@allbaseai/openclaw-allbase 0.1.0 → 0.1.2

package/README.md

@@ -1,11 +1,12 @@
 # OpenClaw Allbase Plugin
 
-Connect OpenClaw agents to Allbase profiles (workspace/agent/api key), with per-agent mapping.
+Connect OpenClaw agents to Allbase profiles with **OAuth (recommended)** and env/api-key fallback.
 
 ## What it supports
 
 - Map each OpenClaw agent to a different Allbase profile
-- Or map all OpenClaw agents to the same Allbase profile
+- OAuth-first auth (access token or refresh-token flow)
+- Env/api-key fallback for server-side automation
 - Tools exposed in agent runtime:
   - `allbase` with actions:
     - `status`
@@ -18,7 +19,7 @@ Connect OpenClaw agents to Allbase profiles (workspace/agent/api key), with per-
 ## Install (npm)
 
 ```bash
-openclaw plugins install @allbase/openclaw-allbase
+openclaw plugins install @allbaseai/openclaw-allbase
 ```
 
 ## Install (local path)
@@ -31,9 +32,45 @@ openclaw plugins install -l /home/jason/Documents/botscripts/skills/openclaw-all
 
 Then restart gateway.
 
-## Config example
+## Config path
 
-Put this under `plugins.entries.allbase.config`:
+Use `plugins.entries.openclaw-allbase.config`.
+
+## OAuth config (recommended)
+
+```json5
+{
+  baseUrl: "https://allbase.ai",
+  defaultProfile: "team",
+  profiles: {
+    team: {
+      // Option A: direct access token
+      oauthAccessToken: "eyJ...",
+
+      // Option B: refresh flow
+      // oauthRefreshToken: "...",
+      // oauthClientId: "oac-...",
+      // oauthTokenEndpoint: "https://allbase.ai/oauth/token"
+    }
+  },
+  mapByOpenclawAgent: {
+    "alan-allbase": "team"
+  }
+}
+```
+
+With OAuth, users can authorize/select their Allbase agent upstream and avoid static env wiring.
+
+## Env/API-key fallback (secondary)
+
+If OAuth is not configured, the plugin can use profile credentials or env vars:
+
+- `ALLBASE_WORKSPACE_ID`
+- `ALLBASE_AGENT_ID`
+- `ALLBASE_AGENT_API_KEY` (or `ALLBASE_API_KEY`)
+- optional: `ALLBASE_BASE_URL`, `ALLBASE_TOKEN_PATH`
+
+Profile-based api-key config still works:
 
 ```json5
 {
@@ -45,16 +82,7 @@ Put this under `plugins.entries.allbase.config`:
       workspaceId: "ws-TEAM",
       agentId: "team-agent",
       apiKey: "abk_..."
-    },
-    personal: {
-      workspaceId: "ws-PERSONAL",
-      agentId: "jason-agent",
-      apiKey: "abk_..."
     }
-  },
-  mapByOpenclawAgent: {
-    "alan-allbase": "team",
-    "assistant-personal": "personal"
   }
 }
 ```
@@ -72,6 +100,6 @@ Optional `profile` parameter overrides automatic mapping for one call.
 
 ## Notes
 
-- Keep API keys private.
-- If token exchange fails, verify workspace_id + agent_id + api_key belong together.
+- Plugin id is `openclaw-allbase` (use this id in `plugins.entries.*`).
+- Keep tokens/API keys private.
 - `upload_document` requires local file path available to the gateway host.

