@m1a0rz/agent-identity 0.2.1 → 0.2.2

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README-cn.md

@@ -102,30 +102,36 @@ openclaw plugins install --link .
 
 **A. 平台侧访问配置（Identity）**：用于获取 TIP Token、拉取/托管凭据、做权限校验（可选）。
 
-- `endpoint`：Identity API 地址（例如 `https://id.cn-beijing.volcengineapi.com`）
-- `accessKeyId` / `secretAccessKey`：用于访问 Identity API（也可通过环境变量或凭据文件方式提供）
-- `workloadPoolName` / `workloadName`：用于签发 TIP Token
-- `audience` / `durationSeconds`：可选，令牌受众与有效期
+- `endpoint`：Identity API 地址（例如 `https://id.cn-beijing.volcengineapi.com`）。不填时使用默认值。
+- `accessKeyId` / `secretAccessKey`：用于访问 Identity API。**可选**，可使用环境变量或凭据文件（见下）。
+- `workloadPoolName` / `workloadName`：用于签发 TIP Token。默认：`default`、`openclaw-agent`。
+- `audience` / `durationSeconds`：可选，令牌受众与有效期。
+- `credentialsFile`：凭据 JSON 文件路径。默认：`VOLCENGINE_CREDENTIALS_FILE` 环境变量或 `/var/run/secrets/iam/credential`。
+- `roleTrn`：STS AssumeRole 的 Role TRN。设置后不传 workload name，后端使用 roleName。
+- `sessionToken`：STS 会话令牌（或使用 `VOLCENGINE_SESSION_TOKEN` 环境变量）。
+
+**凭据解析顺序**（AK/SK）：1）显式 config → 2）环境变量（`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`）→ 3）凭据文件（config 的 `credentialsFile`，或 `VOLCENGINE_CREDENTIALS_FILE` 环境变量，或 `/var/run/secrets/iam/credential`）。凭据文件格式（VeFaaS）：`access_key_id`、`secret_access_key`、`session_token`（可选）、`role_trn`（可选，用于 AssumeRole）。`RUNTIME_IAM_ROLE_TRN` 环境变量可在从文件加载时提供 role TRN。
 
 **B. 用户登录配置（UserPool / OIDC）**：用于 `/identity login` 的用户登录与会话建立。
 
 - `discoveryUrl`（或 `userPoolName` + `clientName` 动态解析模式）
 - `clientId` / `clientSecret`（动态模式下可自动解析）
-- `callbackUrl`：OpenClaw 网关对外可访问的回调地址，例如 `http://127.0.0.1:18789/identity/oauth/callback"`
+- `callbackUrl`：OpenClaw 网关对外可访问的回调地址，例如 `http://127.0.0.1:18789/identity/oauth/callback`
 - `scope`：一般包含 `openid profile email`
 
-**C. 工具调用权限与风险审批（AuthZ，可选）**：用于 `before_tool_call` 时的 TIP + CheckPermission + 风险评估与用户审批。
+**C. 工具调用权限与风险审批（AuthZ，可选）**：用于 `before_tool_call` 时的 TIP + CheckPermission + 风险评估与用户审批。各开关独立，无统一 `enable`。
 
-- `enable`：是否启用 AuthZ（TIP、CheckPermission、风险审批），默认 false
-- `namespaceName`：CheckPermission Cedar 策略命名空间，默认 `default`
-- `lowRiskBypass`：内置低风险工具是否跳过 TIP+CheckPermission，默认 true
-- `lowRiskTools`：额外视为低风险的工具名列表
-- `requireRiskApproval`：高风险工具调用是否需用户审批，默认 true
-- `enableLlmRiskCheck`：规则返回 medium 时是否用 LLM 二次评估，默认 false
-- `llmRiskCheck`：LLM 配置（`endpoint`、`api`、`model`、`apiKey`、`timeoutMs`、`cacheTtlMs`）。`enableLlmRiskCheck` 为 true 时必填
-- `approvalTtlSeconds`：审批链接/命令的 TTL（秒），默认 300
+- `toolCheck`：对工具调用执行 CheckPermission（resource type tool）。默认 false。
+- `skillReadCheck`：对 SKILL.md 读取执行 CheckPermission（resource type skill）。解析 system prompt 中的 available_skills。默认 false。
+- `requireRiskApproval`：高风险工具调用需用户审批。默认 false。
+- `namespaceName`：CheckPermission Cedar 策略命名空间。默认 `default`。
+- `lowRiskBypass`：内置低风险工具是否跳过 TIP+CheckPermission。默认 true。
+- `lowRiskTools`：额外视为低风险的工具名列表。
+- `enableLlmRiskCheck`：规则返回 medium 时是否用 LLM 二次评估。默认 false。
+- `llmRiskCheck`：LLM 配置（`endpoint`、`api`、`model`、`apiKey`、`timeoutMs`、`cacheTtlMs`）。`enableLlmRiskCheck` 为 true 时必填。
+- `approvalTtlSeconds`：审批链接/命令的 TTL（秒）。默认 300。
 
