@clawcrony/claw-crony 1.2.3 → 1.2.4

package/README.md

@@ -8,9 +8,10 @@ OpenClaw A2A v0.3.0 Gateway - Auto-discovery and secure communication between Op
 ## Key Features
 
 - **A2A Protocol v0.3.0** - JSON-RPC / REST / gRPC with automatic fallback
-- **Hub Matchmaking** - Auto-match peer Agents by skills with token exchange
+- **Hub Matchmaking** - Auto-match peer Agents by skills with encrypted handshake relay
 - **Smart Routing** - Auto-select targets by message patterns, tags, or peer skills
 - **Secure Auth** - Bearer Token + zero-downtime multi-token rotation
+- **Private Hub Identity** - Register with `client_id + public_key` instead of publishing long-lived connection secrets
 - **Resilience** - Health checks + exponential backoff + circuit breaker
 - **File Transfer** - URI / base64 / MIME whitelist + SSRF protection
 - **Observability** - JSONL audit logs + Telemetry metrics endpoint
@@ -19,15 +20,16 @@ OpenClaw A2A v0.3.0 Gateway - Auto-discovery and secure communication between Op
 
 Default Hub: `https://www.clawcrony.com`
 
-After installation, the plugin auto-registers with the Hub (requires `registrationEnabled: true`). Once registered, use the `a2a_match_request` tool to send a matchmaking request, and the Hub will return a matched peer Agent address together with the tokens needed for the current session.
+After installation, the plugin auto-registers with the Hub (requires `registrationEnabled: true`). Registration now uses a local `client_id + public_key` identity pair stored under `~/.openclaw`.
+
+Once registered, use the `a2a_match_request` tool to send a matchmaking request. The Hub matches a peer by skills, then relays encrypted handshake messages between the two plugins. The handshake returns temporary A2A connection details for the current session without requiring the Hub to persist peer `IP/port/token` in plaintext.
 
 After the user signs in to the Hub web dashboard, they can currently see:
 
-- Their own Agent profile, address, and normalized skill tags
+- Their own Agent profile, public identity, and normalized skill tags
 - A match timeline for requests created by this Agent
 - Per-request request summary, required skills, and current status
-- Matched result details including provider name, provider address, and update time
-- Whether requester/provider tokens have already been submitted for the match
+- Matched result details including peer name, handshake state, and update time
 
 A2A service port: **18800** (default)
 
@@ -71,8 +73,8 @@ Send a matchmaking request to the Hub, which automatically finds registered Agen
 # Agent calls a2a_match_request tool with params:
 # { skills: ["chat"], description?: "optional description" }
 #
-# Returns: provider address + yourToken + peerToken
-# Both sides configure each other as peers using the returned tokens to communicate
+# Returns: temporary peer address + temporary inbound token from encrypted handshake
+# Both sides then communicate directly over A2A without the Hub relaying task payloads
 ```
 
 For detailed configuration steps, see [CONFIG.md](CONFIG.md).

package/dist/index.js

@@ -5,6 +5,7 @@
  * - /a2a/rest                 (REST transport)
  * - gRPC on port+1            (gRPC transport)
  */
+import crypto from "node:crypto";
 import os from "node:os";
 import path from "node:path";
 import { AGENT_CARD_PATH } from "@a2a-js/sdk";
@@ -26,6 +27,9 @@ import { runHubRegistration } from "./src/hub-registration.js";
 import { HubMatchClient } from "./src/hub-match.js";
 import { normalizeAgentCardSkills } from "./src/skill-catalog.js";
 import { parseRoutingRules, matchRule } from "./src/routing-rules.js";
+import { decryptHandshake, encryptHandshake } from "./src/handshake-crypto.js";
+import { issueEphemeralInboundToken } from "./src/ephemeral-token.js";
+import { loadIdentity } from "./src/identity-store.js";
 import { validateUri, validateMimeType, } from "./src/file-security.js";
 /** Build a JSON-RPC error response. */
 function jsonRpcError(id, code, message) {
@@ -212,6 +216,7 @@ export function parseConfig(raw, resolvePath) {
             username: asString(registration.username, ""),
             email: asString(registration.email, ""),
             password: asString(registration.password, ""),
+            clientId: asString(registration.clientId, ""),
         },
     };
 }
@@ -221,16 +226,51 @@ function normalizeCardPath() {
     }
     return `/${AGENT_CARD_PATH}`;
 }
-function getAdvertisedInboundToken(config, hubClient) {
-    if (config.security.tokens && config.security.tokens.length > 0) {
-        return config.security.tokens[0] ?? null;
+function getAdvertisedAddress(config) {
+    if (config.agentCard.url) {
+        try {
+            const url = new URL(config.agentCard.url);
+            return `${url.hostname}:${url.port || (url.protocol === "https:" ? "443" : "80")}`;
+        }
+        catch {
+            // Ignore invalid configured URL and fall back below.
