@agentvault/agentvault 0.13.6 → 0.13.8

package/dist/fetch-interceptor.d.ts

@@ -0,0 +1,32 @@
+export interface HttpCallReport {
+    method: string;
+    url: string;
+    statusCode: number;
+    latencyMs: number;
+    traceId?: string;
+    parentSpanId?: string;
+}
+export interface TraceContext {
+    traceId: string;
+    parentSpanId: string;
+}
+export interface FetchInterceptorOptions {
+    onHttpCall: (report: HttpCallReport) => void;
+    skipPatterns?: RegExp[];
+}
+/**
+ * Install HTTP interceptor using both undici diagnostics channels and
+ * globalThis.fetch monkey-patching. Idempotent.
+ */
+export declare function installFetchInterceptor(opts: FetchInterceptorOptions): void;
+/**
+ * Uninstall all interceptors. Safe to call even if not installed.
+ */
+export declare function uninstallFetchInterceptor(): void;
+/**
+ * Run an async function with trace context attached via AsyncLocalStorage.
+ * Any HTTP calls made within `fn` (via undici or fetch) will include
+ * traceId/parentSpanId in their HttpCallReport.
+ */
+export declare function runWithTraceContext<T>(ctx: TraceContext, fn: () => T | Promise<T>): Promise<T>;
+//# sourceMappingURL=fetch-interceptor.d.ts.map

package/dist/fetch-interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-interceptor.d.ts","sourceRoot":"","sources":["../src/fetch-interceptor.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI,CAAC;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AA0CD;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,uBAAuB,GAAG,IAAI,CAmK3E;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAkBhD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EACnC,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,OAAO,CAAC,CAAC,CAAC,CAEZ"}

package/dist/index.d.ts

@@ -5,5 +5,5 @@ export type { ResolvedAccount } from "./account-config.js";
 export { agentVaultPlugin, setOcRuntime, getActiveChannel } from "./openclaw-plugin.js";
 export { sendToOwner, checkGateway } from "./gateway-send.js";
 export type { GatewaySendOptions, GatewaySendResult, GatewayStatusResult, } from "./gateway-send.js";
-export declare const VERSION = "0.11.0";
+export declare const VERSION = "0.13.8";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -45443,14 +45443,16 @@ var TelemetryReporter = class {
 };
 
