@m1a0rz/agent-identity 0.1.5 → 0.1.6

package/dist/index.d.ts

@@ -4,7 +4,7 @@
  * - UserPool login via /identity login (OIDC URL returned directly, no HTTP start endpoint)
  * - Credential hosting: list-credentials, fetch <provider>, set <provider> <envVar>
  * - TIP token via AgentIdentity GetWorkloadAccessTokenForJWT in before_agent_start
- * - TIP/session propagation in before_tool_call when sessions_send is used (params.sessionKey only)
+ * - TIP/session propagation: before_tool_call (sessions_send params.sessionKey), subagent_spawned (sessions_spawn)
  * - Optional AuthZ in before_tool_call
  * - HTTP callback: /identity/oauth/callback (OIDC login). Credential OAuth uses Identity-provided callback.
  * - Tools: identity_whoami, identity_logout

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAwD7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAyTtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAyD7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAkUtD"}

package/dist/index.js

@@ -4,7 +4,7 @@
  * - UserPool login via /identity login (OIDC URL returned directly, no HTTP start endpoint)
  * - Credential hosting: list-credentials, fetch <provider>, set <provider> <envVar>
  * - TIP token via AgentIdentity GetWorkloadAccessTokenForJWT in before_agent_start
- * - TIP/session propagation in before_tool_call when sessions_send is used (params.sessionKey only)
+ * - TIP/session propagation: before_tool_call (sessions_send params.sessionKey), subagent_spawned (sessions_spawn)
  * - Optional AuthZ in before_tool_call
  * - HTTP callback: /identity/oauth/callback (OIDC login). Credential OAuth uses Identity-provided callback.
  * - Tools: identity_whoami, identity_logout
@@ -12,6 +12,7 @@
 import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
 import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
 import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
+import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
 import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
 import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
 import { IdentityClient, resolveOIDCConfig, } from "./src/services/identity-client.js";
@@ -189,7 +190,7 @@ export default function register(api) {
         }
         if (target.channel === "feishu") {
             try {
-                const cfg = await api.runtime.config.loadConfig();
+                const cfg = api.runtime.config.loadConfig();
                 await sendNotificationFeishu(cfg, target.to, text, target.accountId);
             }
             catch (err) {
@@ -297,6 +298,12 @@ export default function register(api) {
             configWorkloadName: identityCfg?.workloadName,
             logger: api.logger,
         }));
+        api.on("subagent_spawned", createSessionsSpawnPropagationHandler({
+            storeDir,
+            identityService,
+            configWorkloadName: identityCfg?.workloadName,
+            logger: api.logger,
+        }));
     }
     if (authz?.enable) {
         api.on("before_tool_call", createBeforeToolCallHandler({

package/dist/src/hooks/sessions-spawn-propagation.d.ts

@@ -0,0 +1,27 @@
+/**
+ * subagent_spawned hook: propagate TIP and session to child when sessions_spawn
+ * creates a subagent.
+ *
+ * First-time spawn does not go through sessions_send, so we handle it here.
+ * Uses requester's TIP token as JWT input for delegation (user → main → sub).
+ * Copies session (userToken) to child.
+ */
+import type { IdentityService } from "../services/identity-service.js";
+export type SessionsSpawnPropagationDeps = {
+    storeDir: string;
+    identityService: IdentityService;
+    configWorkloadName?: string;
+    logger: {
+        info?: (msg: string) => void;
+        debug?: (msg: string) => void;
+    };
+};
+export declare function createSessionsSpawnPropagationHandler(deps: SessionsSpawnPropagationDeps): (_event: {
+    childSessionKey: string;
+    runId: string;
+    agentId: string;
+}, ctx: {
+    requesterSessionKey?: string;
+    childSessionKey?: string;
+}) => Promise<void>;
+//# sourceMappingURL=sessions-spawn-propagation.d.ts.map

