npm - @m1a0rz/agent-identity - Versions diffs - 0.1.2 - Mend

@m1a0rz/agent-identity 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

package/README-cn.md +223 -0
package/README.md +223 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +306 -0
package/dist/src/actions/identity-actions.d.ts +142 -0
package/dist/src/actions/identity-actions.d.ts.map +1 -0
package/dist/src/actions/identity-actions.js +429 -0
package/dist/src/commands/identity-commands.d.ts +33 -0
package/dist/src/commands/identity-commands.d.ts.map +1 -0
package/dist/src/commands/identity-commands.js +572 -0
package/dist/src/hooks/after-tool-call.d.ts +22 -0
package/dist/src/hooks/after-tool-call.d.ts.map +1 -0
package/dist/src/hooks/after-tool-call.js +35 -0
package/dist/src/hooks/before-agent-start.d.ts +30 -0
package/dist/src/hooks/before-agent-start.d.ts.map +1 -0
package/dist/src/hooks/before-agent-start.js +93 -0
package/dist/src/hooks/before-tool-call.d.ts +38 -0
package/dist/src/hooks/before-tool-call.d.ts.map +1 -0
package/dist/src/hooks/before-tool-call.js +138 -0
package/dist/src/risk/classify-risk.d.ts +24 -0
package/dist/src/risk/classify-risk.d.ts.map +1 -0
package/dist/src/risk/classify-risk.js +61 -0
package/dist/src/risk/diagnose-risk.d.ts +21 -0
package/dist/src/risk/diagnose-risk.d.ts.map +1 -0
package/dist/src/risk/diagnose-risk.js +37 -0
package/dist/src/risk/llm-risk-check.d.ts +27 -0
package/dist/src/risk/llm-risk-check.d.ts.map +1 -0
package/dist/src/risk/llm-risk-check.js +274 -0
package/dist/src/risk/low-risk-tools.d.ts +5 -0
package/dist/src/risk/low-risk-tools.d.ts.map +1 -0
package/dist/src/risk/low-risk-tools.js +29 -0
package/dist/src/routes/oidc-login.d.ts +51 -0
package/dist/src/routes/oidc-login.d.ts.map +1 -0
package/dist/src/routes/oidc-login.js +153 -0
package/dist/src/services/identity-client.d.ts +366 -0
package/dist/src/services/identity-client.d.ts.map +1 -0
package/dist/src/services/identity-client.js +578 -0
package/dist/src/services/identity-credentials.d.ts +28 -0
package/dist/src/services/identity-credentials.d.ts.map +1 -0
package/dist/src/services/identity-credentials.js +170 -0
package/dist/src/services/identity-service.d.ts +33 -0
package/dist/src/services/identity-service.d.ts.map +1 -0
package/dist/src/services/identity-service.js +53 -0
package/dist/src/services/oidc-client.d.ts +57 -0
package/dist/src/services/oidc-client.d.ts.map +1 -0
package/dist/src/services/oidc-client.js +127 -0
package/dist/src/services/send-notification-feishu.d.ts +27 -0
package/dist/src/services/send-notification-feishu.d.ts.map +1 -0
package/dist/src/services/send-notification-feishu.js +148 -0
package/dist/src/services/session-refresh.d.ts +16 -0
package/dist/src/services/session-refresh.d.ts.map +1 -0
package/dist/src/services/session-refresh.js +38 -0
package/dist/src/store/credential-env-bindings.d.ts +16 -0
package/dist/src/store/credential-env-bindings.d.ts.map +1 -0
package/dist/src/store/credential-env-bindings.js +61 -0
package/dist/src/store/credential-store.d.ts +31 -0
package/dist/src/store/credential-store.d.ts.map +1 -0
package/dist/src/store/credential-store.js +57 -0
package/dist/src/store/oidc-state-store.d.ts +15 -0
package/dist/src/store/oidc-state-store.d.ts.map +1 -0
