npm - @agenthifive/openclaw - Versions diffs - 0.1.0 - Mend

@agenthifive/openclaw 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/README.md +124 -0
package/dist/client.d.ts +27 -0
package/dist/client.d.ts.map +1 -0
package/dist/client.js +136 -0
package/dist/client.js.map +1 -0
package/dist/index.d.ts +16 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +23 -0
package/dist/index.js.map +1 -0
package/dist/jwt-utils.d.ts +29 -0
package/dist/jwt-utils.d.ts.map +1 -0
package/dist/jwt-utils.js +55 -0
package/dist/jwt-utils.js.map +1 -0
package/dist/patch-verify.d.ts +28 -0
package/dist/patch-verify.d.ts.map +1 -0
package/dist/patch-verify.js +72 -0
package/dist/patch-verify.js.map +1 -0
package/dist/pending-approvals.d.ts +55 -0
package/dist/pending-approvals.d.ts.map +1 -0
package/dist/pending-approvals.js +95 -0
package/dist/pending-approvals.js.map +1 -0
package/dist/prompt-reference.d.ts +51 -0
package/dist/prompt-reference.d.ts.map +1 -0
package/dist/prompt-reference.js +645 -0
package/dist/prompt-reference.js.map +1 -0
package/dist/register.d.ts +20 -0
package/dist/register.d.ts.map +1 -0
package/dist/register.js +551 -0
package/dist/register.js.map +1 -0
package/dist/runtime.d.ts +66 -0
package/dist/runtime.d.ts.map +1 -0
package/dist/runtime.js +87 -0
package/dist/runtime.js.map +1 -0
package/dist/session-context.d.ts +39 -0
package/dist/session-context.d.ts.map +1 -0
package/dist/session-context.js +58 -0
package/dist/session-context.js.map +1 -0
package/dist/setup-wizard.d.ts +28 -0
package/dist/setup-wizard.d.ts.map +1 -0
package/dist/setup-wizard.js +303 -0
package/dist/setup-wizard.js.map +1 -0
package/dist/tools.d.ts +27 -0
package/dist/tools.d.ts.map +1 -0
package/dist/tools.js +128 -0
package/dist/tools.js.map +1 -0
package/dist/types.d.ts +93 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/dist/vault-action-proxy.d.ts +75 -0
package/dist/vault-action-proxy.d.ts.map +1 -0
package/dist/vault-action-proxy.js +152 -0
package/dist/vault-action-proxy.js.map +1 -0
package/dist/vault-provider.d.ts +52 -0
package/dist/vault-provider.d.ts.map +1 -0
package/dist/vault-provider.js +37 -0
package/dist/vault-provider.js.map +1 -0
package/dist/vault-token-manager.d.ts +42 -0
package/dist/vault-token-manager.d.ts.map +1 -0
package/dist/vault-token-manager.js +124 -0
package/dist/vault-token-manager.js.map +1 -0
package/openclaw.plugin.json +59 -0
package/package.json +58 -0
package/patches/README.md +85 -0
package/patches/model-auth.patch +44 -0

package/README.md ADDED Viewed

@@ -0,0 +1,124 @@
+# @agenthifive/openclaw
+OpenClaw plugin for [AgentHiFive](https://agenthifive.com) vault integration. Gives AI agents secure, policy-governed access to user accounts through vault-managed credentials and a brokered API proxy.
+## What It Does
+- **5 agent tools** for executing API calls through the vault (Model B brokered proxy)
+- **Step-up approval flow** for sensitive actions (user approves via dashboard)
+- **Prompt injection** with chunked API reference docs for connected services
+- **ES256 JWT auth** with automatic background token refresh
+- **Setup wizard** (`openclaw setup-vault`) for bootstrapping agent auth
+## Quick Start
+### 1. Install
+```bash
+openclaw plugins install @agenthifive/openclaw
+```
+Or add to your OpenClaw config manually:
+```json
+{
+  "plugins": {
+    "load": { "paths": ["@agenthifive/openclaw"] },
+    "entries": {
+      "agenthifive": {
+        "enabled": true,
+        "hooks": { "allowPromptInjection": true },
+        "config": { ... }
+      }
+    }
+  }
+}
+```
+### 2. Setup
+Run the setup wizard to bootstrap agent auth and discover connected services:
+```bash
+openclaw setup-vault
+```
+Or non-interactively:
+```bash
+openclaw setup-vault --base-url https://app.agenthifive.com --bootstrap-secret ah5b_...
