@goplus/agentguard 1.1.14 → 1.1.20

package/dist/feed/cron.js

@@ -6,11 +6,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateCronExpression = validateCronExpression;
 exports.localTimeZone = localTimeZone;
 exports.installThreatFeedCron = installThreatFeedCron;
+exports.removeThreatFeedCron = removeThreatFeedCron;
 exports.installOpenClawThreatFeedCron = installOpenClawThreatFeedCron;
 exports.extractOpenClawCronJobs = extractOpenClawCronJobs;
 exports.openClawGatewayRequest = openClawGatewayRequest;
 const node_child_process_1 = require("node:child_process");
 const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
 const promises_1 = require("node:fs/promises");
 const node_http_1 = __importDefault(require("node:http"));
 const node_net_1 = __importDefault(require("node:net"));
@@ -18,6 +20,13 @@ const node_os_1 = require("node:os");
 const node_path_1 = require("node:path");
 class GatewayHttpFallbackError extends Error {
 }
+const OPENCLAW_STATE_DIRNAME = '.openclaw';
+const OPENCLAW_LEGACY_STATE_DIRNAME = '.clawdbot';
+const OPENCLAW_IDENTITY_PATH = ['identity', 'device.json'];
+const OPENCLAW_GATEWAY_MIN_PROTOCOL = 3;
+const OPENCLAW_GATEWAY_MAX_PROTOCOL = 4;
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+const ED25519_PKCS8_PRIVATE_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');
 function validateCronExpression(value) {
     const expr = value.trim();
     const fields = expr.split(/\s+/);
@@ -37,6 +46,10 @@ async function installThreatFeedCron(options, adapters = {}) {
     if (backend === 'auto' && !options.agentHost) {
         throw new Error('Cron target auto requires a saved agent host. Run `agentguard init --agent <claude-code|codex|openclaw|hermes|qclaw>` first, or pass `--cron-target openclaw`, `--cron-target qclaw`, `--cron-target hermes`, or `--cron-target system`.');
     }
+    if (backend === 'openclaw' && options.agentHost && options.agentHost !== 'openclaw') {
+        throw new Error(`Cron target openclaw conflicts with saved agent host "${options.agentHost}". ` +
+            'Run `agentguard init --agent openclaw` first, omit `--cron-target` to use auto, or choose a different cron target.');
+    }
     if (backend === 'system' || (backend === 'auto' && options.agentHost !== 'openclaw' && options.agentHost !== 'qclaw' && options.agentHost !== 'hermes')) {
         return installSystemThreatFeedCron(options, adapters.runCommand);
     }
@@ -67,16 +80,63 @@ async function installThreatFeedCron(options, adapters = {}) {
         }
     }
     if (backend === 'qclaw' || (backend === 'auto' && options.agentHost === 'qclaw')) {
-        const result = await installOpenClawThreatFeedCron(options, qclawGatewayOptions(adapters.gateway));
+        const result = await installQClawThreatFeedCron(options, qclawGatewayOptions(adapters.gateway));
         result.backend = 'qclaw-gateway';
         return result;
     }
     throw new Error('Invalid cron target. Use auto, openclaw, qclaw, hermes, or system.');
 }
+async function removeThreatFeedCron(options, adapters = {}) {
+    const backend = options.backend ?? 'auto';
+    if (backend === 'all') {
+        return removeThreatFeedCronFromBackends(options, ['system', 'hermes', 'openclaw', 'openclaw-gateway', 'qclaw-gateway'], adapters);
+    }
+    if (backend === 'system') {
+        return [await removeSystemThreatFeedCron(options, adapters.runCommand)];
+    }
+    if (backend === 'hermes') {
+        return [await removeHermesThreatFeedCron(options, adapters.runCommand)];
+    }
+    if (backend === 'openclaw') {
+        return removeThreatFeedCronFromBackends(options, ['openclaw', 'openclaw-gateway'], adapters);
+    }
+    if (backend === 'qclaw') {
+        return [await removeGatewayThreatFeedCron(options, qclawGatewayOptions(adapters.gateway), 'qclaw-gateway')];
+    }
+    const targets = ['system'];
+    if (options.agentHost === 'hermes')
+        targets.push('hermes');
+    if (options.agentHost === 'openclaw')
+        targets.push('openclaw', 'openclaw-gateway');
+    if (options.agentHost === 'qclaw')
+        targets.push('qclaw-gateway');
+    return removeThreatFeedCronFromBackends(options, targets, adapters);
+}