 // src/state.ts
-import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { mkdir, readFile, rename, rm, writeFile } from "node:fs/promises";
 import { join } from "node:path";
 var STATE_FILE = "agentvault.json";
 var LEGACY_STATE_FILE = "secure-channel.json";
+var DIR_MODE = 448;
+var FILE_MODE = 384;
 async function saveState(dataDir, state) {
-  await mkdir(dataDir, { recursive: true });
+  await mkdir(dataDir, { recursive: true, mode: DIR_MODE });
   const filePath = join(dataDir, STATE_FILE);
-  await writeFile(filePath, JSON.stringify(state, null, 2), "utf-8");
+  await writeFile(filePath, JSON.stringify(state, null, 2), { encoding: "utf-8", mode: FILE_MODE });
   try {
     await rm(join(dataDir, LEGACY_STATE_FILE));
   } catch {
@@ -45467,14 +45469,52 @@ async function loadState(dataDir) {
   try {
     const raw = await readFile(legacyPath, "utf-8");
     const parsed = JSON.parse(raw);
-    await mkdir(dataDir, { recursive: true });
-    await writeFile(filePath, JSON.stringify(parsed, null, 2), "utf-8");
+    await mkdir(dataDir, { recursive: true, mode: DIR_MODE });
+    await writeFile(filePath, JSON.stringify(parsed, null, 2), { encoding: "utf-8", mode: FILE_MODE });
     await rm(legacyPath);
     return parsed;
   } catch {
     return null;
   }
 }
+async function isStateValid(dataDir) {
+  try {
+    const filePath = join(dataDir, STATE_FILE);
+    const raw = await readFile(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return !!(parsed && parsed.deviceId && parsed.deviceJwt && parsed.sessions && Object.keys(parsed.sessions).length > 0);
+  } catch {
+    return false;
+  }
+}
+async function backupState(dataDir) {
+  const src = join(dataDir, STATE_FILE);
+  const bak = join(dataDir, `${STATE_FILE}.bak`);
+  const tmp = join(dataDir, `${STATE_FILE}.bak.tmp`);
+  try {
+    const data = await readFile(src, "utf-8");
+    await writeFile(tmp, data, { encoding: "utf-8", mode: FILE_MODE });
+    await rename(tmp, bak);
+  } catch {
+  }
+}
+async function restoreState(dataDir) {
+  const primaryValid = await isStateValid(dataDir);
+  if (primaryValid) return false;
+  const bak = join(dataDir, `${STATE_FILE}.bak`);
+  try {
+    const data = await readFile(bak, "utf-8");
+    const parsed = JSON.parse(data);
+    if (!parsed || !parsed.deviceId || !parsed.deviceJwt || !parsed.sessions || Object.keys(parsed.sessions).length === 0) {
+      return false;
+    }
+    await mkdir(dataDir, { recursive: true, mode: DIR_MODE });
+    await writeFile(join(dataDir, STATE_FILE), data, { encoding: "utf-8", mode: FILE_MODE });
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function clearState(dataDir) {
   for (const filename of [STATE_FILE, LEGACY_STATE_FILE]) {
     try {
@@ -45629,6 +45669,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     await libsodium_wrappers_default.ready;
     const raw = await loadState(this.config.dataDir);
     if (raw) {
+      await backupState(this.config.dataDir);
       this._persisted = migratePersistedState(raw);
       if (!this._persisted.messageHistory) {
         this._persisted.messageHistory = [];
@@ -45652,6 +45693,30 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
       this._connect();
       return;
     }
+    const restored = await restoreState(this.config.dataDir);
+    if (restored) {
+      console.log("[SecureChannel] Restored state from backup");
+      const restoredRaw = await loadState(this.config.dataDir);
+      if (restoredRaw) {
+        this._persisted = migratePersistedState(restoredRaw);
+        if (!this._persisted.messageHistory) this._persisted.messageHistory = [];
+        this._deviceId = this._persisted.deviceId;
+        this._deviceJwt = this._persisted.deviceJwt;
+        this._primaryConversationId = this._persisted.primaryConversationId;
+        this._fingerprint = this._persisted.fingerprint;
+        for (const [convId, sd] of Object.entries(this._persisted.sessions)) {
+          if (sd.ratchetState) {
+            this._sessions.set(convId, {
+              ownerDeviceId: sd.ownerDeviceId,
+              ratchet: DoubleRatchet.deserialize(sd.ratchetState),
+              activated: sd.activated ?? false
+            });
+          }
+        }
+        this._connect();
+        return;
+      }
+    }
     await this._enroll();
   }
   /**
@@ -45998,7 +46063,9 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
           data: {
             room_id: roomId,
             recipients,
-            message_type: messageType
+            message_type: messageType,
+            priority: opts?.priority ?? "normal",
+            metadata: opts?.metadata
           }
         })
       );
@@ -46012,7 +46079,12 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
               "Content-Type": "application/json",
