@m1a0rz/agent-identity 0.1.8 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README-cn.md +1 -1
- package/README.md +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +31 -5
- package/dist/src/actions/identity-actions.d.ts +3 -0
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +53 -57
- package/dist/src/commands/identity-commands.d.ts.map +1 -1
- package/dist/src/commands/identity-commands.js +2 -1
- package/dist/src/hooks/before-agent-start.d.ts +1 -2
- package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
- package/dist/src/hooks/before-agent-start.js +16 -47
- package/dist/src/hooks/before-tool-call.d.ts +7 -1
- package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
- package/dist/src/hooks/before-tool-call.js +63 -19
- package/dist/src/hooks/llm-input.d.ts +19 -0
- package/dist/src/hooks/llm-input.d.ts.map +1 -0
- package/dist/src/hooks/llm-input.js +20 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts +4 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-send-propagation.js +18 -21
- package/dist/src/hooks/sessions-spawn-propagation.d.ts +5 -1
- package/dist/src/hooks/sessions-spawn-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-spawn-propagation.js +20 -22
- package/dist/src/hooks/subagent-ended-cleanup.d.ts +1 -0
- package/dist/src/hooks/subagent-ended-cleanup.d.ts.map +1 -1
- package/dist/src/hooks/subagent-ended-cleanup.js +3 -2
- package/dist/src/risk/classify-risk.d.ts.map +1 -1
- package/dist/src/risk/classify-risk.js +3 -1
- package/dist/src/risk/llm-risk-check.d.ts.map +1 -1
- package/dist/src/risk/llm-risk-check.js +5 -4
- package/dist/src/services/tip-propagation.d.ts +25 -0
- package/dist/src/services/tip-propagation.d.ts.map +1 -0
- package/dist/src/services/tip-propagation.js +43 -0
- package/dist/src/services/tip-with-refresh.d.ts +24 -0
- package/dist/src/services/tip-with-refresh.d.ts.map +1 -0
- package/dist/src/services/tip-with-refresh.js +68 -0
- package/dist/src/store/skill-path-store.d.ts +10 -0
- package/dist/src/store/skill-path-store.d.ts.map +1 -0
- package/dist/src/store/skill-path-store.js +90 -0
- package/dist/src/tools/identity-approve-tool.d.ts.map +1 -1
- package/dist/src/tools/identity-approve-tool.js +3 -2
- package/dist/src/types.d.ts +13 -6
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/logger.d.ts +17 -0
- package/dist/src/utils/logger.d.ts.map +1 -0
- package/dist/src/utils/logger.js +21 -0
- package/dist/src/utils/parse-available-skills.d.ts +6 -0
- package/dist/src/utils/parse-available-skills.d.ts.map +1 -0
- package/dist/src/utils/parse-available-skills.js +19 -0
- package/dist/src/utils/token-errors.d.ts +5 -0
- package/dist/src/utils/token-errors.d.ts.map +1 -0
- package/dist/src/utils/token-errors.js +7 -0
- package/openclaw.plugin.json +18 -7
- package/package.json +1 -1
- package/skills/SKILL.md +3 -3
package/README-cn.md
CHANGED
|
@@ -243,7 +243,7 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
|
|
|
243
243
|
|
|
244
244
|
- **before_agent_start** - 获取 TIP token;按 credential-env-bindings(按 session)将凭据注入到 `process.env`
|
|
245
245
|
- **subagent_spawned** - 在子 agent 创建时将 TIP 传播到子会话
|
|
246
|
-
- **before_tool_call** - 当 authz.
