QUICKSTART.md

# Alfred Proxy Quick Start

## Your Configuration

### Backend Details for HAProxy

**Add to HAProxy backend:**
```
Server IP: 192.168.1.169
Server Port: 18790
```

**Full HAProxy backend config:**
```haproxy
backend alfred_mobile_proxy-backend
    mode http
    option forwardfor
    
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    http-request set-header X-Forwarded-For %[var(txn.real_ip)]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    
    timeout tunnel 1h
    timeout client 1h
    timeout server 1h
    
    server alfred_proxy 192.168.1.169:18790 check
```

### URLs

- **Mobile app connects to:** `wss://alfred-app.dnspegasus.net`
- **OAuth authentication:** `https://auth.dnspegasus.net`
- **Web browser redirect:** `https://alfred.dnspegasus.net`

### DNS

Your wildcard DNS (`*.dnspegasus.net`) should already resolve `alfred-app.dnspegasus.net` to HAProxy.

Test: `nslookup alfred-app.dnspegasus.net`

### Android App Configuration

```kotlin
// OAuthConfig.kt
object OAuthConfig {
    const val AUTHENTIK_URL = "https://auth.dnspegasus.net"
    const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
    const val REDIRECT_URI = "alfredmobile://oauth/callback"
    const val SCOPE = "openid profile email"
    
    const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"
    const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"
    const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"
}

// AlfredConfig.kt
object AlfredConfig {
    const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"
}
```

### Start the Proxy

```bash
cd ~/.openclaw/workspace/alfred-proxy

# 1. Create .env
cat > .env << 'EOF'
PROXY_PORT=18790
OPENCLAW_URL=ws://127.0.0.1:18789
OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba
AUTHENTIK_URL=https://auth.dnspegasus.net
AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR
REQUIRE_AUTH=true
EOF

# 2. Install and start
npm install
npm run dev

# 3. Test health
curl http://localhost:18790/health
```

### HAProxy Configuration

See `haproxy-alfred-app.cfg` for complete config.

**Key points:**
- Frontend ACL: `alfred-app.dnspegasus.net`
- WebSocket connections → `alfred_mobile_proxy-backend`
- Browser visits → Redirect to main web UI
- Backend server: `192.168.1.169:18790`

### Network Diagram

```
Android App
    ↓
    wss://alfred-app.dnspegasus.net (OAuth token in Authorization header)
    ↓
HAProxy (192.168.1.20:443)
    ↓
Alfred Proxy (192.168.1.169:18790)
    - Validates OAuth token with Authentik
    - Injects OpenClaw gateway token
    ↓
OpenClaw (127.0.0.1:18789)
    ↓
Alfred AI assistant
```

### Testing Flow

1. **Test proxy locally:**
   ```bash
   curl http://localhost:18790/health
   ```

2. **Test from HAProxy server:**
   ```bash
   curl http://192.168.1.169:18790/health
   ```

3. **Test DNS:**
   ```bash
   nslookup alfred-app.dnspegasus.net
   ```

4. **Test redirect (browser):**
   ```bash
   curl -I https://alfred-app.dnspegasus.net
   # Should redirect to alfred.dnspegasus.net
   ```

5. **Test WebSocket (with OAuth token):**
   ```bash
   # Get token from Authentik first, then:
   wscat -c "wss://alfred-app.dnspegasus.net" \
     -H "Authorization: Bearer YOUR_TOKEN"
   ```

### Troubleshooting

**Can't reach proxy from HAProxy:**
```bash
# Test direct connection
curl http://192.168.1.169:18790/health

# Check Windows firewall
# PowerShell (Admin):
New-NetFirewallRule -DisplayName "Alfred Proxy" `
  -Direction Inbound -LocalPort 18790 -Protocol TCP -Action Allow
```

**WebSocket upgrade fails:**
- Check HAProxy ACL matches `alfred-app.dnspegasus.net`
- Verify WebSocket headers are present
- Check proxy logs: `journalctl --user -u alfred-proxy.service -f`

**Invalid token:**
- Verify Client ID in proxy `.env` matches Authentik
- Test token: `curl -H "Authorization: Bearer TOKEN" https://auth.dnspegasus.net/application/o/userinfo/`

### Next Steps

1. ✅ Start proxy locally
2. ✅ Configure HAProxy with correct backend
3. ✅ Test DNS resolves
4. ✅ Test redirect in browser
5. ✅ Implement OAuth in Android app
6. ✅ Test end-to-end flow
Initial commit: Alfred Proxy with OAuth, TTS, and FCM push notifications - Environment-based configuration (no hardcoded secrets) - OAuth authentication via Authentik - ElevenLabs TTS integration via SAG CLI - FCM push notification support - User preferences sync system - Multi-user support with per-user context files - No internal IPs or service accounts in tracked files 2026-02-09 11:13:01 -08:00			`# Alfred Proxy Quick Start`

			`## Your Configuration`

			`### Backend Details for HAProxy`

			`Add to HAProxy backend:`
			```
			`Server IP: 192.168.1.169`
			`Server Port: 18790`
			```

