@m1a0rz/agent-identity 0.1.2

package/dist/src/tools/identity-unset-binding.d.ts

@@ -0,0 +1,15 @@
+/**
+ * identity_unset_binding: remove credential env binding.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityUnsetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{
+        provider: import("@sinclair/typebox").TString;
+    }>;
+    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-unset-binding.d.ts.map

package/dist/src/tools/identity-unset-binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-unset-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-unset-binding.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,mBAAmB,IAC9D,KAAK,iBAAiB;;;;;;;;EAiB/B"}

package/dist/src/tools/identity-unset-binding.js

@@ -0,0 +1,25 @@
+/**
+ * identity_unset_binding: remove credential env binding.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runUnsetBinding } from "../actions/identity-actions.js";
+export function createIdentityUnsetBindingTool(deps) {
+    return (ctx) => ({
+        name: "identity_unset_binding",
+        label: "Identity Unset Binding",
+        description: "Remove credential env binding for a provider.",
+        parameters: Type.Object({
+            provider: Type.String({ description: "Provider name (e.g. google)" }),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey;
+            if (!sessionKey) {
+                return jsonResult({ ok: false, error: "No session context" });
+            }
+            const p = params;
+            const result = await runUnsetBinding(deps, sessionKey, { provider: p.provider });
+            return jsonResult(result);
+        },
+    });
+}

package/dist/src/tools/identity-whoami.d.ts

@@ -0,0 +1,13 @@
+/**
+ * identity_whoami: return current session identity (sub, TIP status) for the caller's session.
+ */
+import type { PluginToolContext } from "../types.js";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityWhoamiTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
+    name: string;
+    label: string;
+    description: string;
+    parameters: import("@sinclair/typebox").TObject<{}>;
+    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
+};
+//# sourceMappingURL=identity-whoami.d.ts.map

package/dist/src/tools/identity-whoami.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-whoami.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-whoami.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EA+B/B"}

package/dist/src/tools/identity-whoami.js

@@ -0,0 +1,38 @@
+/**
+ * identity_whoami: return current session identity (sub, TIP status) for the caller's session.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runStatus } from "../actions/identity-actions.js";
+export function createIdentityWhoamiTool(deps) {
+    return (ctx) => {
+        const sessionKey = ctx.sessionKey;
+        return {
+            name: "identity_whoami",
+            label: "Identity Whoami",
+            description: "Show the current session's identity (user sub, TIP status).",
+            parameters: Type.Object({}),
+            execute: async () => {
+                if (!sessionKey) {
+                    return jsonResult({ sub: null, hasTip: false, error: "No session context" });
+                }
+                const result = await runStatus(deps, sessionKey, ctx.config);
+                const now = Date.now();
+                return jsonResult({
+                    sub: result.sub,
+                    hasTip: result.hasTip,
+                    loggedIn: result.loggedIn,
+                    sessionKey: sessionKey.slice(0, 40) + (sessionKey.length > 40 ? "..." : ""),
+                    sessionLoginAt: result.sessionLoginAt ?? undefined,
+                    sessionExpiresAt: result.sessionExpiresAt ?? undefined,
+                    tipIssuedAt: result.tipIssuedAt ?? undefined,
+                    tipExpiresAt: result.tipExpiresAt ?? undefined,
+                    tipExpiresInSeconds: result.tipExpiresAt != null && result.tipExpiresAt > now
+                        ? Math.floor((result.tipExpiresAt - now) / 1000)
+                        : undefined,
+                    tipChain: result.tipChain,
+                });
+            },
+        };
+    };
+}