|
|
246
|
+
- **before_tool_call** - 当 authz.toolCheck、authz.skillReadCheck 或 authz.requireRiskApproval 时可选 AuthZ。TIP + CheckPermission 工具/skill;高风险工具需审批。评估命令/路径风险(规则 + 可选 LLM via authz.enableLlmRiskCheck)。
|
|
247
247
|
|
|
248
248
|
## 数据存储
|
|
249
249
|
|
package/README.md
CHANGED
|
@@ -243,7 +243,7 @@ Follow-up messages (login success, credential fetch done) are not delivered when
|
|
|
243
243
|
|
|
244
244
|
- **before_agent_start** - Fetch TIP token; inject credentials into `process.env` per credential-env-bindings (per-session)
|
|
245
245
|
- **subagent_spawned** - Propagate TIP to child session on subagent spawn
|
|
246
|
-
- **before_tool_call** - Optional AuthZ
|
|
246
|
+
- **before_tool_call** - Optional AuthZ when authz.toolCheck, authz.skillReadCheck, or authz.requireRiskApproval. TIP + CheckPermission for tools/skills; risk approval for high-risk tools. Evaluates user-provided commands/paths (rules + optional LLM via authz.enableLlmRiskCheck).
|
|
247
247
|
|
|
248
248
|
## Data Storage
|
|
249
249
|
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA6D7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAoWtD"}
|
package/dist/index.js
CHANGED
|
@@ -11,10 +11,12 @@
|
|
|
11
11
|
*/
|
|
12
12
|
import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
|
|
13
13
|
import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
|
|
14
|
+
import { createLlmInputHandler } from "./src/hooks/llm-input.js";
|
|
14
15
|
import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
|
|
15
16
|
import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
|
|
16
17
|
import { createSubagentEndedCleanupHandler } from "./src/hooks/subagent-ended-cleanup.js";
|
|
17
18
|
import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
|
|
19
|
+
import * as skillPathStore from "./src/store/skill-path-store.js";
|
|
18
20
|
import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
|
|
19
21
|
import { IdentityClient, resolveOIDCConfig, } from "./src/services/identity-client.js";
|
|
20
22
|
import { IdentityService } from "./src/services/identity-service.js";
|
|
@@ -33,6 +35,7 @@ import { createIdentityStatusTool } from "./src/tools/identity-status.js";
|
|
|
33
35
|
import { createIdentityUnsetBindingTool } from "./src/tools/identity-unset-binding.js";
|
|
34
36
|
import { createIdentityWhoamiTool } from "./src/tools/identity-whoami.js";
|
|
35
37
|
import { parseSessionKeyToDeliveryTarget, } from "./src/utils/derive-session-key.js";
|
|
38
|
+
import { logInfo, logWarn } from "./src/utils/logger.js";
|
|
36
39
|
const PLUGIN_STORE_DIR = "~/.openclaw/plugins/identity";
|
|
37
40
|
/**
|
|
38
41
|
* Whether Identity should be enabled.
|
|
@@ -186,7 +189,7 @@ export default function register(api) {
|
|
|
186
189
|
? targetOrSessionKey
|
|
187
190
|
: parseSessionKeyToDeliveryTarget(targetOrSessionKey);
|
|
188
191
|
if (!target) {
|
|
189
|
-
api.logger
|
|
192
|
+
logWarn(api.logger, "Cannot deliver to channel (sessionKey not parseable). Set session.dmScope to per-channel-peer or per-account-channel-peer so approval messages reach Feishu/Telegram/etc.");
|
|
190
193
|
return;
|
|
191
194
|
}
|
|
192
195
|
if (target.channel === "feishu") {
|
|
@@ -195,7 +198,7 @@ export default function register(api) {
|
|
|
195
198
|
await sendNotificationFeishu(cfg, target.to, text, target.accountId);
|
|
196
199
|
}
|
|
197
200
|
catch (err) {
|
|
198
|
-
api.logger
|
|
201
|
+
logWarn(api.logger, `Feishu notification failed (to=${target.to}): ${String(err)}`);
|
|
199
202
|
}
|
|
200
203
|
return;
|
|
201
204
|
}
|
|
@@ -257,6 +260,8 @@ export default function register(api) {
|
|
|
257
260
|
storeDir,
|
|
258
261
|
identityService,
|
|
259
262
|
getOidcConfig: getOidcConfigForCommand,
|
|
263
|
+
getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
|
|
264
|
+
configWorkloadName: identityCfg?.workloadName,
|
|
260
265
|
identityClient: hasIdentity ? identityClient : undefined,
|
|
261
266
|
logger: api.logger,
|
|
262
267
|
pluginConfig,
|
|
@@ -264,7 +269,7 @@ export default function register(api) {
|
|
|
264
269
|
};
|
|
265
270
|
api.registerCommand(createIdentityCommand(identityCommandsDeps));
|
|
266
271
|
api.registerCommand(createIdCommand(identityCommandsDeps));
|
|
267
|
-
api.logger
|
|
272
|
+
logInfo(api.logger, "commands /identity, /id (login, status, logout, list-tips, list-credentials, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
|
|
268
273
|
// Tools (share deps with commands). Optional = only included when agent allowlist explicitly adds them.