+```
+The wizard generates a JSON config block to paste into `~/.openclaw/openclaw.json`.
+### 3. Connect Services
+Add OAuth connections (Google, Microsoft, Slack, Telegram, etc.) and configure policies in the [AgentHiFive dashboard](https://app.agenthifive.com).
+## Tools
+| Tool | Description |
+|------|-------------|
+| `agenthifive_execute` | Execute an HTTP request through the vault proxy (Model B) |
+| `agenthifive_approval_request` | Create a step-up approval request for sensitive actions |
+| `agenthifive_approval_commit` | Wait for an approval to be resolved |
+| `agenthifive_connections_list` | List available connections and their status |
+| `agenthifive_connection_revoke` | Revoke a connection immediately |
+## Configuration
+Plugin config goes in `plugins.entries.agenthifive.config` in your `openclaw.json`:
+| Key | Type | Description |
+|-----|------|-------------|
+| `baseUrl` | string | AgentHiFive API base URL |
+| `auth.mode` | `"agent"` \| `"bearer"` | Authentication mode |
+| `auth.agentId` | string | Agent ID (agent mode) |
+| `auth.privateKey` | string | Base64-encoded ES256 JWK (agent mode) |
+| `auth.token` | string | Bearer token (bearer mode) |
+| `auth.tokenAudience` | string | Token audience override (optional) |
+| `connectedProviders` | string[] | Provider names for prompt injection |
+| `proxiedProviders` | string[] | Providers using vault LLM proxy |
+| `pollTimeoutMs` | number | Approval poll timeout (default: 300000) |
+| `pollIntervalMs` | number | Approval poll interval (default: 3000) |
+## LLM Credential Proxying (Optional Patch)
+To route LLM API calls through the vault (so agents don't need local API keys), apply the included patch:
+```bash
+pnpm patch openclaw
+cd <temp-directory>
+patch -p1 < node_modules/@agenthifive/openclaw/patches/model-auth.patch
+pnpm patch-commit <temp-directory>
+```
+This adds vault credential resolution (Tier 0 + Tier 0.5) to OpenClaw's `resolveApiKeyForProvider()`. The patch uses dynamic imports and is a no-op when the plugin is not installed.
+See [`patches/README.md`](patches/README.md) for details.
+## Programmatic Usage
+The package also exports classes for use outside the plugin system:
+```typescript
+import { VaultClient, VaultTokenManager, VaultActionProxy } from "@agenthifive/openclaw";
+// Direct API client
+const client = new VaultClient({
+  baseUrl: "https://app.agenthifive.com",
+  auth: { mode: "bearer", token: "ah5t_..." },
+});
+// ES256 JWT token management
+const tokenManager = new VaultTokenManager({
+  baseUrl: "https://app.agenthifive.com",
+  agentId: "agent_...",
+  privateKey: jwk,
+});
+await tokenManager.init();
+```
+## License
+MIT

package/dist/client.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { OpenClawPluginConfig } from "./types.js";
+/**
+ * Lightweight HTTP client for communicating with the AgentHiFive Vault API.
+ * Supports agent auth (private_key_jwt with auto token refresh) and direct bearer tokens.