+async function removeThreatFeedCronFromBackends(options, backends, adapters) {
+    const results = [];
+    for (const backend of backends) {
+        if (backend === 'system') {
+            results.push(await removeSystemThreatFeedCron(options, adapters.runCommand));
+        }
+        else if (backend === 'hermes') {
+            results.push(await removeHermesThreatFeedCron(options, adapters.runCommand));
+        }
+        else if (backend === 'openclaw') {
+            results.push(await removeOpenClawNativeThreatFeedCron(options, adapters.runCommand));
+        }
+        else if (backend === 'openclaw-gateway') {
+            results.push(await removeGatewayThreatFeedCron(options, adapters.gateway, 'openclaw-gateway'));
+        }
+        else if (backend === 'qclaw-gateway') {
+            results.push(await removeGatewayThreatFeedCron(options, qclawGatewayOptions(adapters.gateway), 'qclaw-gateway'));
+        }
+    }
+    return results;
+}
 async function installOpenClawThreatFeedCron(options, gateway = {}) {
     const schedule = validateCronExpression(options.cronExpression);
     const timezone = options.timezone ?? localTimeZone();
-    const command = threatFeedCommand(options.quiet, { notifyRun: true });
+    const command = threatFeedCommand(options.quiet);
     const existing = await findOpenClawCronJobsByName(options.name, gateway);
     if (existing.length > 0 && !options.force) {
         return {
@@ -93,6 +153,54 @@ async function installOpenClawThreatFeedCron(options, gateway = {}) {
     if (existing.length > 0) {
         await removeOpenClawCronJobs(existing, gateway);
     }
+    await openClawGatewayRequest('cron.add', {
+        name: options.name,
+        description,
+        enabled: true,
+        schedule: {
+            kind: 'cron',
+            expr: schedule,
+            tz: timezone,
+        },
+        sessionTarget: 'isolated',
+        payload: {
+            kind: 'agentTurn',
+            message,
+            timeoutSeconds: 300,
+        },
+        delivery: {
+            mode: 'none',
+        },
+    }, gateway);
+    return {
+        name: options.name,
+        schedule,
+        timezone,
+        created: true,
+        backend: 'openclaw-gateway',
+        command,
+    };
+}
+async function installQClawThreatFeedCron(options, gateway = {}) {
+    const schedule = validateCronExpression(options.cronExpression);
+    const timezone = options.timezone ?? localTimeZone();
+    const command = threatFeedCommand(options.quiet, { notifyRun: true });
+    const existing = await findOpenClawCronJobsByName(options.name, gateway);
+    if (existing.length > 0 && !options.force) {
+        return {
+            name: options.name,
+            schedule,
+            timezone,
+            created: false,
+            backend: 'qclaw-gateway',
+            command,
+        };
+    }
+    const description = `AgentGuard Cloud threat feed subscription (${schedule})`;
+    const message = qclawCronMessage(options.quiet);
+    if (existing.length > 0) {
+        await removeOpenClawCronJobs(existing, gateway);
+    }
     await openClawGatewayRequest('cron.add', {
         name: options.name,
         description,
@@ -118,7 +226,7 @@ async function installOpenClawThreatFeedCron(options, gateway = {}) {
         schedule,
         timezone,
         created: true,
-        backend: 'openclaw-gateway',
+        backend: 'qclaw-gateway',
         command,
     };
 }
@@ -129,7 +237,7 @@ async function findOpenClawCronJobsByName(name, gateway) {
 async function installOpenClawNativeThreatFeedCron(options, runCommand = execCommand) {
     const schedule = validateCronExpression(options.cronExpression);
     const timezone = options.timezone ?? localTimeZone();
-    const command = threatFeedCommand(options.quiet, { notifyRun: true });
+    const command = threatFeedCommand(options.quiet);
     const message = openClawCronMessage(options.quiet);
     let existing;
     try {
@@ -138,7 +246,8 @@ async function installOpenClawNativeThreatFeedCron(options, runCommand = execCom
     catch (err) {
         throw new CronBackendUnavailableError(`Could not list native OpenClaw cron jobs. Is OpenClaw installed and available on PATH? ${err.message}`);