-**预期结果**：配置完成后，插件可正常发起登录、获取 TIP Token。启用 AuthZ 后，高风险工具调用需用户通过 `/identity approve <approval_id>` 审批通过后才能执行。
+**预期结果**：配置完成后，插件可正常发起登录、获取 TIP Token。开启 AuthZ 相关开关后，工具/skill 权限检查与高风险审批生效；使用 `/identity approve <approval_id>` 审批被拦截的调用。
 
 ---
 
@@ -139,12 +145,8 @@ openclaw plugins install --link .
         "config": {
           "identity": {
             "endpoint": "https://id.cn-beijing.volcengineapi.com",
-            "accessKeyId": "<your-ak>",
-            "secretAccessKey": "<your-sk>",
             "workloadPoolName": "default",
-            "workloadName": "openclaw-agent",
-            "audience": ["asi-gateway"],
-            "durationSeconds": 3600
+            "workloadName": "openclaw-agent"
           },
           "userpool": {
             "discoveryUrl": "https://userpool-xxx.userpool.auth.id.cn-beijing.volces.com",
@@ -154,14 +156,13 @@ openclaw plugins install --link .
             "scope": "openid profile email"
           },
           "authz": {
-            "enable": false,
+            "toolCheck": false,
+            "skillReadCheck": false,
+            "requireRiskApproval": false,
             "namespaceName": "default",
+            "lowRiskBypass": true,
             "enableLlmRiskCheck": false,
-            "llmRiskCheck": {
-              "endpoint": "http://localhost:11434",
-              "api": "ollama",
-              "model": "qwen3:8b"
-            }
+            "approvalTtlSeconds": 300
           }
         }
       }
@@ -170,6 +171,8 @@ openclaw plugins install --link .
 }
 ```
 
+**Identity 凭据**：省略 `accessKeyId`/`secretAccessKey` 时，使用环境变量（`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`）或凭据文件（`VOLCENGINE_CREDENTIALS_FILE` 或 `/var/run/secrets/iam/credential`）。
+
 ### identity 配置（必填与可选）
 
 | 参数 | 类型 | 必填 | 含义 |
@@ -187,6 +190,8 @@ openclaw plugins install --link .
 
 \* AK/SK 至少通过 `accessKeyId`+`secretAccessKey`、环境变量或 `credentialsFile` 之一提供。
 
+**环境变量**：`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`、`VOLCENGINE_CREDENTIALS_FILE`、`RUNTIME_IAM_ROLE_TRN`（从文件加载时用于 AssumeRole）。
+
 ### userpool 配置（OIDC 登录）
 
 **Explicit 模式**（必填）：`discoveryUrl`、`clientId`、`clientSecret`、`callbackUrl`、`scope`
@@ -195,15 +200,19 @@ openclaw plugins install --link .
 
 OAuth2 credential fetch 使用控制台配置的 redirect URL 和 scopes。可通过 `/identity fetch <provider> --redirectUrl` 和 `--scopes` 覆盖。
 
-### authz 配置（可选，默认关闭）
+### authz 配置（可选，各开关独立）
 
 | 参数 | 类型 | 含义 |
 |------|------|------|
-| `enable` | boolean | 是否启用 TIP + CheckPermission + 风险审批，默认 false |
-| `namespaceName` | string | CheckPermission 命名空间，默认 `default` |
-| `requireRiskApproval` | boolean | 高风险工具调用需用户审批，默认 true |
-| `enableLlmRiskCheck` | boolean | 规则返回 medium 时用 LLM 二次评估，默认 false |
-| `llmRiskCheck` | object | LLM 配置：`endpoint`、`api`、`model` 等 |
+| `toolCheck` | boolean | 对工具调用执行 CheckPermission（resource type tool）。默认 false。 |
+| `skillReadCheck` | boolean | 对 SKILL.md 读取执行 CheckPermission（resource type skill）。默认 false。 |
+| `requireRiskApproval` | boolean | 高风险工具调用需用户审批。默认 false。 |
+| `namespaceName` | string | CheckPermission Cedar 命名空间。默认 `default`。 |
+| `lowRiskBypass` | boolean | 内置低风险工具是否跳过 TIP+CheckPermission。默认 true。 |
+| `lowRiskTools` | string[] | 额外视为低风险的工具名列表。 |
+| `enableLlmRiskCheck` | boolean | 规则返回 medium 时用 LLM 二次评估。默认 false。 |
