@coclaw/openclaw-coclaw 0.2.3 → 0.3.0

package/index.js

@@ -3,7 +3,7 @@ import { registerCoclawCli } from './src/cli-registrar.js';
 import { resolveErrorMessage } from './src/common/errors.js';
 import { notBound, bindOk, unbindOk } from './src/common/messages.js';
 import { coclawChannelPlugin } from './src/channel-plugin.js';
-import { refreshRealtimeBridge, startRealtimeBridge, stopRealtimeBridge } from './src/realtime-bridge.js';
+import { ensureAgentSession, refreshRealtimeBridge, startRealtimeBridge, stopRealtimeBridge } from './src/realtime-bridge.js';
 import { setRuntime } from './src/runtime.js';
 import { createSessionManager } from './src/session-manager/manager.js';
 import { AutoUpgradeScheduler } from './src/auto-upgrade/updater.js';
@@ -88,8 +88,12 @@ const plugin = {
 			}
 		});
 
-		api.registerGatewayMethod('nativeui.sessions.listAll', ({ params, respond }) => {
+		api.registerGatewayMethod('nativeui.sessions.listAll', async ({ params, respond }) => {
 			try {
+				const agentId = params?.agentId?.trim?.() || 'main';
+				// best-effort ensure：失败不阻断 listAll
+				try { await ensureAgentSession(agentId); }
+				catch {}
 				respond(true, manager.listAll(params ?? {}));
 			}
 			catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coclaw/openclaw-coclaw",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "type": "module",
   "license": "Apache-2.0",
   "description": "OpenClaw CoClaw channel plugin for remote chat",

