feat: ssh tunnel + browser auto-open for OpenClaw web dashboard (#2452)

OpenClaw runs a web dashboard on port 18791 of the remote VM. This
change SSH-tunnels that port to localhost and auto-opens the browser,
giving users a web UI with zero CLI knowledge needed.

- Add TunnelConfig to AgentConfig interface (agents.ts)
- Add startSshTunnel function with port-finding logic (ssh.ts)
- Capture gateway token in closure so the same token is used for both
  the remote config and the browser URL (agent-setup.ts)
- Wire tunnel into orchestration pipeline between preLaunch and
  interactiveSession (orchestrate.ts)
- Add getConnectionInfo to CloudOrchestrator interface and implement
  in all SSH-based clouds (DO, Hetzner, AWS, GCP)
- Local: opens browser directly at localhost:18791
- Sprite: gracefully skipped (no standard SSH)
- Add USER.md bootstrap to guide OpenClaw users to web dashboard

Closes #2449
Supersedes #2418

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: L <6723574+louisgv@users.noreply.github.com>

Author: 3 people

packages/cli/src/aws/aws.ts

@@ -198,6 +198,17 @@ export function getState() {
   };
 }
 
+/** Return SSH connection info for tunnel support. */
+export function getConnectionInfo(): {
+  host: string;
+  user: string;
+} {
+  return {
+    host: _state.instanceIp,
+    user: SSH_USER,
+  };
+}
+
 // ─── SSH Config ─────────────────────────────────────────────────────────────
 
 const SSH_USER = "ubuntu";

packages/cli/src/aws/main.ts

@@ -12,6 +12,7 @@ import {
   createInstance,
   ensureAwsCli,
   ensureSshKey,
+  getConnectionInfo,
   getServerName,
   interactiveSession,
   promptBundle,
@@ -58,6 +59,7 @@ async function main() {
       await waitForCloudInit();
     },
     interactiveSession,
+    getConnectionInfo,
   };
 
   await runOrchestration(cloud, agent, agentName);

packages/cli/src/digitalocean/digitalocean.ts

@@ -105,6 +105,17 @@ const _state: DigitalOceanState = {
   serverIp: "",
 };
 
+/** Return SSH connection info for tunnel support. */
+export function getConnectionInfo(): {
+  host: string;
+  user: string;
+} {
+  return {
+    host: _state.serverIp,
+    user: "root",
+  };
+}
+
 // ─── API Client ──────────────────────────────────────────────────────────────
 
 async function doApi(method: string, endpoint: string, body?: string, maxRetries = 3): Promise<string> {

packages/cli/src/digitalocean/main.ts

@@ -13,6 +13,7 @@ import {
   ensureDoToken,
   ensureSshKey,
   findSpawnSnapshot,
+  getConnectionInfo,
   getServerName,
   interactiveSession,
   promptDoRegion,
@@ -75,6 +76,7 @@ async function main() {
       }
     },
     interactiveSession,
+    getConnectionInfo,
   };
 
   await runOrchestration(cloud, agent, agentName);

packages/cli/src/gcp/gcp.ts

@@ -155,6 +155,17 @@ const _state: GcpState = {
   username: "",
 };
 
+/** Return SSH connection info for tunnel support. */
+export function getConnectionInfo(): {
+  host: string;
+  user: string;
+} {
+  return {
+    host: _state.serverIp,
+    user: resolveUsername(),
+  };
+}
+
 // ─── gcloud CLI Wrapper ─────────────────────────────────────────────────────
 
 function getGcloudCmd(): string | null {

packages/cli/src/gcp/main.ts

@@ -12,6 +12,7 @@ import {
   checkBillingEnabled,
   createInstance,
   ensureGcloudCli,
+  getConnectionInfo,
   getServerName,
   interactiveSession,
   promptMachineType,
@@ -64,6 +65,7 @@ async function main() {
       await waitForCloudInit();
     },
     interactiveSession,
+    getConnectionInfo,
   };
 
   await runOrchestration(cloud, agent, agentName);

packages/cli/src/hetzner/hetzner.ts

@@ -52,6 +52,17 @@ const _state: HetznerState = {
   serverIp: "",
 };
 
+/** Return SSH connection info for tunnel support. */
+export function getConnectionInfo(): {
+  host: string;
+  user: string;
+} {
+  return {
+    host: _state.serverIp,
+    user: "root",
+  };
+}
+
 // ─── API Client ──────────────────────────────────────────────────────────────
 
 async function hetznerApi(method: string, endpoint: string, body?: string, maxRetries = 3): Promise<string> {

packages/cli/src/hetzner/main.ts

@@ -11,6 +11,7 @@ import {
   createServer as createHetznerServer,
   ensureHcloudToken,
   ensureSshKey,
+  getConnectionInfo,
   getServerName,
   interactiveSession,
   promptLocation,
@@ -58,6 +59,7 @@ async function main() {
       await waitForCloudInit();
     },
     interactiveSession,
+    getConnectionInfo,
   };
 
   await runOrchestration(cloud, agent, agentName);

packages/cli/src/shared/agent-setup.ts

@@ -334,15 +334,20 @@ async function installChromeBrowser(runner: CloudRunner): Promise<void> {
   }
 }
 
-async function setupOpenclawConfig(runner: CloudRunner, apiKey: string, modelId: string): Promise<void> {
+async function setupOpenclawConfig(
+  runner: CloudRunner,
+  apiKey: string,
+  modelId: string,
+  token?: string,
+): Promise<void> {
   logStep("Configuring openclaw...");
   await runner.runServer("mkdir -p ~/.openclaw");
 
