs := flag.NewFlagSet("remote login", flag.ContinueOnError)
 	fs.SetOutput(io.Discard)
 	endpoint := fs.String("endpoint", "", "")
+	githubTokenEnv := fs.String("github-token-env", "", "")
 	noBrowser := fs.Bool("no-browser", false, "")
 	timeoutRaw := fs.String("timeout", "5m", "")
 	pollRaw := fs.String("poll-interval", "2s", "")
@@ -151,6 +153,17 @@ func (r *runtime) runRemoteLogin(args []string) error {
 	if err != nil {
 		return configErr(err)
 	}
+	if tokenEnv := strings.TrimSpace(*githubTokenEnv); tokenEnv != "" {
+		githubToken := strings.TrimSpace(os.Getenv(tokenEnv))
+		if githubToken == "" {
+			return fmt.Errorf("%s is empty", tokenEnv)
+		}
+		result, err := client.LoginWithGitHubToken(r.ctx, githubToken)
+		if err != nil {
+			return err
+		}
+		return r.finishRemoteLogin(cfg, "github-token", result)
+	}
 	pollSecret, err := crawlremote.NewLoginPollSecret()
 	if err != nil {
 		return err
@@ -170,6 +183,16 @@ func (r *runtime) runRemoteLogin(args []string) error {
 	if err != nil {
 		return err
 	}
+	return r.finishRemoteLogin(cfg, "github-oauth", result)
+}
+
+func (r *runtime) finishRemoteLogin(cfg config.Config, method string, result crawlremote.LoginPollResult) error {
+	if strings.ToLower(strings.TrimSpace(result.Status)) != "complete" {
+		return fmt.Errorf("remote login returned status %q", result.Status)
+	}
+	if strings.TrimSpace(result.Token) == "" {
+		return errors.New("remote login completed without token")
+	}
 	auth, err := config.StoreRemoteToken(cfg, result.Token)
 	if err != nil {
 		return configErr(fmt.Errorf("store remote token: %w", err))
@@ -188,6 +211,7 @@ func (r *runtime) runRemoteLogin(args []string) error {
 		"login":           result.Login,
 		"org":             result.Org,
 		"owner":           result.Owner,
+		"login_method":    method,
 		"auth_source":     cfg.Remote.Auth.TokenSource,
 		"keyring_service": cfg.Remote.Auth.KeyringService,
 		"keyring_account": cfg.Remote.Auth.KeyringAccount,