+        }
     }
-    if (config.security.token) {
-        return config.security.token;
+    if (config.server.host && config.server.port) {
+        return `${config.server.host}:${config.server.port}`;
     }
-    return hubClient?.registrationToken ?? null;
+    return null;
 }
-async function processPendingHubMatches(api, config, processedMatches) {
+function upsertEphemeralPeer(config, peerName, address, token) {
+    const normalizedAddress = address.startsWith("http://") || address.startsWith("https://")
+        ? address
+        : `http://${address}`;
+    const agentCardUrl = `${normalizedAddress}/.well-known/agent.json`;
+    const existing = config.peers.find((peer) => peer.name === peerName);
+    if (existing) {
+        existing.agentCardUrl = agentCardUrl;
+        existing.auth = { type: "bearer", token };
+        return;
+    }
+    config.peers.push({
+        name: peerName,
+        agentCardUrl,
+        auth: { type: "bearer", token },
+    });
+}
+async function waitForHandshakeAnswer(hubClient, matchId, timeoutMs = 45_000) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        const pending = await hubClient.getPendingHandshakeMessages(matchId);
+        const answer = pending.find((message) => message.messageType === "answer");
+        if (answer) {
+            return answer;
+        }
+        await new Promise((resolve) => setTimeout(resolve, 1_500));
+    }
+    throw new Error(`Timed out waiting for handshake answer for match ${matchId}`);
+}
+async function processPendingHubMatches(api, config, processedMessages) {
     let hubClient;
     try {
         hubClient = await HubMatchClient.create();
@@ -239,9 +279,9 @@ async function processPendingHubMatches(api, config, processedMatches) {
         api.logger.warn(`claw-crony: pending match polling skipped - ${err instanceof Error ? err.message : String(err)}`);
         return;
     }
-    const inboundToken = getAdvertisedInboundToken(config, hubClient);
-    if (!inboundToken) {
-        api.logger.warn("claw-crony: pending match polling skipped - no inbound token available");
+    const identity = loadIdentity();
+    if (!identity) {
+        api.logger.warn("claw-crony: pending match polling skipped - no local identity available");
         return;
     }
     let matches;
@@ -257,17 +297,56 @@ async function processPendingHubMatches(api, config, processedMatches) {
             continue;
         }
         try {
-            const alreadySubmitted = match.providerTokenSubmitted === true || processedMatches.has(match.id);
-            let currentMatch = match;
-            if (!alreadySubmitted) {
-                currentMatch = await hubClient.submitToken(match.id, inboundToken);
-                processedMatches.add(match.id);
-                api.logger.info(`claw-crony: submitted provider token for hub match ${match.id}`);
-            }
-            if (currentMatch.readyForComplete === true && currentMatch.status === "token_exchange") {
-                await hubClient.completeMatch(match.id, inboundToken);
-                processedMatches.delete(match.id);
-                api.logger.info(`claw-crony: completed hub match ${match.id}`);
+            const pendingMessages = await hubClient.getPendingHandshakeMessages(match.id);
+            for (const message of pendingMessages) {
+                if (processedMessages.has(message.id)) {
+                    continue;
+                }
+                const decrypted = decryptHandshake(message.ciphertext, identity);
+                await hubClient.consumeHandshakeMessage(match.id, message.id);
+                processedMessages.add(message.id);
+                const remoteName = match.callerRole === "provider"
+                    ? (match.requester?.name ?? `agent-${decrypted.fromAgentId}`)
+                    : (match.provider?.name ?? `agent-${decrypted.fromAgentId}`);
+                upsertEphemeralPeer(config, remoteName, decrypted.address, decrypted.token);
+                if (message.messageType === "offer" && match.callerRole === "provider") {
+                    const localAddress = getAdvertisedAddress(config);
+                    if (!localAddress) {
+                        api.logger.warn(`claw-crony: cannot answer match ${match.id} because no advertised address is configured`);
+                        continue;
+                    }
+                    const issued = issueEphemeralInboundToken(config, match.id, decrypted.fromAgentId);
+                    const payload = {
+                        version: 1,
+                        matchId: match.id,
+                        sessionId: crypto.randomUUID(),
+                        fromAgentId: hubClient.agentId,
+                        toAgentId: decrypted.fromAgentId,
+                        address: localAddress,
+                        agentCardPath: "/.well-known/agent.json",
+                        token: issued.token,
+                        tokenExpiresAt: issued.expiresAt,
+                        protocols: ["jsonrpc", "rest", "grpc"],
+                        createdAt: new Date().toISOString(),
+                        nonce: crypto.randomBytes(12).toString("hex"),
+                    };
+                    const peerPublicKey = match.requester?.publicKey;
+                    if (!peerPublicKey) {
+                        api.logger.warn(`claw-crony: cannot answer match ${match.id} because requester public key is missing`);
+                        continue;
+                    }
+                    await hubClient.sendHandshakeMessage(match.id, {
+                        messageType: "answer",
+                        ciphertext: encryptHandshake(payload, peerPublicKey),
+                        expiresAt: issued.expiresAt,
+                    });
+                    await hubClient.markReady(match.id);
+                    api.logger.info(`claw-crony: answered encrypted handshake for match ${match.id}`);
+                }
+                else if (message.messageType === "answer") {
+                    await hubClient.markReady(match.id);
+                    api.logger.info(`claw-crony: received encrypted handshake answer for match ${match.id}`);
+                }
             }
         }
         catch (err) {
@@ -397,7 +476,7 @@ const plugin = {
         let cleanupTimer = null;
         let hubMatchPollingTimer = null;
         const grpcPort = config.server.port + 1;
-        const processedHubMatches = new Set();
+        const processedHubMessages = new Set();
         api.registerGatewayMethod("a2a.metrics", ({ respond }) => {
             respond(true, {
                 metrics: telemetry.snapshot(),
@@ -563,14 +642,13 @@ const plugin = {
             });
             // ------------------------------------------------------------------
             // Agent tool: a2a_match_request
-            // Creates a match request on the hub and submits this agent's token.
-            // Returns provider address + yourToken + peerToken for A2A communication.
+            // Creates a match request on the hub and performs encrypted connection-info handshake.
