@elizaos/plugin-elizacloud 2.0.0-alpha.8 → 2.0.11-beta.7

package/dist/routes/travel-provider-relay-routes.js.map

@@ -0,0 +1,14 @@
+{
+  "version": 3,
+  "sources": ["../src/cloud/base-url.ts", "../src/cloud/validate-url.ts", "../src/cloud/auth-service-types.ts", "../src/cloud/cloud-api-key.ts", "../src/routes/travel-provider-relay-routes.ts"],
+  "sourcesContent": [
+    "/**\n * Cloud site/API URL normalizer. The implementation moved to\n * `@elizaos/shared/elizacloud/base-url` so host-layer packages can normalize\n * URLs without reverse-importing this plugin.\n */\nexport { normalizeCloudSiteUrl, resolveCloudApiBaseUrl } from \"@elizaos/shared\";\n",
+    "import dns from \"node:dns\";\nimport net from \"node:net\";\nimport { promisify } from \"node:util\";\n\nconst dnsLookupAll = promisify(dns.lookup);\n\nconst BLOCKED_IPV4_CIDRS: Array<{ base: number; mask: number }> = [\n  cidrV4(\"0.0.0.0\", 8),\n  cidrV4(\"10.0.0.0\", 8),\n  cidrV4(\"172.16.0.0\", 12),\n  cidrV4(\"192.168.0.0\", 16),\n  cidrV4(\"100.64.0.0\", 10),\n  cidrV4(\"127.0.0.0\", 8),\n  cidrV4(\"169.254.0.0\", 16),\n  cidrV4(\"192.0.0.0\", 24),\n  cidrV4(\"198.18.0.0\", 15),\n  cidrV4(\"192.0.2.0\", 24),\n  cidrV4(\"198.51.100.0\", 24),\n  cidrV4(\"203.0.113.0\", 24),\n  cidrV4(\"224.0.0.0\", 4),\n  cidrV4(\"240.0.0.0\", 4),\n];\n\nfunction normalizeHostLike(value: string): string {\n  return value\n    .trim()\n    .toLowerCase()\n    .replace(/^\\[|\\]$/g, \"\");\n}\n\nfunction decodeIpv6MappedHex(mapped: string): string | null {\n  const parts = mapped.split(\":\");\n  if (parts.length < 1 || parts.length > 2) return null;\n\n  const parsed = parts.map((part) => {\n    if (!/^[0-9a-f]{1,4}$/i.test(part)) return Number.NaN;\n    return Number.parseInt(part, 16);\n  });\n  if (parsed.some((value) => !Number.isFinite(value))) return null;\n\n  const [hi, lo] = parsed.length === 1 ? [0, parsed[0]] : parsed;\n  const octets = [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff];\n  return octets.join(\".\");\n}\n\nfunction canonicalizeIpv6(ip: string): string | null {\n  try {\n    return new URL(`http://[${ip}]/`).hostname.replace(/^\\[|\\]$/g, \"\");\n  } catch {\n    return null;\n  }\n}\n\nfunction normalizeIpForPolicy(ip: string): string {\n  const base = normalizeHostLike(ip).split(\"%\")[0];\n  if (!base) return base;\n\n  let normalized = base;\n  if (net.isIP(normalized) === 6) {\n    normalized = canonicalizeIpv6(normalized) ?? normalized;\n  }\n\n  let mapped: string | null = null;\n  if (normalized.startsWith(\"::ffff:\")) {\n    mapped = normalized.slice(\"::ffff:\".length);\n  } else if (normalized.startsWith(\"0:0:0:0:0:ffff:\")) {\n    mapped = normalized.slice(\"0:0:0:0:0:ffff:\".length);\n  }\n  if (!mapped) return normalized;\n\n  if (net.isIP(mapped) === 4) return mapped;\n  return decodeIpv6MappedHex(mapped) ?? normalized;\n}\n\nfunction cidrV4(base: string, prefix: number): { base: number; mask: number } {\n  const parsed = parseIpv4ToInt(base);\n  if (parsed === null) {\n    throw new Error(`Invalid CIDR base IPv4 address: ${base}`);\n  }\n  const shift = 32 - prefix;\n  const mask = shift === 32 ? 0 : (0xffffffff << shift) >>> 0;\n  return { base: parsed & mask, mask };\n}\n\nfunction parseIpv4ToInt(ip: string): number | null {\n  const parts = ip.split(\".\");\n  if (parts.length !== 4) return null;\n\n  let value = 0;\n  for (const part of parts) {\n    if (!/^\\d{1,3}$/.test(part)) return null;\n    const octet = Number.parseInt(part, 10);\n    if (!Number.isInteger(octet) || octet < 0 || octet > 255) return null;\n    value = (value << 8) | octet;\n  }\n\n  return value >>> 0;\n}\n\nfunction isBlockedIpv4(ip: string): boolean {\n  const asInt = parseIpv4ToInt(ip);\n  if (asInt === null) return true;\n  return BLOCKED_IPV4_CIDRS.some((cidr) => (asInt & cidr.mask) === cidr.base);\n}\n\nfunction isBlockedIpv6(ip: string): boolean {\n  const normalized = ip.toLowerCase();\n  return (\n    normalized === \"::\" ||\n    normalized === \"::1\" ||\n    /^fe[89ab][0-9a-f]:/.test(normalized) ||\n    /^f[cd][0-9a-f]{2}:/i.test(normalized) ||\n    normalized.startsWith(\"ff\")\n  );\n}\n\nfunction isBlockedIp(ip: string): boolean {\n  const normalized = normalizeIpForPolicy(ip);\n  const family = net.isIP(normalized);\n  if (family === 4) return isBlockedIpv4(normalized);\n  if (family === 6) return isBlockedIpv6(normalized);\n  return false;\n}\n\nexport async function validateCloudBaseUrl(\n  rawUrl: string,\n): Promise<string | null> {\n  let parsed: URL;\n  try {\n    parsed = new URL(rawUrl);\n  } catch {\n    return `Invalid cloud base URL: \"${rawUrl}\"`;\n  }\n\n  if (parsed.protocol !== \"https:\") {\n    return `Cloud base URL must use HTTPS, got \"${parsed.protocol}\" in \"${rawUrl}\"`;\n  }\n\n  const hostname = normalizeHostLike(parsed.hostname);\n  if (!hostname) {\n    return `Invalid cloud base URL: \"${rawUrl}\"`;\n  }\n\n  if (\n    hostname === \"localhost\" ||\n    hostname.endsWith(\".localhost\") ||\n    hostname.endsWith(\".local\")\n  ) {\n    return `Cloud base URL \"${rawUrl}\" points to a blocked local hostname.