npm - @clawchatsai/connector - Versions diffs - 0.0.11 → 0.0.13 - Mend

@clawchatsai/connector 0.0.11 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/gateway-bridge.d.ts +1 -0
package/dist/gateway-bridge.js +75 -3
package/dist/index.d.ts +1 -1
package/dist/index.js +2 -4
package/dist/signaling-client.d.ts +1 -2
package/dist/signaling-client.js +3 -11
package/package.json +1 -1
package/server.js +62 -1

package/dist/gateway-bridge.d.ts CHANGED Viewed

@@ -20,6 +20,7 @@ export interface PluginConfig {
 }
 export interface BridgeConfig {
     gatewayToken: string;
+    dataDir: string;
 }
 export declare class GatewayBridge extends EventEmitter {
     private readonly gatewayUrl;

package/dist/gateway-bridge.js CHANGED Viewed

@@ -9,6 +9,9 @@
  * 3. Reconnect with exponential backoff on disconnect.
  */
 import { EventEmitter } from 'node:events';
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
 import { WebSocket } from 'ws';
 import { PLUGIN_VERSION } from './index.js';
 // Reconnect backoff constants (milliseconds)
@@ -19,6 +22,62 @@ const CLIENT_ID = 'gateway-client';
 const CLIENT_MODE = 'backend';
 const ROLE = 'operator';
 const SCOPES = ['operator.read', 'operator.write', 'operator.admin'];
+// ---------------------------------------------------------------------------
+// Device Identity — ed25519 key generation + connect payload signing
+// Required by OpenClaw ≥2.15 to prevent scope clearing on connect.
+// ---------------------------------------------------------------------------
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+function _derivePublicKeyRaw(publicKeyPem) {
+    const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
+    if (spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+        spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+        return spki.subarray(ED25519_SPKI_PREFIX.length);
+    }
+    return spki;
+}
+function _fingerprintPublicKey(publicKeyPem) {
+    return crypto.createHash('sha256').update(_derivePublicKeyRaw(publicKeyPem)).digest('hex');
+}
+function _base64UrlEncode(buf) {
+    return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+function _loadOrCreateDeviceIdentity(identityPath) {
+    try {
+        if (fs.existsSync(identityPath)) {
+            const parsed = JSON.parse(fs.readFileSync(identityPath, 'utf8'));
+            if (parsed?.version === 1 && parsed.deviceId && parsed.publicKeyPem && parsed.privateKeyPem) {
+                return parsed;
+            }
+        }
+    }
+    catch { /* regenerate */ }
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+    const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+    const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+    const identity = {
+        version: 1,
+        deviceId: _fingerprintPublicKey(publicKeyPem),
+        publicKeyPem,
+        privateKeyPem,
+        createdAtMs: Date.now(),
+    };
+    fs.mkdirSync(path.dirname(identityPath), { recursive: true });
+    fs.writeFileSync(identityPath, JSON.stringify(identity, null, 2) + '\n', { mode: 0o600 });
+    return identity;
+}
+function _buildDeviceAuth(identity, params) {
+    const signedAt = Date.now();
+    const payload = [
+        'v2', identity.deviceId, params.clientId, params.clientMode,
+        params.role, params.scopes.join(','), String(signedAt),
+        params.token || '', params.nonce,
+    ].join('|');
+    const privateKey = crypto.createPrivateKey(identity.privateKeyPem);
+    const signature = _base64UrlEncode(crypto.sign(null, Buffer.from(payload, 'utf8'), privateKey));
+    const publicKeyB64Url = _base64UrlEncode(_derivePublicKeyRaw(identity.publicKeyPem));
+    return { id: identity.deviceId, publicKey: publicKeyB64Url, signature, signedAt, nonce: params.nonce };
+}
+// ---------------------------------------------------------------------------
 export class GatewayBridge extends EventEmitter {
     gatewayUrl;
     config;
@@ -121,9 +180,11 @@ export class GatewayBridge extends EventEmitter {
         }
         const type = msg['type'];
         const event = msg['event'];
-        // connect.challenge → send token-only connect request (loopback skips nonce)
+        // connect.challenge → send signed connect request with device identity
         if (type === 'event' && event === 'connect.challenge') {
-            this._sendConnect();
+            const payload = msg['payload'];
+            const nonce = payload?.['nonce'] ?? '';
+            this._sendConnect(nonce);
             return;
         }
         // hello-ok → handshake complete
@@ -138,7 +199,17 @@ export class GatewayBridge extends EventEmitter {
             }
         }
     }
-    _sendConnect() {
+    _sendConnect(nonce) {
+        const identityPath = path.join(this.config.dataDir, 'device-identity.json');
+        const identity = _loadOrCreateDeviceIdentity(identityPath);
+        const device = _buildDeviceAuth(identity, {
+            clientId: CLIENT_ID,
+            clientMode: CLIENT_MODE,
+            role: ROLE,
+            scopes: SCOPES,
+            token: this.config.gatewayToken,
+            nonce,
+        });
         this.send(JSON.stringify({
             type: 'req',
             id: 'gw-connect-1',
@@ -154,6 +225,7 @@ export class GatewayBridge extends EventEmitter {
                 },
                 role: ROLE,
                 scopes: SCOPES,
+                device,
                 auth: { token: this.config.gatewayToken },
                 caps: ['tool-events'],
             },