package/dist/src/store/oidc-state-store.js +32 -0
package/dist/src/store/session-store.d.ts +21 -0
package/dist/src/store/session-store.d.ts.map +1 -0
package/dist/src/store/session-store.js +69 -0
package/dist/src/store/tip-store.d.ts +21 -0
package/dist/src/store/tip-store.d.ts.map +1 -0
package/dist/src/store/tip-store.js +60 -0
package/dist/src/store/tool-approval-store.d.ts +44 -0
package/dist/src/store/tool-approval-store.d.ts.map +1 -0
package/dist/src/store/tool-approval-store.js +147 -0
package/dist/src/tools/identity-approve-tool.d.ts +24 -0
package/dist/src/tools/identity-approve-tool.d.ts.map +1 -0
package/dist/src/tools/identity-approve-tool.js +36 -0
package/dist/src/tools/identity-config.d.ts +13 -0
package/dist/src/tools/identity-config.d.ts.map +1 -0
package/dist/src/tools/identity-config.js +18 -0
package/dist/src/tools/identity-fetch.d.ts +21 -0
package/dist/src/tools/identity-fetch.d.ts.map +1 -0
package/dist/src/tools/identity-fetch.js +63 -0
package/dist/src/tools/identity-list-credentials.d.ts +15 -0
package/dist/src/tools/identity-list-credentials.d.ts.map +1 -0
package/dist/src/tools/identity-list-credentials.js +30 -0
package/dist/src/tools/identity-list-risk-patterns.d.ts +13 -0
package/dist/src/tools/identity-list-risk-patterns.d.ts.map +1 -0
package/dist/src/tools/identity-list-risk-patterns.js +23 -0
package/dist/src/tools/identity-list-tips.d.ts +13 -0
package/dist/src/tools/identity-list-tips.d.ts.map +1 -0
package/dist/src/tools/identity-list-tips.js +21 -0
package/dist/src/tools/identity-login.d.ts +14 -0
package/dist/src/tools/identity-login.d.ts.map +1 -0
package/dist/src/tools/identity-login.js +40 -0
package/dist/src/tools/identity-logout.d.ts +13 -0
package/dist/src/tools/identity-logout.d.ts.map +1 -0
package/dist/src/tools/identity-logout.js +24 -0
package/dist/src/tools/identity-risk-check.d.ts +29 -0
package/dist/src/tools/identity-risk-check.d.ts.map +1 -0
package/dist/src/tools/identity-risk-check.js +54 -0
package/dist/src/tools/identity-set-binding.d.ts +16 -0
package/dist/src/tools/identity-set-binding.d.ts.map +1 -0
package/dist/src/tools/identity-set-binding.js +31 -0
package/dist/src/tools/identity-status.d.ts +13 -0
package/dist/src/tools/identity-status.d.ts.map +1 -0
package/dist/src/tools/identity-status.js +41 -0
package/dist/src/tools/identity-unset-binding.d.ts +15 -0
package/dist/src/tools/identity-unset-binding.d.ts.map +1 -0
package/dist/src/tools/identity-unset-binding.js +25 -0
package/dist/src/tools/identity-whoami.d.ts +13 -0
package/dist/src/tools/identity-whoami.d.ts.map +1 -0
package/dist/src/tools/identity-whoami.js +38 -0
package/dist/src/types.d.ts +93 -0
package/dist/src/types.d.ts.map +1 -0
package/dist/src/types.js +5 -0
package/dist/src/utils/approval-channel.d.ts +11 -0
package/dist/src/utils/approval-channel.d.ts.map +1 -0
package/dist/src/utils/approval-channel.js +13 -0
package/dist/src/utils/auth.d.ts +24 -0
package/dist/src/utils/auth.d.ts.map +1 -0
package/dist/src/utils/auth.js +44 -0
package/dist/src/utils/derive-session-key.d.ts +78 -0
package/dist/src/utils/derive-session-key.d.ts.map +1 -0
package/dist/src/utils/derive-session-key.js +198 -0
package/openclaw.plugin.json +162 -0
package/package.json +33 -0
package/skills/SKILL.md +230 -0