`;\n  }\n\n  // Dev-mode bypass: skip IP-range blocking but keep URL format checks above.\n  const elizaDev = process.env.ELIZA_DEV?.trim().toLowerCase();\n  if (\n    process.env.NODE_ENV === \"development\" ||\n    elizaDev === \"1\" ||\n    elizaDev === \"true\" ||\n    elizaDev === \"yes\"\n  ) {\n    return null;\n  }\n\n  if (isBlockedIp(hostname)) {\n    return `Cloud base URL \"${rawUrl}\" points to a blocked address.`;\n  }\n\n  try {\n    const results = await dnsLookupAll(hostname, { all: true });\n    const addresses = Array.isArray(results) ? results : [results];\n    for (const entry of addresses) {\n      const ip =\n        typeof entry === \"string\"\n          ? entry\n          : (entry as { address: string }).address;\n      if (isBlockedIp(ip)) {\n        return (\n          `Cloud base URL \"${rawUrl}\" resolves to ${ip}, ` +\n          \"which is a blocked internal/metadata address.\"\n        );\n      }\n    }\n  } catch {\n    return `Cloud base URL \"${rawUrl}\" could not be resolved via DNS.`;\n  }\n\n  return null;\n}\n",
+    "import type { Service } from \"@elizaos/core\";\n\nexport interface CloudAuthApiKeyService {\n  isAuthenticated: () => boolean;\n  getApiKey?: () => string | undefined;\n}\n\nexport function isCloudAuthApiKeyService(\n  value: Service | null | undefined,\n): value is Service & CloudAuthApiKeyService {\n  return (\n    value !== null &&\n    value !== undefined &&\n    typeof (value as Partial<CloudAuthApiKeyService>).isAuthenticated ===\n      \"function\"\n  );\n}\n\nexport function normalizeCloudApiKey(value: string | null | undefined): string | null {\n  if (typeof value !== \"string\") return null;\n  const trimmed = value.trim();\n  if (!trimmed || trimmed.toUpperCase() === \"[REDACTED]\") return null;\n  return trimmed;\n}\n",
+    "/**\n * Cloud API key + base URL resolution.\n *\n * Resolves the Eliza Cloud API key and base URL from (in priority order):\n *   1. Explicit `config.cloud.apiKey` / `config.cloud.baseUrl`\n *   2. Runtime settings + character secrets (`ELIZAOS_CLOUD_API_KEY`)\n *   3. Process env (`ELIZAOS_CLOUD_API_KEY`, `ELIZAOS_CLOUD_BASE_URL`)\n *\n * Previously these helpers lived in `packages/agent/src/api/wallet-rpc.ts`\n * because the wallet uses Cloud RPC proxies. They are NOT wallet-specific —\n * cloud auth is consumed by cloud-status, cloud-billing, cloud-compat,\n * health, x-relay, and travel-provider-relay routes. Hosting them under\n * `cloud/` matches their actual ownership.\n */\n\nimport type { ElizaConfig } from \"../lib/config-like\";\n\nexport const DEFAULT_CLOUD_API_BASE_URL = \"https://elizacloud.ai/api/v1\";\n\nexport type CloudApiKeyRuntimeLike = {\n  getSetting?: (key: string) => unknown;\n  character?: {\n    secrets?: Record<string, unknown>;\n  } | null;\n} | null;\n\nexport function normalizeCloudSecret(\n  value: string | null | undefined,\n): string | null {\n  if (typeof value !== \"string\") return null;\n  const trimmed = value.trim();\n  return trimmed.length > 0 ? trimmed : null;\n}\n\nfunction resolveRuntimeCloudApiKey(\n  runtime?: CloudApiKeyRuntimeLike,\n): string | null {\n  const fromSetting = runtime?.getSetting?.(\"ELIZAOS_CLOUD_API_KEY\");\n  if (typeof fromSetting === \"string\") {\n    return normalizeCloudSecret(fromSetting);\n  }\n\n  const fromSecrets = runtime?.character?.secrets?.ELIZAOS_CLOUD_API_KEY;\n  return typeof fromSecrets === \"string\"\n    ? normalizeCloudSecret(fromSecrets)\n    : null;\n}\n\nexport function resolveCloudApiBaseUrl(\n  rawBaseUrl?: string | null,\n): string | null {\n  const candidate =\n    normalizeCloudSecret(rawBaseUrl ?? process.env.ELIZAOS_CLOUD_BASE_URL) ??\n    DEFAULT_CLOUD_API_BASE_URL;\n  try {\n    const parsed = new URL(candidate);\n    if (parsed.protocol !== \"http:\" && parsed.protocol !== \"https:\") {\n      return null;\n    }\n    parsed.hash = \"\";\n    parsed.search = \"\";\n    const normalizedBase = parsed.toString().replace(/\\/+$/, \"\");\n    return normalizedBase.endsWith(\"/api/v1\")\n      ? normalizedBase\n      : `${normalizedBase}/api/v1`;\n  } catch {\n    return null;\n  }\n}\n\nexport function resolveCloudApiKey(\n  config?: Pick<ElizaConfig, \"cloud\"> | null,\n  runtime?: CloudApiKeyRuntimeLike,\n): string | null {\n  return normalizeCloudSecret(\n    config?.cloud?.apiKey ??\n      resolveRuntimeCloudApiKey(runtime) ??\n      process.env.ELIZAOS_CLOUD_API_KEY,\n  );\n}\n",
