Initial commit: Alfred Proxy with OAuth, TTS, and FCM push notifications

- Environment-based configuration (no hardcoded secrets)
- OAuth authentication via Authentik
- ElevenLabs TTS integration via SAG CLI
- FCM push notification support
- User preferences sync system
- Multi-user support with per-user context files
- No internal IPs or service accounts in tracked files

STATUS.md

@@ -0,0 +1,220 @@
+# Alfred Proxy Setup Status
+
+## ✅ Completed Steps
+
+1. **OpenClaw switched to localhost** ✅
+   - Bind mode: `loopback`
+   - Port: `18789`
+   - Status: Running
+
+2. **Proxy service installed** ✅
+   - Location: `~/.openclaw/workspace/alfred-proxy/`
+   - Configuration: `.env` created with Client ID
+   - Dependencies: Installed
+
+3. **Proxy running** ✅
+   - Port: `18790`
+   - Health check: http://localhost:18790/health → OK
+   - OpenClaw connection: Configured
+
+4. **HAProxy configured** ✅
+   - Subdomain: `alfred-app.dnspegasus.net`
+   - Backend: `192.168.1.169:18790`
+   - SSL: Configured
+
+## ⚠️ Pending: Windows Firewall
+
+**The proxy needs to be accessible from HAProxy (192.168.1.20)**
+
+### Open Firewall (Run as Administrator)
+
+**Option 1: Using the batch file**
+1. Open File Explorer
+2. Navigate to: `\\wsl.localhost\Ubuntu-22.04\home\jknapp\.openclaw\workspace\alfred-proxy\`
+3. Right-click `open-firewall.bat`
+4. Select **"Run as administrator"**
+
+**Option 2: Using PowerShell (Admin)**
+```powershell
+New-NetFirewallRule -DisplayName "Alfred Proxy" -Direction Inbound -LocalPort 18790 -Protocol TCP -Action Allow
+```
+
+**Option 3: Using Command Prompt (Admin)**
+```cmd
+netsh advfirewall firewall add rule name="Alfred Proxy" dir=in action=allow protocol=TCP localport=18790
+```
+
+### Verify Firewall is Open
+
+After opening the firewall, test from HAProxy:
+
+```bash
+ssh root@192.168.1.20 'curl -s http://192.168.1.169:18790/health'
+```
+
+Should return:
+```json
+{"status":"ok","service":"alfred-proxy"}
+```
+
+---
+
+## Testing Checklist
+
+### 1. Local Tests (Already Passing ✅)
+
+```bash
+# Proxy health
+curl http://localhost:18790/health
+# ✅ {"status":"ok","service":"alfred-proxy"}
+
+# Proxy accessible on network
+curl http://192.168.1.169:18790/health
+# ✅ {"status":"ok","service":"alfred-proxy"}
+```
+
+### 2. HAProxy Connection (After firewall)
+
+```bash
+# From HAProxy server
+ssh root@192.168.1.20 'curl -s http://192.168.1.169:18790/health'
+# Should return: {"status":"ok","service":"alfred-proxy"}
+
+# From outside (browser redirect test)
+curl -I https://alfred-app.dnspegasus.net
+# Should return: HTTP/2 200 with HTML redirect
+```
+
+### 3. WebSocket Test (After OAuth token)
+
+```bash
+# Get OAuth token from Authentik first
+# Then test WebSocket connection:
+wscat -c "wss://alfred-app.dnspegasus.net" -H "Authorization: Bearer YOUR_TOKEN"
+```
+
+---
+
+## Current Configuration
+
+### Proxy (.env)
+```
+PROXY_PORT=18790
+OPENCLAW_URL=ws://127.0.0.1:18789
+OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba
+AUTHENTIK_URL=https://auth.dnspegasus.net
+AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR
+REQUIRE_AUTH=true
+```
+
+### OpenClaw Gateway
+```
+gateway.bind = "loopback"
+gateway.port = 18789
+gateway.auth.token = "9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba"
+```
+
+### HAProxy Backend
+```
+Server: 192.168.1.169:18790
+Domain: alfred-app.dnspegasus.net
+```
+
+---
+
+## Install Proxy as Systemd Service (Recommended)
+
+Once firewall is confirmed working, install as a service:
+
+```bash
+cd ~/.openclaw/workspace/alfred-proxy
+
+# Install service
+mkdir -p ~/.config/systemd/user
+cp alfred-proxy.service ~/.config/systemd/user/
+
+# Create override with Client ID
+mkdir -p ~/.config/systemd/user/alfred-proxy.service.d
+cat > ~/.config/systemd/user/alfred-proxy.service.d/override.conf << 'EOF'
+[Service]
+Environment="AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
+EOF
+
+# Enable and start
+systemctl --user daemon-reload
+systemctl --user enable alfred-proxy.service
+systemctl --user start alfred-proxy.service
+
+# Check status
+systemctl --user status alfred-proxy.service
+
+# View logs
+journalctl --user -u alfred-proxy.service -f
+```
+
+---
+
+## Android App Configuration
+
+Once the proxy is fully working, configure your Android app:
+
+```kotlin
+// OAuthConfig.kt
+object OAuthConfig {
+    const val AUTHENTIK_URL = "https://auth.dnspegasus.net"
+    const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
+    const val REDIRECT_URI = "alfredmobile://oauth/callback"
+    const val SCOPE = "openid profile email"
+    
+    const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"
+    const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"
+    const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"
+}
+
+// AlfredConfig.kt
+object AlfredConfig {
+    const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"
+}
+```
+
+---
+
+## Next Steps
+
+1. **Open Windows Firewall** (see instructions above)
+2. **Test HAProxy connection** (verify backend is reachable)
+3. **Test browser redirect** (https://alfred-app.dnspegasus.net → should redirect)
+4. **Install as systemd service** (for auto-start)
+5. **Implement OAuth in Android app** (see DEPLOYMENT.md for OAuth flow)
+6. **Test end-to-end** (OAuth → WebSocket → OpenClaw)
+
+---
+
+## Troubleshooting
+
+### Proxy won't connect to HAProxy
+
+**Check firewall:**
+```bash
+# From HAProxy
+ssh root@192.168.1.20 'curl -v http://192.168.1.169:18790/health'
+```
+
+If it times out, firewall is blocking.
+
+### "503 Service Unavailable" from HAProxy
+
+HAProxy can't reach the backend. Possible causes:
+- Firewall blocking port 18790
+- Proxy not running
+- Wrong IP in HAProxy config
+
+### Invalid OAuth token
+
+```bash
+# Test token with Authentik
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://auth.dnspegasus.net/application/o/userinfo/
+```
+
+Should return user info if token is valid.