@hanzo/bot 2026.3.7 → 2026.3.9

package/dist/store-D8F_4CRR.js

@@ -0,0 +1,701 @@
+import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
+import { g as resolveStateDir, h as resolveOAuthPath } from "./paths-BMo6kTge.js";
+import { t as createSubsystemLogger } from "./subsystem-C6poMade.js";
+import { t as DEFAULT_AGENT_ID } from "./session-key-CC77ya0a.js";
+import { v as resolveUserPath } from "./utils-BnC3HGtm.js";
+import { n as saveJsonFile, t as loadJsonFile } from "./json-file-CNp4GTiH.js";
+import { execFileSync } from "node:child_process";
+import path from "node:path";
+import fs from "node:fs";
+import fs$1 from "node:fs/promises";
+import { createHash } from "node:crypto";
+
+//#region src/agents/auth-profiles/constants.ts
+const AUTH_STORE_VERSION = 1;
+const AUTH_PROFILE_FILENAME = "auth-profiles.json";
+const LEGACY_AUTH_FILENAME = "auth.json";
+const CLAUDE_CLI_PROFILE_ID = "anthropic:claude-cli";
+const CODEX_CLI_PROFILE_ID = "openai-codex:codex-cli";
+const QWEN_CLI_PROFILE_ID = "qwen-portal:qwen-cli";
+const MINIMAX_CLI_PROFILE_ID = "minimax-portal:minimax-cli";
+const AUTH_STORE_LOCK_OPTIONS = {
+	retries: {
+		retries: 10,
+		factor: 2,
+		minTimeout: 100,
+		maxTimeout: 1e4,
+		randomize: true
+	},
+	stale: 3e4
+};
+const EXTERNAL_CLI_SYNC_TTL_MS = 900 * 1e3;
+const EXTERNAL_CLI_NEAR_EXPIRY_MS = 600 * 1e3;
+const log$1 = createSubsystemLogger("agents/auth-profiles");
+
+//#endregion
+//#region src/shared/pid-alive.ts
+function isValidPid(pid) {
+	return Number.isInteger(pid) && pid > 0;
+}
+/**
+* Check if a process is a zombie on Linux by reading /proc/<pid>/status.
+* Returns false on non-Linux platforms or if the proc file can't be read.
+*/
+function isZombieProcess(pid) {
+	if (process.platform !== "linux") return false;
+	try {
+		return fs.readFileSync(`/proc/${pid}/status`, "utf8").match(/^State:\s+(\S)/m)?.[1] === "Z";
+	} catch {
+		return false;
+	}
+}
+function isPidAlive(pid) {
+	if (!isValidPid(pid)) return false;
+	try {
+		process.kill(pid, 0);
+	} catch {
+		return false;
+	}
+	if (isZombieProcess(pid)) return false;
+	return true;
+}
+/**
+* Read the process start time (field 22 "starttime") from /proc/<pid>/stat.
+* Returns the value in clock ticks since system boot, or null on non-Linux
+* platforms or if the proc file can't be read.
+*
+* This is used to detect PID recycling: if two readings for the same PID
+* return different starttimes, the PID has been reused by a different process.
