@agenthifive/openclaw 0.1.0

package/dist/tools.js

@@ -0,0 +1,128 @@
+const DEFAULT_POLL_TIMEOUT_MS = 300_000; // 5 minutes
+const DEFAULT_POLL_INTERVAL_MS = 5_000; // 5 seconds
+/**
+ * Executes an operation via the Vault's Model B brokered proxy.
+ * Returns the execution result or approval requirement.
+ */
+export async function execute(client, input) {
+    const requestBody = {
+        model: "B",
+        method: input.method,
+        url: input.url,
+    };
+    if (input.connectionId)
+        requestBody.connectionId = input.connectionId;
+    if (input.service)
+        requestBody.service = input.service;
+    if (input.query)
+        requestBody.query = input.query;
+    if (input.headers)
+        requestBody.headers = input.headers;
+    if (input.body !== undefined)
+        requestBody.body = input.body;
+    if (input.approvalId)
+        requestBody.approvalId = input.approvalId;
+    const response = await client.post("/vault/execute", requestBody);
+    if (response.approvalRequired) {
+        return {
+            approvalRequired: true,
+            approvalRequestId: response.approvalRequestId ?? "",
+            auditId: response.auditId ?? "",
+        };
+    }
+    return {
+        status: response.status ?? 0,
+        headers: response.headers ?? {},
+        body: response.body,
+        auditId: response.auditId ?? "",
+    };
+}
+/**
+ * Creates a step-up approval request.
+ * The user must approve before the action is executed.
+ */
+export async function approvalRequest(client, input) {
+    // Send a Model B execute request that will trigger step-up approval.
+    // The Vault will detect the write method and create an approval request.
+    const requestBody = {
+        model: "B",
+        connectionId: input.connectionId,
+        method: input.method,
+        url: input.url,
+    };
+    if (input.body !== undefined)
+        requestBody.body = input.body;
+    const response = await client.post("/vault/execute", requestBody);
+    if (!response.approvalRequired) {
+        throw new Error("Expected approval requirement but request was executed directly");
+    }
+    return {
+        approvalRequestId: response.approvalRequestId,
+        auditId: response.auditId,
+    };
+}
+/**
+ * Polls approval status until approved/denied/expired or timeout.
+ * On approval, the caller should re-submit the original request
+ * with the approvalId to execute it.
+ */
+export async function approvalCommit(client, input, pollTimeoutMs = DEFAULT_POLL_TIMEOUT_MS, pollIntervalMs = DEFAULT_POLL_INTERVAL_MS) {
+    const timeout = input.timeoutMs ?? pollTimeoutMs;
+    const deadline = Date.now() + timeout;
+    while (Date.now() < deadline) {
+        // Check approval status
+        const approvals = await client.get("/approvals");
+        const approval = approvals.approvals.find((a) => a.id === input.approvalRequestId);
+        if (!approval) {
+            throw new Error(`Approval request ${input.approvalRequestId} not found`);
+        }
+        switch (approval.status) {
+            case "approved": {
+                // Approval granted — return a signal to the caller.
+                // The caller should re-submit the original request with approvalId
+                // via execute() to actually perform the operation.
+                return {
+                    status: 200,
+                    headers: {},
+                    body: { approved: true, approvalRequestId: input.approvalRequestId },
+                    auditId: "",
+                };
+            }
+            case "consumed":
+                throw new Error("Approval request has already been used");
+            case "denied":
+                throw new Error("Approval request was denied by the user");
+            case "expired":
+                throw new Error("Approval request expired");
+            case "pending":
+                // Continue polling
+                break;
+            default:
+                throw new Error(`Unexpected approval status: ${approval.status}`);
+        }
+        await sleep(pollIntervalMs);
+    }
+    throw new Error(`Approval wait timed out after ${timeout}ms`);
+}
+/**
+ * Lists all connections for the current workspace.
+ */
+export async function connectionsList(client) {
+    const response = await client.get("/connections");
+    return { connections: response.connections };
+}
+/**
+ * Revokes a connection immediately.
+ */
+export async function connectionRevoke(client, input) {
+    const response = await client.post(`/connections/${encodeURIComponent(input.connectionId)}/revoke`);
+    return {
+        revoked: true,
+        connectionId: response.connection.id,
+        auditId: response.auditId,
+    };
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=tools.js.map