+| `llmRiskCheck` | object | LLM 配置：`endpoint`、`api`、`model` 等。`enableLlmRiskCheck` 为 true 时必填。 |
+| `approvalTtlSeconds` | number | 审批 TTL（秒）。默认 300。 |
 
 ### 工作负载与 TIP
 
@@ -232,6 +241,7 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为：
 - **identity_list_credentials** - 列出 provider 和凭据（分页）
 - **identity_list_tips** - 列出有效 TIP 令牌和绑定
 - **identity_config** - 显示插件配置（脱敏）
+- **identity_config_suggest** - 生成 openclaw.json 配置片段（intent、lang）
 - **identity_fetch** - 添加凭据（provider、flow?、redirectUrl?、scopes?）
 - **identity_set_binding** - 绑定 provider → 环境变量
 - **identity_unset_binding** - 移除环境变量绑定

package/README.md

@@ -102,30 +102,36 @@ The plugin typically needs three types of config:
 
 **A. Platform access (Identity)**: For TIP Token, credential fetch/hosting, and optional permission checks.
 
-- `endpoint`: Identity API URL (e.g. `https://id.cn-beijing.volcengineapi.com`)
-- `accessKeyId` / `secretAccessKey`: For Identity API access (or via env vars / credentials file)
-- `workloadPoolName` / `workloadName`: For issuing TIP Token
-- `audience` / `durationSeconds`: Optional, token audience and validity
+- `endpoint`: Identity API URL (e.g. `https://id.cn-beijing.volcengineapi.com`). Default when omitted.
+- `accessKeyId` / `secretAccessKey`: For Identity API access. **Optional** when using env vars or credential file (see below).
+- `workloadPoolName` / `workloadName`: For issuing TIP Token. Defaults: `default`, `openclaw-agent`.
+- `audience` / `durationSeconds`: Optional, token audience and validity.
+- `credentialsFile`: Path to credential JSON. Default: `VOLCENGINE_CREDENTIALS_FILE` env or `/var/run/secrets/iam/credential`.
+- `roleTrn`: Role TRN for STS AssumeRole. When set, workload name is omitted; backend uses roleName.
+- `sessionToken`: STS session token (or use `VOLCENGINE_SESSION_TOKEN` env).
+
+**Credential resolution order** (AK/SK): 1) Explicit config → 2) Env vars (`VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`) → 3) Credential file (`credentialsFile` config, or `VOLCENGINE_CREDENTIALS_FILE` env, or `/var/run/secrets/iam/credential`). Credential file format (VeFaaS): `access_key_id`, `secret_access_key`, `session_token` (optional), `role_trn` (optional for AssumeRole). `RUNTIME_IAM_ROLE_TRN` env can supply role TRN when loading from file.
 
 **B. User login (UserPool / OIDC)**: For `/identity login` and session setup.
 
 - `discoveryUrl` (or `userPoolName` + `clientName` for dynamic resolution)
 - `clientId` / `clientSecret` (auto-resolved in dynamic mode)
-- `callbackUrl`: Public callback URL for OpenClaw gateway, e.g. `http://127.0.0.1:18789/identity/oauth/callback"`
+- `callbackUrl`: Public callback URL for OpenClaw gateway, e.g. `http://127.0.0.1:18789/identity/oauth/callback`
 - `scope`: Typically `openid profile email`
 
-**C. Tool call AuthZ and risk approval (optional)**: For TIP + CheckPermission + risk evaluation and user approval in `before_tool_call`.
+**C. Tool call AuthZ and risk approval (optional)**: For TIP + CheckPermission + risk evaluation and user approval in `before_tool_call`. Each flag is independent; no single "enable" switch.
 
-- `enable`: Enable AuthZ (TIP, CheckPermission, risk approval), default false