package/dist/src/types.d.ts

@@ -0,0 +1,93 @@
+/**
+ * Shared types for this plugin.
+ * Keep this file dependency-free (types only) so it can be safely imported from entrypoints.
+ */
+import type { OpenClawConfig } from "openclaw/plugin-sdk";
+/**
+ * Context passed to plugin tool factories. Mirrors OpenClawPluginToolContext (not exported from SDK).
+ */
+export type PluginToolContext = {
+    config?: OpenClawConfig;
+    workspaceDir?: string;
+    agentDir?: string;
+    agentId?: string;
+    sessionKey?: string;
+    messageChannel?: string;
+    agentAccountId?: string;
+    sandboxed?: boolean;
+};
+export type IdentityConfig = {
+    endpoint?: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    sessionToken?: string;
+    credentialsFile?: string;
+    roleTrn?: string;
+    workloadPoolName?: string;
+    workloadName?: string;
+    audience?: string[];
+    durationSeconds?: number;
+};
+export type UserPoolConfig = {
+    /** Explicit: discovery URL for OIDC. */
+    discoveryUrl?: string;
+    clientId?: string;
+    clientSecret?: string;
+    callbackUrl?: string;
+    scope?: string;
+    /** Dynamic (from_veidentity): resolve by name, no manual clientId needed. */
+    userPoolName?: string;
+    clientName?: string;
+    autoCreate?: boolean;
+};
+export type AuthzConfig = {
+    /** Enable AuthZ (TIP + CheckPermission + risk approval). Default: false. */
+    enable?: boolean;
+    /** Namespace for CheckPermission (Cedar policy). Default: "default". */
+    namespaceName?: string;
+    /** Skip TIP+CheckPermission for built-in low-risk tools. Default: true. */
+    lowRiskBypass?: boolean;
+    /** Extra tool names to treat as low-risk. */
+    lowRiskTools?: string[];
+    /** Require user approval for high-risk tools after CheckPermission. Default: true when enable. */
+    requireRiskApproval?: boolean;
+    /** Use LLM for risk evaluation when rules are ambiguous. Default: false. */
+    enableLlmRiskCheck?: boolean;
+    /** LLM provider config for risk check. Required when enableLlmRiskCheck is true. */
+    llmRiskCheck?: {
+        /** Base URL: Ollama (http://localhost:11434) or OpenAI-compatible (https://api.openai.com/v1) */
+        endpoint: string;
+        /** "ollama" for /api/generate, "openai-completions" for /chat/completions */
+        api?: "ollama" | "openai-completions";
+        /** Model name (e.g. qwen3:8b, gpt-4o-mini) */
+        model: string;
+        /** API key for OpenAI-compatible providers (omit for Ollama) */
+        apiKey?: string;
+        /** Timeout in ms. Default: 10000 */
+        timeoutMs?: number;
+        /** Cache TTL in ms for same tool+params. Default: 300000 (5 min). Set 0 to disable. */
+        cacheTtlMs?: number;
+    };
+    /** Approval TTL in seconds. Default: 300. */
+    approvalTtlSeconds?: number;
+};
+export type PluginConfig = {
+    /** Identity service config. Alias: cis (deprecated). */
+    identity?: IdentityConfig;
+    cis?: IdentityConfig;
+    userpool?: UserPoolConfig;
+    authz?: AuthzConfig;
+};
+export type PluginCommandContext = {
+    senderId?: string;
+    channel: string;
+    channelId?: string;
+    isAuthorizedSender: boolean;
+    args?: string;
+    commandBody: string;
+    config: OpenClawConfig;
+    from?: string;
+    to?: string;
+    accountId?: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/src/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,4EAA4E;IAC5E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,kGAAkG;IAClG,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,oFAAoF;IACpF,YAAY,CAAC,EAAE;QACb,iGAAiG;QACjG,QAAQ,EAAE,MAAM,CAAC;QACjB,6EAA6E;QAC7E,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;QACtC,8CAA8C;QAC9C,KAAK,EAAE,MAAM,CAAC;QACd,gEAAgE;QAChE,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,oCAAoC;QACpC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,uFAAuF;QACvF,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,wDAAwD;IACxD,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,GAAG,CAAC,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}

package/dist/src/types.js

@@ -0,0 +1,5 @@
+/**
+ * Shared types for this plugin.
+ * Keep this file dependency-free (types only) so it can be safely imported from entrypoints.
+ */
+export {};

