@dcrays/dcgchat-test 0.5.0-alpha.2 → 0.5.0-alpha.3

package/src/gateway/index.ts

@@ -1,452 +0,0 @@
-// Gateway connection handler - connects to local OpenClaw gateway
-import { WebSocket } from 'ws'
-import crypto from 'crypto'
-import { deriveDeviceIdFromPublicKey, publicKeyRawBase64UrlFromPem, buildDeviceAuthPayloadV3, signDevicePayload } from './security.js'
-import { dcgLogger } from '../utils/log.js'
-import { getWorkspaceDir } from '../utils/global.js'
-import { handleGatewayEventMessage } from '../utils/gatewayMsgHanlder.js'
-
-export interface GatewayEvent {
-  type: string
-  payload?: Record<string, unknown>
-  seq?: number
-}
-
-export interface GatewayHelloOk {
-  server: {
-    connId: string
-  }
-  features: {
-    methods: string[]
-    events: string[]
-  }
-  policy?: {
-    tickIntervalMs?: number
-  }
-  auth?: {
-    deviceToken?: string
-    role?: string
-    scopes?: string[]
-  }
-}
-
-export interface GatewayResponse {
-  type: 'res'
-  id: string
-  ok: boolean
-  /** 多数 RPC 成功时的返回值 */
-  result?: unknown
-  /** connect 及部分响应使用 payload（见 docs/gateway/protocol.md） */
-  payload?: unknown
-  error?: {
-    code: string
-    message: string
-    details?: Record<string, unknown>
-  }
-}
-
-export interface GatewayEventFrame {
-  type: 'event'
-  event: string
-  payload?: Record<string, unknown>
-  seq?: number
-}
-
-export interface GatewayHelloOkFrame {
-  type: 'hello-ok'
-  server: {
-    connId: string
-  }
-  features: {
-    methods: string[]
-    events: string[]
-  }
-  policy?: {
-    tickIntervalMs?: number
-  }
-}
-
-// Union of all possible gateway messages
-export type GatewayMessage = GatewayEventFrame | GatewayResponse | GatewayHelloOkFrame
-
-export interface GatewayConfig {
-  url: string
-  token: string
-  role: string
-  scopes: string[]
-  reconnectInterval?: number
-  maxReconnectAttempts?: number
-}
-
-/**
- * Gateway connection handler
- */
-export class GatewayConnection {
-  private ws: WebSocket | null = null
-  private config: Required<GatewayConfig>
-  private deviceId: string
-  private privateKeyPem: string
-  private publicKeyB64Url: string
-  private connected: boolean = false
-  private connId: string | null = null
-  /** 服务端 connect.challenge 提供的 nonce，须与签名载荷一致 */
-  private connectChallengeNonce: string | null = null
-  private connectSent: boolean = false
-  private pendingRpcById: Map<string, (response: GatewayResponse) => void> = new Map()
-  private eventHandlers: Set<(event: GatewayEvent) => void> = new Set()
-
-  constructor(config: GatewayConfig) {
-    this.config = {
-      url: config.url,
-      token: config.token,
-      role: config.role || 'operator',
-      scopes: config.scopes || ['operator.admin'],
-      reconnectInterval: config.reconnectInterval || 5000,
-      maxReconnectAttempts: config.maxReconnectAttempts || 10
-    }
-
-    const identity = this.loadOrCreateDeviceIdentity()
-    // 必须与公钥指纹一致（deriveDeviceIdFromPublicKey），不可用随机 UUID
-    this.deviceId = identity.deviceId
-    this.privateKeyPem = identity.privateKeyPem
-    this.publicKeyB64Url = identity.publicKeyB64Url
-  }
-
-  private loadOrCreateDeviceIdentity() {
-    const fs = require('fs')
-    const path = require('path')
-    const workspaceDir = getWorkspaceDir()
-    const stateDir = path.join(workspaceDir, '.state')
-    const deviceFile = path.join(stateDir, 'device.json')
-
-    // Try to load existing identity
-    if (fs.existsSync(deviceFile)) {
-      const stored = JSON.parse(fs.readFileSync(deviceFile, 'utf8'))
-      if (stored.deviceId && stored.publicKeyPem && stored.privateKeyPem) {
-        const derivedId = deriveDeviceIdFromPublicKey(stored.publicKeyPem)
-        const deviceId = derivedId !== stored.deviceId ? derivedId : stored.deviceId
-        if (derivedId !== stored.deviceId) {
-          try {
-            fs.writeFileSync(deviceFile, JSON.stringify({ ...stored, deviceId: derivedId }, null, 2))
-          } catch {
-            /* keep in-memory fixed id only */
-          }
-        }
-        return {
-          deviceId,
-          publicKeyPem: stored.publicKeyPem,