     }
-    if (nativeCronListHasExactName(existing.stdout, options.name) && !options.force) {
+    const existingJobs = nativeCronListJobsByName(existing.stdout, options.name);
+    if (existingJobs.length > 0 && !options.force) {
         return {
             name: options.name,
             schedule,
@@ -148,6 +257,11 @@ async function installOpenClawNativeThreatFeedCron(options, runCommand = execCom
             command,
         };
     }
+    if (existingJobs.length > 0) {
+        for (const job of existingJobs) {
+            await runCommand('openclaw', ['cron', 'remove', job.id ?? job.name ?? options.name]);
+        }
+    }
     const args = [
         'cron',
         'add',
@@ -165,14 +279,10 @@ async function installOpenClawNativeThreatFeedCron(options, runCommand = execCom
         message,
         '--timeout-seconds',
         '300',
-        '--announce',
-        '--channel',
-        'last',
+        '--no-deliver',
         '--thinking',
         'off',
     ];
-    if (options.force)
-        args.push('--force');
     await runCommand('openclaw', args);
     return {
         name: options.name,
@@ -190,21 +300,34 @@ class CronBackendUnavailableError extends Error {
     }
 }
 function nativeCronListHasExactName(stdout, name) {
+    return nativeCronListJobsByName(stdout, name).length > 0;
+}
+function nativeCronListJobsByName(stdout, name) {
     const jsonJobs = extractOpenClawCronJobs(parseJsonOrNull(stdout));
-    if (jsonJobs.some((job) => job.name === name))
-        return true;
+    const exactJsonJobs = jsonJobs.filter((job) => job.name === name);
+    if (exactJsonJobs.length > 0)
+        return exactJsonJobs;
     return stdout
         .split(/\r?\n/)
         .map((line) => line.trim())
         .filter(Boolean)
-        .some((line) => nativeCronListLineHasExactName(line, name));
+        .filter((line) => nativeCronListLineHasExactName(line, name))
+        .map((line) => ({ id: nativeCronListLineId(line), name }));
 }
 function nativeCronListLineHasExactName(line, name) {
     const quoted = line.match(/(["'])(.*?)\1/);
     if (quoted?.[2] === name)
         return true;
     const cells = line.split(/\s{2,}|\t+/).map((cell) => cell.trim()).filter(Boolean);
-    return cells.includes(name);
+    if (cells.includes(name))
+        return true;
+    return new RegExp(`(^|\\s)${escapeRegExp(name)}(\\s|$)`).test(line);
+}
+function nativeCronListLineId(line) {
+    return line.match(/\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i)?.[0];
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
 function parseJsonOrNull(value) {
     try {
@@ -302,6 +425,67 @@ async function installSystemThreatFeedCron(options, runCommand = execCommand) {
         script,
     };
 }
+async function removeSystemThreatFeedCron(options, runCommand = execCommand) {
+    const home = validateCronFilesystemPath(options.agentGuardHome ?? (0, node_path_1.join)((0, node_os_1.homedir)(), '.agentguard'), 'AGENTGUARD_HOME');
+    const jobId = sanitizeCronJobId(options.name);
+    try {
+        const existing = await runCommand('crontab', ['-l']).then((result) => result.stdout, () => '');
+        const next = removeAgentGuardCronBlock(existing, jobId).trimEnd();
+        if (next === existing.trimEnd()) {
+            return { name: options.name, backend: 'system', removed: false };
+        }
+        await runCommand('crontab', ['-'], next ? `${next}\n` : '');
+        await (0, promises_1.rm)((0, node_path_1.join)(home, 'scripts', `${jobId}.sh`), { force: true }).catch(() => undefined);
+        return { name: options.name, backend: 'system', removed: true };
+    }
+    catch (err) {
+        return { name: options.name, backend: 'system', removed: false, error: err.message };
+    }
+}
+async function removeHermesThreatFeedCron(options, runCommand = execCommand) {
+    try {
+        const existing = await runCommand('hermes', ['cron', 'list']);
+        if (!existing.stdout.includes(options.name)) {
+            return { name: options.name, backend: 'hermes', removed: false };
+        }
+        await runCommand('hermes', ['cron', 'remove', options.name]);