package/src/device-identity.js

@@ -0,0 +1,190 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+import nodePath from 'node:path';
+
+import { getRuntime } from './runtime.js';
+
+const CHANNEL_ID = 'coclaw';
+const IDENTITY_FILENAME = 'device-identity.json';
+
+// Ed25519 SPKI 前缀（固定 12 字节），公钥裸字节从 SPKI DER 中截取
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+
+function base64UrlEncode(buf) {
+	return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+
+// 仅处理 ASCII 范围的大写→小写，保持跨运行时确定性
+function toLowerAscii(input) {
+	return input.replace(/[A-Z]/g, (ch) => String.fromCharCode(ch.charCodeAt(0) + 32));
+}
+
+function normalizeMetadataForAuth(value) {
+	if (typeof value !== 'string') return '';
+	const trimmed = value.trim();
+	return trimmed ? toLowerAscii(trimmed) : '';
+}
+
+function resolveStateDir() {
+	const rt = getRuntime();
+	if (rt?.state?.resolveStateDir) {
+		return rt.state.resolveStateDir();
+	}
+	return process.env.OPENCLAW_STATE_DIR
+		? nodePath.resolve(process.env.OPENCLAW_STATE_DIR)
+		: nodePath.join(os.homedir(), '.openclaw');
+}
+
+/**
+ * 获取身份文件路径
+ * @returns {string}
+ */
+export function getIdentityPath() {
+	return nodePath.join(resolveStateDir(), CHANNEL_ID, IDENTITY_FILENAME);
+}
+
+/**
+ * 从 PEM 公钥提取裸字节
+ * @param {string} publicKeyPem
+ * @returns {Buffer}
+ */
+function derivePublicKeyRaw(publicKeyPem) {
+	const key = crypto.createPublicKey(publicKeyPem);
+	const spki = key.export({ type: 'spki', format: 'der' });
+	if (
+		spki.length === ED25519_SPKI_PREFIX.length + 32
+		&& spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
+	) {
+		return spki.subarray(ED25519_SPKI_PREFIX.length);
+	}
+	/* c8 ignore next -- Ed25519 密钥 SPKI 格式固定，此分支仅防御未知密钥格式 */
+	return spki;
+}
+
+/**
+ * 公钥指纹 = SHA256(裸公钥字节) 的十六进制
+ * @param {string} publicKeyPem
+ * @returns {string}
+ */
+function fingerprintPublicKey(publicKeyPem) {
+	const raw = derivePublicKeyRaw(publicKeyPem);
+	return crypto.createHash('sha256').update(raw).digest('hex');
+}
+
+/**
+ * 生成新的 Ed25519 密钥对
+ * @returns {{ deviceId: string, publicKeyPem: string, privateKeyPem: string }}
+ */
+function generateIdentity() {
+	const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+	const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+	const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+	const deviceId = fingerprintPublicKey(publicKeyPem);
+	return { deviceId, publicKeyPem, privateKeyPem };
+}
+
+/**
+ * 加载或创建设备身份（Ed25519 密钥对）
+ *
+ * 存储格式与 OpenClaw device-identity.ts 保持一致。
+ * @param {string} [filePath] - 自定义路径，默认 ~/.openclaw/coclaw/device-identity.json
+ * @returns {{ deviceId: string, publicKeyPem: string, privateKeyPem: string }}
+ */
+export function loadOrCreateDeviceIdentity(filePath) {
+	const fp = filePath ?? getIdentityPath();
+	try {
+		if (fs.existsSync(fp)) {
+			const raw = fs.readFileSync(fp, 'utf8');
+			const parsed = JSON.parse(raw);
+			if (
+				parsed?.version === 1
+				&& typeof parsed.deviceId === 'string'
+				&& typeof parsed.publicKeyPem === 'string'
+				&& typeof parsed.privateKeyPem === 'string'
+			) {
+				// 校验 deviceId 一致性
+				const derivedId = fingerprintPublicKey(parsed.publicKeyPem);
+				if (derivedId && derivedId !== parsed.deviceId) {
+					const updated = { ...parsed, deviceId: derivedId };
+					fs.writeFileSync(fp, `${JSON.stringify(updated, null, 2)}\n`, { mode: 0o600 });
+					try { fs.chmodSync(fp, 0o600); } catch { /* best-effort */ }
+					return { deviceId: derivedId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+				}
+				return { deviceId: parsed.deviceId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+			}
+		}
+	}
+	catch {
+		// 读取/解析失败时重新生成
+	}
+
+	const identity = generateIdentity();
+	fs.mkdirSync(nodePath.dirname(fp), { recursive: true });
+	const stored = {
+		version: 1,
+		deviceId: identity.deviceId,
+		publicKeyPem: identity.publicKeyPem,
+		privateKeyPem: identity.privateKeyPem,
+		createdAtMs: Date.now(),
+	};
+	fs.writeFileSync(fp, `${JSON.stringify(stored, null, 2)}\n`, { mode: 0o600 });
+	try { fs.chmodSync(fp, 0o600); } catch { /* best-effort */ }
+	return identity;
+}
+
+/**
+ * 签名设备认证载荷
+ * @param {string} privateKeyPem
+ * @param {string} payload
+ * @returns {string} base64url 编码签名
+ */
+export function signDevicePayload(privateKeyPem, payload) {
+	const key = crypto.createPrivateKey(privateKeyPem);
+	const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), key);
+	return base64UrlEncode(sig);
+}
+
+/**
+ * 公钥 PEM → base64url 裸字节
+ * @param {string} publicKeyPem
+ * @returns {string}
+ */
+export function publicKeyRawBase64Url(publicKeyPem) {
+	return base64UrlEncode(derivePublicKeyRaw(publicKeyPem));
+}
+
+/**
+ * 构建 v3 版本的设备认证载荷字符串
+ * @param {object} params
+ * @param {string} params.deviceId
+ * @param {string} params.clientId
+ * @param {string} params.clientMode
+ * @param {string} params.role
+ * @param {string[]} params.scopes
+ * @param {number} params.signedAtMs
+ * @param {string} [params.token]
+ * @param {string} params.nonce
+ * @param {string} [params.platform]
+ * @param {string} [params.deviceFamily]
+ * @returns {string}
+ */
+export function buildDeviceAuthPayloadV3(params) {
+	const scopes = params.scopes.join(',');
+	const token = params.token ?? '';
+	const platform = normalizeMetadataForAuth(params.platform);
+	const deviceFamily = normalizeMetadataForAuth(params.deviceFamily);
+	return [
+		'v3',
+		params.deviceId,
+		params.clientId,
+		params.clientMode,
+		params.role,
+		scopes,
+		String(params.signedAtMs),
+		token,
+		params.nonce,
+		platform,
+		deviceFamily,
+	].join('|');
+}