package/dist/src/services/identity-credentials.js ADDED Viewed

@@ -0,0 +1,170 @@
+/**
+ * Identity credentials loader (veadk-style).
+ * Loads AK/SK from:
+ * 1. Explicit config (accessKeyId, secretAccessKey, sessionToken)
+ * 2. Environment variables (VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY, VOLCENGINE_SESSION_TOKEN)
+ * 3. Credential file (VOLCENGINE_CREDENTIALS_FILE or /var/run/secrets/iam/credential)
+ * Supports STS session token. Optional AssumeRole via roleTrn.
+ */
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+const ENV_AK = "VOLCENGINE_ACCESS_KEY";
+const ENV_SK = "VOLCENGINE_SECRET_KEY";
+const ENV_SESSION = "VOLCENGINE_SESSION_TOKEN";
+const ENV_CRED_FILE = "VOLCENGINE_CREDENTIALS_FILE";
+const DEFAULT_CRED_PATH = "/var/run/secrets/iam/credential";
+const ENV_ROLE_TRN = "RUNTIME_IAM_ROLE_TRN";
+/**
+ * Load credentials from config, env, or file (veadk-style).
+ * Order: explicit > env > file.
+ * Returns resolved credentials or throws if none found.
+ */
+export async function loadIdentityCredentials(opts = {}) {
+    const resolvePath = opts.resolvePath ?? ((p) => resolve(p));
+    let ak = opts.accessKeyId ?? process.env[ENV_AK] ?? "";
+    let sk = opts.secretAccessKey ?? process.env[ENV_SK] ?? "";
+    let sessionToken = opts.sessionToken ?? process.env[ENV_SESSION] ?? "";
+    if (ak && sk) {
+        if (sessionToken || !opts.roleTrn) {
+            return {
+                accessKeyId: ak.trim(),
+                secretAccessKey: sk.trim(),
+                sessionToken: sessionToken ? sessionToken.trim() : undefined,
+            };
+        }
+        if (opts.roleTrn) {
+            const stsCred = await assumeRole({
+                accessKeyId: ak,
+                secretAccessKey: sk,
+                roleTrn: opts.roleTrn,
+                region: "cn-beijing",
+            });
+            return {
+                accessKeyId: stsCred.accessKeyId,
+                secretAccessKey: stsCred.secretAccessKey,
+                sessionToken: stsCred.sessionToken,
+            };
+        }
+    }
+    const credPath = opts.credentialsFile ?? process.env[ENV_CRED_FILE] ?? DEFAULT_CRED_PATH;
+    const resolvedPath = resolvePath(credPath);
+    if (existsSync(resolvedPath)) {
+        const cred = await loadCredentialsFromFile(resolvedPath);
+        const { roleTrn: _rn, ...rest } = cred;
+        const roleTrn = cred.roleTrn ?? opts.roleTrn ?? process.env[ENV_ROLE_TRN];
+        if (roleTrn && cred.accessKeyId && cred.secretAccessKey && !cred.sessionToken) {
+            const stsCred = await assumeRole({
+                accessKeyId: cred.accessKeyId,
+                secretAccessKey: cred.secretAccessKey,
+                roleTrn,
+                region: "cn-beijing",
+            });
+            return stsCred;
+        }
+        return rest;
+    }
+    throw new Error(`Identity credentials not found. Set ${ENV_AK}/${ENV_SK} or ${ENV_CRED_FILE} (default: ${DEFAULT_CRED_PATH})`);
+}
+async function loadCredentialsFromFile(path) {
+    const raw = await readFile(path, "utf-8");
+    const data = JSON.parse(raw);
+    const ak = data.access_key_id ?? "";
+    const sk = data.secret_access_key ?? "";
+    const sessionToken = data.session_token ?? "";
+    const roleTrn = data.role_trn?.trim();
+    if (!ak || !sk) {
+        throw new Error(`Credential file ${path} missing access_key_id or secret_access_key`);
+    }
+    return {
+        accessKeyId: ak.trim(),
+        secretAccessKey: sk.trim(),
