@m1a0rz/agent-identity 0.1.2

package/dist/src/services/session-refresh.js

@@ -0,0 +1,38 @@
+/**
+ * Session token refresh: when userToken expires, use refresh_token to get new tokens.
+ * Used by before_agent_start when GetWorkloadAccessTokenForJWT fails with "token has expired".
+ */
+import { getSession, setSession } from "../store/session-store.js";
+import { fetchOIDCDiscovery, refreshAccessToken } from "./oidc-client.js";
+/**
+ * Refresh session userToken using refresh_token grant.
+ * Updates session with new userToken (and rotated refresh_token if returned).
+ * Returns the new userToken or null if refresh failed or no refresh token.
+ */
+export async function refreshSessionUserToken(storeDir, sessionKey, getOidcConfig) {
+    const session = await getSession(storeDir, sessionKey);
+    if (!session?.refreshToken)
+        return null;
+    try {
+        const config = await getOidcConfig();
+        const discovery = await fetchOIDCDiscovery(config.discoveryUrl);
+        const tokens = await refreshAccessToken({
+            tokenEndpoint: discovery.token_endpoint,
+            clientId: config.clientId,
+            clientSecret: config.clientSecret,
+            refreshToken: session.refreshToken,
+        });
+        const userToken = tokens.id_token ?? tokens.access_token;
+        const newRefreshToken = tokens.refresh_token ?? session.refreshToken;
+        await setSession(storeDir, sessionKey, {
+            ...session,
+            userToken,
+            refreshToken: newRefreshToken,
+            expiresAt: Date.now() + (tokens.expires_in ?? 3600) * 1000,
+        });
+        return userToken;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/src/store/credential-env-bindings.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Credential-to-env-var bindings, per sessionKey.
+ * Used by `identity set <provider> <envVar>` to configure injection of stored credentials.
+ * Format: { [sessionKey]: { [provider]: envVar } }.
+ */
+/**
+ * Get bindings for a session.
+ */
+export declare function loadCredentialEnvBindings(storeDir: string, sessionKey?: string | null): Promise<Record<string, string>>;
+/**
+ * Load all bindings (for list-tips etc). Returns { sessionKey: { provider: envVar } }.
+ */
+export declare function loadAllCredentialEnvBindings(storeDir: string): Promise<Record<string, Record<string, string>>>;
+export declare function setCredentialEnvBinding(storeDir: string, sessionKey: string, provider: string, envVar: string): Promise<void>;
+export declare function deleteCredentialEnvBinding(storeDir: string, sessionKey: string, provider: string): Promise<void>;
+//# sourceMappingURL=credential-env-bindings.d.ts.map

package/dist/src/store/credential-env-bindings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-env-bindings.d.ts","sourceRoot":"","sources":["../../../src/store/credential-env-bindings.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA6BH;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,MAAM,EAChB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,GACzB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAIjC;AAED;;GAEG;AACH,wBAAsB,4BAA4B,CAChD,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAEjD;AAED,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAWf"}