+ */
+export declare class VaultClient {
+    private readonly baseUrl;
+    private directBearerToken;
+    private privateKeyJWK;
+    private privateKeyObj;
+    private agentId;
+    private tokenAudience;
+    private accessToken;
+    private tokenExpiresAt;
+    constructor(config: OpenClawPluginConfig);
+    private getAuthHeader;
+    private refreshToken;
+    get<T>(path: string): Promise<T>;
+    post<T>(path: string, body?: unknown): Promise<T>;
+    put<T>(path: string, body?: unknown): Promise<T>;
+    private handleResponse;
+}
+export declare class VaultApiError extends Error {
+    readonly statusCode: number;
+    constructor(message: string, statusCode: number);
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAGvD;;;GAGG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAGjC,OAAO,CAAC,iBAAiB,CAAgB;IAGzC,OAAO,CAAC,aAAa,CAAoB;IACzC,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,aAAa,CAAS;IAG9B,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,cAAc,CAAa;gBAEvB,MAAM,EAAE,oBAAoB;YAkB1B,aAAa;YAYb,YAAY;IAyBpB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAYhC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAgBjD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;YAgBxC,cAAc;CAiB7B;AAED,qBAAa,aAAc,SAAQ,KAAK;aAGpB,UAAU,EAAE,MAAM;gBADlC,OAAO,EAAE,MAAM,EACC,UAAU,EAAE,MAAM;CAKrC"}

package/dist/client.js ADDED Viewed

@@ -0,0 +1,136 @@
+import { importES256Key, exchangeToken, TokenExchangeError } from "./jwt-utils.js";
+/**
+ * Lightweight HTTP client for communicating with the AgentHiFive Vault API.
+ * Supports agent auth (private_key_jwt with auto token refresh) and direct bearer tokens.
+ */
+export class VaultClient {
+    baseUrl;
+    // Direct bearer mode
+    directBearerToken;
+    // Agent auth mode
+    privateKeyJWK;
+    privateKeyObj = null;
+    agentId;
+    tokenAudience;
+    // Token cache
+    accessToken = null;
+    tokenExpiresAt = 0; // epoch ms
+    constructor(config) {
+        // Strip trailing slash
+        this.baseUrl = config.baseUrl.replace(/\/+$/, "");
+        if (config.auth.mode === "bearer") {
+            this.directBearerToken = config.auth.token;
+            this.privateKeyJWK = null;
+            this.agentId = null;
+            this.tokenAudience = "";
+        }
+        else {
+            // agent mode
+            this.directBearerToken = null;
+            this.privateKeyJWK = config.auth.privateKey;
+            this.agentId = config.auth.agentId;
+            this.tokenAudience = config.auth.tokenAudience ?? this.baseUrl;
+        }
+    }
+    async getAuthHeader() {
+        if (this.directBearerToken) {
+            return `Bearer ${this.directBearerToken}`;
+        }
+        // Refresh token if expired or expiring within 30s
+        if (!this.accessToken || Date.now() >= this.tokenExpiresAt - 30_000) {
+            await this.refreshToken();
+        }
+        return `Bearer ${this.accessToken}`;
+    }
+    async refreshToken() {
+        if (!this.privateKeyJWK || !this.agentId) {
+            throw new Error("Cannot refresh token without privateKey and agentId");
+        }
+        if (!this.privateKeyObj) {
+            this.privateKeyObj = await importES256Key(this.privateKeyJWK);
+        }
+        try {
+            const result = await exchangeToken(this.privateKeyObj, {
+                baseUrl: this.baseUrl,
+                agentId: this.agentId,
+                tokenAudience: this.tokenAudience,
+            });
+            this.accessToken = result.accessToken;
+            this.tokenExpiresAt = Date.now() + result.expiresIn * 1000;
+        }
+        catch (err) {
+            if (err instanceof TokenExchangeError) {
+                throw new VaultApiError(err.message, err.statusCode);
+            }
+            throw err;
+        }
+    }
+    async get(path) {
+        const authHeader = await this.getAuthHeader();
+        const response = await fetch(`${this.baseUrl}${path}`, {
+            method: "GET",
+            headers: {
+                Authorization: authHeader,
+                Accept: "application/json",
+            },
+        });
+        return this.handleResponse(response);
+    }
+    async post(path, body) {
+        const authHeader = await this.getAuthHeader();
+        const headers = {
+            Authorization: authHeader,
+            Accept: "application/json",
+        };
+        const init = { method: "POST", headers };
+        if (body !== undefined) {
+            headers["Content-Type"] = "application/json";
+            init.body = JSON.stringify(body);
+        }
+        const response = await fetch(`${this.baseUrl}${path}`, init);
+        return this.handleResponse(response);
+    }
+    async put(path, body) {
+        const authHeader = await this.getAuthHeader();
