@clawcrony/claw-crony 1.2.3 → 1.3.0

package/dist/src/ephemeral-token.d.ts

@@ -0,0 +1,7 @@
+import type { GatewayConfig } from "./types.js";
+export declare const EPHEMERAL_INBOUND_TOKEN_LENGTH = 48;
+export declare function isValidEphemeralInboundToken(value: unknown): value is string;
+export declare function issueEphemeralInboundToken(config: GatewayConfig, _matchId: number, _peerAgentId: number, ttlMs?: number): {
+    token: string;
+    expiresAt: string;
+};

package/dist/src/ephemeral-token.js

@@ -0,0 +1,17 @@
+import crypto from "node:crypto";
+export const EPHEMERAL_INBOUND_TOKEN_LENGTH = 48;
+const EPHEMERAL_INBOUND_TOKEN_PATTERN = /^[0-9a-f]{48}$/;
+export function isValidEphemeralInboundToken(value) {
+    return typeof value === "string" && EPHEMERAL_INBOUND_TOKEN_PATTERN.test(value);
+}
+export function issueEphemeralInboundToken(config, _matchId, _peerAgentId, ttlMs = 5 * 60_000) {
+    const token = crypto.randomBytes(EPHEMERAL_INBOUND_TOKEN_LENGTH / 2).toString("hex");
+    config.security.validTokens.add(token);
+    setTimeout(() => {
+        config.security.validTokens.delete(token);
+    }, ttlMs).unref?.();
+    return {
+        token,
+        expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+    };
+}

package/dist/src/handshake-crypto.d.ts

@@ -0,0 +1,3 @@
+import type { HandshakePayload, IdentityData } from "./types.js";
+export declare function encryptHandshake(payload: HandshakePayload, recipientPublicKeyPem: string): string;
+export declare function decryptHandshake(ciphertext: string, identity: IdentityData): HandshakePayload;

package/dist/src/handshake-crypto.js

@@ -0,0 +1,58 @@
+import crypto from "node:crypto";
+function toBase64(value) {
+    return Buffer.from(value instanceof Buffer ? value : new Uint8Array(value)).toString("base64");
+}
+function fromBase64(value) {
+    return Buffer.from(value, "base64");
+}
+function exportPublicPem(key) {
+    return key.export({ format: "pem", type: "spki" }).toString();
+}
+function hkdf(secret, salt, info) {
+    return Buffer.from(crypto.hkdfSync("sha256", secret, salt, Buffer.from(info, "utf-8"), 32));
+}
+const HANDSHAKE_INFO = "claw-crony:handshake:v1";
+export function encryptHandshake(payload, recipientPublicKeyPem) {
+    const recipientPublicKey = crypto.createPublicKey(recipientPublicKeyPem);
+    const ephemeral = crypto.generateKeyPairSync("x25519");
+    const sharedSecret = crypto.diffieHellman({
+        privateKey: ephemeral.privateKey,
+        publicKey: recipientPublicKey,
+    });
+    const iv = crypto.randomBytes(12);
+    const key = hkdf(sharedSecret, iv, HANDSHAKE_INFO);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const plaintext = Buffer.from(JSON.stringify(payload), "utf-8");
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const encrypted = {
+        version: 1,
+        algorithm: "x25519-aes-256-gcm",
+        senderPublicKey: exportPublicPem(ephemeral.publicKey),
+        iv: toBase64(iv),
+        ciphertext: toBase64(ciphertext),
+        authTag: toBase64(authTag),
+    };
+    return JSON.stringify(encrypted);
+}
+export function decryptHandshake(ciphertext, identity) {
+    const envelope = JSON.parse(ciphertext);
+    if (envelope.algorithm !== "x25519-aes-256-gcm") {
+        throw new Error(`Unsupported handshake algorithm: ${envelope.algorithm}`);
+    }
+    const privateKey = crypto.createPrivateKey(identity.privateKey);
+    const senderPublicKey = crypto.createPublicKey(envelope.senderPublicKey);
+    const iv = fromBase64(envelope.iv);
+    const sharedSecret = crypto.diffieHellman({
+        privateKey,
+        publicKey: senderPublicKey,
+    });
+    const key = hkdf(sharedSecret, iv, HANDSHAKE_INFO);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(fromBase64(envelope.authTag));
+    const plaintext = Buffer.concat([
+        decipher.update(fromBase64(envelope.ciphertext)),
+        decipher.final(),
+    ]);
+    return JSON.parse(plaintext.toString("utf-8"));
+}

