@agenthifive/openclaw 0.3.3 → 0.3.5

package/dist/register.js

@@ -23,7 +23,7 @@ import { verifyPatches } from "./patch-verify.js";
 // ---------------------------------------------------------------------------
 const DEFAULT_BASE_URL = "https://app.agenthifive.com";
 const PLUGIN_ID = "agenthifive";
-const PLUGIN_VERSION = "0.3.3";
+const PLUGIN_VERSION = "0.3.5";
 // ---------------------------------------------------------------------------
 // Module-scoped singletons (lifecycle managed by register/stop)
 // ---------------------------------------------------------------------------

package/dist/vault-provider.d.ts

@@ -1,9 +1,9 @@
 /**
  * Credential provider backed by AgentHiFive Vault.
  *
- * resolve() calls POST /v1/vault/execute with model "A" (token vending)
- * to get the real provider API key from the vault. Results are cached
- * for cacheTtlMs (default: 5 minutes) to avoid excessive vault calls.
+ * resolve() always returns null — all LLM credential access goes through
+ * vault/llm proxy (Model B brokered). The class is kept for isAvailable(),
+ * getConfig(), and buildAuthHeaders() used by tools and hooks.
  */
 export type CredentialQuery = {
     provider: string;
@@ -32,12 +32,10 @@ export type VaultProviderConfig = {
 export declare class VaultCredentialProvider implements CredentialProvider {
     readonly id = "agenthifive-vault";
     private config;
-    private cache;
     constructor(config: VaultProviderConfig);
-    resolve(query: CredentialQuery): Promise<CredentialResult | null>;
+    resolve(_query: CredentialQuery): Promise<CredentialResult | null>;
     isAvailable(): Promise<boolean>;
     getConfig(): VaultProviderConfig;
     buildAuthHeaders(): Record<string, string>;
-    private fetchCredential;
 }
 //# sourceMappingURL=vault-provider.d.ts.map

package/dist/vault-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vault-provider.d.ts","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAClE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACjC;AAiBD,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE;QAAE,IAAI,EAAE,QAAQ,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,mFAAmF;IACnF,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CACzC,CAAC;AAOF,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,QAAQ,CAAC,EAAE,uBAAuB;IAElC,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,KAAK,CAAuC;gBAExC,MAAM,EAAE,mBAAmB;IAIjC,OAAO,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAajE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAWrC,SAAS,IAAI,mBAAmB;IAIhC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;YAI5B,eAAe;CAkD9B"}
+{"version":3,"file":"vault-provider.d.ts","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAClE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACjC;AAMD,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE;QAAE,IAAI,EAAE,QAAQ,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,mFAAmF;IACnF,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CACzC,CAAC;AAEF,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,QAAQ,CAAC,EAAE,uBAAuB;IAElC,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIjC,OAAO,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAOlE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAWrC,SAAS,IAAI,mBAAmB;IAIhC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAG3C"}