package/dist/src/utils/approval-channel.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Determine if session supports sync approval (sendMessage + poll).
+ * Channel sessions (Feishu, Telegram, etc.) support it; webchat/TUI do not.
+ */
+/**
+ * Returns true when sessionKey can be delivered to (sendMessage works).
+ * Those sessions use sync approval (poll until user approves).
+ * Returns false for webchat/TUI (agent:main:main etc) - use retry flow.
+ */
+export declare function supportsSyncApproval(sessionKey: string | undefined | null): boolean;
+//# sourceMappingURL=approval-channel.d.ts.map

package/dist/src/utils/approval-channel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-channel.d.ts","sourceRoot":"","sources":["../../../src/utils/approval-channel.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEnF"}

package/dist/src/utils/approval-channel.js

@@ -0,0 +1,13 @@
+/**
+ * Determine if session supports sync approval (sendMessage + poll).
+ * Channel sessions (Feishu, Telegram, etc.) support it; webchat/TUI do not.
+ */
+import { parseSessionKeyToDeliveryTarget } from "./derive-session-key.js";
+/**
+ * Returns true when sessionKey can be delivered to (sendMessage works).
+ * Those sessions use sync approval (poll until user approves).
+ * Returns false for webchat/TUI (agent:main:main etc) - use retry flow.
+ */
+export function supportsSyncApproval(sessionKey) {
+    return parseSessionKeyToDeliveryTarget(sessionKey ?? "") !== null;
+}

package/dist/src/utils/auth.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Auth utilities (veadk-style).
+ * Parse TIP token for principal and delegation chain per RFC 8693.
+ *
+ * @see https://github.com/volcengine/veadk-python/blob/main/veadk/utils/auth.py
+ */
+export type DelegationChain = {
+    /** End user subject from JWT `sub`. */
+    principalId: string;
+    /** Actors from nested `act` claims (outermost first, e.g. [agent1, agent2]). */
+    actors: string[];
+};
+/**
+ * Extract subject and delegation chain from JWT (TIP / workload token).
+ * Returns the primary subject (user) and the chain of actors who acted on behalf.
+ *
+ * @example
+ * // User → Agent1 → Agent2
+ * const { principalId, actors } = extractDelegationChainFromJwt(token);
+ * // Returns: { principalId: "user1", actors: ["agent1", "agent2"] }
+ * // principal = user1, originalCallers = [agent1, agent2]
+ */
+export declare function extractDelegationChainFromJwt(token: string): DelegationChain | null;
+//# sourceMappingURL=auth.d.ts.map

package/dist/src/utils/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/utils/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,eAAe,GAAG;IAC5B,uCAAuC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CA6BnF"}

package/dist/src/utils/auth.js

@@ -0,0 +1,44 @@
+/**
+ * Auth utilities (veadk-style).
+ * Parse TIP token for principal and delegation chain per RFC 8693.
+ *
+ * @see https://github.com/volcengine/veadk-python/blob/main/veadk/utils/auth.py
+ */
+/**
+ * Extract subject and delegation chain from JWT (TIP / workload token).
+ * Returns the primary subject (user) and the chain of actors who acted on behalf.
+ *
+ * @example
+ * // User → Agent1 → Agent2
+ * const { principalId, actors } = extractDelegationChainFromJwt(token);
+ * // Returns: { principalId: "user1", actors: ["agent1", "agent2"] }
+ * // principal = user1, originalCallers = [agent1, agent2]
+ */
+export function extractDelegationChainFromJwt(token) {
+    try {
+        const raw = token.startsWith("Bearer ") || token.startsWith("bearer ") ? token.slice(7) : token;
+        const parts = raw.split(".");
+        if (parts.length !== 3)
+            return null;
+        let payloadPart = parts[1];
+        const pad = payloadPart.length % 4;
+        if (pad)
+            payloadPart += "=".repeat(4 - pad);
+        const payload = JSON.parse(Buffer.from(payloadPart, "base64url").toString("utf-8"));
+        const sub = payload.sub;
+        if (!sub)
+            return null;
+        const actors = [];
+        let act = payload.act;
+        while (act && typeof act === "object") {
+            const actorSub = act.sub;
+            if (actorSub)
+                actors.push(String(actorSub));
+            act = act.act;
+        }
+        return { principalId: String(sub), actors };
+    }
+    catch {
+        return null;
+    }
+}