               Authorization: `Bearer ${this._deviceJwt}`
             },
-            body: JSON.stringify({ recipients, message_type: messageType })
+            body: JSON.stringify({
+              recipients,
+              message_type: messageType,
+              priority: opts?.priority ?? "normal",
+              metadata: opts?.metadata
+            })
           }
         );
         if (!res.ok) {
@@ -46157,6 +46229,27 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
       }
     );
   }
+  async sendActionConfirmationToRoom(roomId, confirmation) {
+    const envelope = {
+      type: "action_confirmation",
+      action: confirmation.action,
+      status: confirmation.status
+    };
+    if (confirmation.decisionId !== void 0) envelope.decision_id = confirmation.decisionId;
+    if (confirmation.detail !== void 0) envelope.detail = confirmation.detail;
+    const metadata = {
+      action: confirmation.action,
+      status: confirmation.status
+    };
+    if (confirmation.estimated_cost !== void 0) {
+      metadata.estimated_cost = confirmation.estimated_cost;
+    }
+    await this.sendToRoom(roomId, JSON.stringify(envelope), {
+      messageType: "action_confirmation",
+      priority: "high",
+      metadata
+    });
+  }
   _sendHeartbeat() {
     if (this._state !== "ready" || !this._heartbeatCallback) return;
     const status = this._heartbeatCallback();
@@ -46231,10 +46324,52 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
               res.end(JSON.stringify({ ok: false, error: "Missing 'text' field" }));
               return;
             }
-            if (parsed.file_path && typeof parsed.file_path === "string") {
+            if (parsed.room_id && typeof parsed.room_id === "string") {
+              await this.sendToRoom(parsed.room_id, text, {
+                messageType: parsed.message_type,
+                priority: parsed.priority,
+                metadata: parsed.metadata
+              });
+            } else if (parsed.file_path && typeof parsed.file_path === "string") {
               await this.sendWithAttachment(text, parsed.file_path, { topicId: parsed.topicId });
             } else {
-              await this.send(text, { topicId: parsed.topicId });
+              await this.send(text, {
+                topicId: parsed.topicId,
+                messageType: parsed.message_type,
+                metadata: parsed.metadata
+              });
+            }
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err) {
+            res.writeHead(500, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, error: String(err) }));
+          }
+        });
+      } else if (req.method === "POST" && req.url === "/action") {
+        let body = "";
+        req.on("data", (chunk) => {
+          body += chunk.toString();
+        });
+        req.on("end", async () => {
+          try {
+            const parsed = JSON.parse(body);
+            if (!parsed.action || typeof parsed.action !== "string") {
+              res.writeHead(400, { "Content-Type": "application/json" });
+              res.end(JSON.stringify({ ok: false, error: "Missing 'action' field" }));
+              return;
+            }
+            const confirmation = {
+              action: parsed.action,
+              status: parsed.status ?? "completed",
+              decisionId: parsed.decision_id,
+              detail: parsed.detail,
+              estimated_cost: parsed.estimated_cost
+            };
+            if (parsed.room_id && typeof parsed.room_id === "string") {
+              await this.sendActionConfirmationToRoom(parsed.room_id, confirmation);
+            } else {
+              await this.sendActionConfirmation(confirmation);
             }
             res.writeHead(200, { "Content-Type": "application/json" });
             res.end(JSON.stringify({ ok: true }));
@@ -46253,7 +46388,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
         }));
       } else {
         res.writeHead(404, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ ok: false, error: "Not found. Use POST /send or GET /status" }));
+        res.end(JSON.stringify({ ok: false, error: "Not found. Use POST /send, POST /action, or GET /status" }));
       }
     });
     this._httpServer.listen(port, "127.0.0.1", () => {
@@ -47047,7 +47182,15 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
                   nonce: hexToBytes(msgData.nonce)
                 };
                 const ratchet = DoubleRatchet.deserialize(channelEntry.session.ratchetState);
-                const plaintext = ratchet.decrypt(encryptedMessage);
+                const ratchetSnapshot = channelEntry.session.ratchetState;
+                let a2aPlaintext;
+                try {
+                  a2aPlaintext = ratchet.decrypt(encryptedMessage);
+                } catch (decryptErr) {