package/dist/tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.js","sourceRoot":"","sources":["../src/tools.ts"],"names":[],"mappings":"AAeA,MAAM,uBAAuB,GAAG,OAAO,CAAC,CAAC,YAAY;AACrD,MAAM,wBAAwB,GAAG,KAAK,CAAC,CAAC,YAAY;AAEpD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAmB,EACnB,KAAmB;IAcnB,MAAM,WAAW,GAA4B;QAC3C,KAAK,EAAE,GAAG;QACV,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,GAAG,EAAE,KAAK,CAAC,GAAG;KACf,CAAC;IACF,IAAI,KAAK,CAAC,YAAY;QAAE,WAAW,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IACtE,IAAI,KAAK,CAAC,OAAO;QAAE,WAAW,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IACvD,IAAI,KAAK,CAAC,KAAK;QAAE,WAAW,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IACjD,IAAI,KAAK,CAAC,OAAO;QAAE,WAAW,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IACvD,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,WAAW,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC5D,IAAI,KAAK,CAAC,UAAU;QAAE,WAAW,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IAEhE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAuB,gBAAgB,EAAE,WAAW,CAAC,CAAC;IAExF,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAC9B,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,EAAE;YACnD,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,EAAE;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,CAAC;QAC5B,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,EAAE;QAC/B,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAmB,EACnB,KAA2B;IAE3B,qEAAqE;IACrE,yEAAyE;IACzE,MAAM,WAAW,GAA4B;QAC3C,KAAK,EAAE,GAAG;QACV,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,GAAG,EAAE,KAAK,CAAC,GAAG;KACf,CAAC;IACF,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,WAAW,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAQ5D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAmB,gBAAgB,EAAE,WAAW,CAAC,CAAC;IAEpF,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IAED,OAAO;QACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;QAC7C,OAAO,EAAE,QAAQ,CAAC,OAAO;KAC1B,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAmB,EACnB,KAA0B,EAC1B,gBAAwB,uBAAuB,EAC/C,iBAAyB,wBAAwB;IAEjD,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,IAAI,aAAa,CAAC;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;IAYtC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,wBAAwB;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAoB,YAAY,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAEnF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,CAAC,iBAAiB,YAAY,CAAC,CAAC;QAC3E,CAAC;QAED,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAC;YACxB,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,oDAAoD;gBACpD,mEAAmE;gBACnE,mDAAmD;gBACnD,OAAO;oBACL,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE;oBACX,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,EAAE;oBACpE,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YACD,KAAK,UAAU;gBACb,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,KAAK,QAAQ;gBACX,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;YAC7D,KAAK,SAAS;gBACZ,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAC9C,KAAK,SAAS;gBACZ,mBAAmB;gBACnB,MAAM;YACR;gBACE,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,KAAK,CAAC,cAAc,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,IAAI,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAmB;IAMnB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAsB,cAAc,CAAC,CAAC;IACvE,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAmB,EACnB,KAA4B;IAO5B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAChC,gBAAgB,kBAAkB,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,CAChE,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,EAAE;QACpC,OAAO,EAAE,QAAQ,CAAC,OAAO;KAC1B,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,93 @@
+/**
+ * OpenClaw Gateway plugin configuration.
+ */
+export interface OpenClawPluginConfig {
+    /** AgentHiFive Vault API base URL (e.g., "https://vault.example.com") */
+    baseUrl: string;
+    /** Authentication mode for Vault API */
+    auth: OpenClawAuthConfig;
+    /** Default timeout for polling operations in milliseconds (default: 300_000 = 5 min) */
+    pollTimeoutMs?: number;
+    /** Polling interval for approval in milliseconds (default: 5_000) */
+    pollIntervalMs?: number;
+}
+export type OpenClawAuthConfig = {
+    mode: "agent";
+    privateKey: JsonWebKey;
+    agentId: string;
+    tokenAudience?: string;
+} | {
+    mode: "bearer";
+    token: string;
+};
+/**
+ * Tool input/output types.
+ */
+export interface ExecuteInput {
+    connectionId?: string;
+    service?: string;
+    method: "GET" | "POST" | "PUT" | "DELETE" | "PATCH";
+    url: string;
+    query?: Record<string, string>;
+    headers?: Record<string, string>;
+    body?: unknown;
+    /** Approval request ID to bypass a require_approval guard (from a previous 202 response). */
+    approvalId?: string;
+}
+export interface ExecuteOutput {
+    status: number;
+    headers: Record<string, string>;
+    body: unknown;
+    auditId: string;
+}
+export interface ExecuteApprovalOutput {
+    approvalRequired: true;
+    approvalRequestId: string;
+    auditId: string;
+}
+export interface ApprovalRequestInput {
+    connectionId: string;
+    actionDescription: string;
+    method: "GET" | "POST" | "PUT" | "DELETE" | "PATCH";
