Add CEO OpenClaw invite endpoint and update onboarding UX

server/src/__tests__/openclaw-invite-prompt-route.test.ts

@@ -0,0 +1,181 @@
+import express from "express";
+import request from "supertest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { accessRoutes } from "../routes/access.js";
+import { errorHandler } from "../middleware/index.js";
+
+const mockAccessService = vi.hoisted(() => ({
+  hasPermission: vi.fn(),
+  canUser: vi.fn(),
+  isInstanceAdmin: vi.fn(),
+  getMembership: vi.fn(),
+  ensureMembership: vi.fn(),
+  listMembers: vi.fn(),
+  setMemberPermissions: vi.fn(),
+  promoteInstanceAdmin: vi.fn(),
+  demoteInstanceAdmin: vi.fn(),
+  listUserCompanyAccess: vi.fn(),
+  setUserCompanyAccess: vi.fn(),
+  setPrincipalGrants: vi.fn(),
+}));
+
+const mockAgentService = vi.hoisted(() => ({
+  getById: vi.fn(),
+}));
+
+const mockLogActivity = vi.hoisted(() => vi.fn());
+
+vi.mock("../services/index.js", () => ({
+  accessService: () => mockAccessService,
+  agentService: () => mockAgentService,
+  deduplicateAgentName: vi.fn(),
+  logActivity: mockLogActivity,
+  notifyHireApproved: vi.fn(),
+}));
+
+function createDbStub() {
+  const createdInvite = {
+    id: "invite-1",
+    companyId: "company-1",
+    inviteType: "company_join",
+    allowedJoinTypes: "agent",
+    defaultsPayload: null,
+    expiresAt: new Date("2026-03-07T00:10:00.000Z"),
+    invitedByUserId: null,
+    tokenHash: "hash",
+    revokedAt: null,
+    acceptedAt: null,
+    createdAt: new Date("2026-03-07T00:00:00.000Z"),
+    updatedAt: new Date("2026-03-07T00:00:00.000Z"),
+  };
+  const returning = vi.fn().mockResolvedValue([createdInvite]);
+  const values = vi.fn().mockReturnValue({ returning });
+  const insert = vi.fn().mockReturnValue({ values });
+  return {
+    insert,
+  };
+}
+
+function createApp(actor: Record<string, unknown>, db: Record<string, unknown>) {
+  const app = express();
+  app.use(express.json());
+  app.use((req, _res, next) => {
+    (req as any).actor = actor;
+    next();
+  });
+  app.use(
+    "/api",
+    accessRoutes(db as any, {
+      deploymentMode: "local_trusted",
+      deploymentExposure: "private",
+      bindHost: "127.0.0.1",
+      allowedHostnames: [],
+    }),
+  );
+  app.use(errorHandler);
+  return app;
+}
+
+describe("POST /companies/:companyId/openclaw/invite-prompt", () => {
+  beforeEach(() => {
+    mockAccessService.canUser.mockResolvedValue(false);
+    mockAgentService.getById.mockReset();
+    mockLogActivity.mockResolvedValue(undefined);
+  });
+
+  it("rejects non-CEO agent callers", async () => {
+    const db = createDbStub();
+    mockAgentService.getById.mockResolvedValue({
+      id: "agent-1",
+      companyId: "company-1",
+      role: "engineer",
+    });
+    const app = createApp(
+      {
+        type: "agent",
+        agentId: "agent-1",
+        companyId: "company-1",
+        source: "agent_key",
+      },
+      db,
+    );
+
+    const res = await request(app)
+      .post("/api/companies/company-1/openclaw/invite-prompt")
+      .send({});
+
+    expect(res.status).toBe(403);
+    expect(res.body.error).toContain("Only CEO agents");
+  });
+
+  it("allows CEO agent callers and creates an agent-only invite", async () => {
+    const db = createDbStub();
+    mockAgentService.getById.mockResolvedValue({
+      id: "agent-1",
+      companyId: "company-1",
+      role: "ceo",
+    });
+    const app = createApp(
+      {
+        type: "agent",
+        agentId: "agent-1",
+        companyId: "company-1",
+        source: "agent_key",
+      },
+      db,
+    );
+
+    const res = await request(app)
+      .post("/api/companies/company-1/openclaw/invite-prompt")
+      .send({ agentMessage: "Join and configure OpenClaw gateway." });
+
+    expect(res.status).toBe(201);
+    expect(res.body.allowedJoinTypes).toBe("agent");
+    expect(typeof res.body.token).toBe("string");
+    expect(res.body.onboardingTextPath).toContain("/api/invites/");
+  });
+
+  it("allows board callers with invite permission", async () => {
+    const db = createDbStub();
+    mockAccessService.canUser.mockResolvedValue(true);
+    const app = createApp(
+      {
+        type: "board",
+        userId: "user-1",
+        companyIds: ["company-1"],
+        source: "session",
+        isInstanceAdmin: false,
+      },
+      db,
+    );
+
+    const res = await request(app)
+      .post("/api/companies/company-1/openclaw/invite-prompt")
+      .send({});
+
+    expect(res.status).toBe(201);
+    expect(res.body.allowedJoinTypes).toBe("agent");
+  });
+
+  it("rejects board callers without invite permission", async () => {
+    const db = createDbStub();
+    mockAccessService.canUser.mockResolvedValue(false);
+    const app = createApp(
+      {
+        type: "board",
+        userId: "user-1",
+        companyIds: ["company-1"],
+        source: "session",
+        isInstanceAdmin: false,
+      },
+      db,
+    );
+
+    const res = await request(app)
+      .post("/api/companies/company-1/openclaw/invite-prompt")
+      .send({});
+
+    expect(res.status).toBe(403);
+    expect(res.body.error).toBe("Permission denied");
+  });
+});