+*/
+function getProcessStartTime(pid) {
+	if (process.platform !== "linux") return null;
+	if (!isValidPid(pid)) return null;
+	try {
+		const stat = fs.readFileSync(`/proc/${pid}/stat`, "utf8");
+		const commEndIndex = stat.lastIndexOf(")");
+		if (commEndIndex < 0) return null;
+		const fields = stat.slice(commEndIndex + 1).trimStart().split(/\s+/);
+		const starttime = Number(fields[19]);
+		return Number.isInteger(starttime) && starttime >= 0 ? starttime : null;
+	} catch {
+		return null;
+	}
+}
+
+//#endregion
+//#region src/shared/process-scoped-map.ts
+function resolveProcessScopedMap(key) {
+	const proc = process;
+	const existing = proc[key];
+	if (existing) return existing;
+	const created = /* @__PURE__ */ new Map();
+	proc[key] = created;
+	return created;
+}
+
+//#endregion
+//#region src/plugin-sdk/file-lock.ts
+const HELD_LOCKS = resolveProcessScopedMap(Symbol.for("openclaw.fileLockHeldLocks"));
+function computeDelayMs(retries, attempt) {
+	const base = Math.min(retries.maxTimeout, Math.max(retries.minTimeout, retries.minTimeout * retries.factor ** attempt));
+	const jitter = retries.randomize ? 1 + Math.random() : 1;
+	return Math.min(retries.maxTimeout, Math.round(base * jitter));
+}
+async function readLockPayload(lockPath) {
+	try {
+		const raw = await fs$1.readFile(lockPath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.pid !== "number" || typeof parsed.createdAt !== "string") return null;
+		return {
+			pid: parsed.pid,
+			createdAt: parsed.createdAt
+		};
+	} catch {
+		return null;
+	}
+}
+async function resolveNormalizedFilePath(filePath) {
+	const resolved = path.resolve(filePath);
+	const dir = path.dirname(resolved);
+	await fs$1.mkdir(dir, { recursive: true });
+	try {
+		const realDir = await fs$1.realpath(dir);
+		return path.join(realDir, path.basename(resolved));
+	} catch {
+		return resolved;
+	}
+}
+async function isStaleLock(lockPath, staleMs) {
+	const payload = await readLockPayload(lockPath);
+	if (payload?.pid && !isPidAlive(payload.pid)) return true;
+	if (payload?.createdAt) {
+		const createdAt = Date.parse(payload.createdAt);
+		if (!Number.isFinite(createdAt) || Date.now() - createdAt > staleMs) return true;
+	}
+	try {
+		const stat = await fs$1.stat(lockPath);
+		return Date.now() - stat.mtimeMs > staleMs;
+	} catch {
+		return true;
+	}
+}
+async function releaseHeldLock(normalizedFile) {
+	const current = HELD_LOCKS.get(normalizedFile);
+	if (!current) return;
+	current.count -= 1;
+	if (current.count > 0) return;
+	HELD_LOCKS.delete(normalizedFile);
+	await current.handle.close().catch(() => void 0);
+	await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
+}
+async function acquireFileLock(filePath, options) {
+	const normalizedFile = await resolveNormalizedFilePath(filePath);
+	const lockPath = `${normalizedFile}.lock`;
+	const held = HELD_LOCKS.get(normalizedFile);
+	if (held) {
+		held.count += 1;
+		return {
+			lockPath,
+			release: () => releaseHeldLock(normalizedFile)
+		};
+	}
+	const attempts = Math.max(1, options.retries.retries + 1);
+	for (let attempt = 0; attempt < attempts; attempt += 1) try {
+		const handle = await fs$1.open(lockPath, "wx");
+		await handle.writeFile(JSON.stringify({
+			pid: process.pid,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2), "utf8");
+		HELD_LOCKS.set(normalizedFile, {
+			count: 1,
+			handle,
+			lockPath
+		});
+		return {
+			lockPath,
+			release: () => releaseHeldLock(normalizedFile)
+		};
+	} catch (err) {
+		if (err.code !== "EEXIST") throw err;
+		if (await isStaleLock(lockPath, options.stale)) {
+			await fs$1.rm(lockPath, { force: true }).catch(() => void 0);
+			continue;
+		}
+		if (attempt >= attempts - 1) break;
+		await new Promise((resolve) => setTimeout(resolve, computeDelayMs(options.retries, attempt)));
+	}
+	throw new Error(`file lock timeout for ${normalizedFile}`);
+}
+async function withFileLock(filePath, options, fn) {
+	const lock = await acquireFileLock(filePath, options);
+	try {
+		return await fn();
+	} finally {
