npm - @agentvault/agentvault - Versions diffs - 0.17.5 → 0.18.0 - Mend

@agentvault/agentvault 0.17.5 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli.js +231 -1
package/dist/cli.js.map +4 -4
package/dist/index.js +246 -10
package/dist/index.js.map +4 -4
package/dist/openclaw-entry.js +45057 -87
package/dist/openclaw-entry.js.map +4 -4
package/openclaw.plugin.json +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -46265,6 +46265,123 @@ var init_dist = __esm({
   }
 });
+// src/credential-store.ts
+var CredentialStore;
+var init_credential_store = __esm({
+  "src/credential-store.ts"() {
+    "use strict";
+    CredentialStore = class _CredentialStore {
+      /** Map<roomId, Map<credentialKey, RenterCredential>> */
+      _store = /* @__PURE__ */ new Map();
+      /** Seen nonces for replay prevention — bounded per room */
+      _seenNonces = /* @__PURE__ */ new Map();
+      static MAX_NONCES_PER_ROOM = 1e3;
+      constructor() {
+        const purge = () => this.purgeAll();
+        process.on("exit", purge);
+        process.on("SIGINT", () => {
+          purge();
+          process.exit(0);
+        });
+        process.on("SIGTERM", () => {
+          purge();
+          process.exit(0);
+        });
+      }
+      /**
+       * Check if a nonce has been seen (replay prevention).
+       * Returns true if the nonce is new (not a replay), false if seen before.
+       */
+      checkNonce(roomId, nonce) {
+        if (!nonce) return true;
+        let nonces = this._seenNonces.get(roomId);
+        if (!nonces) {
+          nonces = /* @__PURE__ */ new Set();
+          this._seenNonces.set(roomId, nonces);
+        }
+        if (nonces.has(nonce)) return false;
+        nonces.add(nonce);
+        if (nonces.size > _CredentialStore.MAX_NONCES_PER_ROOM) {
+          const iter = nonces.values();
+          for (let i2 = 0; i2 < 100; i2++) {
+            const val = iter.next().value;
+            if (val !== void 0) nonces.delete(val);
+          }
+        }
+        return true;
+      }
+      /** Store a credential for a room. */
+      grant(roomId, credential) {
+        let room = this._store.get(roomId);
+        if (!room) {
+          room = /* @__PURE__ */ new Map();
+          this._store.set(roomId, room);
+        }
+        room.set(credential.key, credential);
+      }
+      /** Revoke a specific credential. */
+      revoke(roomId, key) {
+        const room = this._store.get(roomId);
+        if (!room) return false;
+        return room.delete(key);
+      }
+      /** Revoke all credentials for a room. */
+      revokeAll(roomId) {
+        this._store.delete(roomId);
+      }
+      /** Get a credential value. */
+      get(roomId, key) {
+        return this._store.get(roomId)?.get(key);
+      }
+      /** Get all credentials for a room (values included — only for agent context injection). */
+      getAll(roomId) {
+        const room = this._store.get(roomId);
+        if (!room) return [];
+        return Array.from(room.values());
+      }
+      /** Get credential info without values (safe for logging). */
+      getInfo(roomId) {
+        const room = this._store.get(roomId);
+        if (!room) return [];
+        return Array.from(room.values()).map((c2) => ({
+          key: c2.key,
+          type: c2.type,
+          scope: c2.scope,
+          grantedAt: c2.grantedAt
+        }));
+      }
+      /** Check if a specific credential exists. */
+      has(roomId, key) {
+        return this._store.get(roomId)?.has(key) ?? false;
+      }
+      /** Get credential count for a room. */
+      count(roomId) {
+        return this._store.get(roomId)?.size ?? 0;
+      }
+      /** Purge all credentials for a room (rental end). */
+      purgeForRoom(roomId) {
+        this._store.delete(roomId);
+        this._seenNonces.delete(roomId);
+      }
+      /** Purge everything (process exit). */
+      purgeAll() {
+        this._store.clear();
+        this._seenNonces.clear();
+      }
+      /** Get a map of credential key → value for context injection. */
+      getCredentialMap(roomId) {
+        const room = this._store.get(roomId);
+        if (!room) return {};
+        const result = {};
+        for (const [key, cred] of room) {
+          result[key] = cred.value;
+        }
+        return result;
+      }
+    };
+  }
+});
 // src/crypto-helpers.ts
 var init_crypto_helpers = __esm({
   async "src/crypto-helpers.ts"() {
@@ -46934,12 +47051,13 @@ function migratePersistedState(raw) {
     messageHistory: []
   };
 }
-var ROOM_AGENT_TYPES, POLL_INTERVAL_MS, RECONNECT_BASE_MS, RECONNECT_MAX_MS, PENDING_POLL_INTERVAL_MS, SecureChannel;