             // ------------------------------------------------------------------
             api.registerTool({
                 name: "a2a_match_request",
                 description: "Request a match with another agent via the hub. " +
                     "The hub finds a provider agent with matching skills, creates a match record, " +
-                    "and returns the provider's address along with tokens for secure A2A communication. " +
+                    "and relays encrypted handshake messages so both agents can exchange temporary A2A connection details. " +
                     "Use this to discover and connect with peer agents through the hub's registry.",
                 label: "A2A Match Request",
                 parameters: {
@@ -589,9 +667,9 @@ const plugin = {
                     },
                 },
                 async execute(toolCallId, params) {
-                    let client;
+                    let hubClient;
                     try {
-                        client = await HubMatchClient.create();
+                        hubClient = await HubMatchClient.create();
                     }
                     catch (err) {
                         const msg = err instanceof Error ? err.message : String(err);
@@ -600,12 +678,25 @@ const plugin = {
                             details: { ok: false, error: msg },
                         };
                     }
+                    const identity = loadIdentity();
+                    if (!identity) {
+                        return {
+                            content: [{ type: "text", text: "No local identity found. Restart the plugin and try again." }],
+                            details: { ok: false, error: "identity_missing" },
+                        };
+                    }
+                    const localAddress = getAdvertisedAddress(config);
+                    if (!localAddress) {
+                        return {
+                            content: [{ type: "text", text: "No advertised address is configured for this agent." }],
+                            details: { ok: false, error: "address_missing" },
+                        };
+                    }
                     let match;
                     try {
-                        match = await client.createMatch({
+                        match = await hubClient.createMatch({
                             skills: params.skills,
                             description: params.description,
-                            token: getAdvertisedInboundToken(config, client) ?? client.registrationToken,
                         });
                     }
                     catch (err) {
@@ -615,38 +706,84 @@ const plugin = {
                             details: { ok: false, error: msg },
                         };
                     }
-                    // Submit our token
-                    let updatedMatch;
+                    const provider = match.provider;
+                    const providerPublicKey = provider?.publicKey;
+                    if (!provider || !providerPublicKey) {
+                        return {
+                            content: [{ type: "text", text: `Match created (id=${match.id}) but provider public key is missing` }],
+                            details: { ok: false, matchId: match.id, error: "provider_public_key_missing" },
+                        };
+                    }
+                    const issued = issueEphemeralInboundToken(config, match.id, provider.id);
+                    const localPayload = {
+                        version: 1,
+                        matchId: match.id,
+                        sessionId: crypto.randomUUID(),
+                        fromAgentId: hubClient.agentId,
+                        toAgentId: provider.id,
+                        address: localAddress,
+                        agentCardPath: "/.well-known/agent.json",
+                        token: issued.token,
+                        tokenExpiresAt: issued.expiresAt,
+                        protocols: ["jsonrpc", "rest", "grpc"],
+                        createdAt: new Date().toISOString(),
+                        nonce: crypto.randomBytes(12).toString("hex"),
+                    };
+                    try {
+                        await hubClient.sendHandshakeMessage(match.id, {
+                            messageType: "offer",
+                            ciphertext: encryptHandshake(localPayload, providerPublicKey),
+                            expiresAt: issued.expiresAt,
+                        });
+                    }
+                    catch (err) {
+                        const msg = err instanceof Error ? err.message : String(err);
+                        return {
+                            content: [{ type: "text", text: `Match created (id=${match.id}) but failed to send encrypted handshake offer: ${msg}` }],
+                            details: { ok: false, matchId: match.id, error: msg },
+                        };
+                    }
+                    let answer;
+                    try {
+                        answer = await waitForHandshakeAnswer(hubClient, match.id);
+                    }
+                    catch (err) {
+                        const msg = err instanceof Error ? err.message : String(err);
+                        return {
+                            content: [{ type: "text", text: `Encrypted handshake offer sent for match ${match.id}, but waiting for answer failed: ${msg}` }],
+                            details: { ok: false, matchId: match.id, error: msg },
+                        };
+                    }
+                    let remotePayload;
                     try {
-                        updatedMatch = await client.submitToken(match.id, getAdvertisedInboundToken(config, client) ?? client.registrationToken);
+                        remotePayload = decryptHandshake(answer.ciphertext, identity);
+                        await hubClient.consumeHandshakeMessage(match.id, answer.id);
+                        upsertEphemeralPeer(config, provider.name, remotePayload.address, remotePayload.token);
+                        await hubClient.markReady(match.id);
                     }
                     catch (err) {
                         const msg = err instanceof Error ? err.message : String(err);
                         return {
-                            content: [{ type: "text", text: `Match created (id=${match.id}) but failed to submit token: ${msg}` }],
+                            content: [{ type: "text", text: `Encrypted handshake answer received for match ${match.id}, but processing failed: ${msg}` }],
                             details: { ok: false, matchId: match.id, error: msg },
                         };
                     }
-                    const provider = updatedMatch.provider;
-                    const providerAddress = provider?.address ?? "(unknown)";
-                    const providerAccessToken = updatedMatch.yourToken ?? "(none)";
-                    const requesterInboundToken = updatedMatch.peerToken ?? "(none)";
-                    const status = updatedMatch.status;
                     return {
                         content: [{
                                 type: "text",
-                                text: `Match ${status}: id=${updatedMatch.id}\n` +
-                                    `Provider: ${provider?.name ?? "(unknown)"} at ${providerAddress}\n` +
-                                    `Provider access token (use to contact provider): ${providerAccessToken}\n` +
-                                    `Requester inbound token (provider uses this to contact you): ${requesterInboundToken}`,
+                                text: `Encrypted handshake ready: match=${match.id}\n` +
+                                    `Provider: ${provider.name}\n` +
+                                    `Address: ${remotePayload.address}\n` +
+                                    `Temporary token: ${remotePayload.token}\n` +
+                                    `Token expires at: ${remotePayload.tokenExpiresAt}`,
                             }],
                         details: {
                             ok: true,
-                            matchId: updatedMatch.id,
-                            status: updatedMatch.status,
-                            providerAddress,
-                            yourToken: providerAccessToken,
-                            peerToken: requesterInboundToken,
+                            matchId: match.id,
+                            status: "ready_to_connect",
+                            providerAddress: remotePayload.address,
+                            peerToken: remotePayload.token,
+                            tokenExpiresAt: remotePayload.tokenExpiresAt,
                         },
                     };
                 },
@@ -668,6 +805,13 @@ const plugin = {
                         const reg = await runHubRegistration(api, config, config.hub, config.registration ?? {});
                         if (reg) {
                             api.logger.info(`claw-crony: registered with hub (agentId=${reg.agentId})`);
+                            try {
+                                const hubClient = await HubMatchClient.create();
+                                await hubClient.updatePresence("online");
+                            }
+                            catch (presenceErr) {
+                                api.logger.warn(`claw-crony: failed to update hub presence - ${presenceErr instanceof Error ? presenceErr.message : String(presenceErr)}`);
+                            }
                         }
                     }
                     catch (err) {
@@ -742,7 +886,7 @@ const plugin = {
                 if (config.hub?.enabled !== false) {
                     const pollingIntervalMs = Math.max(5_000, config.resilience.healthCheck.intervalMs);
                     const pollHubMatches = () => {
-                        void processPendingHubMatches(api, config, processedHubMatches);
+                        void processPendingHubMatches(api, config, processedHubMessages);
                     };
                     pollHubMatches();
                     hubMatchPollingTimer = setInterval(pollHubMatches, pollingIntervalMs);
@@ -754,6 +898,15 @@ const plugin = {
                 // Stop peer health checks
                 healthManager?.stop();
                 auditLogger.close();
+                if (config.hub?.enabled !== false) {
+                    try {
+                        const hubClient = await HubMatchClient.create();
+                        await hubClient.updatePresence("offline");
+                    }
+                    catch {
+                        // Ignore best-effort presence shutdown failure.
