@m1a0rz/agent-identity 0.1.2

package/dist/src/tools/identity-approve-tool.d.ts

@@ -0,0 +1,24 @@
+/**
+ * identity_approve_tool: approve a high-risk tool call by approval_id.
+ * Used for webchat/TUI flow when user approves via UI then agent retries.
+ */
+import type { PluginToolContext } from "../types.js";
+export type IdentityApproveToolDeps = {
+    approvalTtlMs: number;
+    logger?: {
+        debug?: (msg: string) => void;
+        warn?: (msg: string) => void;
+    };
+};
+export declare function createIdentityApproveTool(deps: IdentityApproveToolDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        approval_id: import("@sinclair/typebox").TString;
+    }>;
+    execute: (_toolCallId: string, params: {
+        approval_id?: string;
+    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-approve-tool.d.ts.map

package/dist/src/tools/identity-approve-tool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-approve-tool.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-approve-tool.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAKrD,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,uBAAuB,IAC7D,KAAK,iBAAiB;;;;;;;2BAOC,MAAM,UAAU;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE;EAwBxE"}

package/dist/src/tools/identity-approve-tool.js

@@ -0,0 +1,36 @@
+/**
+ * identity_approve_tool: approve a high-risk tool call by approval_id.
+ * Used for webchat/TUI flow when user approves via UI then agent retries.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import * as toolApprovalStore from "../store/tool-approval-store.js";
+export function createIdentityApproveTool(deps) {
+    return (ctx) => ({
+        name: "identity_approve_tool",
+        label: "Approve Tool Call",
+        description: "Approve a pending high-risk tool call by its approval ID. Must run from same session.",
+        parameters: Type.Object({
+            approval_id: Type.String({ description: "Approval ID from the pending tool message" }),
+        }),
+        execute: async (_toolCallId, params) => {
+            const approvalId = (params?.approval_id ?? "").trim();
+            if (!approvalId) {
+                return jsonResult({
+                    ok: false,
+                    error: "approval_id is required",
+                });
+            }
+            const ok = toolApprovalStore.approve(approvalId, deps.approvalTtlMs, ctx.sessionKey);
+            if (ok) {
+                deps.logger?.debug?.(`agent-identity: approved tool call ${approvalId}`);
+                return jsonResult({ ok: true, message: "Tool call approved" });
+            }
+            deps.logger?.warn?.(`agent-identity: approve failed for ${approvalId} (expired or not found)`);
+            return jsonResult({
+                ok: false,
+                error: "Approval not found or expired. Request a new tool execution.",
+            });
+        },
+    });
+}

package/dist/src/tools/identity-config.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_config: show identity plugin configuration (redacted).
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-config.d.ts.map

package/dist/src/tools/identity-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB;;;;;;EAUhC"}

package/dist/src/tools/identity-config.js

@@ -0,0 +1,18 @@
+/**
+ * identity_config: show identity plugin configuration (redacted).
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runConfig } from "../actions/identity-actions.js";
+export function createIdentityConfigTool(deps) {
+    return (_ctx) => ({
+        name: "identity_config",
+        label: "Identity Config",
+        description: "Show identity plugin configuration (secrets redacted).",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const result = await runConfig(deps);
+            return jsonResult(result);
+        },
+    });
+}

package/dist/src/tools/identity-fetch.d.ts

@@ -0,0 +1,21 @@
+/**
+ * identity_fetch: add credential for a provider (OAuth2 or API key).
+ * For OAuth2 user flow, returns auth URL; polling runs in background.
+ * When returnValue is true and fetch succeeds, returns the credential value for same-turn automation.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        provider: import("@sinclair/typebox").TString;
+        flow: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnsafe<"oauth2-user" | "oauth2-m2m" | "apikey">>;
+        redirectUrl: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
+        scopes: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>>;
+        returnValue: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TBoolean>;
+    }>;
+    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-fetch.d.ts.map

package/dist/src/tools/identity-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAM1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;;;;;;;EA6D/B"}