+        const headers = {
+            Authorization: authHeader,
+            Accept: "application/json",
+        };
+        const init = { method: "PUT", headers };
+        if (body !== undefined) {
+            headers["Content-Type"] = "application/json";
+            init.body = JSON.stringify(body);
+        }
+        const response = await fetch(`${this.baseUrl}${path}`, init);
+        return this.handleResponse(response);
+    }
+    async handleResponse(response) {
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            let message = `Vault API error: ${response.status} ${response.statusText}`;
+            if (text) {
+                try {
+                    const parsed = JSON.parse(text);
+                    if (parsed.error)
+                        message = parsed.error;
+                    else if (parsed.message)
+                        message = parsed.message;
+                }
+                catch {
+                    message = text;
+                }
+            }
+            throw new VaultApiError(message, response.status);
+        }
+        return (await response.json());
+    }
+}
+export class VaultApiError extends Error {
+    statusCode;
+    constructor(message, statusCode) {
+        super(message);
+        this.statusCode = statusCode;
+        this.name = "VaultApiError";
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEnF;;;GAGG;AACH,MAAM,OAAO,WAAW;IACL,OAAO,CAAS;IAEjC,qBAAqB;IACb,iBAAiB,CAAgB;IAEzC,kBAAkB;IACV,aAAa,CAAoB;IACjC,aAAa,GAAmB,IAAI,CAAC;IACrC,OAAO,CAAgB;IACvB,aAAa,CAAS;IAE9B,cAAc;IACN,WAAW,GAAkB,IAAI,CAAC;IAClC,cAAc,GAAW,CAAC,CAAC,CAAC,WAAW;IAE/C,YAAY,MAA4B;QACtC,uBAAuB;QACvB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAElD,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAClC,IAAI,CAAC,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;YAC3C,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;YACpB,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,aAAa;YACb,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC9B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;YAC5C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;YACnC,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,OAAO,CAAC;QACjE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,OAAO,UAAU,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC5C,CAAC;QAED,kDAAkD;QAClD,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,cAAc,GAAG,MAAM,EAAE,CAAC;YACpE,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC5B,CAAC;QACD,OAAO,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,IAAI,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,aAAa,EAAE;gBACrD,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,aAAa,EAAE,IAAI,CAAC,aAAa;aAClC,CAAC,CAAC;YACH,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;YACtC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;QAC7D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,kBAAkB,EAAE,CAAC;gBACtC,MAAM,IAAI,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY;QACvB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YACrD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU;gBACzB,MAAM,EAAE,kBAAkB;aAC3B;SACF,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,cAAc,CAAI,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAc;QACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC9C,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU;YACzB,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QACF,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QACtD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;YAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC,cAAc,CAAI,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,IAAc;QACvC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC9C,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU;YACzB,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QACF,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACrD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;YAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC,cAAc,CAAI,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAEO,KAAK,CAAC,cAAc,CAAI,QAAkB;QAChD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,IAAI,OAAO,GAAG,oBAAoB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3E,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyC,CAAC;oBACxE,IAAI,MAAM,CAAC,KAAK;wBAAE,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;yBACpC,IAAI,MAAM,CAAC,OAAO;wBAAE,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;gBACpD,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,KAAK;IAGpB;IAFlB,YACE,OAAe,EACC,UAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+export { default as plugin } from "./register.js";
+export { API_REFERENCE_PROMPT, API_REFERENCE_SECTIONS, CHUNKED_API_SECTIONS, buildApiReferencePrompt, writeReferenceFiles, buildChunkedPrompt, } from "./prompt-reference.js";