+    url: string;
+    body?: unknown;
+}
+export interface ApprovalRequestOutput {
+    approvalRequestId: string;
+    auditId: string;
+}
+export interface ApprovalCommitInput {
+    approvalRequestId: string;
+    timeoutMs?: number;
+}
+export interface ApprovalCommitOutput {
+    status: number;
+    headers: Record<string, string>;
+    body: unknown;
+    auditId: string;
+}
+export interface ConnectionListItem {
+    id: string;
+    provider: string;
+    label: string;
+    status: string;
+    grantedScopes: string[];
+    createdAt: string;
+}
+export interface ConnectionsListOutput {
+    connections: ConnectionListItem[];
+}
+export interface ConnectionRevokeInput {
+    connectionId: string;
+}
+export interface ConnectionRevokeOutput {
+    revoked: true;
+    connectionId: string;
+    auditId: string;
+}
+export type { ActionProxy, ProxyRequest, ProxyResponse, } from "./vault-action-proxy.js";
+export type { CredentialProvider, CredentialQuery, CredentialResult, VaultProviderConfig, } from "./vault-provider.js";
+export type { VaultTokenManagerConfig } from "./vault-token-manager.js";
+export type { SessionContext } from "./session-context.js";
+export type { PendingApproval, FallbackNotification, PluginLogger, } from "./pending-approvals.js";
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,yEAAyE;IACzE,OAAO,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,IAAI,EAAE,kBAAkB,CAAC;IACzB,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qEAAqE;IACrE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,MAAM,kBAAkB,GAC1B;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAClF;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtC;;GAEG;AAEH,MAAM,WAAW,YAAY;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,6FAA6F;IAC7F,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,gBAAgB,EAAE,IAAI,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,kBAAkB,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,IAAI,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAMD,YAAY,EACV,WAAW,EACX,YAAY,EACZ,aAAa,GACd,MAAM,yBAAyB,CAAC;AAEjC,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAE7B,YAAY,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAExE,YAAY,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,YAAY,EACV,eAAe,EACf,oBAAoB,EACpB,YAAY,GACb,MAAM,wBAAwB,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/vault-action-proxy.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Action proxy abstraction and AgentHiFive Vault implementation.
+ *
+ * When configured, routes outgoing API calls through the AgentHiFive vault
+ * proxy (Model B: brokered proxy) instead of calling provider APIs directly.
+ * This enables content filtering, action allowlists, rate limiting, and audit.
+ */
+export type ProxyRequest = {
+    /** Which connection/credential to use (required for multi-account services) */
+    connectionId?: string;
+    /** Service ID for singleton services — vault resolves the connection server-side */
+    service?: string;
+    /** Target provider API */
+    method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    url: string;
+    headers?: Record<string, string>;
+    body?: unknown;
+    /** Redeem a previously approved step-up approval */
+    approvalId?: string;
+    /** Context for policy evaluation */
+    context?: {
+        tool: string;
+        action: string;
+        channel?: string;
+        agentId?: string;
+    };
+};
+export type ProxyResponse = {
+    status: number;
+    headers: Record<string, string>;
+    body: unknown;
+    auditId: string;
+    /** If blocked by policy or auth failure, this explains why */
+    blocked?: {
+        reason: string;
+        policy: string;
+        /** Actionable hint for the AI agent — tells it how to fix the issue */
+        hint?: string;
+        /** Present when policy is "step-up-approval" — use to poll and redeem */
+        approvalRequestId?: string;
+    };
+};
+export interface ActionProxy {
+    execute(request: ProxyRequest, signal?: AbortSignal): Promise<ProxyResponse>;
+}
+type VaultActionProxyConfig = {
+    baseUrl: string;
+    auth: {
+        mode: "bearer";
+        token: string;
+    };
+    timeoutMs: number;
+    /** Called on 401 to attempt a token refresh. Returns true if refresh succeeded. */
+    onTokenRefresh?: () => Promise<boolean>;
+};
+/**
+ * Action proxy backed by AgentHiFive Vault.
+ *
+ * Routes API calls through POST /v1/vault/execute (Model B: brokered proxy).
+ * The vault adds the credential (Authorization header), evaluates policies,
+ * executes the request, and returns the response with an audit ID.
+ */
+export declare class VaultActionProxy implements ActionProxy {
+    private config;
+    constructor(config: VaultActionProxyConfig);
+    execute(request: ProxyRequest, callerSignal?: AbortSignal): Promise<ProxyResponse>;
+    /** Vault base URL — used by the approval poller to call GET /v1/approvals/:id */
+    get baseUrl(): string;
+    /** Build auth header with current bearer token */
+    buildAuthHeader(): Record<string, string>;
+    /** Force a token refresh. Returns true if the token was successfully refreshed. */
+    refreshToken(): Promise<boolean>;
+}
+export {};
+//# sourceMappingURL=vault-action-proxy.d.ts.map