package/dist/src/tools/identity-fetch.js

@@ -0,0 +1,63 @@
+/**
+ * identity_fetch: add credential for a provider (OAuth2 or API key).
+ * For OAuth2 user flow, returns auth URL; polling runs in background.
+ * When returnValue is true and fetch succeeds, returns the credential value for same-turn automation.
+ */
+import { Type } from "@sinclair/typebox";
+import { optionalStringEnum } from "openclaw/plugin-sdk";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runFetch } from "../actions/identity-actions.js";
+import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
+const FETCH_FLOWS = ["oauth2-user", "oauth2-m2m", "apikey"];
+export function createIdentityFetchTool(deps) {
+    return (ctx) => ({
+        name: "identity_fetch",
+        label: "Identity Fetch Credential",
+        description: "Add credential for a provider. OAuth2-user returns auth URL to open; apikey/oauth2-m2m complete immediately. Set returnValue=true to receive the credential value for same-turn automation (use with care: value may appear in logs).",
+        parameters: Type.Object({
+            provider: Type.String({ description: "Provider name (e.g. google, openai)" }),
+            flow: Type.Optional(optionalStringEnum(FETCH_FLOWS, {
+                description: "oauth2-user (default for 3LO), oauth2-m2m, apikey",
+            })),
+            redirectUrl: Type.Optional(Type.String()),
+            scopes: Type.Optional(Type.Array(Type.String())),
+            returnValue: Type.Optional(Type.Boolean({
+                description: "When true and fetch succeeds, include credential value in result for same-turn use. Default false.",
+            })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", success: false });
+            }
+            const p = params;
+            const result = await runFetch(deps, sessionKey, {
+                provider: p.provider,
+                flow: p.flow ?? "oauth2-user",
+                flowExplicit: p.flow != null,
+                redirectUrl: p.redirectUrl,
+                scopes: p.scopes,
+                deliveryTarget: null,
+                config: ctx.config,
+            });
+            if (result.kind === "success") {
+                const out = { success: true, message: result.message };
+                if (p.returnValue === true) {
+                    const cred = await getCredential(deps.storeDir, sessionKey, p.provider);
+                    const value = cred ? resolveCredentialValue(cred) : undefined;
+                    if (value)
+                        out.value = value;
+                }
+                return jsonResult(out);
+            }
+            if (result.kind === "auth_url") {
+                return jsonResult({
+                    success: false,
+                    authUrl: result.authUrl,
+                    message: result.message,
+                });
+            }
+            return jsonResult({ success: false, error: result.message });
+        },
+    });
+}

package/dist/src/tools/identity-list-credentials.d.ts

@@ -0,0 +1,15 @@
+/**
+ * identity_list_credentials: list credential providers and stored credentials (paginated).
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        page: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TNumber>;
+    }>;
+    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-list-credentials.d.ts.map

package/dist/src/tools/identity-list-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB;;;;;;;;EAsB/B"}

package/dist/src/tools/identity-list-credentials.js

@@ -0,0 +1,30 @@
+/**
+ * identity_list_credentials: list credential providers and stored credentials (paginated).
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runListCredentials } from "../actions/identity-actions.js";
+export function createIdentityListCredentialsTool(deps) {
+    return (ctx) => ({
+        name: "identity_list_credentials",
+        label: "Identity List Credentials",
+        description: "List credential providers and stored credentials (paginated).",
+        parameters: Type.Object({
+            page: Type.Optional(Type.Number({ minimum: 1, default: 1 })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", providers: [], storedOnly: [] });
+            }
+            const page = params.page ?? 1;
+            const result = await runListCredentials(deps, sessionKey, page);
+            return jsonResult({
+                providers: result.providers,
+                storedOnly: result.storedOnly,
+                page: result.page,
+                hasMore: result.hasMore,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-risk-patterns.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_list_risk_patterns: list built-in dangerous command patterns and sensitive paths.
+ * Use to understand what the plugin considers high-risk before running commands.
+ */
+import type { PluginToolContext } from "../types.js";
+export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-list-risk-patterns.d.ts.map

package/dist/src/tools/identity-list-risk-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAKrD,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB;;;;;;EAehC"}

package/dist/src/tools/identity-list-risk-patterns.js

@@ -0,0 +1,23 @@
+/**
+ * identity_list_risk_patterns: list built-in dangerous command patterns and sensitive paths.
+ * Use to understand what the plugin considers high-risk before running commands.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { getRiskPatterns } from "../risk/classify-risk.js";
+export function createIdentityListRiskPatternsTool() {
+    return (_ctx) => ({
+        name: "identity_list_risk_patterns",
+        label: "List Risk Patterns",
+        description: "List built-in dangerous command patterns and sensitive paths. Shows what would trigger high-risk approval.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const { commandPatterns, sensitivePaths } = getRiskPatterns();
+            return jsonResult({
+                commandPatterns,
+                sensitivePaths,
+                note: "Commands matching these patterns (exec/process) or paths (write/edit/apply_patch) require approval when authz is enabled.",
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-tips.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_list_tips: list valid TIP tokens and env bindings.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityListTipsTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-list-tips.d.ts.map

package/dist/src/tools/identity-list-tips.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-list-tips.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-tips.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,mBAAmB,IAC1D,MAAM,iBAAiB;;;;;;EAahC"}

package/dist/src/tools/identity-list-tips.js

@@ -0,0 +1,21 @@
+/**
+ * identity_list_tips: list valid TIP tokens and env bindings.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runListTips } from "../actions/identity-actions.js";
+export function createIdentityListTipsTool(deps) {
+    return (_ctx) => ({
+        name: "identity_list_tips",
+        label: "Identity List Tips",
+        description: "List valid TIP tokens and credential env bindings.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const result = await runListTips(deps);
+            return jsonResult({
+                tips: result.tips,
+                bindingsBySession: result.bindingsBySession,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-login.d.ts