+    "import type http from \"node:http\";\nimport {\n  type IAgentRuntime,\n  type Service,\n  sendJson,\n  sendJsonError,\n} from \"@elizaos/core\";\nimport {\n  isCloudAuthApiKeyService,\n  normalizeCloudApiKey,\n} from \"../cloud/auth-service-types.js\";\nimport { normalizeCloudSiteUrl } from \"../cloud/base-url.js\";\nimport { resolveCloudApiKey } from \"../cloud/cloud-api-key.js\";\nimport { validateCloudBaseUrl } from \"../cloud/validate-url.js\";\nimport type { CloudProxyConfigLike } from \"../lib/config-like\";\n\nexport interface TravelProviderRelayRouteState {\n  config: CloudProxyConfigLike;\n  runtime?: IAgentRuntime | null;\n}\n\nconst PROXY_TIMEOUT_MS = 30_000;\nconst MAX_BODY_BYTES = 1_048_576;\nconst TRAVEL_PROVIDER_PATH_RE =\n  /^\\/api\\/cloud\\/travel-providers\\/([a-z0-9][a-z0-9-]*)(\\/.*)$/;\n\nfunction resolveProxyApiKey(\n  state: TravelProviderRelayRouteState,\n): string | null {\n  const cloudAuth = state.runtime?.getService<Service>(\"CLOUD_AUTH\");\n  const runtimeApiKey =\n    isCloudAuthApiKeyService(cloudAuth) && cloudAuth.isAuthenticated() === true\n      ? normalizeCloudApiKey(cloudAuth.getApiKey?.())\n      : null;\n  return runtimeApiKey ?? resolveCloudApiKey(state.config, state.runtime);\n}\n\nfunction buildAuthHeaders(\n  config: CloudProxyConfigLike,\n  apiKey: string,\n): Record<string, string> {\n  const serviceKey = config.cloud?.serviceKey?.trim();\n  const headers: Record<string, string> = {\n    Accept: \"application/json\",\n    \"Content-Type\": \"application/json\",\n    Authorization: `Bearer ${apiKey}`,\n  };\n  if (serviceKey) headers[\"X-Service-Key\"] = serviceKey;\n  return headers;\n}\n\nfunction readBody(req: http.IncomingMessage): Promise<string | undefined> {\n  return new Promise<string | undefined>((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let size = 0;\n    req.on(\"data\", (chunk: Buffer) => {\n      size += chunk.length;\n      if (size > MAX_BODY_BYTES) {\n        reject(new Error(\"Request body too large\"));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"end\", () =>\n      resolve(\n        chunks.length > 0 ? Buffer.concat(chunks).toString(\"utf-8\") : undefined,\n      ),\n    );\n    req.on(\"error\", reject);\n  });\n}\n\nasync function readJsonResponse(response: Response): Promise<unknown> {\n  return response.json().catch(async () => ({\n    success: response.ok,\n    error: await response\n      .text()\n      .catch(() => \"Travel-provider relay request failed\"),\n  }));\n}\n\nfunction buildUpstreamPath(localPath: string): string {\n  const parsed = parseTravelProviderPath(localPath);\n  if (!parsed) {\n    throw new Error(\"Invalid travel-provider relay path\");\n  }\n  return `/api/v1/${parsed.provider}${parsed.providerPath}`;\n}\n\nconst TRAVEL_PROVIDER_RELAY_ROUTES: ReadonlyArray<{\n  method: \"GET\" | \"POST\";\n  pattern: RegExp;\n}> = [\n  { method: \"POST\", pattern: /^\\/offer-requests$/ },\n  { method: \"GET\", pattern: /^\\/offers\\/[^/]+$/ },\n  { method: \"POST\", pattern: /^\\/orders$/ },\n  { method: \"GET\", pattern: /^\\/orders\\/[^/]+$/ },\n  { method: \"POST\", pattern: /^\\/payments$/ },\n];\n\nfunction parseTravelProviderPath(\n  pathname: string,\n): { provider: string; providerPath: string } | null {\n  const match = TRAVEL_PROVIDER_PATH_RE.exec(pathname);\n  if (!match) return null;\n  const [, provider, providerPath] = match;\n  return provider ? { provider, providerPath } : null;\n}\n\nfunction matchRoute(method: string, pathname: string): boolean {\n  const parsed = parseTravelProviderPath(pathname);\n  if (!parsed) return false;\n  return TRAVEL_PROVIDER_RELAY_ROUTES.some(\n    (route) => route.method === method && route.pattern.test(parsed.providerPath),\n  );\n}\n\nexport async function handleTravelProviderRelayRoute(\n  req: http.IncomingMessage,\n  res: http.ServerResponse,\n  pathname: string,\n  method: string,\n  state: TravelProviderRelayRouteState,\n): Promise<boolean> {\n  const parsed = parseTravelProviderPath(pathname);\n  if (!parsed) return false;\n\n  if (!matchRoute(method, pathname)) {\n    sendJsonError(res, \"Unknown travel-provider relay route\", 404);\n    return true;\n  }\n\n  const apiKey = resolveProxyApiKey(state);\n  if (!apiKey) {\n    sendJsonError(\n      res,\n      \"Not connected to Eliza Cloud. Sign in to use travel search.\",\n      401,\n    );\n    return true;\n  }\n\n  const baseUrl = normalizeCloudSiteUrl(state.config.cloud?.baseUrl);\n  const urlError = await validateCloudBaseUrl(baseUrl);\n  if (urlError) {\n    sendJsonError(res, urlError, 502);\n    return true;\n  }\n\n  const headers = buildAuthHeaders(state.config, apiKey);\n  let body: string | undefined;\n  if (method === \"POST\") {\n    try {\n      body = await readBody(req);\n    } catch (err) {\n      const msg = err instanceof Error ? err.message : \"Failed to read body\";\n      sendJsonError(res, msg, 413);\n      return true;\n    }\n  }\n\n  const fullUrl = new URL(req.url ?? pathname, \"http://localhost\");\n  const upstreamUrl = `${baseUrl}${buildUpstreamPath(pathname)}${fullUrl.search}`;\n  const upstreamResponse = await fetch(upstreamUrl, {\n    method,\n    headers,\n    body,\n    redirect: \"manual\",\n    signal: AbortSignal.timeout(PROXY_TIMEOUT_MS),\n  });\n\n  if (upstreamResponse.status === 402) {\n    await forward402(res, upstreamResponse);\n    return true;\n  }\n\n  const payload = await readJsonResponse(upstreamResponse);\n  sendJson(res, payload, upstreamResponse.status);\n  return true;\n}\n\nasync function forward402(\n  res: http.ServerResponse,\n  upstream: Response,\n): Promise<void> {\n  const wwwAuth = upstream.headers.get(\"www-authenticate\");\n  const contentType = upstream.headers.get(\"content-type\") ?? \"application/json\";\n  const bodyText = await upstream.text();\n  res.statusCode = 402;\n  res.setHeader(\"Content-Type\", contentType);\n  if (wwwAuth) res.setHeader(\"WWW-Authenticate\", wwwAuth);\n  res.end(bodyText);\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;AAKA;AAAA;;;ACLA;AACA;AACA;AAqBA,SAAS,iBAAiB,CAAC,OAAuB;AAAA,EAChD,OAAO,MACJ,KAAK,EACL,YAAY,EACZ,QAAQ,YAAY,EAAE;AAAA;AAG3B,SAAS,mBAAmB,CAAC,QAA+B;AAAA,EAC1D,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,IAAI,MAAM,SAAS,KAAK,MAAM,SAAS;AAAA,IAAG,OAAO;AAAA,EAEjD,MAAM,SAAS,MAAM,IAAI,CAAC,SAAS;AAAA,IACjC,IAAI,CAAC,mBAAmB,KAAK,IAAI;AAAA,MAAG,OAAO,OAAO;AAAA,IAClD,OAAO,OAAO,SAAS,MAAM,EAAE;AAAA,GAChC;AAAA,EACD,IAAI,OAAO,KAAK,CAAC,UAAU,CAAC,OAAO,SAAS,KAAK,CAAC;AAAA,IAAG,OAAO;AAAA,EAE5D,OAAO,IAAI,MAAM,OAAO,WAAW,IAAI,CAAC,GAAG,OAAO,EAAE,IAAI;AAAA,EACxD,MAAM,SAAS,CAAC,MAAM,GAAG,KAAK,KAAM,MAAM,GAAG,KAAK,GAAI;AAAA,EACtD,OAAO,OAAO,KAAK,GAAG;AAAA;AAGxB,SAAS,gBAAgB,CAAC,IAA2B;AAAA,EACnD,IAAI;AAAA,IACF,OAAO,IAAI,IAAI,WAAW,MAAM,EAAE,SAAS,QAAQ,YAAY,EAAE;AAAA,IACjE,MAAM;AAAA,IACN,OAAO;AAAA;AAAA;AAIX,SAAS,oBAAoB,CAAC,IAAoB;AAAA,EAChD,MAAM,OAAO,kBAAkB,EAAE,EAAE,MAAM,GAAG,EAAE;AAAA,EAC9C,IAAI,CAAC;AAAA,IAAM,OAAO;AAAA,EAElB,IAAI,aAAa;AAAA,EACjB,IAAI,IAAI,KAAK,UAAU,MAAM,GAAG;AAAA,IAC9B,aAAa,iBAAiB,UAAU,KAAK;AAAA,EAC/C;AAAA,EAEA,IAAI,SAAwB;AAAA,EAC5B,IAAI,WAAW,WAAW,SAAS,GAAG;AAAA,IACpC,SAAS,WAAW,MAAM,UAAU,MAAM;AAAA,EAC5C,EAAO,SAAI,WAAW,WAAW,iBAAiB,GAAG;AAAA,IACnD,SAAS,WAAW,MAAM,kBAAkB,MAAM;AAAA,EACpD;AAAA,EACA,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EAEpB,IAAI,IAAI,KAAK,MAAM,MAAM;AAAA,IAAG,OAAO;AAAA,EACnC,OAAO,oBAAoB,MAAM,KAAK;AAAA;AAGxC,SAAS,MAAM,CAAC,MAAc,QAAgD;AAAA,EAC5E,MAAM,SAAS,eAAe,IAAI;AAAA,EAClC,IAAI,WAAW,MAAM;AAAA,IACnB,MAAM,IAAI,MAAM,mCAAmC,MAAM;AAAA,EAC3D;AAAA,EACA,MAAM,QAAQ,KAAK;AAAA,EACnB,MAAM,OAAO,UAAU,KAAK,IAAK,cAAc,UAAW;AAAA,EAC1D,OAAO,EAAE,MAAM,SAAS,MAAM,KAAK;AAAA;AAGrC,SAAS,cAAc,CAAC,IAA2B;AAAA,EACjD,MAAM,QAAQ,GAAG,MAAM,GAAG;AAAA,EAC1B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAE/B,IAAI,QAAQ;AAAA,EACZ,WAAW,QAAQ,OAAO;AAAA,IACxB,IAAI,CAAC,YAAY,KAAK,IAAI;AAAA,MAAG,OAAO;AAAA,IACpC,MAAM,QAAQ,OAAO,SAAS,MAAM,EAAE;AAAA,IACtC,IAAI,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,KAAK,QAAQ;AAAA,MAAK,OAAO;AAAA,IACjE,QAAS,SAAS,IAAK;AAAA,EACzB;AAAA,EAEA,OAAO,UAAU;AAAA;AAGnB,SAAS,aAAa,CAAC,IAAqB;AAAA,EAC1C,MAAM,QAAQ,eAAe,EAAE;AAAA,EAC/B,IAAI,UAAU;AAAA,IAAM,OAAO;AAAA,EAC3B,OAAO,mBAAmB,KAAK,CAAC,UAAU,QAAQ,KAAK,UAAU,KAAK,IAAI;AAAA;AAG5E,SAAS,aAAa,CAAC,IAAqB;AAAA,EAC1C,MAAM,aAAa,GAAG,YAAY;AAAA,EAClC,OACE,eAAe,QACf,eAAe,SACf,qBAAqB,KAAK,UAAU,KACpC,sBAAsB,KAAK,UAAU,KACrC,WAAW,WAAW,IAAI;AAAA;AAI9B,SAAS,WAAW,CAAC,IAAqB;AAAA,EACxC,MAAM,aAAa,qBAAqB,EAAE;AAAA,EAC1C,MAAM,SAAS,IAAI,KAAK,UAAU;AAAA,EAClC,IAAI,WAAW;AAAA,IAAG,OAAO,cAAc,UAAU;AAAA,EACjD,IAAI,WAAW;AAAA,IAAG,OAAO,cAAc,UAAU;AAAA,EACjD,OAAO;AAAA;AAGT,eAAsB,oBAAoB,CACxC,QACwB;AAAA,EACxB,IAAI;AAAA,EACJ,IAAI;AAAA,IACF,SAAS,IAAI,IAAI,MAAM;AAAA,IACvB,MAAM;AAAA,IACN,OAAO,4BAA4B;AAAA;AAAA,EAGrC,IAAI,OAAO,aAAa,UAAU;AAAA,IAChC,OAAO,uCAAuC,OAAO,iBAAiB;AAAA,EACxE;AAAA,EAEA,MAAM,WAAW,kBAAkB,OAAO,QAAQ;AAAA,EAClD,IAAI,CAAC,UAAU;AAAA,IACb,OAAO,4BAA4B;AAAA,EACrC;AAAA,EAEA,IACE,aAAa,eACb,SAAS,SAAS,YAAY,KAC9B,SAAS,SAAS,QAAQ,GAC1B;AAAA,IACA,OAAO,mBAAmB;AAAA,EAC5B;AAAA,EAGA,MAAM,WAAW,QAAQ,IAAI,WAAW,KAAK,EAAE,YAAY;AAAA,EAC3D,IACE,MAIA;AAAA,IACA,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,YAAY,QAAQ,GAAG;AAAA,IACzB,OAAO,mBAAmB;AAAA,EAC5B;AAAA,EAEA,IAAI;AAAA,IACF,MAAM,UAAU,MAAM,aAAa,UAAU,EAAE,KAAK,KAAK,CAAC;AAAA,IAC1D,MAAM,YAAY,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC,OAAO;AAAA,IAC7D,WAAW,SAAS,WAAW;AAAA,MAC7B,MAAM,KACJ,OAAO,UAAU,WACb,QACC,MAA8B;AAAA,MACrC,IAAI,YAAY,EAAE,GAAG;AAAA,QACnB,OACE,mBAAmB,uBAAuB,SAC1C;AAAA,MAEJ;AAAA,IACF;AAAA,IACA,MAAM;AAAA,IACN,OAAO,mBAAmB;AAAA;AAAA,EAG5B,OAAO;AAAA;AAAA,IArLH,cAEA;AAAA;AAAA,EAFA,eAAe,UAAU,IAAI,MAAM;AAAA,EAEnC,qBAA4D;AAAA,IAChE,OAAO,WAAW,CAAC;AAAA,IACnB,OAAO,YAAY,CAAC;AAAA,IACpB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,aAAa,CAAC;AAAA,IACrB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,aAAa,EAAE;AAAA,IACtB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,aAAa,EAAE;AAAA,IACtB,OAAO,gBAAgB,EAAE;AAAA,IACzB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,aAAa,CAAC;AAAA,IACrB,OAAO,aAAa,CAAC;AAAA,EACvB;AAAA;;;ACdO,SAAS,wBAAwB,CACtC,OAC2C;AAAA,EAC3C,OACE,UAAU,QACV,UAAU,aACV,OAAQ,MAA0C,oBAChD;AAAA;AAIC,SAAS,oBAAoB,CAAC,OAAiD;AAAA,EACpF,IAAI,OAAO,UAAU;AAAA,IAAU,OAAO;AAAA,EACtC,MAAM,UAAU,MAAM,KAAK;AAAA,EAC3B,IAAI,CAAC,WAAW,QAAQ,YAAY,MAAM;AAAA,IAAc,OAAO;AAAA,EAC/D,OAAO;AAAA;;;ACIF,SAAS,oBAAoB,CAClC,OACe;AAAA,EACf,IAAI,OAAO,UAAU;AAAA,IAAU,OAAO;AAAA,EACtC,MAAM,UAAU,MAAM,KAAK;AAAA,EAC3B,OAAO,QAAQ,SAAS,IAAI,UAAU;AAAA;AAGxC,SAAS,yBAAyB,CAChC,SACe;AAAA,EACf,MAAM,cAAc,SAAS,aAAa,uBAAuB;AAAA,EACjE,IAAI,OAAO,gBAAgB,UAAU;AAAA,IACnC,OAAO,qBAAqB,WAAW;AAAA,EACzC;AAAA,EAEA,MAAM,cAAc,SAAS,WAAW,SAAS;AAAA,EACjD,OAAO,OAAO,gBAAgB,WAC1B,qBAAqB,WAAW,IAChC;AAAA;AAGC,SAAS,uBAAsB,CACpC,YACe;AAAA,EACf,MAAM,YACJ,qBAAqB,cAAc,QAAQ,IAAI,sBAAsB,KACrE;AAAA,EACF,IAAI;AAAA,IACF,MAAM,SAAS,IAAI,IAAI,SAAS;AAAA,IAChC,IAAI,OAAO,aAAa,WAAW,OAAO,aAAa,UAAU;AAAA,MAC/D,OAAO;AAAA,IACT;AAAA,IACA,OAAO,OAAO;AAAA,IACd,OAAO,SAAS;AAAA,IAChB,MAAM,iBAAiB,OAAO,SAAS,EAAE,QAAQ,QAAQ,EAAE;AAAA,IAC3D,OAAO,eAAe,SAAS,SAAS,IACpC,iBACA,GAAG;AAAA,IACP,MAAM;AAAA,IACN,OAAO;AAAA;AAAA;AAIJ,SAAS,kBAAkB,CAChC,QACA,SACe;AAAA,EACf,OAAO,qBACL,QAAQ,OAAO,UACb,0BAA0B,OAAO,KACjC,QAAQ,IAAI,qBAChB;AAAA;AAAA,IA7DW,6BAA6B;;;ACN1C;AAEA;AAZA;AAAA;AAAA;AAAA;AAoBA,IAAM,mBAAmB;AACzB,IAAM,iBAAiB;AACvB,IAAM,0BACJ;AAEF,SAAS,kBAAkB,CACzB,OACe;AAAA,EACf,MAAM,YAAY,MAAM,SAAS,WAAoB,YAAY;AAAA,EACjE,MAAM,gBACJ,yBAAyB,SAAS,KAAK,UAAU,gBAAgB,MAAM,OACnE,qBAAqB,UAAU,YAAY,CAAC,IAC5C;AAAA,EACN,OAAO,iBAAiB,mBAAmB,MAAM,QAAQ,MAAM,OAAO;AAAA;AAGxE,SAAS,gBAAgB,CACvB,QACA,QACwB;AAAA,EACxB,MAAM,aAAa,OAAO,OAAO,YAAY,KAAK;AAAA,EAClD,MAAM,UAAkC;AAAA,IACtC,QAAQ;AAAA,IACR,gBAAgB;AAAA,IAChB,eAAe,UAAU;AAAA,EAC3B;AAAA,EACA,IAAI;AAAA,IAAY,QAAQ,mBAAmB;AAAA,EAC3C,OAAO;AAAA;AAGT,SAAS,QAAQ,CAAC,KAAwD;AAAA,EACxE,OAAO,IAAI,QAA4B,CAAC,SAAS,WAAW;AAAA,IAC1D,MAAM,SAAmB,CAAC;AAAA,IAC1B,IAAI,OAAO;AAAA,IACX,IAAI,GAAG,QAAQ,CAAC,UAAkB;AAAA,MAChC,QAAQ,MAAM;AAAA,MACd,IAAI,OAAO,gBAAgB;AAAA,QACzB,OAAO,IAAI,MAAM,wBAAwB,CAAC;AAAA,QAC1C;AAAA,MACF;AAAA,MACA,OAAO,KAAK,KAAK;AAAA,KAClB;AAAA,IACD,IAAI,GAAG,OAAO,MACZ,QACE,OAAO,SAAS,IAAI,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO,IAAI,SAChE,CACF;AAAA,IACA,IAAI,GAAG,SAAS,MAAM;AAAA,GACvB;AAAA;AAGH,eAAe,gBAAgB,CAAC,UAAsC;AAAA,EACpE,OAAO,SAAS,KAAK,EAAE,MAAM,aAAa;AAAA,IACxC,SAAS,SAAS;AAAA,IAClB,OAAO,MAAM,SACV,KAAK,EACL,MAAM,MAAM,sCAAsC;AAAA,EACvD,EAAE;AAAA;AAGJ,SAAS,iBAAiB,CAAC,WAA2B;AAAA,EACpD,MAAM,SAAS,wBAAwB,SAAS;AAAA,EAChD,IAAI,CAAC,QAAQ;AAAA,IACX,MAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAAA,EACA,OAAO,WAAW,OAAO,WAAW,OAAO;AAAA;AAG7C,IAAM,+BAGD;AAAA,EACH,EAAE,QAAQ,QAAQ,SAAS,qBAAqB;AAAA,EAChD,EAAE,QAAQ,OAAO,SAAS,oBAAoB;AAAA,EAC9C,EAAE,QAAQ,QAAQ,SAAS,aAAa;AAAA,EACxC,EAAE,QAAQ,OAAO,SAAS,oBAAoB;AAAA,EAC9C,EAAE,QAAQ,QAAQ,SAAS,eAAe;AAC5C;AAEA,SAAS,uBAAuB,CAC9B,UACmD;AAAA,EACnD,MAAM,QAAQ,wBAAwB,KAAK,QAAQ;AAAA,EACnD,IAAI,CAAC;AAAA,IAAO,OAAO;AAAA,EACnB,SAAS,UAAU,gBAAgB;AAAA,EACnC,OAAO,WAAW,EAAE,UAAU,aAAa,IAAI;AAAA;AAGjD,SAAS,UAAU,CAAC,QAAgB,UAA2B;AAAA,EAC7D,MAAM,SAAS,wBAAwB,QAAQ;AAAA,EAC/C,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EACpB,OAAO,6BAA6B,KAClC,CAAC,UAAU,MAAM,WAAW,UAAU,MAAM,QAAQ,KAAK,OAAO,YAAY,CAC9E;AAAA;AAGF,eAAsB,8BAA8B,CAClD,KACA,KACA,UACA,QACA,OACkB;AAAA,EAClB,MAAM,SAAS,wBAAwB,QAAQ;AAAA,EAC/C,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EAEpB,IAAI,CAAC,WAAW,QAAQ,QAAQ,GAAG;AAAA,IACjC,cAAc,KAAK,uCAAuC,GAAG;AAAA,IAC7D,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,SAAS,mBAAmB,KAAK;AAAA,EACvC,IAAI,CAAC,QAAQ;AAAA,IACX,cACE,KACA,+DACA,GACF;AAAA,IACA,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,sBAAsB,MAAM,OAAO,OAAO,OAAO;AAAA,EACjE,MAAM,WAAW,MAAM,qBAAqB,OAAO;AAAA,EACnD,IAAI,UAAU;AAAA,IACZ,cAAc,KAAK,UAAU,GAAG;AAAA,IAChC,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,iBAAiB,MAAM,QAAQ,MAAM;AAAA,EACrD,IAAI;AAAA,EACJ,IAAI,WAAW,QAAQ;AAAA,IACrB,IAAI;AAAA,MACF,OAAO,MAAM,SAAS,GAAG;AAAA,MACzB,OAAO,KAAK;AAAA,MACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AAAA,MACjD,cAAc,KAAK,KAAK,GAAG;AAAA,MAC3B,OAAO;AAAA;AAAA,EAEX;AAAA,EAEA,MAAM,UAAU,IAAI,IAAI,IAAI,OAAO,UAAU,kBAAkB;AAAA,EAC/D,MAAM,cAAc,GAAG,UAAU,kBAAkB,QAAQ,IAAI,QAAQ;AAAA,EACvE,MAAM,mBAAmB,MAAM,MAAM,aAAa;AAAA,IAChD;AAAA,IACA;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV,QAAQ,YAAY,QAAQ,gBAAgB;AAAA,EAC9C,CAAC;AAAA,EAED,IAAI,iBAAiB,WAAW,KAAK;AAAA,IACnC,MAAM,WAAW,KAAK,gBAAgB;AAAA,IACtC,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,MAAM,iBAAiB,gBAAgB;AAAA,EACvD,SAAS,KAAK,SAAS,iBAAiB,MAAM;AAAA,EAC9C,OAAO;AAAA;AAGT,eAAe,UAAU,CACvB,KACA,UACe;AAAA,EACf,MAAM,UAAU,SAAS,QAAQ,IAAI,kBAAkB;AAAA,EACvD,MAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAAA,EAC5D,MAAM,WAAW,MAAM,SAAS,KAAK;AAAA,EACrC,IAAI,aAAa;AAAA,EACjB,IAAI,UAAU,gBAAgB,WAAW;AAAA,EACzC,IAAI;AAAA,IAAS,IAAI,UAAU,oBAAoB,OAAO;AAAA,EACtD,IAAI,IAAI,QAAQ;AAAA;",
+  "debugId": "868735A1EE187E7764756E2164756E21",
+  "names": []
+}

package/dist/services/cloud-auth.d.ts

@@ -1,13 +1,136 @@
 /**
- * CloudAuthService — Device-based auto-signup and session management.
+ * CloudAuthService — Eliza Cloud authentication entry points.
  *
- * On first launch, derives a hardware fingerprint and calls
- * POST /api/v1/device-auth. The cloud backend creates a user + org +
- * $5 credit + API key if new, or returns the existing session.
