@kweaver-ai/kweaver-sdk 0.6.6 → 0.6.7

package/README.md

@@ -153,8 +153,11 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## CLI Reference
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
 # -u/-p (with or without --http-signin): HTTP POST /oauth2/signin (yields refresh_token). Missing -u/-p are prompted from stdin (password hidden when TTY).
+# If the server returns error 401001017 (initial password), TTY users get a prompt to set a new password; non-interactive scripts must pass --new-password <pwd>.
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
+# EACP POST /api/eacp/v1/auth1/modifypassword — no OAuth token required. Omit -o/-n on a TTY to be prompted.
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (headless login)
 kweaver auth export [url|alias] [--json]   (export command to run on a headless host)
 kweaver auth status / whoami [url|alias] [--json]   # whoami: --json; with KWEAVER_BASE_URL+KWEAVER_TOKEN when no ~/.kweaver/ platform

package/README.zh.md

@@ -146,8 +146,10 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## 命令速查
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
 # -u/-p（无论是否带 --http-signin）：HTTP POST /oauth2/signin（可拿 refresh_token）；缺失的用户名/密码会从 stdin 提示输入（TTY 下密码隐藏）
+# 若服务端返回 401001017（初始密码），交互终端会引导修改；非交互请使用 --new-password <pwd>。
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (无浏览器登录)
 kweaver auth export [url|alias] [--json]   (导出在无浏览器机器上运行的命令)
 kweaver auth status / whoami [url|alias] [--json]   # whoami 支持 --json；无 ~/.kweaver/ 当前平台时可配 KWEAVER_BASE_URL+KWEAVER_TOKEN

package/dist/api/toolboxes.js

@@ -12,8 +12,8 @@ import { buildHeaders } from "./headers.js";
 //   POST   /tool-box/{id}/tools/status enable/disable (batch)
 //
 // Verified during Task 8 e2e against the live backend (2026-04-18):
-//   GET    /tool-box?keyword=&limit=&offset=  list toolboxes
-//   GET    /tool-box/{id}/tool                list tools
+//   GET    /tool-box/list?keyword=&limit=&offset=  list toolboxes
+//   GET    /tool-box/{id}/tools/list               list tools
 const PATH = "/api/agent-operator-integration/v1/tool-box";
 function url(base, suffix = "") {
     return `${base.replace(/\/+$/, "")}${PATH}${suffix}`;
@@ -74,7 +74,7 @@ export async function listToolboxes(opts) {
         qp.set("limit", String(opts.limit));
     if (opts.offset !== undefined)
         qp.set("offset", String(opts.offset));
-    const suffix = qp.toString() ? `?${qp}` : "";
+    const suffix = `/list${qp.toString() ? `?${qp}` : ""}`;
     const { body } = await fetchTextOrThrow(url(opts.baseUrl, suffix), {
         method: "GET",
         headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
@@ -82,7 +82,7 @@ export async function listToolboxes(opts) {
     return body;
 }
 export async function listTools(opts) {
-    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tool`), {
+    const { body } = await fetchTextOrThrow(url(opts.baseUrl, `/${encodeURIComponent(opts.boxId)}/tools/list`), {
         method: "GET",
         headers: buildHeaders(opts.accessToken, opts.businessDomain ?? "bd_public"),
     });

package/dist/auth/eacp-modify-password.d.ts

@@ -0,0 +1,25 @@
+/** Encrypt a password with EACP modifypassword's RSA public key, base64-encoded. */
+export declare function encryptModifyPwd(plain: string, publicKeyPem?: string): string;
+/** @internal For unit tests: decrypt ciphertext produced by encryptModifyPwd with the embedded key. */
+export declare function decryptModifyPwdForTest(cipherB64: string): string;
+export interface EacpModifyPasswordOptions {
+    account: string;
+    oldPassword: string;
+    newPassword: string;
+    /** Override the embedded RSA public key (PEM). */
+    publicKeyPem?: string;
+    tlsInsecure?: boolean;
+}
+export interface EacpModifyPasswordResult {
+    status: number;
+    ok: boolean;
+    body: string;
+    json?: unknown;
+}
+/**
+ * Call EACP `POST /api/eacp/v1/auth1/modifypassword` to change a user's password
+ * when the old password is known (`isforgetpwd: false`).
+ *
+ * No bearer token / cookie is required — the endpoint authenticates by old password.
+ */
+export declare function eacpModifyPassword(baseUrl: string, options: EacpModifyPasswordOptions): Promise<EacpModifyPasswordResult>;