package/index.ts

@@ -7,10 +7,15 @@ import { basename } from "node:path";
 type AgentResult = { content: Array<{ type: string; text: string }>; details?: unknown };
 
 type AllbaseProfile = {
-  workspaceId: string;
-  agentId: string;
-  apiKey: string;
+  workspaceId?: string;
+  agentId?: string;
+  apiKey?: string;
   baseUrl?: string;
+  oauthAccessToken?: string;
+  oauthRefreshToken?: string;
+  oauthClientId?: string;
+  oauthTokenEndpoint?: string;
+  oauthScope?: string;
 };
 
 type AllbasePluginConfig = {
@@ -46,7 +51,7 @@ const AllbaseToolSchema = Type.Object(
     tag: Type.Optional(Type.String({ description: "Single tag filter" })),
 
     filePath: Type.Optional(Type.String({ description: "Local file path to upload" })),
-    title: Type.Optional(Type.String({ description: "Optional document title" }))
+    title: Type.Optional(Type.String({ description: "Optional document title" })),
   },
   { additionalProperties: false },
 );
@@ -73,10 +78,24 @@ function getConfig(api: OpenClawPluginApi): AllbasePluginConfig {
 }
 
 function resolveBaseUrl(cfg: AllbasePluginConfig, profile?: AllbaseProfile): string {
-  const base = (profile?.baseUrl || cfg.baseUrl || "https://allbase.ai").trim();
+  const base = (profile?.baseUrl || cfg.baseUrl || process.env.ALLBASE_BASE_URL || "https://allbase.ai").trim();
   return base.replace(/\/+$/, "");
 }
 
+function getEnvFallbackProfile(): AllbaseProfile {
+  return {
+    workspaceId: process.env.ALLBASE_WORKSPACE_ID,
+    agentId: process.env.ALLBASE_AGENT_ID,
+    apiKey: process.env.ALLBASE_AGENT_API_KEY || process.env.ALLBASE_API_KEY,
+    oauthAccessToken: process.env.ALLBASE_OAUTH_ACCESS_TOKEN,
+    oauthRefreshToken: process.env.ALLBASE_OAUTH_REFRESH_TOKEN,
+    oauthClientId: process.env.ALLBASE_OAUTH_CLIENT_ID,
+    oauthTokenEndpoint: process.env.ALLBASE_OAUTH_TOKEN_ENDPOINT,
+    oauthScope: process.env.ALLBASE_OAUTH_SCOPE,
+    baseUrl: process.env.ALLBASE_BASE_URL,
+  };
+}
+
 function resolveProfile(
   api: OpenClawPluginApi,
   ctx: OpenClawPluginToolContext,
@@ -89,52 +108,125 @@ function resolveProfile(
     (profileOverride && profileOverride.trim()) ||
     (ctx.agentId ? cfg.mapByOpenclawAgent?.[ctx.agentId] : undefined) ||
     cfg.defaultProfile ||
-    Object.keys(profiles)[0];
+    Object.keys(profiles)[0] ||
+    "env";
+
+  const fromConfig = profiles[selectedName];
+  const profile = selectedName === "env" ? { ...getEnvFallbackProfile(), ...(fromConfig || {}) } : fromConfig;
 
-  if (!selectedName) {
+  if (!profile) {
     throw new Error(
-      "No Allbase profile resolved. Configure plugins.entries.allbase.config.profiles and defaultProfile.",
+      "No Allbase profile resolved. Configure plugins.entries.openclaw-allbase.config.profiles or use env fallback variables.",
     );
   }
 
-  const profile = profiles[selectedName];
-  if (!profile) {
-    throw new Error(`Configured profile not found: ${selectedName}`);
-  }
+  const hasOAuth = Boolean(profile.oauthAccessToken || profile.oauthRefreshToken);
+  const hasApiKey = Boolean(profile.workspaceId && profile.agentId && profile.apiKey);
 
-  if (!profile.workspaceId || !profile.agentId || !profile.apiKey) {
-    throw new Error(`Profile ${selectedName} is missing workspaceId/agentId/apiKey`);
+  if (!hasOAuth && !hasApiKey) {
+    throw new Error(
+      `Profile ${selectedName} is missing auth config. Provide OAuth (oauthAccessToken/refresh) or api credentials (workspaceId/agentId/apiKey).`,
+    );
   }
 
   const baseUrl = resolveBaseUrl(cfg, profile);
-  const tokenPath = (cfg.tokenPath || "/token").trim() || "/token";
+  const tokenPath = (cfg.tokenPath || process.env.ALLBASE_TOKEN_PATH || "/token").trim() || "/token";
 