package/dist/vault-provider.js

@@ -1,36 +1,21 @@
 /**
  * Credential provider backed by AgentHiFive Vault.
  *
- * resolve() calls POST /v1/vault/execute with model "A" (token vending)
- * to get the real provider API key from the vault. Results are cached
- * for cacheTtlMs (default: 5 minutes) to avoid excessive vault calls.
+ * resolve() always returns null — all LLM credential access goes through
+ * vault/llm proxy (Model B brokered). The class is kept for isAvailable(),
+ * getConfig(), and buildAuthHeaders() used by tools and hooks.
  */
-// ---------------------------------------------------------------------------
-// Provider → service mapping (matches AH5 API's SERVICE_CATALOG)
-// ---------------------------------------------------------------------------
-const PROVIDER_TO_SERVICE = {
-    anthropic: "anthropic-messages",
-    openai: "openai",
-    gemini: "gemini",
-    openrouter: "openrouter",
-};
 export class VaultCredentialProvider {
     id = "agenthifive-vault";
     config;
-    cache = new Map();
     constructor(config) {
         this.config = config;
     }
-    async resolve(query) {
-        const serviceId = PROVIDER_TO_SERVICE[query.provider];
-        if (!serviceId)
-            return null;
-        // Check cache (with 30s buffer before expiry)
-        const cached = this.cache.get(query.provider);
-        if (cached && cached.expiresAt > Date.now() + 30_000) {
-            return { token: cached.token, expiresAt: cached.expiresAt };
-        }
-        return this.fetchCredential(query.provider, serviceId, true);
+    async resolve(_query) {
+        // All LLM credential resolution goes through vault/llm proxy (Model B).
+        // The patch in resolveApiKeyForProvider returns the vault bearer token
+        // directly, and the provider baseUrl is redirected to the vault proxy.
+        return null;
     }
     async isAvailable() {
         try {
@@ -49,44 +34,5 @@ export class VaultCredentialProvider {
     buildAuthHeaders() {
         return { Authorization: `Bearer ${this.config.auth.token}` };
     }
-    async fetchCredential(provider, serviceId, allowRetry) {
-        try {
-            const response = await fetch(`${this.config.baseUrl}/v1/vault/execute`, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    ...this.buildAuthHeaders(),
-                },
-                body: JSON.stringify({ model: "A", service: serviceId }),
-                signal: AbortSignal.timeout(this.config.timeoutMs),
-            });
-            // Handle 401 with token refresh retry
-            if (response.status === 401 && allowRetry && this.config.onTokenRefresh) {
-                const refreshed = await this.config.onTokenRefresh();
-                if (refreshed) {
-                    return this.fetchCredential(provider, serviceId, false);
-                }
-                console.error(`[AH5 resolve] ${provider}: 401 after refresh retry`);
-                return null;
-            }
-            if (!response.ok) {
-                const body = await response.text().catch(() => "");
-                console.error(`[AH5 resolve] ${provider}: HTTP ${response.status} ${body.slice(0, 200)}`);
-                return null;
-            }
-            const data = (await response.json());
-            if (!data.accessToken) {
-                console.error(`[AH5 resolve] ${provider}: response has no accessToken`, JSON.stringify(data).slice(0, 200));
-                return null;
-            }
-            const expiresAt = Date.now() + (data.expiresIn ?? 3600) * 1000;
-            this.cache.set(provider, { token: data.accessToken, expiresAt });
-            return { token: data.accessToken, expiresAt };
-        }
-        catch (err) {
-            console.error(`[AH5 resolve] ${provider}: fetch error:`, err instanceof Error ? err.message : err);
-            return null;
-        }
-    }
 }
 //# sourceMappingURL=vault-provider.js.map

package/dist/vault-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault-provider.js","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAsBH,8EAA8E;AAC9E,iEAAiE;AACjE,8EAA8E;AAE9E,MAAM,mBAAmB,GAA2B;IAClD,SAAS,EAAE,oBAAoB;IAC/B,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,QAAQ;IAChB,UAAU,EAAE,YAAY;CACzB,CAAC;AAoBF,MAAM,OAAO,uBAAuB;IACzB,EAAE,GAAG,mBAAmB,CAAC;IAE1B,MAAM,CAAsB;IAC5B,KAAK,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEpD,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAsB;QAClC,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,8CAA8C;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;YACrD,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;QAC9D,CAAC;QAED,OAAO,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,YAAY,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,gBAAgB;QACd,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;IAC/D,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,QAAgB,EAChB,SAAiB,EACjB,UAAmB;QAEnB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,mBAAmB,EAAE;gBACtE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,GAAG,IAAI,CAAC,gBAAgB,EAAE;iBAC3B;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;gBACxD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;aACnD,CAAC,CAAC;YAEH,sCAAsC;YACtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBACxE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBACrD,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;gBAC1D,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,2BAA2B,CAAC,CAAC;gBACpE,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBACnD,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,UAAU,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC1F,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGlC,CAAC;YACF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,+BAA+B,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBAC5G,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC;YAC/D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;YAEjE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,gBAAgB,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnG,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"vault-provider.js","sourceRoot":"","sources":["../src/vault-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAmCH,MAAM,OAAO,uBAAuB;IACzB,EAAE,GAAG,mBAAmB,CAAC;IAE1B,MAAM,CAAsB;IAEpC,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAuB;QACnC,wEAAwE;QACxE,uEAAuE;QACvE,uEAAuE;QACvE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,YAAY,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,gBAAgB;QACd,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;IAC/D,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenthifive/openclaw",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/patches/README.md