package/dist/src/utils/derive-session-key.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Derive sessionKey and agentId from command context.
+ * Logic aligned with OpenClaw routing buildAgentPeerSessionKey.
+ */
+/** Minimal config shape for session/agent resolution. Compatible with OpenClawConfig. */
+export type ConfigWithSession = {
+    session?: {
+        dmScope?: string;
+    };
+    agents?: {
+        defaults?: {
+            id?: string;
+            agentId?: string;
+        };
+    };
+};
+type DeriveSessionKeyParams = {
+    channel: string;
+    senderId?: string;
+    from?: string;
+    to?: string;
+    accountId?: string;
+    config: ConfigWithSession;
+};
+/**
+ * Derive agentId from config. Fallback when ctx.agentId and sessionKey are not available.
+ */
+export declare function deriveAgentId(config: ConfigWithSession): string;
+/**
+ * Parse agentId from sessionKey. Format: agent:{agentId}:{rest}
+ * Returns null if sessionKey is not in agent: form.
+ */
+export declare function parseAgentIdFromSessionKey(sessionKey: string | undefined | null): string | null;
+export type ResolveAgentIdParams = {
+    /** From hook ctx.agentId - preferred when available (sub-agent, workspace-bound). */
+    agentId?: string;
+    /** Parse from sessionKey when agentId not provided. */
+    sessionKey?: string;
+    /** Fallback when neither agentId nor sessionKey yields a value. */
+    config?: ConfigWithSession;
+};
+/**
+ * Resolve agentId with priority: ctx.agentId > parse from sessionKey > config.
+ * Use in hooks (prefer ctx.agentId) and commands (parse from sessionKey or config).
+ */
+export declare function resolveAgentId(params: ResolveAgentIdParams): string;
+/**
+ * Derive sessionKey from command context.
+ * Matches OpenClaw routing buildAgentPeerSessionKey for common cases.
+ */
+export declare function deriveSessionKey(params: DeriveSessionKeyParams): string | null;
+export type SessionKeyDeliveryTarget = {
+    channel: string;
+    to: string;
+    /** For feishu per-account sessions (agent:main:feishu:default:direct:ou_xxx). */
+    accountId?: string;
+};
+/** Command context shape (subset of PluginCommandContext). */
+export type CommandContextForDelivery = {
+    channel: string;
+    from?: string;
+    to?: string;
+    accountId?: string;
+};
+/**
+ * Derive delivery target directly from command context (channel, from, to).
+ * Use this when sessionKey cannot be parsed reliably.
+ * ctx.to/from are channel-scoped (e.g. "telegram:123", "feishu:user:ou_xxx").
+ */
+export declare function deriveDeliveryTargetFromContext(ctx: CommandContextForDelivery): SessionKeyDeliveryTarget | null;
+/**
+ * Parse sessionKey to delivery target for sending a message back to the user's channel.
+ * Returns null if sessionKey cannot be parsed or channel is not sendable.
+ * Used after OIDC login to notify the user in their chat.
+ */
+export declare function parseSessionKeyToDeliveryTarget(sessionKey: string | undefined | null): SessionKeyDeliveryTarget | null;
+export {};
+//# sourceMappingURL=derive-session-key.d.ts.map

package/dist/src/utils/derive-session-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-session-key.d.ts","sourceRoot":"","sources":["../../../src/utils/derive-session-key.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,yFAAyF;AACzF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CAC3D,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAE/D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAM/F;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qFAAqF;IACrF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CASnE;AAyBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CA4B9E;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAaF,8DAA8D;AAC9D,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,yBAAyB,GAC7B,wBAAwB,GAAG,IAAI,CAmBjC;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACpC,wBAAwB,GAAG,IAAI,CAyDjC"}