package/dist/vault-action-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-action-proxy.d.ts","sourceRoot":"","sources":["../src/vault-action-proxy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,MAAM,YAAY,GAAG;IACzB,+EAA+E;IAC/E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oFAAoF;IACpF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,oDAAoD;IACpD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,8DAA8D;IAC9D,OAAO,CAAC,EAAE;QACR,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,uEAAuE;QACvE,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,yEAAyE;QACzE,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH,CAAC;AAEF,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC9E;AAMD,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE;QAAE,IAAI,EAAE,QAAQ,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,mFAAmF;IACnF,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CACzC,CAAC;AAEF;;;;;;GAMG;AACH,qBAAa,gBAAiB,YAAW,WAAW;IAClD,OAAO,CAAC,MAAM,CAAyB;gBAE3B,MAAM,EAAE,sBAAsB;IAIpC,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC;IAqIxF,iFAAiF;IACjF,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,kDAAkD;IAClD,eAAe,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAIzC,mFAAmF;IAC7E,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC;CAMvC"}

package/dist/vault-action-proxy.js

@@ -0,0 +1,152 @@
+/**
+ * Action proxy abstraction and AgentHiFive Vault implementation.
+ *
+ * When configured, routes outgoing API calls through the AgentHiFive vault
+ * proxy (Model B: brokered proxy) instead of calling provider APIs directly.
+ * This enables content filtering, action allowlists, rate limiting, and audit.
+ */
+/**
+ * Action proxy backed by AgentHiFive Vault.
+ *
+ * Routes API calls through POST /v1/vault/execute (Model B: brokered proxy).
+ * The vault adds the credential (Authorization header), evaluates policies,
+ * executes the request, and returns the response with an audit ID.
+ */
+export class VaultActionProxy {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async execute(request, callerSignal) {
+        const vaultBody = {
+            model: "B",
+            method: request.method,
+            url: request.url,
+            headers: request.headers,
+            body: request.body,
+            ...(request.context ? { context: request.context } : {}),
+        };
+        if (request.service) {
+            vaultBody.service = request.service;
+        }
+        if (request.connectionId) {
+            vaultBody.connectionId = request.connectionId;
+        }
+        if (request.approvalId) {
+            vaultBody.approvalId = request.approvalId;
+        }
+        // Combine our own timeout with the caller's abort signal (if any).
+        const timeoutSignal = AbortSignal.timeout(this.config.timeoutMs);
+        const signal = callerSignal ? AbortSignal.any([timeoutSignal, callerSignal]) : timeoutSignal;
+        const doFetch = () => fetch(`${this.config.baseUrl}/v1/vault/execute`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                ...this.buildAuthHeader(),
+            },
+            body: JSON.stringify(vaultBody),
+            signal,
+        });
+        let response = await doFetch();
+        // 401 = token expired — try refreshing once before giving up
+        if (response.status === 401 && this.config.onTokenRefresh) {
+            const refreshed = await this.config.onTokenRefresh();
+            if (refreshed) {
+                response = await doFetch();
+            }
+        }
+        // 401 = authentication failure
+        if (response.status === 401) {
+            const tokenPrefix = this.config.auth.token?.slice(0, 4) || "empty";