+                    }
+                }
                 // Stop task cleanup timer
                 if (cleanupTimer) {
                     clearInterval(cleanupTimer);

package/dist/src/ephemeral-token.d.ts

@@ -0,0 +1,5 @@
+import type { GatewayConfig } from "./types.js";
+export declare function issueEphemeralInboundToken(config: GatewayConfig, matchId: number, peerAgentId: number, ttlMs?: number): {
+    token: string;
+    expiresAt: string;
+};

package/dist/src/ephemeral-token.js

@@ -0,0 +1,12 @@
+import crypto from "node:crypto";
+export function issueEphemeralInboundToken(config, matchId, peerAgentId, ttlMs = 5 * 60_000) {
+    const token = `match-${matchId}-peer-${peerAgentId}-${crypto.randomBytes(18).toString("hex")}`;
+    config.security.validTokens.add(token);
+    setTimeout(() => {
+        config.security.validTokens.delete(token);
+    }, ttlMs).unref?.();
+    return {
+        token,
+        expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+    };
+}

package/dist/src/handshake-crypto.d.ts

@@ -0,0 +1,3 @@
+import type { HandshakePayload, IdentityData } from "./types.js";
+export declare function encryptHandshake(payload: HandshakePayload, recipientPublicKeyPem: string): string;
+export declare function decryptHandshake(ciphertext: string, identity: IdentityData): HandshakePayload;

package/dist/src/handshake-crypto.js

@@ -0,0 +1,58 @@
+import crypto from "node:crypto";
+function toBase64(value) {
+    return Buffer.from(value instanceof Buffer ? value : new Uint8Array(value)).toString("base64");
+}
+function fromBase64(value) {
+    return Buffer.from(value, "base64");
+}
+function exportPublicPem(key) {
+    return key.export({ format: "pem", type: "spki" }).toString();
+}
+function hkdf(secret, salt, info) {
+    return Buffer.from(crypto.hkdfSync("sha256", secret, salt, Buffer.from(info, "utf-8"), 32));
+}
+const HANDSHAKE_INFO = "claw-crony:handshake:v1";
+export function encryptHandshake(payload, recipientPublicKeyPem) {
+    const recipientPublicKey = crypto.createPublicKey(recipientPublicKeyPem);
+    const ephemeral = crypto.generateKeyPairSync("x25519");
+    const sharedSecret = crypto.diffieHellman({
+        privateKey: ephemeral.privateKey,
+        publicKey: recipientPublicKey,
+    });
+    const iv = crypto.randomBytes(12);
+    const key = hkdf(sharedSecret, iv, HANDSHAKE_INFO);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const plaintext = Buffer.from(JSON.stringify(payload), "utf-8");
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const encrypted = {
+        version: 1,
+        algorithm: "x25519-aes-256-gcm",
+        senderPublicKey: exportPublicPem(ephemeral.publicKey),
+        iv: toBase64(iv),
+        ciphertext: toBase64(ciphertext),
+        authTag: toBase64(authTag),
+    };
+    return JSON.stringify(encrypted);
+}
+export function decryptHandshake(ciphertext, identity) {
+    const envelope = JSON.parse(ciphertext);
+    if (envelope.algorithm !== "x25519-aes-256-gcm") {
+        throw new Error(`Unsupported handshake algorithm: ${envelope.algorithm}`);
+    }
+    const privateKey = crypto.createPrivateKey(identity.privateKey);
+    const senderPublicKey = crypto.createPublicKey(envelope.senderPublicKey);
+    const iv = fromBase64(envelope.iv);
+    const sharedSecret = crypto.diffieHellman({
+        privateKey,
+        publicKey: senderPublicKey,
+    });
+    const key = hkdf(sharedSecret, iv, HANDSHAKE_INFO);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(fromBase64(envelope.authTag));
+    const plaintext = Buffer.concat([
+        decipher.update(fromBase64(envelope.ciphertext)),
+        decipher.final(),
+    ]);
+    return JSON.parse(plaintext.toString("utf-8"));
+}

package/dist/src/hub-match.d.ts

@@ -1,20 +1,14 @@
 /**
- * Hub Match API client for openclaw-claw-crony.
- *
- * Provides a typed client for the hub's /api/matches endpoints:
- * - POST   /api/matches              createMatch
- * - GET    /api/matches/{id}         getMatch
- * - GET    /api/matches/pending       getPendingMatches
- * - POST   /api/matches/{id}/token   submitToken
- * - POST   /api/matches/{id}/complete completeMatch
- * - POST   /api/matches/{id}/cancel  cancelMatch
+ * Hub Match API client for claw-crony.
  */
 import type { HubRegistrationData } from "./types.js";
 export interface HubAgentDto {
     id: number;
     name: string;
-    address: string;
     skills: string[];
+    clientId?: string;
+    publicKey?: string;
+    presenceStatus?: string;
 }
 export interface HubMatchResult {
     id: number;
@@ -22,58 +16,53 @@ export interface HubMatchResult {
     status: string;
     requester: HubAgentDto | null;
     provider: HubAgentDto | null;
-    yourToken: string | null;
-    peerToken: string | null;
+    yourToken?: string | null;
+    peerToken?: string | null;
     callerRole?: "requester" | "provider" | "observer" | null;
     requesterTokenSubmitted?: boolean;
     providerTokenSubmitted?: boolean;
     readyForComplete?: boolean;
+    requesterHandshakeSent?: boolean;
+    providerHandshakeSent?: boolean;
+    requesterHandshakeConsumed?: boolean;
+    providerHandshakeConsumed?: boolean;
+    requesterReady?: boolean;
+    providerReady?: boolean;
+    readyForConnect?: boolean;
+}
+export interface HubHandshakeMessage {
+    id: number;
+    senderAgentId: number;
+    receiverAgentId: number;
+    messageType: "offer" | "answer";
+    ciphertext: string;
+    status: string;
+    expiresAt: string;
+    createdAt?: string;
+    consumedAt?: string | null;
 }
 export declare class HubMatchClient {
     private readonly hubUrl;
     private readonly registration;
     constructor(hubUrl: string, registration: HubRegistrationData);
     get agentId(): number;
-    get registrationToken(): string;
     static create(): Promise<HubMatchClient>;
     private request;
-    /**
-     * Create a new match request.
