npm - @m1a0rz/agent-identity - Versions diffs - 0.2.3 → 0.2.5 - Mend

@m1a0rz/agent-identity 0.2.3 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/index.js +4 -4
package/dist/src/actions/identity-actions.js +1 -1
package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
package/dist/src/hooks/before-agent-start.js +12 -11
package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
package/dist/src/hooks/before-tool-call.js +3 -1
package/dist/src/services/identity-client.js +1 -1
package/dist/src/services/oidc-client.d.ts +2 -0
package/dist/src/services/oidc-client.d.ts.map +1 -1
package/dist/src/services/oidc-client.js +11 -1
package/dist/src/services/tip-with-refresh.d.ts.map +1 -1
package/dist/src/services/tip-with-refresh.js +5 -5
package/dist/src/store/session-store.d.ts.map +1 -1
package/dist/src/store/session-store.js +15 -1
package/dist/src/tools/identity-config-suggest.d.ts +2 -2
package/dist/src/tools/identity-config-suggest.js +2 -2
package/dist/src/utils/token-errors.d.ts.map +1 -1
package/dist/src/utils/token-errors.js +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -148,7 +148,7 @@ export default function register(api) {
                 userPoolName: userpool.userPoolName,
                 clientName: userpool.clientName,
                 redirectUri: userpool.callbackUrl,
-                scope: userpool.scope,
+                scope: userpool.scope ?? "openid profile email offline_access",
                 autoCreate: userpool.autoCreate ?? true,
             });
             return cached;
@@ -159,7 +159,7 @@ export default function register(api) {
             discoveryUrl: userpool.discoveryUrl,
             clientId: userpool.clientId,
             clientSecret: userpool.clientSecret,
-            scope: userpool.scope,
+            scope: userpool.scope ?? "openid profile email offline_access",
             callbackUrl: userpool.callbackUrl,
         });
     }
@@ -236,7 +236,7 @@ export default function register(api) {
             discoveryUrl: userpool.discoveryUrl,
             clientId: userpool.clientId,
             clientSecret: userpool.clientSecret,
-            scope: userpool.scope,
+            scope: userpool.scope ?? "openid profile email offline_access",
             callbackUrl: userpool.callbackUrl,
         };
         api.registerHttpRoute({
@@ -257,7 +257,7 @@ export default function register(api) {
                 discoveryUrl: userpool.discoveryUrl,
                 clientId: userpool.clientId,
                 clientSecret: userpool.clientSecret,
-                scope: userpool.scope,
+                scope: userpool.scope ?? "openid profile email offline_access",
                 callbackUrl: userpool.callbackUrl,
             })
             : async () => {

package/dist/src/actions/identity-actions.js CHANGED Viewed

@@ -138,7 +138,7 @@ export async function runLogin(deps, sessionKey, options) {
             authorizationEndpoint: discovery.authorization_endpoint,
             clientId: oidcConfig.clientId,
             redirectUri: oidcConfig.callbackUrl,
-            scope: oidcConfig.scope ?? "openid profile email",
+            scope: oidcConfig.scope ?? "openid profile email offline_access",
             state,
         });
         logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);

package/dist/src/hooks/before-agent-start.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,~~IAcpE~~,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,~~CA2B~~/C"}
1	+ {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAapE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA4B/C"}

package/dist/src/hooks/before-agent-start.js CHANGED Viewed

@@ -20,14 +20,14 @@ import { getCredential, resolveCredentialValue } from "../store/credential-store
 import { isSubagentSessionKey } from "../utils/derive-session-key.js";
 export function createBeforeAgentStartHandler(deps) {
     const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, logger } = deps;
-    const tipRefreshOptions = getOidcConfigForRefresh
-        ? {
-            identityService,
-            getOidcConfigForRefresh,
-            configWorkloadName,
-            logger,
-        }
-        : undefined;
+    // Always pass identityService so we can try fetch with session.userToken when TIP is missing/expired.
+    // getOidcConfigForRefresh is only needed for refresh when userToken itself has expired.
+    const tipRefreshOptions = {
+        identityService,
+        getOidcConfigForRefresh,
+        configWorkloadName,
+        logger,
+    };
     return async (_event, ctx) => {
         const sessionKey = ctx.sessionKey;
         if (!sessionKey)
@@ -49,9 +49,10 @@ export function createBeforeAgentStartHandler(deps) {
             /* best-effort */
         }
         try {
-            const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions
-                ? { ...tipRefreshOptions, ctxAgentId: ctx.agentId }
-                : undefined);
+            const tip = await getOrRefreshTIPToken(storeDir, sessionKey, {
+                ...tipRefreshOptions,
+                ctxAgentId: ctx.agentId,
+            });
             if (!tip)
                 return;
         }