|
|
269
274
|
api.registerTool(createIdentityWhoamiTool(identityCommandsDeps), { optional: false });
|
|
270
275
|
api.registerTool(createIdentityLogoutTool(identityCommandsDeps), { optional: false });
|
|
@@ -297,12 +302,16 @@ export default function register(api) {
|
|
|
297
302
|
storeDir,
|
|
298
303
|
identityService,
|
|
299
304
|
configWorkloadName: identityCfg?.workloadName,
|
|
305
|
+
getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
|
|
306
|
+
subagentTipPropagation: identityCfg?.subagentTipPropagation,
|
|
300
307
|
logger: api.logger,
|
|
301
308
|
}));
|
|
302
309
|
api.on("subagent_spawned", createSessionsSpawnPropagationHandler({
|
|
303
310
|
storeDir,
|
|
304
311
|
identityService,
|
|
305
312
|
configWorkloadName: identityCfg?.workloadName,
|
|
313
|
+
getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
|
|
314
|
+
subagentTipPropagation: identityCfg?.subagentTipPropagation,
|
|
306
315
|
logger: api.logger,
|
|
307
316
|
}));
|
|
308
317
|
api.on("subagent_ended", createSubagentEndedCleanupHandler({
|
|
@@ -310,15 +319,32 @@ export default function register(api) {
|
|
|
310
319
|
logger: api.logger,
|
|
311
320
|
}));
|
|
312
321
|
}
|
|
313
|
-
|
|
322
|
+
const toolCheck = authz?.toolCheck ?? false;
|
|
323
|
+
const skillReadCheck = authz?.skillReadCheck ?? false;
|
|
324
|
+
const requireRiskApproval = authz?.requireRiskApproval ?? false;
|
|
325
|
+
const hasAuthz = toolCheck || skillReadCheck || requireRiskApproval;
|
|
326
|
+
if (skillReadCheck) {
|
|
327
|
+
api.on("llm_input", createLlmInputHandler({
|
|
328
|
+
enabled: true,
|
|
329
|
+
logger: api.logger,
|
|
330
|
+
}));
|
|
331
|
+
api.on("session_end", (_event, ctx) => {
|
|
332
|
+
if (ctx.sessionId)
|
|
333
|
+
skillPathStore.clearSessionById(ctx.sessionId);
|
|
334
|
+
});
|
|
335
|
+
}
|
|
336
|
+
if (hasAuthz) {
|
|
314
337
|
api.on("before_tool_call", createBeforeToolCallHandler({
|
|
315
338
|
storeDir,
|
|
316
339
|
identityClient: hasIdentity ? identityClient : undefined,
|
|
317
|
-
namespaceName: authz
|
|
340
|
+
namespaceName: authz?.namespaceName ?? "default",
|
|
318
341
|
logger: api.logger,
|
|
319
342
|
sendToSession,
|
|
320
343
|
authz,
|
|
321
344
|
approvalTtlMs,
|
|
345
|
+
identityService: hasIdentity ? identityService : undefined,
|
|
346
|
+
getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
|
|
347
|
+
configWorkloadName: identityCfg?.workloadName,
|
|
322
348
|
}));
|
|
323
349
|
}
|
|
324
350
|
}
|
|
@@ -5,6 +5,7 @@
|
|
|
5
5
|
import type { OpenClawConfig } from "openclaw/plugin-sdk";
|
|
6
6
|
import type { IdentityClientInterface } from "../services/identity-client.js";
|
|
7
7
|
import type { IdentityService } from "../services/identity-service.js";
|
|
8
|
+
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
8
9
|
import type { PluginConfig } from "../types.js";
|
|
9
10
|
import type { SessionKeyDeliveryTarget } from "../utils/derive-session-key.js";
|
|
10
11
|
import { type CredentialEntry } from "../store/credential-store.js";
|
|
@@ -24,6 +25,8 @@ export type IdentityActionsDeps = {
|
|
|
24
25
|
storeDir: string;
|
|
25
26
|
identityService: IdentityService;
|
|
26
27
|
getOidcConfig: () => Promise<OIDCConfigForCommand>;
|
|
28
