@integrity-labs/agt-cli 0.14.12 → 0.14.14

package/dist/{chunk-NSHSUWZQ.js → chunk-VWCF6BOZ.js}

@@ -245,6 +245,32 @@ function isResolveError(v) {
   return "ok" in v && v.ok === false;
 }
 
+// ../../packages/core/dist/delivery/console-url.js
+function deriveConsoleUrl(apiUrl) {
+  const trimmed = apiUrl?.trim();
+  if (!trimmed)
+    return null;
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    return null;
+  }
+  const host = parsed.hostname;
+  if (host === "api.agt.localhost") {
+    parsed.hostname = "console.agt.localhost";
+    return stripTrailingSlash(parsed.toString());
+  }
+  if (host.startsWith("api.")) {
+    parsed.hostname = `app.${host.slice(4)}`;
+    return stripTrailingSlash(parsed.toString());
+  }
+  return null;
+}
+function stripTrailingSlash(value) {
+  return value.replace(/\/+$/, "");
+}
+
 // ../../packages/core/dist/provisioning/framework-registry.js
 var adapters = /* @__PURE__ */ new Map();
 function registerFramework(adapter) {
@@ -681,6 +707,51 @@ function writeXurlStoreForIntegrations(integrations, filePath = getXurlStorePath
   return filePath;
 }
 