+            console.warn(`[vault-action-proxy] 401 on POST /v1/vault/execute (token: ${tokenPrefix}..., ` +
+                `service: ${request.service ?? "n/a"}, url: ${request.url})`);
+            return {
+                status: 401,
+                headers: {},
+                body: null,
+                auditId: "",
+                blocked: {
+                    reason: "Vault authentication failed — the agent's access token is invalid or expired.",
+                    policy: "vault-auth",
+                    hint: "The vault connection is broken. Ask your admin to generate a bootstrap secret from the AgentHiFive dashboard (Agents → Bootstrap Secret), then run `openclaw configure` to reconnect.",
+                },
+            };
+        }
+        // Guard against non-JSON responses
+        const contentType = response.headers.get("content-type") ?? "";
+        if (!contentType.includes("application/json") && !response.ok) {
+            const text = await response.text();
+            const preview = text.slice(0, 120).replace(/\n/g, " ");
+            throw new Error(`Vault returned HTTP ${response.status} with non-JSON body (${contentType || "no content-type"}): ${preview}`);
+        }
+        const result = (await response.json());
+        // Policy block
+        if (result["blocked"]) {
+            return {
+                status: 0,
+                headers: {},
+                body: null,
+                auditId: result["auditId"] ?? "",
+                blocked: {
+                    reason: result["reason"] ?? "Blocked by policy",
+                    policy: result["policy"] ?? "unknown",
+                },
+            };
+        }
+        // 202 = step-up approval required
+        if (response.status === 202 && result["approvalRequired"]) {
+            const approvalRequestId = result["approvalRequestId"] ?? undefined;
+            const blocked = {
+                reason: result["hint"] ?? "This request requires human approval.",
+                policy: "step-up-approval",
+            };
+            if (approvalRequestId) {
+                blocked.hint = `Approval required. approvalRequestId: ${approvalRequestId}`;
+                blocked.approvalRequestId = approvalRequestId;
+            }
+            return {
+                status: 202,
+                headers: {},
+                body: null,
+                auditId: result["auditId"] ?? "",
+                blocked,
+            };
+        }
+        // 403 = policy denial
+        if (response.status === 403) {
+            return {
+                status: 403,
+                headers: {},
+                body: null,
+                auditId: result["auditId"] ?? "",
+                blocked: {
+                    reason: result["error"] ?? "Denied by policy",
+                    policy: "vault-policy",
+                },
+            };
+        }
+        // Success
+        return {
+            status: result["status"] ?? response.status,
+            headers: result["headers"] ?? {},
+            body: result["body"] ?? null,
+            auditId: result["auditId"] ?? "",
+        };
+    }
+    /** Vault base URL — used by the approval poller to call GET /v1/approvals/:id */
+    get baseUrl() {
+        return this.config.baseUrl;
+    }
+    /** Build auth header with current bearer token */
+    buildAuthHeader() {
+        return { Authorization: `Bearer ${this.config.auth.token}` };
+    }
+    /** Force a token refresh. Returns true if the token was successfully refreshed. */
+    async refreshToken() {
+        if (!this.config.onTokenRefresh) {
+            return false;
+        }
+        return this.config.onTokenRefresh();
+    }
+}
+//# sourceMappingURL=vault-action-proxy.js.map