+ * Two distinct auth flows live here:
+ *
+ * 1. **Device auto-signup** (`authenticateWithDevice`) — convenience-only.
+ *    Derives a hardware fingerprint and exchanges it for a free-tier API key
+ *    against the cloud signup endpoint. The result is treated as opaque and
+ *    is **never** trusted as inbound auth for the local Eliza dashboard.
+ *    See `docs/security/remote-auth-hardening-plan.md` §7 for the explicit
+ *    demotion rationale.
+ *
+ * 2. **Eliza Cloud SSO** (`getSsoRedirectUrl` / `exchangeCodeForSession`) —
+ *    OAuth-style authorization-code flow against the cloud issuer. The
+ *    callback handler in `app-core` (`api/auth/cloud-sso.ts`) consumes these
+ *    methods to bind a verified cloud user to a local Identity. All error
+ *    paths fail closed: the methods throw and the caller MUST refuse the
+ *    request. There is no partial-claims fallback.
  */
-import { type IAgentRuntime, Service } from "@elizaos/core";
+import { type RuntimeEnvRecord, type IAgentRuntime, Service } from "@elizaos/core";
 import type { CloudCredentials } from "../types/cloud";
 import { CloudApiClient } from "../utils/cloud-api";
+import type { CloudBootstrapService } from "./cloud-bootstrap";
+/**
+ * Required ID-token claims for an Eliza Cloud SSO exchange.
+ *
+ * `sub` is the cloud user id (canonical identity key). `email` and `name`
+ * are surfaced for UI display and identity provisioning. Anything else the
+ * cloud issuer adds is preserved on `extra` for callers that need it but
+ * is never required for auth decisions.
+ */
+export interface CloudSsoIdTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    email: string;
+    email_verified?: boolean;
+    name: string;
+    picture?: string;
+    extra: Record<string, unknown>;
+}
+export interface CloudSsoSession {
+    cloudUserId: string;
+    email: string;
+    displayName: string;
+    claims: CloudSsoIdTokenClaims;
+}
+export interface SsoRedirectArgs {
+    /**
+     * Local URL the user should land on after the SSO round-trip
+     * (e.g. `/first-run/setup`). The dashboard's callback route forwards
+     * to this once the session cookie is set; it is NOT sent to the cloud
+     * issuer.
+     */
+    returnTo?: string;
+    /**
+     * State nonce. The caller is responsible for generating this with
+     * `crypto.randomBytes(32)` and storing it server-side keyed by the
+     * issued cookie / pending exchange.
+     */
+    state: string;
+    /**
+     * Override for `ELIZA_CLOUD_CLIENT_ID`. Falls through to the env when
+     * unset; explicitly throws when neither is provided.
+     */
+    clientId?: string;
+    /** Allows tests to inject a synthetic env record. */
+    env?: RuntimeEnvRecord;
+}
+export interface ExchangeCodeArgs {
+    /** Authorization code returned on the SSO callback. */
+    code: string;
+    /** State value the cloud issuer echoed back on the callback. */
+    state: string;
+    /**
+     * State value the caller originally issued. Compared with `state` and
+     * mismatch causes a fail-closed throw before any network call is made.
+     */
+    expectedState: string;
+    /**
+     * Source for `getJwksUrl()`. The caller resolves this from the runtime
+     * service registry (`runtime.getService("CLOUD_BOOTSTRAP")`) so this
+     * file does not import from `app-core` directly.
+     */
+    bootstrap: CloudBootstrapService;
+    /** Allows tests to inject a fake fetch for the token endpoint. */
+    fetchImpl?: typeof fetch;
+    /** Allows tests to inject a synthetic env record. */
+    env?: RuntimeEnvRecord;
+    /** Optional override for the redirect URI; defaults to the local callback. */
+    redirectUri?: string;
+}
+interface ApiKeyAuthInput {
+    apiKey: string;
+    organizationId?: string;
+    userId?: string;
+}
+/**
+ * Returns the absolute URL the dashboard should redirect the user to in
+ * order to start an Eliza Cloud SSO authorization-code flow.
+ *
+ * Throws when `ELIZA_CLOUD_CLIENT_ID` is unset and no `clientId` override
+ * is provided — there is no built-in default. `ELIZA_CLOUD_ISSUER` is read
+ * via the `CloudBootstrapService`'s service-port and must already be set;
+ * if not, this method throws via the bootstrap's existing fail-closed
+ * behaviour.
+ *
+ * The `state` argument MUST be generated by the caller with a cryptographic
+ * RNG and stored server-side bound to the issued cookie. This method does
+ * NOT generate or persist state.
+ *
+ * @param bootstrap - Service-port that exposes `getExpectedIssuer()`.
+ * @param args - Required `state`, optional `clientId` / `returnTo` / `env`.
+ */
+export declare function getSsoRedirectUrl(bootstrap: CloudBootstrapService, args: SsoRedirectArgs): string;
+/**
+ * Exchange an authorization code for a verified Eliza Cloud session.
+ *
+ * Steps:
+ *   1. Compare `state === expectedState`. Mismatch throws.
+ *   2. POST to `${ELIZA_CLOUD_ISSUER}/oauth/token` with the code,
+ *      `client_id`, and `client_secret` (the latter from
+ *      `ELIZA_CLOUD_CLIENT_SECRET`).
+ *   3. Verify the returned `id_token` against the JWKS exposed by
+ *      `CloudBootstrapService.getJwksUrl()`. RS256 only.
+ *   4. Project the claims onto a `CloudSsoSession`.
+ *
+ * Any error in fetch / signature verify / claim shape throws — this method
+ * NEVER returns a partial or fallback session.
+ */
+export declare function exchangeCodeForSession(args: ExchangeCodeArgs): Promise<CloudSsoSession>;
 export declare class CloudAuthService extends Service {
     static serviceType: string;
     capabilityDescription: string;
@@ -18,7 +141,18 @@ export declare class CloudAuthService extends Service {
     stop(): Promise<void>;
     private initialize;
     private validateApiKey;
+    /**
+     * Free-tier device auto-signup. **Convenience only — not a security
+     * primitive.** The hardware fingerprint is treated as opaque material the
+     * cloud signup endpoint can use to mint a fresh API key + $5 free credit
+     * for new installs. The result is usable for outbound LLM calls; it never
+     * authorizes inbound dashboard access.
+     *
+     * See `docs/security/remote-auth-hardening-plan.md` §7.