+        sessionToken: sessionToken ? sessionToken.trim() : undefined,
+        roleTrn,
+    };
+}
+const STS_ENDPOINT = "https://sts.volcengineapi.com";
+/**
+ * Call STS AssumeRole to get temporary credentials.
+ * Caches result and refreshes when expired (5 min buffer).
+ */
+const assumeRoleCache = new Map();
+const CACHE_KEY_BUFFER_SEC = 300;
+async function assumeRole(params) {
+    const { accessKeyId, secretAccessKey, roleTrn, region = "cn-beijing", roleSessionName = "clawdbot-identity", } = params;
+    const cacheKey = `${roleTrn}:${roleSessionName}`;
+    const cached = assumeRoleCache.get(cacheKey);
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (cached && cached.expiresAt > nowSec + CACHE_KEY_BUFFER_SEC) {
+        return cached.cred;
+    }
+    const body = {
+        RoleTrn: roleTrn,
+        RoleSessionName: roleSessionName,
+        DurationSeconds: 3600,
+    };
+    const bodyStr = JSON.stringify(body);
+    const xDate = new Date()
+        .toISOString()
+        .replace(/\.\d{3}Z$/, "Z")
+        .replace(/[:\-]/g, "");
+    const { createHash, createHmac } = await import("node:crypto");
+    const sha256 = (s) => createHash("sha256").update(s, "utf-8").digest("hex");
+    const hmac = (key, data) => createHmac("sha256", key).update(data, "utf-8").digest();
+    const xContentSha256 = sha256(bodyStr);
+    const canonicalQuery = ["Action=AssumeRole", "Version=2018-01-01"].join("&");
+    const url = new URL(`${STS_ENDPOINT}?${canonicalQuery}`);
+    const signedHeaders = "host;x-content-sha256;x-date";
+    const canonicalRequest = [
+        "POST",
+        url.pathname || "/",
+        canonicalQuery,
+        `host:${url.host}`,
+        `x-content-sha256:${xContentSha256}`,
+        `x-date:${xDate}`,
+        "",
+        signedHeaders,
+        xContentSha256,
+    ].join("\n");
+    const credentialScope = `${xDate.slice(0, 8)}/${region}/sts/request`;
+    const stringToSign = ["HMAC-SHA256", xDate, credentialScope, sha256(canonicalRequest)].join("\n");
+    const kDate = hmac(secretAccessKey, xDate.slice(0, 8));
+    const kRegion = hmac(kDate, region);
+    const kService = hmac(kRegion, "sts");
+    const kSigning = hmac(kService, "request");
+    const signature = createHmac("sha256", kSigning).update(stringToSign, "utf-8").digest("hex");
+    const authorization = `HMAC-SHA256 Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+    const res = await fetch(url.toString(), {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json; charset=UTF-8",
+            "X-Date": xDate,
+            "X-Content-Sha256": xContentSha256,
+            Authorization: authorization,
+        },
+        body: bodyStr,
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`STS AssumeRole failed ${res.status}: ${text}`);
+    }
+    const json = (await res.json());
+    const creds = json.Result?.Credentials;
+    if (!creds?.AccessKeyId || !creds?.SecretAccessKey || !creds?.SessionToken) {
+        throw new Error("STS AssumeRole response missing credentials");
+    }
+    let expiresAt = nowSec + 3600;
+    if (creds.ExpiredTime) {
+        const parsed = Date.parse(creds.ExpiredTime);
+        if (!Number.isNaN(parsed)) {
+            expiresAt = Math.floor(parsed / 1000);
+        }
+    }
+    const result = {
+        accessKeyId: creds.AccessKeyId,
+        secretAccessKey: creds.SecretAccessKey,
+        sessionToken: creds.SessionToken,
+    };
+    assumeRoleCache.set(cacheKey, { cred: result, expiresAt });
+    return result;
+}