   // Chrome must be installed before config is written (config references its path).
   // This runs in configure() — not install() — so it works even with tarball installs.
   await installChromeBrowser(runner);
 
-  const gatewayToken = crypto.randomUUID().replace(/-/g, "");
+  const gatewayToken = token ?? crypto.randomUUID().replace(/-/g, "");
   const escapedKey = jsonEscape(apiKey);
   const escapedToken = jsonEscape(gatewayToken);
   const escapedModel = jsonEscape(modelId);
@@ -380,6 +385,25 @@ async function setupOpenclawConfig(runner: CloudRunner, apiKey: string, modelId:
   } catch {
     logWarn("Browser config setup failed (non-fatal)");
   }
+
+  // Write USER.md bootstrap file — guides users to the web dashboard for
+  // visual tasks like WhatsApp QR code scanning that don't work in the TUI.
+  const userMd = [
+    "# User",
+    "",
+    "## Web Dashboard",
+    "",
+    "This machine has a web dashboard running on port 18791.",
+    "When helping the user set up channels that require QR code scanning",
+    "(WhatsApp, Telegram, etc.), always guide them to use the web dashboard",
+    "instead of the TUI — QR codes cannot be scanned from a terminal.",
+    "",
+    "The dashboard URL is: http://localhost:18791",
+    "(It may also be SSH-tunneled to the user's local machine automatically.)",
+    "",
+  ].join("\n");
+  await runner.runServer("mkdir -p ~/.openclaw/workspace");
+  await uploadConfigFile(runner, userMd, "$HOME/.openclaw/workspace/USER.md");
 }
 
 export async function startGateway(runner: CloudRunner): Promise<void> {
@@ -612,30 +636,37 @@ function createAgents(runner: CloudRunner): Record<string, AgentConfig> {
       launchCmd: () => "source ~/.spawnrc 2>/dev/null; source ~/.zshrc 2>/dev/null; codex",
     },
 
-    openclaw: {
-      name: "OpenClaw",
-      cloudInitTier: "full",
-      preProvision: detectGithubAuth,
-      modelDefault: "moonshotai/kimi-k2.5",
-      install: async () => {
-        await installAgent(
-          runner,
-          "openclaw",
-          `source ~/.bashrc 2>/dev/null; ${NPM_PREFIX_SETUP} && npm install -g \${_NPM_G_FLAGS} openclaw && ${NPM_GLOBAL_PATH_PERSIST}`,
-        );
-      },
-      envVars: (apiKey) => [
-        `OPENROUTER_API_KEY=${apiKey}`,
-        `ANTHROPIC_API_KEY=${apiKey}`,
-        "ANTHROPIC_BASE_URL=https://openrouter.ai/api",
-      ],
-      configure: (apiKey, modelId) => setupOpenclawConfig(runner, apiKey, modelId || "moonshotai/kimi-k2.5"),
-      preLaunch: () => startGateway(runner),
-      preLaunchMsg:
-        "Set up one channel at a time in the OpenClaw TUI. Wait for each channel to fully complete before pasting the next token — concurrent token pastes can cause setup to hang.",
-      launchCmd: () =>
-        "source ~/.spawnrc 2>/dev/null; export PATH=$HOME/.npm-global/bin:$HOME/.bun/bin:$HOME/.local/bin:$PATH; openclaw tui",
-    },
+    openclaw: (() => {
+      const dashboardToken = crypto.randomUUID().replace(/-/g, "");
+      return {
+        name: "OpenClaw",
+        cloudInitTier: "full" satisfies AgentConfig["cloudInitTier"],
+        preProvision: detectGithubAuth,
+        modelDefault: "moonshotai/kimi-k2.5",
+        install: async () => {
+          await installAgent(
+            runner,
+            "openclaw",
+            `source ~/.bashrc 2>/dev/null; ${NPM_PREFIX_SETUP} && npm install -g \${_NPM_G_FLAGS} openclaw && ${NPM_GLOBAL_PATH_PERSIST}`,
+          );
+        },
+        envVars: (apiKey: string) => [
+          `OPENROUTER_API_KEY=${apiKey}`,
+          `ANTHROPIC_API_KEY=${apiKey}`,
+          "ANTHROPIC_BASE_URL=https://openrouter.ai/api",
+        ],
+        configure: (apiKey: string, modelId?: string) =>
+          setupOpenclawConfig(runner, apiKey, modelId || "moonshotai/kimi-k2.5", dashboardToken),
+        preLaunch: () => startGateway(runner),
+        preLaunchMsg: "Your web dashboard will open automatically. If it doesn't, check the terminal for the URL.",
+        launchCmd: () =>
+          "source ~/.spawnrc 2>/dev/null; export PATH=$HOME/.npm-global/bin:$HOME/.bun/bin:$HOME/.local/bin:$PATH; openclaw tui",
+        tunnel: {
+          remotePort: 18791,
+          browserUrl: (localPort: number) => `http://localhost:${localPort}/?token=${dashboardToken}`,
+        },
+      };
+    })(),
 
     opencode: {
       name: "OpenCode",

packages/cli/src/shared/agents.ts

@@ -29,6 +29,14 @@ export interface AgentConfig {
   cloudInitTier?: CloudInitTier;
   /** Skip tarball install attempt (e.g., already using snapshot). */
   skipTarball?: boolean;
+  /** SSH tunnel config for web dashboards. */
+  tunnel?: TunnelConfig;
+}
+
+/** Configuration for SSH-tunneling a remote port to localhost. */
+export interface TunnelConfig {
+  remotePort: number;
+  browserUrl?: (localPort: number) => string | undefined;
 }
 
 // ─── Shared Helpers ──────────────────────────────────────────────────────────