+     */
     authenticateWithDevice(): Promise<CloudCredentials>;
+    authenticateWithApiKey(input: ApiKeyAuthInput): CloudCredentials;
+    clearAuth(): void;
     isAuthenticated(): boolean;
     getCredentials(): CloudCredentials | null;
     getApiKey(): string | undefined;
@@ -26,4 +160,5 @@ export declare class CloudAuthService extends Service {
     getUserId(): string | undefined;
     getOrganizationId(): string | undefined;
 }
+export {};
 //# sourceMappingURL=cloud-auth.d.ts.map

package/dist/services/cloud-auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-auth.d.ts","sourceRoot":"","sources":["../../services/cloud-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,aAAa,EAAU,OAAO,EAAE,MAAM,eAAe,CAAC;AACpE,OAAO,KAAK,EAAE,gBAAgB,EAAsC,MAAM,gBAAgB,CAAC;AAE3F,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AA4BpD,qBAAa,gBAAiB,SAAQ,OAAO;IAC3C,MAAM,CAAC,WAAW,SAAgB;IAClC,qBAAqB,SAA6D;IAElF,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,WAAW,CAAiC;gBAExC,OAAO,CAAC,EAAE,aAAa;WAKtB,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAIb,UAAU;YA2DV,cAAc;IActB,sBAAsB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6BzD,eAAe,IAAI,OAAO;IAG1B,cAAc,IAAI,gBAAgB,GAAG,IAAI;IAGzC,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,SAAS,IAAI,cAAc;IAG3B,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAGxC"}
+{"version":3,"file":"cloud-auth.d.ts","sourceRoot":"","sources":["../../src/services/cloud-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAElB,OAAO,EAGR,MAAM,eAAe,CAAC;AAGvB,OAAO,KAAK,EAAE,gBAAgB,EAAsC,MAAM,gBAAgB,CAAC;AAE3F,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AA8B/D;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,qBAAqB,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,GAAG,CAAC,EAAE,gBAAgB,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,SAAS,EAAE,qBAAqB,CAAC;IACjC,kEAAkE;IAClE,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,qDAAqD;IACrD,GAAG,CAAC,EAAE,gBAAgB,CAAC;IACvB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAUD,UAAU,eAAe;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAgDD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,qBAAqB,EAAE,IAAI,EAAE,eAAe,GAAG,MAAM,CAuBjG;AAqED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,sBAAsB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAiE7F;AAID,qBAAa,gBAAiB,SAAQ,OAAO;IAC3C,MAAM,CAAC,WAAW,SAAgB;IAClC,qBAAqB,SAA+D;IAEpF,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,WAAW,CAAiC;gBAExC,OAAO,CAAC,EAAE,aAAa;WAKtB,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAIb,UAAU;YA+DV,cAAc;IAkB5B;;;;;;;;OAQG;IACG,sBAAsB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6BzD,sBAAsB,CAAC,KAAK,EAAE,eAAe,GAAG,gBAAgB;IAkBhE,SAAS,IAAI,IAAI;IAKjB,eAAe,IAAI,OAAO;IAG1B,cAAc,IAAI,gBAAgB,GAAG,IAAI;IAGzC,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,SAAS,IAAI,cAAc;IAG3B,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAGxC"}

package/dist/services/cloud-auth.js

@@ -0,0 +1,368 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/types/cloud.ts
+import {
+  CloudApiError,
+  InsufficientCreditsError
+} from "@elizaos/cloud-sdk";
+var DEFAULT_CLOUD_CONFIG = {
+  enabled: false,
+  baseUrl: "https://www.elizacloud.ai/api/v1",
+  inferenceMode: "cloud",
+  autoProvision: false,
+  bridge: {
+    reconnectIntervalMs: 3000,
+    maxReconnectAttempts: 20,
+    heartbeatIntervalMs: 30000
+  },
+  backup: {
+    autoBackupIntervalMs: 3600000,
+    maxSnapshots: 10
+  },
+  container: {
+    defaultImage: "elizaos/agent:latest",
+    defaultArchitecture: "arm64",
+    defaultCpu: 1792,
+    defaultMemory: 1792,
+    defaultPort: 3000
+  }
+};
+
+// src/utils/cloud-api.ts
+import {
+  CloudApiClient,
+  CloudApiError as CloudApiError2,
+  ElizaCloudHttpClient,
+  InsufficientCreditsError as InsufficientCreditsError2
+} from "@elizaos/cloud-sdk";
+
+// src/services/cloud-auth.ts
+import {
+  logger,
+  Service,
+  resolveApiSecurityConfig,
+  resolveDesktopApiPort
+} from "@elizaos/core";
+import { isCloudReachable } from "@elizaos/shared";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+async function deriveDeviceId() {
+  const os = await import("node:os");
+  const crypto = await import("node:crypto");
+  const cpus = os.cpus();
+  const raw = [
+    os.hostname(),
+    os.platform(),
+    os.arch(),
+    cpus[0]?.model ?? "?",
+    cpus.length,
+    os.totalmem()
+  ].join(":");
+  return crypto.createHash("sha256").update(raw).digest("hex");
+}
+function detectPlatform() {
+  if (typeof process === "undefined")
+    return "web";
+  const map = {
+    darwin: "macos",
+    win32: "windows",
+    linux: "linux"
+  };
+  return map[process.platform] ?? "linux";
+}
+function readEnvKey(env, key) {
+  const value = env[key];
+  if (typeof value !== "string")
+    return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function processEnv() {
+  if (typeof process === "undefined")
+    return {};
+  return process.env;
+}
+function defaultRedirectUri(env) {
+  const security = resolveApiSecurityConfig(env);
+  const port = resolveDesktopApiPort(env);
+  const scheme = security.isLoopbackBind ? "http" : "https";
+  const host = security.bindHost.startsWith("[") ? security.bindHost : security.bindHost.includes(":") && !security.bindHost.startsWith("[") ? `[${security.bindHost}]` : security.bindHost;
+  return `${scheme}://${host}:${port}/api/auth/login/sso/callback`;
+}
+function getSsoRedirectUrl(bootstrap, args) {
+  const env = args.env ?? processEnv();
+  const clientId = args.clientId ?? readEnvKey(env, "ELIZA_CLOUD_CLIENT_ID");
+  if (!clientId) {
+    throw new Error("ELIZA_CLOUD_CLIENT_ID is not configured — cannot start Eliza Cloud SSO");
+  }
+  if (args.state.length === 0) {
+    throw new Error("getSsoRedirectUrl requires a non-empty state nonce");
+  }
+  const issuer = bootstrap.getExpectedIssuer();
+  const redirectUri = defaultRedirectUri(env);
+  const params = new URLSearchParams;
+  params.set("response_type", "code");
+  params.set("client_id", clientId);
+  params.set("redirect_uri", redirectUri);
+  params.set("scope", "openid profile");
+  params.set("state", args.state);
+  if (args.returnTo) {
+    params.set("eliza_return_to", args.returnTo);
+  }
+  return `${issuer}/oauth/authorize?${params.toString()}`;
+}
+function shapeIdTokenClaims(payload) {
+  if (typeof payload.iss !== "string" || payload.iss.length === 0) {
+    throw new Error("id_token missing issuer claim");
+  }
+  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
+    throw new Error("id_token missing sub claim");
+  }
+  if (typeof payload.aud !== "string" && !(Array.isArray(payload.aud) && payload.aud.every((value) => typeof value === "string"))) {
+    throw new Error("id_token missing or malformed aud claim");
+  }
+  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
+    throw new Error("id_token missing exp claim");
+  }
+  if (typeof payload.iat !== "number" || !Number.isFinite(payload.iat)) {
+    throw new Error("id_token missing iat claim");
+  }
+  if (typeof payload.email !== "string" || payload.email.length === 0) {
+    throw new Error("id_token missing email claim — Eliza Cloud SSO requires it");
+  }
+  if (typeof payload.name !== "string" || payload.name.length === 0) {
+    throw new Error("id_token missing name claim — Eliza Cloud SSO requires it");
+  }
+  const extra = {};
+  for (const [key, value] of Object.entries(payload)) {
+    if (key !== "iss" && key !== "sub" && key !== "aud" && key !== "exp" && key !== "iat" && key !== "email" && key !== "email_verified" && key !== "name" && key !== "picture") {