package/dist/src/history.d.ts

@@ -0,0 +1,44 @@
+export type RequestHistoryType = "match.created" | "match.failed" | "handshake.offer_sent" | "handshake.offer_received" | "handshake.answer_sent" | "handshake.answer_received" | "handshake.failed" | "peer.upserted" | "send.started" | "send.completed" | "send.failed" | "send_file.started" | "send_file.completed" | "send_file.failed" | "task.inbound_completed" | "task.inbound_failed";
+export type RequestHistoryStatus = "started" | "success" | "failure" | "ignored";
+export type RequestHistoryDirection = "inbound" | "outbound" | "local";
+export interface RequestHistoryEntry {
+    ts: string;
+    type: RequestHistoryType;
+    status: RequestHistoryStatus;
+    direction?: RequestHistoryDirection;
+    matchId?: number;
+    messageId?: number;
+    peer?: string;
+    durationMs?: number;
+    detail?: Record<string, unknown>;
+}
+export interface RequestHistoryFilter {
+    count?: number;
+    type?: string;
+    status?: string;
+    direction?: string;
+    matchId?: number;
+    peer?: string;
+}
+export interface RequestHistoryOptions {
+    enabled: boolean;
+    includeEncryptedPayloads: boolean;
+}
+/**
+ * Append-only request history store for operator-facing troubleshooting.
+ * Unlike the audit log, this captures Hub match/handshake milestones and
+ * gateway calls. Sensitive fields are redacted before persistence.
+ */
+export declare class RequestHistoryStore {
+    private readonly filePath;
+    private readonly options;
+    private dirEnsured;
+    constructor(filePath: string, options?: Partial<RequestHistoryOptions>);
+    record(entry: Omit<RequestHistoryEntry, "ts"> & {
+        ts?: string;
+    }): void;
+    tail(filter?: RequestHistoryFilter): Promise<RequestHistoryEntry[]>;
+    close(): void;
+    private ensureDir;
+    private write;
+}