package/dist/src/store/credential-env-bindings.js

@@ -0,0 +1,61 @@
+/**
+ * Credential-to-env-var bindings, per sessionKey.
+ * Used by `identity set <provider> <envVar>` to configure injection of stored credentials.
+ * Format: { [sessionKey]: { [provider]: envVar } }.
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+const BINDINGS_FILENAME = "credential-env-bindings.json";
+async function loadBindingsFile(storeDir) {
+    const p = path.join(storeDir, BINDINGS_FILENAME);
+    try {
+        const raw = await fs.readFile(p, "utf-8");
+        const parsed = JSON.parse(raw);
+        const entries = Object.entries(parsed ?? {}).filter(([, v]) => typeof v === "object" && v !== null && !Array.isArray(v));
+        return Object.fromEntries(entries);
+    }
+    catch {
+        return {};
+    }
+}
+async function saveBindingsFile(storeDir, data) {
+    await fs.mkdir(storeDir, { recursive: true });
+    const p = path.join(storeDir, BINDINGS_FILENAME);
+    await fs.writeFile(p, JSON.stringify(data, null, 2), "utf-8");
+}
+/**
+ * Get bindings for a session.
+ */
+export async function loadCredentialEnvBindings(storeDir, sessionKey) {
+    if (!sessionKey)
+        return {};
+    const file = await loadBindingsFile(storeDir);
+    return file[sessionKey] ?? {};
+}
+/**
+ * Load all bindings (for list-tips etc). Returns { sessionKey: { provider: envVar } }.
+ */
+export async function loadAllCredentialEnvBindings(storeDir) {
+    return loadBindingsFile(storeDir);
+}
+export async function setCredentialEnvBinding(storeDir, sessionKey, provider, envVar) {
+    const file = await loadBindingsFile(storeDir);
+    const session = file[sessionKey] ?? {};
+    session[provider] = envVar;
+    file[sessionKey] = session;
+    await saveBindingsFile(storeDir, file);
+}
+export async function deleteCredentialEnvBinding(storeDir, sessionKey, provider) {
+    const file = await loadBindingsFile(storeDir);
+    const session = file[sessionKey];
+    if (!session || !(provider in session))
+        return;
+    delete session[provider];
+    if (Object.keys(session).length === 0) {
+        delete file[sessionKey];
+    }
+    else {
+        file[sessionKey] = session;
+    }
+    await saveBindingsFile(storeDir, file);
+}

package/dist/src/store/credential-store.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Credential store: (sessionKey, provider) -> credential (in-memory only).
+ * Credentials are per-session; not persisted; lost on gateway restart.
+ */
+export type ApiKeyCredential = {
+    type: "api_key";
+    key: string;
+    value?: string;
+    /** When set, resolve value from process.env at read time (do not persist). */
+    valueFromEnv?: string;
+};
+export type OAuth2Credential = {
+    type: "oauth2";
+    status: "pending_auth" | "authenticated" | "expired";
+    accessToken?: string;
+    refreshToken?: string;
+    expiresAt?: number;
+    scopes?: string[];
+};
+export type CredentialEntry = ApiKeyCredential | OAuth2Credential;
+export declare function loadCredentials(_storeDir: string, sessionKey?: string): Promise<Record<string, CredentialEntry>>;
+export declare function getCredential(_storeDir: string, sessionKey: string, provider: string): Promise<CredentialEntry | null>;
+/**
+ * Resolve the actual value for a credential (for injection).
+ * For api_key with valueFromEnv, reads from process.env at runtime.
+ */
+export declare function resolveCredentialValue(entry: CredentialEntry): string | undefined;
+export declare function setCredential(_storeDir: string, sessionKey: string, provider: string, entry: CredentialEntry): Promise<void>;
+/** Remove all credentials for a session (e.g. on logout). */
+export declare function deleteCredentialsForSession(_storeDir: string, sessionKey: string): void;
+//# sourceMappingURL=credential-store.d.ts.map

package/dist/src/store/credential-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../../src/store/credential-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,QAAQ,CAAC;IACf,MAAM,EAAE,cAAc,GAAG,eAAe,GAAG,SAAS,CAAC;IACrD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;AAUlE,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAW1C;AAED,wBAAsB,aAAa,CACjC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAQjC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAOjF;AAED,wBAAsB,aAAa,CACjC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,6DAA6D;AAC7D,wBAAgB,2BAA2B,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAKvF"}