+		await lock.release();
+	}
+}
+
+//#endregion
+//#region src/agents/cli-credentials.ts
+const log = createSubsystemLogger("agents/auth-profiles");
+const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
+const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
+let qwenCliCache = null;
+let minimaxCliCache = null;
+function resolveQwenCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, QWEN_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function resolveMiniMaxCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function readQwenCliCredentials(options) {
+	return readPortalCliOauthCredentials(resolveQwenCliCredentialsPath(options?.homeDir), "qwen-portal");
+}
+function readPortalCliOauthCredentials(credPath, provider) {
+	const raw = loadJsonFile(credPath);
+	if (!raw || typeof raw !== "object") return null;
+	const data = raw;
+	const accessToken = data.access_token;
+	const refreshToken = data.refresh_token;
+	const expiresAt = data.expiry_date;
+	if (typeof accessToken !== "string" || !accessToken) return null;
+	if (typeof refreshToken !== "string" || !refreshToken) return null;
+	if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) return null;
+	return {
+		type: "oauth",
+		provider,
+		access: accessToken,
+		refresh: refreshToken,
+		expires: expiresAt
+	};
+}
+function readMiniMaxCliCredentials(options) {
+	return readPortalCliOauthCredentials(resolveMiniMaxCliCredentialsPath(options?.homeDir), "minimax-portal");
+}
+function readQwenCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveQwenCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && qwenCliCache && qwenCliCache.cacheKey === cacheKey && now - qwenCliCache.readAt < ttlMs) return qwenCliCache.value;
+	const value = readQwenCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) qwenCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+function readMiniMaxCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveMiniMaxCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && minimaxCliCache && minimaxCliCache.cacheKey === cacheKey && now - minimaxCliCache.readAt < ttlMs) return minimaxCliCache.value;
+	const value = readMiniMaxCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) minimaxCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+
+//#endregion
+//#region src/agents/auth-profiles/external-cli-sync.ts
+function shallowEqualOAuthCredentials(a, b) {
+	if (!a) return false;
+	if (a.type !== "oauth") return false;
+	return a.provider === b.provider && a.access === b.access && a.refresh === b.refresh && a.expires === b.expires && a.email === b.email && a.enterpriseUrl === b.enterpriseUrl && a.projectId === b.projectId && a.accountId === b.accountId;
+}
+function isExternalProfileFresh(cred, now) {
+	if (!cred) return false;
+	if (cred.type !== "oauth" && cred.type !== "token") return false;
+	if (cred.provider !== "qwen-portal" && cred.provider !== "minimax-portal") return false;
+	if (typeof cred.expires !== "number") return true;
+	return cred.expires > now + EXTERNAL_CLI_NEAR_EXPIRY_MS;
+}
+/** Sync external CLI credentials into the store for a given provider. */
+function syncExternalCliCredentialsForProvider(store, profileId, provider, readCredentials, now) {
+	const existing = store.profiles[profileId];
+	const creds = !existing || existing.provider !== provider || !isExternalProfileFresh(existing, now) ? readCredentials() : null;
+	if (!creds) return false;
+	const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+	if ((!existingOAuth || existingOAuth.provider !== provider || existingOAuth.expires <= now || creds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, creds)) {
+		store.profiles[profileId] = creds;
+		log$1.info(`synced ${provider} credentials from external cli`, {
+			profileId,
+			expires: new Date(creds.expires).toISOString()
+		});
+		return true;
+	}
+	return false;
+}
+/**
+* Sync OAuth credentials from external CLI tools (Qwen Code CLI, MiniMax CLI) into the store.
+*
+* Returns true if any credentials were updated.