package/dist/src/services/identity-service.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Identity service: bridges session store with CIS client.
+ * getWorkloadAccessToken: fetches TIP token for a session's userToken via CIS GetWorkloadAccessTokenForJWT.
+ */
+import type { TIPTokenEntry } from "../store/tip-store.js";
+import type { IdentityClientInterface } from "./identity-client.js";
+export type IdentityServiceConfig = {
+    identityClient: IdentityClientInterface;
+    workloadPoolName?: string;
+    workloadName?: string;
+    audience?: string[];
+    durationSeconds?: number;
+    /** When set (AssumeRole), do not pass workload name; backend uses roleName. */
+    roleTrn?: string;
+};
+export declare class IdentityService {
+    private readonly config;
+    constructor(config: IdentityServiceConfig);
+    getWorkloadAccessToken(params: {
+        agentId?: string;
+        userToken: string;
+        sub?: string;
+    }): Promise<TIPTokenEntry>;
+    /**
+     * Validate user token (basic JWT decode for sub; full validation would use UserPool JWKS).
+     * For now we trust tokens that are stored via login flow.
+     */
+    parseUserToken(userToken: string): {
+        valid: boolean;
+        sub?: string;
+    };
+}
+//# sourceMappingURL=identity-service.d.ts.map

package/dist/src/services/identity-service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity-service.d.ts","sourceRoot":"","sources":["../../../src/services/identity-service.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEpE,MAAM,MAAM,qBAAqB,GAAG;IAClC,cAAc,EAAE,uBAAuB,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,qBAAqB;IAEpD,sBAAsB,CAAC,MAAM,EAAE;QACnC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC,aAAa,CAAC;IA2B1B;;;OAGG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE;CAiBpE"}

package/dist/src/services/identity-service.js ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Identity service: bridges session store with CIS client.
+ * getWorkloadAccessToken: fetches TIP token for a session's userToken via CIS GetWorkloadAccessTokenForJWT.
+ */
+export class IdentityService {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async getWorkloadAccessToken(params) {
+        const { identityClient } = this.config;
+        // When roleTrn is set (AssumeRole), backend uses roleName; do not pass name/agentId.
+        const name = this.config.roleTrn
+            ? undefined
+            : this.config.workloadName ?? params.agentId ?? "openclaw-agent";
+        const result = await identityClient.getWorkloadAccessTokenForJWT({
+            userToken: params.userToken,
+            workloadPoolName: this.config.workloadPoolName,
+            name,
+            audience: this.config.audience,
+            durationSeconds: this.config.durationSeconds,
+        });
+        const expiresAtMs = new Date(result.expiresAt).getTime();
+        return {
+            token: result.workloadAccessToken,
+            sub: params.sub ?? "unknown",
+            agentId: params.agentId,
+            chain: [],
+            issuedAt: Date.now(),
+            expiresAt: expiresAtMs,
+        };
+    }
+    /**
+     * Validate user token (basic JWT decode for sub; full validation would use UserPool JWKS).
+     * For now we trust tokens that are stored via login flow.
+     */
+    parseUserToken(userToken) {
+        try {
+            const parts = userToken.split(".");
+            if (parts.length !== 3)
+                return { valid: false };
+            const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+            const sub = payload.sub;
+            if (payload.exp && payload.exp * 1000 < Date.now()) {
+                return { valid: false };
+            }
+            return { valid: true, sub };
+        }
+        catch {
+            return { valid: false };
+        }
+    }
+}

package/dist/src/services/oidc-client.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * OIDC client for UserPool login flow.
+ * Fetches .well-known/openid-configuration from data plane, then:
+ * - Build authorization URL for login
+ * - Exchange code for tokens
+ *
+ * Reference: veadk auth/middleware/oauth2_auth.py
+ */
+export type OIDCDiscovery = {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+    end_session_endpoint?: string;
+    jwks_uri?: string;
+    scopes_supported?: string[];
+    response_types_supported?: string[];
+};
+export declare function fetchOIDCDiscovery(discoveryUrl: string, timeoutMs?: number): Promise<OIDCDiscovery>;
+export declare function buildAuthorizationUrl(params: {
+    authorizationEndpoint: string;
+    clientId: string;
+    redirectUri: string;
+    scope?: string;
+    state: string;
+    responseType?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+}): string;
+export declare function exchangeCodeForTokens(params: {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret?: string;
+    code: string;
+    redirectUri: string;
+    codeVerifier?: string;
+}): Promise<{
+    access_token: string;
+    token_type?: string;
+    expires_in?: number;
+    refresh_token?: string;
+    id_token?: string;
+}>;
+/** Refresh access/id token using refresh_token grant. */
+export declare function refreshAccessToken(params: {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret?: string;
+    refreshToken: string;
+}): Promise<{
+    access_token: string;
+    id_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+}>;
+export declare function generateState(): Promise<string>;
+//# sourceMappingURL=oidc-client.d.ts.map