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
29
|
+
configWorkloadName?: string;
|
|
27
30
|
identityClient?: IdentityClientInterface;
|
|
28
31
|
logger?: IdentityActionsLogger;
|
|
29
32
|
pluginConfig?: PluginConfig;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAc/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAqDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAWvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,GACf,OAAO,CAAC,qBAAqB,CAAC,CA2EhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA2ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,GACA,OAAO,CAAC,WAAW,CAAC,CAsHtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
|
|
@@ -2,12 +2,14 @@
|
|
|
2
2
|
* Shared identity actions: pure logic returning structured data.
|
|
3
3
|
* Used by both commands (format to text) and tools (return jsonResult).
|
|
4
4
|
*/
|
|
5
|
+
import { logDebug, logInfo, logWarn } from "../utils/logger.js";
|
|
6
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
5
7
|
import { fetchOIDCDiscovery, buildAuthorizationUrl, generateState, } from "../services/oidc-client.js";
|
|
6
8
|
import { loadCredentialEnvBindings, loadAllCredentialEnvBindings, setCredentialEnvBinding, deleteCredentialEnvBinding, } from "../store/credential-env-bindings.js";
|
|
7
9
|
import { loadCredentials, setCredential, getCredential, deleteCredentialsForSession, } from "../store/credential-store.js";
|
|
8
10
|
import { getSession, deleteSession } from "../store/session-store.js";
|
|
9
11
|
import { createState } from "../store/oidc-state-store.js";
|
|
10
|
-
import {
|
|
12
|
+
import { loadTIPTokens, saveTIPTokens } from "../store/tip-store.js";
|
|
11
13
|
import { extractDelegationChainFromJwt } from "../utils/auth.js";
|
|
12
14
|
import { resolveAgentId, } from "../utils/derive-session-key.js";
|
|
13
15
|
function inferFlowFromProvider(info) {
|
|
@@ -49,46 +51,26 @@ async function pollOAuthAndNotify(params) {
|
|
|
49
51
|
}
|
|
50
52
|
}
|
|
51
53
|
catch (err) {
|
|
52
|
-
logger
|
|
54
|
+
logDebug(logger, `fetch poll attempt failed: ${String(err)}`);
|
|
53
55
|
}
|
|
54
56
|
}
|
|
55
57
|
const target = deliveryTarget ?? sessionKey;
|
|
56
58
|
await sendCredentialMessage?.(target, `⚠️ Authorization timed out for \`${provider}\`. Run \`/identity fetch ${provider}\` again.`);
|
|
57
59
|
}
|
|
58
60
|
export async function runStatus(deps, sessionKey, config) {
|
|
59
|
-
const { storeDir, identityService, logger } = deps;
|
|
61
|
+
const { storeDir, identityService, getOidcConfigForRefresh, configWorkloadName, logger } = deps;
|
|
60
62
|
const session = await getSession(storeDir, sessionKey);
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
});
|
|
70
|
-
await setTIPToken(storeDir, sessionKey, fresh);
|
|
71
|
-
tip = fresh;
|
|
72
|
-
}
|
|
73
|
-
catch (err) {
|
|
74
|
-
logger?.debug?.(`[identity status] TIP refresh failed: ${err.message}`);
|
|
63
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
64
|
+
const tipRefreshOptions = getOidcConfigForRefresh
|
|
65
|
+
? {
|
|
66
|
+
identityService,
|
|
67
|
+
getOidcConfigForRefresh,
|
|
68
|
+
configWorkloadName,
|
|
69
|
+
ctxAgentId,
|
|
70
|
+
logger,
|
|
75
71
|
}
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
try {
|
|
79
|