   return { profileName: selectedName, profile, baseUrl, tokenPath };
 }
 
+function jwtExpMs(token: string): number | null {
+  try {
+    const part = token.split(".")[1];
+    if (!part) return null;
+    const payload = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
+    if (typeof payload?.exp === "number") return payload.exp * 1000;
+  } catch {
+    // ignore parse issues
+  }
+  return null;
+}
+
+async function getOAuthToken(baseUrl: string, profile: AllbaseProfile): Promise<{ token: string; exp: number }> {
+  const directToken = profile.oauthAccessToken?.trim();
+  if (directToken) {
+    return { token: directToken, exp: jwtExpMs(directToken) ?? Date.now() + 15 * 60_000 };
+  }
+
+  const refreshToken = profile.oauthRefreshToken?.trim();
+  const clientId = profile.oauthClientId?.trim();
+  if (!refreshToken || !clientId) {
+    throw new Error("OAuth config requires oauthAccessToken or oauthRefreshToken+oauthClientId");
+  }
+
+  const tokenEndpoint = (profile.oauthTokenEndpoint || `${baseUrl}/oauth/token`).trim();
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_id: clientId,
+  });
+  if (profile.oauthScope?.trim()) body.set("scope", profile.oauthScope.trim());
+
+  const response = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString(),
+  });
+
+  if (!response.ok) {
+    throw new Error(`OAuth refresh failed (${response.status}): ${await response.text()}`);
+  }
+
+  const data = (await response.json()) as { access_token?: string; expires_in?: number };
+  if (!data.access_token) throw new Error("OAuth refresh did not return access_token");
+
+  const exp = Date.now() + Math.max(60_000, (data.expires_in ?? 3600) * 1000);
+  return { token: data.access_token, exp };
+}
+
 async function getAccessToken(
   api: OpenClawPluginApi,
   ctx: OpenClawPluginToolContext,
   profileOverride?: string,
-): Promise<{ token: string; resolved: ReturnType<typeof resolveProfile> }> {
+): Promise<{ token: string; resolved: ReturnType<typeof resolveProfile>; authMode: "oauth" | "api_key" }> {
   const resolved = resolveProfile(api, ctx, profileOverride);
   const { profile, baseUrl, tokenPath } = resolved;
-  const cacheKey = `${baseUrl}|${profile.workspaceId}|${profile.agentId}|${profile.apiKey}`;
+
+  const hasOAuth = Boolean(profile.oauthAccessToken || profile.oauthRefreshToken);
+  const hasApiKey = Boolean(profile.workspaceId && profile.agentId && profile.apiKey);
+
+  if (hasOAuth) {
+    const cacheKey = `oauth|${baseUrl}|${resolved.profileName}|${profile.oauthClientId || ""}`;
+    const now = Date.now();
+    const cached = tokenCache.get(cacheKey);
+    if (cached && cached.exp > now + 30_000) return { token: cached.token, resolved, authMode: "oauth" };
+
+    const refreshed = await getOAuthToken(baseUrl, profile);
+    tokenCache.set(cacheKey, refreshed);
+    return { token: refreshed.token, resolved, authMode: "oauth" };
+  }
+
+  if (!hasApiKey) {
+    throw new Error("No usable auth mode found. Configure OAuth or workspaceId/agentId/apiKey.");
+  }
+
+  const cacheKey = `apikey|${baseUrl}|${profile.workspaceId}|${profile.agentId}|${profile.apiKey}`;
   const now = Date.now();
   const cached = tokenCache.get(cacheKey);
   if (cached && cached.exp > now + 30_000) {
-    return { token: cached.token, resolved };
+    return { token: cached.token, resolved, authMode: "api_key" };
   }
 
   const url = new URL(`${baseUrl}${tokenPath}`);
-  url.searchParams.set("workspace_id", profile.workspaceId);
-  url.searchParams.set("agent_id", profile.agentId);
-  url.searchParams.set("api_key", profile.apiKey);
+  url.searchParams.set("workspace_id", profile.workspaceId!);
+  url.searchParams.set("agent_id", profile.agentId!);
+  url.searchParams.set("api_key", profile.apiKey!);
 
