@kweaver-ai/kweaver-sdk 0.6.3 → 0.6.5

package/README.md

@@ -31,6 +31,8 @@ export KWEAVER_BASE_URL=https://your-kweaver-instance.com
 export KWEAVER_TOKEN=your-token
 ```
 
+With both set, API commands use that token even if you never ran `auth login`. You can also run **`kweaver auth status`**, **`kweaver auth whoami`** (supports `--json`), and **`kweaver config show`** when there is **no** current platform in `~/.kweaver/` — the CLI decodes the token locally (JWT only). If the token is opaque, identity fields are omitted and a short hint is printed.
+
 ### Business domain (platform)
 
 Set or verify **before** calling list/query APIs that scope by tenant. DIP deployments often need a UUID, not only `bd_public`.
@@ -151,11 +153,13 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## CLI Reference
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--playwright] [--insecure|-k]
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
+# -u/-p: tries HTTP /oauth2/signin first (refresh_token). If studioweb is missing: falls back to Playwright when installed, else prints install hint. --http-signin: HTTP only. --playwright: force browser automation.
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (headless login)
 kweaver auth export [url|alias] [--json]   (export command to run on a headless host)
-kweaver auth status/list/use/delete/logout
-kweaver config show / list-bd / set-bd <value>   # platform business domain — after login
+kweaver auth status / whoami [url|alias] [--json]   # whoami: --json; with KWEAVER_BASE_URL+KWEAVER_TOKEN when no ~/.kweaver/ platform
+kweaver auth list/use/delete/logout
+kweaver config show / list-bd / set-bd <value>   # platform business domain — show/list-bd work with KWEAVER_BASE_URL (+ KWEAVER_TOKEN for list-bd)
 kweaver token
 kweaver ds list/get/delete/tables/connect
 kweaver ds import-csv <ds_id> --files <glob> [--table-prefix <p>] [--batch-size 500] [--recreate]
@@ -176,7 +180,9 @@ kweaver skill list/market/get/register/status/delete/content/read-file/download/
 kweaver vega health/stats/inspect/sql/catalog/resource/connector-type
 kweaver context-loader config set/use/list/show
 kweaver context-loader kn-search/query-object-instance/...
-kweaver call <path> [-X METHOD] [-d BODY] [-H header]
+kweaver toolbox create/list/publish/unpublish/delete
+kweaver tool upload/list/enable/disable
+kweaver call <path> [-X METHOD] [-d BODY] [-H header] [-F key=value]
 ```
 
 ### Dataflow CLI examples
@@ -207,6 +213,25 @@ kweaver vega sql -d '{"resource_type":"mysql","query":"SELECT * FROM {{res-1}} L
 
 If both `-d` and `--query` / `--resource-type` are present, **only `-d` is used**.
 
+### Register an Agent toolbox
+
+```bash
+# 1. Create a toolbox pointing at your service
+kweaver toolbox create \
+  --name my_actions \
+  --service-url http://my-svc:8080 \
+  --description "Demo action backend"
+# → {"box_id":"<BOX_ID>"}
+
+# 2. Upload an OpenAPI spec as a tool
+kweaver tool upload --toolbox <BOX_ID> ./openapi.json
+# → {"success_ids":["<TOOL_ID>"]}
+
+# 3. Publish the toolbox and enable the tool
+kweaver toolbox publish <BOX_ID>
+kweaver tool enable --toolbox <BOX_ID> <TOOL_ID>
+```
+
 **No-auth platforms:** If OAuth is not enabled, use `kweaver auth <url> --no-auth` (or run a normal `auth login`; a **404** on `POST /oauth2/clients` switches to no-auth automatically). Credentials are still saved under `~/.kweaver/` and work with `auth use` / `auth list`. Optional: `KWEAVER_NO_AUTH=1` with `KWEAVER_BASE_URL` when no token env is set. SDK: `new KWeaverClient({ baseUrl, auth: false })` or `kweaver.configure({ baseUrl, auth: false })`.
 