+        const hermesHome = (options.hermesHome ?? process.env.HERMES_HOME?.trim()) || (0, node_path_1.join)((0, node_os_1.homedir)(), '.hermes');
+        await (0, promises_1.rm)((0, node_path_1.join)(hermesHome, 'scripts', `${sanitizeHermesScriptName(options.name)}.sh`), { force: true }).catch(() => undefined);
+        return { name: options.name, backend: 'hermes', removed: true };
+    }
+    catch (err) {
+        return { name: options.name, backend: 'hermes', removed: false, error: err.message };
+    }
+}
+async function removeOpenClawNativeThreatFeedCron(options, runCommand = execCommand) {
+    try {
+        const existing = await runCommand('openclaw', ['cron', 'list']);
+        const jobs = nativeCronListJobsByName(existing.stdout, options.name);
+        if (jobs.length === 0) {
+            return { name: options.name, backend: 'openclaw', removed: false };
+        }
+        for (const job of jobs) {
+            await runCommand('openclaw', ['cron', 'remove', job.id ?? job.name ?? options.name]);
+        }
+        return { name: options.name, backend: 'openclaw', removed: true };
+    }
+    catch (err) {
+        return { name: options.name, backend: 'openclaw', removed: false, error: err.message };
+    }
+}
+async function removeGatewayThreatFeedCron(options, gateway = {}, backend = 'openclaw-gateway') {
+    try {
+        const jobs = await findOpenClawCronJobsByName(options.name, gateway);
+        if (jobs.length === 0) {
+            return { name: options.name, backend, removed: false };
+        }
+        await removeOpenClawCronJobs(jobs, gateway);
+        return { name: options.name, backend, removed: jobs.some((job) => Boolean(job.id)) };
+    }
+    catch (err) {
+        return { name: options.name, backend, removed: false, error: err.message };
+    }
+}
 function threatFeedCommand(quiet, options = {}) {
     const modeFlag = options.notifyRun ? '--cron-notify-run' : '--json --cron-run';
     return `agentguard subscribe${quiet ? ' --quiet' : ''} ${modeFlag}`;
@@ -368,8 +552,42 @@ function shellQuote(value) {
     return `'${value.replace(/'/g, `'\\''`)}'`;
 }
 function openClawCronMessage(quiet) {
+    const mode = quiet ? 'quiet' : 'manual';
+    const command = threatFeedCommand(quiet);
+    return [
+        `Mode: ${mode}.`,
+        `Command: \`${command}\`.`,
+        `Run exactly the command above.`,
+        '',
+        'Rules:',
+        '- The command handles its own OpenClaw notification delivery.',
+        '- Do not send a separate chat reply, summary, or confirmation.',
+        '- Output the command stdout exactly as your final response.',
+        '- If the command fails or prints no stdout, output `NO_REPLY`.',
+        '',
+        'Follow these rules exactly.',
+    ].join('\n');
+}
+function qclawCronMessage(quiet) {
     const mode = quiet ? 'quiet' : 'manual';
     const command = threatFeedCommand(quiet, { notifyRun: true });
+    if (!quiet) {
+        return [
+            `Mode: ${mode}.`,
+            `Command: \`${command}\`.`,
+            `Run exactly the command above.`,
+            '',
+            'Rules:',
+            '- If the command fails, prints no stdout, or prints only `NO_REPLY`, output `NO_REPLY`.',
+            '- If the command prints threat-feed advisories, read the full output, including any remediation guidance.',
+            '- Respond in the same language as the user would naturally use for this chat.',
+            '- Summarize the new threat(s), identify the likely local impact, and give concise manual response steps.',
+            '- Preserve advisory IDs and severity labels.',
+            '- Do not claim a local match was found unless the command output explicitly says so.',
+            '',
+            'Follow these rules exactly.',
+        ].join('\n');
+    }
     return [
         `Mode: ${mode}.`,
         `Command: \`${command}\`.`,
@@ -470,16 +688,78 @@ function openClawGatewayRequest(method, params, options = {}) {
     const port = options.port ?? 18789;
     const label = options.label ?? 'OpenClaw Gateway';
     const timeoutMs = options.timeoutMs ?? 5000;
+    const token = options.token ?? resolveOpenClawGatewayToken();
+    if (shouldUseOpenClawGatewayCli(options)) {