package/dist/src/store/credential-store.js

@@ -0,0 +1,57 @@
+/**
+ * Credential store: (sessionKey, provider) -> credential (in-memory only).
+ * Credentials are per-session; not persisted; lost on gateway restart.
+ */
+const SESSION_PROVIDER_SEP = "\0";
+function credKey(sessionKey, provider) {
+    return `${sessionKey}${SESSION_PROVIDER_SEP}${provider}`;
+}
+const credentials = new Map();
+export async function loadCredentials(_storeDir, sessionKey) {
+    const all = Object.fromEntries(credentials);
+    if (!sessionKey)
+        return all;
+    const out = {};
+    for (const [k, v] of Object.entries(all)) {
+        const [, prov] = k.split(SESSION_PROVIDER_SEP);
+        if (prov && k.startsWith(sessionKey + SESSION_PROVIDER_SEP)) {
+            out[prov] = v;
+        }
+    }
+    return out;
+}
+export async function getCredential(_storeDir, sessionKey, provider) {
+    const entry = credentials.get(credKey(sessionKey, provider));
+    if (!entry)
+        return null;
+    if (entry.type === "oauth2" && entry.expiresAt && entry.expiresAt < Date.now()) {
+        entry.status = "expired";
+        return entry;
+    }
+    return entry;
+}
+/**
+ * Resolve the actual value for a credential (for injection).
+ * For api_key with valueFromEnv, reads from process.env at runtime.
+ */
+export function resolveCredentialValue(entry) {
+    if (entry.type === "oauth2" && entry.accessToken)
+        return entry.accessToken;
+    if (entry.type === "api_key") {
+        if (entry.valueFromEnv)
+            return process.env[entry.valueFromEnv];
+        return entry.value;
+    }
+    return undefined;
+}
+export async function setCredential(_storeDir, sessionKey, provider, entry) {
+    credentials.set(credKey(sessionKey, provider), entry);
+}
+/** Remove all credentials for a session (e.g. on logout). */
+export function deleteCredentialsForSession(_storeDir, sessionKey) {
+    const prefix = sessionKey + SESSION_PROVIDER_SEP;
+    for (const k of [...credentials.keys()]) {
+        if (k.startsWith(prefix))
+            credentials.delete(k);
+    }
+}

package/dist/src/store/oidc-state-store.d.ts

@@ -0,0 +1,15 @@
+/**
+ * OAuth2 state store for OIDC login flow (in-memory only).
+ * Stores state -> { sessionKey, redirectUri, deliveryTarget? } with TTL. Lost on gateway restart.
+ */
+import type { SessionKeyDeliveryTarget } from "../utils/derive-session-key.js";
+export type OIDCStateEntry = {
+    sessionKey: string;
+    redirectUri: string;
+    createdAt: number;
+    /** Delivery target for sending follow-up message; avoids parsing sessionKey. */
+    deliveryTarget?: SessionKeyDeliveryTarget | null;
+};
+export declare function createState(_storeDir: string, sessionKey: string, redirectUri: string, state: string, deliveryTarget?: SessionKeyDeliveryTarget | null): Promise<void>;
+export declare function consumeState(_storeDir: string, state: string): Promise<OIDCStateEntry | null>;
+//# sourceMappingURL=oidc-state-store.d.ts.map

package/dist/src/store/oidc-state-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-state-store.d.ts","sourceRoot":"","sources":["../../../src/store/oidc-state-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAE/E,MAAM,MAAM,cAAc,GAAG;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;CAClD,CAAC;AAYF,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,GAC/C,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAOhC"}

package/dist/src/store/oidc-state-store.js

@@ -0,0 +1,32 @@
+/**
+ * OAuth2 state store for OIDC login flow (in-memory only).
+ * Stores state -> { sessionKey, redirectUri, deliveryTarget? } with TTL. Lost on gateway restart.
+ */
+const STATE_TTL_MS = 5 * 60 * 1000; // 5 min
+const states = new Map();
+function pruneExpired() {
+    const now = Date.now();
+    for (const [k, v] of states.entries()) {
+        if (now - v.createdAt >= STATE_TTL_MS)
+            states.delete(k);
+    }
+}
+export async function createState(_storeDir, sessionKey, redirectUri, state, deliveryTarget) {
+    pruneExpired();
+    states.set(state, {
+        sessionKey,
+        redirectUri,
+        createdAt: Date.now(),
+        deliveryTarget: deliveryTarget ?? undefined,
+    });
+}
+export async function consumeState(_storeDir, state) {
+    pruneExpired();
+    const entry = states.get(state);
+    states.delete(state);
+    if (!entry)
+        return null;
+    if (Date.now() - entry.createdAt > STATE_TTL_MS)
+        return null;
+    return entry;
+}