+var ROOM_AGENT_TYPES, CREDENTIAL_MESSAGE_TYPES, POLL_INTERVAL_MS, RECONNECT_BASE_MS, RECONNECT_MAX_MS, PENDING_POLL_INTERVAL_MS, SecureChannel;
 var init_channel = __esm({
   async "src/channel.ts"() {
     "use strict";
     await init_libsodium_wrappers();
     await init_dist();
+    init_credential_store();
     await init_crypto_helpers();
     await init_state();
     init_transport2();
@@ -46950,6 +47068,11 @@ var init_channel = __esm({
       "decision_response",
       "artifact_share"
     ]);
+    CREDENTIAL_MESSAGE_TYPES = /* @__PURE__ */ new Set([
+      "credential_grant",
+      "credential_revoke",
+      "credential_request"
+    ]);
     POLL_INTERVAL_MS = 6e3;
     RECONNECT_BASE_MS = 1e3;
     RECONNECT_MAX_MS = 3e4;
@@ -46992,6 +47115,8 @@ var init_channel = __esm({
       _senderKeyChains = /* @__PURE__ */ new Map();
       /** Sender Key peer state — peer chains per room for decryption */
       _senderKeyStates = /* @__PURE__ */ new Map();
+      /** In-memory credential store for renter-provided credentials (never persisted). */
+      _credentialStore = new CredentialStore();
       /** Queued A2A messages for responder channels not yet activated (no first initiator message received). */
       _a2aPendingQueue = {};
       /** Dedup buffer for A2A message IDs (prevents double-delivery via direct + Redis) */
@@ -49778,6 +49903,14 @@ ${messageText}`;
           messageType = "message";
           messageText = plaintext;
         }
+        if (CREDENTIAL_MESSAGE_TYPES.has(messageType)) {
+          this._handleCredentialMessage(msgData.room_id, messageType, messageText, msgData.message_id);
+          if (msgData.created_at && this._persisted) {
+            this._persisted.lastMessageTimestamp = msgData.created_at;
+          }
+          await this._persistState();
+          return;
+        }
         if (!ROOM_AGENT_TYPES.has(messageType)) {
           return;
         }
@@ -49814,6 +49947,94 @@ ${messageText}`;
           console.error("[SecureChannel] onMessage callback error:", err);
         });
       }
+      /**
+       * Handle credential protocol messages (grant, revoke, request).
+       * These are intercepted before reaching the agent's onMessage callback.
+       */
+      _handleCredentialMessage(roomId, messageType, plaintext, messageId) {
+        try {
+          const payload = JSON.parse(plaintext);
+          if (messageType === "credential_grant") {
+            const grant = payload;
+            if (grant.nonce && !this._credentialStore.checkNonce(roomId, grant.nonce)) {
+              console.warn(`[SecureChannel] Credential grant replay detected for room ${roomId.slice(0, 8)}..., ignoring`);
+              return;
+            }
+            const keys = [];
+            for (const cred of grant.credentials || []) {
+              this._credentialStore.grant(roomId, {
+                key: cred.key,
+                value: cred.value,
+                type: cred.type,
+                scope: cred.scope,
+                grantedAt: grant.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
+                agreementId: grant.agreement_id,
+                roomId
+              });
+              keys.push(cred.key);
+            }
+            console.log(
+              `[SecureChannel] Credentials granted for room ${roomId.slice(0, 8)}...: ${keys.join(", ")} (${keys.length} keys)`
+            );
+            this._sendCredentialAck(roomId, grant.agreement_id, keys, "stored");
+            this.emit("credentials_granted", { roomId, keys, agreementId: grant.agreement_id });
+          } else if (messageType === "credential_revoke") {
+            const revoke = payload;
+            const revoked = [];
+            for (const key of revoke.credential_keys || []) {
+              if (this._credentialStore.revoke(roomId, key)) {
+                revoked.push(key);
+              }
+            }
+            console.log(
+              `[SecureChannel] Credentials revoked for room ${roomId.slice(0, 8)}...: ${revoked.join(", ")} (reason: ${revoke.reason || "none"})`
+            );
+            this._sendCredentialAck(roomId, revoke.agreement_id, revoked, "revoked");
+            this.emit("credentials_revoked", { roomId, keys: revoked, agreementId: revoke.agreement_id });
+          }
+        } catch (err) {
+          console.error("[SecureChannel] Error handling credential message:", err);
+        }
+        if (messageId) {
+          this._sendAck(messageId);
+        }
+      }
+      /**
+       * Send a credential_ack back to a room.
