@agenthifive/openclaw-setup 0.1.0

package/dist/vault-token-manager.js

@@ -0,0 +1,124 @@
+import { importES256Key, exchangeToken } from "./jwt-utils.js";
+export class VaultTokenManager {
+    baseUrl;
+    agentId;
+    privateKeyJWK;
+    tokenAudience;
+    privateKeyObj = null;
+    accessToken = null;
+    tokenExpiresAt = 0; // epoch ms
+    refreshTimer = null;
+    refreshInFlight = null;
+    /** Called after every successful token refresh with the new token. */
+    onRefresh = null;
+    /** Called when token refresh fails with 401 — indicates the agent's key is no longer valid. */
+    onAuthFailure = null;
+    constructor(config) {
+        this.baseUrl = config.baseUrl.replace(/\/+$/, "");
+        this.agentId = config.agentId;
+        this.privateKeyJWK = config.privateKey;
+        this.tokenAudience = (config.tokenAudience ?? this.baseUrl).replace(/\/+$/, "");
+    }
+    /**
+     * Perform the initial token exchange and start the background refresh timer.
+     * Must be called (and awaited) before getToken().
+     */
+    async init() {
+        // Import the JWK once
+        this.privateKeyObj = await importES256Key(this.privateKeyJWK);
+        // Initial token exchange
+        await this.refreshToken();
+        // Schedule background refresh — check every 30s, refresh when near expiry
+        this.refreshTimer = setInterval(() => {
+            if (Date.now() >= this.tokenExpiresAt - 60_000) {
+                this.refreshToken().catch((err) => {
+                    const ttlLeft = Math.max(0, Math.round((this.tokenExpiresAt - Date.now()) / 1000));
+                    console.error(`[vault-token-manager] refresh failed (current token expires in ${ttlLeft}s, ` +
+                        `prefix: ${this.accessToken?.slice(0, 4) ?? "none"}): ${err instanceof Error ? err.message : String(err)}`);
+                });
+            }
+        }, 30_000);
+        // Don't keep the process alive just for token refresh
+        if (this.refreshTimer &&
+            typeof this.refreshTimer === "object" &&
+            "unref" in this.refreshTimer) {
+            this.refreshTimer.unref();
+        }
+    }
+    /**
+     * Get the current bearer token. Synchronous — relies on background refresh.
+     * Throws if init() hasn't been called.
+     */
+    getToken() {
+        if (!this.accessToken) {
+            throw new Error("VaultTokenManager not initialized — call init() first");
+        }
+        return this.accessToken;
+    }
+    /** Stop the background refresh timer. */
+    stop() {
+        if (this.refreshTimer) {
+            clearInterval(this.refreshTimer);
+            this.refreshTimer = null;
+        }
+    }
+    /**
+     * Force an immediate token refresh. Called on-demand when a 401 is received.
+     * Coalesces concurrent requests — if a refresh is already in flight, callers
+     * wait for the same promise instead of hammering the token endpoint.
+     */
+    async forceRefresh() {
+        if (this.refreshInFlight) {
+            try {
+                await this.refreshInFlight;
+                return true;
+            }
+            catch {
+                return false;
+            }
+        }
+        const attempt = this.refreshToken();
+        this.refreshInFlight = attempt;
+        try {
+            await attempt;
+            return true;
+        }
+        catch {
+            return false;
+        }
+        finally {
+            this.refreshInFlight = null;
+        }
+    }
+    async refreshToken() {
+        if (!this.privateKeyObj) {
+            throw new Error("Private key not imported — call init() first");
+        }
+        try {
+            const result = await exchangeToken(this.privateKeyObj, {
+                baseUrl: this.baseUrl,
+                agentId: this.agentId,
+                tokenAudience: this.tokenAudience,
+            });
+            const previousToken = this.accessToken;
+            this.accessToken = result.accessToken;
+            this.tokenExpiresAt = Date.now() + result.expiresIn * 1000;
+            console.log(`[vault-token-manager] Token refreshed (prefix: ${this.accessToken.slice(0, 4)}..., ` +
+                `ttl: ${result.expiresIn}s, previous: ${previousToken ? previousToken.slice(0, 4) + "..." : "none"})`);
+            // Notify listener (register.ts uses this to update the shared mutable auth object)
+            this.onRefresh?.(this.accessToken);
+        }
+        catch (err) {
+            // Check for 401 specifically
+            if (err instanceof Error && err.message.includes("401")) {
+                console.error("[vault-token-manager] Token exchange rejected (401). " +
+                    "The agent's key pair is no longer valid — agent may have been disabled or key rotated. " +
+                    "Generate a bootstrap secret from the AgentHiFive dashboard (Agents → Bootstrap Secret), " +
+                    "then run `openclaw configure` to reconnect.");
+                this.onAuthFailure?.();
+            }
+            throw err;
+        }
+    }
+}
+//# sourceMappingURL=vault-token-manager.js.map