package/src/realtime-bridge.js

@@ -3,6 +3,12 @@ import os from 'node:os';
 import nodePath from 'node:path';
 
 import { clearConfig, getBindingsPath, readConfig } from './config.js';
+import {
+	loadOrCreateDeviceIdentity,
+	signDevicePayload,
+	publicKeyRawBase64Url,
+	buildDeviceAuthPayloadV3,
+} from './device-identity.js';
 import { getRuntime } from './runtime.js';
 
 const DEFAULT_GATEWAY_WS_URL = 'ws://127.0.0.1:18789';
@@ -65,12 +71,14 @@ export class RealtimeBridge {
 	 * @param {Function} [deps.clearConfig] - 清除绑定配置
 	 * @param {Function} [deps.getBindingsPath] - 获取绑定文件路径
 	 * @param {Function} [deps.resolveGatewayAuthToken] - 获取 gateway 认证 token
+	 * @param {Function} [deps.loadDeviceIdentity] - 加载设备身份
 	 */
 	constructor(deps = {}) {
 		this.__readConfig = deps.readConfig ?? readConfig;
 		this.__clearConfig = deps.clearConfig ?? clearConfig;
 		this.__getBindingsPath = deps.getBindingsPath ?? getBindingsPath;
 		this.__resolveGatewayAuthToken = deps.resolveGatewayAuthToken ?? defaultResolveGatewayAuthToken;
+		this.__loadDeviceIdentity = deps.loadDeviceIdentity ?? loadOrCreateDeviceIdentity;
 		this.__WebSocket = deps.WebSocket ?? null;
 
 		this.serverWs = null;
@@ -82,14 +90,13 @@ export class RealtimeBridge {
 		this.gatewayConnectReqId = null;
 		this.gatewayRpcSeq = 0;
 		this.gatewayPendingRequests = new Map();
-		this.mainSessionEnsurePromise = null;
-		this.mainSessionEnsured = false;
 		this.logger = console;
 		this.pluginConfig = {};
 		this.intentionallyClosed = false;
 		this.serverHbInterval = null;
 		this.serverHbTimer = null;
 		this.__serverHbMissCount = 0;
+		this.__deviceIdentity = null;
 	}
 