 ## Environment Variables

package/README.zh.md

@@ -31,6 +31,8 @@ export KWEAVER_BASE_URL=https://your-kweaver-instance.com
 export KWEAVER_TOKEN=your-token
 ```
 
+两者同时设置时，即使未执行 `auth login`，业务命令也会使用该 token。若 **`~/.kweaver/` 无当前平台**，仍可使用 **`kweaver auth status`**、**`kweaver auth whoami`**（支持 `--json`）、**`kweaver config show`**：CLI 会在本地解 JWT 展示身份；若 token 为 opaque，则省略身份字段并给出简短提示。
+
 ### 业务域（平台配置）
 
 在调用依赖租户范围的接口前，应先确认业务域；DIP 环境通常使用 **UUID**，不能长期只依赖默认 `bd_public`。
@@ -144,11 +146,13 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## 命令速查
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--playwright] [--insecure|-k]
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
+# -u/-p：默认先试 HTTP /oauth2/signin（可拿 refresh_token）；无 studioweb 时：已装 Playwright 则回退无头浏览器，否则提示安装 Playwright；--http-signin 仅 HTTP；--playwright 强制浏览器
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (无浏览器登录)
 kweaver auth export [url|alias] [--json]   (导出在无浏览器机器上运行的命令)
-kweaver auth status/list/use/delete/logout
-kweaver config show / list-bd / set-bd <value>   # 平台业务域，登录后优先
+kweaver auth status / whoami [url|alias] [--json]   # whoami 支持 --json；无 ~/.kweaver/ 当前平台时可配 KWEAVER_BASE_URL+KWEAVER_TOKEN
+kweaver auth list/use/delete/logout
+kweaver config show / list-bd / set-bd <value>   # 业务域；show/list-bd 在无已保存平台时可与 env 配对
 kweaver token
 kweaver ds list/get/delete/tables/connect
 kweaver dataflow list/run/runs/logs

package/dist/api/dataflow.d.ts

@@ -14,7 +14,7 @@ export interface DataflowCreateBody {
 }
 export interface DataflowResult {
     status: "success" | "completed" | "failed" | "error";
-    reason?: string;
+    reason?: unknown;
 }
 export interface CreateDataflowOptions {
     baseUrl: string;

package/dist/api/dataflow.js

@@ -82,7 +82,10 @@ export async function pollDataflowResults(options) {
                 return latest;
             }
             if (latest.status === "failed" || latest.status === "error") {
-                const reason = latest.reason ? `: ${latest.reason}` : "";
+                const reasonVal = latest.reason;
+                const reason = reasonVal
+                    ? `: ${typeof reasonVal === "string" ? reasonVal : JSON.stringify(reasonVal)}`
+                    : "";
                 throw new Error(`Dataflow run ${latest.status}${reason}`);
             }
         }

package/dist/api/toolboxes.d.ts

@@ -0,0 +1,47 @@
+interface BaseOpts {
+    baseUrl: string;
+    accessToken: string;
+    businessDomain?: string;
+}
+export interface CreateToolboxOptions extends BaseOpts {
+    name: string;
+    description: string;
+    serviceUrl: string;
+    metadataType?: "openapi";
+    source?: string;
+}
+export declare function createToolbox(opts: CreateToolboxOptions): Promise<string>;
+export interface DeleteToolboxOptions extends BaseOpts {
+    boxId: string;
+}
+export declare function deleteToolbox(opts: DeleteToolboxOptions): Promise<void>;
+export interface SetToolboxStatusOptions extends BaseOpts {
+    boxId: string;
+    status: "published" | "draft";
+}
+export declare function setToolboxStatus(opts: SetToolboxStatusOptions): Promise<void>;
+export interface UploadToolOptions extends BaseOpts {
+    boxId: string;
+    filePath: string;
+    metadataType?: "openapi";
+}
+export declare function uploadTool(opts: UploadToolOptions): Promise<string>;
+export interface SetToolStatusesOptions extends BaseOpts {
+    boxId: string;
+    updates: Array<{
+        toolId: string;
+        status: "enabled" | "disabled";
+    }>;
+}
+export declare function setToolStatuses(opts: SetToolStatusesOptions): Promise<void>;
+export interface ListToolboxesOptions extends BaseOpts {
+    keyword?: string;
+    limit?: number;
+    offset?: number;
+}
+export declare function listToolboxes(opts: ListToolboxesOptions): Promise<string>;
+export interface ListToolsOptions extends BaseOpts {
+    boxId: string;
+}
+export declare function listTools(opts: ListToolsOptions): Promise<string>;
+export {};

package/dist/api/toolboxes.js

@@ -0,0 +1,90 @@
+import { readFile } from "node:fs/promises";
+import { basename } from "node:path";
