feat: shared API_TOKEN, qwen oauth in container, bot /getToken

- Accept API_TOKEN for MCP and tunnel (apiToken query param)
- Wrap qwen-search image with oauth creds decode and qwen CLI invocation
- Pass PROD_QWEN_OAUTH_CREDS into container runs; deploy reads from env
- Add Telegram /getToken command for standalone package auth

Made-with: Cursor

Author: ilyar

docker/qwen-search/Dockerfile

@@ -12,7 +12,12 @@ RUN npm install -g @qwen-code/qwen-code@latest
 
 WORKDIR /workspace
 
+# Runtime wrapper creates ~/.qwen/oauth_creds.json from env and runs qwen.
+COPY docker/qwen-search/entrypoint.sh /usr/local/bin/qwen-entrypoint
+COPY docker/qwen-search/qwen-search.sh /usr/local/bin/qwen-search
+RUN chmod +x /usr/local/bin/qwen-entrypoint /usr/local/bin/qwen-search
+
 # Default corpus mount point (host maps repo/api/knowledge here with :ro)
 VOLUME ["/corpus"]
 
-ENTRYPOINT ["qwen"]
+ENTRYPOINT ["qwen-entrypoint"]

docker/qwen-search/README.md

@@ -1,6 +1,6 @@
 # Qwen search container (SpawnDock API / MCP)
 
-OCI image that installs **@qwen-code/qwen-code** and runs `qwen` as `ENTRYPOINT`. The API server (`repo/api`) invokes this image for `QWEN_MODE=container` MCP search.
+OCI image that installs **@qwen-code/qwen-code** and runs `qwen-search` as `ENTRYPOINT`. The API server (`repo/api`) invokes this image for `QWEN_MODE=container` MCP search.
 