-          privateKeyPem: stored.privateKeyPem,
-          publicKeyB64Url: publicKeyRawBase64UrlFromPem(stored.publicKeyPem)
-        }
-      }
-    }
-
-    // Create new identity
-    const keyPair = crypto.generateKeyPairSync('ed25519')
-    const publicKeyPem = keyPair.publicKey.export({ type: 'spki', format: 'pem' }).toString()
-    const privateKeyPem = keyPair.privateKey.export({ type: 'pkcs8', format: 'pem' }).toString()
-    const deviceId = deriveDeviceIdFromPublicKey(publicKeyPem)
-    const publicKeyB64Url = publicKeyRawBase64UrlFromPem(publicKeyPem)
-
-    // Ensure directory exists
-    if (!fs.existsSync(stateDir)) {
-      fs.mkdirSync(stateDir, { recursive: true })
-    }
-
-    // Save identity
-    fs.writeFileSync(
-      deviceFile,
-      JSON.stringify(
-        {
-          version: 1,
-          deviceId,
-          publicKeyPem,
-          privateKeyPem,
-          createdAtMs: Date.now()
-        },
-        null,
-        2
-      )
-    )
-    fs.chmodSync(deviceFile, 0o600)
-
-    return { deviceId, publicKeyPem, privateKeyPem, publicKeyB64Url }
-  }
-
-  /**
-   * Connect to the gateway
-   */
-  async connect(): Promise<GatewayHelloOk> {
-    return new Promise((resolve, reject) => {
-      this.connectChallengeNonce = null
-      this.connectSent = false
-      this.ws = new WebSocket(this.config.url)
-
-      let handshakeSettled = false
-      const finishHandshake = (fn: () => void) => {
-        if (handshakeSettled) return
-        handshakeSettled = true
-        clearTimeout(timeout)
-        fn()
-      }
-
-      const timeout = setTimeout(() => {
-        finishHandshake(() => reject(new Error('Gateway connection timeout')))
-      }, 15000)
-
-      this.ws.on('open', () => {
-        dcgLogger('Gateway connection opened（等待 connect.challenge）')
-      })
-
-      this.ws.on('message', (data, ...args) => {
-        try {
-          const msg = JSON.parse(data.toString())
-          this.handleMessage(
-            msg,
-            (hello) => finishHandshake(() => resolve(hello)),
-            (err) => finishHandshake(() => reject(err)),
-            timeout
-          )
-        } catch (err) {
-          dcgLogger(`[Gateway] 解析消息失败: ${err}`, 'error')
-        }
-      })
-
-      this.ws.on('close', () => {
-        this.connected = false
-        finishHandshake(() => reject(new Error('Gateway 在握手完成前关闭了连接')))
-      })
-
-      this.ws.on('error', (err) => {
-        dcgLogger(`Gateway 连接错误: ${err}`, 'error')
-        finishHandshake(() => reject(err))
-      })
-    })
-  }
-
-  /**
-   * Send initial connect request
-   */
-  private sendConnect(): void {
-    if (this.connectSent) return
-    const nonce = this.connectChallengeNonce?.trim() ?? ''
-    if (!nonce) return
-
-    this.connectSent = true
-    const signedAtMs = Date.now()
-    const platform = process.platform
-
-    const payload = buildDeviceAuthPayloadV3({
-      deviceId: this.deviceId,
-      clientId: 'gateway-client',
-      clientMode: 'backend',
-      role: this.config.role,
-      scopes: this.config.scopes,
-      signedAtMs,
-      token: this.config.token,
-      nonce,
-      platform,
-      deviceFamily: ''
-    })
-
-    const signature = signDevicePayload(this.privateKeyPem, payload)
-
-    this.ws?.send(
-      JSON.stringify({
-        type: 'req',
-        id: '1',
-        method: 'connect',
-        params: {
-          minProtocol: 3,
-          maxProtocol: 3,
-          client: {
-            id: 'gateway-client',
-            version: '1.0.0',
-            platform,
-            mode: 'backend'
-          },
-          auth: { token: this.config.token },
-          role: this.config.role,
-          scopes: this.config.scopes,
-          device: {
-            id: this.deviceId,
-            publicKey: this.publicKeyB64Url,
-            signature,
-            signedAt: signedAtMs,
-            nonce
-          }
-        }
-      })
-    )
-  }
-
-  /**
-   * Handle incoming messages
-   */
-  private mapHelloPayloadToHelloOk(payload: Record<string, unknown>): GatewayHelloOk {