 	__resolveWebSocket() {
@@ -239,67 +246,118 @@ export class RealtimeBridge {
 		});
 	}
 
-	async __ensureMainSessionKey() {
-		if (this.mainSessionEnsured) {
+	/**
+	 * 确保指定 agent 的主 session 存在（sessions.resolve + 条件 sessions.reset）
+	 * @param {string} [agentId] - agent ID，默认 'main'
+	 * @returns {Promise<{ok: boolean, state?: string, error?: string}>}
+	 */
+	async ensureAgentSession(agentId) {
+		const aid = typeof agentId === 'string' && agentId.trim() ? agentId.trim() : 'main';
+		const key = `agent:${aid}:main`;
+		const resolved = await this.__gatewayRpc('sessions.resolve', { key }, { timeoutMs: 2000 });
+		if (resolved?.ok === true) {
+			this.__logDebug(`ensure agent session: ready agentId=${aid}`);
 			return { ok: true, state: 'ready' };
 		}
-		/* c8 ignore next 3 -- 并发调用防御，复用进行中的 promise */
-		if (this.mainSessionEnsurePromise) {
-			return await this.mainSessionEnsurePromise;
-		}
-		this.mainSessionEnsurePromise = (async () => {
-			const key = 'agent:main:main';
-			// sessions.resolve 仅返回 { ok, key }，不含 entry
-			const resolved = await this.__gatewayRpc('sessions.resolve', { key }, { timeoutMs: 2000 });
-			if (resolved?.ok === true) {
-				this.mainSessionEnsured = true;
-				this.__logDebug(`main session key ensure: ready key=${key}`);
-				return { ok: true, state: 'ready' };
-			}
-			// 仅当网关真实响应 "不存在" 时才创建；超时/网关未就绪等瞬态错误不触发 reset
-			if (!resolved?.response) {
-				return { ok: false, error: resolved?.error ?? 'resolve_transient_failure' };
+		// 仅当网关真实响应 "不存在" 时才创建；超时/网关未就绪等瞬态错误不触发 reset
+		if (!resolved?.response) {
+			return { ok: false, error: resolved?.error ?? 'resolve_transient_failure' };
+		}
+		// session key 不存在，通过 sessions.reset 创建
+		const reset = await this.__gatewayRpc('sessions.reset', { key, reason: 'new' }, { timeoutMs: 2500 });
+		if (reset?.ok !== true) {
+			return { ok: false, error: reset?.error ?? 'sessions_reset_failed' };
+		}
+		this.__logDebug(`ensure agent session: created agentId=${aid}`);
+		return { ok: true, state: 'created' };
+	}
+
+	async __ensureAllAgentSessions() {
+		try {
+			const listResult = await this.__gatewayRpc('agents.list', {}, { timeoutMs: 3000 });
+			let agentIds = ['main'];
+			if (listResult?.ok === true && Array.isArray(listResult?.response?.payload?.agents)) {
+				const ids = listResult.response.payload.agents
+					.map((a) => a?.id)
+					.filter((id) => typeof id === 'string' && id.trim());
+				if (ids.length > 0) agentIds = ids;
 			}
-			// session key 不存在，通过 sessions.reset 创建
-			const reset = await this.__gatewayRpc('sessions.reset', { key, reason: 'new' }, { timeoutMs: 2500 });
-			if (reset?.ok !== true) {
-				return { ok: false, error: reset?.error ?? 'sessions_reset_failed' };
+			else {
+				this.logger.warn?.(`[coclaw] agents.list failed, falling back to main: ${listResult?.error ?? 'unknown'}`);
 			}
-			this.mainSessionEnsured = true;
-			this.__logDebug(`main session key ensure: created key=${key}`);
-			return { ok: true, state: 'created' };
-		})();
-		try {
-			const result = await this.mainSessionEnsurePromise;
-			if (!result?.ok) {
-				this.logger.warn?.(`[coclaw] ensure main session key failed: ${result?.error ?? 'unknown'}`);
+			const results = await Promise.allSettled(
+				agentIds.map((id) => this.ensureAgentSession(id)),
+			);
+			for (let i = 0; i < results.length; i++) {
+				const r = results[i];
+				if (r.status === 'fulfilled' && r.value?.ok) continue;
+				const err = r.status === 'fulfilled' ? r.value?.error : String(r.reason);
+				this.logger.warn?.(`[coclaw] ensure agent session failed: agentId=${agentIds[i]} error=${err ?? 'unknown'}`);
 			}
-			return result;
 		}
-		finally {
-			this.mainSessionEnsurePromise = null;
+		/* c8 ignore next 3 -- 防御性兜底，__gatewayRpc 内部已有完整错误处理 */
+		catch (err) {
+			this.logger.warn?.(`[coclaw] ensureAllAgentSessions unexpected error: ${String(err?.message ?? err)}`);
+		}
+	}
+
+	__ensureDeviceIdentity() {
+		if (!this.__deviceIdentity) {
+			this.__deviceIdentity = this.__loadDeviceIdentity();
 		}
+		return this.__deviceIdentity;
+	}
+
+	__buildDeviceField(nonce, authToken) {
+		const identity = this.__ensureDeviceIdentity();
+		const clientId = 'gateway-client';
+		const clientMode = 'backend';
+		const role = 'operator';
+		const scopes = ['operator.admin'];
+		const signedAtMs = Date.now();
+		const payload = buildDeviceAuthPayloadV3({
+			deviceId: identity.deviceId,
+			clientId,
+			clientMode,
+			role,
+			scopes,
+			signedAtMs,
+			token: authToken ?? '',
+			nonce: nonce ?? '',
+			platform: process.platform,
+			deviceFamily: '',
+		});
+		const signature = signDevicePayload(identity.privateKeyPem, payload);
+		return {
+			id: identity.deviceId,
+			publicKey: publicKeyRawBase64Url(identity.publicKeyPem),
+			signature,
+			signedAt: signedAtMs,
+			nonce: nonce ?? '',
+		};
 	}
 