			`Full HAProxy backend config:`
			```haproxy
			`backend alfred_mobile_proxy-backend`
			`mode http`
			`option forwardfor`

			`http-request add-header X-CLIENT-IP %[var(txn.real_ip)]`
			`http-request set-header X-Real-IP %[var(txn.real_ip)]`
			`http-request set-header X-Forwarded-For %[var(txn.real_ip)]`
			`http-request set-header X-Forwarded-Proto https if { ssl_fc }`

			`timeout tunnel 1h`
			`timeout client 1h`
			`timeout server 1h`

			`server alfred_proxy 192.168.1.169:18790 check`
			```

			`### URLs`

			- Mobile app connects to: `wss://alfred-app.dnspegasus.net`
			- OAuth authentication: `https://auth.dnspegasus.net`
			- Web browser redirect: `https://alfred.dnspegasus.net`

			`### DNS`

			Your wildcard DNS (`*.dnspegasus.net`) should already resolve `alfred-app.dnspegasus.net` to HAProxy.

			Test: `nslookup alfred-app.dnspegasus.net`

			`### Android App Configuration`

			```kotlin
			`// OAuthConfig.kt`
			`object OAuthConfig {`
			`const val AUTHENTIK_URL = "https://auth.dnspegasus.net"`
			`const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"`
			`const val REDIRECT_URI = "alfredmobile://oauth/callback"`
			`const val SCOPE = "openid profile email"`

			`const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"`
			`const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"`
			`const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"`
			`}`

			`// AlfredConfig.kt`
			`object AlfredConfig {`
			`const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"`
			`}`
			```

			`### Start the Proxy`

			```bash
			`cd ~/.openclaw/workspace/alfred-proxy`

			`# 1. Create .env`
			`cat > .env << 'EOF'`
			`PROXY_PORT=18790`
			`OPENCLAW_URL=ws://127.0.0.1:18789`
			`OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba`
			`AUTHENTIK_URL=https://auth.dnspegasus.net`
			`AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
			`REQUIRE_AUTH=true`
			`EOF`

			`# 2. Install and start`
			`npm install`
			`npm run dev`

			`# 3. Test health`
			`curl http://localhost:18790/health`
			```

			`### HAProxy Configuration`

			See `haproxy-alfred-app.cfg` for complete config.

			`Key points:`
			- Frontend ACL: `alfred-app.dnspegasus.net`
			- WebSocket connections → `alfred_mobile_proxy-backend`
			`- Browser visits → Redirect to main web UI`
			- Backend server: `192.168.1.169:18790`

			`### Network Diagram`

			```
			`Android App`
			`↓`
			`wss://alfred-app.dnspegasus.net (OAuth token in Authorization header)`
			`↓`
			`HAProxy (192.168.1.20:443)`
			`↓`
			`Alfred Proxy (192.168.1.169:18790)`
			`- Validates OAuth token with Authentik`
			`- Injects OpenClaw gateway token`
			`↓`
			`OpenClaw (127.0.0.1:18789)`
			`↓`
			`Alfred AI assistant`
			```

			`### Testing Flow`

			`1. Test proxy locally:`
			```bash
			`curl http://localhost:18790/health`
			```

			`2. Test from HAProxy server:`
			```bash
			`curl http://192.168.1.169:18790/health`
			```

			`3. Test DNS:`
			```bash
			`nslookup alfred-app.dnspegasus.net`
			```

			`4. Test redirect (browser):`
			```bash
			`curl -I https://alfred-app.dnspegasus.net`
			`# Should redirect to alfred.dnspegasus.net`
			```

			`5. Test WebSocket (with OAuth token):`
			```bash
			`# Get token from Authentik first, then:`
			`wscat -c "wss://alfred-app.dnspegasus.net" \`
			`-H "Authorization: Bearer YOUR_TOKEN"`
			```

			`### Troubleshooting`

			`Can't reach proxy from HAProxy:`
			```bash
			`# Test direct connection`
			`curl http://192.168.1.169:18790/health`

			`# Check Windows firewall`
			`# PowerShell (Admin):`
			New-NetFirewallRule -DisplayName "Alfred Proxy" `
			`-Direction Inbound -LocalPort 18790 -Protocol TCP -Action Allow`
			```

			`WebSocket upgrade fails:`
			- Check HAProxy ACL matches `alfred-app.dnspegasus.net`
			`- Verify WebSocket headers are present`
			- Check proxy logs: `journalctl --user -u alfred-proxy.service -f`

			`Invalid token:`
			- Verify Client ID in proxy `.env` matches Authentik
			- Test token: `curl -H "Authorization: Bearer TOKEN" https://auth.dnspegasus.net/application/o/userinfo/`

			`### Next Steps`

			`1. ✅ Start proxy locally`
			`2. ✅ Configure HAProxy with correct backend`
			`3. ✅ Test DNS resolves`
			`4. ✅ Test redirect in browser`
			`5. ✅ Implement OAuth in Android app`
			`6. ✅ Test end-to-end flow`