-
const agentId = resolveAgentId({ sessionKey, config: config });
|
|
80
|
-
const fresh = await identityService.getWorkloadAccessToken({
|
|
81
|
-
agentId,
|
|
82
|
-
userToken: session.userToken,
|
|
83
|
-
sub: session.sub,
|
|
84
|
-
});
|
|
85
|
-
await setTIPToken(storeDir, sessionKey, fresh);
|
|
86
|
-
tip = fresh;
|
|
87
|
-
}
|
|
88
|
-
catch (err) {
|
|
89
|
-
logger?.debug?.(`[identity status] TIP refresh failed: ${err.message}`);
|
|
90
|
-
}
|
|
91
|
-
}
|
|
72
|
+
: undefined;
|
|
73
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
92
74
|
const credentials = await loadCredentials(storeDir, sessionKey);
|
|
93
75
|
const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
|
|
94
76
|
const tipChain = tip
|
|
@@ -117,22 +99,24 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
117
99
|
const session = await getSession(storeDir, sessionKey);
|
|
118
100
|
const hasValidCred = session && identityService.parseUserToken(session.userToken).valid;
|
|
119
101
|
if (hasValidCred && session) {
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
102
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
103
|
+
const tipRefreshOptions = deps.getOidcConfigForRefresh
|
|
104
|
+
? {
|
|
105
|
+
identityService,
|
|
106
|
+
getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
|
|
107
|
+
configWorkloadName: deps.configWorkloadName,
|
|
108
|
+
ctxAgentId,
|
|
109
|
+
logger,
|
|
110
|
+
}
|
|
111
|
+
: undefined;
|
|
112
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
113
|
+
if (tip) {
|
|
128
114
|
return { kind: "already_logged_in", sub: session.sub };
|
|
129
115
|
}
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
};
|
|
135
|
-
}
|
|
116
|
+
return {
|
|
117
|
+
kind: "error",
|
|
118
|
+
message: "Session valid but TIP refresh failed. Ensure userToken is valid or refresh token is available.",
|
|
119
|
+
};
|
|
136
120
|
}
|
|
137
121
|
try {
|
|
138
122
|
const oidcConfig = await getOidcConfig();
|
|
@@ -146,11 +130,11 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
146
130
|
scope: oidcConfig.scope ?? "openid profile email",
|
|
147
131
|
state,
|
|
148
132
|
});
|
|
149
|
-
logger
|
|
133
|
+
logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
150
134
|
return { kind: "auth_url", authUrl };
|
|
151
135
|
}
|
|
152
136
|
catch (err) {
|
|
153
|
-
logger
|
|
137
|
+
logWarn(logger, `login error: ${String(err)}`);
|
|
154
138
|
return {
|
|
155
139
|
kind: "error",
|
|
156
140
|
message: `${err.message}. Ensure userpool is configured (discoveryUrl+clientId+callbackUrl or userPoolName+clientName+callbackUrl).`,
|
|
@@ -159,7 +143,7 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
159
143
|
}
|
|
160
144
|
export async function runLogout(deps, sessionKey) {
|
|
161
145
|
const { storeDir, logger } = deps;
|
|
162
|
-
logger
|
|
146
|
+
logDebug(logger, `logout sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
163
147
|
await deleteSession(storeDir, sessionKey);
|
|
164
148
|
const tokens = await loadTIPTokens(storeDir);
|
|
165
149
|
delete tokens[sessionKey];
|
|
@@ -184,7 +168,7 @@ export async function runListCredentials(deps, sessionKey, page = 1) {
|
|
|
184
168
|
totalCount = result.TotalCount ?? 0;
|
|
185
169
|
}
|
|
186
170
|