-	__sendGatewayConnectRequest(ws) {
+	__sendGatewayConnectRequest(ws, nonce) {
 		this.gatewayConnectReqId = `coclaw-connect-${Date.now()}`;
 		this.__logDebug(`gateway connect request -> id=${this.gatewayConnectReqId}`);
-		const authToken = this.__resolveGatewayAuthToken();
-		const params = {
-			minProtocol: 3,
-			maxProtocol: 3,
-			client: {
-				id: 'gateway-client',
-				version: 'dev',
-				platform: process.platform,
-				mode: 'backend',
-			},
-			caps: [],
-			role: 'operator',
-			scopes: ['operator.admin'],
-			auth: authToken ? { token: authToken } : undefined,
-		};
 		try {
+			const authToken = this.__resolveGatewayAuthToken();
+			const device = this.__buildDeviceField(nonce, authToken);
+			const params = {
+				minProtocol: 3,
+				maxProtocol: 3,
+				client: {
+					id: 'gateway-client',
+					version: 'dev',
+					platform: process.platform,
+					mode: 'backend',
+				},
+				caps: [],
+				role: 'operator',
+				scopes: ['operator.admin'],
+				auth: authToken ? { token: authToken } : undefined,
+				device,
+			};
 			ws.send(JSON.stringify({
 				type: 'req',
 				id: this.gatewayConnectReqId,
@@ -338,8 +396,9 @@ export class RealtimeBridge {
 				return;
 			}
 			if (payload.type === 'event' && payload.event === 'connect.challenge') {
+				const nonce = payload?.payload?.nonce ?? '';
 				this.__logDebug('gateway event <- connect.challenge');
-				this.__sendGatewayConnectRequest(ws);
+				this.__sendGatewayConnectRequest(ws, nonce);
 				return;
 			}
 			if (payload.type === 'res' && this.gatewayConnectReqId && payload.id === this.gatewayConnectReqId) {
@@ -347,7 +406,7 @@ export class RealtimeBridge {
 					this.gatewayReady = true;
 					this.__logDebug(`gateway connect ok <- id=${payload.id}`);
 					this.gatewayConnectReqId = null;
-					void this.__ensureMainSessionKey();
+					void this.__ensureAllAgentSessions();
 				}
 				else {
 					this.gatewayReady = false;
@@ -624,8 +683,6 @@ export class RealtimeBridge {
 
 	async stop() {
 		this.started = false;
-		this.mainSessionEnsured = false;
-		this.mainSessionEnsurePromise = null;
 		this.__clearServerHeartbeat();
 		this.__clearConnectTimer();
 		if (this.reconnectTimer) {
@@ -676,4 +733,12 @@ export async function stopRealtimeBridge() {
 		return;
 	}
 	await singleton.stop();
+	singleton = null;
+}
+
+export async function ensureAgentSession(agentId) {
+	if (!singleton) {
+		return { ok: false, error: 'bridge_not_started' };
+	}
+	return singleton.ensureAgentSession(agentId);
 }