package/dist/auth/eacp-modify-password.js

@@ -0,0 +1,84 @@
+import { constants as cryptoConstants, createPrivateKey, createPublicKey, privateDecrypt, publicEncrypt, } from "node:crypto";
+import { normalizeBaseUrl, runWithTlsInsecure } from "./oauth.js";
+/**
+ * 1024-bit RSA private key embedded in ShareServer
+ * (`isf/ShareServer/src/eachttpserver/ncEACHttpServerUtil.cpp`, function
+ * `ncEACHttpServerUtil::RSADecrypt`). It is the keypair used by the EACP
+ * `auth1/modifypassword` endpoint to decrypt `oldpwd` / `newpwd`.
+ *
+ * Note: this key is intentionally hard-coded in the C++ binary and shipped to
+ * every customer; it is not a secret. We embed it here so the CLI can perform
+ * the matching `RSA_PKCS1` encryption without contacting the server.
+ */
+const EACP_MODIFYPWD_PRIVATE_KEY_PEM = `-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDB2fhLla9rMx+6LWTXajnK11Kdp520s1Q+TfPfIXI/7G9+L2YC
+4RA3M5rgRi32s5+UFQ/CVqUFqMqVuzaZ4lw/uEdk1qHcP0g6LB3E9wkl2FclFR0M
++/HrWmxPoON+0y/tFQxxfNgsUodFzbdh0XY1rIVUIbPLvufUBbLKXHDPpwIDAQAB
+AoGBALCM/H6ajXFs1nCR903aCVicUzoS9qckzI0SIhIOPCfMBp8+PAJTSJl9/ohU
+YnhVj/kmVXwBvboxyJAmOcxdRPWL7iTk5nA1oiVXMer3Wby+tRg/ls91xQbJLVv3
+oGSt7q0CXxJpRH2oYkVVlMMlZUwKz3ovHiLKAnhw+jEsdL2BAkEA9hA97yyeA2eq
+f9dMu/ici99R3WJRRtk4NEI4WShtWPyziDg48d3SOzYmhEJjPuOo3g1ze01os70P
+ApE7d0qcyQJBAMmt+FR8h5MwxPQPAzjh/fTuTttvUfBeMiUDrIycK1I/L96lH+fU
+i4Nu+7TPOzExnPeGO5UJbZxrpIEUB7Zs8O8CQQCLzTCTGiNwxc5eMgH77kVrRudp
+Q7nv6ex/7Hu9VDXEUFbkdyULbj9KuvppPJrMmWZROw04qgNp02mayM8jeLXZAkEA
+o+PM/pMn9TPXiWE9xBbaMhUKXgXLd2KEq1GeAbHS/oY8l1hmYhV1vjwNLbSNrH9d
+yEP73TQJL+jFiONHFTbYXwJAU03Xgum5mLIkX/02LpOrz2QCdfX1IMJk2iKi9osV
+KqfbvHsF0+GvFGg18/FXStG9Kr4TjqLsygQJT76/MnMluw==
+-----END RSA PRIVATE KEY-----`;
+let cachedPubKey;
+function getModifyPwdPublicKey() {
+    if (!cachedPubKey) {
+        cachedPubKey = createPublicKey(createPrivateKey(EACP_MODIFYPWD_PRIVATE_KEY_PEM));
+    }
+    return cachedPubKey;
+}
+/** Encrypt a password with EACP modifypassword's RSA public key, base64-encoded. */
+export function encryptModifyPwd(plain, publicKeyPem) {
+    const key = publicKeyPem ? createPublicKey(publicKeyPem) : getModifyPwdPublicKey();
+    const buf = publicEncrypt({ key, padding: cryptoConstants.RSA_PKCS1_PADDING }, Buffer.from(plain, "utf8"));
+    return buf.toString("base64");
+}
+/** @internal For unit tests: decrypt ciphertext produced by encryptModifyPwd with the embedded key. */
+export function decryptModifyPwdForTest(cipherB64) {
+    const key = createPrivateKey(EACP_MODIFYPWD_PRIVATE_KEY_PEM);
+    const buf = privateDecrypt({ key, padding: cryptoConstants.RSA_PKCS1_PADDING }, Buffer.from(cipherB64, "base64"));
+    return buf.toString("utf8");
+}
+/**
+ * Call EACP `POST /api/eacp/v1/auth1/modifypassword` to change a user's password
+ * when the old password is known (`isforgetpwd: false`).
+ *
+ * No bearer token / cookie is required — the endpoint authenticates by old password.
+ */
+export async function eacpModifyPassword(baseUrl, options) {
+    return runWithTlsInsecure(options.tlsInsecure, async () => {
+        const body = {
+            account: options.account,
+            oldpwd: encryptModifyPwd(options.oldPassword, options.publicKeyPem),
+            newpwd: encryptModifyPwd(options.newPassword, options.publicKeyPem),
+            vcodeinfo: {
+                uuid: "",
+                vcode: "",
+            },
+            isforgetpwd: false,
+        };
+        const url = `${normalizeBaseUrl(baseUrl)}/api/eacp/v1/auth1/modifypassword`;
+        const resp = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Accept: "application/json, text/plain, */*",
+            },
+            body: JSON.stringify(body),
+        });
+        const text = await resp.text();
+        let json;
+        try {
+            json = text ? JSON.parse(text) : undefined;
+        }
+        catch {
+            /* not JSON */
+        }
+        return { status: resp.status, ok: resp.ok, body: text, json };
+    });
+}