catch (e) {
|
|
187
|
-
logger
|
|
171
|
+
logWarn(logger, `list-credentials API error: ${String(e)}`);
|
|
188
172
|
}
|
|
189
173
|
}
|
|
190
174
|
const providerNames = new Set(providers.map((p) => p.Name));
|
|
@@ -248,7 +232,7 @@ export async function runListTips(deps) {
|
|
|
248
232
|
tips.push({
|
|
249
233
|
sessionKey: key,
|
|
250
234
|
sub: entry.sub,
|
|
251
|
-
chain: chain ? [chain.principalId, ...chain.actors] : [],
|
|
235
|
+
chain: chain ? [chain.principalId, ...chain.actors.slice().reverse()] : [],
|
|
252
236
|
expiresAt: entry.expiresAt,
|
|
253
237
|
ttlSec: Math.floor((entry.expiresAt - now) / 1000),
|
|
254
238
|
});
|
|
@@ -287,7 +271,9 @@ export async function runConfig(deps) {
|
|
|
287
271
|
}
|
|
288
272
|
if (cfg.authz) {
|
|
289
273
|
out.authz = {
|
|
290
|
-
|
|
274
|
+
toolCheck: cfg.authz.toolCheck,
|
|
275
|
+
skillReadCheck: cfg.authz.skillReadCheck,
|
|
276
|
+
requireRiskApproval: cfg.authz.requireRiskApproval,
|
|
291
277
|
namespaceName: cfg.authz.namespaceName,
|
|
292
278
|
};
|
|
293
279
|
}
|
|
@@ -316,7 +302,17 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
316
302
|
// keep default
|
|
317
303
|
}
|
|
318
304
|
}
|
|
319
|
-
const
|
|
305
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
306
|
+
const tipRefreshOptions = deps.getOidcConfigForRefresh
|
|
307
|
+
? {
|
|
308
|
+
identityService: deps.identityService,
|
|
309
|
+
getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
|
|
310
|
+
configWorkloadName: deps.configWorkloadName,
|
|
311
|
+
ctxAgentId,
|
|
312
|
+
logger: deps.logger,
|
|
313
|
+
}
|
|
314
|
+
: undefined;
|
|
315
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
320
316
|
if (!tip) {
|
|
321
317
|
return {
|
|
322
318
|
kind: "error",
|
|
@@ -354,7 +350,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
354
350
|
return { kind: "success", message: `✓ Credential for \`${provider}\` added (direct token).` };
|
|
355
351
|
}
|
|
356
352
|
if (oauthResult.authorizationUrl) {
|
|
357
|
-
logger
|
|
353
|
+
logInfo(logger, `fetch returning auth URL for provider=${provider}, starting poll`);
|
|
358
354
|
const target = deliveryTarget ?? sessionKey;
|
|
359
355
|
pollOAuthAndNotify({
|
|
360
356
|
identityClient,
|
|
@@ -369,7 +365,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
369
365
|
sendCredentialMessage,
|
|
370
366
|
logger,
|
|
371
367
|
}).catch((err) => {
|
|
372
|
-
logger
|
|
368
|
+
logWarn(logger, `fetch poll error: ${String(err)}`);
|
|
373
369
|
void sendCredentialMessage?.(target, `⚠️ Credential fetch failed: ${err.message}`).catch(() => { });
|
|
374
370
|
});
|
|
375
371
|
return {
|
|
@@ -384,7 +380,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
384
380
|
};
|
|
385
381
|
}
|
|
386
382
|
catch (err) {
|
|
387
|
-
logger
|
|
383
|
+
logWarn(logger, `fetch error: ${String(err)}`);
|
|
388
384
|
return {
|
|
389
385
|
kind: "error",
|
|
390
386
|
message: `Credential setup failed: ${err.message}`,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAWxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAioBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA9e3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAufpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA1frC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAmgBpE"}