package/dist/src/hooks/before-tool-call.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,~~IA6BhE~~,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}
1	+ {"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IA8BhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}

package/dist/src/hooks/before-tool-call.js CHANGED Viewed

@@ -47,7 +47,9 @@ function isSkillReadPath(pathStr) {
 export function createBeforeToolCallHandler(deps) {
     const { storeDir, identityClient, namespaceName = "default", logger, sendToSession, authz, approvalTtlMs, identityService, getOidcConfigForRefresh, configWorkloadName, } = deps;
     const flags = resolveAuthzFlags(authz);
-    const tipRefreshOptions = identityService && getOidcConfigForRefresh
+    // Pass identityService when available so we can try fetch with session.userToken when TIP is missing/expired.
+    // getOidcConfigForRefresh is only needed for refresh when userToken itself has expired.
+    const tipRefreshOptions = identityService
         ? {
             identityService,
             getOidcConfigForRefresh,

package/dist/src/services/identity-client.js CHANGED Viewed

@@ -497,7 +497,7 @@ export class IdentityClient {
  * Returns discoveryUrl, clientId, clientSecret, callbackUrl for OIDC flow.
  */
 export async function resolveOIDCConfig(client, params) {
-    const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
+    const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email offline_access", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
     if (!userPoolName && !userPoolUid) {
         throw new Error("Either userPoolName or userPoolUid must be provided");
     }

package/dist/src/services/oidc-client.d.ts CHANGED Viewed

@@ -6,6 +6,8 @@
  *
  * Reference: veadk auth/middleware/oauth2_auth.py
  */
+/** Default OIDC scope for login. Includes offline_access for refresh_token support. */
+export declare const DEFAULT_OIDC_SCOPE = "openid profile email offline_access";
 export type OIDCDiscovery = {
     issuer: string;
     authorization_endpoint: string;

package/dist/src/services/oidc-client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,GAAG,MAAM,CA0BT;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}
1	+ {"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,uFAAuF;AACvF,eAAO,MAAM,kBAAkB,wCAAwC,CAAC;AAExE,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,GAAG,MAAM,CA0BT;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}

package/dist/src/services/oidc-client.js CHANGED Viewed

@@ -13,6 +13,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+/**
+ * OIDC client for UserPool login flow.
+ * Fetches .well-known/openid-configuration from data plane, then:
+ * - Build authorization URL for login
+ * - Exchange code for tokens
+ *
+ * Reference: veadk auth/middleware/oauth2_auth.py
+ */
+/** Default OIDC scope for login. Includes offline_access for refresh_token support. */
+export const DEFAULT_OIDC_SCOPE = "openid profile email offline_access";
 export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -36,7 +46,7 @@ export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
     }
 }
 export function buildAuthorizationUrl(params) {
-    const { authorizationEndpoint, clientId, redirectUri, scope = "openid profile email", state, responseType = "code", codeChallenge, codeChallengeMethod, } = params;
+    const { authorizationEndpoint, clientId, redirectUri, scope = DEFAULT_OIDC_SCOPE, state, responseType = "code", codeChallenge, codeChallengeMethod, } = params;
     const search = new URLSearchParams({
         response_type: responseType,
         client_id: clientId,

package/dist/src/services/tip-with-refresh.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC,~~CA6DlD~~"}
1	+ {"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC,CAgElD"}

package/dist/src/services/tip-with-refresh.js CHANGED Viewed

@@ -27,10 +27,11 @@ export async function getOrRefreshTIPToken(storeDir, sessionKey, options) {
     const cached = await getTIPToken(storeDir, sessionKey);
     if (cached)
         return cached;
-    if (!options)
+    if (!options) {
         return null;
+    }
     const { identityService, getOidcConfigForRefresh, configWorkloadName, ctxAgentId, logger, } = options;
-    let session = await getSession(storeDir, sessionKey);
+    const session = await getSession(storeDir, sessionKey);
     if (!session)
         return null;
     try {
@@ -47,9 +48,8 @@ export async function getOrRefreshTIPToken(storeDir, sessionKey, options) {
         return getTIPToken(storeDir, sessionKey);
     }
     catch (err) {
-        if (!isTokenExpiredError(err) ||
-            !getOidcConfigForRefresh ||
-            !session.refreshToken) {
+        const canRefresh = isTokenExpiredError(err) && !!getOidcConfigForRefresh && !!session.refreshToken;
+        if (!canRefresh) {
             return null;
         }
         const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);