package/dist/src/store/session-store.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Session store: sessionKey → userToken mapping.
+ * Persists to ~/.openclaw/plugins/identity/sessions.json
+ * Prunes expired entries on load/save to prevent growth.
+ */
+export type SessionEntry = {
+    userToken: string;
+    sub: string;
+    /** OIDC refresh token for silent token renewal. */
+    refreshToken?: string;
+    claims?: Record<string, unknown>;
+    loginAt: number;
+    expiresAt?: number;
+};
+export declare function ensureStoreDir(storeDir: string): Promise<void>;
+export declare function loadSessions(storeDir: string): Promise<Record<string, SessionEntry>>;
+export declare function saveSessions(storeDir: string, sessions: Record<string, SessionEntry>): Promise<void>;
+export declare function getSession(storeDir: string, sessionKey: string): Promise<SessionEntry | null>;
+export declare function setSession(storeDir: string, sessionKey: string, entry: SessionEntry): Promise<void>;
+export declare function deleteSession(storeDir: string, sessionKey: string): Promise<void>;
+//# sourceMappingURL=session-store.d.ts.map

package/dist/src/store/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../../src/store/session-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAMF,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE;AAeD,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAc1F;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,GACrC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAU9B;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF"}

package/dist/src/store/session-store.js

@@ -0,0 +1,69 @@
+/**
+ * Session store: sessionKey → userToken mapping.
+ * Persists to ~/.openclaw/plugins/identity/sessions.json
+ * Prunes expired entries on load/save to prevent growth.
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+const SESSIONS_FILENAME = "sessions.json";
+/** Max session age when no expiresAt (e.g. legacy entries). Default 30 days. */
+const MAX_SESSION_AGE_MS = 30 * 24 * 60 * 60 * 1000;
+export async function ensureStoreDir(storeDir) {
+    await fs.mkdir(storeDir, { recursive: true });
+}
+function pruneExpiredSessions(sessions) {
+    const now = Date.now();
+    const pruned = {};
+    for (const [k, v] of Object.entries(sessions)) {
+        if (v.expiresAt != null && v.expiresAt < now)
+            continue;
+        if (v.expiresAt == null && now - v.loginAt > MAX_SESSION_AGE_MS)
+            continue;
+        pruned[k] = v;
+    }
+    return pruned;
+}
+export async function loadSessions(storeDir) {
+    const sessionsPath = path.join(storeDir, SESSIONS_FILENAME);
+    let sessions;
+    try {
+        const raw = await fs.readFile(sessionsPath, "utf-8");
+        sessions = JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+    const pruned = pruneExpiredSessions(sessions);
+    if (Object.keys(pruned).length < Object.keys(sessions).length) {
+        await saveSessions(storeDir, pruned);
+    }
+    return pruned;
+}
+export async function saveSessions(storeDir, sessions) {
+    const pruned = pruneExpiredSessions(sessions);
+    await ensureStoreDir(storeDir);
+    const sessionsPath = path.join(storeDir, SESSIONS_FILENAME);
+    await fs.writeFile(sessionsPath, JSON.stringify(pruned, null, 2), "utf-8");
+}
+export async function getSession(storeDir, sessionKey) {
+    const sessions = await loadSessions(storeDir);
+    const entry = sessions[sessionKey];
+    if (!entry)
+        return null;
+    if (entry.expiresAt && entry.expiresAt < Date.now()) {
+        delete sessions[sessionKey];
+        await saveSessions(storeDir, sessions);
+        return null;
+    }
+    return entry;
+}
+export async function setSession(storeDir, sessionKey, entry) {
+    const sessions = await loadSessions(storeDir);
+    sessions[sessionKey] = entry;
+    await saveSessions(storeDir, sessions);
+}
+export async function deleteSession(storeDir, sessionKey) {
+    const sessions = await loadSessions(storeDir);
+    delete sessions[sessionKey];
+    await saveSessions(storeDir, sessions);
+}