-- `namespaceName`: CheckPermission Cedar policy namespace, default `default`
-- `lowRiskBypass`: Skip TIP+CheckPermission for built-in low-risk tools, default true
-- `lowRiskTools`: Extra tool names treated as low-risk
-- `requireRiskApproval`: Require user approval for high-risk tool calls, default true
-- `enableLlmRiskCheck`: Use LLM to re-evaluate when rules return medium, default false
-- `llmRiskCheck`: LLM config (`endpoint`, `api`, `model`, `apiKey`, `timeoutMs`, `cacheTtlMs`). Required when `enableLlmRiskCheck` is true
-- `approvalTtlSeconds`: Approval link/command TTL (seconds), default 300
+- `toolCheck`: Run CheckPermission for tools (resource type tool). Default false.
+- `skillReadCheck`: Run CheckPermission for read of SKILL.md (resource type skill). Parses available_skills from system prompt. Default false.
+- `requireRiskApproval`: Require user approval for high-risk tool calls. Default false.
+- `namespaceName`: CheckPermission Cedar policy namespace. Default `default`.
+- `lowRiskBypass`: Skip TIP+CheckPermission for built-in low-risk tools. Default true.
+- `lowRiskTools`: Extra tool names treated as low-risk.
+- `enableLlmRiskCheck`: Use LLM to re-evaluate when rules return medium. Default false.
+- `llmRiskCheck`: LLM config (`endpoint`, `api`, `model`, `apiKey`, `timeoutMs`, `cacheTtlMs`). Required when `enableLlmRiskCheck` is true.
+- `approvalTtlSeconds`: Approval link/command TTL (seconds). Default 300.
 
-**Expected outcome**: After config, the plugin can initiate login and obtain TIP Token. With AuthZ enabled, high-risk tool calls require user approval via `/identity approve <approval_id>` before execution.
+**Expected outcome**: After config, the plugin can initiate login and obtain TIP Token. With AuthZ flags enabled, tool/skill permission checks and high-risk approvals apply; use `/identity approve <approval_id>` to approve blocked calls.
 
 ---
 
@@ -139,12 +145,8 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
         "config": {
           "identity": {
             "endpoint": "https://id.cn-beijing.volcengineapi.com",
-            "accessKeyId": "<your-ak>",
-            "secretAccessKey": "<your-sk>",
             "workloadPoolName": "default",
-            "workloadName": "openclaw-agent",
-            "audience": ["asi-gateway"],
-            "durationSeconds": 3600
+            "workloadName": "openclaw-agent"
           },
           "userpool": {
             "discoveryUrl": "https://userpool-xxx.userpool.auth.id.cn-beijing.volces.com",
@@ -154,14 +156,13 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
             "scope": "openid profile email"
           },
           "authz": {
-            "enable": false,
+            "toolCheck": false,
+            "skillReadCheck": false,
+            "requireRiskApproval": false,
             "namespaceName": "default",
+            "lowRiskBypass": true,
             "enableLlmRiskCheck": false,
-            "llmRiskCheck": {
-              "endpoint": "http://localhost:11434",
-              "api": "ollama",
-              "model": "qwen3:8b"
-            }
+            "approvalTtlSeconds": 300
           }
         }
       }
@@ -170,6 +171,8 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 }
 ```
 