@@ -1,58 +1,53 @@
 # AgentHiFive OpenClaw Patches
 
-Optional patches that enable credential proxying features in OpenClaw core.
+Optional patches that enable LLM credential proxying in OpenClaw core.
 
 **These patches are NOT required for basic functionality.** The AgentHiFive plugin
 works fully without patches — tools, prompt injection, approval flow, and the
 brokered API proxy (Model B) all work out of the box. Patches only enable
 **LLM credential proxying** (routing LLM API calls through the vault).
 
+## How It Works
+
+The patch injects a small code block into `resolveApiKeyForProvider()` that checks
+`globalThis.__ah5_runtime` (set by the plugin at startup). When the requested
+provider is in the `proxiedProviders` list, it returns the vault bearer token
+instead of looking up a local API key. Combined with the provider `baseUrl`
+redirect (set in `openclaw.json` by the setup wizard), this routes all LLM
+traffic through the vault's Model B proxy.
+
 ## Available Patches
 
 ### `model-auth.patch`
 
-Adds vault credential resolution to OpenClaw's `resolveApiKeyForProvider()` function
-in `src/agents/model-auth.ts`. This inserts two new resolution tiers before the
-existing local profile lookup:
+Adds vault credential resolution to `src/agents/model-auth.ts`:
 
 | Tier | What it does | When it activates |
 |------|-------------|-------------------|
-| **Tier 0** | Returns the vault bearer token directly | Provider is in `proxiedProviders` list |
-| **Tier 0.5** | Queries the vault credential provider chain | Always (falls through if no credentials found) |
+| **Tier 0** | Returns the vault bearer token | Provider is in `proxiedProviders` list |
 
-The patch uses `await import("@agenthifive/openclaw/runtime")` wrapped in try/catch,
-so it's a **complete no-op** when the plugin is not installed — safe for vanilla OpenClaw.
+The patch uses `globalThis.__ah5_runtime` (no dynamic imports), so it's a
+**complete no-op** when the plugin is not installed.
 
 ## How to Apply
 
-### Using pnpm patch (recommended)
+### Automatic (recommended)
 
 ```bash
-# 1. Start the patch session
-pnpm patch openclaw
-
-# 2. Apply the patch to the extracted directory
-#    (pnpm will print the temporary directory path)
-cd <temp-directory>
-patch -p1 < /path/to/@agenthifive/openclaw/patches/model-auth.patch
-
-# 3. Commit the patch
-pnpm patch-commit <temp-directory>
+npx @agenthifive/openclaw-setup --base-url https://app.agenthifive.com --bootstrap-secret ah5b_...
 ```
 
-This adds a `patchedDependencies` entry to your `package.json` that pnpm applies
-automatically on `pnpm install`.
+The setup wizard applies the patch automatically as step 7/7.
 