package/dist/vault-action-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-action-proxy.js","sourceRoot":"","sources":["../src/vault-action-proxy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2DH;;;;;;GAMG;AACH,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAyB;IAEvC,YAAY,MAA8B;QACxC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAqB,EAAE,YAA0B;QAC7D,MAAM,SAAS,GAA4B;YACzC,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACzD,CAAC;QACF,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,SAAS,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QACtC,CAAC;QACD,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,SAAS,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAChD,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,SAAS,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAC5C,CAAC;QAED,mEAAmE;QACnE,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;QAE7F,MAAM,OAAO,GAAG,GAAG,EAAE,CACnB,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,mBAAmB,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,GAAG,IAAI,CAAC,eAAe,EAAE;aAC1B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YAC/B,MAAM;SACP,CAAC,CAAC;QAEL,IAAI,QAAQ,GAAG,MAAM,OAAO,EAAE,CAAC;QAE/B,6DAA6D;QAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YACrD,IAAI,SAAS,EAAE,CAAC;gBACd,QAAQ,GAAG,MAAM,OAAO,EAAE,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC;YACnE,OAAO,CAAC,IAAI,CACV,8DAA8D,WAAW,OAAO;gBAC9E,YAAY,OAAO,CAAC,OAAO,IAAI,KAAK,UAAU,OAAO,CAAC,GAAG,GAAG,CAC/D,CAAC;YACF,OAAO;gBACL,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE;gBACX,IAAI,EAAE,IAAI;gBACV,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE;oBACP,MAAM,EAAE,+EAA+E;oBACvF,MAAM,EAAE,YAAY;oBACpB,IAAI,EAAE,uLAAuL;iBAC9L;aACF,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC/D,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACvD,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,CAAC,MAAM,wBAAwB,WAAW,IAAI,iBAAiB,MAAM,OAAO,EAAE,CAC9G,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAElE,eAAe;QACf,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACtB,OAAO;gBACL,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,IAAI,EAAE,IAAI;gBACV,OAAO,EAAG,MAAM,CAAC,SAAS,CAAY,IAAI,EAAE;gBAC5C,OAAO,EAAE;oBACP,MAAM,EAAG,MAAM,CAAC,QAAQ,CAAY,IAAI,mBAAmB;oBAC3D,MAAM,EAAG,MAAM,CAAC,QAAQ,CAAY,IAAI,SAAS;iBAClD;aACF,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC1D,MAAM,iBAAiB,GAAI,MAAM,CAAC,mBAAmB,CAAY,IAAI,SAAS,CAAC;YAC/E,MAAM,OAAO,GAA6B;gBACxC,MAAM,EAAG,MAAM,CAAC,MAAM,CAAY,IAAI,uCAAuC;gBAC7E,MAAM,EAAE,kBAAkB;aAC3B,CAAC;YACF,IAAI,iBAAiB,EAAE,CAAC;gBACtB,OAAO,CAAC,IAAI,GAAG,yCAAyC,iBAAiB,EAAE,CAAC;gBAC5E,OAAO,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;YAChD,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE;gBACX,IAAI,EAAE,IAAI;gBACV,OAAO,EAAG,MAAM,CAAC,SAAS,CAAY,IAAI,EAAE;gBAC5C,OAAO;aACR,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE;gBACX,IAAI,EAAE,IAAI;gBACV,OAAO,EAAG,MAAM,CAAC,SAAS,CAAY,IAAI,EAAE;gBAC5C,OAAO,EAAE;oBACP,MAAM,EAAG,MAAM,CAAC,OAAO,CAAY,IAAI,kBAAkB;oBACzD,MAAM,EAAE,cAAc;iBACvB;aACF,CAAC;QACJ,CAAC;QAED,UAAU;QACV,OAAO;YACL,MAAM,EAAG,MAAM,CAAC,QAAQ,CAAY,IAAI,QAAQ,CAAC,MAAM;YACvD,OAAO,EAAG,MAAM,CAAC,SAAS,CAA4B,IAAI,EAAE;YAC5D,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI;YAC5B,OAAO,EAAG,MAAM,CAAC,SAAS,CAAY,IAAI,EAAE;SAC7C,CAAC;IACJ,CAAC;IAED,iFAAiF;IACjF,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;IAC7B,CAAC;IAED,kDAAkD;IAClD,eAAe;QACb,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;IAC/D,CAAC;IAED,mFAAmF;IACnF,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;IACtC,CAAC;CACF"}