 ## Build
 
@@ -10,6 +10,12 @@ From `repo/api`:
 docker build -t spawndock/qwen-search:local -f docker/qwen-search/Dockerfile .
 ```
 
+## Runtime contract
+
+- `ENTRYPOINT` is `qwen-search` (wrapper over `qwen --output-format json --prompt "<TERM>"`).
+- At container start it decodes `PROD_QWEN_OAUTH_CREDS` (or `QWEN_OAUTH_CREDS_B64`) into `~/.qwen/oauth_creds.json`.
+- Knowledge directory is mounted read-only.
+
 ## Volume contract (read-only)
 
 | Host path | Container path | Mode |
@@ -25,9 +31,9 @@ Replace `/abs/path/to/repo/api/knowledge` with your checkout:
 ```bash
 docker run --rm \
   -v /abs/path/to/repo/api/knowledge:/corpus:ro \
-  -e QWEN_OAUTH=true \
+  -e PROD_QWEN_OAUTH_CREDS="$(cat ~/.qwen/oauth_creds.json | base64 -w0)" \
   spawndock/qwen-search:local \
-  --help
+  --term "how to build TON mini app auth flow"
 ```
 
 Pass auth / API keys only via `-e` as required by your Qwen CLI setup; do not bake secrets into the image.

docker/qwen-search/entrypoint.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -eu
+
+ensure_oauth_file() {
+  creds_b64="${PROD_QWEN_OAUTH_CREDS:-${QWEN_OAUTH_CREDS_B64:-}}"
+  if [ -z "${creds_b64}" ]; then
+    return 0
+  fi
+
+  mkdir -p "${HOME}/.qwen"
+  printf "%s" "${creds_b64}" | base64 -d > "${HOME}/.qwen/oauth_creds.json"
+  chmod 600 "${HOME}/.qwen/oauth_creds.json"
+}
+
+ensure_oauth_file
+exec /usr/local/bin/qwen-search "$@"

docker/qwen-search/qwen-search.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+set -eu
+
+prompt=""
+output_format="json"
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --term|--prompt|-p)
+      if [ "$#" -lt 2 ]; then
+        echo "Missing value for $1" >&2
+        exit 2
+      fi
+      prompt="$2"
+      shift 2
+      ;;
+    --output-format)
+      if [ "$#" -lt 2 ]; then
+        echo "Missing value for --output-format" >&2
+        exit 2
+      fi
+      output_format="$2"
+      shift 2
+      ;;
+    *)
+      shift
+      ;;
+  esac
+done
+
+if [ -z "$prompt" ]; then
+  echo "Missing --term/--prompt value" >&2
+  exit 2
+fi
+
+exec qwen --output-format "$output_format" --prompt "$prompt"

package-lock.json

@@ -1,17 +1,22 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-if [[ $# -lt 3 ]]; then
-  echo "Usage: $0 <ssh-password> <qwen-oauth-creds-b64> <telegram-bot-token> [ssh-host] [ssh-user] [public-origin]" >&2
+if [[ $# -lt 2 ]]; then
+  echo "Usage: $0 <ssh-password> <telegram-bot-token> [ssh-host] [ssh-user] [public-origin]" >&2
+  echo "Required env: PROD_QWEN_OAUTH_CREDS (base64 of ~/.qwen/oauth_creds.json)" >&2
   exit 1
 fi
 
 SSH_PASSWORD="$1"
-QWEN_OAUTH_CREDS_B64="$2"
-TELEGRAM_BOT_TOKEN="$3"
-SSH_HOST="${4-spawn-dock.w3voice.net}"
-SSH_USER="${5:-ops}"
-PUBLIC_ORIGIN="${6:-https://spawn-dock.w3voice.net}"
+TELEGRAM_BOT_TOKEN="$2"
+SSH_HOST="${3-spawn-dock.w3voice.net}"
+SSH_USER="${4:-ops}"
+PUBLIC_ORIGIN="${5:-https://spawn-dock.w3voice.net}"
+QWEN_OAUTH_CREDS_B64="${PROD_QWEN_OAUTH_CREDS:-}"
+if [[ -z "$QWEN_OAUTH_CREDS_B64" ]]; then
+  echo "PROD_QWEN_OAUTH_CREDS is required" >&2
+  exit 1
+fi
 TARGET_DIR="/srv/spawndock-api"
 BOT_SECRET="$(openssl rand -hex 24)"
 BOT_CONTROL_PLANE_URL="http://mcp-server:3000"
@@ -69,6 +74,7 @@ QWEN_CODE_COMMAND=qwen
 QWEN_CODE_AUTH_TYPE=qwen-oauth
 QWEN_CONTAINER_IMAGE=spawndock/qwen-search:prod
 QWEN_KNOWLEDGE_HOST_PATH=${TARGET_DIR}/knowledge
+PROD_QWEN_OAUTH_CREDS=${QWEN_OAUTH_CREDS_B64}
 QWEN_OAUTH_CREDS_B64=${QWEN_OAUTH_CREDS_B64}
 HF_TOKEN=
 EOF

scripts/deploy-prod.sh

@@ -33,6 +33,9 @@ describe("parseCommand", () => {
   it("parses unknown /lang code as lang-invalid", () => {
     expect(parseCommand("/lang de")).toEqual({ tag: "lang-invalid", arg: "de" });
   });
+  it("parses /getToken", () => {
+    expect(parseCommand("/getToken")).toEqual({ tag: "get-token" });
+  });
   it("returns unknown for random text", () => {
     expect(parseCommand("hello").tag).toBe("unknown");
   });

src/__tests__/bot-commands.test.ts

@@ -2,6 +2,8 @@ import { describe, expect, it } from "vitest";
 import { authenticateMcpRequest, findDeviceCredentialByMcpApiKey, readMcpApiKey } from "../mcp-auth.js";
 import type { StoreState } from "../types.js";
 
+delete process.env.API_TOKEN;
+
 const state: StoreState = {
   projects: [],
   pairingTokens: [],

src/__tests__/mcp-auth.test.ts

@@ -86,7 +86,7 @@ describe("runQwenSearchInContainer", () => {
         "-v",
         expect.stringMatching(/\/host\/knowledge:\/corpus:ro$/),
         "spawndock/qwen-search:local",
-        "-p",
+        "--term",
         "test prompt",
         "--output-format",
         "json",

src/__tests__/qwen-container.test.ts

@@ -11,6 +11,7 @@ export type BotCommand =
   | { tag: "lang-help" }
   | { tag: "lang-set"; locale: BotLocale }
   | { tag: "lang-invalid"; arg: string }
+  | { tag: "get-token" }
   | { tag: "unknown"; input: string };
 
 export function parseCommand(input: string): BotCommand {
@@ -31,6 +32,9 @@ export function parseCommand(input: string): BotCommand {
     const slug = text.slice(7).trim();
     return slug ? { tag: "launch", slug } : { tag: "launch-missing" };
   }
+  if (text === "/getToken" || text === "/gettoken") {
+    return { tag: "get-token" };
+  }
   return { tag: "unknown", input: text };
 }