package/dist/src/store/tip-store.d.ts

@@ -0,0 +1,21 @@
+/**
+ * TIP (Trusted Identity Provider) token store.
+ * Caches sessionKey → TIP token mapping.
+ * Persists to ~/.openclaw/plugins/identity/tip-tokens.json
+ * Prunes expired entries on load/save to prevent growth.
+ */
+export type TIPTokenEntry = {
+    token: string;
+    sub: string;
+    agentId?: string;
+    chain?: string[];
+    issuedAt: number;
+    expiresAt: number;
+    parentSessionKey?: string;
+};
+export declare function ensureStoreDir(storeDir: string): Promise<void>;
+export declare function loadTIPTokens(storeDir: string): Promise<Record<string, TIPTokenEntry>>;
+export declare function saveTIPTokens(storeDir: string, tokens: Record<string, TIPTokenEntry>): Promise<void>;
+export declare function getTIPToken(storeDir: string, sessionKey: string): Promise<TIPTokenEntry | null>;
+export declare function setTIPToken(storeDir: string, sessionKey: string, entry: TIPTokenEntry): Promise<void>;
+//# sourceMappingURL=tip-store.d.ts.map

package/dist/src/store/tip-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tip-store.d.ts","sourceRoot":"","sources":["../../../src/store/tip-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAIF,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE;AAaD,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAc5F;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GACpC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAU/B;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf"}

package/dist/src/store/tip-store.js

@@ -0,0 +1,60 @@
+/**
+ * TIP (Trusted Identity Provider) token store.
+ * Caches sessionKey → TIP token mapping.
+ * Persists to ~/.openclaw/plugins/identity/tip-tokens.json
+ * Prunes expired entries on load/save to prevent growth.
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+const TIP_TOKENS_FILENAME = "tip-tokens.json";
+export async function ensureStoreDir(storeDir) {
+    await fs.mkdir(storeDir, { recursive: true });
+}
+function pruneExpiredTIPTokens(tokens) {
+    const now = Date.now();
+    const pruned = {};
+    for (const [k, v] of Object.entries(tokens)) {
+        if (v.expiresAt >= now)
+            pruned[k] = v;
+    }
+    return pruned;
+}
+export async function loadTIPTokens(storeDir) {
+    const tipPath = path.join(storeDir, TIP_TOKENS_FILENAME);
+    let tokens;
+    try {
+        const raw = await fs.readFile(tipPath, "utf-8");
+        tokens = JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+    const pruned = pruneExpiredTIPTokens(tokens);
+    if (Object.keys(pruned).length < Object.keys(tokens).length) {
+        await saveTIPTokens(storeDir, pruned);
+    }
+    return pruned;
+}
+export async function saveTIPTokens(storeDir, tokens) {
+    const pruned = pruneExpiredTIPTokens(tokens);
+    await ensureStoreDir(storeDir);
+    const tipPath = path.join(storeDir, TIP_TOKENS_FILENAME);
+    await fs.writeFile(tipPath, JSON.stringify(pruned, null, 2), "utf-8");
+}
+export async function getTIPToken(storeDir, sessionKey) {
+    const tokens = await loadTIPTokens(storeDir);
+    const entry = tokens[sessionKey];
+    if (!entry)
+        return null;
+    if (entry.expiresAt < Date.now()) {
+        delete tokens[sessionKey];
+        await saveTIPTokens(storeDir, tokens);
+        return null;
+    }
+    return entry;
+}
+export async function setTIPToken(storeDir, sessionKey, entry) {
+    const tokens = await loadTIPTokens(storeDir);
+    tokens[sessionKey] = entry;
+    await saveTIPTokens(storeDir, tokens);
+}