+*/
+function syncExternalCliCredentials(store) {
+	let mutated = false;
+	const now = Date.now();
+	const existingQwen = store.profiles[QWEN_CLI_PROFILE_ID];
+	const qwenCreds = !existingQwen || existingQwen.provider !== "qwen-portal" || !isExternalProfileFresh(existingQwen, now) ? readQwenCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }) : null;
+	if (qwenCreds) {
+		const existing = store.profiles[QWEN_CLI_PROFILE_ID];
+		const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+		if ((!existingOAuth || existingOAuth.provider !== "qwen-portal" || existingOAuth.expires <= now || qwenCreds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, qwenCreds)) {
+			store.profiles[QWEN_CLI_PROFILE_ID] = qwenCreds;
+			mutated = true;
+			log$1.info("synced qwen credentials from qwen cli", {
+				profileId: QWEN_CLI_PROFILE_ID,
+				expires: new Date(qwenCreds.expires).toISOString()
+			});
+		}
+	}
+	if (syncExternalCliCredentialsForProvider(store, MINIMAX_CLI_PROFILE_ID, "minimax-portal", () => readMiniMaxCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }), now)) mutated = true;
+	return mutated;
+}
+
+//#endregion
+//#region src/agents/agent-paths.ts
+function resolveOpenClawAgentDir() {
+	const override = process.env.OPENCLAW_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
+	if (override) return resolveUserPath(override);
+	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
+}
+
+//#endregion
+//#region src/agents/auth-profiles/paths.ts
+function resolveAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveOpenClawAgentDir());
+	return path.join(resolved, AUTH_PROFILE_FILENAME);
+}
+function resolveLegacyAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveOpenClawAgentDir());
+	return path.join(resolved, LEGACY_AUTH_FILENAME);
+}
+function resolveAuthStorePathForDisplay(agentDir) {
+	const pathname = resolveAuthStorePath(agentDir);
+	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
+}
+function ensureAuthStoreFile(pathname) {
+	if (fs.existsSync(pathname)) return;
+	saveJsonFile(pathname, {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	});
+}
+
+//#endregion
+//#region src/agents/auth-profiles/store.ts
+var store_exports = /* @__PURE__ */ __exportAll({
+	clearRuntimeAuthProfileStoreSnapshots: () => clearRuntimeAuthProfileStoreSnapshots,
+	ensureAuthProfileStore: () => ensureAuthProfileStore,
+	loadAuthProfileStore: () => loadAuthProfileStore,
+	loadAuthProfileStoreForRuntime: () => loadAuthProfileStoreForRuntime,
+	loadAuthProfileStoreForSecretsRuntime: () => loadAuthProfileStoreForSecretsRuntime,
+	replaceRuntimeAuthProfileStoreSnapshots: () => replaceRuntimeAuthProfileStoreSnapshots,
+	saveAuthProfileStore: () => saveAuthProfileStore,
+	updateAuthProfileStoreWithLock: () => updateAuthProfileStoreWithLock
+});
+const AUTH_PROFILE_TYPES = new Set([
+	"api_key",
+	"oauth",
+	"token"
+]);
+const runtimeAuthStoreSnapshots = /* @__PURE__ */ new Map();
+function resolveRuntimeStoreKey(agentDir) {
+	return resolveAuthStorePath(agentDir);
+}
+function cloneAuthProfileStore(store) {
+	return structuredClone(store);
+}
+function resolveRuntimeAuthProfileStore(agentDir) {
+	if (runtimeAuthStoreSnapshots.size === 0) return null;
+	const mainKey = resolveRuntimeStoreKey(void 0);
+	const requestedKey = resolveRuntimeStoreKey(agentDir);
+	const mainStore = runtimeAuthStoreSnapshots.get(mainKey);
+	const requestedStore = runtimeAuthStoreSnapshots.get(requestedKey);
+	if (!agentDir || requestedKey === mainKey) {
+		if (!mainStore) return null;
+		return cloneAuthProfileStore(mainStore);
+	}
+	if (mainStore && requestedStore) return mergeAuthProfileStores(cloneAuthProfileStore(mainStore), cloneAuthProfileStore(requestedStore));
+	if (requestedStore) return cloneAuthProfileStore(requestedStore);
+	if (mainStore) return cloneAuthProfileStore(mainStore);
+	return null;
+}
+function replaceRuntimeAuthProfileStoreSnapshots(entries) {
+	runtimeAuthStoreSnapshots.clear();
+	for (const entry of entries) runtimeAuthStoreSnapshots.set(resolveRuntimeStoreKey(entry.agentDir), cloneAuthProfileStore(entry.store));
+}
+function clearRuntimeAuthProfileStoreSnapshots() {
+	runtimeAuthStoreSnapshots.clear();
+}
+async function updateAuthProfileStoreWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	try {
+		return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
+			const store = ensureAuthProfileStore(params.agentDir);
+			if (params.updater(store)) saveAuthProfileStore(store, params.agentDir);
+			return store;
+		});
+	} catch {
+		return null;
+	}
+}
+/**
+* Normalise a raw auth-profiles.json credential entry.