-    const serverRaw = payload.server as Record<string, unknown> | undefined
-    const featuresRaw = payload.features as Record<string, unknown> | undefined
-    return {
-      server: { connId: typeof serverRaw?.connId === 'string' ? serverRaw.connId : '' },
-      features: {
-        methods: Array.isArray(featuresRaw?.methods) ? (featuresRaw.methods as string[]) : [],
-        events: Array.isArray(featuresRaw?.events) ? (featuresRaw.events as string[]) : []
-      },
-      policy: payload.policy as GatewayHelloOk['policy'],
-      auth: payload.auth as GatewayHelloOk['auth']
-    }
-  }
-
-  private handleMessage(
-    msg: Record<string, any>,
-    resolveHello: (helloOk: GatewayHelloOk) => void,
-    rejectHello: (err: Error) => void,
-    timeout: NodeJS.Timeout
-  ): void {
-    const msgType = msg.type as string | undefined
-
-    if (msg.type === 'event' && msg.event === 'connect.challenge') {
-      const payload = msg.payload as Record<string, unknown> | undefined
-      const nonce = typeof payload?.nonce === 'string' ? payload.nonce.trim() : ''
-      if (!nonce) {
-        rejectHello(new Error('connect.challenge 缺少 nonce'))
-        return
-      }
-      this.connectChallengeNonce = nonce
-      this.sendConnect()
-      return
-    }
-
-    // 协议 v3：握手成功为 type:"res" + payload.type:"hello-ok"（见 openclaw docs/gateway/protocol.md）
-    if (msg.type === 'res' && !this.connected) {
-      const ok = msg.ok === true
-      const inner = msg.payload as Record<string, unknown> | undefined
-      if (ok && inner && inner.type === 'hello-ok') {
-        this.connected = true
-        const serverRaw = inner.server as Record<string, unknown> | undefined
-        this.connId = typeof serverRaw?.connId === 'string' ? serverRaw.connId : null
-        clearTimeout(timeout)
-        dcgLogger(`[Gateway] 已连接 connId=${this.connId ?? '(none)'}`)
-        resolveHello(this.mapHelloPayloadToHelloOk(inner))
-        return
-      }
-      if (msg.ok === false) {
-        const errObj = msg.error as Record<string, unknown> | undefined
-        const message = (typeof errObj?.message === 'string' && errObj.message) || 'Gateway connect 被拒绝'
-        clearTimeout(timeout)
-        rejectHello(new Error(message))
-        return
-      }
-    }
-
-    // 旧式或其它实现：顶层 hello-ok
-    if (msgType === 'hello-ok' || (!msgType && msg.server)) {
-      this.connected = true
-      this.connId = ((msg.server as Record<string, unknown>)?.connId as string) || null
-      clearTimeout(timeout)
-      dcgLogger(`[Gateway] 已连接 connId=${this.connId ?? '(none)'}`)
-      resolveHello(msg as unknown as GatewayHelloOk)
-      return
-    }
-    if (msg.type === 'res') {
-      const handler = this.pendingRpcById.get(msg.id as string)
-      if (handler) {
-        this.pendingRpcById.delete(msg.id as string)
-        handler(msg as unknown as GatewayResponse)
-      }
-      return
-    }
-
-    if (msg.type === 'event') {
-      void handleGatewayEventMessage(msg)
-        .then((event) => {
-          this.eventHandlers.forEach((h) => h(event))
-        })
-        .catch((err) => {
-          dcgLogger(`[Gateway] event 处理异步失败: ${String(err)}`, 'error')
-        })
-    }
-  }
-
-  /**
-   * Call a gateway method
-   */
-  async callMethod<T = unknown>(method: string, params: Record<string, unknown> = {}): Promise<T> {
-    const id = crypto.randomUUID()
-
-    return new Promise((resolve, reject) => {
-      if (!this.connected || !this.ws) {
-        reject(new Error('Not connected to gateway'))
-        return
-      }
-
-      const timeout = setTimeout(() => {
-        this.pendingRpcById.delete(id)
-        reject(new Error('Method call timeout'))
-      }, 30000)
-
-      this.pendingRpcById.set(id, (response) => {
-        clearTimeout(timeout)
-        if (response.ok) {
-          const body = response.result !== undefined ? response.result : (response as GatewayResponse).payload
-          resolve(body as T)
-        } else {
-          reject(new Error(response.error?.message || 'Method call failed'))
-        }