+      extra[key] = value;
+    }
+  }
+  return {
+    iss: payload.iss,
+    sub: payload.sub,
+    aud: payload.aud,
+    exp: payload.exp,
+    iat: payload.iat,
+    email: payload.email,
+    email_verified: typeof payload.email_verified === "boolean" ? payload.email_verified : undefined,
+    name: payload.name,
+    picture: typeof payload.picture === "string" ? payload.picture : undefined,
+    extra
+  };
+}
+function shapeTokenResponse(payload) {
+  if (!payload || typeof payload !== "object") {
+    throw new Error("Eliza Cloud token endpoint returned a non-object body");
+  }
+  const raw = payload;
+  if (typeof raw.id_token !== "string" || raw.id_token.length === 0) {
+    throw new Error("Eliza Cloud token endpoint did not return an id_token");
+  }
+  return { idToken: raw.id_token };
+}
+async function exchangeCodeForSession(args) {
+  if (args.code.length === 0) {
+    throw new Error("exchangeCodeForSession requires a non-empty code");
+  }
+  if (!args.state || !args.expectedState || args.state !== args.expectedState) {
+    throw new Error("Eliza Cloud SSO state mismatch — refusing to exchange code (possible CSRF)");
+  }
+  const env = args.env ?? processEnv();
+  const clientId = readEnvKey(env, "ELIZA_CLOUD_CLIENT_ID");
+  if (!clientId) {
+    throw new Error("ELIZA_CLOUD_CLIENT_ID is not configured — cannot complete Eliza Cloud SSO");
+  }
+  const clientSecret = readEnvKey(env, "ELIZA_CLOUD_CLIENT_SECRET");
+  if (!clientSecret) {
+    throw new Error("ELIZA_CLOUD_CLIENT_SECRET is not configured — cannot complete Eliza Cloud SSO");
+  }
+  const issuer = args.bootstrap.getExpectedIssuer();
+  const redirectUri = args.redirectUri ?? defaultRedirectUri(env);
+  const tokenUrl = `${issuer}/oauth/token`;
+  const fetchImpl = args.fetchImpl ?? fetch;
+  const body = new URLSearchParams;
+  body.set("grant_type", "authorization_code");
+  body.set("code", args.code);
+  body.set("redirect_uri", redirectUri);
+  body.set("client_id", clientId);
+  body.set("client_secret", clientSecret);
+  const response = await fetchImpl(tokenUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/x-www-form-urlencoded",
+      accept: "application/json"
+    },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    throw new Error(`Eliza Cloud token endpoint returned HTTP ${response.status} for code exchange`);
+  }
+  const payload = await response.json();
+  const { idToken } = shapeTokenResponse(payload);
+  const jwksUrl = args.bootstrap.getJwksUrl();
+  const remoteJwks = createRemoteJWKSet(new URL(jwksUrl));
+  const verified = await jwtVerify(idToken, remoteJwks, {
+    algorithms: ["RS256"],
+    issuer,
+    audience: clientId
+  });
+  const claims = shapeIdTokenClaims(verified.payload);
+  return {
+    cloudUserId: claims.sub,
+    email: claims.email,
+    displayName: claims.name,
+    claims
+  };
+}
+
+class CloudAuthService extends Service {
+  static serviceType = "CLOUD_AUTH";
+  capabilityDescription = "Eliza Cloud device authentication and SSO session helpers";
+  client;
+  credentials = null;
+  constructor(runtime) {
+    super(runtime);
+    this.client = new CloudApiClient(DEFAULT_CLOUD_CONFIG.baseUrl);
+  }
+  static async start(runtime) {
+    const service = new CloudAuthService(runtime);
+    await service.initialize();
+    return service;
+  }
+  async stop() {
+    this.credentials = null;
+  }
+  async initialize() {
+    const baseUrl = String(this.runtime.getSetting("ELIZAOS_CLOUD_BASE_URL") ?? DEFAULT_CLOUD_CONFIG.baseUrl);
+    this.client.setBaseUrl(baseUrl);
+    const existingKey = this.runtime.getSetting("ELIZAOS_CLOUD_API_KEY");
+    if (existingKey) {
+      const key = String(existingKey);
+      this.client.setApiKey(key);
+      this.credentials = {
+        apiKey: key,
+        userId: String(this.runtime.getSetting("ELIZAOS_CLOUD_USER_ID") ?? ""),
+        organizationId: String(this.runtime.getSetting("ELIZAOS_CLOUD_ORG_ID") ?? this.runtime.getSetting("ELIZA_CLOUD_ORGANIZATION_ID") ?? ""),
+        authenticatedAt: Date.now()
+      };
+      logger.info("[CloudAuth] Authenticated with saved API key");
+      this.validateApiKey(key).then((valid) => {
+        if (!valid) {
+          logger.warn("[CloudAuth] Saved API key could not be validated (cloud may be unreachable or key revoked) — model calls will use the key anyway");
+        }
+      }).catch(() => {});
+      return;
+    }
+    const enabled = this.runtime.getSetting("ELIZAOS_CLOUD_ENABLED");
+    if (enabled === "true" || enabled === "1") {
+      try {
+        await this.authenticateWithDevice();
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.warn(`[CloudAuth] Device auth failed (cloud may be unreachable): ${msg}`);
+        logger.info("[CloudAuth] Service will start unauthenticated — cloud features disabled until connectivity is restored");
+      }
+    } else {
+      logger.info("[CloudAuth] Cloud not enabled (set ELIZAOS_CLOUD_ENABLED=true)");
+    }
+  }
+  async validateApiKey(key) {
+    if (!await isCloudReachable()) {
+      logger.warn("[CloudAuth] Cloud unreachable at boot — skipping API key validation; key will be used as-is");
+      return false;
+    }
+    try {
+      const validationClient = new CloudApiClient(this.client.getBaseUrl(), key);
+      await validationClient.get("/models", { timeoutMs: 2500 });
+      return true;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      logger.warn(`[CloudAuth] Could not reach cloud API to validate key: ${msg}`);
+      return false;
+    }
+  }
+  async authenticateWithDevice() {
+    const deviceId = await deriveDeviceId();
+    const platform = detectPlatform();
+    const appVersion = process.env.ELIZAOS_CLOUD_APP_VERSION ?? "2.0.0-beta.0";
+    const os = await import("node:os");
+    logger.info(`[CloudAuth] Authenticating device (platform=${platform})`);
+    const response = await this.client.postUnauthenticated("/device-auth", {
+      deviceId,
+      platform,
+      appVersion,
+      deviceName: os.hostname()
+    });
+    this.credentials = {
+      apiKey: response.data.apiKey,
+      userId: response.data.userId,
+      organizationId: response.data.organizationId,
+      authenticatedAt: Date.now()
+    };
+    this.client.setApiKey(response.data.apiKey);
+    const action = response.data.isNew ? "New account created" : "Authenticated";
+    logger.info(`[CloudAuth] ${action} (credits: $${response.data.credits.toFixed(2)})`);
+    return this.credentials;
+  }
+  authenticateWithApiKey(input) {
+    const apiKey = input.apiKey.trim();
+    if (!apiKey) {
+      throw new Error("Eliza Cloud API key is required");
+    }
+    this.client.setApiKey(apiKey);
+    this.credentials = {
+      apiKey,
+      userId: input.userId ?? "",
+      organizationId: input.organizationId ?? "",
+      authenticatedAt: Date.now()
+    };
+    logger.info("[CloudAuth] Authenticated with API key");
+    return this.credentials;
+  }
+  clearAuth() {
+    this.credentials = null;
+    this.client.setApiKey(undefined);
+  }
+  isAuthenticated() {
+    return this.credentials !== null;
+  }
+  getCredentials() {
+    return this.credentials;
+  }
+  getApiKey() {
+    return this.credentials?.apiKey ?? this.client.getApiKey();
+  }
+  getClient() {
+    return this.client;
+  }
+  getUserId() {
+    return this.credentials?.userId;
+  }
+  getOrganizationId() {
+    return this.credentials?.organizationId;
+  }
+}
+export {
+  getSsoRedirectUrl,
+  exchangeCodeForSession,
+  CloudAuthService
+};
+
+//# debugId=C706585F0178D71764756E2164756E21