|
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
*/
|
|
5
5
|
import { runStatus, runLogin, runLogout, runListCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
|
|
6
6
|
import { deriveSessionKey, deriveDeliveryTargetFromContext, } from "../utils/derive-session-key.js";
|
|
7
|
+
import { logDebug } from "../utils/logger.js";
|
|
7
8
|
import { diagnoseRisk } from "../risk/diagnose-risk.js";
|
|
8
9
|
import { getRiskPatterns } from "../risk/classify-risk.js";
|
|
9
10
|
import * as toolApprovalStore from "../store/tool-approval-store.js";
|
|
@@ -142,7 +143,7 @@ function createIdentityHandler(deps) {
|
|
|
142
143
|
const { logger } = deps;
|
|
143
144
|
return async (ctx) => {
|
|
144
145
|
const { sub, rest } = parseSubcommand(ctx.args);
|
|
145
|
-
logger
|
|
146
|
+
logDebug(logger, `command sub=${sub} rest=${rest.slice(0, 40)}...`);
|
|
146
147
|
const sessionKey = deriveSessionKey({
|
|
147
148
|
channel: ctx.channel,
|
|
148
149
|
senderId: ctx.senderId,
|
|
@@ -2,8 +2,7 @@
|
|
|
2
2
|
* before_agent_start hook: fetch TIP token for main agent only.
|
|
3
3
|
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
4
|
* 2. Subagent: skip (TIP comes from sessions_send propagation)
|
|
5
|
-
* 3. Main:
|
|
6
|
-
* 4. On token expired: refresh userToken via refresh_token grant, retry
|
|
5
|
+
* 3. Main: getOrRefreshTIPToken (fetches TIP, refreshes userToken if expired)
|
|
7
6
|
*/
|
|
8
7
|
import type { IdentityService } from "../services/identity-service.js";
|
|
9
8
|
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAcpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2B/C"}
|
|
@@ -2,22 +2,23 @@
|
|
|
2
2
|
* before_agent_start hook: fetch TIP token for main agent only.
|
|
3
3
|
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
4
|
* 2. Subagent: skip (TIP comes from sessions_send propagation)
|
|
5
|
-
* 3. Main:
|
|
6
|
-
* 4. On token expired: refresh userToken via refresh_token grant, retry
|
|
5
|
+
* 3. Main: getOrRefreshTIPToken (fetches TIP, refreshes userToken if expired)
|
|
7
6
|
*/
|
|
8
|
-
import {
|
|
7
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
8
|
+
import { logWarn } from "../utils/logger.js";
|
|
9
9
|
import { loadCredentialEnvBindings } from "../store/credential-env-bindings.js";
|
|
10
10
|
import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
|
|
11
|
-
import { getSession } from "../store/session-store.js";
|
|
12
|
-
import { getTIPToken } from "../store/tip-store.js";
|
|
13
|
-
import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
|
|
14
11
|
import { isSubagentSessionKey } from "../utils/derive-session-key.js";
|
|
15
|
-
function isTokenExpiredError(err) {
|
|
16
|
-
const msg = err instanceof Error ? err.message : String(err);
|
|
17
|
-
return /token has expired|Invalid token/i.test(msg);
|
|
18
|
-
}
|
|
19
12
|
export function createBeforeAgentStartHandler(deps) {
|
|
20
13
|
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, logger } = deps;
|
|
14
|
+
const tipRefreshOptions = getOidcConfigForRefresh
|
|
15
|
+
? {
|
|
16
|
+
identityService,
|
|
17
|
+
getOidcConfigForRefresh,
|
|
18
|
+
configWorkloadName,
|
|
19
|
+
logger,
|
|
20
|
+
}
|
|