package/dist/src/store/tool-approval-store.d.ts

@@ -0,0 +1,44 @@
+/**
+ * In-memory store for tool approval flow.
+ * Pending: awaiting user approval. Approval: recorded for retry-path allow.
+ */
+export type PendingEntry = {
+    approvalId: string;
+    sessionKey: string;
+    toolName: string;
+    params: Record<string, unknown>;
+    expiresAtMs: number;
+};
+/**
+ * Hash for tool+params, used as approval key and short approval id.
+ */
+export declare function hashToolParams(toolName: string, params: Record<string, unknown>): string;
+/**
+ * Short id for approval messages (first 8 chars of hash).
+ */
+export declare function shortApprovalId(fullHash: string): string;
+export declare function createPending(params: {
+    approvalId: string;
+    sessionKey: string;
+    toolName: string;
+    params: Record<string, unknown>;
+    ttlMs: number;
+}): void;
+export declare function getPending(approvalId: string): PendingEntry | undefined;
+/**
+ * Approve a pending request. Records approval for retry-path and poll-path; removes from pending.
+ * When approverSessionKey is provided, verifies it matches the pending entry's sessionKey.
+ */
+export declare function approve(approvalId: string, ttlMs: number, approverSessionKey?: string | null): boolean;
+/**
+ * Reject a pending request. When rejecterSessionKey is provided, verifies it matches.
+ */
+export declare function reject(approvalId: string, rejecterSessionKey?: string | null): boolean;
+export declare function hasRecentApproval(sessionKey: string, toolName: string, params: Record<string, unknown>): boolean;
+export declare function consumeApproval(sessionKey: string, toolName: string, params: Record<string, unknown>): boolean;
+export declare function getPendingForSession(sessionKey: string): PendingEntry[];
+/**
+ * Poll until approved or timeout.
+ */
+export declare function pollForApproval(approvalId: string, timeoutMs: number, onCheck?: () => void): Promise<boolean>;
+//# sourceMappingURL=tool-approval-store.d.ts.map

package/dist/src/store/tool-approval-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-approval-store.d.ts","sourceRoot":"","sources":["../../../src/store/tool-approval-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,MAAM,YAAY,GAAG;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAoBF;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAGxF;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAExD;AAaD,wBAAgB,aAAa,CAAC,MAAM,EAAE;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,EAAE,MAAM,CAAC;CACf,GAAG,IAAI,CAUP;AAED,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAOvE;AAED;;;GAGG;AACH,wBAAgB,OAAO,CACrB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,GACjC,OAAO,CAkBT;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAatF;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAQT;AAED,wBAAgB,eAAe,CAC7B,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAST;AAED,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,EAAE,CASvE;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,MAAM,IAAI,GACnB,OAAO,CAAC,OAAO,CAAC,CAwBlB"}