-### Manual application
+### Manual with pnpm patch
 
 ```bash
-cd /path/to/openclaw
-patch -p1 < node_modules/@agenthifive/openclaw/patches/model-auth.patch
+pnpm patch openclaw
+cd <temp-directory>
+patch -p1 < /path/to/@agenthifive/openclaw/patches/model-auth.patch
+pnpm patch-commit <temp-directory>
 ```
 
-Note: Manual patches are lost on `npm install` / `pnpm install`. Use `pnpm patch`
-for persistence.
-
 ## Verification
 
 After applying, the AgentHiFive plugin will log at startup:
@@ -61,25 +56,14 @@ After applying, the AgentHiFive plugin will log at startup:
 AgentHiFive: model-auth patch detected — credential proxying enabled
 ```
 
-Without the patch, you'll see:
+Without the patch:
 
 ```
 AgentHiFive: model-auth patch not detected. LLM credential proxying is unavailable.
 ```
 
-## Compatibility
-
-| OpenClaw Version | Patch Status |
-|-----------------|-------------|
-| Latest (Mar 2026) | Compatible |
-
-The patch targets `resolveApiKeyForProvider()` in `src/agents/model-auth.ts`.
-If OpenClaw restructures this function significantly, the patch may need
-regeneration. Check the [AgentHiFive releases](https://github.com/supersantux/AgentH5/releases)
-for updated patches.
-
 ## When Patches Become Unnecessary
 
 When OpenClaw merges support for `apiKeyOverride` in the `before_model_resolve`
 hook result type, the plugin can use the hook API directly and patches will be
-deprecated. Track progress in the upstream PR.
+deprecated.

package/patches/model-auth.patch

@@ -1,42 +1,22 @@
 --- a/src/agents/model-auth.ts
 +++ b/src/agents/model-auth.ts
-@@ -289,7 +289,41 @@
+@@ -289,7 +289,22 @@
  }): Promise<ResolvedProviderAuth> {
    const { provider, cfg, profileId, preferredProfile } = params;
    const store = params.store ?? ensureAuthProfileStore(params.agentDir);
 
-+  // -- Tier 0: AgentHiFive proxied providers (vault bearer token) --
-+  // When the provider is in proxiedProviders, the vault acts as an LLM proxy.
-+  // Return the managed vault bearer token directly -- no local API key needed.
-+  // @agenthifive/openclaw/runtime -- dynamic import is a no-op when plugin is not installed.
++  // -- AgentHiFive: vault LLM proxy (Model B brokered) --
++  // @agenthifive/openclaw/runtime @ah5-patch-v4
 +  try {
-+    const runtime = await import("@agenthifive/openclaw/runtime");
-+    if (runtime.isInitialized()) {
-+      const proxiedProviders = runtime.getProxiedProviders();
-+      if (proxiedProviders.includes(provider)) {
-+        const vaultToken = runtime.getVaultBearerToken();
-+        if (vaultToken) {
-+          return { apiKey: vaultToken, source: "vault:agent-token", mode: "api-key" };
-+        }
-+      }
-+
-+      // -- Tier 0.5: Credential provider chain --
-+      // Try the vault credential provider before local profiles.
-+      const vaultResult = await runtime.resolveCredential({
-+        kind: "model_provider",
-+        provider,
-+        profileId: preferredProfile,
-+      });
-+      if (vaultResult?.apiKey) {
-+        return {
-+          apiKey: vaultResult.apiKey,
-+          source: "credential-provider:vault",
-+          mode: vaultResult.mode ?? "api-key",
-+        };
-+      }
++    const ah5rt = (globalThis as Record<string, unknown>).__ah5_runtime as
++      | { proxiedProviders?: string[]; vaultBearerToken?: string }
++      | undefined;
++    if (ah5rt?.proxiedProviders?.includes(provider) && ah5rt?.vaultBearerToken) {
++      return { apiKey: ah5rt.vaultBearerToken, source: "vault:agent-token", mode: "api-key" };
 +    }
-+  } catch {
-+    // Plugin not installed -- skip vault credential resolution
++  } catch (ah5Err: unknown) {
++    const msg = ah5Err instanceof Error ? ah5Err.message : String(ah5Err);
++    console.error("[AH5 patch] error:", msg);
 +  }
 +
    if (profileId) {