@kweaver-ai/kweaver-sdk 0.6.5 → 0.6.7

package/README.md

@@ -153,8 +153,11 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## CLI Reference
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p: tries HTTP /oauth2/signin first (refresh_token). If studioweb is missing: falls back to Playwright when installed, else prints install hint. --http-signin: HTTP only. --playwright: force browser automation.
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
+# -u/-p (with or without --http-signin): HTTP POST /oauth2/signin (yields refresh_token). Missing -u/-p are prompted from stdin (password hidden when TTY).
+# If the server returns error 401001017 (initial password), TTY users get a prompt to set a new password; non-interactive scripts must pass --new-password <pwd>.
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
+# EACP POST /api/eacp/v1/auth1/modifypassword — no OAuth token required. Omit -o/-n on a TTY to be prompted.
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (headless login)
 kweaver auth export [url|alias] [--json]   (export command to run on a headless host)
 kweaver auth status / whoami [url|alias] [--json]   # whoami: --json; with KWEAVER_BASE_URL+KWEAVER_TOKEN when no ~/.kweaver/ platform

package/README.zh.md

@@ -146,8 +146,10 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## 命令速查
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p：默认先试 HTTP /oauth2/signin（可拿 refresh_token）；无 studioweb 时：已装 Playwright 则回退无头浏览器，否则提示安装 Playwright；--http-signin 仅 HTTP；--playwright 强制浏览器
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
+# -u/-p（无论是否带 --http-signin）：HTTP POST /oauth2/signin（可拿 refresh_token）；缺失的用户名/密码会从 stdin 提示输入（TTY 下密码隐藏）
+# 若服务端返回 401001017（初始密码），交互终端会引导修改；非交互请使用 --new-password <pwd>。
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (无浏览器登录)
 kweaver auth export [url|alias] [--json]   (导出在无浏览器机器上运行的命令)
 kweaver auth status / whoami [url|alias] [--json]   # whoami 支持 --json；无 ~/.kweaver/ 当前平台时可配 KWEAVER_BASE_URL+KWEAVER_TOKEN

package/dist/api/toolboxes.js

@@ -12,8 +12,8 @@ import { buildHeaders } from "./headers.js";
 //   POST   /tool-box/{id}/tools/status enable/disable (batch)
 //
 // Verified during Task 8 e2e against the live backend (2026-04-18):
-//   GET    /tool-box?keyword=&limit=&offset=  list toolboxes
-//   GET    /tool-box/{id}/tool                list tools
+//   GET    /tool-box/list?keyword=&limit=&offset=  list toolboxes
+//   GET    /tool-box/{id}/tools/list               list tools
 const PATH = "/api/agent-operator-integration/v1/tool-box";
 function url(base, suffix = "") {
     return `${base.replace(/\/+$/, "")}${PATH}${suffix}`;
@@ -74,7 +74,7 @@ export async function listToolboxes(opts) {
         qp.set("limit", String(opts.limit));
     if (opts.offset !== undefined)
         qp.set("offset", String(opts.offset));
-    const suffix = qp.toString() ? `?${qp}` : "";
+    const suffix = `/list${qp.toString() ? `?${qp}` : ""}`;
     const { body } = await fetchTextOrThrow(url(opts.baseUrl, suffix), {
         method: "GET",
         headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
@@ -82,7 +82,7 @@ export async function listToolboxes(opts) {
     return body;
 }
 export async function listTools(opts) {
-    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tools/list`), {
         method: "GET",
         headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
     });

package/dist/auth/eacp-modify-password.d.ts

@@ -0,0 +1,25 @@
+/** Encrypt a password with EACP modifypassword's RSA public key, base64-encoded. */
+export declare function encryptModifyPwd(plain: string, publicKeyPem?: string): string;
+/** @internal For unit tests: decrypt ciphertext produced by encryptModifyPwd with the embedded key. */
+export declare function decryptModifyPwdForTest(cipherB64: string): string;
+export interface EacpModifyPasswordOptions {
+    account: string;
+    oldPassword: string;
+    newPassword: string;
+    /** Override the embedded RSA public key (PEM). */
+    publicKeyPem?: string;
+    tlsInsecure?: boolean;
+}
+export interface EacpModifyPasswordResult {
+    status: number;
+    ok: boolean;
+    body: string;
+    json?: unknown;
+}
+/**
+ * Call EACP `POST /api/eacp/v1/auth1/modifypassword` to change a user's password
+ * when the old password is known (`isforgetpwd: false`).
+ *
+ * No bearer token / cookie is required — the endpoint authenticates by old password.
+ */
+export declare function eacpModifyPassword(baseUrl: string, options: EacpModifyPasswordOptions): Promise<EacpModifyPasswordResult>;