+        return openClawGatewayCliRequest({
+            method,
+            params,
+            label,
+            timeoutMs,
+            runCommand: options.runCommand ?? execCommand,
+        }).catch(() => openClawGatewayNetworkRequest({ host, port, method, params, label, timeoutMs, url: options.url, token }));
+    }
+    return openClawGatewayNetworkRequest({ host, port, method, params, label, timeoutMs, url: options.url, token });
+}
+function openClawGatewayNetworkRequest(options) {
     if (options.url) {
-        return openClawGatewayWebSocketRequest({ url: options.url, method, params, label, timeoutMs });
+        return openClawGatewayWebSocketRequest({
+            url: options.url,
+            method: options.method,
+            params: options.params,
+            label: options.label,
+            timeoutMs: options.timeoutMs,
+            token: options.token,
+        });
     }
-    return openClawGatewayHttpRequest({ host, port, method, params, label, timeoutMs }).catch((err) => {
+    return openClawGatewayHttpRequest({
+        host: options.host,
+        port: options.port,
+        method: options.method,
+        params: options.params,
+        label: options.label,
+        timeoutMs: options.timeoutMs,
+        token: options.token,
+    }).catch((err) => {
         if (err instanceof GatewayHttpFallbackError) {
-            return openClawGatewayWebSocketRequest({ url: `ws://${host}:${port}`, method, params, label, timeoutMs });
+            return openClawGatewayWebSocketRequest({
+                url: `ws://${options.host}:${options.port}`,
+                method: options.method,
+                params: options.params,
+                label: options.label,
+                timeoutMs: options.timeoutMs,
+                token: options.token,
+            });
         }
         throw err;
     });
 }
+function shouldUseOpenClawGatewayCli(options) {
+    if (options.url || options.host || options.port)
+        return false;
+    return !options.label || options.label === 'OpenClaw Gateway';
+}
+async function openClawGatewayCliRequest(options) {
+    const result = await options.runCommand('openclaw', [
+        'gateway',
+        'call',
+        options.method,
+        '--params',
+        JSON.stringify(options.params ?? {}),
+        '--timeout',
+        String(options.timeoutMs),
+        '--json',
+    ]);
+    const trimmed = result.stdout.trim();
+    if (!trimmed) {
+        throw new Error(`${options.label} ${options.method} command returned no JSON output.`);
+    }
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        throw new Error(`${options.label} ${options.method} command returned non-JSON output: ${trimmed}`);
+    }
+}
 function openClawGatewayHttpRequest(options) {
     const payload = JSON.stringify({
         jsonrpc: '2.0',
@@ -487,6 +767,13 @@ function openClawGatewayHttpRequest(options) {
         params: legacyGatewayParams(options.method, options.params),
         id: 1,
     });
+    const headers = {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(payload),
+    };
+    if (options.token) {
+        headers.Authorization = `Bearer ${options.token}`;
+    }
     return new Promise((resolve, reject) => {
         let settled = false;
         const fail = (err) => {
@@ -506,10 +793,7 @@ function openClawGatewayHttpRequest(options) {
             port: options.port,
             path: '/',
             method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'Content-Length': Buffer.byteLength(payload),
-            },
+            headers,
         }, (res) => {
             let data = '';
             res.setEncoding('utf8');
@@ -556,6 +840,41 @@ function legacyGatewayParams(method, params) {
         return [params];
     return params;
 }
+function resolveOpenClawGatewayToken() {
+    const agentGuardOverride = process.env.AGENTGUARD_OPENCLAW_GATEWAY_TOKEN?.trim();
+    if (agentGuardOverride)
+        return agentGuardOverride;
+    const openClawOverride = process.env.OPENCLAW_GATEWAY_TOKEN?.trim();
+    if (openClawOverride)
+        return openClawOverride;
+    return readOpenClawGatewayConfigToken();
+}
+function readOpenClawGatewayConfigToken() {