package/dist/src/hooks/sessions-spawn-propagation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions-spawn-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-spawn-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAKvE,MAAM,MAAM,4BAA4B,GAAG;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF,wBAAgB,qCAAqC,CAAC,IAAI,EAAE,4BAA4B,IAIpF,QAAQ;IAAE,eAAe,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EACnE,KAAK;IAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,KAC9D,OAAO,CAAC,IAAI,CAAC,CAsCjB"}

package/dist/src/hooks/sessions-spawn-propagation.js

@@ -0,0 +1,45 @@
+/**
+ * subagent_spawned hook: propagate TIP and session to child when sessions_spawn
+ * creates a subagent.
+ *
+ * First-time spawn does not go through sessions_send, so we handle it here.
+ * Uses requester's TIP token as JWT input for delegation (user → main → sub).
+ * Copies session (userToken) to child.
+ */
+import { getSession, setSession } from "../store/session-store.js";
+import { getTIPToken } from "../store/tip-store.js";
+import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
+export function createSessionsSpawnPropagationHandler(deps) {
+    const { storeDir, identityService, configWorkloadName, logger } = deps;
+    return async (_event, ctx) => {
+        const callerSessionKey = ctx.requesterSessionKey;
+        const targetSessionKey = ctx.childSessionKey ?? _event.childSessionKey;
+        if (!callerSessionKey || !targetSessionKey || callerSessionKey === targetSessionKey) {
+            return;
+        }
+        try {
+            const callerTIP = await getTIPToken(storeDir, callerSessionKey);
+            if (!callerTIP) {
+                logger.debug?.(`agent-identity: sessions_spawn skip (requester ${callerSessionKey.slice(0, 24)}... has no TIP)`);
+                return;
+            }
+            await fetchAndStoreTIP({
+                storeDir,
+                sessionKey: targetSessionKey,
+                identityService,
+                jwtForExchange: callerTIP.token,
+                sub: callerTIP.sub,
+                configWorkloadName,
+                parentSessionKey: callerSessionKey,
+            });
+            logger.info?.(`agent-identity: TIP propagated to ${targetSessionKey.slice(0, 24)}... via sessions_spawn`);
+            const callerSession = await getSession(storeDir, callerSessionKey);
+            if (callerSession) {
+                await setSession(storeDir, targetSessionKey, callerSession);
+            }
+        }
+        catch (err) {
+            logger.info?.(`agent-identity: sessions_spawn propagation failed: ${String(err)}`);
+        }
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@m1a0rz/agent-identity",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
   "type": "module",
   "main": "dist/index.js",

package/dist/src/hooks/after-tool-call.d.ts

@@ -1,22 +0,0 @@
-/**
- * after_tool_call hook: propagate TIP token to child session on sessions_spawn.
- * When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
- */
-export type AfterToolCallDeps = {
-    storeDir: string;
-    logger: {
-        info?: (msg: string) => void;
-    };
-};
-export declare function createAfterToolCallHandler(deps: AfterToolCallDeps): (event: {
-    toolName: string;
-    params: Record<string, unknown>;
-    result?: unknown;
-    error?: string;
-    durationMs?: number;
-}, ctx: {
-    agentId?: string;
-    sessionKey?: string;
-    toolName: string;
-}) => Promise<void>;
-//# sourceMappingURL=after-tool-call.d.ts.map

package/dist/src/hooks/after-tool-call.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"after-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/after-tool-call.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEF,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,iBAAiB,IAI9D,OAAO;IACL,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,EACD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC,IAAI,CAAC,CA4BjB"}