server/src/routes/access.ts

@@ -21,6 +21,7 @@ import {
   acceptInviteSchema,
   claimJoinRequestApiKeySchema,
   createCompanyInviteSchema,
+  createOpenClawInvitePromptSchema,
   listJoinRequestsQuerySchema,
   updateMemberPermissionsSchema,
   updateUserCompanyAccessSchema,
@@ -1942,6 +1943,80 @@ export function accessRoutes(
     if (!allowed) throw forbidden("Permission denied");
   }
 
+  async function assertCanGenerateOpenClawInvitePrompt(
+    req: Request,
+    companyId: string
+  ) {
+    assertCompanyAccess(req, companyId);
+    if (req.actor.type === "agent") {
+      if (!req.actor.agentId) throw forbidden("Agent authentication required");
+      const actorAgent = await agents.getById(req.actor.agentId);
+      if (!actorAgent || actorAgent.companyId !== companyId) {
+        throw forbidden("Agent key cannot access another company");
+      }
+      if (actorAgent.role !== "ceo") {
+        throw forbidden("Only CEO agents can generate OpenClaw invite prompts");
+      }
+      return;
+    }
+    if (req.actor.type !== "board") throw unauthorized();
+    if (isLocalImplicit(req)) return;
+    const allowed = await access.canUser(companyId, req.actor.userId, "users:invite");
+    if (!allowed) throw forbidden("Permission denied");
+  }
+
+  async function createCompanyInviteForCompany(input: {
+    req: Request;
+    companyId: string;
+    allowedJoinTypes: "human" | "agent" | "both";
+    defaultsPayload?: Record<string, unknown> | null;
+    agentMessage?: string | null;
+  }) {
+    const normalizedAgentMessage =
+      typeof input.agentMessage === "string"
+        ? input.agentMessage.trim() || null
+        : null;
+    const insertValues = {
+      companyId: input.companyId,
+      inviteType: "company_join" as const,
+      allowedJoinTypes: input.allowedJoinTypes,
+      defaultsPayload: mergeInviteDefaults(
+        input.defaultsPayload ?? null,
+        normalizedAgentMessage
+      ),
+      expiresAt: companyInviteExpiresAt(),
+      invitedByUserId: input.req.actor.userId ?? null
+    };
+
+    let token: string | null = null;
+    let created: typeof invites.$inferSelect | null = null;
+    for (let attempt = 0; attempt < INVITE_TOKEN_MAX_RETRIES; attempt += 1) {
+      const candidateToken = createInviteToken();
+      try {
+        const row = await db
+          .insert(invites)
+          .values({
+            ...insertValues,
+            tokenHash: hashToken(candidateToken)
+          })
+          .returning()
+          .then((rows) => rows[0]);
+        token = candidateToken;
+        created = row;
+        break;
+      } catch (error) {
+        if (!isInviteTokenHashCollisionError(error)) {
+          throw error;
+        }
+      }
+    }
+    if (!token || !created) {
+      throw conflict("Failed to generate a unique invite token. Please retry.");
+    }
+
+    return { token, created, normalizedAgentMessage };
+  }
+
   router.get("/skills/index", (_req, res) => {
     res.json({
       skills: [
@@ -1967,49 +2042,14 @@ export function accessRoutes(
     async (req, res) => {
       const companyId = req.params.companyId as string;
       await assertCompanyPermission(req, companyId, "users:invite");
-      const normalizedAgentMessage =
-        typeof req.body.agentMessage === "string"
-          ? req.body.agentMessage.trim() || null
-          : null;
-      const insertValues = {
-        companyId,