+                  console.error(`[SecureChannel] A2A decrypt failed \u2014 restoring ratchet state:`, decryptErr);
+                  channelEntry.session.ratchetState = ratchetSnapshot;
+                  return;
+                }
                 channelEntry.session.ratchetState = ratchet.serialize();
                 if (channelEntry.role === "responder" && !channelEntry.session.activated) {
                   channelEntry.session.activated = true;
@@ -47070,7 +47213,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
                 }
                 await this._persistState();
                 const a2aMsg = {
-                  text: plaintext,
+                  text: a2aPlaintext,
                   fromHubAddress: msgData.from_hub_address || msgData.hub_address || "",
                   channelId,
                   conversationId: msgData.conversation_id || "",
@@ -47141,7 +47284,19 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
       header_blob: msgData.header_blob,
       ciphertext: msgData.ciphertext
     });
-    const plaintext = session.ratchet.decrypt(encrypted);
+    const ratchetSnapshot = session.ratchet.serialize();
+    let plaintext;
+    try {
+      plaintext = session.ratchet.decrypt(encrypted);
+    } catch (decryptErr) {
+      console.error(`[SecureChannel] Decrypt failed for conv ${convId.slice(0, 8)}... \u2014 restoring ratchet:`, decryptErr);
+      try {
+        session.ratchet = DoubleRatchet.deserialize(ratchetSnapshot);
+      } catch (restoreErr) {
+        console.error("[SecureChannel] Ratchet restore failed:", restoreErr);
+      }
+      return;
+    }
     this._sendAck(msgData.message_id);
     if (!session.activated) {
       session.activated = true;
@@ -47529,9 +47684,14 @@ ${messageText}`;
       ciphertext: msgData.ciphertext
     });
     let plaintext;
+    const ratchetSnapshot = session.ratchet.serialize();
     try {
       plaintext = session.ratchet.decrypt(encrypted);
     } catch (decryptErr) {
+      try {
+        session.ratchet = DoubleRatchet.deserialize(ratchetSnapshot);
+      } catch {
+      }
       console.warn(
         `[SecureChannel] Room decrypt failed for conv ${convId.slice(0, 8)}...: ${String(decryptErr)}, re-initializing ratchet`
       );
@@ -47677,7 +47837,20 @@ ${messageText}`;
               header_blob: msg.header_blob,
               ciphertext: msg.ciphertext
             });
-            const plaintext = session.ratchet.decrypt(encrypted);
+            const ratchetSnapshot = session.ratchet.serialize();
+            let plaintext;
+            try {
+              plaintext = session.ratchet.decrypt(encrypted);
+            } catch (decryptErr) {
+              console.error(`[SecureChannel] Sync decrypt failed for ${msg.conversation_id.slice(0, 8)}... \u2014 restoring ratchet:`, decryptErr);
+              try {
+                session.ratchet = DoubleRatchet.deserialize(ratchetSnapshot);
+              } catch {
+              }
+              this._persisted.lastMessageTimestamp = msg.created_at;
+              since = msg.created_at;
+              continue;
+            }
             this._sendAck(msg.id);
             if (!session.activated) {
               session.activated = true;
@@ -47712,7 +47885,7 @@ ${messageText}`;
             totalProcessed++;
           } catch (err) {
             console.warn(
-              `[SecureChannel] Sync decrypt failed for msg ${msg.id.slice(0, 8)}... in conv ${msg.conversation_id.slice(0, 8)}...: ${String(err)}`
+              `[SecureChannel] Sync failed for msg ${msg.id.slice(0, 8)}... in conv ${msg.conversation_id.slice(0, 8)}...: ${String(err)}`
             );
             this._persisted.lastMessageTimestamp = msg.created_at;
             since = msg.created_at;
@@ -47908,7 +48081,18 @@ ${messageText}`;
               header_blob: msg.header_blob,
               ciphertext: msg.ciphertext
             });
-            const plaintext = session.ratchet.decrypt(encrypted);
+            const ratchetSnapshot = session.ratchet.serialize();
+            let plaintext;
+            try {
+              plaintext = session.ratchet.decrypt(encrypted);
+            } catch (decryptErr) {
+              console.error(`[SecureChannel] Room sync decrypt failed for ${msg.conversation_id.slice(0, 8)}... \u2014 restoring ratchet:`, decryptErr);
+              try {
+                session.ratchet = DoubleRatchet.deserialize(ratchetSnapshot);
+              } catch {
+              }
+              continue;
+            }
             if (!session.activated) {
               session.activated = true;
             }
@@ -47988,6 +48172,7 @@ ${messageText}`;
       };
     }
     await saveState(this.config.dataDir, this._persisted);
+    await backupState(this.config.dataDir);
   }
 };
 