-     * @param params.skills - Skills to search for in a provider
-     * @param params.description - Optional description of the match request
-     * @param params.token - Optional bearer token to include for this agent
-     */
     createMatch(params: {
         skills: string[];
         description?: string;
-        token?: string;
     }): Promise<HubMatchResult>;
-    /**
-     * Get a match result by ID.
-     * @param matchId - The match ID
-     * @param callerId - Optional agent ID to set callerId query param (affects yourToken)
-     */
     getMatch(matchId: number, callerId?: number): Promise<HubMatchResult>;
-    /**
-     * Get all pending matches for this agent.
-     */
     getPendingMatches(): Promise<HubMatchResult[]>;
-    /**
-     * Submit this agent's token for a match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token
-     */
-    submitToken(matchId: number, token: string): Promise<HubMatchResult>;
-    /**
-     * Mark a match as completed (both parties have submitted tokens).
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    completeMatch(matchId: number, token: string): Promise<HubMatchResult>;
-    /**
-     * Cancel a pending or token_exchange match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    cancelMatch(matchId: number, token: string): Promise<HubMatchResult>;
+    updatePresence(presenceStatus: "online" | "offline" | "busy", clientVersion?: string): Promise<HubAgentDto>;
+    sendHandshakeMessage(matchId: number, params: {
+        messageType: "offer" | "answer";
+        ciphertext: string;
+        expiresAt: string;
+    }): Promise<HubHandshakeMessage>;
+    getPendingHandshakeMessages(matchId: number): Promise<HubHandshakeMessage[]>;
+    consumeHandshakeMessage(matchId: number, messageId: number): Promise<HubHandshakeMessage>;
+    markReady(matchId: number): Promise<HubMatchResult>;
+    completeMatch(matchId: number): Promise<HubMatchResult>;
+    cancelMatch(matchId: number): Promise<HubMatchResult>;
 }

package/dist/src/hub-match.js

@@ -1,18 +1,7 @@
 /**
- * Hub Match API client for openclaw-claw-crony.
- *
- * Provides a typed client for the hub's /api/matches endpoints:
- * - POST   /api/matches              createMatch
- * - GET    /api/matches/{id}         getMatch
- * - GET    /api/matches/pending       getPendingMatches
- * - POST   /api/matches/{id}/token   submitToken
- * - POST   /api/matches/{id}/complete completeMatch
- * - POST   /api/matches/{id}/cancel  cancelMatch
+ * Hub Match API client for claw-crony.
  */
 import { loadRegistration } from "./hub-registration.js";
-// ---------------------------------------------------------------------------
-// HubMatchClient
-// ---------------------------------------------------------------------------
 export class HubMatchClient {
     hubUrl;
     registration;
@@ -23,16 +12,12 @@ export class HubMatchClient {
     get agentId() {
         return this.registration.agentId;
     }
-    get registrationToken() {
-        return this.registration.token;
-    }
     static async create() {
         const registration = loadRegistration();
         if (!registration) {
             throw new Error("No hub registration found. Run the gateway first to register with the hub.");
         }
-        const configUrl = registration.hubUrl;
-        return new HubMatchClient(configUrl, registration);
+        return new HubMatchClient(registration.hubUrl, registration);
     }
     async request(path, options = {}) {
         const url = `${this.hubUrl}${path}`;
@@ -40,7 +25,6 @@ export class HubMatchClient {
             ...options,
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${this.registration.token}`,
                 ...(options.headers ?? {}),
             },
         });
@@ -50,12 +34,6 @@ export class HubMatchClient {
         }
         return res.json();
     }
-    /**
-     * Create a new match request.
-     * @param params.skills - Skills to search for in a provider
-     * @param params.description - Optional description of the match request
-     * @param params.token - Optional bearer token to include for this agent
-     */
     async createMatch(params) {
         return this.request("/api/matches", {
             method: "POST",
@@ -63,45 +41,57 @@ export class HubMatchClient {
                 agentId: this.registration.agentId,
                 requiredSkills: params.skills,
                 description: params.description ?? "",
-                token: params.token,
             }),
         });
     }
-    /**
-     * Get a match result by ID.
-     * @param matchId - The match ID
-     * @param callerId - Optional agent ID to set callerId query param (affects yourToken)
-     */
     async getMatch(matchId, callerId) {
         const path = callerId != null ? `/api/matches/${matchId}?callerId=${callerId}` : `/api/matches/${matchId}`;
         return this.request(path);
     }
-    /**
-     * Get all pending matches for this agent.