package/dist/src/history.js

@@ -0,0 +1,119 @@
+import fs from "node:fs";
+import path from "node:path";
+import readline from "node:readline";
+const SECRET_KEY_NAMES = ["token", "secret", "password", "authorization", "ciphertext"];
+function redactValue(key, value, includeEncryptedPayloads) {
+    const normalizedKey = key.toLowerCase();
+    if (SECRET_KEY_NAMES.some((name) => normalizedKey.includes(name))) {
+        if (normalizedKey.includes("ciphertext") && includeEncryptedPayloads) {
+            return value;
+        }
+        return "[redacted]";
+    }
+    if (Array.isArray(value)) {
+        return value.map((entry) => redactUnknown(entry, includeEncryptedPayloads));
+    }
+    if (value && typeof value === "object") {
+        return redactObject(value, includeEncryptedPayloads);
+    }
+    return value;
+}
+function redactUnknown(value, includeEncryptedPayloads) {
+    if (Array.isArray(value)) {
+        return value.map((entry) => redactUnknown(entry, includeEncryptedPayloads));
+    }
+    if (value && typeof value === "object") {
+        return redactObject(value, includeEncryptedPayloads);
+    }
+    return value;
+}
+function redactObject(value, includeEncryptedPayloads) {
+    const next = {};
+    for (const [key, entry] of Object.entries(value)) {
+        next[key] = redactValue(key, entry, includeEncryptedPayloads);
+    }
+    return next;
+}
+function matchesFilter(entry, filter) {
+    if (filter.type && entry.type !== filter.type)
+        return false;
+    if (filter.status && entry.status !== filter.status)
+        return false;
+    if (filter.direction && entry.direction !== filter.direction)
+        return false;
+    if (filter.matchId != null && entry.matchId !== filter.matchId)
+        return false;
+    if (filter.peer && entry.peer !== filter.peer)
+        return false;
+    return true;
+}
+/**
+ * Append-only request history store for operator-facing troubleshooting.
+ * Unlike the audit log, this captures Hub match/handshake milestones and
+ * gateway calls. Sensitive fields are redacted before persistence.
+ */
+export class RequestHistoryStore {
+    filePath;
+    options;
+    dirEnsured = false;
+    constructor(filePath, options = {}) {
+        this.filePath = filePath;
+        this.options = {
+            enabled: options.enabled ?? true,
+            includeEncryptedPayloads: options.includeEncryptedPayloads ?? false,
+        };
+    }
+    record(entry) {
+        if (!this.options.enabled) {
+            return;
+        }
+        const detail = entry.detail
+            ? redactObject(entry.detail, this.options.includeEncryptedPayloads)
+            : undefined;
+        this.write({
+            ...entry,
+            ts: entry.ts ?? new Date().toISOString(),
+            ...(detail ? { detail } : {}),
+        });
+    }
+    async tail(filter = {}) {
+        if (!fs.existsSync(this.filePath))
+            return [];
+        const count = Math.min(Math.max(1, Math.floor(filter.count ?? 50)), 500);
+        const entries = [];
+        const input = fs.createReadStream(this.filePath, { encoding: "utf-8" });
+        const rl = readline.createInterface({ input, crlfDelay: Infinity });
+        for await (const line of rl) {
+            if (!line.trim())
+                continue;
+            try {
+                const entry = JSON.parse(line);
+                if (matchesFilter(entry, filter)) {
+                    entries.push(entry);
+                }
+            }
+            catch {
+                // Skip malformed lines.
+            }
+        }
+        return entries.slice(-count).reverse();
+    }
+    close() {
+        // No persistent handles.
+    }
+    ensureDir() {
+        if (this.dirEnsured)
+            return;
+        this.dirEnsured = true;
+        fs.mkdirSync(path.dirname(this.filePath), { recursive: true });
+    }
+    write(entry) {
+        try {
+            this.ensureDir();
+            fs.appendFileSync(this.filePath, JSON.stringify(entry) + "\n");
+        }
+        catch {
+            // History is diagnostic only; never crash the gateway.
+        }
+    }
+}

