@m1a0rz/agent-identity 0.1.9 → 0.2.1
- package/README-cn.md +1 -1
- package/README.md +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +31 -5
- package/dist/src/actions/identity-actions.d.ts +3 -0
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +52 -56
- package/dist/src/commands/identity-commands.d.ts.map +1 -1
- package/dist/src/commands/identity-commands.js +2 -1
- package/dist/src/hooks/before-agent-start.d.ts +1 -2
- package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
- package/dist/src/hooks/before-agent-start.js +16 -47
- package/dist/src/hooks/before-tool-call.d.ts +7 -1
- package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
- package/dist/src/hooks/before-tool-call.js +62 -18
- package/dist/src/hooks/llm-input.d.ts +19 -0
- package/dist/src/hooks/llm-input.d.ts.map +1 -0
- package/dist/src/hooks/llm-input.js +20 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts +2 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-send-propagation.js +20 -32
- package/dist/src/hooks/sessions-spawn-propagation.d.ts +3 -1
- package/dist/src/hooks/sessions-spawn-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-spawn-propagation.js +22 -33
- package/dist/src/hooks/subagent-ended-cleanup.d.ts +1 -0
- package/dist/src/hooks/subagent-ended-cleanup.d.ts.map +1 -1
- package/dist/src/hooks/subagent-ended-cleanup.js +3 -2
- package/dist/src/risk/classify-risk.d.ts.map +1 -1
- package/dist/src/risk/classify-risk.js +3 -1
- package/dist/src/risk/llm-risk-check.d.ts.map +1 -1
- package/dist/src/risk/llm-risk-check.js +5 -4
- package/dist/src/services/tip-propagation.d.ts +25 -0
- package/dist/src/services/tip-propagation.d.ts.map +1 -0
- package/dist/src/services/tip-propagation.js +43 -0
- package/dist/src/services/tip-with-refresh.d.ts +24 -0
- package/dist/src/services/tip-with-refresh.d.ts.map +1 -0
- package/dist/src/services/tip-with-refresh.js +68 -0
- package/dist/src/store/skill-path-store.d.ts +10 -0
- package/dist/src/store/skill-path-store.d.ts.map +1 -0
- package/dist/src/store/skill-path-store.js +90 -0
- package/dist/src/tools/identity-approve-tool.d.ts.map +1 -1
- package/dist/src/tools/identity-approve-tool.js +3 -2
- package/dist/src/tools/identity-config-suggest.d.ts +118 -0
- package/dist/src/tools/identity-config-suggest.d.ts.map +1 -0
- package/dist/src/tools/identity-config-suggest.js +167 -0
- package/dist/src/types.d.ts +11 -6
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/logger.d.ts +17 -0
- package/dist/src/utils/logger.d.ts.map +1 -0
- package/dist/src/utils/logger.js +21 -0
- package/dist/src/utils/parse-available-skills.d.ts +6 -0
- package/dist/src/utils/parse-available-skills.d.ts.map +1 -0
- package/dist/src/utils/parse-available-skills.js +19 -0
- package/dist/src/utils/token-errors.d.ts +5 -0
- package/dist/src/utils/token-errors.d.ts.map +1 -0
- package/dist/src/utils/token-errors.js +7 -0
- package/openclaw.plugin.json +14 -8
- package/package.json +2 -2
- package/skills/SKILL.md +21 -5
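--- a/package/README-cn.md
+++ b/package/README-cn.md
@@ -243,7 +243,7 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
 
 - **before_agent_start** - 获取 TIP token;按 credential-env-bindings(按 session)将凭据注入到 `process.env`
 - **subagent_spawned** - 在子 agent 创建时将 TIP 传播到子会话
-- **before_tool_call** - 当 authz.
+- **before_tool_call** - 当 authz.toolCheck、authz.skillReadCheck 或 authz.requireRiskApproval 时可选 AuthZ。TIP + CheckPermission 工具/skill;高风险工具需审批。评估命令/路径风险(规则 + 可选 LLM via authz.enableLlmRiskCheck)。
 
 ## 数据存储
 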
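--- a/package/README.md
+++ b/package/README.md
@@ -243,7 +243,7 @@ Follow-up messages (login success, credential fetch done) are not delivered when
 
 - **before_agent_start** - Fetch TIP token; inject credentials into `process.env` per credential-env-bindings (per-session)
 - **subagent_spawned** - Propagate TIP to child session on subagent spawn
-- **before_tool_call** - Optional AuthZ
+- **before_tool_call** - Optional AuthZ when authz.toolCheck, authz.skillReadCheck, or authz.requireRiskApproval. TIP + CheckPermission for tools/skills; risk approval for high-risk tools. Evaluates user-provided commands/paths (rules + optional LLM via authz.enableLlmRiskCheck).
 
 ## Data Storage
 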
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA8D7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAqWtD"}
|
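--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -11,16 +11,19 @@
 */
 import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
 import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
+import { createLlmInputHandler } from "./src/hooks/llm-input.js";
 import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
 import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
 import { createSubagentEndedCleanupHandler } from "./src/hooks/subagent-ended-cleanup.js";
 import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
+import * as skillPathStore from "./src/store/skill-path-store.js";
 import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
 import { IdentityClient, resolveOIDCConfig, } from "./src/services/identity-client.js";
 import { IdentityService } from "./src/services/identity-service.js";
 import { sendNotificationFeishu } from "./src/services/send-notification-feishu.js";
 import { createIdentityApproveTool } from "./src/tools/identity-approve-tool.js";
 import { createIdentityConfigTool } from "./src/tools/identity-config.js";
+import { createIdentityConfigSuggestTool } from "./src/tools/identity-config-suggest.js";
 import { createIdentityListRiskPatternsTool } from "./src/tools/identity-list-risk-patterns.js";
 import { createIdentityRiskCheckTool } from "./src/tools/identity-risk-check.js";
 import { createIdentityFetchTool } from "./src/tools/identity-fetch.js";
@@ -33,6 +36,7 @@ import { createIdentityStatusTool } from "./src/tools/identity-status.js";
 import { createIdentityUnsetBindingTool } from "./src/tools/identity-unset-binding.js";
 import { createIdentityWhoamiTool } from "./src/tools/identity-whoami.js";
 import { parseSessionKeyToDeliveryTarget, } from "./src/utils/derive-session-key.js";
+import { logInfo, logWarn } from "./src/utils/logger.js";
 const PLUGIN_STORE_DIR = "~/.openclaw/plugins/identity";
 /**
 * Whether Identity should be enabled.
@@ -186,7 +190,7 @@ export default function register(api) {
 ? targetOrSessionKey
 : parseSessionKeyToDeliveryTarget(targetOrSessionKey);
 if (!target) {
-api.logger
+logWarn(api.logger, "Cannot deliver to channel (sessionKey not parseable). Set session.dmScope to per-channel-peer or per-account-channel-peer so approval messages reach Feishu/Telegram/etc.");
 return;
 }
 if (target.channel === "feishu") {
@@ -195,7 +199,7 @@ export default function register(api) {
 await sendNotificationFeishu(cfg, target.to, text, target.accountId);
 }
 catch (err) {
-api.logger
+logWarn(api.logger, `Feishu notification failed (to=${target.to}): ${String(err)}`);
 }
 return;
 }
@@ -257,6 +261,8 @@ export default function register(api) {
 storeDir,
 identityService,
 getOidcConfig: getOidcConfigForCommand,
+getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
+configWorkloadName: identityCfg?.workloadName,
 identityClient: hasIdentity ? identityClient : undefined,
 logger: api.logger,
 pluginConfig,
@@ -264,7 +270,7 @@ export default function register(api) {
 };
 api.registerCommand(createIdentityCommand(identityCommandsDeps));
 api.registerCommand(createIdCommand(identityCommandsDeps));
-api.logger
+logInfo(api.logger, "commands /identity, /id (login, status, logout, list-tips, list-credentials, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
 // Tools (share deps with commands). Optional = only included when agent allowlist explicitly adds them.
 api.registerTool(createIdentityWhoamiTool(identityCommandsDeps), { optional: false });
 api.registerTool(createIdentityLogoutTool(identityCommandsDeps), { optional: false });
@@ -273,6 +279,7 @@ export default function register(api) {
 api.registerTool(createIdentityListCredentialsTool(identityCommandsDeps), { optional: false });
 api.registerTool(createIdentityListTipsTool(identityCommandsDeps), { optional: false });
 api.registerTool(createIdentityConfigTool(identityCommandsDeps), { optional: false });
+api.registerTool(createIdentityConfigSuggestTool(), { optional: false });
 api.registerTool(createIdentityFetchTool(identityCommandsDeps), { optional: false });
 api.registerTool(createIdentitySetBindingTool(identityCommandsDeps), { optional: true });
 api.registerTool(createIdentityUnsetBindingTool(identityCommandsDeps), { optional: true });
@@ -297,6 +304,7 @@ export default function register(api) {
 storeDir,
 identityService,
 configWorkloadName: identityCfg?.workloadName,
+getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
 subagentTipPropagation: identityCfg?.subagentTipPropagation,
 logger: api.logger,
 }));
@@ -304,6 +312,7 @@ export default function register(api) {
 storeDir,
 identityService,
 configWorkloadName: identityCfg?.workloadName,
+getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
 subagentTipPropagation: identityCfg?.subagentTipPropagation,
 logger: api.logger,
 }));
@@ -312,15 +321,32 @@ export default function register(api) {
 logger: api.logger,
 }));
 }
-
+const toolCheck = authz?.toolCheck ?? false;
+const skillReadCheck = authz?.skillReadCheck ?? false;
+const requireRiskApproval = authz?.requireRiskApproval ?? false;
+const hasAuthz = toolCheck || skillReadCheck || requireRiskApproval;
+if (skillReadCheck) {
+api.on("llm_input", createLlmInputHandler({
+enabled: true,
+logger: api.logger,
+}));
+api.on("session_end", (_event, ctx) => {
+if (ctx.sessionId)
+skillPathStore.clearSessionById(ctx.sessionId);
+});
+}
+if (hasAuthz) {
 api.on("before_tool_call", createBeforeToolCallHandler({
 storeDir,
 identityClient: hasIdentity ? identityClient : undefined,
-namespaceName: authz
+namespaceName: authz?.namespaceName ?? "default",
 logger: api.logger,
 sendToSession,
 authz,
 approvalTtlMs,
+identityService: hasIdentity ? identityService : undefined,
+getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
+configWorkloadName: identityCfg?.workloadName,
 }));
 }
 }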
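Review bot: With `authz.toolCheck` or `authz.skillReadCheck` enabled but Identity disabled, the `before_tool_call` handler registered at the end of this section receives `identityClient: undefined` and `identityService: undefined`, and nothing in the hunk shows whether the handler fails closed or silently skips the CheckPermission call in that configuration. If it skips, the operator has turned on a permission check that never runs; a one-line warning at registration would make the misconfiguration visible: `if ((toolCheck || skillReadCheck) && !hasIdentity) logWarn(api.logger, "authz tool/skill checks are enabled but Identity is not configured; CheckPermission will not run");`. Separately, the new `session_end` cleanup only clears `skillPathStore` when `ctx.sessionId` is set, so a session that ends without one keeps its recorded skill paths; a debug log in the missing-id case would at least make that leak observable. `register(api)` begins before the first hunk of this section.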
@@ -5,6 +5,7 @@
|
|
|
5
5
|
import type { OpenClawConfig } from "openclaw/plugin-sdk";
|
|
6
6
|
import type { IdentityClientInterface } from "../services/identity-client.js";
|
|
7
7
|
import type { IdentityService } from "../services/identity-service.js";
|
|
8
|
+
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
8
9
|
import type { PluginConfig } from "../types.js";
|
|
9
10
|
import type { SessionKeyDeliveryTarget } from "../utils/derive-session-key.js";
|
|
10
11
|
import { type CredentialEntry } from "../store/credential-store.js";
|
|
@@ -24,6 +25,8 @@ export type IdentityActionsDeps = {
|
|
|
24
25
|
storeDir: string;
|
|
25
26
|
identityService: IdentityService;
|
|
26
27
|
getOidcConfig: () => Promise<OIDCConfigForCommand>;
|
|
28
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
29
|
+
configWorkloadName?: string;
|
|
27
30
|
identityClient?: IdentityClientInterface;
|
|
28
31
|
logger?: IdentityActionsLogger;
|
|
29
32
|
pluginConfig?: PluginConfig;
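Review bot: The two new optional members of `IdentityActionsDeps` carry no TSDoc, and their absence changes behaviour rather than merely being optional: the consuming actions in identity-actions.js build TIP refresh options only when `getOidcConfigForRefresh` is present, so a caller that omits it gets cached-TIP-only behaviour with no userToken refresh. Suggest `/** Resolves the OIDC config used to refresh an expired userToken; when omitted, actions only read the cached TIP and never attempt a refresh. */` on `getOidcConfigForRefresh`, and `/** Workload name from plugin config, passed through to the TIP refresh helper (presumably the workload the TIP is minted for — confirm against tip-with-refresh.js). */` on `configWorkloadName`. The `IdentityActionsDeps` type starts before this hunk.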
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAc/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;I
AAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAqDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAWvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,GACf,OAAO,CAAC,qBAAqB,CAAC,CA2EhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA2ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN
,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,GACA,OAAO,CAAC,WAAW,CAAC,CAsHtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
|
|
@@ -2,12 +2,14 @@
|
|
|
2
2
|
* Shared identity actions: pure logic returning structured data.
|
|
3
3
|
* Used by both commands (format to text) and tools (return jsonResult).
|
|
4
4
|
*/
|
|
5
|
+
import { logDebug, logInfo, logWarn } from "../utils/logger.js";
|
|
6
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
5
7
|
import { fetchOIDCDiscovery, buildAuthorizationUrl, generateState, } from "../services/oidc-client.js";
|
|
6
8
|
import { loadCredentialEnvBindings, loadAllCredentialEnvBindings, setCredentialEnvBinding, deleteCredentialEnvBinding, } from "../store/credential-env-bindings.js";
|
|
7
9
|
import { loadCredentials, setCredential, getCredential, deleteCredentialsForSession, } from "../store/credential-store.js";
|
|
8
10
|
import { getSession, deleteSession } from "../store/session-store.js";
|
|
9
11
|
import { createState } from "../store/oidc-state-store.js";
|
|
10
|
-
import {
|
|
12
|
+
import { loadTIPTokens, saveTIPTokens } from "../store/tip-store.js";
|
|
11
13
|
import { extractDelegationChainFromJwt } from "../utils/auth.js";
|
|
12
14
|
import { resolveAgentId, } from "../utils/derive-session-key.js";
|
|
13
15
|
function inferFlowFromProvider(info) {
|
|
@@ -49,46 +51,26 @@ async function pollOAuthAndNotify(params) {
|
|
|
49
51
|
}
|
|
50
52
|
}
|
|
51
53
|
catch (err) {
|
|
52
|
-
logger
|
|
54
|
+
logDebug(logger, `fetch poll attempt failed: ${String(err)}`);
|
|
53
55
|
}
|
|
54
56
|
}
|
|
55
57
|
const target = deliveryTarget ?? sessionKey;
|
|
56
58
|
await sendCredentialMessage?.(target, `⚠️ Authorization timed out for \`${provider}\`. Run \`/identity fetch ${provider}\` again.`);
|
|
57
59
|
}
|
|
58
60
|
export async function runStatus(deps, sessionKey, config) {
|
|
59
|
-
const { storeDir, identityService, logger } = deps;
|
|
61
|
+
const { storeDir, identityService, getOidcConfigForRefresh, configWorkloadName, logger } = deps;
|
|
60
62
|
const session = await getSession(storeDir, sessionKey);
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
});
|
|
70
|
-
await setTIPToken(storeDir, sessionKey, fresh);
|
|
71
|
-
tip = fresh;
|
|
72
|
-
}
|
|
73
|
-
catch (err) {
|
|
74
|
-
logger?.debug?.(`[identity status] TIP refresh failed: ${err.message}`);
|
|
63
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
64
|
+
const tipRefreshOptions = getOidcConfigForRefresh
|
|
65
|
+
? {
|
|
66
|
+
identityService,
|
|
67
|
+
getOidcConfigForRefresh,
|
|
68
|
+
configWorkloadName,
|
|
69
|
+
ctxAgentId,
|
|
70
|
+
logger,
|
|
75
71
|
}
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
try {
|
|
79
|
-
const agentId = resolveAgentId({ sessionKey, config: config });
|
|
80
|
-
const fresh = await identityService.getWorkloadAccessToken({
|
|
81
|
-
agentId,
|
|
82
|
-
userToken: session.userToken,
|
|
83
|
-
sub: session.sub,
|
|
84
|
-
});
|
|
85
|
-
await setTIPToken(storeDir, sessionKey, fresh);
|
|
86
|
-
tip = fresh;
|
|
87
|
-
}
|
|
88
|
-
catch (err) {
|
|
89
|
-
logger?.debug?.(`[identity status] TIP refresh failed: ${err.message}`);
|
|
90
|
-
}
|
|
91
|
-
}
|
|
72
|
+
: undefined;
|
|
73
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
92
74
|
const credentials = await loadCredentials(storeDir, sessionKey);
|
|
93
75
|
const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
|
|
94
76
|
const tipChain = tip
|
|
@@ -117,22 +99,24 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
117
99
|
const session = await getSession(storeDir, sessionKey);
|
|
118
100
|
const hasValidCred = session && identityService.parseUserToken(session.userToken).valid;
|
|
119
101
|
if (hasValidCred && session) {
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
102
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
103
|
+
const tipRefreshOptions = deps.getOidcConfigForRefresh
|
|
104
|
+
? {
|
|
105
|
+
identityService,
|
|
106
|
+
getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
|
|
107
|
+
configWorkloadName: deps.configWorkloadName,
|
|
108
|
+
ctxAgentId,
|
|
109
|
+
logger,
|
|
110
|
+
}
|
|
111
|
+
: undefined;
|
|
112
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
113
|
+
if (tip) {
|
|
128
114
|
return { kind: "already_logged_in", sub: session.sub };
|
|
129
115
|
}
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
};
|
|
135
|
-
}
|
|
116
|
+
return {
|
|
117
|
+
kind: "error",
|
|
118
|
+
message: "Session valid but TIP refresh failed. Ensure userToken is valid or refresh token is available.",
|
|
119
|
+
};
|
|
136
120
|
}
|
|
137
121
|
try {
|
|
138
122
|
const oidcConfig = await getOidcConfig();
|
|
@@ -146,11 +130,11 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
146
130
|
scope: oidcConfig.scope ?? "openid profile email",
|
|
147
131
|
state,
|
|
148
132
|
});
|
|
149
|
-
logger
|
|
133
|
+
logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
150
134
|
return { kind: "auth_url", authUrl };
|
|
151
135
|
}
|
|
152
136
|
catch (err) {
|
|
153
|
-
logger
|
|
137
|
+
logWarn(logger, `login error: ${String(err)}`);
|
|
154
138
|
return {
|
|
155
139
|
kind: "error",
|
|
156
140
|
message: `${err.message}. Ensure userpool is configured (discoveryUrl+clientId+callbackUrl or userPoolName+clientName+callbackUrl).`,
|
|
@@ -159,7 +143,7 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
159
143
|
}
|
|
160
144
|
export async function runLogout(deps, sessionKey) {
|
|
161
145
|
const { storeDir, logger } = deps;
|
|
162
|
-
logger
|
|
146
|
+
logDebug(logger, `logout sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
163
147
|
await deleteSession(storeDir, sessionKey);
|
|
164
148
|
const tokens = await loadTIPTokens(storeDir);
|
|
165
149
|
delete tokens[sessionKey];
|
|
@@ -184,7 +168,7 @@ export async function runListCredentials(deps, sessionKey, page = 1) {
|
|
|
184
168
|
totalCount = result.TotalCount ?? 0;
|
|
185
169
|
}
|
|
186
170
|
catch (e) {
|
|
187
|
-
logger
|
|
171
|
+
logWarn(logger, `list-credentials API error: ${String(e)}`);
|
|
188
172
|
}
|
|
189
173
|
}
|
|
190
174
|
const providerNames = new Set(providers.map((p) => p.Name));
|
|
@@ -287,7 +271,9 @@ export async function runConfig(deps) {
|
|
|
287
271
|
}
|
|
288
272
|
if (cfg.authz) {
|
|
289
273
|
out.authz = {
|
|
290
|
-
|
|
274
|
+
toolCheck: cfg.authz.toolCheck,
|
|
275
|
+
skillReadCheck: cfg.authz.skillReadCheck,
|
|
276
|
+
requireRiskApproval: cfg.authz.requireRiskApproval,
|
|
291
277
|
namespaceName: cfg.authz.namespaceName,
|
|
292
278
|
};
|
|
293
279
|
}
|
|
@@ -316,7 +302,17 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
316
302
|
// keep default
|
|
317
303
|
}
|
|
318
304
|
}
|
|
319
|
-
const
|
|
305
|
+
const ctxAgentId = resolveAgentId({ sessionKey, config: config });
|
|
306
|
+
const tipRefreshOptions = deps.getOidcConfigForRefresh
|
|
307
|
+
? {
|
|
308
|
+
identityService: deps.identityService,
|
|
309
|
+
getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
|
|
310
|
+
configWorkloadName: deps.configWorkloadName,
|
|
311
|
+
ctxAgentId,
|
|
312
|
+
logger: deps.logger,
|
|
313
|
+
}
|
|
314
|
+
: undefined;
|
|
315
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
|
|
320
316
|
if (!tip) {
|
|
321
317
|
return {
|
|
322
318
|
kind: "error",
|
|
@@ -354,7 +350,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
354
350
|
return { kind: "success", message: `✓ Credential for \`${provider}\` added (direct token).` };
|
|
355
351
|
}
|
|
356
352
|
if (oauthResult.authorizationUrl) {
|
|
357
|
-
logger
|
|
353
|
+
logInfo(logger, `fetch returning auth URL for provider=${provider}, starting poll`);
|
|
358
354
|
const target = deliveryTarget ?? sessionKey;
|
|
359
355
|
pollOAuthAndNotify({
|
|
360
356
|
identityClient,
|
|
@@ -369,7 +365,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
369
365
|
sendCredentialMessage,
|
|
370
366
|
logger,
|
|
371
367
|
}).catch((err) => {
|
|
372
|
-
logger
|
|
368
|
+
logWarn(logger, `fetch poll error: ${String(err)}`);
|
|
373
369
|
void sendCredentialMessage?.(target, `⚠️ Credential fetch failed: ${err.message}`).catch(() => { });
|
|
374
370
|
});
|
|
375
371
|
return {
|
|
@@ -384,7 +380,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
384
380
|
};
|
|
385
381
|
}
|
|
386
382
|
catch (err) {
|
|
387
|
-
logger
|
|
383
|
+
logWarn(logger, `fetch error: ${String(err)}`);
|
|
388
384
|
return {
|
|
389
385
|
kind: "error",
|
|
390
386
|
message: `Credential setup failed: ${err.message}`,
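Review bot: In the `runLogin` hunk (`@@ -117,22 +99,24 @@`), a session that still parses as valid but whose `getOrRefreshTIPToken` call yields nothing now returns `kind: "error"` and never reaches the IdP authorization flow that follows, so a user whose refresh token has been revoked is stuck until they discover `/identity logout`; either fall through to the `auth_url` path instead of returning, or at least name the remedy: `message: "Session valid but TIP refresh failed. Run /identity logout and then /identity login to re-authenticate."`. Also, none of the new `getOrRefreshTIPToken` calls in `runStatus`, `runLogin` or `runFetch` sit inside a try/catch, whereas the removed `runStatus` code caught refresh errors and only logged them at debug; if the helper can reject (its body is not in this diff), these actions now surface a raw exception to the command layer, so confirm it swallows errors or wrap the call. The same `tipRefreshOptions` literal is built three times in this file, so a small helper would keep the field list in one place.
```javascript
function buildTipRefreshOptions(deps, sessionKey, config) {
    if (!deps.getOidcConfigForRefresh)
        return undefined;
    return {
        identityService: deps.identityService,
        getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
        configWorkloadName: deps.configWorkloadName,
        ctxAgentId: resolveAgentId({ sessionKey, config }),
        logger: deps.logger,
    };
}
// … unchanged: runStatus / runLogin / runFetch bodies, each reduced to …
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, buildTipRefreshOptions(deps, sessionKey, config));
```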
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAWxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAioBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA9e3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAufpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA1frC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAmgBpE"}
|
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
*/
|
|
5
5
|
import { runStatus, runLogin, runLogout, runListCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
|
|
6
6
|
import { deriveSessionKey, deriveDeliveryTargetFromContext, } from "../utils/derive-session-key.js";
|
|
7
|
+
import { logDebug } from "../utils/logger.js";
|
|
7
8
|
import { diagnoseRisk } from "../risk/diagnose-risk.js";
|
|
8
9
|
import { getRiskPatterns } from "../risk/classify-risk.js";
|
|
9
10
|
import * as toolApprovalStore from "../store/tool-approval-store.js";
|
|
@@ -142,7 +143,7 @@ function createIdentityHandler(deps) {
|
|
|
142
143
|
const { logger } = deps;
|
|
143
144
|
return async (ctx) => {
|
|
144
145
|
const { sub, rest } = parseSubcommand(ctx.args);
|
|
145
|
-
logger
|
|
146
|
+
logDebug(logger, `command sub=${sub} rest=${rest.slice(0, 40)}...`);
|
|
146
147
|
const sessionKey = deriveSessionKey({
|
|
147
148
|
channel: ctx.channel,
|
|
148
149
|
senderId: ctx.senderId,
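Review bot: The new debug line `logDebug(logger, \`command sub=${sub} rest=${rest.slice(0, 40)}...\`)` writes the first 40 characters of the raw command arguments to the log, and `/identity fetch` appears to accept a credential inline (identity-actions.js reports `Credential for ... added (direct token)`), so a pasted API token or OAuth code would land in the log file in plaintext even at debug level. Log the shape of the arguments rather than their content: `logDebug(logger, \`command sub=${sub} argLen=${rest.length}\`);`. Whether `rest` is a string or an array is not visible here, but `.length` works for either. `createIdentityHandler` continues beyond this hunk.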
|
|
@@ -2,8 +2,7 @@
|
|
|
2
2
|
* before_agent_start hook: fetch TIP token for main agent only.
|
|
3
3
|
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
4
|
* 2. Subagent: skip (TIP comes from sessions_send propagation)
|
|
5
|
-
* 3. Main:
|
|
6
|
-
* 4. On token expired: refresh userToken via refresh_token grant, retry
|
|
5
|
+
* 3. Main: getOrRefreshTIPToken (fetches TIP, refreshes userToken if expired)
|
|
7
6
|
*/
|
|
8
7
|
import type { IdentityService } from "../services/identity-service.js";
|
|
9
8
|
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAcpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2B/C"}
|
|
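--- a/package/dist/src/hooks/before-agent-start.js
+++ b/package/dist/src/hooks/before-agent-start.js
@@ -2,22 +2,23 @@
 * before_agent_start hook: fetch TIP token for main agent only.
 * 1. Inject credentials into process.env per credential-env-bindings
 * 2. Subagent: skip (TIP comes from sessions_send propagation)
-* 3. Main:
-* 4. On token expired: refresh userToken via refresh_token grant, retry
+* 3. Main: getOrRefreshTIPToken (fetches TIP, refreshes userToken if expired)
 */
-import {
+import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
+import { logWarn } from "../utils/logger.js";
 import { loadCredentialEnvBindings } from "../store/credential-env-bindings.js";
 import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
-import { getSession } from "../store/session-store.js";
-import { getTIPToken } from "../store/tip-store.js";
-import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
 import { isSubagentSessionKey } from "../utils/derive-session-key.js";
-function isTokenExpiredError(err) {
-const msg = err instanceof Error ? err.message : String(err);
-return /token has expired|Invalid token/i.test(msg);
-}
 export function createBeforeAgentStartHandler(deps) {
 const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, logger } = deps;
+const tipRefreshOptions = getOidcConfigForRefresh
+? {
+identityService,
+getOidcConfigForRefresh,
+configWorkloadName,
+logger,
+}
+: undefined;
 return async (_event, ctx) => {
 const sessionKey = ctx.sessionKey;
 if (!sessionKey)
@@ -39,46 +40,14 @@ export function createBeforeAgentStartHandler(deps) {
 /* best-effort */
 }
 try {
-const
-
-
-
-if (!session)
+const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions
+? { ...tipRefreshOptions, ctxAgentId: ctx.agentId }
+: undefined);
+if (!tip)
 return;
-try {
-await fetchAndStoreTIP({
-storeDir,
-sessionKey,
-identityService,
-jwtForExchange: session.userToken,
-sub: session.sub,
-ctxAgentId: ctx.agentId,
-configWorkloadName,
-});
-logger.info?.(`agent-identity: TIP acquired for ${sessionKey.slice(0, 24)}...`);
-}
-catch (err) {
-if (!isTokenExpiredError(err) || !getOidcConfigForRefresh || !session.refreshToken) {
-throw err;
-}
-const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
-if (!refreshed)
-throw err;
-session = (await getSession(storeDir, sessionKey)) ?? session;
-await fetchAndStoreTIP({
-storeDir,
-sessionKey,
-identityService,
-jwtForExchange: refreshed,
-sub: session.sub,
-ctxAgentId: ctx.agentId,
-configWorkloadName,
-});
-logger.info?.(`agent-identity: TIP acquired after refresh for ${sessionKey.slice(0, 24)}...`);
-}
 }
 catch (err) {
-logger
+logWarn(logger, `failed to get TIP for ${sessionKey}: ${String(err)}`);
 }
 };
 }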
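Review bot: The new warn log at new line 50 interpolates the whole `sessionKey`, whereas the info logs this hunk removes (old lines 58 and 77) only ever printed `sessionKey.slice(0, 24)` followed by `...`; keeping the same truncated prefix in the warn message would preserve that practice and still identify the session. If `getOrRefreshTIPToken` rethrows transport errors whose message embeds the token-exchange response body, `String(err)` would put that body in the same log line too, which is worth confirming against the helper. The `if (!tip) return;` at new line 46 means a silent `undefined` from the helper and a thrown error now both leave the agent without a TIP, so a one-line comment there stating that a missing TIP is tolerated (best-effort, matching the `/* best-effort */` remark above) would make the intent explicit, e.g. `// no TIP available (and no refresh possible): continue without it, best-effort`. The body of the returned handler between the two hunks (new lines 25-39) is not shown here.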
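--- a/package/dist/src/hooks/before-tool-call.d.ts
+++ b/package/dist/src/hooks/before-tool-call.d.ts
@@ -7,6 +7,8 @@
 * @see https://github.com/volcengine/veadk-python/blob/main/veadk/tools/builtin_tools/agent_authorization.py
 */
 import type { IdentityClientInterface } from "../services/identity-client.js";
+import type { IdentityService } from "../services/identity-service.js";
+import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
 import type { PluginConfig } from "../types.js";
 export type BeforeToolCallDeps = {
 storeDir: string;
@@ -20,9 +22,13 @@ export type BeforeToolCallDeps = {
 };
 /** Send message to session (Channel only). For sync approval flow. */
 sendToSession?: (targetOrSessionKey: string, text: string) => Promise<void>;
-/** Authz config
+/** Authz config. */
 authz?: PluginConfig["authz"];
 approvalTtlMs: number;
+/** When set, attempt TIP refresh when expired (uses session refresh_token). */
+identityService?: IdentityService;
+getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
+configWorkloadName?: string;
 };
 export declare function createBeforeToolCallHandler(deps: BeforeToolCallDeps): (event: {
 toolName: string;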
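Review bot: The doc comment added at new line 28, "When set, attempt TIP refresh when expired", sits above three separate optional fields, so it is unclear whether all of `identityService`, `getOidcConfigForRefresh` and `configWorkloadName` must be supplied for refresh to be attempted or whether one of them is the gate; in the sibling before-agent-start.js the refresh options are only built when `getOidcConfigForRefresh` is present, and the same presumably applies here, but the declaration does not say so. Since this is an emitted declaration file, the wording belongs in the source `BeforeToolCallDeps` type, for example `/** TIP refresh on expiry is attempted only when getOidcConfigForRefresh is set; identityService and configWorkloadName are passed through to the refresh. */` placed on `getOidcConfigForRefresh`, with the other two fields documented individually.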
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IA6BhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}
|