-        inviteType: "company_join" as const,
-        allowedJoinTypes: req.body.allowedJoinTypes,
-        defaultsPayload: mergeInviteDefaults(
-          req.body.defaultsPayload ?? null,
-          normalizedAgentMessage
-        ),
-        expiresAt: companyInviteExpiresAt(),
-        invitedByUserId: req.actor.userId ?? null
-      };
-
-      let token: string | null = null;
-      let created: typeof invites.$inferSelect | null = null;
-      for (let attempt = 0; attempt < INVITE_TOKEN_MAX_RETRIES; attempt += 1) {
-        const candidateToken = createInviteToken();
-        try {
-          const row = await db
-            .insert(invites)
-            .values({
-              ...insertValues,
-              tokenHash: hashToken(candidateToken)
-            })
-            .returning()
-            .then((rows) => rows[0]);
-          token = candidateToken;
-          created = row;
-          break;
-        } catch (error) {
-          if (!isInviteTokenHashCollisionError(error)) {
-            throw error;
-          }
-        }
-      }
-      if (!token || !created) {
-        throw conflict(
-          "Failed to generate a unique invite token. Please retry."
-        );
-      }
+      const { token, created, normalizedAgentMessage } =
+        await createCompanyInviteForCompany({
+          req,
+          companyId,
+          allowedJoinTypes: req.body.allowedJoinTypes,
+          defaultsPayload: req.body.defaultsPayload ?? null,
+          agentMessage: req.body.agentMessage ?? null
+        });
 
       await logActivity(db, {
         companyId,
@@ -2041,6 +2081,51 @@ export function accessRoutes(
     }
   );
 
+  router.post(
+    "/companies/:companyId/openclaw/invite-prompt",
+    validate(createOpenClawInvitePromptSchema),
+    async (req, res) => {
+      const companyId = req.params.companyId as string;
+      await assertCanGenerateOpenClawInvitePrompt(req, companyId);
+      const { token, created, normalizedAgentMessage } =
+        await createCompanyInviteForCompany({
+          req,
+          companyId,
+          allowedJoinTypes: "agent",
+          defaultsPayload: null,
+          agentMessage: req.body.agentMessage ?? null
+        });
+
+      await logActivity(db, {
+        companyId,
+        actorType: req.actor.type === "agent" ? "agent" : "user",
+        actorId:
+          req.actor.type === "agent"
+            ? req.actor.agentId ?? "unknown-agent"
+            : req.actor.userId ?? "board",
+        action: "invite.openclaw_prompt_created",
+        entityType: "invite",
+        entityId: created.id,
+        details: {
+          inviteType: created.inviteType,
+          allowedJoinTypes: created.allowedJoinTypes,
+          expiresAt: created.expiresAt.toISOString(),
+          hasAgentMessage: Boolean(normalizedAgentMessage)
+        }
+      });
+
+      const inviteSummary = toInviteSummaryResponse(req, token, created);
+      res.status(201).json({
+        ...created,
+        token,
+        inviteUrl: `/invite/${token}`,
+        onboardingTextPath: inviteSummary.onboardingTextPath,
+        onboardingTextUrl: inviteSummary.onboardingTextUrl,
+        inviteMessage: inviteSummary.inviteMessage
+      });
+    }
+  );
+
   router.get("/invites/:token", async (req, res) => {
     const token = (req.params.token as string).trim();
     if (!token) throw notFound("Invite not found");