package/dist/auth/oauth.d.ts

@@ -1,4 +1,17 @@
 import { type TokenConfig } from "../config/store.js";
+/** Thrown when `POST /oauth2/signin` returns HTTP 401 with EACP code `401001017` (initial password must be changed). */
+export declare class InitialPasswordChangeRequiredError extends Error {
+    readonly code = 401001017;
+    readonly account: string;
+    readonly baseUrl: string;
+    readonly httpStatus = 401;
+    readonly serverMessage: string;
+    constructor(opts: {
+        account: string;
+        baseUrl: string;
+        serverMessage: string;
+    });
+}
 /**
  * Studioweb hardcoded LOGIN public key (PEM) — the single key used for HTTP `/oauth2/signin`.
  * Source: kweaver-ai/kweaver `deploy/auto_cofig/auto_config.sh` `LOGIN_PUBLIC_KEY`.

package/dist/auth/oauth.js

@@ -3,6 +3,21 @@ import { createPublicKey } from "node:crypto";
 import { isNoAuth } from "../config/no-auth.js";
 import { deleteClientConfig, getCurrentPlatform, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveUserId, saveClientConfig, saveNoAuthPlatform, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
 import { HttpError, NetworkRequestError, fetchWithRetry } from "../utils/http.js";
+/** Thrown when `POST /oauth2/signin` returns HTTP 401 with EACP code `401001017` (initial password must be changed). */
+export class InitialPasswordChangeRequiredError extends Error {
+    code = 401001017;
+    account;
+    baseUrl;
+    httpStatus = 401;
+    serverMessage;
+    constructor(opts) {
+        super(opts.serverMessage);
+        this.name = "InitialPasswordChangeRequiredError";
+        this.account = opts.account;
+        this.baseUrl = opts.baseUrl;
+        this.serverMessage = opts.serverMessage;
+    }
+}
 const TOKEN_TTL_SECONDS = 3600;
 /** Seconds before access token expiry to trigger refresh (matches Python ConfigAuth). */
 const REFRESH_THRESHOLD_SEC = 60;
@@ -1268,6 +1283,26 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
                 }
             }
             else {
+                if (postResp.status === 401) {
+                    try {
+                        const j = JSON.parse(bodyText);
+                        const c = j.code;
+                        if (c === 401001017 || c === "401001017") {
+                            const msg = typeof j.message === "string" && j.message.trim() !== ""
+                                ? j.message.trim()
+                                : "Initial password must be changed before login.";
+                            throw new InitialPasswordChangeRequiredError({
+                                account: options.username,
+                                baseUrl: base,
+                                serverMessage: msg,
+                            });
+                        }
+                    }
+                    catch (e) {
+                        if (e instanceof InitialPasswordChangeRequiredError)
+                            throw e;
+                    }
+                }
                 throw new HttpError(postResp.status, postResp.statusText, bodyText);
             }
         }
@@ -1610,6 +1645,9 @@ function isTlsVerificationDisabledForProcess() {
         process.env.KWEAVER_TLS_INSECURE === "true");
 }
 export function formatHttpError(error) {
+    if (error instanceof InitialPasswordChangeRequiredError) {
+        return `${error.serverMessage} (code ${error.code})`;
+    }
     if (error instanceof HttpError) {
         const oauthMessage = formatOAuthErrorBody(error.body);
         if (oauthMessage) {