-     */
     async getPendingMatches() {
         return this.request(`/api/matches/pending?agentId=${this.registration.agentId}`);
     }
-    /**
-     * Submit this agent's token for a match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token
-     */
-    async submitToken(matchId, token) {
-        return this.request(`/api/matches/${matchId}/token`, {
+    async updatePresence(presenceStatus, clientVersion = "claw-crony/1.2.4") {
+        return this.request(`/api/agents/${this.registration.agentId}/presence`, {
+            method: "PUT",
+            body: JSON.stringify({
+                presenceStatus,
+                clientVersion,
+            }),
+        });
+    }
+    async sendHandshakeMessage(matchId, params) {
+        return this.request(`/api/matches/${matchId}/handshake`, {
+            method: "POST",
+            body: JSON.stringify({
+                agentId: this.registration.agentId,
+                messageType: params.messageType,
+                ciphertext: params.ciphertext,
+                expiresAt: params.expiresAt,
+            }),
+        });
+    }
+    async getPendingHandshakeMessages(matchId) {
+        const result = await this.request(`/api/matches/${matchId}/handshake/pending?agentId=${this.registration.agentId}`);
+        return result.messages ?? [];
+    }
+    async consumeHandshakeMessage(matchId, messageId) {
+        return this.request(`/api/matches/${matchId}/handshake/${messageId}/consume`, {
+            method: "POST",
+            body: JSON.stringify({
+                agentId: this.registration.agentId,
+            }),
+        });
+    }
+    async markReady(matchId) {
+        return this.request(`/api/matches/${matchId}/ready`, {
             method: "POST",
             body: JSON.stringify({
                 agentId: this.registration.agentId,
-                token,
             }),
         });
     }
-    /**
-     * Mark a match as completed (both parties have submitted tokens).
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    async completeMatch(matchId, token) {
+    async completeMatch(matchId) {
         return this.request(`/api/matches/${matchId}/complete`, {
             method: "POST",
             body: JSON.stringify({
@@ -109,12 +99,7 @@ export class HubMatchClient {
             }),
         });
     }
-    /**
-     * Cancel a pending or token_exchange match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    async cancelMatch(matchId, token) {
+    async cancelMatch(matchId) {
         return this.request(`/api/matches/${matchId}/cancel`, {
             method: "POST",
             body: JSON.stringify({

package/dist/src/hub-registration.d.ts

@@ -1,8 +1,8 @@
 /**
- * Hub registration module for openclaw-claw-crony.
+ * Hub registration module for claw-crony.
  *
- * Handles automatic registration of the gateway with the hub server on first startup,
- * token generation, and idempotent re-registration.
+ * Registers the local plugin with the hub using client_id + public_key
+ * and persists the resulting agent binding locally.
  */
 import type { GatewayConfig, HubConfig, HubRegistrationData, OpenClawPluginApi, RegistrationConfig } from "./types.js";
 export declare function loadRegistration(configDir?: string): HubRegistrationData | null;
@@ -13,11 +13,4 @@ export interface HubRegistration {
     address: string;
     name: string;
 }
-/**
- * Run the full hub registration flow:
- * 1. Load existing registration (if any)
- * 2. Validate existing token with hub
- * 3. If no valid registration, create new one (handling 409 conflicts)
- * 4. Save registration file atomically
- */
 export declare function runHubRegistration(api: OpenClawPluginApi, config: GatewayConfig, hubConfig: HubConfig, registrationConfig: RegistrationConfig): Promise<HubRegistration | null>;

package/dist/src/hub-registration.js

@@ -1,22 +1,13 @@
 /**
- * Hub registration module for openclaw-claw-crony.
+ * Hub registration module for claw-crony.
  *
- * Handles automatic registration of the gateway with the hub server on first startup,
- * token generation, and idempotent re-registration.
+ * Registers the local plugin with the hub using client_id + public_key
+ * and persists the resulting agent binding locally.
  */
-import crypto from "node:crypto";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-// ---------------------------------------------------------------------------
-// Token generation
-// ---------------------------------------------------------------------------
-function generateToken() {
-    return crypto.randomBytes(32).toString("hex");
-}
-// ---------------------------------------------------------------------------
-// Registration file path & I/O
-// ---------------------------------------------------------------------------
+import { loadOrCreateIdentity } from "./identity-store.js";
 const REGISTRATION_FILENAME = "a2a-registration.json";
 function getRegistrationPath(configDir) {
     return path.join(configDir, REGISTRATION_FILENAME);
@@ -48,7 +39,6 @@ async function registerHubUser(hubUrl, agentId, username, password) {
         body: JSON.stringify({ agentId, username, password }),
     });
     if (res.status === 409) {
-        // Already registered — this is fine, idempotent
         return;
     }
     if (!res.ok) {
@@ -63,18 +53,14 @@ async function registerWithHub(hubUrl, payload) {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(payload),
     });
-    if (res.status === 409) {
-        const err = await res.json().catch(() => ({}));
-        throw Object.assign(new Error("Agent address already registered"), { status: 409, body: err });
-    }
     if (!res.ok) {
         const err = await res.json().catch(() => ({}));
         throw Object.assign(new Error(`Hub rejected registration: ${JSON.stringify(err)}`), { status: res.status });
     }
     return res.json();
 }
-async function lookupAgentByAddress(hubUrl, address) {
-    const url = `${hubUrl.replace(/\/$/, "")}/api/agents?address=${encodeURIComponent(address)}`;
+async function lookupAgentByClientId(hubUrl, clientId) {
+    const url = `${hubUrl.replace(/\/$/, "")}/api/agents?clientId=${encodeURIComponent(clientId)}`;
     const res = await fetch(url);
     if (!res.ok) {
         throw Object.assign(new Error(`Hub lookup failed: ${res.status}`), { status: res.status });
@@ -82,9 +68,6 @@ async function lookupAgentByAddress(hubUrl, address) {
     const agents = await res.json();
     return agents.length > 0 ? agents[0] : null;
 }
-// ---------------------------------------------------------------------------
-// Retry with exponential backoff
-// ---------------------------------------------------------------------------
 async function retryWithBackoff(fn, maxRetries, baseDelayMs, maxDelayMs) {
     let lastError;
     for (let attempt = 0; attempt <= maxRetries; attempt++) {
@@ -101,106 +84,37 @@ async function retryWithBackoff(fn, maxRetries, baseDelayMs, maxDelayMs) {
     }
     throw lastError;
 }
-// ---------------------------------------------------------------------------
-// Flatten skills from agent card config
