@kweaver-ai/kweaver-sdk 0.6.4 → 0.6.6

package/README.md

@@ -153,8 +153,8 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## CLI Reference
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p: tries HTTP /oauth2/signin first (refresh_token). If studioweb is missing: falls back to Playwright when installed, else prints install hint. --http-signin: HTTP only. --playwright: force browser automation.
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+# -u/-p (with or without --http-signin): HTTP POST /oauth2/signin (yields refresh_token). Missing -u/-p are prompted from stdin (password hidden when TTY).
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (headless login)
 kweaver auth export [url|alias] [--json]   (export command to run on a headless host)
 kweaver auth status / whoami [url|alias] [--json]   # whoami: --json; with KWEAVER_BASE_URL+KWEAVER_TOKEN when no ~/.kweaver/ platform
@@ -180,7 +180,9 @@ kweaver skill list/market/get/register/status/delete/content/read-file/download/
 kweaver vega health/stats/inspect/sql/catalog/resource/connector-type
 kweaver context-loader config set/use/list/show
 kweaver context-loader kn-search/query-object-instance/...
-kweaver call <path> [-X METHOD] [-d BODY] [-H header]
+kweaver toolbox create/list/publish/unpublish/delete
+kweaver tool upload/list/enable/disable
+kweaver call <path> [-X METHOD] [-d BODY] [-H header] [-F key=value]
 ```
 
 ### Dataflow CLI examples
@@ -211,6 +213,25 @@ kweaver vega sql -d '{"resource_type":"mysql","query":"SELECT * FROM {{res-1}} L
 
 If both `-d` and `--query` / `--resource-type` are present, **only `-d` is used**.
 
+### Register an Agent toolbox
+
+```bash
+# 1. Create a toolbox pointing at your service
+kweaver toolbox create \
+  --name my_actions \
+  --service-url http://my-svc:8080 \
+  --description "Demo action backend"
+# → {"box_id":"<BOX_ID>"}
+
+# 2. Upload an OpenAPI spec as a tool
+kweaver tool upload --toolbox <BOX_ID> ./openapi.json
+# → {"success_ids":["<TOOL_ID>"]}
+
+# 3. Publish the toolbox and enable the tool
+kweaver toolbox publish <BOX_ID>
+kweaver tool enable --toolbox <BOX_ID> <TOOL_ID>
+```
+
 **No-auth platforms:** If OAuth is not enabled, use `kweaver auth <url> --no-auth` (or run a normal `auth login`; a **404** on `POST /oauth2/clients` switches to no-auth automatically). Credentials are still saved under `~/.kweaver/` and work with `auth use` / `auth list`. Optional: `KWEAVER_NO_AUTH=1` with `KWEAVER_BASE_URL` when no token env is set. SDK: `new KWeaverClient({ baseUrl, auth: false })` or `kweaver.configure({ baseUrl, auth: false })`.
 
 ## Environment Variables

package/README.zh.md

@@ -146,8 +146,8 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## 命令速查
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p：默认先试 HTTP /oauth2/signin（可拿 refresh_token）；无 studioweb 时：已装 Playwright 则回退无头浏览器，否则提示安装 Playwright；--http-signin 仅 HTTP；--playwright 强制浏览器
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+# -u/-p（无论是否带 --http-signin）：HTTP POST /oauth2/signin（可拿 refresh_token）；缺失的用户名/密码会从 stdin 提示输入（TTY 下密码隐藏）
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (无浏览器登录)
 kweaver auth export [url|alias] [--json]   (导出在无浏览器机器上运行的命令)
 kweaver auth status / whoami [url|alias] [--json]   # whoami 支持 --json；无 ~/.kweaver/ 当前平台时可配 KWEAVER_BASE_URL+KWEAVER_TOKEN

package/dist/api/dataflow.d.ts

@@ -14,7 +14,7 @@ export interface DataflowCreateBody {
 }
 export interface DataflowResult {
     status: "success" | "completed" | "failed" | "error";
-    reason?: string;
+    reason?: unknown;
 }
 export interface CreateDataflowOptions {
     baseUrl: string;

package/dist/api/toolboxes.d.ts

@@ -0,0 +1,47 @@
+interface BaseOpts {
+    baseUrl: string;
+    accessToken: string;
+    businessDomain?: string;
+}
+export interface CreateToolboxOptions extends BaseOpts {
+    name: string;
+    description: string;
+    serviceUrl: string;
+    metadataType?: "openapi";
+    source?: string;
+}
+export declare function createToolbox(opts: CreateToolboxOptions): Promise<string>;
+export interface DeleteToolboxOptions extends BaseOpts {
+    boxId: string;
+}
+export declare function deleteToolbox(opts: DeleteToolboxOptions): Promise<void>;
+export interface SetToolboxStatusOptions extends BaseOpts {
+    boxId: string;
+    status: "published" | "draft";
+}
+export declare function setToolboxStatus(opts: SetToolboxStatusOptions): Promise<void>;
+export interface UploadToolOptions extends BaseOpts {
+    boxId: string;
+    filePath: string;
+    metadataType?: "openapi";
+}
+export declare function uploadTool(opts: UploadToolOptions): Promise<string>;