package/dist/cli.js

@@ -23,9 +23,10 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (run on host without browser)
+  kweaver auth change-password [<platform-url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
   kweaver auth whoami [platform-url|alias] [--json]
   kweaver auth export [platform-url|alias] [--json]
   kweaver auth status [platform-url|alias]

package/dist/commands/auth.js

@@ -1,7 +1,8 @@
 import { isNoAuth } from "../config/no-auth.js";
-import { autoSelectBusinessDomain, clearPlatformSession, deletePlatform, deleteUser, getActiveUser, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, listUserProfiles, loadClientConfig, loadTokenConfig, resolveBusinessDomain, resolvePlatformIdentifier, resolveUserId, saveNoAuthPlatform, setActiveUser, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
+import { autoSelectBusinessDomain, clearPlatformSession, deletePlatform, deleteUser, getActiveUser, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, listUserProfiles, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveBusinessDomain, resolvePlatformIdentifier, resolveUserId, saveNoAuthPlatform, setActiveUser, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
 import { decodeJwtPayload } from "../config/jwt.js";
-import { buildCopyCommand, formatHttpError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, promptForUsername, promptForPassword, refreshTokenLogin, } from "../auth/oauth.js";
+import { eacpModifyPassword } from "../auth/eacp-modify-password.js";
+import { buildCopyCommand, formatHttpError, InitialPasswordChangeRequiredError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, promptForUsername, promptForPassword, refreshTokenLogin, } from "../auth/oauth.js";
 export async function runAuthCommand(args) {
     const target = args[0];
     const rest = args.slice(1);
@@ -17,6 +18,7 @@ kweaver auth users [url|alias]       List all user profiles (with usernames) for
 kweaver auth switch [url|alias] --user <id|username>  Switch active user for a platform
 kweaver auth logout [url|alias] [--user <id>]  Logout (clear local token)
 kweaver auth delete <url|alias> [--user <id>]  Delete saved credentials
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>]  Change password
 