package/dist/auth/eacp-modify-password.js

@@ -0,0 +1,84 @@
+import { constants as cryptoConstants, createPrivateKey, createPublicKey, privateDecrypt, publicEncrypt, } from "node:crypto";
+import { normalizeBaseUrl, runWithTlsInsecure } from "./oauth.js";
+/**
+ * 1024-bit RSA private key embedded in ShareServer
+ * (`isf/ShareServer/src/eachttpserver/ncEACHttpServerUtil.cpp`, function
+ * `ncEACHttpServerUtil::RSADecrypt`). It is the keypair used by the EACP
+ * `auth1/modifypassword` endpoint to decrypt `oldpwd` / `newpwd`.
+ *
+ * Note: this key is intentionally hard-coded in the C++ binary and shipped to
+ * every customer; it is not a secret. We embed it here so the CLI can perform
+ * the matching `RSA_PKCS1` encryption without contacting the server.
+ */
+const EACP_MODIFYPWD_PRIVATE_KEY_PEM = `-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDB2fhLla9rMx+6LWTXajnK11Kdp520s1Q+TfPfIXI/7G9+L2YC
+4RA3M5rgRi32s5+UFQ/CVqUFqMqVuzaZ4lw/uEdk1qHcP0g6LB3E9wkl2FclFR0M
++/HrWmxPoON+0y/tFQxxfNgsUodFzbdh0XY1rIVUIbPLvufUBbLKXHDPpwIDAQAB
+AoGBALCM/H6ajXFs1nCR903aCVicUzoS9qckzI0SIhIOPCfMBp8+PAJTSJl9/ohU
+YnhVj/kmVXwBvboxyJAmOcxdRPWL7iTk5nA1oiVXMer3Wby+tRg/ls91xQbJLVv3
+oGSt7q0CXxJpRH2oYkVVlMMlZUwKz3ovHiLKAnhw+jEsdL2BAkEA9hA97yyeA2eq
+f9dMu/ici99R3WJRRtk4NEI4WShtWPyziDg48d3SOzYmhEJjPuOo3g1ze01os70P
+ApE7d0qcyQJBAMmt+FR8h5MwxPQPAzjh/fTuTttvUfBeMiUDrIycK1I/L96lH+fU
+i4Nu+7TPOzExnPeGO5UJbZxrpIEUB7Zs8O8CQQCLzTCTGiNwxc5eMgH77kVrRudp
+Q7nv6ex/7Hu9VDXEUFbkdyULbj9KuvppPJrMmWZROw04qgNp02mayM8jeLXZAkEA
+o+PM/pMn9TPXiWE9xBbaMhUKXgXLd2KEq1GeAbHS/oY8l1hmYhV1vjwNLbSNrH9d
+yEP73TQJL+jFiONHFTbYXwJAU03Xgum5mLIkX/02LpOrz2QCdfX1IMJk2iKi9osV
+KqfbvHsF0+GvFGg18/FXStG9Kr4TjqLsygQJT76/MnMluw==
+-----END RSA PRIVATE KEY-----`;
+let cachedPubKey;
+function getModifyPwdPublicKey() {
+    if (!cachedPubKey) {
+        cachedPubKey = createPublicKey(createPrivateKey(EACP_MODIFYPWD_PRIVATE_KEY_PEM));
+    }
+    return cachedPubKey;
+}
+/** Encrypt a password with EACP modifypassword's RSA public key, base64-encoded. */
+export function encryptModifyPwd(plain, publicKeyPem) {
+    const key = publicKeyPem ? createPublicKey(publicKeyPem) : getModifyPwdPublicKey();
+    const buf = publicEncrypt({ key, padding: cryptoConstants.RSA_PKCS1_PADDING }, Buffer.from(plain, "utf8"));
+    return buf.toString("base64");
+}
+/** @internal For unit tests: decrypt ciphertext produced by encryptModifyPwd with the embedded key. */
+export function decryptModifyPwdForTest(cipherB64) {
+    const key = createPrivateKey(EACP_MODIFYPWD_PRIVATE_KEY_PEM);
+    const buf = privateDecrypt({ key, padding: cryptoConstants.RSA_PKCS1_PADDING }, Buffer.from(cipherB64, "base64"));
+    return buf.toString("utf8");
+}
+/**
+ * Call EACP `POST /api/eacp/v1/auth1/modifypassword` to change a user's password
+ * when the old password is known (`isforgetpwd: false`).
+ *
+ * No bearer token / cookie is required — the endpoint authenticates by old password.
+ */
+export async function eacpModifyPassword(baseUrl, options) {
+    return runWithTlsInsecure(options.tlsInsecure, async () => {
+        const body = {
+            account: options.account,
+            oldpwd: encryptModifyPwd(options.oldPassword, options.publicKeyPem),
+            newpwd: encryptModifyPwd(options.newPassword, options.publicKeyPem),
+            vcodeinfo: {
+                uuid: "",
+                vcode: "",
+            },
+            isforgetpwd: false,
+        };
+        const url = `${normalizeBaseUrl(baseUrl)}/api/eacp/v1/auth1/modifypassword`;
+        const resp = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Accept: "application/json, text/plain, */*",
+            },
+            body: JSON.stringify(body),
+        });
+        const text = await resp.text();
+        let json;
+        try {
+            json = text ? JSON.parse(text) : undefined;
+        }
+        catch {
+            /* not JSON */
+        }
+        return { status: resp.status, ok: resp.ok, body: text, json };
+    });
+}