+export { VaultClient, VaultApiError } from "./client.js";
+export { importES256Key, exchangeToken, TokenExchangeError } from "./jwt-utils.js";
+export { VaultTokenManager } from "./vault-token-manager.js";
+export { VaultActionProxy } from "./vault-action-proxy.js";
+export { VaultCredentialProvider } from "./vault-provider.js";
+export { verifyPatches } from "./patch-verify.js";
+export type { PatchStatus } from "./patch-verify.js";
+export { runSetupWizard, parseSetupArgs, buildConfigOutput } from "./setup-wizard.js";
+export type { SetupOptions } from "./setup-wizard.js";
+export { setCurrentSessionContext, getCurrentSessionContext, parseSessionKey, } from "./session-context.js";
+export { initPendingApprovals, addPendingApproval, loadPendingApprovals, savePendingApprovals, loadFallbackNotifications, saveFallbackNotifications, } from "./pending-approvals.js";
+export type { OpenClawPluginConfig, OpenClawAuthConfig, ExecuteInput, ExecuteOutput, ExecuteApprovalOutput, ApprovalRequestInput, ApprovalRequestOutput, ApprovalCommitInput, ApprovalCommitOutput, ConnectionListItem, ConnectionsListOutput, ConnectionRevokeInput, ConnectionRevokeOutput, ActionProxy, ProxyRequest, ProxyResponse, CredentialProvider, CredentialQuery, CredentialResult, VaultProviderConfig, VaultTokenManagerConfig, SessionContext, PendingApproval, FallbackNotification, PluginLogger, } from "./types.js";
+export { execute, approvalRequest, approvalCommit, connectionsList, connectionRevoke, } from "./tools.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGzD,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAGnF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAG9D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAGrD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtF,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGtD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,yBAAyB,EACzB,yBAAyB,GAC1B,MAAM,wBAAwB,CAAC;AAGhC,YAAY,EACV,oBAAoB,EACpB,kBAAkB,EAClB,YAAY,EACZ,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,EAEtB,WAAW,EACX,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,uBAAuB,EACvB,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,OAAO,EACP,eAAe,EACf,cAAc,EACd,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,23 @@
+// OpenClaw plugin entry (register-based API for OpenClaw's plugin loader)
+export { default as plugin } from "./register.js";
+// Prompt reference (for LLM-as-integration-layer)
+export { API_REFERENCE_PROMPT, API_REFERENCE_SECTIONS, CHUNKED_API_SECTIONS, buildApiReferencePrompt, writeReferenceFiles, buildChunkedPrompt, } from "./prompt-reference.js";
+// Client
+export { VaultClient, VaultApiError } from "./client.js";
+// JWT utilities
+export { importES256Key, exchangeToken, TokenExchangeError } from "./jwt-utils.js";
+// Vault auth & runtime (M2 extractions)
+export { VaultTokenManager } from "./vault-token-manager.js";
+export { VaultActionProxy } from "./vault-action-proxy.js";
+export { VaultCredentialProvider } from "./vault-provider.js";
+// Patch runtime (separate entry point at @agenthifive/openclaw/runtime)
+export { verifyPatches } from "./patch-verify.js";
+// Setup wizard
+export { runSetupWizard, parseSetupArgs, buildConfigOutput } from "./setup-wizard.js";
+// Session context
+export { setCurrentSessionContext, getCurrentSessionContext, parseSessionKey, } from "./session-context.js";
+// Pending approvals
+export { initPendingApprovals, addPendingApproval, loadPendingApprovals, savePendingApprovals, loadFallbackNotifications, saveFallbackNotifications, } from "./pending-approvals.js";
+// Individual tool functions (for advanced usage)
+export { execute, approvalRequest, approvalCommit, connectionsList, connectionRevoke, } from "./tools.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,eAAe,CAAC;AAElD,kDAAkD;AAClD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAE/B,SAAS;AACT,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEzD,gBAAgB;AAChB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEnF,wCAAwC;AACxC,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAE9D,wEAAwE;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,eAAe;AACf,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAGtF,kBAAkB;AAClB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAE9B,oBAAoB;AACpB,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,yBAAyB,EACzB,yBAAyB,GAC1B,MAAM,wBAAwB,CAAC;AAgChC,iDAAiD;AACjD,OAAO,EACL,OAAO,EACP,eAAe,EACf,cAAc,EACd,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/jwt-utils.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Shared JWT utilities for ES256 client assertion auth.
+ *
+ * Used by both VaultClient (on-demand token refresh) and
+ * VaultTokenManager (background token refresh).