 Login options:
   --alias <name>         Save platform with a short alias (use with use / status / logout)
@@ -34,13 +36,14 @@ Login options:
   -u, --username         Username for HTTP /oauth2/signin (POST). If -p is omitted, password is prompted.
   -p, --password         Password for HTTP /oauth2/signin (POST). If -u is omitted, username is prompted.
   --http-signin          Force HTTP /oauth2/signin (no browser). Missing -u/-p are prompted from stdin.
+  --new-password <pwd>   After HTTP sign-in error 401001017 (initial password), set the new password non-interactively, then retry login.
   --insecure, -k         Skip TLS certificate verification (self-signed / dev HTTPS only)
   --no-auth              Save platform without OAuth (servers with no authentication). Same as detecting OAuth 404 during login.`);
         return 0;
     }
     if (target === "login") {
         if (rest[0] === "--help" || rest[0] === "-h") {
-            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--refresh-token T --client-id ID --client-secret S]`);
+            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--refresh-token T --client-id ID --client-secret S]`);
             return 0;
         }
         const url = rest[0];
@@ -62,6 +65,9 @@ Login options:
     if (target === "switch") {
         return runAuthSwitchCommand(rest);
     }
+    if (target === "change-password") {
+        return runAuthChangePasswordCommand(rest);
+    }
     const LOGIN_SUBCOMMANDS = new Set(["status", "list", "use", "delete", "logout", "export", "whoami", "users", "switch"]);
     if (target && !LOGIN_SUBCOMMANDS.has(target)) {
         try {
@@ -80,6 +86,7 @@ Login options:
             const tlsInsecure = args.includes("--insecure") || args.includes("-k");
             const noAuth = args.includes("--no-auth");
             const noBrowser = args.includes("--no-browser");
+            const newPasswordFlag = readOption(args, "--new-password");
             if (args.includes("--redirect-uri")) {
                 console.error("Warning: --redirect-uri is deprecated and ignored. The redirect URI is always http://127.0.0.1:<port>/callback.");
             }
@@ -87,6 +94,7 @@ Login options:
                 "--alias", "--client-id", "--client-secret", "--refresh-token",
                 "--port", "--no-browser", "--username", "-u", "--password", "-p",
                 "--http-signin",
+                "--new-password",
                 "--oauth-product",
                 "--signin-public-key-file",
                 "--insecure", "-k", "--no-auth", "--redirect-uri",
@@ -94,6 +102,7 @@ Login options:
             const KNOWN_VALUE_FLAGS = new Set([
                 "--alias", "--client-id", "--client-secret", "--refresh-token",
                 "--port", "--username", "-u", "--password", "-p", "--redirect-uri",
+                "--new-password",
                 "--oauth-product",
                 "--signin-public-key-file",
             ]);
@@ -122,6 +131,10 @@ Login options:
                 console.error("--no-auth cannot be used with HTTP sign-in or -u/-p.");
                 return 1;
             }
+            if (newPasswordFlag !== undefined && (!username || !password)) {
+                console.error("--new-password requires -u/--username and -p/--password (HTTP sign-in).");
+                return 1;
+            }
             if (noBrowser && httpSignin) {
                 // HTTP sign-in already runs without a browser; --no-browser is a no-op signal here.
                 console.error("--http-signin already runs without a browser; --no-browser is redundant and ignored.");
@@ -161,22 +174,9 @@ Login options:
                     clientId, clientSecret, refreshToken, tlsInsecure,
                 });
             }
-            else if (username && password && httpSignin) {
-                console.log("Logging in (HTTP /oauth2/signin)...");
-                token = await oauth2PasswordSigninLogin(normalizedTarget, {
-                    username,
-                    password,
-                    tlsInsecure,
-                    port: customPort,
-                    clientId: clientId ?? undefined,
-                    clientSecret: clientSecret ?? undefined,
-                    oauthProduct: oauthProduct ?? undefined,
-                    signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
-                });
-            }
             else if (username && password) {
                 console.log("Logging in (HTTP /oauth2/signin)...");
-                token = await oauth2PasswordSigninLogin(normalizedTarget, {
+                token = await loginWithInitialPasswordRecovery(normalizedTarget, {
                     username,
                     password,
                     tlsInsecure,
@@ -185,7 +185,7 @@ Login options:
                     clientSecret: clientSecret ?? undefined,
                     oauthProduct: oauthProduct ?? undefined,
                     signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
-                });
+                }, { newPasswordFlag, tlsInsecure });
             }
             else {
                 if (noBrowser) {
@@ -635,3 +635,217 @@ function readOption(args, name) {
     }
     return args[index + 1];
 }
+const EACP_NEW_PWD_MIN = 6;
+const EACP_NEW_PWD_MAX = 100;
+function validateNewPasswordLengthForEacp(pwd) {
+    if (pwd.length < EACP_NEW_PWD_MIN || pwd.length > EACP_NEW_PWD_MAX) {
+        throw new Error(`New password must be between ${EACP_NEW_PWD_MIN} and ${EACP_NEW_PWD_MAX} characters.`);
+    }
+}
+function formatEacpModifyFailure(status, json, body) {
+    if (json && typeof json === "object" && json !== null) {
+        const o = json;
+        const msg = typeof o.message === "string" && o.message.trim() !== ""
+            ? o.message
+            : typeof o.cause === "string"
+                ? o.cause
+                : "";
+        if (msg)
+            return `Password change failed (HTTP ${status}): ${msg}`;
+    }
+    return `Password change failed (HTTP ${status}): ${body.slice(0, 500)}`;
+}
+async function promptYesNo(message) {
+    const { createInterface } = await import("node:readline");
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    return await new Promise((resolve, reject) => {
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
+        rl.question(`${message} [Y/n] `, (answer) => {
+            answered = true;
+            rl.close();
+            const a = answer.trim().toLowerCase();
+            resolve(a === "" || a === "y" || a === "yes");
+        });
+    });
+}
+async function loginWithInitialPasswordRecovery(normalizedTarget, signinOpts, recovery) {
+    try {
+        return await oauth2PasswordSigninLogin(normalizedTarget, signinOpts);
+    }
+    catch (e) {
+        if (!(e instanceof InitialPasswordChangeRequiredError))
+            throw e;
+        const err = e;
+        const account = signinOpts.username;
+        const oldPwd = signinOpts.password;
+        let newPwd = recovery.newPasswordFlag;
+        if (newPwd !== undefined) {
+            validateNewPasswordLengthForEacp(newPwd);
+        }
+        else if (process.stderr.isTTY) {