+       */
+      _sendCredentialAck(roomId, agreementId, keys, ackStatus) {
+        const ack = JSON.stringify({
+          type: "credential_ack",
+          agreement_id: agreementId,
+          acknowledged_keys: keys,
+          status: ackStatus,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        this.sendToRoom(roomId, ack, { messageType: "credential_ack" }).catch((err) => {
+          console.warn("[SecureChannel] Failed to send credential ACK:", err);
+        });
+      }
+      // --- Public credential accessors ---
+      /** Get a specific renter credential for a room. */
+      getCredential(roomId, key) {
+        return this._credentialStore.get(roomId, key);
+      }
+      /** Get all renter credentials for a room (includes values — for agent context). */
+      getCredentials(roomId) {
+        return this._credentialStore.getAll(roomId);
+      }
+      /** Get credential key→value map for a room (for context injection). */
+      getCredentialMap(roomId) {
+        return this._credentialStore.getCredentialMap(roomId);
+      }
+      /** Check if a specific credential exists for a room. */
+      hasCredential(roomId, key) {
+        return this._credentialStore.has(roomId, key);
+      }
+      /** Purge all credentials for a room (call on rental end). */
+      purgeRoomCredentials(roomId) {
+        this._credentialStore.purgeForRoom(roomId);
+      }
       /**
        * Find the pairwise conversation ID for a given sender in a room.
        */
@@ -49976,6 +50197,14 @@ ${messageText}`;
           messageType = "message";
           messageText = plaintext;
         }
+        if (CREDENTIAL_MESSAGE_TYPES.has(messageType)) {
+          this._handleCredentialMessage(msgData.room_id, messageType, messageText, msgData.message_id);
+          if (msgData.created_at && this._persisted) {
+            this._persisted.lastMessageTimestamp = msgData.created_at;
+          }
+          await this._persistState();
+          return;
+        }
         if (!ROOM_AGENT_TYPES.has(messageType)) {
           return;
         }
@@ -76664,21 +76893,26 @@ function loadSkillsFromDirectory(dir) {
   const skills = [];
   const absDir = resolve2(dir);
   if (!existsSync(absDir)) return skills;
-  const rootSkill = join4(absDir, "SKILL.md");
-  if (existsSync(rootSkill)) {
-    const content = readFileSync(rootSkill, "utf-8");
-    const skill = parseSkillMd(content);
-    if (skill) skills.push(skill);
+  const seen = /* @__PURE__ */ new Set();
+  function tryLoad(filePath) {
+    if (seen.has(filePath)) return;
+    seen.add(filePath);
+    try {
+      const content = readFileSync(filePath, "utf-8");
+      const skill = parseSkillMd(content);
+      if (skill) skills.push(skill);
+    } catch {
+    }
   }
   try {
     const entries = readdirSync(absDir, { withFileTypes: true });
     for (const entry of entries) {
-      if (entry.isDirectory()) {
+      if (entry.isFile() && entry.name.endsWith("SKILL.md")) {
+        tryLoad(join4(absDir, entry.name));
+      } else if (entry.isDirectory()) {
         const subSkill = join4(absDir, entry.name, "SKILL.md");
         if (existsSync(subSkill)) {
-          const content = readFileSync(subSkill, "utf-8");
-          const skill = parseSkillMd(content);
-          if (skill) skills.push(skill);
+          tryLoad(subSkill);
         }
       }
     }
@@ -77079,6 +77313,7 @@ var init_index = __esm({
   async "src/index.ts"() {
     await init_channel();
     init_types();
+    init_credential_store();
     init_account_config();
     await init_openclaw_plugin();
     init_gateway_send();
@@ -77097,6 +77332,7 @@ var init_index = __esm({
 await init_index();
 export {
   AgentVaultMcpServer,
+  CredentialStore,
   PolicyEnforcer,
   SecureChannel,
   VERSION,