Fix: Use JSON config files for ESM compatibility

- Replace @simpleworkjs/conf with simple custom loader
- Use JSON config files (base, development, production, secrets)
- Add config.js with ESM-compatible deep merge
- Support env var overrides for critical settings
- Auth disabled in dev mode via development.json

conf/base.js

@@ -1,36 +0,0 @@
-/**
- * Base configuration - shared across all environments
- */
-
-module.exports = {
-  server: {
-    port: 3000,
-    host: '0.0.0.0'
-  },
-  
-  gateway: {
-    url: 'http://127.0.0.1:18789',
-    token: 'a41984619a5f4b9bf9148ab6eb4abca53eb796d046cbbec5'
-  },
-  
-  session: {
-    secret: 'change-me-in-production',
-    maxAge: 24 * 60 * 60 * 1000 // 24 hours
-  },
-  
-  auth: {
-    disabled: false,
-    ldap: {
-      enabled: false,
-      url: 'ldap://localhost:389',
-      baseDN: 'ou=users,dc=example,dc=com',
-      bindDN: '',
-      bindPassword: '',
-      searchFilter: '(uid={{username}})'
-    }
-  },
-  
-  data: {
-    dir: './data'
-  }
-};

conf/base.json

@@ -0,0 +1,27 @@
+{
+  "server": {
+    "port": 3000,
+    "host": "0.0.0.0"
+  },
+  "gateway": {
+    "url": "http://127.0.0.1:18789"
+  },
+  "session": {
+    "secret": "change-me-in-production",
+    "maxAge": 86400000
+  },
+  "auth": {
+    "disabled": false,
+    "ldap": {
+      "enabled": false,
+      "url": "ldap://localhost:389",
+      "baseDN": "ou=users,dc=example,dc=com",
+      "bindDN": "",
+      "bindPassword": "",
+      "searchFilter": "(uid={{username}})"
+    }
+  },
+  "data": {
+    "dir": "./data"
+  }
+}

conf/development.js

@@ -1,16 +0,0 @@
-/**
- * Development environment configuration
- */
-
-module.exports = {
-  auth: {
-    disabled: true, // Skip auth in dev
-    ldap: {
-      enabled: false
-    }
-  },
-  
-  server: {
-    // Vite runs on 5173, proxy from there
-  }
-};

conf/development.json

@@ -0,0 +1,8 @@
+{
+  "auth": {
+    "disabled": true,
+    "ldap": {
+      "enabled": false
+    }
+  }
+}

conf/production.js

@@ -1,22 +0,0 @@
-/**
- * Production environment configuration
- */
-
-module.exports = {
-  server: {
-    // Use PORT env var if set, otherwise default
-    port: parseInt(process.env.PORT) || 3000
-  },
-  
-  session: {
-    // Should be set via secrets.js in production
-    secret: process.env.SESSION_SECRET || 'CHANGE-ME-NOW'
-  },
-  
-  auth: {
-    disabled: false,
-    ldap: {
-      enabled: process.env.LDAP_ENABLED === 'true'
-    }
-  }
-};

conf/production.json

@@ -0,0 +1,11 @@
+{
+  "server": {
+    "port": 3000
+  },
+  "session": {
+    "secret": "CHANGE-ME-NOW"
+  },
+  "auth": {
+    "disabled": false
+  }
+}

conf/secrets.example.js

@@ -1,26 +0,0 @@
-/**
- * Example secrets file
- * 
- * Copy this to secrets.js and fill in your actual values
- * secrets.js is ignored by git
- */
-
-module.exports = {
-  gateway: {
-    // Your OpenClaw gateway token
-    token: 'your-gateway-token-here'
-  },
-  
-  session: {
-    // Random string for session signing
-    secret: 'generate-a-random-string-here'
-  },
-  
-  auth: {
-    ldap: {
-      // LDAP bind credentials (if needed for search)
-      bindDN: 'cn=admin,dc=example,dc=com',
-      bindPassword: 'ldap-admin-password'
-    }
-  }
-};

conf/secrets.example.json

@@ -0,0 +1,14 @@
+{
+  "gateway": {
+    "token": "your-gateway-token-here"
+  },
+  "session": {
+    "secret": "generate-a-random-string-here"
+  },
+  "auth": {
+    "ldap": {
+      "bindDN": "cn=admin,dc=example,dc=com",
+      "bindPassword": "ldap-admin-password"
+    }
+  }
+}

conf/secrets.json

@@ -0,0 +1,14 @@
+{
+  "gateway": {
+    "token": "a41984619a5f4b9bf9148ab6eb4abca53eb796d046cbbec5"
+  },
+  "session": {
+    "secret": "dev-session-secret-change-in-production"
+  },
+  "auth": {
+    "ldap": {
+      "bindDN": "",
+      "bindPassword": ""
+    }
+  }
+}