+*
+* The official format uses `type` and (for api_key credentials) `key`.
+* A common mistake — caused by the similarity with the `openclaw.json`
+* `auth.profiles` section which uses `mode` — is to write `mode` instead of
+* `type` and `apiKey` instead of `key`.  Accept both spellings so users don't
+* silently lose their credentials.
+*/
+function normalizeRawCredentialEntry(raw) {
+	const entry = { ...raw };
+	if (!("type" in entry) && typeof entry["mode"] === "string") entry["type"] = entry["mode"];
+	if (!("key" in entry) && typeof entry["apiKey"] === "string") entry["key"] = entry["apiKey"];
+	return entry;
+}
+function parseCredentialEntry(raw, fallbackProvider) {
+	if (!raw || typeof raw !== "object") return {
+		ok: false,
+		reason: "non_object"
+	};
+	const typed = normalizeRawCredentialEntry(raw);
+	if (!AUTH_PROFILE_TYPES.has(typed.type)) return {
+		ok: false,
+		reason: "invalid_type"
+	};
+	const provider = typed.provider ?? fallbackProvider;
+	if (typeof provider !== "string" || provider.trim().length === 0) return {
+		ok: false,
+		reason: "missing_provider"
+	};
+	return {
+		ok: true,
+		credential: {
+			...typed,
+			provider
+		}
+	};
+}
+function warnRejectedCredentialEntries(source, rejected) {
+	if (rejected.length === 0) return;
+	const reasons = rejected.reduce((acc, current) => {
+		acc[current.reason] = (acc[current.reason] ?? 0) + 1;
+		return acc;
+	}, {});
+	log$1.warn("ignored invalid auth profile entries during store load", {
+		source,
+		dropped: rejected.length,
+		reasons,
+		keys: rejected.slice(0, 10).map((entry) => entry.key)
+	});
+}
+function coerceLegacyStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if ("profiles" in record) return null;
+	const entries = {};
+	const rejected = [];
+	for (const [key, value] of Object.entries(record)) {
+		const parsed = parseCredentialEntry(value, key);
+		if (!parsed.ok) {
+			rejected.push({
+				key,
+				reason: parsed.reason
+			});
+			continue;
+		}
+		entries[key] = parsed.credential;
+	}
+	warnRejectedCredentialEntries("auth.json", rejected);
+	return Object.keys(entries).length > 0 ? entries : null;
+}
+function coerceAuthStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if (!record.profiles || typeof record.profiles !== "object") return null;
+	const profiles = record.profiles;
+	const normalized = {};
+	const rejected = [];
+	for (const [key, value] of Object.entries(profiles)) {
+		const parsed = parseCredentialEntry(value);
+		if (!parsed.ok) {
+			rejected.push({
+				key,
+				reason: parsed.reason
+			});
+			continue;
+		}
+		normalized[key] = parsed.credential;
+	}
+	warnRejectedCredentialEntries("auth-profiles.json", rejected);
+	const order = record.order && typeof record.order === "object" ? Object.entries(record.order).reduce((acc, [provider, value]) => {
+		if (!Array.isArray(value)) return acc;
+		const list = value.map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
+		if (list.length === 0) return acc;
+		acc[provider] = list;
+		return acc;
+	}, {}) : void 0;
+	return {
+		version: Number(record.version ?? AUTH_STORE_VERSION),
+		profiles: normalized,
+		order,
+		lastGood: record.lastGood && typeof record.lastGood === "object" ? record.lastGood : void 0,
+		usageStats: record.usageStats && typeof record.usageStats === "object" ? record.usageStats : void 0
+	};
+}
+function mergeRecord(base, override) {
+	if (!base && !override) return;
+	if (!base) return { ...override };
+	if (!override) return { ...base };
+	return {
+		...base,