package/dist/src/store/session-store.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../../src/store/session-store.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;~~AAMF~~,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE;~~AAeD~~,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAc1F;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,GACrC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,~~CAU9B~~;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF"}
1	+ {"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../../src/store/session-store.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAQF,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE;AAoBD,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAc1F;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,GACrC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAgB9B;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF"}

package/dist/src/store/session-store.js CHANGED Viewed

@@ -23,6 +23,8 @@ import path from "node:path";
 const SESSIONS_FILENAME = "sessions.json";
 /** Max session age when no expiresAt (e.g. legacy entries). Default 30 days. */
 const MAX_SESSION_AGE_MS = 30 * 24 * 60 * 60 * 1000;
+/** Absolute max session lifetime regardless of refresh token. Default 30 days. */
+const MAX_SESSION_ABSOLUTE_AGE_MS = 30 * 24 * 60 * 60 * 1000;
 export async function ensureStoreDir(storeDir) {
     await fs.mkdir(storeDir, { recursive: true });
 }
@@ -30,6 +32,12 @@ function pruneExpiredSessions(sessions) {
     const now = Date.now();
     const pruned = {};
     for (const [k, v] of Object.entries(sessions)) {
+        if (now - v.loginAt > MAX_SESSION_ABSOLUTE_AGE_MS)
+            continue;
+        if (v.refreshToken) {
+            pruned[k] = v;
+            continue;
+        }
         if (v.expiresAt != null && v.expiresAt < now)
             continue;
         if (v.expiresAt == null && now - v.loginAt > MAX_SESSION_AGE_MS)
@@ -65,7 +73,13 @@ export async function getSession(storeDir, sessionKey) {
     const entry = sessions[sessionKey];
     if (!entry)
         return null;
-    if (entry.expiresAt && entry.expiresAt < Date.now()) {
+    const now = Date.now();
+    if (now - entry.loginAt > MAX_SESSION_ABSOLUTE_AGE_MS) {
+        delete sessions[sessionKey];
+        await saveSessions(storeDir, sessions);
+        return null;
+    }
+    if (entry.expiresAt && entry.expiresAt < now && !entry.refreshToken) {
         delete sessions[sessionKey];
         await saveSessions(storeDir, sessions);
         return null;

package/dist/src/tools/identity-config-suggest.d.ts CHANGED Viewed

@@ -23,7 +23,7 @@ declare const INTENTS: {
                 readonly clientId: "<your-client-id>";
                 readonly clientSecret: "<optional-for-public-clients>";
                 readonly callbackUrl: "https://your-gateway/identity/oauth/callback";
-                readonly scope: "openid profile email";
+                readonly scope: "openid profile email offline_access";
             };
         };
         readonly instructions: {
@@ -80,7 +80,7 @@ declare const INTENTS: {
                 readonly discoveryUrl: "https://your-idp.com/.well-known/openid-configuration";
                 readonly clientId: "<your-client-id>";
                 readonly callbackUrl: "https://your-gateway/identity/oauth/callback";
-                readonly scope: "openid profile email";
+                readonly scope: "openid profile email offline_access";
             };
             readonly authz: {
                 readonly toolCheck: false;

package/dist/src/tools/identity-config-suggest.js CHANGED Viewed

@@ -73,7 +73,7 @@ const INTENTS = {
                 clientId: "<your-client-id>",
                 clientSecret: "<optional-for-public-clients>",
                 callbackUrl: "https://your-gateway/identity/oauth/callback",
-                scope: "openid profile email",
+                scope: "openid profile email offline_access",
             },
         },
         instructions: {
@@ -130,7 +130,7 @@ const INTENTS = {
                 discoveryUrl: "https://your-idp.com/.well-known/openid-configuration",
                 clientId: "<your-client-id>",
                 callbackUrl: "https://your-gateway/identity/oauth/callback",
-                scope: "openid profile email",
+                scope: "openid profile email offline_access",
             },
             authz: {
                 toolCheck: false,

package/dist/src/utils/token-errors.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,~~CAGzD~~"}
1	+ {"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAOzD"}

package/dist/src/utils/token-errors.js CHANGED Viewed

@@ -18,5 +18,5 @@
  */
 export function isTokenExpiredError(err) {
     const msg = err instanceof Error ? err.message : String(err);
-    return /token has expired|Invalid token/i.test(msg);
+    return (/token has expired|Invalid token|JWT expired|access token expired|id_token expired|token expired/i.test(msg));
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@m1a0rz/agent-identity",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
   "type": "module",
   "main": "dist/index.js",