+// ../../packages/core/dist/crypto/secret.js
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var AUTH_TAG_LENGTH = 16;
+var PREFIX = "enc:";
+function getKey() {
+  const hex = process.env["AUTH_ENCRYPTION_KEY"];
+  if (!hex || hex.length !== 64) {
+    throw new Error("AUTH_ENCRYPTION_KEY must be a 64-char hex string (32 bytes)");
+  }
+  return Buffer.from(hex, "hex");
+}
+function decryptSecret(encoded) {
+  if (!encoded.startsWith(PREFIX)) {
+    return encoded;
+  }
+  const key = getKey();
+  const parts = encoded.slice(PREFIX.length).split(":");
+  if (parts.length !== 2)
+    throw new Error("Invalid encrypted secret format");
+  const iv = Buffer.from(parts[0], "base64");
+  const data = Buffer.from(parts[1], "base64");
+  const ciphertext = data.subarray(0, data.length - AUTH_TAG_LENGTH);
+  const tag = data.subarray(data.length - AUTH_TAG_LENGTH);
+  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext) + decipher.final("utf8");
+}
+function isEncrypted(value) {
+  return value.startsWith(PREFIX);
+}
+
+// ../../packages/core/dist/crypto/integration-credentials.js
+var SENSITIVE_INTEGRATION_FIELDS = ["access_token", "refresh_token", "api_key"];
+function decryptIntegrationCredentials(credentials) {
+  const out = { ...credentials };
+  for (const field of SENSITIVE_INTEGRATION_FIELDS) {
+    const value = out[field];
+    if (typeof value === "string" && value && isEncrypted(value)) {
+      out[field] = decryptSecret(value);
+    }
+  }
+  return out;
+}
+
 // ../../packages/core/dist/channels/registry.js
 var CHANNEL_REGISTRY = [
   { id: "slack", name: "Slack", securityTier: "standard", e2eEncrypted: false, auditTrail: true, publicExposureRisk: "Low" },
@@ -767,7 +838,8 @@ function mapIntegrationsToOpenClaw(integrations) {
   let memory;
   for (const integration of integrations) {
     const profileKey = `integration:${integration.definition_id}:default`;
-    const apiKey = integration.credentials.api_key ?? integration.credentials.access_token;
+    const creds = decryptIntegrationCredentials(integration.credentials);
+    const apiKey = creds.api_key ?? creds.access_token;
     if (typeof apiKey === "string" && apiKey) {
       authProfiles[profileKey] = {
         type: integration.auth_type,
@@ -780,7 +852,7 @@ function mapIntegrationsToOpenClaw(integrations) {
     }
     const mcpUrl = integration.config.mcp_url;
     if (mcpUrl) {
-      const token = integration.credentials.api_key ?? integration.credentials.access_token;
+      const token = creds.api_key ?? creds.access_token;
       mcpServers[integration.definition_id] = { url: mcpUrl, ...token ? { token } : {} };
     }
     const definition = getIntegration(integration.definition_id);
@@ -1063,13 +1135,14 @@ function writeIntegrationTokenFile(codeName, integrations) {
   for (const integration of integrations) {
     if (integration.auth_type !== "oauth2")
       continue;
-    const accessToken = integration.credentials.access_token;
+    const creds = decryptIntegrationCredentials(integration.credentials);
+    const accessToken = creds.access_token;
     if (!accessToken)
       continue;
     tokens[integration.definition_id] = {
       access_token: accessToken,
       ...Object.keys(integration.config).length > 0 ? { config: integration.config } : {},
-      ...integration.credentials.token_expires_at ? { expires_at: integration.credentials.token_expires_at } : {}
+      ...creds.token_expires_at ? { expires_at: creds.token_expires_at } : {}
     };
   }
   if (Object.keys(tokens).length === 0)
@@ -2291,7 +2364,8 @@ var nemoClawAdapter = {
     const envFile = join3(configDir, "integration-env.json");
     const env2 = {};
     for (const integration of integrations) {
-      const apiKey = integration.credentials.api_key ?? integration.credentials.access_token;
+      const creds = decryptIntegrationCredentials(integration.credentials);
+      const apiKey = creds.api_key ?? creds.access_token;
       if (apiKey) {
         const envKey = `INTEGRATION_${integration.definition_id.toUpperCase().replace(/-/g, "_")}_KEY`;
         env2[envKey] = apiKey;
@@ -3479,16 +3553,21 @@ ${sections}`
   writeIntegrations(codeName, integrations) {
     const agentDir = getAgentDir(codeName);
     mkdirSync4(agentDir, { recursive: true });
+    const decryptedIntegrations = integrations.map((integration) => ({
+      ...integration,
+      credentials: decryptIntegrationCredentials(integration.credentials)
+    }));
     const envLines = ["# Augmented integrations \u2014 auto-generated, do not edit"];
-    for (const integration of integrations) {
+    for (const integration of decryptedIntegrations) {
       const prefix = integration.definition_id.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+      const creds = integration.credentials;
       if (integration.auth_type === "oauth2") {
-        const accessToken = integration.credentials.access_token;
+        const accessToken = creds.access_token;
         if (accessToken) {
           envLines.push(`${prefix}_ACCESS_TOKEN=${accessToken}`);
         }
       } else if (integration.auth_type === "api_key") {
-        const apiKey = integration.credentials.api_key;
+        const apiKey = creds.api_key;
         if (apiKey) {
           envLines.push(`${prefix}_API_KEY=${apiKey}`);
         }
@@ -3509,7 +3588,7 @@ ${sections}`
       writeFileSync4(envPath, envLines.join("\n") + "\n");
       chmodSync4(envPath, SECRET_FILE_MODE);
     }
-    writeXurlStoreForIntegrations(integrations);
+    writeXurlStoreForIntegrations(decryptedIntegrations);
     const hasQmd = integrations.some((i) => i.definition_id === "qmd");
     if (hasQmd) {
       this.writeMcpServer(codeName, "qmd", { command: "qmd", args: ["mcp"] });
@@ -3809,13 +3888,14 @@ ${sections}`
     for (const integration of integrations) {
       if (integration.auth_type !== "oauth2")
         continue;
-      const accessToken = integration.credentials.access_token;
+      const creds = decryptIntegrationCredentials(integration.credentials);
+      const accessToken = creds.access_token;
       if (!accessToken)
         continue;
       tokens[integration.definition_id] = {
         access_token: accessToken,
         ...Object.keys(integration.config).length > 0 ? { config: integration.config } : {},
-        ...integration.credentials.token_expires_at ? { expires_at: integration.credentials.token_expires_at } : {}
+        ...creds.token_expires_at ? { expires_at: creds.token_expires_at } : {}
       };
     }
     if (Object.keys(tokens).length === 0)
@@ -6802,6 +6882,7 @@ export {
   appendDmFooter,
   resolveDmTarget,
   isResolveError,
+  deriveConsoleUrl,
   getFramework,
   CHANNEL_REGISTRY,
   getChannel,
@@ -6853,4 +6934,4 @@ export {
   managerStopCommand,
   managerStatusCommand
 };
-//# sourceMappingURL=chunk-NSHSUWZQ.js.map
+//# sourceMappingURL=chunk-VWCF6BOZ.js.map