+		...override
+	};
+}
+function mergeAuthProfileStores(base, override) {
+	if (Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats) return base;
+	return {
+		version: Math.max(base.version, override.version ?? base.version),
+		profiles: {
+			...base.profiles,
+			...override.profiles
+		},
+		order: mergeRecord(base.order, override.order),
+		lastGood: mergeRecord(base.lastGood, override.lastGood),
+		usageStats: mergeRecord(base.usageStats, override.usageStats)
+	};
+}
+function mergeOAuthFileIntoStore(store) {
+	const oauthRaw = loadJsonFile(resolveOAuthPath());
+	if (!oauthRaw || typeof oauthRaw !== "object") return false;
+	const oauthEntries = oauthRaw;
+	let mutated = false;
+	for (const [provider, creds] of Object.entries(oauthEntries)) {
+		if (!creds || typeof creds !== "object") continue;
+		const profileId = `${provider}:default`;
+		if (store.profiles[profileId]) continue;
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider,
+			...creds
+		};
+		mutated = true;
+	}
+	return mutated;
+}
+function applyLegacyStore(store, legacy) {
+	for (const [provider, cred] of Object.entries(legacy)) {
+		const profileId = `${provider}:default`;
+		if (cred.type === "api_key") {
+			store.profiles[profileId] = {
+				type: "api_key",
+				provider: String(cred.provider ?? provider),
+				key: cred.key,
+				...cred.email ? { email: cred.email } : {}
+			};
+			continue;
+		}
+		if (cred.type === "token") {
+			store.profiles[profileId] = {
+				type: "token",
+				provider: String(cred.provider ?? provider),
+				token: cred.token,
+				...typeof cred.expires === "number" ? { expires: cred.expires } : {},
+				...cred.email ? { email: cred.email } : {}
+			};
+			continue;
+		}
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider: String(cred.provider ?? provider),
+			access: cred.access,
+			refresh: cred.refresh,
+			expires: cred.expires,
+			...cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {},
+			...cred.projectId ? { projectId: cred.projectId } : {},
+			...cred.accountId ? { accountId: cred.accountId } : {},
+			...cred.email ? { email: cred.email } : {}
+		};
+	}
+}
+function loadCoercedStore(authPath) {
+	return coerceAuthStore(loadJsonFile(authPath));
+}
+function loadAuthProfileStore() {
+	const authPath = resolveAuthStorePath();
+	const asStore = loadCoercedStore(authPath);
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath()));
+	if (legacy) {
+		const store = {
+			version: AUTH_STORE_VERSION,
+			profiles: {}
+		};
+		applyLegacyStore(store, legacy);
+		syncExternalCliCredentials(store);
+		return store;
+	}
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	syncExternalCliCredentials(store);
+	return store;
+}
+function loadAuthProfileStoreForAgent(agentDir, options) {
+	const readOnly = options?.readOnly === true;
+	const authPath = resolveAuthStorePath(agentDir);
+	const asStore = loadCoercedStore(authPath);
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore) && !readOnly) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	if (agentDir && !readOnly) {
+		const mainStore = coerceAuthStore(loadJsonFile(resolveAuthStorePath()));
+		if (mainStore && Object.keys(mainStore.profiles).length > 0) {
+			saveJsonFile(authPath, mainStore);
+			log$1.info("inherited auth-profiles from main agent", { agentDir });
+			return mainStore;
+		}
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir)));
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	if (legacy) applyLegacyStore(store, legacy);