+export interface SetToolStatusesOptions extends BaseOpts {
+    boxId: string;
+    updates: Array<{
+        toolId: string;
+        status: "enabled" | "disabled";
+    }>;
+}
+export declare function setToolStatuses(opts: SetToolStatusesOptions): Promise<void>;
+export interface ListToolboxesOptions extends BaseOpts {
+    keyword?: string;
+    limit?: number;
+    offset?: number;
+}
+export declare function listToolboxes(opts: ListToolboxesOptions): Promise<string>;
+export interface ListToolsOptions extends BaseOpts {
+    boxId: string;
+}
+export declare function listTools(opts: ListToolsOptions): Promise<string>;
+export {};

package/dist/api/toolboxes.js

@@ -0,0 +1,90 @@
+import { readFile } from "node:fs/promises";
+import { basename } from "node:path";
+import { fetchTextOrThrow } from "../utils/http.js";
+import { buildHeaders } from "./headers.js";
+// Backend endpoints under /api/agent-operator-integration/v1/tool-box.
+//
+// Verified against kweaver/examples/03-action-lifecycle/run.sh (lines 78–197):
+//   POST   /tool-box                   create
+//   DELETE /tool-box/{id}              delete
+//   POST   /tool-box/{id}/status       publish/draft
+//   POST   /tool-box/{id}/tool         upload tool (multipart)
+//   POST   /tool-box/{id}/tools/status enable/disable (batch)
+//
+// Verified during Task 8 e2e against the live backend (2026-04-18):
+//   GET    /tool-box?keyword=&limit=&offset=  list toolboxes
+//   GET    /tool-box/{id}/tool                list tools
+const PATH = "/api/agent-operator-integration/v1/tool-box";
+function url(base, suffix = "") {
+    return `${base.replace(/\/+$/, "")}${PATH}${suffix}`;
+}
+export async function createToolbox(opts) {
+    const body = JSON.stringify({
+        metadata_type: opts.metadataType ?? "openapi",
+        box_name: opts.name,
+        box_desc: opts.description,
+        box_svc_url: opts.serviceUrl,
+        source: opts.source ?? "custom",
+    });
+    const { body: text } = await fetchTextOrThrow(url(opts.baseUrl), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body,
+    });
+    return text;
+}
+export async function deleteToolbox(opts) {
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}`), {
+        method: "DELETE",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+}
+export async function setToolboxStatus(opts) {
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/status`), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body: JSON.stringify({ status: opts.status }),
+    });
+}
+export async function uploadTool(opts) {
+    const buf = await readFile(opts.filePath);
+    const form = new FormData();
+    form.append("metadata_type", opts.metadataType ?? "openapi");
+    form.append("data", new Blob([buf]), basename(opts.filePath));
+    const { body: text } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+        method: "POST",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+        body: form,
+    });
+    return text;
+}
+export async function setToolStatuses(opts) {
+    const body = JSON.stringify(opts.updates.map((u) => ({ tool_id: u.toolId, status: u.status })));
+    await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tools/status`), {
+        method: "POST",
+        headers: { ...buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"), "content-type": "application/json" },
+        body,
+    });
+}
+export async function listToolboxes(opts) {
+    const qp = new URLSearchParams();
+    if (opts.keyword !== undefined)
+        qp.set("keyword", opts.keyword);
+    if (opts.limit !== undefined)
+        qp.set("limit", String(opts.limit));
+    if (opts.offset !== undefined)
+        qp.set("offset", String(opts.offset));
+    const suffix = qp.toString() ? `?${qp}` : "";
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, suffix), {
+        method: "GET",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+    return body;
+}
+export async function listTools(opts) {
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+        method: "GET",
+        headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
+    });
+    return body;
+}

package/dist/auth/oauth.d.ts

@@ -32,6 +32,40 @@ export declare function normalizeBaseUrl(value: string): string;
  */
 /** @internal Exported for CLI env-only identity resolution (`env-snapshot.ts`). */
 export declare function runWithTlsInsecure<T>(tlsInsecure: boolean | undefined, fn: () => Promise<T>): Promise<T>;
+/**
+ * Headless login: read authorization code from stdin (full callback URL or raw code).
