@m1a0rz/agent-identity 0.2.0 → 0.2.2

package/dist/src/utils/derive-session-key.js

@@ -1,6 +1,17 @@
-/**
- * Derive sessionKey and agentId from command context.
- * Logic aligned with OpenClaw routing buildAgentPeerSessionKey.
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 const DEFAULT_AGENT_ID = "main";
 const DEFAULT_ACCOUNT_ID = "default";

package/dist/src/utils/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/utils/logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,UAAU,oBAAoB,CAAC;AAE5C,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAMF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE5E;AAED,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE3E;AAED,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE3E;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE5E"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/utils/logger.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,eAAO,MAAM,UAAU,oBAAoB,CAAC;AAE5C,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAMF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE5E;AAED,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE3E;AAED,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE3E;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAE5E"}

package/dist/src/utils/logger.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 /**
  * Unified logging for agent-identity plugin.
  * Prefix: agent-identity:

package/dist/src/utils/parse-available-skills.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parse-available-skills.d.ts","sourceRoot":"","sources":["../../../src/utils/parse-available-skills.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAc1F"}
+{"version":3,"file":"parse-available-skills.d.ts","sourceRoot":"","sources":["../../../src/utils/parse-available-skills.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAc1F"}

package/dist/src/utils/parse-available-skills.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 /**
  * Parse <available_skills> from system prompt to build path -> skill name mapping.
  * Format: <available_skills><skill><name>...</name><location>...</location></skill></available_skills>

package/dist/src/utils/token-errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAGzD"}
+{"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAGzD"}

package/dist/src/utils/token-errors.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 /**
  * Shared token error detection for refresh flows.
  */

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "agent-identity",
   "name": "Agent Identity",
-  "description": "UserPool (用户池) login, TIP token (工作负载令牌 GetWorkloadAccessTokenForJWT), credential 3LO (凭据托管), session management. Integrates with Volcengine 智能体身份和权限管理平台. Credentials from config, env, or file; STS AssumeRole supported.",
+  "description": "UserPool (用户池) login, TIP token (工作负载令牌 GetWorkloadAccessTokenForJWT), credential 3LO (凭据托管), session management, optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台. Credentials from config, env, or file; STS AssumeRole supported.",
   "skills": ["./skills"],
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@m1a0rz/agent-identity",
-  "version": "0.2.0",
-  "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
+  "version": "0.2.2",
+  "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills/SKILL.md

@@ -1,8 +1,8 @@
 ---
 name: identity
 description: |
-  UserPool login, TIP token, credential hosting, and tool risk approval. Activate when user needs to check identity (whoami/status), log in, list/add credentials, manage env bindings, or diagnose/approve risky tool calls.
-  Also activates for: 用户说登录、查身份、获取凭据、添加/配置API密钥、绑定环境变量、审批工具调用、风险检查.
+  UserPool login, TIP token, credential hosting, and tool risk approval. Activate when user needs to check identity (whoami/status), log in, list/add credentials, manage env bindings, configure the plugin, or diagnose/approve risky tool calls.
+  Also activates for: 用户说登录、查身份、获取凭据、添加/配置API密钥、绑定环境变量、配置插件、审批工具调用、风险检查.
 metadata:
   {
     "openclaw":
@@ -53,6 +53,7 @@ Use the agent-identity plugin for UserPool OIDC login (入站授权), TIP token
 | `identity_list_credentials` | `page?`                                        | List providers and credentials (paginated) |
 | `identity_list_tips`        | —                                              | List valid TIP tokens and bindings         |
 | `identity_config`           | —                                              | Show plugin config (secrets redacted)      |
+| `identity_config_suggest`  | `intent?`, `lang?`                             | Generate config snippets for openclaw.json |
 | `identity_fetch`            | `provider`, `flow?`, `redirectUrl?`, `scopes?` | Add credential                             |
 | `identity_set_binding`      | `provider`, `envVar`                           | Bind provider → env var for tool injection |
 | `identity_unset_binding`    | `provider`                                     | Remove env binding                         |
@@ -204,6 +205,21 @@ Returns built-in dangerous command patterns and sensitive paths. No params. Use
 {}
 ```
 
+### identity_config_suggest
+
+Generates config snippets for the agent-identity plugin. **Call when:** user asks to configure identity, login, authz, risk approval, or "如何配置 identity 插件", "帮我配置登录", "怎么开启权限检查".
+
+| Param   | Type   | Required | Description                                                                 |
+| ------- | ------ | -------- | --------------------------------------------------------------------------- |
+| `intent`| string | No       | `identity` (AK/SK), `userpool` (OIDC login), `authz` (permission/approval), `llm_risk` (LLM re-eval), `full` (all). Default: full |
+| `lang`  | string | No       | `en` or `zh` for instructions. Default: en                                  |
+
+Returns: `configPath`, `config` (JSON to merge), `instructions`, `nextSteps`. When `intent` is `identity` or `full`, also returns `identityDefaults` (env vars, credential resolution order, config defaults, credential file format). User must manually add to openclaw.json and restart gateway.
+
+```json
+{ "intent": "userpool", "lang": "zh" }
+```
+
 ## Workflow: Adding a Credential
 
 1. **Check login**: `identity_whoami` (brief) or `identity_status` (full). If not logged in, use `identity_login` first (user opens auth URL).