package/dist/src/utils/derive-session-key.js

@@ -0,0 +1,198 @@
+/**
+ * Derive sessionKey and agentId from command context.
+ * Logic aligned with OpenClaw routing buildAgentPeerSessionKey.
+ */
+const DEFAULT_AGENT_ID = "main";
+const DEFAULT_ACCOUNT_ID = "default";
+function normalizeAgentId(value) {
+    const trimmed = (value ?? "").trim();
+    return trimmed ? trimmed.toLowerCase() : DEFAULT_AGENT_ID;
+}
+/**
+ * Derive agentId from config. Fallback when ctx.agentId and sessionKey are not available.
+ */
+export function deriveAgentId(config) {
+    return normalizeAgentId(config.agents?.defaults?.id ?? DEFAULT_AGENT_ID);
+}
+/**
+ * Parse agentId from sessionKey. Format: agent:{agentId}:{rest}
+ * Returns null if sessionKey is not in agent: form.
+ */
+export function parseAgentIdFromSessionKey(sessionKey) {
+    const raw = (sessionKey ?? "").trim();
+    if (!raw || !raw.toLowerCase().startsWith("agent:"))
+        return null;
+    const parts = raw.split(":");
+    const agentId = parts[1]?.trim();
+    return agentId ? agentId : null;
+}
+/**
+ * Resolve agentId with priority: ctx.agentId > parse from sessionKey > config.
+ * Use in hooks (prefer ctx.agentId) and commands (parse from sessionKey or config).
+ */
+export function resolveAgentId(params) {
+    const { agentId, sessionKey, config } = params;
+    if (agentId != null && agentId.trim()) {
+        return normalizeAgentId(agentId);
+    }
+    const fromSessionKey = parseAgentIdFromSessionKey(sessionKey);
+    if (fromSessionKey)
+        return normalizeAgentId(fromSessionKey);
+    if (config)
+        return deriveAgentId(config);
+    return DEFAULT_AGENT_ID;
+}
+function normalizeAccountId(value) {
+    const trimmed = (value ?? "").trim().toLowerCase();
+    return trimmed || DEFAULT_ACCOUNT_ID;
+}
+/**
+ * Extract peer/chat id from from/to for group sessions.
+ * Channel-specific heuristics (e.g. telegram:group:123 or telegram:123 for group chat).
+ */
+function extractGroupPeerId(channel, from, to) {
+    const raw = (to ?? from ?? "").trim();
+    if (!raw)
+        return null;
+    const lower = raw.toLowerCase();
+    const channelPrefix = `${channel}:`;
+    if (lower.startsWith(channelPrefix)) {
+        const rest = raw.slice(channelPrefix.length);
+        const parts = rest.split(":");
+        if (parts[0] === "group" && parts[1])
+            return parts[1];
+        if (parts.length >= 1)
+            return parts[0];
+    }
+    return null;
+}
+/**
+ * Derive sessionKey from command context.
+ * Matches OpenClaw routing buildAgentPeerSessionKey for common cases.
+ */
+export function deriveSessionKey(params) {
+    const { channel, senderId, from, to, accountId, config } = params;
+    const agentId = deriveAgentId(config);
+    const dmScope = config.session?.dmScope;
+    const ch = (channel ?? "").trim().toLowerCase() || "unknown";
+    const groupPeerId = extractGroupPeerId(ch, from, to);
+    const isGroup = Boolean(groupPeerId);
+    if (isGroup && groupPeerId) {
+        return `agent:${agentId}:${ch}:group:${groupPeerId.toLowerCase()}`;
+    }
+    const peerId = (senderId ?? "").trim().toLowerCase();
+    if (!peerId)
+        return null;
+    if (dmScope === "per-account-channel-peer") {
+        const acc = normalizeAccountId(accountId);
+        return `agent:${agentId}:${ch}:${acc}:direct:${peerId}`;
+    }
+    if (dmScope === "per-channel-peer") {
+        return `agent:${agentId}:${ch}:direct:${peerId}`;
+    }
+    if (dmScope === "per-peer") {
+        return `agent:${agentId}:direct:${peerId}`;
+    }
+    return `agent:${agentId}:main`;