package/dist/index.d.ts CHANGED Viewed

@@ -10,7 +10,7 @@
  * Spec: specs/multitenant-p2p.md sections 6.1-6.2
  */
 export declare const PLUGIN_ID = "connector";
-export declare const PLUGIN_VERSION = "0.0.1";
+export declare const PLUGIN_VERSION = "0.0.13";
 interface PluginServiceContext {
     stateDir: string;
     logger: {

package/dist/index.js CHANGED Viewed

@@ -19,7 +19,7 @@ import { checkForUpdates, performUpdate } from './updater.js';
 // Inline from shared/api-version.ts to avoid rootDir conflict
 const CURRENT_API_VERSION = 1;
 export const PLUGIN_ID = 'connector';
-export const PLUGIN_VERSION = '0.0.1';
+export const PLUGIN_VERSION = '0.0.13';
 /** Max DataChannel message size (~256KB, leave room for envelope) */
 const MAX_DC_MESSAGE_SIZE = 256 * 1024;
 /** Active DataChannel connections: connectionId → send function */
@@ -147,9 +147,7 @@ async function startShellChat(ctx, api) {
     signaling.on('auth-rejected', (reason) => {
         ctx.logger.error(`Signaling auth rejected: ${reason}`);
     });
-    signaling.on('version-rejected', (current, minimum) => {
-        ctx.logger.error(`Plugin version ${current} rejected, minimum: ${minimum}`);
-    });
+    // version-rejected listener removed — version check is now client-side
     signaling.on('force-update', async (targetVersion) => {
         ctx.logger.info(`Force update to ${targetVersion} requested`);
         try {

package/dist/signaling-client.d.ts CHANGED Viewed

@@ -37,8 +37,7 @@ export declare class SignalingClient extends EventEmitter {
     /**
      * Open the WebSocket connection and perform the gateway-auth handshake.
      * Resolves once the socket is open (not necessarily authenticated yet).
-     * Authentication outcome is signalled via 'connected' / 'auth-rejected' /
-     * 'version-rejected' events.
+     * Authentication outcome is signalled via 'connected' / 'auth-rejected' events.
      */
     connect(): Promise<void>;
     /**

package/dist/signaling-client.js CHANGED Viewed

@@ -63,8 +63,7 @@ export class SignalingClient extends EventEmitter {
     /**
      * Open the WebSocket connection and perform the gateway-auth handshake.
      * Resolves once the socket is open (not necessarily authenticated yet).
-     * Authentication outcome is signalled via 'connected' / 'auth-rejected' /
-     * 'version-rejected' events.
+     * Authentication outcome is signalled via 'connected' / 'auth-rejected' events.
      */
     connect() {
         this.intentionalClose = false;
@@ -198,15 +197,8 @@ export class SignalingClient extends EventEmitter {
                 this.emit('auth-rejected', reason);
                 break;
             }
-            case 'version-rejected': {
-                const current = msg['current'] ?? PLUGIN_VERSION;
-                const minimum = msg['minimum'] ?? '';
-                console.error(`[SignalingClient] Version rejected: current=${current}, minimum=${minimum}`);
-                // Do not reconnect — must upgrade first; auto-update logic is in updater.ts
-                this.intentionalClose = true;
-                this.emit('version-rejected', current, minimum);
-                break;
-            }
+            // version-rejected removed — version compatibility is now checked
+            // client-side via pluginVersion in connect-ready
             case 'ice-offer': {
                 const offer = {
                     connectionId: msg['connectionId'] ?? '',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@clawchatsai/connector",
-  "version": "0.0.11",
+  "version": "0.0.13",
   "type": "module",
   "description": "ShellChat OpenClaw plugin — P2P tunnel + local API bridge",
   "main": "dist/index.js",

