NewsClaw

NewsClaw is a Next.js 16 web application for passkey-secured news monitoring. A user signs in with WebAuthn passkeys, completes a first-login OpenClaw agent setup, and then lands on a professional dashboard to choose the news categories that should drive their workspace.

Overview

NewsClaw is designed for teams that want a lightweight operator UI around an OpenClaw-style news workflow. The app handles user authentication, first-run agent setup, workspace restore, messaging-channel pairing, and category-driven dashboard personalization in one flow.

What It Does

• Registers and signs in users with WebAuthn passkeys
• Guides first-time users through agent setup before dashboard access
• Restores a pinned AWS Lightsail snapshot through the local clawmacdo CLI
• Supports per-user WhatsApp or Telegram pairing after restore
• Stores local workspace state in SQLite
• Lets users shape the dashboard around the news categories they actually track

Stack

• Next.js 16 with App Router and TypeScript
• Tailwind CSS v4 and shadcn/ui
• SQLite with better-sqlite3
• Native WebAuthn passkeys with @simplewebauthn/server and @simplewebauthn/browser
• Local session persistence with HTTP-only cookies and SQLite-backed session records

Features

• Passkey-first authentication with account creation and sign-in flows
• First-login gate that requires OpenClaw agent setup before dashboard access
• AWS Lightsail snapshot restore orchestrated through the local clawmacdo CLI
• Per-user messaging channel choice for WhatsApp QR pairing or Telegram bot challenge pairing
• SQLite persistence for users, passkeys, sessions, agent configuration, and category preferences
• Dashboard experience for selecting preferred news categories
• Tailwind + shadcn styling with a polished editorial UI

Quick Start

1. Install dependencies.
2. Create .env from .env.example and fill in the AWS and encryption settings.
3. Run the development server.
4. Open http://localhost:3000 and create a passkey-backed account.
5. Complete setup, restore, pairing, and dashboard selection.

Environment

Create a .env file from .env.example.

SQLITE_DATA_DIR=./data
WEBAUTHN_RP_ID=localhost
WEBAUTHN_ORIGIN=http://localhost:3000
WEBAUTHN_REQUIRE_USER_VERIFICATION=false
SESSION_COOKIE_NAME=newsclaw_session
NEWSCLAW_KEY_ENCRYPTION_SECRET=change-this-to-a-long-random-secret
CLAWMACDO_SNAPSHOT_NAME=openclaw-6ce6169b-10007-prod
CLAWMACDO_INSTANCE_SIZE=s-2vcpu-4gb
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=ap-southeast-1

Set WEBAUTHN_REQUIRE_USER_VERIFICATION=true only if you want to force biometric/PIN verification on every authenticator and your test devices support it consistently.

Local Development

Install dependencies:

npm install

Start the development server:

npm run dev

Open http://localhost:3000.

Requirements

• Node.js 20+
• npm
• AWS credentials with access to the target Lightsail snapshot
• A local environment capable of WebAuthn testing
• clawmacdo installed through npm dependencies

Authentication Flow

1. New users create an account with name, email, and a passkey.
2. After the passkey is registered, NewsClaw checks whether an OpenClaw agent exists.
3. If no agent exists, the user is redirected to /setup-agent.
4. Setup now captures the user-specific channel choice: WhatsApp or Telegram.
5. NewsClaw restores the pinned Lightsail snapshot through clawmacdo ls-restore.
6. After restore, the user completes WhatsApp QR pairing or Telegram challenge pairing.
7. Once pairing is complete, the user lands on /dashboard.

SQLite Storage

The app creates newsclaw.db inside the directory configured by SQLITE_DATA_DIR.

Examples:

• SQLITE_DATA_DIR=./data
• SQLITE_DATA_DIR=./storage/sqlite

If SQLITE_DATA_DIR is not set, the app falls back to ./data.

Stored entities:

• users
• passkeys
• sessions
• openclaw_agents
• category_preferences
• restore_jobs
• user_channel_configs
• messaging_pairings

Passkey Testing Notes

• Use a browser with WebAuthn support.
• Chrome DevTools includes a WebAuthn emulator if you want to test passkeys without a physical authenticator.
• For local development, the relying party ID defaults to localhost.

Build Validation

Production build validation succeeds with:

npm run build

Railway Deployment

This repository now includes a Dockerfile for Railway.

Runtime behavior inside Railway:

• If WEBAUTHN_ORIGIN is not set, the container derives it from RAILWAY_PUBLIC_DOMAIN.
• If WEBAUTHN_RP_ID is not set, the container derives it from RAILWAY_PUBLIC_DOMAIN.
• If SQLITE_DATA_DIR is not set and a Railway volume is mounted, the container uses RAILWAY_VOLUME_MOUNT_PATH.

Recommended Railway environment variables:

• WEBAUTHN_RP_ID
• WEBAUTHN_ORIGIN
• WEBAUTHN_REQUIRE_USER_VERIFICATION
• SESSION_COOKIE_NAME
• NEWSCLAW_KEY_ENCRYPTION_SECRET
• CLAWMACDO_SNAPSHOT_NAME
• CLAWMACDO_INSTANCE_SIZE
• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_REGION

Container notes:

• The container listens on Railway's PORT value and binds to 0.0.0.0.
• SQLite defaults to /app/data inside the container.
• For persistent SQLite storage on Railway, mount a volume and point SQLITE_DATA_DIR at that mounted path.
• The WebAuthn values can be set explicitly, but Railway domain fallbacks are now handled automatically at container startup.

Decrypt an encrypted restore-job private key for manual inspection:

npm run decrypt-restore-key -- --job <restore-job-id>

Notes

• The OpenClaw step currently captures the agent configuration required for the news-search workflow and stores it locally in SQLite.
• Category choices are saved immediately and reloaded on the dashboard.

Security Notes

• .env is ignored and intended for local secrets only.
• The local SQLite data directory is ignored and should not be committed.
• Telegram bot tokens and restored private keys are encrypted before storage.