+    const configPath = resolveOpenClawConfigPath();
+    try {
+        const raw = (0, node_fs_1.readFileSync)(configPath, 'utf8').trim();
+        if (!raw)
+            return undefined;
+        const config = JSON.parse(raw);
+        const gateway = config.gateway;
+        if (!gateway || typeof gateway !== 'object' || Array.isArray(gateway))
+            return undefined;
+        const auth = gateway.auth;
+        if (!auth || typeof auth !== 'object' || Array.isArray(auth))
+            return undefined;
+        const token = auth.token;
+        return typeof token === 'string' && token.trim() ? token.trim() : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function resolveOpenClawConfigPath() {
+    const override = process.env.OPENCLAW_CONFIG_PATH?.trim();
+    if (override)
+        return resolveOpenClawUserPath(override);
+    return (0, node_path_1.join)(resolveOpenClawStateDir(), 'openclaw.json');
+}
 function openClawGatewayWebSocketRequest(options) {
     const endpoint = parseGatewayWebSocketUrl(options.url, options.label);
     return new Promise((resolve, reject) => {
@@ -668,11 +987,12 @@ function openClawGatewayWebSocketRequest(options) {
                 return;
             }
             if (frame?.type === 'event' && frame.event === 'connect.challenge') {
+                const nonce = extractOpenClawConnectNonce(frame);
                 socket.write(encodeWebSocketFrame(JSON.stringify({
                     type: 'req',
                     id: connectRequestId,
                     method: 'connect',
-                    params: openClawConnectParams(),
+                    params: openClawConnectParams(nonce, options.token),
                 })));
                 return;
             }
@@ -824,10 +1144,10 @@ function encodeWebSocketFrame(text, opcode = 0x1) {
     }
     return Buffer.concat([header, mask, masked]);
 }
-function openClawConnectParams() {
+function openClawConnectParams(connectNonce, token) {
     return {
-        minProtocol: 3,
-        maxProtocol: 3,
+        minProtocol: OPENCLAW_GATEWAY_MIN_PROTOCOL,
+        maxProtocol: OPENCLAW_GATEWAY_MAX_PROTOCOL,
         client: {
             id: 'cli',
             version: 'agentguard',
@@ -844,9 +1164,163 @@ function openClawConnectParams() {
             'operator.pairing',
             'operator.talk.secrets',
         ],
+        ...(token ? { auth: { token } } : {}),
+        ...(buildOpenClawGatewayDeviceAuth(connectNonce, token) ?? {}),
     };
 }
 function gatewayFrameErrorMessage(frame) {
     return frame?.error?.message ?? JSON.stringify(frame?.error ?? frame);
 }
+function extractOpenClawConnectNonce(frame) {
+    if (!frame || typeof frame !== 'object')
+        return undefined;
+    const payload = frame.payload;
+    if (!payload || typeof payload !== 'object')
+        return undefined;
+    const nonce = payload.nonce;
+    return typeof nonce === 'string' && nonce.trim() ? nonce : undefined;
+}
+function buildOpenClawGatewayDeviceAuth(connectNonce, token) {
+    if (!connectNonce?.trim())
+        return undefined;
+    const identity = loadOpenClawDeviceIdentity();
+    if (!identity)
+        return undefined;
+    try {
+        const signedAtMs = Date.now();
+        const payload = buildOpenClawDeviceAuthPayload({
+            deviceId: identity.deviceId,
+            clientId: 'cli',
+            clientMode: 'cli',
+            role: 'operator',
+            scopes: [
+                'operator.admin',
+                'operator.read',
+                'operator.write',
+                'operator.approvals',
+                'operator.pairing',
+                'operator.talk.secrets',
+            ],
+            signedAtMs,
+            nonce: connectNonce,
+            platform: process.platform,
+            token,
+        });
+        return {
+            device: {
+                id: identity.deviceId,
+                publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
+                signature: signOpenClawDevicePayload(identity.privateKeyPem, payload),
+                signedAt: signedAtMs,
+                nonce: connectNonce,
+            },
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+function buildOpenClawDeviceAuthPayload(params) {