@@ -48014,8 +48199,7 @@ function resolveAccount(cfg, accountId) {
         apiUrl: av.apiUrl ?? DEFAULT_API_URL,
         agentName: id,
         httpPort: DEFAULT_HTTP_PORT,
-        configured: false,
-        inviteToken: ""
+        configured: false
       };
     }
     let httpPort = acct.httpPort;
@@ -48030,8 +48214,7 @@ function resolveAccount(cfg, accountId) {
       apiUrl: acct.apiUrl ?? av.apiUrl ?? DEFAULT_API_URL,
       agentName: acct.agentName ?? id,
       httpPort,
-      configured: Boolean(acct.dataDir),
-      inviteToken: acct.inviteToken ?? ""
+      configured: Boolean(acct.dataDir)
     };
   }
   return {
@@ -48040,8 +48223,7 @@ function resolveAccount(cfg, accountId) {
     apiUrl: av.apiUrl ?? DEFAULT_API_URL,
     agentName: av.agentName ?? "OpenClaw Agent",
     httpPort: av.httpPort ?? DEFAULT_HTTP_PORT,
-    configured: Boolean(av.dataDir),
-    inviteToken: av.inviteToken ?? ""
+    configured: Boolean(av.dataDir)
   };
 }
 
@@ -48082,43 +48264,46 @@ var agentVaultPlugin = {
       }
       const dataDir = resolve(account.dataDir.replace(/^~/, process.env.HOME ?? "~"));
       log?.(`[AgentVault] starting channel (dataDir=${dataDir})`);
-      const channel = new SecureChannel({
-        // No invite token needed — resuming from persisted enrolled state
-        inviteToken: "",
-        dataDir,
-        apiUrl: account.apiUrl,
-        agentName: account.agentName,
-        onMessage: async (plaintext, metadata) => {
-          if (!_ocRuntime) {
-            log?.("[AgentVault] runtime not ready \u2014 dropping inbound message");
-            return;
-          }
-          try {
-            await _handleInbound({ plaintext, metadata, channel, account, cfg });
-          } catch (err) {
-            log?.(`[AgentVault] inbound dispatch error: ${String(err)}`);
+      await new Promise((resolvePromise, reject) => {
+        const channel = new SecureChannel({
+          inviteToken: "",
+          dataDir,
+          apiUrl: account.apiUrl,
+          agentName: account.agentName,
+          onMessage: async (plaintext, metadata) => {
+            if (!_ocRuntime) {
+              log?.("[AgentVault] runtime not ready \u2014 dropping inbound message");
+              return;
+            }
+            try {
+              await _handleInbound({ plaintext, metadata, channel, account, cfg });
+            } catch (err) {
+              log?.(`[AgentVault] inbound dispatch error: ${String(err)}`);
+            }
+          },
+          onStateChange: (state) => {
+            log?.(`[AgentVault] state \u2192 ${state}`);
+            if (state === "error") reject(new Error("AgentVault channel permanent error"));
           }
-        },
-        onStateChange: (state) => {
-          log?.(`[AgentVault] state \u2192 ${state}`);
-        }
-      });
-      _channels.set(account.accountId, channel);
-      const httpPort = account.httpPort;
-      channel.on("ready", () => {
-        channel.startHttpServer(httpPort);
-        log?.(`[AgentVault] HTTP send server listening on http://127.0.0.1:${httpPort}`);
-      });
-      abortSignal?.addEventListener("abort", () => {
-        _channels.delete(account.accountId);
-      });
-      await channel.start();
-      return {
-        stop: async () => {
+        });
+        _channels.set(account.accountId, channel);
+        channel.on("error", (err) => {
+          log?.(`[AgentVault] channel error (non-fatal): ${String(err)}`);
+        });
+        const httpPort = account.httpPort;
+        channel.on("ready", () => {
+          channel.startHttpServer(httpPort);
+          log?.(`[AgentVault] HTTP send server listening on http://127.0.0.1:${httpPort}`);
+        });
+        abortSignal?.addEventListener("abort", async () => {
           await channel.stop();
           _channels.delete(account.accountId);
-        }
-      };
+          resolvePromise();
+        });
+        channel.start().catch(reject);
+      });
+      return { stop: async () => {
+      } };
     }
   },
   outbound: {
@@ -48283,7 +48468,7 @@ async function checkGateway(options) {
 }
 
 // src/index.ts
-var VERSION = "0.11.0";
+var VERSION = "0.13.8";
 export {
   SecureChannel,
   VERSION,