+ */
+import { type KeyLike } from "jose";
+export type TokenExchangeConfig = {
+    baseUrl: string;
+    agentId: string;
+    tokenAudience: string;
+};
+export type TokenExchangeResult = {
+    accessToken: string;
+    expiresIn: number;
+};
+/**
+ * Import a JWK as a KeyLike object for ES256 signing.
+ */
+export declare function importES256Key(jwk: JsonWebKey): Promise<KeyLike>;
+/**
+ * Sign an ES256 client assertion JWT and exchange it for an access token.
+ */
+export declare function exchangeToken(privateKey: KeyLike, config: TokenExchangeConfig): Promise<TokenExchangeResult>;
+export declare class TokenExchangeError extends Error {
+    readonly statusCode: number;
+    constructor(message: string, statusCode: number);
+}
+//# sourceMappingURL=jwt-utils.d.ts.map

package/dist/jwt-utils.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-utils.d.ts","sourceRoot":"","sources":["../src/jwt-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAsB,KAAK,OAAO,EAAY,MAAM,MAAM,CAAC;AAElE,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;GAEG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAEtE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,OAAO,EACnB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CAuC9B;AAED,qBAAa,kBAAmB,SAAQ,KAAK;aAGzB,UAAU,EAAE,MAAM;gBADlC,OAAO,EAAE,MAAM,EACC,UAAU,EAAE,MAAM;CAKrC"}

package/dist/jwt-utils.js ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * Shared JWT utilities for ES256 client assertion auth.
+ *
+ * Used by both VaultClient (on-demand token refresh) and
+ * VaultTokenManager (background token refresh).
+ */
+import { SignJWT, importJWK } from "jose";
+/**
+ * Import a JWK as a KeyLike object for ES256 signing.
+ */
+export async function importES256Key(jwk) {
+    return (await importJWK(jwk, "ES256"));
+}
+/**
+ * Sign an ES256 client assertion JWT and exchange it for an access token.
+ */
+export async function exchangeToken(privateKey, config) {
+    const now = Math.floor(Date.now() / 1000);
+    const assertion = await new SignJWT({})
+        .setProtectedHeader({ alg: "ES256" })
+        .setIssuer(config.agentId)
+        .setSubject(config.agentId)
+        .setAudience(config.tokenAudience)
+        .setIssuedAt(now)
+        .setExpirationTime(now + 30)
+        .setJti(crypto.randomUUID())
+        .sign(privateKey);
+    const response = await fetch(`${config.baseUrl}/v1/agents/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            grant_type: "client_assertion",
+            client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            client_assertion: assertion,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new TokenExchangeError(`Token exchange failed: ${response.status} ${text}`, response.status);
+    }
+    const result = (await response.json());
+    return {
+        accessToken: result.access_token,
+        expiresIn: result.expires_in,
+    };
+}
+export class TokenExchangeError extends Error {
+    statusCode;
+    constructor(message, statusCode) {
+        super(message);
+        this.statusCode = statusCode;
+        this.name = "TokenExchangeError";
+    }
+}
+//# sourceMappingURL=jwt-utils.js.map

package/dist/jwt-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-utils.js","sourceRoot":"","sources":["../src/jwt-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,SAAS,EAA0B,MAAM,MAAM,CAAC;AAalE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAe;IAClD,OAAO,CAAC,MAAM,SAAS,CAAC,GAAU,EAAE,OAAO,CAAC,CAAY,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAmB,EACnB,MAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,CAAC;SACpC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC;SACzB,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC;SAC1B,WAAW,CAAC,MAAM,CAAC,aAAa,CAAC;SACjC,WAAW,CAAC,GAAG,CAAC;SAChB,iBAAiB,CAAC,GAAG,GAAG,EAAE,CAAC;SAC3B,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;SAC3B,IAAI,CAAC,UAAU,CAAC,CAAC;IAEpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,CAAC,OAAO,kBAAkB,EAAE;QAChE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,kBAAkB;YAC9B,qBAAqB,EAAE,wDAAwD;YAC/E,gBAAgB,EAAE,SAAS;SAC5B,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,kBAAkB,CAC1B,0BAA0B,QAAQ,CAAC,MAAM,IAAI,IAAI,EAAE,EACnD,QAAQ,CAAC,MAAM,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGpC,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,SAAS,EAAE,MAAM,CAAC,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IAFlB,YACE,OAAe,EACC,UAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF"}

package/dist/patch-verify.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Runtime verification of whether OpenClaw core patches are applied.