package/dist/vault-token-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-token-manager.js","sourceRoot":"","sources":["../src/vault-token-manager.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAS/D,MAAM,OAAO,iBAAiB;IACX,OAAO,CAAS;IAChB,OAAO,CAAS;IAChB,aAAa,CAAa;IAC1B,aAAa,CAAS;IAE/B,aAAa,GAAmB,IAAI,CAAC;IACrC,WAAW,GAAkB,IAAI,CAAC;IAClC,cAAc,GAAG,CAAC,CAAC,CAAC,WAAW;IAC/B,YAAY,GAA0C,IAAI,CAAC;IAC3D,eAAe,GAAyB,IAAI,CAAC;IAErD,sEAAsE;IACtE,SAAS,GAAwC,IAAI,CAAC;IAEtD,+FAA+F;IAC/F,aAAa,GAAwB,IAAI,CAAC;IAE1C,YAAY,MAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC;QACvC,IAAI,CAAC,aAAa,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAClF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI;QACR,sBAAsB;QACtB,IAAI,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAE9D,yBAAyB;QACzB,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAE1B,0EAA0E;QAC1E,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;YACnC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,cAAc,GAAG,MAAM,EAAE,CAAC;gBAC/C,IAAI,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;oBACnF,OAAO,CAAC,KAAK,CACX,kEAAkE,OAAO,KAAK;wBAC5E,WAAW,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7G,CAAC;gBACJ,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,EAAE,MAAM,CAAC,CAAC;QAEX,sDAAsD;QACtD,IACE,IAAI,CAAC,YAAY;YACjB,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ;YACrC,OAAO,IAAI,IAAI,CAAC,YAAY,EAC5B,CAAC;YACD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,yCAAyC;IACzC,IAAI;QACF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,eAAe,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,OAAO,CAAC;YACd,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,aAAa,EAAE;gBACrD,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,aAAa,EAAE,IAAI,CAAC,aAAa;aAClC,CAAC,CAAC;YAEH,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC;YACvC,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;YACtC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;YAE3D,OAAO,CAAC,GAAG,CACT,kDAAkD,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO;gBACnF,QAAQ,MAAM,CAAC,SAAS,gBAAgB,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,GAAG,CACxG,CAAC;YAEF,mFAAmF;YACnF,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,6BAA6B;YAC7B,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxD,OAAO,CAAC,KAAK,CACX,uDAAuD;oBACrD,yFAAyF;oBACzF,0FAA0F;oBAC1F,6CAA6C,CAChD,CAAC;gBACF,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC;YACzB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@agenthifive/openclaw-setup",
+  "version": "0.1.0",
+  "type": "module",
+  "bin": {
+    "ah5-setup": "dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "lint": "echo Lint: OK"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/supersantux/AgentH5.git",
+    "directory": "packages/openclaw-setup"
+  },
+  "keywords": [
+    "openclaw",
+    "agenthifive",
+    "vault",
+    "ai-agent",
+    "setup",
+    "cli"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "jose": "^5.9.3"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.6.0"
+  }
+}