package/dist/src/services/oidc-client.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,GAAG,MAAM,CA0BT;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}

package/dist/src/services/oidc-client.js ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * OIDC client for UserPool login flow.
+ * Fetches .well-known/openid-configuration from data plane, then:
+ * - Build authorization URL for login
+ * - Exchange code for tokens
+ *
+ * Reference: veadk auth/middleware/oauth2_auth.py
+ */
+export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(discoveryUrl, { signal: controller.signal });
+        clearTimeout(timer);
+        if (!res.ok) {
+            throw new Error(`OIDC discovery failed: HTTP ${res.status} from ${discoveryUrl}`);
+        }
+        const data = (await res.json());
+        if (!data.authorization_endpoint || !data.token_endpoint) {
+            throw new Error("OIDC discovery missing authorization_endpoint or token_endpoint");
+        }
+        return data;
+    }
+    catch (err) {
+        clearTimeout(timer);
+        if (err instanceof Error)
+            throw err;
+        throw new Error(String(err));
+    }
+}
+export function buildAuthorizationUrl(params) {
+    const { authorizationEndpoint, clientId, redirectUri, scope = "openid profile email", state, responseType = "code", codeChallenge, codeChallengeMethod, } = params;
+    const search = new URLSearchParams({
+        response_type: responseType,
+        client_id: clientId,
+        scope,
+        redirect_uri: redirectUri,
+        state,
+    });
+    if (codeChallenge) {
+        search.set("code_challenge", codeChallenge);
+        search.set("code_challenge_method", codeChallengeMethod ?? "S256");
+    }
+    const sep = authorizationEndpoint.includes("?") ? "&" : "?";
+    return `${authorizationEndpoint}${sep}${search.toString()}`;
+}
+export async function exchangeCodeForTokens(params) {
+    const { tokenEndpoint, clientId, clientSecret, code, redirectUri, codeVerifier } = params;
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+    });
+    if (codeVerifier)
+        body.set("code_verifier", codeVerifier);
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+    };
+    if (clientSecret) {
+        const creds = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+        headers["Authorization"] = `Basic ${creds}`;
+    }
+    else {
+        body.set("client_id", clientId);
+    }
+    const res = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers,
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`Token exchange failed: HTTP ${res.status} - ${text}`);
+    }
+    const data = (await res.json());
+    const accessToken = data.access_token;
+    if (!accessToken || typeof accessToken !== "string") {
+        throw new Error("Token response missing access_token");
+    }
+    return {
+        access_token: accessToken,
+        token_type: data.token_type,
+        expires_in: typeof data.expires_in === "number" ? data.expires_in : undefined,
+        refresh_token: data.refresh_token,
+        id_token: data.id_token,
+    };
+}
+/** Refresh access/id token using refresh_token grant. */
+export async function refreshAccessToken(params) {
+    const { tokenEndpoint, clientId, clientSecret, refreshToken } = params;
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+    });
+    body.set("client_id", clientId);
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+    };
+    if (clientSecret) {
+        const creds = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+        headers["Authorization"] = `Basic ${creds}`;
+    }
+    const res = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers,
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`Token refresh failed: HTTP ${res.status} - ${text}`);
+    }
+    const data = (await res.json());
+    const accessToken = data.access_token;
+    if (!accessToken || typeof accessToken !== "string") {
+        throw new Error("Token refresh response missing access_token");
+    }
+    return {
+        access_token: accessToken,
+        id_token: data.id_token,
+        refresh_token: data.refresh_token,
+        expires_in: typeof data.expires_in === "number" ? data.expires_in : undefined,
+    };
+}
+export async function generateState() {
+    const { randomBytes } = await import("node:crypto");
+    return randomBytes(32).toString("base64url");
+}