@@ -0,0 +1,14 @@
+/**
+ * identity_login: initiate OIDC login or refresh TIP when already logged in.
+ * Returns auth URL when login needed; tools don't have deliveryTarget so callback falls back to sessionKey.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityLoginTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-login.d.ts.map

package/dist/src/tools/identity-login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-login.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-login.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;EAiC/B"}

package/dist/src/tools/identity-login.js

@@ -0,0 +1,40 @@
+/**
+ * identity_login: initiate OIDC login or refresh TIP when already logged in.
+ * Returns auth URL when login needed; tools don't have deliveryTarget so callback falls back to sessionKey.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runLogin } from "../actions/identity-actions.js";
+export function createIdentityLoginTool(deps) {
+    return (ctx) => ({
+        name: "identity_login",
+        label: "Identity Login",
+        description: "Start OIDC login (returns auth URL to open) or refresh TIP when already logged in. User must open the URL in a browser.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", authUrl: null });
+            }
+            const result = await runLogin(deps, sessionKey, {
+                config: ctx.config,
+                deliveryTarget: null,
+            });
+            if (result.kind === "already_logged_in") {
+                return jsonResult({
+                    ok: true,
+                    sub: result.sub,
+                    message: "Already logged in. TIP refreshed.",
+                });
+            }
+            if (result.kind === "auth_url") {
+                return jsonResult({
+                    ok: false,
+                    authUrl: result.authUrl,
+                    message: "Open this URL in a browser to log in. After authorization, a success message will be sent.",
+                });
+            }
+            return jsonResult({ error: result.message, authUrl: null });
+        },
+    });
+}

package/dist/src/tools/identity-logout.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_logout: clear session and TIP for the caller's session.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityLogoutTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-logout.d.ts.map

package/dist/src/tools/identity-logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-logout.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-logout.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAgB/B"}

package/dist/src/tools/identity-logout.js

@@ -0,0 +1,24 @@
+/**
+ * identity_logout: clear session and TIP for the caller's session.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runLogout } from "../actions/identity-actions.js";
+export function createIdentityLogoutTool(deps) {
+    return (ctx) => {
+        const sessionKey = ctx.sessionKey;
+        return {
+            name: "identity_logout",
+            label: "Identity Logout",
+            description: "Log out the current session and clear TIP cache.",
+            parameters: Type.Object({}),
+            execute: async () => {
+                if (!sessionKey) {
+                    return jsonResult({ ok: false, error: "No session context" });
+                }
+                await runLogout(deps, sessionKey);
+                return jsonResult({ ok: true });
+            },
+        };
+    };
+}

package/dist/src/tools/identity-risk-check.d.ts

@@ -0,0 +1,29 @@
+/**
+ * identity_risk_check: diagnose risk for a command or tool call without executing.
+ * Use before running exec/write to see if it would require approval.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { PluginConfig } from "../types.js";
+export type IdentityRiskCheckDeps = {
+    pluginConfig: PluginConfig;
+    logger?: {
+        debug?: (msg: string) => void;
+        warn?: (msg: string) => void;
+    };
+};
+export declare function createIdentityRiskCheckTool(deps: IdentityRiskCheckDeps): (_ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        command: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
+        toolName: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
+        params: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TRecord<import("@sinclair/typebox").TString, import("@sinclair/typebox").TUnknown>>;
+    }>;
+    execute: (_toolCallId: string, params: {
+        command?: string;
+        toolName?: string;
+        params?: Record<string, unknown>;
+    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-risk-check.d.ts.map

package/dist/src/tools/identity-risk-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-risk-check.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-risk-check.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,MAAM,qBAAqB,GAAG;IAClC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,qBAAqB,IAC7D,MAAM,iBAAiB;;;;;;;;;2BAuBd,MAAM,UACX;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE;EAuCtF"}