-// ---------------------------------------------------------------------------
 function flattenSkills(skills) {
     return skills.map((s) => (typeof s === "string" ? s : s.name));
 }
-/**
- * Run the full hub registration flow:
- * 1. Load existing registration (if any)
- * 2. Validate existing token with hub
- * 3. If no valid registration, create new one (handling 409 conflicts)
- * 4. Save registration file atomically
- */
 export async function runHubRegistration(api, config, hubConfig, registrationConfig) {
     const configDir = getConfigDir();
     const hubUrl = hubConfig.url;
-    // Derive address from agentCard.url (the externally reachable address), not server.bind
-    // e.g. "http://100.10.10.1:18800/a2a/jsonrpc" -> "100.10.10.1:18800"
-    let address;
-    if (config.agentCard.url) {
-        try {
-            const urlObj = new URL(config.agentCard.url);
-            address = `${urlObj.hostname}:${urlObj.port || (urlObj.protocol === "https:" ? 443 : 80)}`;
-        }
-        catch {
-            address = `${config.server.host}:${config.server.port}`;
-        }
-    }
-    else {
-        address = `${config.server.host}:${config.server.port}`;
-    }
-    // Ensure config directory exists
+    const identity = loadOrCreateIdentity(registrationConfig.clientId);
     if (!fs.existsSync(configDir)) {
         fs.mkdirSync(configDir, { recursive: true });
     }
-    // Load existing registration
     const existing = loadRegistration(configDir);
-    // If we have a registration with a matching address and token, validate it
-    if (existing && existing.address === address && existing.hubUrl === hubUrl && existing.token) {
+    if (existing &&
+        existing.hubUrl === hubUrl &&
+        existing.clientId === identity.clientId &&
+        existing.publicKey === identity.publicKey) {
         try {
-            const agent = await lookupAgentByAddress(hubUrl, address);
+            const agent = await lookupAgentByClientId(hubUrl, identity.clientId);
             if (agent && agent.id === existing.agentId) {
                 api.logger.info(`claw-crony: using existing hub registration (agentId=${existing.agentId})`);
                 return {
                     agentId: existing.agentId,
-                    token: existing.token,
-                    address: existing.address,
+                    token: "",
+                    address: "",
                     name: existing.name,
                 };
             }
         }
         catch {
-            // Hub unreachable or agent not found — try re-registering with existing token first
-            api.logger.warn("claw-crony: existing registration invalid, trying with existing token");
-            const existingToken = existing.token;
-            try {
-                const existingPayload = {
-                    name: config.agentCard.name,
-                    description: config.agentCard.description ?? "",
-                    skills: flattenSkills(config.agentCard.skills),
-                    address,
-                    token: existingToken,
-                    username: registrationConfig.username ?? config.agentCard.name,
-                    email: registrationConfig.email ?? "",
-                };
-                const agent = await retryWithBackoff(() => registerWithHub(hubUrl, existingPayload), 3, 1000, 10000);
-                api.logger.info(`claw-crony: re-registered with hub using existing token (agentId=${agent.id})`);
-                // Also register hub user if password is configured
-                if (registrationConfig.password) {
-                    try {
-                        await retryWithBackoff(() => registerHubUser(hubUrl, agent.id, registrationConfig.username ?? config.agentCard.name, registrationConfig.password), 3, 1000, 10000);
-                        api.logger.info(`claw-crony: registered hub user for web login (agentId=${agent.id})`);
-                    }
-                    catch (err) {
-                        api.logger.warn(`claw-crony: hub user registration failed — ${err instanceof Error ? err.message : String(err)}`);
-                    }
-                }
-                // Re-save to update registration file
-                const updatedData = {
-                    ...existing,
-                    registeredAt: new Date().toISOString(),
-                };
-                saveRegistration(configDir, updatedData);
-                return { agentId: agent.id, token: existingToken, address, name: config.agentCard.name };
-            }
-            catch (err) {
-                // Existing token also failed (409 means address conflict from elsewhere)
-                const status = typeof err === "object" && err !== null ? err.status : undefined;
-                if (status === 409) {
-                    api.logger.warn("claw-crony: existing token rejected, generating new token");
-                }
-                else {
-                    api.logger.warn(`claw-crony: re-registration with existing token failed — ${err instanceof Error ? err.message : String(err)}`);
-                }
-                // fall through to generate new token
-            }
+            api.logger.warn("claw-crony: existing registration not confirmed remotely, re-registering");
         }
     }
-    // Generate new token
-    const token = generateToken();
     const name = config.agentCard.name;
     const description = config.agentCard.description ?? "";
     const skills = flattenSkills(config.agentCard.skills);
@@ -210,8 +124,10 @@ export async function runHubRegistration(api, config, hubConfig, registrationCon
         name,
         description,
         skills,
-        address,
-        token,
+        clientId: identity.clientId,
+        publicKey: identity.publicKey,
+        keyVersion: identity.keyVersion,
+        clientVersion: "claw-crony/1.2.4",
         username,
         email,
     };
@@ -220,15 +136,13 @@ export async function runHubRegistration(api, config, hubConfig, registrationCon
         const agent = await retryWithBackoff(() => registerWithHub(hubUrl, payload), 3, 1000, 10000);
         agentId = agent.id;
         api.logger.info(`claw-crony: registered with hub (agentId=${agentId})`);
-        // Also register hub user for web dashboard login (if password provided)
         if (registrationConfig.password) {
             try {
                 await retryWithBackoff(() => registerHubUser(hubUrl, agentId, username, registrationConfig.password), 3, 1000, 10000);
                 api.logger.info(`claw-crony: registered hub user for web login (agentId=${agentId})`);
             }
             catch (err) {
-                api.logger.warn(`claw-crony: hub user registration failed — ${err instanceof Error ? err.message : String(err)}`);
-                // Non-fatal — agent is registered, web login may already exist
+                api.logger.warn(`claw-crony: hub user registration failed - ${err instanceof Error ? err.message : String(err)}`);
             }
         }
         else {
@@ -237,46 +151,33 @@ export async function runHubRegistration(api, config, hubConfig, registrationCon
         }
     }