package/dist/src/services/send-notification-feishu.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Minimal Feishu notification sender using Open API (no @larksuiteoapi dependency).
+ * Credentials resolved from cfg.channels.feishu same as feishu extension listEnabledFeishuAccounts.
+ * See https://open.feishu.cn/document/ukTMukTMukTM/uYjM04SO2QjL1IDN
+ */
+import type { OpenClawConfig } from "openclaw/plugin-sdk";
+type ResolvedCreds = {
+    appId: string;
+    appSecret: string;
+    baseUrl: string;
+};
+/**
+ * Resolve Feishu credentials from main config channels.feishu.
+ * Same merge logic as feishu extension resolveFeishuAccount.
+ */
+export declare function resolveFeishuCredsFromConfig(cfg: OpenClawConfig, accountId?: string | null): ResolvedCreds | null;
+/**
+ * Pick first enabled+configured account when accountId not specified.
+ */
+export declare function resolveDefaultFeishuCreds(cfg: OpenClawConfig): ResolvedCreds | null;
+/**
+ * Send a text message to a Feishu user or chat.
+ * Credentials from cfg.channels.feishu (same source as listEnabledFeishuAccounts).
+ */
+export declare function sendNotificationFeishu(cfg: OpenClawConfig, to: string, text: string, accountId?: string | null): Promise<void>;
+export {};
+//# sourceMappingURL=send-notification-feishu.d.ts.map

package/dist/src/services/send-notification-feishu.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"send-notification-feishu.d.ts","sourceRoot":"","sources":["../../../src/services/send-notification-feishu.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAY1D,KAAK,aAAa,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAmB3E;;;GAGG;AACH,wBAAgB,4BAA4B,CAC1C,GAAG,EAAE,cAAc,EACnB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,aAAa,GAAG,IAAI,CAetB;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,cAAc,GAAG,aAAa,GAAG,IAAI,CAOnF;AAiED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,OAAO,CAAC,IAAI,CAAC,CAgDf"}