   const response = await fetch(url, { method: "POST" });
   if (!response.ok) {
     throw new Error(`Token exchange failed (${response.status}): ${await response.text()}`);
   }
+
   const data = (await response.json()) as { access_token?: string; expires_in?: number };
   if (!data.access_token) {
     throw new Error("Token exchange did not return access_token");
@@ -142,7 +234,7 @@ async function getAccessToken(
 
   const ttlMs = Math.max(60_000, (data.expires_in ?? 3600) * 1000);
   tokenCache.set(cacheKey, { token: data.access_token, exp: now + ttlMs });
-  return { token: data.access_token, resolved };
+  return { token: data.access_token, resolved, authMode: "api_key" };
 }
 
 async function callAllbase(
@@ -152,7 +244,7 @@ async function callAllbase(
   path: string,
   init: RequestInit,
 ) {
-  const { token, resolved } = await getAccessToken(api, ctx, profileOverride);
+  const { token, resolved, authMode } = await getAccessToken(api, ctx, profileOverride);
   const response = await fetch(`${resolved.baseUrl}${path}`, {
     ...init,
     headers: {
@@ -169,7 +261,7 @@ async function callAllbase(
     // keep text body
   }
 
-  return { ok: response.ok, status: response.status, body, resolved };
+  return { ok: response.ok, status: response.status, body, resolved, authMode };
 }
 
 async function executeAllbaseTool(
@@ -198,15 +290,17 @@ async function executeAllbaseTool(
     if (action === "status") {
       const cfg = getConfig(api);
       const resolved = resolveProfile(api, ctx, profileOverride);
+      const auth = await getAccessToken(api, ctx, profileOverride);
       const healthResp = await fetch(`${resolveBaseUrl(cfg, resolved.profile)}/healthz`);
       const health = await healthResp.json().catch(() => ({}));
       return json({
         ok: true,
         profile: resolved.profileName,
         openclawAgentId: ctx.agentId || null,
-        workspaceId: resolved.profile.workspaceId,
-        allbaseAgentId: resolved.profile.agentId,
+        workspaceId: resolved.profile.workspaceId || null,
+        allbaseAgentId: resolved.profile.agentId || null,
         baseUrl: resolved.baseUrl,
+        authMode: auth.authMode,
         health,
       });
     }
@@ -221,7 +315,7 @@ async function executeAllbaseTool(
         tags: parseTags(params.tags),
         visibility: params.visibility === "public" ? "public" : "private",
         is_verified: false,
-        metadata: { source: "openclaw-plugin", plugin: "allbase" },
+        metadata: { source: "openclaw-plugin", plugin: "openclaw-allbase" },
       };
 
       const result = await callAllbase(api, ctx, profileOverride, "/memories", {
@@ -279,7 +373,7 @@ async function executeAllbaseTool(
       form.append("file", new Blob([fileData]), basename(filePath));
       if (params.title?.trim()) form.append("title", params.title.trim());
 
-      const { token, resolved } = await getAccessToken(api, ctx, profileOverride);
+      const { token, resolved, authMode } = await getAccessToken(api, ctx, profileOverride);
       const response = await fetch(`${resolved.baseUrl}/documents/upload`, {
         method: "POST",
         headers: { Authorization: `Bearer ${token}` },
@@ -292,25 +386,25 @@ async function executeAllbaseTool(
       } catch {
         // keep text
       }
-      return json({ ok: response.ok, status: response.status, body, resolved });
+      return json({ ok: response.ok, status: response.status, body, resolved, authMode });
     }
 
     throw new Error(`Unsupported action: ${String(action)}`);
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    api.logger.warn(`[allbase] tool error: ${message}`);
+    api.logger.warn(`[openclaw-allbase] tool error: ${message}`);
     return json({ ok: false, error: message });
   }
 }
 