+ * Used with `--no-browser` or when automatic browser launch fails.
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForCode(authUrl: string, state: string, port: number, pasteMode?: "explicit" | "fallback", io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a username on stderr (input echoed).
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForUsername(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a password on stderr without echoing keystrokes (TTY only).
+ *
+ * Falls back to a regular readline prompt when stdin is not a TTY (e.g. piped input
+ * during scripted use); callers needing strict no-echo should detect this case themselves.
+ *
+ * `io` is injectable for tests.
+ */
+export declare function promptForPassword(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream & {
+        isTTY?: boolean;
+        setRawMode?: (mode: boolean) => unknown;
+    };
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -53,24 +87,6 @@ export declare function oauth2Login(baseUrl: string, options?: {
      */
     noBrowser?: boolean;
 }): Promise<TokenConfig>;
-/**
- * Playwright-automated OAuth2 login.
- *
- * Uses the full OAuth2 authorization code flow (same as `oauth2Login`) but
- * automates the browser interaction with Playwright.  This produces a
- * refresh_token so the CLI can auto-refresh without re-login.
- *
- * When `username` and `password` are provided the browser runs headless and
- * fills the login form automatically.  Otherwise it opens a visible browser
- * window for manual login (same UX as the old cookie-based flow).
- */
-export declare function playwrightLogin(baseUrl: string, options?: {
-    username?: string;
-    password?: string;
-    port?: number;
-    scope?: string;
-    tlsInsecure?: boolean;
-}): Promise<TokenConfig>;
 /**
  * Parse Next.js `__NEXT_DATA__` from the OAuth2 sign-in HTML shell (CSRF + optional challenge/remember for POST /oauth2/signin).
  * Hydra `login_challenge` may appear only in the sign-in URL; use that when `pageProps.challenge` is absent.
@@ -83,10 +99,25 @@ export declare function parseSigninPageHtmlProps(html: string): {
     rsaPublicKeyMaterial?: string;
 };
 /**
- * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
- * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ * Build the JSON body for `POST /oauth2/signin` (matches the browser `oauth2-ui` form).
+ *
+ * `device.client_type` MUST be a value present in the EACP whitelist defined by
+ * `kweaver/deploy/auto_cofig/auto_config.sh`. `console_web` is the canonical CLI value
+ * (also used by `kweaver-admin`); other values such as `unknown` are rejected by strict
+ * deployments with `管理员已禁止此类客户端登录` — surfaced upstream as a `request_forbidden`
+ * `No CSRF value available in the session cookie` error after Hydra discards the rejected
+ * login challenge.
+ *
+ * `vcode` and `dualfactorauthinfo` must be present even when empty; otherwise eachttpserver
+ * returns HTTP 400 (invalid parameter).
  */
-export declare function isStudiowebShellUnavailableError(err: unknown): boolean;
+export declare function buildOauth2SigninPostBody(opts: {
+    csrftoken: string;
+    challenge: string;
+    account: string;
+    passwordCipher: string;
+    remember: boolean;
+}): Record<string, unknown>;
 /**
  * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
  * `POST /oauth2/signin` with an RSA PKCS#1 v1.5–encrypted password (same as the browser `rsa.min` / Studio