+ *
+ * Called during plugin registration to inform the user whether credential
+ * proxying features are available. The plugin works fully (tools, hooks,
+ * prompt injection) WITHOUT patches — they only enable LLM credential
+ * proxying via model-auth.ts.
+ */
+import type { PluginLogger } from "./pending-approvals.js";
+export type PatchStatus = {
+    /** Whether the model-auth.ts patch is applied (Tier 0 + Tier 0.5) */
+    modelAuth: boolean;
+};
+/**
+ * Probe whether the model-auth patch is applied by checking if OpenClaw's
+ * resolveApiKeyForProvider function consults our runtime module.
+ *
+ * Strategy: We check if the patched module can be resolved. The patch adds
+ * a dynamic import of "@agenthifive/openclaw/runtime" — if the import path
+ * resolves, the module exists. The actual behavior test would require calling
+ * resolveApiKeyForProvider which is too invasive for a startup check.
+ *
+ * Instead, we do a simpler check: look for our credential resolution code
+ * in the model-auth module by attempting to import it and checking for the
+ * patched function signature.
+ */
+export declare function verifyPatches(logger: PluginLogger): Promise<PatchStatus>;
+//# sourceMappingURL=patch-verify.d.ts.map

package/dist/patch-verify.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"patch-verify.d.ts","sourceRoot":"","sources":["../src/patch-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,MAAM,WAAW,GAAG;IACxB,qEAAqE;IACrE,SAAS,EAAE,OAAO,CAAC;CACpB,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAiC9E"}

package/dist/patch-verify.js ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Runtime verification of whether OpenClaw core patches are applied.
+ *
+ * Called during plugin registration to inform the user whether credential
+ * proxying features are available. The plugin works fully (tools, hooks,
+ * prompt injection) WITHOUT patches — they only enable LLM credential
+ * proxying via model-auth.ts.
+ */
+/**
+ * Probe whether the model-auth patch is applied by checking if OpenClaw's
+ * resolveApiKeyForProvider function consults our runtime module.
+ *
+ * Strategy: We check if the patched module can be resolved. The patch adds
+ * a dynamic import of "@agenthifive/openclaw/runtime" — if the import path
+ * resolves, the module exists. The actual behavior test would require calling
+ * resolveApiKeyForProvider which is too invasive for a startup check.
+ *
+ * Instead, we do a simpler check: look for our credential resolution code
+ * in the model-auth module by attempting to import it and checking for the
+ * patched function signature.
+ */
+export async function verifyPatches(logger) {
+    const status = { modelAuth: false };
+    try {
+        // Try to import model-auth and check if it has vault awareness
+        // The patched version exports a marker or has vault-related code paths.
+        // We check by looking for the `resolveApiKeyForProvider` and testing
+        // whether it consults our runtime module.
+        //
+        // Simplest reliable approach: check if the source contains our patch
+        // marker comment that we add in the patch file.
+        const modelAuthPath = await findModuleFile("../agents/model-auth.js");
+        if (modelAuthPath) {
+            const { readFileSync } = await import("node:fs");
+            const source = readFileSync(modelAuthPath, "utf-8");
+            status.modelAuth = source.includes("@agenthifive/openclaw/runtime");
+        }
+    }
+    catch {
+        // Module not found or read failed — patches not applied
+    }
+    if (!status.modelAuth) {
+        logger.warn?.("AgentHiFive: model-auth patch not detected. LLM credential proxying is unavailable. " +
+            "Tools, prompt injection, and approval flow work normally. " +
+            "To enable credential proxying, apply the patch: " +
+            "see @agenthifive/openclaw/patches/README.md");
+    }
+    else {
+        logger.info?.("AgentHiFive: model-auth patch detected — credential proxying enabled");
+    }
+    return status;
+}
+/**
+ * Attempt to find the filesystem path of a module relative to openclaw's location.