+**Identity credentials**: Omit `accessKeyId`/`secretAccessKey` to use env vars (`VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`) or credential file (`VOLCENGINE_CREDENTIALS_FILE` or `/var/run/secrets/iam/credential`).
+
 ### identity config (required vs optional)
 
 | Param | Type | Required | Description |
@@ -187,6 +190,8 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 
 \* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, or `credentialsFile`.
 
+**Environment variables**: `VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`, `VOLCENGINE_CREDENTIALS_FILE`, `RUNTIME_IAM_ROLE_TRN` (for AssumeRole when loading from file).
+
 ### userpool config (OIDC login)
 
 **Explicit mode** (required): `discoveryUrl`, `clientId`, `clientSecret`, `callbackUrl`, `scope`
@@ -195,15 +200,19 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 
 OAuth2 credential fetch uses control-plane redirect URL and scopes. Override via `/identity fetch <provider> --redirectUrl` and `--scopes`.
 
-### authz config (optional, disabled by default)
+### authz config (optional, each flag independent)
 
 | Param | Type | Description |
 |-------|------|-------------|
-| `enable` | boolean | Enable TIP + CheckPermission + risk approval, default false |
-| `namespaceName` | string | CheckPermission namespace, default `default` |
-| `requireRiskApproval` | boolean | Require user approval for high-risk tools, default true |
-| `enableLlmRiskCheck` | boolean | Re-evaluate with LLM when rules return medium, default false |
-| `llmRiskCheck` | object | LLM config: `endpoint`, `api`, `model`, etc. |
+| `toolCheck` | boolean | Run CheckPermission for tools (resource type tool). Default false. |
+| `skillReadCheck` | boolean | Run CheckPermission for read of SKILL.md (resource type skill). Default false. |
+| `requireRiskApproval` | boolean | Require user approval for high-risk tools. Default false. |
+| `namespaceName` | string | CheckPermission Cedar namespace. Default `default`. |
+| `lowRiskBypass` | boolean | Skip TIP+CheckPermission for built-in low-risk tools. Default true. |
+| `lowRiskTools` | string[] | Extra tool names treated as low-risk. |
+| `enableLlmRiskCheck` | boolean | Re-evaluate with LLM when rules return medium. Default false. |
+| `llmRiskCheck` | object | LLM config: `endpoint`, `api`, `model`, etc. Required when `enableLlmRiskCheck` is true. |
+| `approvalTtlSeconds` | number | Approval TTL (seconds). Default 300. |
 
 ### Workload and TIP
 
@@ -232,6 +241,7 @@ Follow-up messages (login success, credential fetch done) are not delivered when
 - **identity_list_credentials** - List providers and credentials (paginated)
 - **identity_list_tips** - List valid TIP tokens and bindings
 - **identity_config** - Show plugin config (redacted)
+- **identity_config_suggest** - Generate config snippets for openclaw.json (intent, lang)
 - **identity_fetch** - Add credential (provider, flow?, redirectUrl?, scopes?)
 - **identity_set_binding** - Bind provider → env var
 - **identity_unset_binding** - Remove env binding

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA8D7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAqWtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA8D7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAuWtD"}

package/dist/index.js

@@ -1,13 +1,17 @@
-/**
- * Agent Identity Plugin
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * - UserPool login via /identity login (OIDC URL returned directly, no HTTP start endpoint)
- * - Credential hosting: list-credentials, fetch <provider>, set <provider> <envVar>
- * - TIP token via AgentIdentity GetWorkloadAccessTokenForJWT in before_agent_start
- * - TIP/session propagation: before_tool_call (sessions_send params.sessionKey), subagent_spawned (sessions_spawn)
- * - Optional AuthZ in before_tool_call
- * - HTTP callback: /identity/oauth/callback (OIDC login). Credential OAuth uses Identity-provided callback.
- * - Tools: identity_whoami, identity_logout
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
 import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
@@ -218,6 +222,7 @@ export default function register(api) {
     if (dynamicOidcEnabled && getResolvedOidcConfig) {
         api.registerHttpRoute({
             path: "/identity/oauth/callback",
+            auth: "plugin",
             handler: createOIDCCallbackHandlerLazy({
                 storeDir,
                 getOidcConfig: getResolvedOidcConfig,
@@ -236,6 +241,7 @@ export default function register(api) {
         };
         api.registerHttpRoute({
             path: "/identity/oauth/callback",
+            auth: "plugin",
             handler: createOIDCCallbackHandler({
                 storeDir,
                 config: oidcConfig,

package/dist/src/actions/identity-actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAc/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAqDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAWvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,GACf,OAAO,CAAC,qBAAqB,CAAC,CA2EhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA2ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,GACA,OAAO,CAAC,WAAW,CAAC,CAsHtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
+{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAc/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAqDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAWvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,GACf,OAAO,CAAC,qBAAqB,CAAC,CA2EhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA2ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,GACA,OAAO,CAAC,WAAW,CAAC,CAsHtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}

package/dist/src/actions/identity-actions.js

@@ -1,6 +1,17 @@
-/**
- * Shared identity actions: pure logic returning structured data.
- * Used by both commands (format to text) and tools (return jsonResult).
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 import { logDebug, logInfo, logWarn } from "../utils/logger.js";
 import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";

package/dist/src/commands/identity-commands.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAWxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAioBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA9e3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAufpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA1frC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAmgBpE"}
+{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAWxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAioBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA9e3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAufpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA1frC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAmgBpE"}

package/dist/src/commands/identity-commands.js

@@ -1,6 +1,17 @@
-/**
- * Unified /identity command: login, status, logout, list-credentials, fetch, set.
- * UserPool OIDC + credential hosting. Uses shared identity-actions for logic.
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 import { runStatus, runLogin, runLogout, runListCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
 import { deriveSessionKey, deriveDeliveryTargetFromContext, } from "../utils/derive-session-key.js";

package/dist/src/hooks/before-agent-start.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAcpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2B/C"}
+{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAcpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2B/C"}