package/dist/src/tools/identity-risk-check.js

@@ -0,0 +1,54 @@
+/**
+ * identity_risk_check: diagnose risk for a command or tool call without executing.
+ * Use before running exec/write to see if it would require approval.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { diagnoseRisk } from "../risk/diagnose-risk.js";
+export function createIdentityRiskCheckTool(deps) {
+    return (_ctx) => ({
+        name: "identity_risk_check",
+        label: "Risk Check",
+        description: "Diagnose risk for a shell command or tool call. Pass 'command' for exec, or 'toolName' and 'params' for other tools. Returns risk level and reason.",
+        parameters: Type.Object({
+            command: Type.Optional(Type.String({
+                description: "Shell command to evaluate (treated as exec tool)",
+            })),
+            toolName: Type.Optional(Type.String({
+                description: "Tool name to evaluate (e.g. write, apply_patch). Use with params.",
+            })),
+            params: Type.Optional(Type.Record(Type.String(), Type.Unknown(), {
+                description: "Tool params as object. For exec: {command}. For write: {path, content}.",
+            })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const { command, toolName, params: p } = params ?? {};
+            let effectiveToolName;
+            let effectiveParams;
+            if (command != null && command !== "") {
+                effectiveToolName = "exec";
+                effectiveParams = { command: String(command) };
+            }
+            else if (toolName != null && toolName.trim() !== "") {
+                effectiveToolName = toolName.trim();
+                effectiveParams = (p && typeof p === "object" ? p : {});
+            }
+            else {
+                return jsonResult({
+                    error: "Provide either 'command' (for exec) or 'toolName' (with optional params)",
+                });
+            }
+            const llmConfig = deps.pluginConfig?.authz?.enableLlmRiskCheck && deps.pluginConfig?.authz?.llmRiskCheck
+                ? deps.pluginConfig.authz.llmRiskCheck
+                : undefined;
+            const result = await diagnoseRisk(effectiveToolName, effectiveParams, llmConfig, deps.logger);
+            return jsonResult({
+                toolName: effectiveToolName,
+                params: effectiveParams,
+                risk: result.risk,
+                reason: result.reason ?? undefined,
+                source: result.source,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-set-binding.d.ts

@@ -0,0 +1,16 @@
+/**
+ * identity_set_binding: bind a credential provider to an env var for tool injection.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentitySetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        provider: import("@sinclair/typebox").TString;
+        envVar: import("@sinclair/typebox").TString;
+    }>;
+    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-set-binding.d.ts.map

package/dist/src/tools/identity-set-binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-set-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-set-binding.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAC5D,KAAK,iBAAiB;;;;;;;;;EAwB/B"}

package/dist/src/tools/identity-set-binding.js

@@ -0,0 +1,31 @@
+/**
+ * identity_set_binding: bind a credential provider to an env var for tool injection.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runSetBinding } from "../actions/identity-actions.js";
+export function createIdentitySetBindingTool(deps) {
+    return (ctx) => ({
+        name: "identity_set_binding",
+        label: "Identity Set Binding",
+        description: "Bind credential provider to env var. If credential exists, binds it; else imports from process.env[envVar] as api_key.",
+        parameters: Type.Object({
+            provider: Type.String({ description: "Provider name (e.g. google)" }),
+            envVar: Type.String({
+                description: "Env var name for injection (e.g. GOOGLE_ACCESS_TOKEN)",
+            }),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ ok: false, error: "No session context" });
+            }
+            const p = params;
+            const result = await runSetBinding(deps, sessionKey, {
+                provider: p.provider,
+                envVar: p.envVar,
+            });
+            return jsonResult(result);
+        },
+    });
+}

package/dist/src/tools/identity-status.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_status: return login status, credentials, and env bindings for the caller's session.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityStatusTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-status.d.ts.map

package/dist/src/tools/identity-status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-status.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-status.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAiC/B"}

package/dist/src/tools/identity-status.js

@@ -0,0 +1,41 @@
+/**
+ * identity_status: return login status, credentials, and env bindings for the caller's session.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runStatus } from "../actions/identity-actions.js";
+export function createIdentityStatusTool(deps) {
+    return (ctx) => ({
+        name: "identity_status",
+        label: "Identity Status",
+        description: "Show login status, credentials, and env bindings for the current session.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", loggedIn: false });
+            }
+            const result = await runStatus(deps, sessionKey, ctx.config);
+            return jsonResult({
+                loggedIn: result.loggedIn,
+                sub: result.sub,
+                hasTip: result.hasTip,
+                session: result.sessionLoginAt
+                    ? {
+                        loginAt: result.sessionLoginAt,
+                        expiresAt: result.sessionExpiresAt ?? undefined,
+                    }
+                    : undefined,
+                tip: result.hasTip && result.tipExpiresAt
+                    ? {
+                        issuedAt: result.tipIssuedAt,
+                        expiresAt: result.tipExpiresAt,
+                        chain: result.tipChain,
+                    }
+                    : undefined,
+                credentialProviders: Object.keys(result.credentials),
+                bindings: result.bindings,
+            });
+        },
+    });
+}