+import { fetchTextOrThrow } from "../utils/http.js";
+import { buildHeaders } from "./headers.js";
+// Backend endpoints under /api/agent-operator-integration/v1/tool-box.
+//
+// Verified against kweaver/examples/03-action-lifecycle/run.sh (lines 78–197):
+//   POST   /tool-box                   create
+//   DELETE /tool-box/{id}              delete
+//   POST   /tool-box/{id}/status       publish/draft
+//   POST   /tool-box/{id}/tool         upload tool (multipart)
+//   POST   /tool-box/{id}/tools/status enable/disable (batch)
+//
+// Verified during Task 8 e2e against the live backend (2026-04-18):
+//   GET    /tool-box?keyword=&limit=&offset=  list toolboxes
+//   GET    /tool-box/{id}/tool                list tools
+const PATH = "/api/agent-operator-integration/v1/tool-box";
+function url(base, suffix = "") {
+    return `${base.replace(/\/+$/, "")}${PATH}${suffix}`;
+}
+export async function createToolbox(opts) {
+    const body = JSON.stringify({
+        metadata_type: opts.metadataType ?? "openapi",
+        box_name: opts.name,
+        box_desc: opts.description,
+        box_svc_url: opts.serviceUrl,
+        source: opts.source ?? "custom",
+    });
+    const { body: text } = await fetchTextOrThrow(url(opts.baseUrl), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body,
+    });
+    return text;
+}
+export async function deleteToolbox(opts) {
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}`), {
+        method: "DELETE",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+}
+export async function setToolboxStatus(opts) {
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/status`), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body: JSON.stringify({ status: opts.status }),
+    });
+}
+export async function uploadTool(opts) {
+    const buf = await readFile(opts.filePath);
+    const form = new FormData();
+    form.append("metadata_type", opts.metadataType ?? "openapi");
+    form.append("data", new Blob([buf]), basename(opts.filePath));
+    const { body: text } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+        method: "POST",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+        body: form,
+    });
+    return text;
+}
+export async function setToolStatuses(opts) {
+    const body = JSON.stringify(opts.updates.map((u) => ({ tool_id: u.toolId, status: u.status })));
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tools/status`), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body,
+    });
+}
+export async function listToolboxes(opts) {
+    const qp = new URLSearchParams();
+    if (opts.keyword !== undefined)
+        qp.set("keyword", opts.keyword);
+    if (opts.limit !== undefined)
+        qp.set("limit", String(opts.limit));
+    if (opts.offset !== undefined)
+        qp.set("offset", String(opts.offset));
+    const suffix = qp.toString() ? `?${qp}` : "";
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, suffix), {
+        method: "GET",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+    return body;
+}
+export async function listTools(opts) {
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+        method: "GET",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+    return body;
+}

package/dist/auth/oauth.d.ts

@@ -1,4 +1,19 @@
 import { type TokenConfig } from "../config/store.js";
+/**
+ * Studioweb hardcoded LOGIN public key (PEM) — the single key used for HTTP `/oauth2/signin`.
+ * Source: kweaver-ai/kweaver `deploy/auto_cofig/auto_config.sh` `LOGIN_PUBLIC_KEY`.
+ */
+export declare const STUDIOWEB_LOGIN_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyOstgbYuubBi2PUqeVj\nGKlkwVUY6w1Y8d4k116dI2SkZI8fxcjHALv77kItO4jYLVplk9gO4HAtsisnNE2o\nwlYIqdmyEPMwupaeFFFcg751oiTXJiYbtX7ABzU5KQYPjRSEjMq6i5qu/mL67XTk\nhvKwrC83zme66qaKApmKupDODPb0RRkutK/zHfd1zL7sciBQ6psnNadh8pE24w8O\n2XVy1v2bgSNkGHABgncR7seyIg81JQ3c/Axxd6GsTztjLnlvGAlmT1TphE84mi99\nfUaGD2A1u1qdIuNc+XuisFeNcUW6fct0+x97eS2eEGRr/7qxWmO/P20sFVzXc2bF\n1QIDAQAB\n-----END PUBLIC KEY-----";
+/**
+ * Default RSA modulus (hex) for `/oauth2/signin` when `__NEXT_DATA__` has no `publicKey` / `modulus`.