+	const mergedOAuth = mergeOAuthFileIntoStore(store);
+	const syncedCli = syncExternalCliCredentials(store);
+	const forceReadOnly = process.env.OPENCLAW_AUTH_STORE_READONLY === "1";
+	const shouldWrite = !readOnly && !forceReadOnly && (legacy !== null || mergedOAuth || syncedCli);
+	if (shouldWrite) saveJsonFile(authPath, store);
+	if (shouldWrite && legacy !== null) {
+		const legacyPath = resolveLegacyAuthStorePath(agentDir);
+		try {
+			fs.unlinkSync(legacyPath);
+		} catch (err) {
+			if (err?.code !== "ENOENT") log$1.warn("failed to delete legacy auth.json after migration", {
+				err,
+				legacyPath
+			});
+		}
+	}
+	return store;
+}
+function loadAuthProfileStoreForRuntime(agentDir, options) {
+	const store = loadAuthProfileStoreForAgent(agentDir, options);
+	const authPath = resolveAuthStorePath(agentDir);
+	const mainAuthPath = resolveAuthStorePath();
+	if (!agentDir || authPath === mainAuthPath) return store;
+	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
+}
+function loadAuthProfileStoreForSecretsRuntime(agentDir) {
+	return loadAuthProfileStoreForRuntime(agentDir, {
+		readOnly: true,
+		allowKeychainPrompt: false
+	});
+}
+function ensureAuthProfileStore(agentDir, options) {
+	const runtimeStore = resolveRuntimeAuthProfileStore(agentDir);
+	if (runtimeStore) return runtimeStore;
+	const store = loadAuthProfileStoreForAgent(agentDir, options);
+	const authPath = resolveAuthStorePath(agentDir);
+	const mainAuthPath = resolveAuthStorePath();
+	if (!agentDir || authPath === mainAuthPath) return store;
+	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
+}
+function saveAuthProfileStore(store, agentDir) {
+	saveJsonFile(resolveAuthStorePath(agentDir), {
+		version: AUTH_STORE_VERSION,
+		profiles: Object.fromEntries(Object.entries(store.profiles).map(([profileId, credential]) => {
+			if (credential.type === "api_key" && credential.keyRef && credential.key !== void 0) {
+				const sanitized = { ...credential };
+				delete sanitized.key;
+				return [profileId, sanitized];
+			}
+			if (credential.type === "token" && credential.tokenRef && credential.token !== void 0) {
+				const sanitized = { ...credential };
+				delete sanitized.token;
+				return [profileId, sanitized];
+			}
+			return [profileId, credential];
+		})),
+		order: store.order ?? void 0,
+		lastGood: store.lastGood ?? void 0,
+		usageStats: store.usageStats ?? void 0
+	});
+}
+
+//#endregion
+export { AUTH_STORE_LOCK_OPTIONS as _, replaceRuntimeAuthProfileStoreSnapshots as a, CODEX_CLI_PROFILE_ID as b, updateAuthProfileStoreWithLock as c, resolveAuthStorePathForDisplay as d, resolveOpenClawAgentDir as f, isPidAlive as g, getProcessStartTime as h, loadAuthProfileStoreForSecretsRuntime as i, ensureAuthStoreFile as l, resolveProcessScopedMap as m, ensureAuthProfileStore as n, saveAuthProfileStore as o, withFileLock as p, loadAuthProfileStore as r, store_exports as s, clearRuntimeAuthProfileStoreSnapshots as t, resolveAuthStorePath as u, AUTH_STORE_VERSION as v, log$1 as x, CLAUDE_CLI_PROFILE_ID as y };

package/dist/{store-BgCLFtxS.js → store-DCoVH3mG.js}

@@ -1,5 +1,5 @@
-import { h as resolveConfigDir } from "./utils-cwpAMi-t.js";
-import { c as detectMime, l as extensionForMime } from "./image-ops-DBPCaLYI.js";
+import { h as resolveConfigDir } from "./utils-BnC3HGtm.js";
+import { c as detectMime, l as extensionForMime } from "./image-ops-Bnk-bI_x.js";
 import path from "node:path";
 import { createWriteStream } from "node:fs";
 import fs$1 from "node:fs/promises";