21
|
+
: undefined;
|
|
21
22
|
return async (_event, ctx) => {
|
|
22
23
|
const sessionKey = ctx.sessionKey;
|
|
23
24
|
if (!sessionKey)
|
|
@@ -39,46 +40,14 @@ export function createBeforeAgentStartHandler(deps) {
|
|
|
39
40
|
/* best-effort */
|
|
40
41
|
}
|
|
41
42
|
try {
|
|
42
|
-
const
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
if (!session)
|
|
43
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions
|
|
44
|
+
? { ...tipRefreshOptions, ctxAgentId: ctx.agentId }
|
|
45
|
+
: undefined);
|
|
46
|
+
if (!tip)
|
|
47
47
|
return;
|
|
48
|
-
try {
|
|
49
|
-
await fetchAndStoreTIP({
|
|
50
|
-
storeDir,
|
|
51
|
-
sessionKey,
|
|
52
|
-
identityService,
|
|
53
|
-
jwtForExchange: session.userToken,
|
|
54
|
-
sub: session.sub,
|
|
55
|
-
ctxAgentId: ctx.agentId,
|
|
56
|
-
configWorkloadName,
|
|
57
|
-
});
|
|
58
|
-
logger.info?.(`agent-identity: TIP acquired for ${sessionKey.slice(0, 24)}...`);
|
|
59
|
-
}
|
|
60
|
-
catch (err) {
|
|
61
|
-
if (!isTokenExpiredError(err) || !getOidcConfigForRefresh || !session.refreshToken) {
|
|
62
|
-
throw err;
|
|
63
|
-
}
|
|
64
|
-
const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
|
|
65
|
-
if (!refreshed)
|
|
66
|
-
throw err;
|
|
67
|
-
session = (await getSession(storeDir, sessionKey)) ?? session;
|
|
68
|
-
await fetchAndStoreTIP({
|
|
69
|
-
storeDir,
|
|
70
|
-
sessionKey,
|
|
71
|
-
identityService,
|
|
72
|
-
jwtForExchange: refreshed,
|
|
73
|
-
sub: session.sub,
|
|
74
|
-
ctxAgentId: ctx.agentId,
|
|
75
|
-
configWorkloadName,
|
|
76
|
-
});
|
|
77
|
-
logger.info?.(`agent-identity: TIP acquired after refresh for ${sessionKey.slice(0, 24)}...`);
|
|
78
|
-
}
|
|
79
48
|
}
|
|
80
49
|
catch (err) {
|
|
81
|
-
logger
|
|
50
|
+
logWarn(logger, `failed to get TIP for ${sessionKey}: ${String(err)}`);
|
|
82
51
|
}
|
|
83
52
|
};
|
|
84
53
|
}
|
|
@@ -7,6 +7,8 @@
|
|
|
7
7
|
* @see https://github.com/volcengine/veadk-python/blob/main/veadk/tools/builtin_tools/agent_authorization.py
|
|
8
8
|
*/
|
|
9
9
|
import type { IdentityClientInterface } from "../services/identity-client.js";
|
|
10
|
+
import type { IdentityService } from "../services/identity-service.js";
|
|
11
|
+
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
10
12
|
import type { PluginConfig } from "../types.js";
|
|
11
13
|
export type BeforeToolCallDeps = {
|
|
12
14
|
storeDir: string;
|
|
@@ -20,9 +22,13 @@ export type BeforeToolCallDeps = {
|
|
|
20
22
|
};
|
|
21
23
|
/** Send message to session (Channel only). For sync approval flow. */
|
|
22
24
|
sendToSession?: (targetOrSessionKey: string, text: string) => Promise<void>;
|
|
23
|
-
/** Authz config
|
|
25
|
+
/** Authz config. */
|
|
24
26
|
authz?: PluginConfig["authz"];
|
|
25
27
|
approvalTtlMs: number;
|
|
28
|
+
/** When set, attempt TIP refresh when expired (uses session refresh_token). */
|
|
29
|
+
identityService?: IdentityService;
|
|
30
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
31
|
+
configWorkloadName?: string;
|
|
26
32
|
};
|
|
27
33
|
export declare function createBeforeToolCallHandler(deps: BeforeToolCallDeps): (event: {
|
|
28
34
|
toolName: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IA6BhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}
|