+    return [
+        'v3',
+        params.deviceId,
+        params.clientId,
+        params.clientMode,
+        params.role,
+        params.scopes.join(','),
+        String(params.signedAtMs),
+        params.token ?? '',
+        params.nonce,
+        normalizeDeviceMetadataForAuth(params.platform),
+        normalizeDeviceMetadataForAuth(params.deviceFamily),
+    ].join('|');
+}
+function normalizeDeviceMetadataForAuth(value) {
+    return typeof value === 'string' ? value.trim() : '';
+}
+function loadOpenClawDeviceIdentity() {
+    try {
+        const raw = (0, node_fs_1.readFileSync)(resolveOpenClawDeviceIdentityPath(), 'utf8');
+        return normalizeOpenClawDeviceIdentity(JSON.parse(raw));
+    }
+    catch {
+        return null;
+    }
+}
+function resolveOpenClawDeviceIdentityPath() {
+    return (0, node_path_1.join)(resolveOpenClawStateDir(), ...OPENCLAW_IDENTITY_PATH);
+}
+function resolveOpenClawStateDir() {
+    const override = process.env.OPENCLAW_STATE_DIR?.trim();
+    if (override)
+        return resolveOpenClawUserPath(override);
+    const current = (0, node_path_1.join)((0, node_os_1.homedir)(), OPENCLAW_STATE_DIRNAME);
+    if ((0, node_fs_1.existsSync)(current))
+        return current;
+    const legacy = (0, node_path_1.join)((0, node_os_1.homedir)(), OPENCLAW_LEGACY_STATE_DIRNAME);
+    if ((0, node_fs_1.existsSync)(legacy))
+        return legacy;
+    return current;
+}
+function resolveOpenClawUserPath(path) {
+    if (path === '~')
+        return (0, node_os_1.homedir)();
+    if (path.startsWith('~/') || path.startsWith('~\\')) {
+        return (0, node_path_1.join)((0, node_os_1.homedir)(), path.slice(2));
+    }
+    return (0, node_path_1.isAbsolute)(path) ? path : (0, node_path_1.join)(process.cwd(), path);
+}
+function normalizeOpenClawDeviceIdentity(value) {
+    if (!value || typeof value !== 'object')
+        return null;
+    const record = value;
+    if (record.version === 1 &&
+        typeof record.deviceId === 'string' &&
+        typeof record.publicKeyPem === 'string' &&
+        typeof record.privateKeyPem === 'string') {
+        return {
+            deviceId: record.deviceId,
+            publicKeyPem: record.publicKeyPem,
+            privateKeyPem: record.privateKeyPem,
+        };
+    }
+    if (typeof record.deviceId === 'string' &&
+        typeof record.publicKey === 'string' &&
+        typeof record.privateKey === 'string') {
+        const publicKeyRaw = base64UrlDecode(record.publicKey);
+        const privateKeyRaw = base64UrlDecode(record.privateKey);
+        if (publicKeyRaw.length !== 32 || privateKeyRaw.length !== 32)
+            return null;
+        return {
+            deviceId: record.deviceId,
+            publicKeyPem: pemEncode('PUBLIC KEY', Buffer.concat([ED25519_SPKI_PREFIX, publicKeyRaw])),
+            privateKeyPem: pemEncode('PRIVATE KEY', Buffer.concat([ED25519_PKCS8_PRIVATE_PREFIX, privateKeyRaw])),
+        };
+    }
+    return null;
+}
+function signOpenClawDevicePayload(privateKeyPem, payload) {
+    return base64UrlEncode((0, node_crypto_1.sign)(null, Buffer.from(payload, 'utf8'), (0, node_crypto_1.createPrivateKey)(privateKeyPem)));
+}
+function publicKeyRawBase64UrlFromPem(publicKeyPem) {
+    const publicKey = (0, node_crypto_1.createPublicKey)(publicKeyPem);
+    const spki = publicKey.export({ type: 'spki', format: 'der' });
+    const raw = spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+        spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
+        ? spki.subarray(ED25519_SPKI_PREFIX.length)
+        : spki;
+    return base64UrlEncode(raw);
+}
+function base64UrlEncode(value) {
+    return value.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+function base64UrlDecode(value) {
+    const normalized = value.replaceAll('-', '+').replaceAll('_', '/');
+    const padded = normalized + '='.repeat((4 - (normalized.length % 4)) % 4);
+    return Buffer.from(padded, 'base64');
+}
+function pemEncode(label, der) {
+    const body = der.toString('base64').match(/.{1,64}/g)?.join('\n') ?? '';
+    return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
+}
 //# sourceMappingURL=cron.js.map