package/dist/vault-provider.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Credential provider backed by AgentHiFive Vault.
+ *
+ * resolve() always returns null — all credential access goes through
+ * vault/execute (Model B) or vault/llm proxy. The class is kept for
+ * isAvailable(), getConfig(), and buildAuthHeaders() used by capability
+ * cache and permission request modules.
+ */
+export type CredentialQuery = {
+    provider: string;
+    scopes?: string[];
+};
+export type CredentialResult = {
+    token: string;
+    expiresAt?: number;
+};
+export interface CredentialProvider {
+    readonly id: string;
+    resolve(query: CredentialQuery): Promise<CredentialResult | null>;
+    isAvailable(): Promise<boolean>;
+}
+export type VaultProviderConfig = {
+    baseUrl: string;
+    auth: {
+        mode: "bearer";
+        token: string;
+    };
+    timeoutMs: number;
+    cacheTtlMs: number;
+    /** Providers proxied through AH5 — skip credential resolution for these */
+    proxiedProviders?: string[];
+    /** Capability checking and permission request configuration */
+    capabilities?: {
+        enabled: boolean;
+        cacheTtl?: number;
+        permissionRequest?: {
+            enabled: boolean;
+        };
+    };
+    /** Called on 401 to attempt a token refresh. Returns true if refresh succeeded. */
+    onTokenRefresh?: () => Promise<boolean>;
+};
+export declare class VaultCredentialProvider implements CredentialProvider {
+    readonly id = "agenthifive-vault";
+    private config;
+    constructor(config: VaultProviderConfig);
+    resolve(_query: CredentialQuery): Promise<CredentialResult | null>;
+    isAvailable(): Promise<boolean>;
+    getConfig(): VaultProviderConfig;
+    buildAuthHeaders(): Record<string, string>;
+}
+//# sourceMappingURL=vault-provider.d.ts.map

package/dist/vault-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-provider.d.ts","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAClE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACjC;AAMD,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE;QAAE,IAAI,EAAE,QAAQ,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,+DAA+D;IAC/D,YAAY,CAAC,EAAE;QACb,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,iBAAiB,CAAC,EAAE;YAClB,OAAO,EAAE,OAAO,CAAC;SAClB,CAAC;KACH,CAAC;IACF,mFAAmF;IACnF,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CACzC,CAAC;AAEF,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,QAAQ,CAAC,EAAE,uBAAuB;IAElC,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIjC,OAAO,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAKlE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAWrC,SAAS,IAAI,mBAAmB;IAIhC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAG3C"}