package/dist/src/store/tool-approval-store.js

@@ -0,0 +1,147 @@
+/**
+ * In-memory store for tool approval flow.
+ * Pending: awaiting user approval. Approval: recorded for retry-path allow.
+ */
+import { createHash } from "node:crypto";
+const POLL_INTERVAL_MS = 500;
+const pendingByApprovalId = new Map();
+const approvalKeys = new Map(); // key -> expiresAtMs (for retry-path)
+const approvedById = new Map(); // approvalId -> expiresAtMs (for poll-path)
+/**
+ * Canonical JSON for stable hashing (sorted keys, no functions).
+ */
+function canonicalJson(obj) {
+    if (obj === null || obj === undefined)
+        return "null";
+    if (typeof obj !== "object")
+        return JSON.stringify(obj);
+    if (Array.isArray(obj))
+        return "[" + obj.map(canonicalJson).join(",") + "]";
+    const keys = Object.keys(obj).sort();
+    const pairs = keys.map((k) => `${JSON.stringify(k)}:${canonicalJson(obj[k])}`);
+    return "{" + pairs.join(",") + "}";
+}
+/**
+ * Hash for tool+params, used as approval key and short approval id.
+ */
+export function hashToolParams(toolName, params) {
+    const payload = `${toolName}:${canonicalJson(params)}`;
+    return createHash("sha256").update(payload, "utf-8").digest("hex");
+}
+/**
+ * Short id for approval messages (first 8 chars of hash).
+ */
+export function shortApprovalId(fullHash) {
+    return fullHash.slice(0, 8);
+}
+/**
+ * Approval key for hasRecentApproval lookup.
+ */
+function approvalKey(sessionKey, toolName, params) {
+    return `${sessionKey}:${hashToolParams(toolName, params)}`;
+}
+export function createPending(params) {
+    const { approvalId, sessionKey, toolName, params: p, ttlMs } = params;
+    const expiresAtMs = Date.now() + ttlMs;
+    pendingByApprovalId.set(approvalId, {
+        approvalId,
+        sessionKey,
+        toolName,
+        params: p,
+        expiresAtMs,
+    });
+}
+export function getPending(approvalId) {
+    const entry = pendingByApprovalId.get(approvalId);
+    if (!entry || Date.now() > entry.expiresAtMs) {
+        pendingByApprovalId.delete(approvalId);
+        return undefined;
+    }
+    return entry;
+}
+/**
+ * Approve a pending request. Records approval for retry-path and poll-path; removes from pending.
+ * When approverSessionKey is provided, verifies it matches the pending entry's sessionKey.
+ */
+export function approve(approvalId, ttlMs, approverSessionKey) {
+    const entry = getPending(approvalId);
+    if (!entry)
+        return false;
+    if (approverSessionKey != null &&
+        approverSessionKey.trim() !== "" &&
+        entry.sessionKey !== approverSessionKey) {
+        return false;
+    }
+    const expiresAtMs = Date.now() + ttlMs;
+    pendingByApprovalId.delete(approvalId);
+    const key = approvalKey(entry.sessionKey, entry.toolName, entry.params);
+    approvalKeys.set(key, expiresAtMs);
+    approvedById.set(approvalId, expiresAtMs);
+    return true;
+}
+/**
+ * Reject a pending request. When rejecterSessionKey is provided, verifies it matches.
+ */
+export function reject(approvalId, rejecterSessionKey) {
+    const entry = getPending(approvalId);
+    if (!entry)
+        return false;
+    if (rejecterSessionKey != null &&
+        rejecterSessionKey.trim() !== "" &&
+        entry.sessionKey !== rejecterSessionKey) {
+        return false;
+    }
+    return pendingByApprovalId.delete(approvalId);
+}
+export function hasRecentApproval(sessionKey, toolName, params) {
+    const key = approvalKey(sessionKey, toolName, params);
+    const expiresAt = approvalKeys.get(key);
+    if (!expiresAt || Date.now() > expiresAt) {
+        approvalKeys.delete(key);
+        return false;
+    }
+    return true;
+}
+export function consumeApproval(sessionKey, toolName, params) {
+    const key = approvalKey(sessionKey, toolName, params);
+    const expiresAt = approvalKeys.get(key);
+    if (!expiresAt || Date.now() > expiresAt) {
+        approvalKeys.delete(key);
+        return false;
+    }
+    approvalKeys.delete(key);
+    return true;
+}
+export function getPendingForSession(sessionKey) {
+    const now = Date.now();
+    const result = [];
+    for (const entry of pendingByApprovalId.values()) {
+        if (entry.sessionKey === sessionKey && entry.expiresAtMs > now) {
+            result.push(entry);
+        }
+    }
+    return result;
+}
+/**
+ * Poll until approved or timeout.
+ */
+export async function pollForApproval(approvalId, timeoutMs, onCheck) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        onCheck?.();
+        if (approvedById.has(approvalId)) {
+            const expiresAt = approvedById.get(approvalId);
+            if (Date.now() <= expiresAt) {
+                approvedById.delete(approvalId);
+                return true;
+            }
+            approvedById.delete(approvalId);
+        }
+        const entry = getPending(approvalId);
+        if (!entry) {
+            return false;
+        }
+        await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+    }
+    return false;
+}