+            process.stderr.write(`${err.serverMessage}\n`);
+            const ok = await promptYesNo(`Account "${account}" must change its initial password. Proceed with password change now?`);
+            if (!ok) {
+                throw new Error("Initial password change declined. Run again when ready.");
+            }
+            const np1 = await promptForPassword("New password (6-100 characters)");
+            const np2 = await promptForPassword("Confirm new password");
+            if (np1 !== np2) {
+                throw new Error("New passwords do not match.");
+            }
+            validateNewPasswordLengthForEacp(np1);
+            newPwd = np1;
+        }
+        else {
+            throw new Error("This account must change its initial password (error 401001017). Re-run with --new-password <password> (non-interactive).");
+        }
+        const mod = await eacpModifyPassword(normalizedTarget, {
+            account,
+            oldPassword: oldPwd,
+            newPassword: newPwd,
+            tlsInsecure: recovery.tlsInsecure,
+        });
+        if (!mod.ok) {
+            throw new Error(formatEacpModifyFailure(mod.status, mod.json, mod.body));
+        }
+        return oauth2PasswordSigninLogin(normalizedTarget, {
+            ...signinOpts,
+            password: newPwd,
+        });
+    }
+}
+async function runAuthChangePasswordCommand(args) {
+    if (args[0] === "--help" || args[0] === "-h") {
+        console.log(`kweaver auth change-password [<platform-url>] [options]
+
+Change the EACP account password via POST /api/eacp/v1/auth1/modifypassword.
+No saved OAuth token is required.
+
+Options:
+  -u, --account <name>       Account / login name. On TTY, defaults to the current active user
+                             after a confirmation prompt. Required in non-interactive mode.
+  -o, --old-password <pwd>   Current password (omit on TTY to be prompted)
+  -n, --new-password <pwd>   New password, 6-100 characters (omit on TTY to be prompted)
+  --insecure, -k             Skip TLS certificate verification (defaults to the platform's saved
+                             preference set at login with -k; pass to override per-call)
+
+Platform URL is optional; defaults to the current active platform (kweaver auth use).`);
+        return 0;
+    }
+    const KNOWN_CP_FLAGS = new Set([
+        "-u",
+        "--account",
+        "-o",
+        "--old-password",
+        "-n",
+        "--new-password",
+        "--insecure",
+        "-k",
+        "--help",
+        "-h",
+    ]);
+    const KNOWN_CP_VALUE = new Set([
+        "-u",
+        "--account",
+        "-o",
+        "--old-password",
+        "-n",
+        "--new-password",
+    ]);
+    // First positional (if present and not a flag) is the platform URL or alias.
+    const positional = args[0] && !args[0].startsWith("-") ? args[0] : undefined;
+    const flagArgs = positional ? args.slice(1) : args;
+    for (let i = 0; i < flagArgs.length; i++) {
+        const a = flagArgs[i];
+        if (a.startsWith("-") && !KNOWN_CP_FLAGS.has(a)) {
+            console.error(`Unknown option: ${a}`);
+            console.error("Run 'kweaver auth change-password --help' for usage.");
+            return 1;
+        }
+        if (KNOWN_CP_VALUE.has(a))
+            i++;
+    }
+    const normalizedTarget = resolvePlatformArg(positional ? [positional] : []);
+    if (!normalizedTarget) {
+        console.error("No platform resolved. Pass <platform-url|alias> or run `kweaver auth use <url|alias>` first.");
+        return 1;
+    }
+    let account = readOption(flagArgs, "--account") ?? readOption(flagArgs, "-u");
+    let oldPassword = readOption(flagArgs, "--old-password") ?? readOption(flagArgs, "-o");
+    let newPassword = readOption(flagArgs, "--new-password") ?? readOption(flagArgs, "-n");
+    const explicitTlsInsecure = flagArgs.includes("--insecure") || flagArgs.includes("-k");
+    // Resolve the active user's saved token; we use it both to default the account
+    // and to inherit the platform's saved tlsInsecure preference (set at login with -k).
+    const activeUser = getActiveUser(normalizedTarget);
+    const activeToken = activeUser ? loadUserTokenConfig(normalizedTarget, activeUser) : null;
+    const tlsInsecure = explicitTlsInsecure || activeToken?.tlsInsecure === true;
+    const interactive = process.stdin.isTTY === true && process.stderr.isTTY === true;
+    const accountWasExplicit = !!account?.trim();
+    // Account resolution (with safety guards):
+    // - Explicit -u always wins.
+    // - Non-TTY + no -u: REFUSE. Silently using the active account in CI / pipes
+    //   would let scripts modify the wrong account's password without warning.
+    // - TTY + no -u: default to the active user's displayName, but require an
+    //   interactive yes/no confirmation before proceeding.
+    if (!accountWasExplicit) {
+        const defaultAccount = activeToken?.displayName?.trim();
+        if (!defaultAccount) {
+            console.error("Cannot determine current account on the platform. Pass -u/--account, or log in first (kweaver auth login ...).");
+            return 1;
+        }
+        if (!interactive) {
+            console.error(`Refusing to default account in non-interactive mode. Pass -u/--account explicitly (would have used "${defaultAccount}").`);
+            return 1;
+        }
+        const ok = await promptYesNo(`Change password for account "${defaultAccount}" on ${normalizedTarget}?`);
+        if (!ok) {
+            console.error("Aborted by user.");
+            return 1;
+        }
+        account = defaultAccount;
+    }
+    const trimmedAccount = account.trim();
+    try {
+        if (!interactive) {
+            if (!oldPassword || !newPassword) {
+                console.error("In non-interactive mode, --old-password and --new-password are required.");
+                return 1;
+            }
+        }
+        else {
+            if (!oldPassword) {
+                oldPassword = await promptForPassword("Old password");
+            }
+            if (!newPassword) {
+                const n1 = await promptForPassword("New password (6-100 characters)");
+                const n2 = await promptForPassword("Confirm new password");
+                if (n1 !== n2) {
+                    console.error("New passwords do not match.");
+                    return 1;
+                }
+                newPassword = n1;
+            }
+        }
+        validateNewPasswordLengthForEacp(newPassword);
+        const result = await eacpModifyPassword(normalizedTarget, {
+            account: trimmedAccount,
+            oldPassword: oldPassword,
+            newPassword: newPassword,
+            tlsInsecure,
+        });
+        if (!result.ok) {
+            console.error(`${formatEacpModifyFailure(result.status, result.json, result.body)} (account="${trimmedAccount}")`);
+            return 1;
+        }
+        console.log(`Password changed for ${trimmedAccount} on ${normalizedTarget}`);
+        return 0;
+    }
+    catch (e) {
+        console.error(`${formatHttpError(e)}\n(account="${trimmedAccount}")`);
+        return 1;
+    }
+}