package/server.js CHANGED Viewed

@@ -16,6 +16,52 @@ import { WebSocket as WS, WebSocketServer } from 'ws';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+// ─── Device Identity (ed25519 signing for OpenClaw ≥2.15 scope preservation) ─
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+function _derivePublicKeyRaw(publicKeyPem) {
+  const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
+  if (spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+      spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+    return spki.subarray(ED25519_SPKI_PREFIX.length);
+  }
+  return spki;
+}
+function _fingerprintPublicKey(publicKeyPem) {
+  return crypto.createHash('sha256').update(_derivePublicKeyRaw(publicKeyPem)).digest('hex');
+}
+function _base64UrlEncode(buf) {
+  return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+function _loadOrCreateDeviceIdentity(identityPath) {
+  try {
+    if (fs.existsSync(identityPath)) {
+      const parsed = JSON.parse(fs.readFileSync(identityPath, 'utf8'));
+      if (parsed?.version === 1 && parsed.deviceId && parsed.publicKeyPem && parsed.privateKeyPem) return parsed;
+    }
+  } catch { /* regenerate */ }
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+  const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+  const identity = { version: 1, deviceId: _fingerprintPublicKey(publicKeyPem), publicKeyPem, privateKeyPem, createdAtMs: Date.now() };
+  fs.mkdirSync(path.dirname(identityPath), { recursive: true });
+  fs.writeFileSync(identityPath, JSON.stringify(identity, null, 2) + '\n', { mode: 0o600 });
+  return identity;
+}
+function _buildDeviceAuth(identity, { clientId, clientMode, role, scopes, token, nonce }) {
+  const signedAt = Date.now();
+  const payload = ['v2', identity.deviceId, clientId, clientMode, role, scopes.join(','), String(signedAt), token || '', nonce].join('|');
+  const privateKey = crypto.createPrivateKey(identity.privateKeyPem);
+  const signature = _base64UrlEncode(crypto.sign(null, Buffer.from(payload, 'utf8'), privateKey));
+  const publicKeyB64Url = _base64UrlEncode(_derivePublicKeyRaw(identity.publicKeyPem));
+  return { id: identity.deviceId, publicKey: publicKeyB64Url, signature, signedAt, nonce };
+}
 // ─── Configuration ──────────────────────────────────────────────────────────
 const PORT = parseInt(process.env.SHELLCHAT_PORT || '3001', 10);
@@ -2233,6 +2279,13 @@ class GatewayClient {
     // Handle connect.challenge (handshake)
     if (msg.type === 'event' && msg.event === 'connect.challenge') {
       console.log('Received connect.challenge, sending auth...');
+      const nonce = msg.payload?.nonce || '';
+      const identityPath = path.join(DATA_DIR, 'device-identity.json');
+      const identity = _loadOrCreateDeviceIdentity(identityPath);
+      const device = _buildDeviceAuth(identity, {
+        clientId: 'gateway-client', clientMode: 'backend', role: 'operator',
+        scopes: ['operator.read', 'operator.write', 'operator.admin'], token: AUTH_TOKEN, nonce
+      });
       this.ws.send(JSON.stringify({
         type: 'req',
         id: 'gw-connect-1',
@@ -2243,6 +2296,7 @@ class GatewayClient {
           client: { id: 'gateway-client', version: '0.1.0', platform: 'node', mode: 'backend' },
           role: 'operator',
           scopes: ['operator.read', 'operator.write', 'operator.admin'],
+          device,
           auth: { token: AUTH_TOKEN },
           caps: ['tool-events']
         }
@@ -3567,7 +3621,14 @@ export function createApp(config = {}) {
       try { msg = JSON.parse(data); } catch { console.error('Invalid JSON from gateway:', data); return; }
       if (msg.type === 'event' && msg.event === 'connect.challenge') {
         console.log('Received connect.challenge, sending auth...');
-        this.ws.send(JSON.stringify({ type: 'req', id: 'gw-connect-1', method: 'connect', params: { minProtocol: 3, maxProtocol: 3, client: { id: 'gateway-client', version: '0.1.0', platform: 'node', mode: 'backend' }, role: 'operator', scopes: ['operator.read', 'operator.write', 'operator.admin'], auth: { token: _GATEWAY_TOKEN }, caps: ['tool-events'] } }));
+        const _nonce = msg.payload?.nonce || '';
+        const _identityPath = path.join(_DATA_DIR, 'device-identity.json');
+        const _identity = _loadOrCreateDeviceIdentity(_identityPath);
+        const _device = _buildDeviceAuth(_identity, {
+          clientId: 'gateway-client', clientMode: 'backend', role: 'operator',
+          scopes: ['operator.read', 'operator.write', 'operator.admin'], token: _GATEWAY_TOKEN, nonce: _nonce
+        });
+        this.ws.send(JSON.stringify({ type: 'req', id: 'gw-connect-1', method: 'connect', params: { minProtocol: 3, maxProtocol: 3, client: { id: 'gateway-client', version: '0.1.0', platform: 'node', mode: 'backend' }, role: 'operator', scopes: ['operator.read', 'operator.write', 'operator.admin'], device: _device, auth: { token: _GATEWAY_TOKEN }, caps: ['tool-events'] } }));
         return;
       }
       if (msg.type === 'res' && msg.payload?.type === 'hello-ok') { console.log('Gateway handshake complete'); this.connected = true; this.broadcastGatewayStatus(true); }