package/dist/src/hub-match.d.ts

@@ -1,20 +1,14 @@
 /**
- * Hub Match API client for openclaw-claw-crony.
- *
- * Provides a typed client for the hub's /api/matches endpoints:
- * - POST   /api/matches              createMatch
- * - GET    /api/matches/{id}         getMatch
- * - GET    /api/matches/pending       getPendingMatches
- * - POST   /api/matches/{id}/token   submitToken
- * - POST   /api/matches/{id}/complete completeMatch
- * - POST   /api/matches/{id}/cancel  cancelMatch
+ * Hub Match API client for claw-crony.
  */
 import type { HubRegistrationData } from "./types.js";
 export interface HubAgentDto {
     id: number;
     name: string;
-    address: string;
     skills: string[];
+    clientId?: string;
+    publicKey?: string;
+    presenceStatus?: string;
 }
 export interface HubMatchResult {
     id: number;
@@ -22,58 +16,53 @@ export interface HubMatchResult {
     status: string;
     requester: HubAgentDto | null;
     provider: HubAgentDto | null;
-    yourToken: string | null;
-    peerToken: string | null;
+    yourToken?: string | null;
+    peerToken?: string | null;
     callerRole?: "requester" | "provider" | "observer" | null;
     requesterTokenSubmitted?: boolean;
     providerTokenSubmitted?: boolean;
     readyForComplete?: boolean;
+    requesterHandshakeSent?: boolean;
+    providerHandshakeSent?: boolean;
+    requesterHandshakeConsumed?: boolean;
+    providerHandshakeConsumed?: boolean;
+    requesterReady?: boolean;
+    providerReady?: boolean;
+    readyForConnect?: boolean;
+}
+export interface HubHandshakeMessage {
+    id: number;
+    senderAgentId: number;
+    receiverAgentId: number;
+    messageType: "offer" | "answer";
+    ciphertext: string;
+    status: string;
+    expiresAt: string;
+    createdAt?: string;
+    consumedAt?: string | null;
 }
 export declare class HubMatchClient {
     private readonly hubUrl;
     private readonly registration;
     constructor(hubUrl: string, registration: HubRegistrationData);
     get agentId(): number;
-    get registrationToken(): string;
     static create(): Promise<HubMatchClient>;
     private request;
-    /**
-     * Create a new match request.
-     * @param params.skills - Skills to search for in a provider
-     * @param params.description - Optional description of the match request
-     * @param params.token - Optional bearer token to include for this agent
-     */
     createMatch(params: {
         skills: string[];
         description?: string;
-        token?: string;
     }): Promise<HubMatchResult>;
-    /**
-     * Get a match result by ID.
-     * @param matchId - The match ID
-     * @param callerId - Optional agent ID to set callerId query param (affects yourToken)
-     */
     getMatch(matchId: number, callerId?: number): Promise<HubMatchResult>;
-    /**
-     * Get all pending matches for this agent.
-     */
     getPendingMatches(): Promise<HubMatchResult[]>;
-    /**
-     * Submit this agent's token for a match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token
-     */
-    submitToken(matchId: number, token: string): Promise<HubMatchResult>;
-    /**
-     * Mark a match as completed (both parties have submitted tokens).
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    completeMatch(matchId: number, token: string): Promise<HubMatchResult>;
-    /**
-     * Cancel a pending or token_exchange match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    cancelMatch(matchId: number, token: string): Promise<HubMatchResult>;
+    updatePresence(presenceStatus: "online" | "offline" | "busy", clientVersion?: string): Promise<HubAgentDto>;
+    sendHandshakeMessage(matchId: number, params: {
+        messageType: "offer" | "answer";
+        ciphertext: string;
+        expiresAt: string;
+    }): Promise<HubHandshakeMessage>;
+    getPendingHandshakeMessages(matchId: number): Promise<HubHandshakeMessage[]>;
+    consumeHandshakeMessage(matchId: number, messageId: number): Promise<HubHandshakeMessage>;
+    markReady(matchId: number): Promise<HubMatchResult>;
+    completeMatch(matchId: number): Promise<HubMatchResult>;
+    cancelMatch(matchId: number): Promise<HubMatchResult>;
 }