package/dist/index.d.ts

@@ -62,4 +62,5 @@ export type { TokenConfig, ContextLoaderEntry, ContextLoaderConfig, } from "./co
 export type { UserProfile } from "./config/store.js";
 export { NO_AUTH_TOKEN, isNoAuth, saveNoAuthPlatform, autoSelectBusinessDomain, getConfigDir, getCurrentPlatform, getActiveUser, setActiveUser, listUsers, listUserProfiles, resolveUserId, extractUserId, } from "./config/store.js";
 export { decodeJwtPayload, extractUserIdFromJwt } from "./config/jwt.js";
-export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, InitialPasswordChangeRequiredError, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { eacpModifyPassword, encryptModifyPwd } from "./auth/eacp-modify-password.js";

package/dist/index.js

@@ -50,4 +50,5 @@ export { NO_AUTH_TOKEN, isNoAuth, saveNoAuthPlatform, autoSelectBusinessDomain,
 // ── JWT utilities ─────────────────────────────────────────────────────────────
 export { decodeJwtPayload, extractUserIdFromJwt } from "./config/jwt.js";
 // ── OAuth (advanced — CLI uses these internally; optional for custom login tools) ─
-export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, InitialPasswordChangeRequiredError, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { eacpModifyPassword, encryptModifyPwd } from "./auth/eacp-modify-password.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kweaver-ai/kweaver-sdk",
-  "version": "0.6.6",
+  "version": "0.6.7",
   "description": "KWeaver TypeScript SDK — CLI tool and programmatic API for knowledge networks and Decision Agents.",
   "type": "module",
   "main": "./dist/index.js",