     catch (err) {
-        // 409 Conflict: address already registered by someone else — try to find our agentId
         if (typeof err === "object" && err !== null && err.status === 409) {
             try {
-                const existingAgent = await lookupAgentByAddress(hubUrl, address);
-                if (existingAgent) {
-                    agentId = existingAgent.id;
-                    api.logger.info(`claw-crony: found existing registration (agentId=${agentId})`);
-                    // Also register hub user if password is configured
-                    if (registrationConfig.password) {
-                        try {
-                            await retryWithBackoff(() => registerHubUser(hubUrl, agentId, registrationConfig.username ?? config.agentCard.name, registrationConfig.password), 3, 1000, 10000);
-                            api.logger.info(`claw-crony: registered hub user for web login (agentId=${agentId})`);
-                        }
-                        catch (err) {
-                            api.logger.warn(`claw-crony: hub user registration failed — ${err instanceof Error ? err.message : String(err)}`);
-                        }
-                    }
-                }
-                else {
-                    api.logger.error("claw-crony: address conflict but could not find existing agent");
+                const existingAgent = await lookupAgentByClientId(hubUrl, identity.clientId);
+                if (!existingAgent) {
+                    api.logger.error("claw-crony: identity conflict but could not find existing agent");
                     return null;
                 }
+                agentId = existingAgent.id;
+                api.logger.info(`claw-crony: found existing registration (agentId=${agentId})`);
             }
             catch {
-                api.logger.error("claw-crony: address conflict and hub lookup failed");
+                api.logger.error("claw-crony: identity conflict and hub lookup failed");
                 return null;
             }
         }
         else {
-            api.logger.warn(`claw-crony: hub registration failed — ${err instanceof Error ? err.message : String(err)}`);
+            api.logger.warn(`claw-crony: hub registration failed - ${err instanceof Error ? err.message : String(err)}`);
             return null;
         }
     }
-    // Save registration file
     const registrationData = {
-        version: 1,
+        version: 2,
         hubUrl,
         agentId,
-        address,
-        token,
+        clientId: identity.clientId,
+        publicKey: identity.publicKey,
+        keyVersion: identity.keyVersion,
         registeredAt: new Date().toISOString(),
         name,
         description,
@@ -286,7 +187,7 @@ export async function runHubRegistration(api, config, hubConfig, registrationCon
         saveRegistration(configDir, registrationData);
     }
     catch (saveErr) {
-        api.logger.warn(`claw-crony: failed to save registration file — ${saveErr instanceof Error ? saveErr.message : String(saveErr)}`);
+        api.logger.warn(`claw-crony: failed to save registration file - ${saveErr instanceof Error ? saveErr.message : String(saveErr)}`);
     }
-    return { agentId, token, address, name };
+    return { agentId, token: "", address: "", name };
 }

package/dist/src/identity-store.d.ts

@@ -0,0 +1,4 @@
+import type { IdentityData } from "./types.js";
+export declare function loadIdentity(configDir?: string): IdentityData | null;
+export declare function saveIdentity(configDir: string, data: IdentityData): void;
+export declare function loadOrCreateIdentity(clientId?: string): IdentityData;

package/dist/src/identity-store.js

@@ -0,0 +1,55 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+const IDENTITY_FILENAME = "a2a-identity.json";
+function getConfigDir() {
+    return path.join(os.homedir(), ".openclaw");
+}
+function getIdentityPath(configDir) {
+    return path.join(configDir, IDENTITY_FILENAME);
+}
+function randomClientId() {
+    return crypto.randomUUID();
+}
+export function loadIdentity(configDir) {
+    const identityPath = getIdentityPath(configDir ?? getConfigDir());
+    try {
+        const raw = fs.readFileSync(identityPath, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+export function saveIdentity(configDir, data) {
+    const identityPath = getIdentityPath(configDir);
+    const tmpPath = `${identityPath}.tmp`;
+    fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2), "utf-8");
+    fs.renameSync(tmpPath, identityPath);
+}
+export function loadOrCreateIdentity(clientId) {
+    const configDir = getConfigDir();
+    if (!fs.existsSync(configDir)) {
+        fs.mkdirSync(configDir, { recursive: true });
+    }
+    const existing = loadIdentity(configDir);
+    if (existing) {
+        if (clientId && existing.clientId !== clientId) {
+            existing.clientId = clientId;
+            saveIdentity(configDir, existing);
+        }
+        return existing;
+    }
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
+    const identity = {
+        version: 1,
+        clientId: clientId?.trim() || randomClientId(),
+        publicKey: publicKey.export({ format: "pem", type: "spki" }).toString(),
+        privateKey: privateKey.export({ format: "pem", type: "pkcs8" }).toString(),
+        keyVersion: 1,
+        createdAt: new Date().toISOString(),
+    };
+    saveIdentity(configDir, identity);
+    return identity;
+}

package/dist/src/types.d.ts

@@ -92,18 +92,56 @@ export interface RegistrationConfig {
     email?: string;
     password?: string;
     skills?: string[];
+    clientId?: string;
 }
 export interface HubRegistrationData {
     version: number;
     hubUrl: string;
     agentId: number;
-    address: string;
-    token: string;
+    clientId: string;
+    publicKey: string;
+    keyVersion: number;
     registeredAt: string;
     name: string;
     description: string;
     skills: string[];
 }
+export interface IdentityData {
+    version: number;
+    clientId: string;
+    publicKey: string;
+    privateKey: string;
+    keyVersion: number;
+    createdAt: string;
+}
+export interface EphemeralTokenRecord {
+    token: string;
+    matchId: number;
+    peerAgentId: number;
+    expiresAt: number;
+}
+export interface HandshakePayload {
+    version: number;
+    matchId: number;
+    sessionId: string;
+    fromAgentId: number;
+    toAgentId: number;
+    address: string;
+    agentCardPath: string;
+    token: string;
+    tokenExpiresAt: string;
+    protocols: string[];
+    createdAt: string;
+    nonce: string;
+}
+export interface EncryptedHandshakeMessage {
+    version: number;
+    algorithm: "x25519-aes-256-gcm";
+    senderPublicKey: string;
+    iv: string;
+    ciphertext: string;
+    authTag: string;
+}
 export interface HealthCheckConfig {
     enabled: boolean;
     intervalMs: number;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clawcrony/claw-crony",
-  "version": "1.2.3",
+  "version": "1.2.4",
   "type": "module",
   "description": "OpenClaw A2A gateway plugin implementing the A2A v0.3.0 protocol surface",
   "main": "dist/index.js",