package/dist/src/services/send-notification-feishu.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * Minimal Feishu notification sender using Open API (no @larksuiteoapi dependency).
+ * Credentials resolved from cfg.channels.feishu same as feishu extension listEnabledFeishuAccounts.
+ * See https://open.feishu.cn/document/ukTMukTMukTM/uYjM04SO2QjL1IDN
+ */
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/account-id";
+function listFeishuAccountIds(cfg) {
+    const feishu = cfg.channels?.feishu;
+    const accounts = feishu?.accounts;
+    if (!accounts || typeof accounts !== "object") {
+        return [DEFAULT_ACCOUNT_ID];
+    }
+    const ids = Object.keys(accounts).filter(Boolean);
+    return ids.length > 0 ? [...ids].sort((a, b) => a.localeCompare(b)) : [DEFAULT_ACCOUNT_ID];
+}
+function mergeFeishuAccountConfig(cfg, accountId) {
+    const feishu = cfg.channels?.feishu;
+    const { accounts: _ignored, ...base } = feishu ?? {};
+    const account = feishu?.accounts?.[accountId] ?? {};
+    return { ...base, ...account };
+}
+/**
+ * Resolve Feishu credentials from main config channels.feishu.
+ * Same merge logic as feishu extension resolveFeishuAccount.
+ */
+export function resolveFeishuCredsFromConfig(cfg, accountId) {
+    const accId = normalizeAccountId(accountId);
+    const merged = mergeFeishuAccountConfig(cfg, accId);
+    if (merged.enabled === false)
+        return null;
+    const appId = merged.appId?.trim();
+    const appSecret = merged.appSecret?.trim();
+    if (!appId || !appSecret)
+        return null;
+    const domain = merged.domain ?? "feishu";
+    const baseUrl = domain === "lark"
+        ? "https://open.larksuite.com"
+        : domain.startsWith("https://")
+            ? domain.replace(/\/$/, "")
+            : "https://open.feishu.cn";
+    return { appId, appSecret, baseUrl };
+}
+/**
+ * Pick first enabled+configured account when accountId not specified.
+ */
+export function resolveDefaultFeishuCreds(cfg) {
+    const ids = listFeishuAccountIds(cfg);
+    for (const id of ids) {
+        const creds = resolveFeishuCredsFromConfig(cfg, id);
+        if (creds)
+            return creds;
+    }
+    return null;
+}
+let cachedToken = null;
+const TOKEN_BUFFER_MS = 5 * 60 * 1000;
+async function getTenantAccessToken(creds) {
+    const now = Date.now();
+    if (cachedToken &&
+        cachedToken.baseUrl === creds.baseUrl &&
+        cachedToken.expiresAt > now + TOKEN_BUFFER_MS) {
+        return cachedToken.token;
+    }
+    const res = await fetch(`${creds.baseUrl}/open-apis/auth/v3/tenant_access_token/internal`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            app_id: creds.appId,
+            app_secret: creds.appSecret,
+        }),
+    });
+    if (!res.ok) {
+        throw new Error(`Feishu auth failed: ${res.status} ${await res.text()}`);
+    }
+    const json = (await res.json());
+    if (json.code !== 0 || !json.tenant_access_token) {
+        throw new Error(`Feishu auth error: ${json.msg ?? json.code ?? "unknown"}`);
+    }
+    const expireMs = (json.expire ?? 7200) * 1000;
+    cachedToken = {
+        token: json.tenant_access_token,
+        expiresAt: now + expireMs,
+        baseUrl: creds.baseUrl,
+    };
+    return cachedToken.token;
+}
+function resolveReceiveIdType(to) {
+    const t = to.trim().toLowerCase();
+    if (t.startsWith("chat:"))
+        return "chat_id";
+    if (t.startsWith("user:"))
+        return "open_id";
+    if (t.startsWith("open_id:"))
+        return "open_id";
+    if (t.startsWith("oc_"))
+        return "chat_id";
+    if (t.startsWith("ou_"))
+        return "open_id";
+    return "user_id";
+}
+function extractReceiveId(to) {
+    const t = to.trim();
+    if (/^(chat|user|open_id):/i.test(t)) {
+        return t.replace(/^(chat|user|open_id):/i, "").trim();
+    }
+    return t;
+}
+/**
+ * Send a text message to a Feishu user or chat.
+ * Credentials from cfg.channels.feishu (same source as listEnabledFeishuAccounts).
+ */
+export async function sendNotificationFeishu(cfg, to, text, accountId) {
+    const creds = accountId != null
+        ? resolveFeishuCredsFromConfig(cfg, accountId)
+        : resolveDefaultFeishuCreds(cfg);
+    if (!creds) {
+        throw new Error("Feishu not configured. Set channels.feishu.appId and appSecret in openclaw.json.");
+    }
+    const token = await getTenantAccessToken(creds);
+    const receiveId = extractReceiveId(to);
+    const receiveIdType = resolveReceiveIdType(to);
+    if (!receiveId) {
+        throw new Error(`Invalid Feishu target: ${to}`);
+    }
+    const content = JSON.stringify({
+        zh_cn: { title: "", content: [[{ tag: "text", text }]] },
+        en_us: { title: "", content: [[{ tag: "text", text }]] },
+    });
+    const res = await fetch(`${creds.baseUrl}/open-apis/im/v1/messages?receive_id_type=${receiveIdType}`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${token}`,
+        },
+        body: JSON.stringify({
+            receive_id: receiveId,
+            msg_type: "post",
+            content,
+        }),
+    });
+    if (!res.ok) {
+        throw new Error(`Feishu send failed: ${res.status} ${await res.text()}`);
+    }
+    const json = (await res.json());
+    if (json.code !== 0) {
+        throw new Error(`Feishu send error: ${json.msg ?? json.code ?? "unknown"}`);
+    }
+}

package/dist/src/services/session-refresh.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Session token refresh: when userToken expires, use refresh_token to get new tokens.
+ * Used by before_agent_start when GetWorkloadAccessTokenForJWT fails with "token has expired".
+ */
+export type OIDCConfigForRefresh = {
+    discoveryUrl: string;
+    clientId: string;
+    clientSecret?: string;
+};
+/**
+ * Refresh session userToken using refresh_token grant.
+ * Updates session with new userToken (and rotated refresh_token if returned).
+ * Returns the new userToken or null if refresh failed or no refresh token.
+ */
+export declare function refreshSessionUserToken(storeDir: string, sessionKey: string, getOidcConfig: () => Promise<OIDCConfigForRefresh>): Promise<string | null>;
+//# sourceMappingURL=session-refresh.d.ts.map

package/dist/src/services/session-refresh.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/session-refresh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,GACjD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA4BxB"}