+}
+const SENDABLE_CHANNELS = new Set([
+    "telegram",
+    "slack",
+    "discord",
+    "signal",
+    "imessage",
+    "whatsapp",
+    "line",
+    "feishu",
+]);
+/**
+ * Derive delivery target directly from command context (channel, from, to).
+ * Use this when sessionKey cannot be parsed reliably.
+ * ctx.to/from are channel-scoped (e.g. "telegram:123", "feishu:user:ou_xxx").
+ */
+export function deriveDeliveryTargetFromContext(ctx) {
+    const ch = (ctx.channel ?? "").trim().toLowerCase();
+    if (!ch || !SENDABLE_CHANNELS.has(ch))
+        return null;
+    const rawTo = (ctx.to ?? ctx.from ?? "").trim();
+    if (!rawTo)
+        return null;
+    const lowerTo = rawTo.toLowerCase();
+    let to = rawTo;
+    if (lowerTo.startsWith(`${ch}:`)) {
+        to = rawTo.slice(ch.length + 1);
+    }
+    if (ch === "feishu") {
+        if (!to.startsWith("user:") && !to.startsWith("chat:") && !to.startsWith("open_id:")) {
+            to = to.startsWith("oc_") ? `chat:${to}` : `user:${to}`;
+        }
+    }
+    if (ch === "slack" && /^[UW]\w+$/i.test(to)) {
+        to = `user:${to}`;
+    }
+    return { channel: ch, to, accountId: ctx.accountId };
+}
+/**
+ * Parse sessionKey to delivery target for sending a message back to the user's channel.
+ * Returns null if sessionKey cannot be parsed or channel is not sendable.
+ * Used after OIDC login to notify the user in their chat.
+ */
+export function parseSessionKeyToDeliveryTarget(sessionKey) {
+    const raw = (sessionKey ?? "").trim();
+    if (!raw || !raw.toLowerCase().startsWith("agent:"))
+        return null;
+    const parts = raw.split(":");
+    if (parts.length < 5)
+        return null;
+    const channel = parts[2]?.toLowerCase();
+    if (!channel || !SENDABLE_CHANNELS.has(channel))
+        return null;
+    const scope = parts[3]?.toLowerCase();
+    const isDirect = scope === "direct" || scope === "dm";
+    if (isDirect) {
+        const peerId = parts[4]?.trim();
+        if (!peerId)
+            return null;
+        if (channel === "slack") {
+            return {
+                channel,
+                to: peerId.startsWith("U") || peerId.startsWith("W") ? `user:${peerId}` : peerId,
+            };
+        }
+        if (channel === "feishu") {
+            return { channel, to: `user:${peerId}` };
+        }
+        return { channel, to: `${channel}:${peerId}` };
+    }
+    if (scope === "group") {
+        const groupId = parts[4]?.trim();
+        if (!groupId)
+            return null;
+        if (channel === "feishu") {
+            return { channel, to: `chat:${groupId}` };
+        }
+        if (parts[5]?.toLowerCase() === "topic" && parts[6]) {
+            return { channel, to: `${channel}:group:${groupId}:topic:${parts[6]}` };
+        }
+        return { channel, to: `${channel}:group:${groupId}` };
+    }
+    // per-account-channel-peer: agent:main:feishu:default:direct:ou_xxx
+    if (scope && !isDirect && scope !== "group" && parts[4]?.toLowerCase() === "direct") {
+        const peerId = parts[5]?.trim();
+        if (!peerId)
+            return null;
+        const accountId = scope;
+        if (channel === "slack") {
+            return {
+                channel,
+                to: peerId.startsWith("U") || peerId.startsWith("W") ? `user:${peerId}` : peerId,
+                accountId,
+            };
+        }
+        if (channel === "feishu") {
+            return { channel, to: `user:${peerId}`, accountId };
+        }
+        return { channel, to: `${channel}:${peerId}`, accountId };
+    }
+    return null;
+}