package/dist/src/hub-match.js

@@ -1,18 +1,7 @@
 /**
- * Hub Match API client for openclaw-claw-crony.
- *
- * Provides a typed client for the hub's /api/matches endpoints:
- * - POST   /api/matches              createMatch
- * - GET    /api/matches/{id}         getMatch
- * - GET    /api/matches/pending       getPendingMatches
- * - POST   /api/matches/{id}/token   submitToken
- * - POST   /api/matches/{id}/complete completeMatch
- * - POST   /api/matches/{id}/cancel  cancelMatch
+ * Hub Match API client for claw-crony.
  */
 import { loadRegistration } from "./hub-registration.js";
-// ---------------------------------------------------------------------------
-// HubMatchClient
-// ---------------------------------------------------------------------------
 export class HubMatchClient {
     hubUrl;
     registration;
@@ -23,16 +12,12 @@ export class HubMatchClient {
     get agentId() {
         return this.registration.agentId;
     }
-    get registrationToken() {
-        return this.registration.token;
-    }
     static async create() {
         const registration = loadRegistration();
         if (!registration) {
             throw new Error("No hub registration found. Run the gateway first to register with the hub.");
         }
-        const configUrl = registration.hubUrl;
-        return new HubMatchClient(configUrl, registration);
+        return new HubMatchClient(registration.hubUrl, registration);
     }
     async request(path, options = {}) {
         const url = `${this.hubUrl}${path}`;
@@ -40,7 +25,6 @@ export class HubMatchClient {
             ...options,
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${this.registration.token}`,
                 ...(options.headers ?? {}),
             },
         });
@@ -50,12 +34,6 @@ export class HubMatchClient {
         }
         return res.json();
     }
-    /**
-     * Create a new match request.
-     * @param params.skills - Skills to search for in a provider
-     * @param params.description - Optional description of the match request
-     * @param params.token - Optional bearer token to include for this agent
-     */
     async createMatch(params) {
         return this.request("/api/matches", {
             method: "POST",
@@ -63,45 +41,57 @@ export class HubMatchClient {
                 agentId: this.registration.agentId,
                 requiredSkills: params.skills,
                 description: params.description ?? "",
-                token: params.token,
             }),
         });
     }
-    /**
-     * Get a match result by ID.
-     * @param matchId - The match ID
-     * @param callerId - Optional agent ID to set callerId query param (affects yourToken)
-     */
     async getMatch(matchId, callerId) {
         const path = callerId != null ? `/api/matches/${matchId}?callerId=${callerId}` : `/api/matches/${matchId}`;
         return this.request(path);
     }
-    /**
-     * Get all pending matches for this agent.
-     */
     async getPendingMatches() {
         return this.request(`/api/matches/pending?agentId=${this.registration.agentId}`);
     }
-    /**
-     * Submit this agent's token for a match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token
-     */
-    async submitToken(matchId, token) {
-        return this.request(`/api/matches/${matchId}/token`, {
+    async updatePresence(presenceStatus, clientVersion = "claw-crony/1.3.0") {
+        return this.request(`/api/agents/${this.registration.agentId}/presence`, {
+            method: "PUT",
+            body: JSON.stringify({
+                presenceStatus,
+                clientVersion,
+            }),
+        });
+    }
+    async sendHandshakeMessage(matchId, params) {
+        return this.request(`/api/matches/${matchId}/handshake`, {
+            method: "POST",
+            body: JSON.stringify({
+                agentId: this.registration.agentId,
+                messageType: params.messageType,
+                ciphertext: params.ciphertext,
+                expiresAt: params.expiresAt,
+            }),
+        });
+    }
+    async getPendingHandshakeMessages(matchId) {
+        const result = await this.request(`/api/matches/${matchId}/handshake/pending?agentId=${this.registration.agentId}`);
+        return result.messages ?? [];
+    }
+    async consumeHandshakeMessage(matchId, messageId) {
+        return this.request(`/api/matches/${matchId}/handshake/${messageId}/consume`, {
+            method: "POST",
+            body: JSON.stringify({
+                agentId: this.registration.agentId,
+            }),
+        });
+    }
+    async markReady(matchId) {
+        return this.request(`/api/matches/${matchId}/ready`, {
             method: "POST",
             body: JSON.stringify({
                 agentId: this.registration.agentId,
-                token,
             }),
         });
     }
-    /**
-     * Mark a match as completed (both parties have submitted tokens).
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    async completeMatch(matchId, token) {
+    async completeMatch(matchId) {
         return this.request(`/api/matches/${matchId}/complete`, {
             method: "POST",
             body: JSON.stringify({
@@ -109,12 +99,7 @@ export class HubMatchClient {
             }),
         });
     }
-    /**
-     * Cancel a pending or token_exchange match.
-     * @param matchId - The match ID
-     * @param token - This agent's bearer token (for authorization)
-     */
-    async cancelMatch(matchId, token) {
+    async cancelMatch(matchId) {
         return this.request(`/api/matches/${matchId}/cancel`, {
             method: "POST",
             body: JSON.stringify({

package/dist/src/hub-registration.d.ts

@@ -1,8 +1,8 @@
 /**
- * Hub registration module for openclaw-claw-crony.
+ * Hub registration module for claw-crony.
  *
- * Handles automatic registration of the gateway with the hub server on first startup,
- * token generation, and idempotent re-registration.
+ * Registers the local plugin with the hub using client_id + public_key
+ * and persists the resulting agent binding locally.
  */
 import type { GatewayConfig, HubConfig, HubRegistrationData, OpenClawPluginApi, RegistrationConfig } from "./types.js";
 export declare function loadRegistration(configDir?: string): HubRegistrationData | null;
@@ -13,11 +13,4 @@ export interface HubRegistration {
     address: string;
     name: string;
 }
-/**
- * Run the full hub registration flow:
- * 1. Load existing registration (if any)
- * 2. Validate existing token with hub
- * 3. If no valid registration, create new one (handling 409 conflicts)
- * 4. Save registration file atomically
- */
 export declare function runHubRegistration(api: OpenClawPluginApi, config: GatewayConfig, hubConfig: HubConfig, registrationConfig: RegistrationConfig): Promise<HubRegistration | null>;