+ * DIP / EACP / AnyShare-style deployments use the ISFWeb `core/auth` PUBLIC_KEY (1024-bit, exp 65537).
+ * Prefer key material from the sign-in page when present.
+ */
+export declare const DEFAULT_SIGNIN_RSA_MODULUS_HEX = "C1D9F84B95AF6B331FBA2D64D76A39CAD7529DA79DB4B3543E4DF3DF21723FEC6F7E2F6602E11037339AE0462DF6B39F94150FC256A505A8CA95BB3699E25C3FB84764D6A1DC3F483A2C1DC4F70925D85725151D0CFBF1EB5A6C4FA0E37ED32FED150C717CD82C528745CDB761D17635AC855421B3CBBEE7D405B2CA5C70CFA7";
+/**
+ * Build an SPKI PEM from an RSA modulus (hex) and public exponent (default 65537 / 0x10001).
+ */
+export declare function rsaModulusHexToSpkiPem(modulusHex: string, exponent?: number): string;
 /** POSIX shell single-quote escaping for copy-paste commands. */
 export declare function shellQuoteForShell(value: string): string;
 /**
@@ -11,6 +26,12 @@ export declare function buildCopyCommand(baseUrl: string, clientId: string, clie
  */
 export declare function buildCallbackHtml(copyCommand: string): string;
 export declare function normalizeBaseUrl(value: string): string;
+/**
+ * Temporarily disable TLS certificate verification for Node `fetch` (sets
+ * NODE_TLS_REJECT_UNAUTHORIZED). Used for `--insecure` login and token refresh.
+ */
+/** @internal Exported for CLI env-only identity resolution (`env-snapshot.ts`). */
+export declare function runWithTlsInsecure<T>(tlsInsecure: boolean | undefined, fn: () => Promise<T>): Promise<T>;
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -50,6 +71,54 @@ export declare function playwrightLogin(baseUrl: string, options?: {
     scope?: string;
     tlsInsecure?: boolean;
 }): Promise<TokenConfig>;
+/**
+ * Parse Next.js `__NEXT_DATA__` from the OAuth2 sign-in HTML shell (CSRF + optional challenge/remember for POST /oauth2/signin).
+ * Hydra `login_challenge` may appear only in the sign-in URL; use that when `pageProps.challenge` is absent.
+ */
+export declare function parseSigninPageHtmlProps(html: string): {
+    challenge?: string;
+    csrftoken: string;
+    remember?: boolean;
+    /** Hex modulus, PEM, or Base64 SPKI from page (nested search + HTML regex fallback). */
+    rsaPublicKeyMaterial?: string;
+};
+/**
+ * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
+ * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ */
+export declare function isStudiowebShellUnavailableError(err: unknown): boolean;
+/**
+ * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
+ * `POST /oauth2/signin` with an RSA PKCS#1 v1.5–encrypted password (same as the browser `rsa.min` / Studio
+ * `core/mediator/auth` path).
+ *
+ * `/oauth2/auth` uses `product` `adp` by default (KWeaver Studio shell); set `oauthProduct` or `KWEAVER_OAUTH_PRODUCT` for DIP (`dip`).
+ * Password ciphertext defaults to **single-line base64** (PyCrypto-style); set `KWEAVER_SIGNIN_PASSWORD_B64_RSA_MIN=1` for rsa.min-style wrapped lines.
+ */
+export declare function oauth2PasswordSigninLogin(baseUrl: string, options: {
+    username: string;
+    password: string;
+    port?: number;
+    scope?: string;
+    clientId?: string;
+    clientSecret?: string;
+    tlsInsecure?: boolean;
+    /**
+     * `product` query for `/oauth2/auth` (must match deployment). Default `adp`; DIP deployments often use `dip`.
+     * @default KWEAVER_OAUTH_PRODUCT env or `adp`
+     */
+    oauthProduct?: string;
+    /**
+     * Password ciphertext: `rsa.min` uses newline every 64 chars; PyCrypto / some gateways expect a single base64 line.
+     * @default false (single-line base64, matches kweaver-core EACP-style encryption)
+     */
+    signinPasswordBase64Plain?: boolean;
+    /**
+     * PEM / hex / Base64-SPKI file path — overrides key from the sign-in HTML.
+     * Env: `KWEAVER_SIGNIN_RSA_PUBLIC_KEY` (same path semantics as CLI `--signin-public-key-file`).
+     */
+    signinPublicKeyPemPath?: string;
+}): Promise<TokenConfig>;
 /**
  * Log in on a headless machine using OAuth2 client credentials and a refresh token (no browser).
  * Exchanges the refresh token for a new access token and persists ~/.kweaver/ state.