 const plugin = {
-  id: "allbase",
+  id: "openclaw-allbase",
   name: "Allbase",
   description: "Allbase memory/document tools with per-agent profile mapping",
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     api.registerTool(
-      ((ctx: OpenClawPluginToolContext) => {
+      (ctx: OpenClawPluginToolContext) => {
         return {
           name: "allbase",
           label: "Allbase",
@@ -319,7 +413,7 @@ const plugin = {
           parameters: AllbaseToolSchema,
           execute: (toolCallId: string, params: any) => executeAllbaseTool(api, ctx, toolCallId, params),
         } as AnyAgentTool;
-      }),
+      },
       { optional: true },
     );
 
@@ -328,16 +422,18 @@ const plugin = {
       description: "Show resolved Allbase profile for this agent",
       acceptsArgs: true,
       requireAuth: true,
-      handler: (cmdCtx) => {
+      handler: async (cmdCtx) => {
         const profileOverride = (cmdCtx.args || "").trim() || undefined;
         try {
           const resolved = resolveProfile(api, { agentId: cmdCtx.config.defaultAgentId }, profileOverride);
+          const auth = await getAccessToken(api, { agentId: cmdCtx.config.defaultAgentId }, profileOverride);
           return {
             text:
               `Allbase profile: ${resolved.profileName}\n` +
               `Base URL: ${resolved.baseUrl}\n` +
-              `Workspace: ${resolved.profile.workspaceId}\n` +
-              `Allbase Agent: ${resolved.profile.agentId}`,
+              `Auth mode: ${auth.authMode}\n` +
+              `Workspace: ${resolved.profile.workspaceId || "(from OAuth)"}\n` +
+              `Allbase Agent: ${resolved.profile.agentId || "(from OAuth)"}`,
           };
         } catch (err) {
           return { text: `Allbase profile resolution failed: ${err instanceof Error ? err.message : String(err)}` };

package/openclaw.plugin.json

@@ -1,5 +1,5 @@
 {
-  "id": "allbase",
+  "id": "openclaw-allbase",
   "name": "Allbase",
   "description": "Allbase memory/document tools with per-OpenClaw-agent profile mapping.",
   "uiHints": {
@@ -11,7 +11,12 @@
     "profiles.*.workspaceId": { "label": "Workspace ID" },
     "profiles.*.agentId": { "label": "Allbase Agent ID" },
     "profiles.*.apiKey": { "label": "Allbase API Key", "sensitive": true },
-    "profiles.*.baseUrl": { "label": "Profile Base URL", "advanced": true }
+    "profiles.*.baseUrl": { "label": "Profile Base URL", "advanced": true },
+    "profiles.*.oauthAccessToken": { "label": "OAuth Access Token", "sensitive": true },
+    "profiles.*.oauthRefreshToken": { "label": "OAuth Refresh Token", "sensitive": true },
+    "profiles.*.oauthClientId": { "label": "OAuth Client ID" },
+    "profiles.*.oauthTokenEndpoint": { "label": "OAuth Token Endpoint", "advanced": true },
+    "profiles.*.oauthScope": { "label": "OAuth Scope", "advanced": true }
   },
   "configSchema": {
     "type": "object",
@@ -25,12 +30,16 @@
         "additionalProperties": {
           "type": "object",
           "additionalProperties": false,
-          "required": ["workspaceId", "agentId", "apiKey"],
           "properties": {
             "workspaceId": { "type": "string" },
             "agentId": { "type": "string" },
             "apiKey": { "type": "string" },
-            "baseUrl": { "type": "string" }
+            "baseUrl": { "type": "string" },
+            "oauthAccessToken": { "type": "string" },
+            "oauthRefreshToken": { "type": "string" },
+            "oauthClientId": { "type": "string" },
+            "oauthTokenEndpoint": { "type": "string" },
+            "oauthScope": { "type": "string" }
           }
         }
       },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@allbaseai/openclaw-allbase",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "type": "module",
   "description": "OpenClaw plugin to map OpenClaw agents to Allbase agent/workspace profiles.",
   "license": "MIT",