-      })
-
-      this.ws.send(
-        JSON.stringify({
-          type: 'req',
-          id,
-          method,
-          params
-        })
-      )
-    })
-  }
-
-  /**
-   * Register event handler
-   */
-  onEvent(handler: (event: GatewayEvent) => void): () => void {
-    this.eventHandlers.add(handler)
-    return () => this.eventHandlers.delete(handler)
-  }
-
-  /**
-   * Close connection
-   */
-  close(): void {
-    this.ws?.close(1000, 'Plugin stopped')
-    this.connected = false
-  }
-
-  /**
-   * Check if connected
-   */
-  isConnected(): boolean {
-    return this.connected
-  }
-
-  /**
-   * Get connection ID
-   */
-  getConnId(): string | null {
-    return this.connId
-  }
-
-  /**
-   * Get the WebSocket instance (for external use)
-   */
-  getWebSocket(): WebSocket | null {
-    return this.ws
-  }
-
-  /**
-   * Ping the gateway
-   */
-  ping(): void {
-    this.ws?.ping()
-  }
-}

package/src/gateway/security.ts

@@ -1,95 +0,0 @@
-// Security utilities for the tunnel plugin
-import crypto from 'crypto'
-
-// ED25519 SubjectPublicKeyInfo prefix (must match openclaw gateway `ED25519_SPKI_PREFIX`)
-const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex')
-
-/**
- * Raw 32-byte Ed25519 public key bytes from PEM (same rules as openclaw `derivePublicKeyRaw`).
- */
-export function derivePublicKeyRawFromPem(publicKeyPem: string): Buffer {
-  const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' }) as Buffer
-  if (spki.length === ED25519_SPKI_PREFIX.length + 32 && spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
-    return spki.subarray(ED25519_SPKI_PREFIX.length)
-  }
-  return spki
-}
-
-/**
- * Base64url encode (no padding)
- */
-export function base64UrlEncode(buffer: Buffer): string {
-  return buffer.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
-}
-
-/** Wire-format device public key (base64url of raw 32 bytes), matches gateway expectations. */
-export function publicKeyRawBase64UrlFromPem(publicKeyPem: string): string {
-  return base64UrlEncode(derivePublicKeyRawFromPem(publicKeyPem))
-}
-
-/**
- * Derive device ID from ED25519 public key
- * Device ID = sha256(rawPublicKey)
- */
-export function deriveDeviceIdFromPublicKey(publicKeyPem: string): string {
-  const rawPublicKey = derivePublicKeyRawFromPem(publicKeyPem)
-  return crypto.createHash('sha256').update(rawPublicKey).digest('hex')
-}
-
-/**
- * Sign device payload
- */
-export function signDevicePayload(privateKeyPem: string, payload: string, encoding: 'base64' | 'base64url' = 'base64url'): string {
-  const key = crypto.createPrivateKey(privateKeyPem)
-  const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), key)
-  return encoding === 'base64url' ? base64UrlEncode(sig) : sig.toString('base64')
-}
-function normalizeTrimmedMetadata(value: unknown): string {
-  if (typeof value !== 'string') return ''
-  const trimmed = value.trim()
-  return trimmed ? trimmed : ''
-}
-
-function toLowerAscii(input: string): string {
-  return input.replace(/[A-Z]/g, (char) => String.fromCharCode(char.charCodeAt(0) + 32))
-}
-
-function normalizeDeviceMetadataForAuth(value: unknown): string {
-  const trimmed = normalizeTrimmedMetadata(value)
-  if (!trimmed) return ''
-  return toLowerAscii(trimmed)
-}
-
-/**
- * Device authentication payload v3（与 openclaw `buildDeviceAuthPayloadV3` 一致）
- */
-export function buildDeviceAuthPayloadV3(params: {
-  deviceId: string
-  clientId: string
-  clientMode: string
-  role: string
-  scopes: string[]
-  signedAtMs: number
-  token: string
-  nonce: string
-  platform?: string
-  deviceFamily?: string
-}): string {
-  const scopes = params.scopes.join(',')
-  const token = params.token ?? ''
-  const platform = normalizeDeviceMetadataForAuth(params.platform ?? '')
-  const deviceFamily = normalizeDeviceMetadataForAuth(params.deviceFamily ?? '')
-  return [
-    'v3',
-    params.deviceId,
-    params.clientId,
-    params.clientMode,
-    params.role,
-    scopes,
-    String(params.signedAtMs),
-    token,
-    params.nonce,
-    platform,
-    deviceFamily
-  ].join('|')
-}