package/dist/vault-provider.js

@@ -0,0 +1,37 @@
+/**
+ * Credential provider backed by AgentHiFive Vault.
+ *
+ * resolve() always returns null — all credential access goes through
+ * vault/execute (Model B) or vault/llm proxy. The class is kept for
+ * isAvailable(), getConfig(), and buildAuthHeaders() used by capability
+ * cache and permission request modules.
+ */
+export class VaultCredentialProvider {
+    id = "agenthifive-vault";
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async resolve(_query) {
+        // All credential resolution goes through vault/execute (Model B) or vault/llm proxy.
+        return null;
+    }
+    async isAvailable() {
+        try {
+            const response = await fetch(`${this.config.baseUrl}/v1/health`, {
+                signal: AbortSignal.timeout(2000),
+            });
+            return response.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    getConfig() {
+        return this.config;
+    }
+    buildAuthHeaders() {
+        return { Authorization: `Bearer ${this.config.auth.token}` };
+    }
+}
+//# sourceMappingURL=vault-provider.js.map

package/dist/vault-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-provider.js","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA6CH,MAAM,OAAO,uBAAuB;IACzB,EAAE,GAAG,mBAAmB,CAAC;IAE1B,MAAM,CAAsB;IAEpC,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAuB;QACnC,qFAAqF;QACrF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,YAAY,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,gBAAgB;QACd,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;IAC/D,CAAC;CACF"}

package/dist/vault-token-manager.d.ts

@@ -0,0 +1,42 @@
+export type VaultTokenManagerConfig = {
+    baseUrl: string;
+    agentId: string;
+    privateKey: JsonWebKey;
+    tokenAudience?: string;
+};
+export declare class VaultTokenManager {
+    private readonly baseUrl;
+    private readonly agentId;
+    private readonly privateKeyJWK;
+    private readonly tokenAudience;
+    private privateKeyObj;
+    private accessToken;
+    private tokenExpiresAt;
+    private refreshTimer;
+    private refreshInFlight;
+    /** Called after every successful token refresh with the new token. */
+    onRefresh: ((newToken: string) => void) | null;
+    /** Called when token refresh fails with 401 — indicates the agent's key is no longer valid. */
+    onAuthFailure: (() => void) | null;
+    constructor(config: VaultTokenManagerConfig);
+    /**
+     * Perform the initial token exchange and start the background refresh timer.
+     * Must be called (and awaited) before getToken().
+     */
+    init(): Promise<void>;
+    /**
+     * Get the current bearer token. Synchronous — relies on background refresh.
+     * Throws if init() hasn't been called.
+     */
+    getToken(): string;
+    /** Stop the background refresh timer. */
+    stop(): void;
+    /**
+     * Force an immediate token refresh. Called on-demand when a 401 is received.
+     * Coalesces concurrent requests — if a refresh is already in flight, callers
+     * wait for the same promise instead of hammering the token endpoint.
+     */
+    forceRefresh(): Promise<boolean>;
+    private refreshToken;
+}
+//# sourceMappingURL=vault-token-manager.d.ts.map

package/dist/vault-token-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-token-manager.d.ts","sourceRoot":"","sources":["../src/vault-token-manager.ts"],"names":[],"mappings":"AAcA,MAAM,MAAM,uBAAuB,GAAG;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,UAAU,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAa;IAC3C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IAEvC,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,YAAY,CAA+C;IACnE,OAAO,CAAC,eAAe,CAA8B;IAErD,sEAAsE;IACtE,SAAS,EAAE,CAAC,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC,GAAG,IAAI,CAAQ;IAEtD,+FAA+F;IAC/F,aAAa,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAQ;gBAE9B,MAAM,EAAE,uBAAuB;IAO3C;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA8B3B;;;OAGG;IACH,QAAQ,IAAI,MAAM;IAOlB,yCAAyC;IACzC,IAAI,IAAI,IAAI;IAOZ;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC;YAsBxB,YAAY;CAqC3B"}