+ * Returns null if the module cannot be found.
+ */
+async function findModuleFile(specifier) {
+    try {
+        // Use import.meta.resolve to find the module path
+        const resolved = import.meta.resolve(specifier);
+        // Convert file:// URL to path
+        if (resolved.startsWith("file://")) {
+            const { fileURLToPath } = await import("node:url");
+            return fileURLToPath(resolved);
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=patch-verify.js.map

package/dist/patch-verify.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"patch-verify.js","sourceRoot":"","sources":["../src/patch-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAoB;IACtD,MAAM,MAAM,GAAgB,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAEjD,IAAI,CAAC;QACH,+DAA+D;QAC/D,wEAAwE;QACxE,qEAAqE;QACrE,0CAA0C;QAC1C,EAAE;QACF,qEAAqE;QACrE,gDAAgD;QAChD,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,yBAAyB,CAAC,CAAC;QACtE,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YACjD,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;IAC1D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,EAAE,CACX,sFAAsF;YACpF,4DAA4D;YAC5D,kDAAkD;YAClD,6CAA6C,CAChD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,EAAE,CAAC,sEAAsE,CAAC,CAAC;IACxF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAAC,SAAiB;IAC7C,IAAI,CAAC;QACH,kDAAkD;QAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChD,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACnC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;YACnD,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/pending-approvals.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * State file for tracking pending vault step-up approvals.
+ *
+ * When the vault_execute agent tool gets a 202 (approval required), it writes
+ * the pending approval to {stateDir}/vault-pending-approvals.json.
+ *
+ * The before_agent_start hook reads this file on each turn, polls the AH5 API
+ * for resolved approvals, and injects notifications into the agent's context
+ * so it can re-submit approved requests and continue multi-step plans.
+ *
+ * Unlike the fork version, this module accepts `stateDir` as a parameter
+ * instead of importing from OpenClaw's config/paths.
+ */
+export type PendingApproval = {
+    approvalRequestId: string;
+    service?: string;
+    connectionId?: string;
+    method: string;
+    url: string;
+    /** Human-readable summary of what the request does */
+    summary: string;
+    createdAt: string;
+    expiresAt?: string;
+    /** Routing info for auto-triggering the agent when the approval resolves */
+    sessionKey?: string;
+    channel?: string;
+    peerId?: string;
+    peerKind?: string;
+    threadId?: string;
+};
+export type FallbackNotification = {
+    approvalRequestId: string;
+    notificationText: string;
+    createdAt: string;
+};
+export interface PluginLogger {
+    info?: (...args: unknown[]) => void;
+    warn?: (...args: unknown[]) => void;
+    error?: (...args: unknown[]) => void;
+}
+/**
+ * Initialize the pending approvals module with a state directory and logger.
+ * Must be called before any other function in this module.
+ */
+export declare function initPendingApprovals(stateDir: string, logger?: PluginLogger): void;
+/**
+ * Add a pending approval to the state file.
+ * Called by the vault_execute tool when it receives a 202.
+ */
+export declare function addPendingApproval(approval: PendingApproval): void;
+export declare function loadPendingApprovals(): PendingApproval[];
+export declare function savePendingApprovals(approvals: PendingApproval[]): void;
+export declare function loadFallbackNotifications(): FallbackNotification[];
+export declare function saveFallbackNotifications(notifications: FallbackNotification[]): void;
+//# sourceMappingURL=pending-approvals.d.ts.map

package/dist/pending-approvals.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pending-approvals.d.ts","sourceRoot":"","sources":["../src/pending-approvals.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH,MAAM,MAAM,eAAe,GAAG;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAMF,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC,KAAK,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;CACtC;AAKD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,IAAI,CAGlF;AASD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CAYlE;AAED,wBAAgB,oBAAoB,IAAI,eAAe,EAAE,CAWxD;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,eAAe,EAAE,GAAG,IAAI,CAMvE;AAED,wBAAgB,yBAAyB,IAAI,oBAAoB,EAAE,CAWlE;AAED,wBAAgB,yBAAyB,CAAC,aAAa,EAAE,oBAAoB,EAAE,GAAG,IAAI,CAMrF"}