package/dist/auth/oauth.d.ts

@@ -1,4 +1,17 @@
 import { type TokenConfig } from "../config/store.js";
+/** Thrown when `POST /oauth2/signin` returns HTTP 401 with EACP code `401001017` (initial password must be changed). */
+export declare class InitialPasswordChangeRequiredError extends Error {
+    readonly code = 401001017;
+    readonly account: string;
+    readonly baseUrl: string;
+    readonly httpStatus = 401;
+    readonly serverMessage: string;
+    constructor(opts: {
+        account: string;
+        baseUrl: string;
+        serverMessage: string;
+    });
+}
 /**
  * Studioweb hardcoded LOGIN public key (PEM) — the single key used for HTTP `/oauth2/signin`.
  * Source: kweaver-ai/kweaver `deploy/auto_cofig/auto_config.sh` `LOGIN_PUBLIC_KEY`.
@@ -32,6 +45,40 @@ export declare function normalizeBaseUrl(value: string): string;
  */
 /** @internal Exported for CLI env-only identity resolution (`env-snapshot.ts`). */
 export declare function runWithTlsInsecure<T>(tlsInsecure: boolean | undefined, fn: () => Promise<T>): Promise<T>;
+/**
+ * Headless login: read authorization code from stdin (full callback URL or raw code).
+ * Used with `--no-browser` or when automatic browser launch fails.
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForCode(authUrl: string, state: string, port: number, pasteMode?: "explicit" | "fallback", io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a username on stderr (input echoed).
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForUsername(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a password on stderr without echoing keystrokes (TTY only).
+ *
+ * Falls back to a regular readline prompt when stdin is not a TTY (e.g. piped input
+ * during scripted use); callers needing strict no-echo should detect this case themselves.
+ *
+ * `io` is injectable for tests.
+ */
+export declare function promptForPassword(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream & {
+        isTTY?: boolean;
+        setRawMode?: (mode: boolean) => unknown;
+    };
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -53,24 +100,6 @@ export declare function oauth2Login(baseUrl: string, options?: {
      */
     noBrowser?: boolean;
 }): Promise<TokenConfig>;
-/**
- * Playwright-automated OAuth2 login.
- *
- * Uses the full OAuth2 authorization code flow (same as `oauth2Login`) but
- * automates the browser interaction with Playwright.  This produces a
- * refresh_token so the CLI can auto-refresh without re-login.
- *
- * When `username` and `password` are provided the browser runs headless and
- * fills the login form automatically.  Otherwise it opens a visible browser
- * window for manual login (same UX as the old cookie-based flow).
- */
-export declare function playwrightLogin(baseUrl: string, options?: {
-    username?: string;
-    password?: string;
-    port?: number;
-    scope?: string;
-    tlsInsecure?: boolean;
-}): Promise<TokenConfig>;
 /**
  * Parse Next.js `__NEXT_DATA__` from the OAuth2 sign-in HTML shell (CSRF + optional challenge/remember for POST /oauth2/signin).
  * Hydra `login_challenge` may appear only in the sign-in URL; use that when `pageProps.challenge` is absent.
@@ -83,10 +112,25 @@ export declare function parseSigninPageHtmlProps(html: string): {
     rsaPublicKeyMaterial?: string;
 };
 /**
- * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
- * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ * Build the JSON body for `POST /oauth2/signin` (matches the browser `oauth2-ui` form).
+ *
+ * `device.client_type` MUST be a value present in the EACP whitelist defined by
+ * `kweaver/deploy/auto_cofig/auto_config.sh`. `console_web` is the canonical CLI value
+ * (also used by `kweaver-admin`); other values such as `unknown` are rejected by strict
+ * deployments with `管理员已禁止此类客户端登录` — surfaced upstream as a `request_forbidden`
+ * `No CSRF value available in the session cookie` error after Hydra discards the rejected
+ * login challenge.
+ *
+ * `vcode` and `dualfactorauthinfo` must be present even when empty; otherwise eachttpserver
+ * returns HTTP 400 (invalid parameter).
  */
-export declare function isStudiowebShellUnavailableError(err: unknown): boolean;
+export declare function buildOauth2SigninPostBody(opts: {
+    csrftoken: string;
+    challenge: string;
+    account: string;
+    passwordCipher: string;
+    remember: boolean;
+}): Record<string, unknown>;
 /**
  * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
  * `POST /oauth2/signin` with an RSA PKCS#1 v1.5–encrypted password (same as the browser `rsa.min` / Studio