package/dist/src/hooks/after-tool-call.js

@@ -1,35 +0,0 @@
-/**
- * after_tool_call hook: propagate TIP token to child session on sessions_spawn.
- * When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
- */
-import { getTIPToken, setTIPToken } from "../store/tip-store.js";
-export function createAfterToolCallHandler(deps) {
-    const { storeDir, logger } = deps;
-    return async (event, ctx) => {
-        if (event.toolName !== "sessions_spawn")
-            return;
-        const result = event.result;
-        const childSessionKey = result?.childSessionKey;
-        if (!childSessionKey || typeof childSessionKey !== "string")
-            return;
-        const parentSessionKey = ctx.sessionKey;
-        if (!parentSessionKey)
-            return;
-        try {
-            const parentTIP = await getTIPToken(storeDir, parentSessionKey);
-            if (!parentTIP)
-                return;
-            const childTIP = {
-                ...parentTIP,
-                chain: [...(parentTIP.chain ?? []), ctx.agentId ?? "unknown"],
-                parentSessionKey,
-                issuedAt: Date.now(),
-            };
-            await setTIPToken(storeDir, childSessionKey, childTIP);
-            logger.info?.(`agent-identity: TIP propagated to child ${childSessionKey.slice(0, 32)}...`);
-        }
-        catch (err) {
-            logger.info?.(`agent-identity: failed to propagate TIP to child: ${String(err)}`);
-        }
-    };
-}

package/dist/src/hooks/subagent-spawned.d.ts

@@ -1,30 +0,0 @@
-/**
- * subagent_spawned hook: propagate TIP token to child session.
- * Replaces after_tool_call (sessions_spawn) with dedicated lifecycle hook.
- * When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
- */
-export type SubagentSpawnedDeps = {
-    storeDir: string;
-    logger: {
-        info?: (msg: string) => void;
-    };
-};
-export declare function createSubagentSpawnedHandler(deps: SubagentSpawnedDeps): (event: {
-    runId: string;
-    childSessionKey: string;
-    agentId: string;
-    label?: string;
-    mode: "run" | "session";
-    requester?: {
-        channel?: string;
-        accountId?: string;
-        to?: string;
-        threadId?: string | number;
-    };
-    threadRequested: boolean;
-}, ctx: {
-    runId?: string;
-    childSessionKey?: string;
-    requesterSessionKey?: string;
-}) => Promise<void>;
-//# sourceMappingURL=subagent-spawned.d.ts.map

package/dist/src/hooks/subagent-spawned.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"subagent-spawned.d.ts","sourceRoot":"","sources":["../../../src/hooks/subagent-spawned.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEF,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAIlE,OAAO;IACL,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,KAAK,GAAG,SAAS,CAAC;IACxB,SAAS,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IAC9F,eAAe,EAAE,OAAO,CAAC;CAC1B,EACD,KAAK;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAE,KAC9E,OAAO,CAAC,IAAI,CAAC,CAsBjB"}

package/dist/src/hooks/subagent-spawned.js

@@ -1,30 +0,0 @@
-/**
- * subagent_spawned hook: propagate TIP token to child session.
- * Replaces after_tool_call (sessions_spawn) with dedicated lifecycle hook.
- * When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
- */
-import { getTIPToken, setTIPToken } from "../store/tip-store.js";
-export function createSubagentSpawnedHandler(deps) {
-    const { storeDir, logger } = deps;
-    return async (event, ctx) => {
-        const parentSessionKey = ctx.requesterSessionKey;
-        if (!parentSessionKey)
-            return;
-        try {
-            const parentTIP = await getTIPToken(storeDir, parentSessionKey);
-            if (!parentTIP)
-                return;
-            const childTIP = {
-                ...parentTIP,
-                chain: [...(parentTIP.chain ?? []), event.agentId ?? "unknown"],
-                parentSessionKey,
-                issuedAt: Date.now(),
-            };
-            await setTIPToken(storeDir, event.childSessionKey, childTIP);
-            logger.info?.(`agent-identity: TIP propagated to child ${event.childSessionKey.slice(0, 32)}...`);
-        }
-        catch (err) {
-            logger.info?.(`agent-identity: failed to propagate TIP to child: ${String(err)}`);
-        }
-    };
-}