@m1a0rz/agent-identity 0.4.0 → 0.4.2

package/README-cn.md

@@ -193,6 +193,9 @@ openclaw plugins install --link .
 | `credentialsFile` | string | 否 | 凭证 JSON 文件路径。默认 `VOLCENGINE_CREDENTIALS_FILE` 或 `/var/run/secrets/iam/credential` |
 | `credentialsMetadataUrl` | string | 否 | 远程凭据拉取的完整 URL。与 `roleTrn` 同时配置时拉取后做 AssumeRole。404 时回退到 `credentialsFile` |
 | `sessionToken` | string | 否 | STS 临时会话令牌（或 `VOLCENGINE_SESSION_TOKEN`） |
+| `subagentTipPropagation` | boolean | 否 | 将 TIP 和 session 传播到子 agent。默认 false |
+| `webchatSessionExchange` | boolean | 否 | 启用 `identity.session.put` / `identity.session.get` gateway WS 方法供 webchat 客户端使用。默认 false |
+| `personalSessionMode` | boolean | 否 | 个人/单用户模式：TIP、OIDC session、凭据仅存储在 `agent:main:main`（不做按发送者或 per-channel-peer 隔离）。子 agent 会话不变。默认 false；多租户或群聊共享场景勿开启。 |
 
 \* AK/SK 至少通过 `accessKeyId`+`secretAccessKey`、环境变量、`credentialsMetadataUrl`+`roleTrn` 或 `credentialsFile` 之一提供。
 
@@ -235,6 +238,37 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为：
 
 **审批消息**（当高风险工具被拦截时）：若要向飞书（或 Telegram、Slack 等）推送审批请求，请在 openclaw.json 中将 `session.dmScope` 设置为 `per-channel-peer` 或 `per-account-channel-peer`。默认 `session.dmScope: "main"` 时，sessionKey 不包含 channel/peer 信息，插件无法推导推送目标，审批消息不会推送。用户仍可在 agent 的错误回复中看到 block/approval_id；使用 `/identity approve <id>` 审批。
 
+### WebChat Session Exchange（Gateway WS 方法）
+
+当 `identity.webchatSessionExchange` 为 `true` 时，插件注册两个 gateway WebSocket 方法，允许 webchat 客户端直接注入和获取 session token，无需走 OIDC 重定向流程：
+
+| 方法 | 参数 | 响应 | 描述 |
+| --- | --- | --- | --- |
+| `identity.session.put` | `{ sessionKey, idToken, refreshToken?, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | 将 OIDC id_token 注入到插件 session；可选传入 `refreshToken`（加密存储），用于静默续期。通过 `buildEffectiveSessionKey` 解析实际存储 key（与 hooks/commands 相同的隔离逻辑）。 |
+| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey, hasRefreshToken }` | 获取指定 session 已存储的 user token。`hasRefreshToken` 表示是否存有 refresh token；响应中不会返回 refresh token 明文。 |
+
+- `senderId` 默认值为 `"openclaw-control-ui"`。对于 main session，实际存储 key 为 `agent:main:main:user:<senderId>`。
+- `channel` 可选；当 session 来源于可发送消息的渠道（feishu、telegram 等）时传入，可启用 per-channel-peer key 提升。
+
+两个方法均**限制为 webchat WS 连接**（`isWebchatConnect` 检查），非 webchat 客户端会收到 `FORBIDDEN` 错误。
+
+**配置：**
+
+```json
+{
+  "identity": {
+    "webchatSessionExchange": true
+  }
+}
+```
+
+**典型流程（BFF → webchat → plugin）：**
+
+1. BFF 完成 3LO 登录并获取用户的 OIDC `id_token`
+2. Webchat 客户端调用 `identity.session.put`，传入 session key 和 `id_token`（若需静默续期，可一并传入 token 响应中的 `refresh_token` 作为 `refreshToken`）
+3. 插件校验 token，存储 session，并获取 TIP
+4. 后续该 session 中的 agent 运行拥有有效身份——无需手动登录
+
 ### WebChat / TUI
 
 用户从 WebChat 或 TUI 运行 `/identity` 时，跟进消息不会投递；插件无 API 推送至这些渠道。请使用 `/identity status` 确认结果。

package/README.md

@@ -193,6 +193,9 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 | `credentialsFile` | string | No | Path to credential JSON. Default: `VOLCENGINE_CREDENTIALS_FILE` or `/var/run/secrets/iam/credential` |
 | `credentialsMetadataUrl` | string | No | Full URL for remote credential fetch. When set with `roleTrn`, fetches then AssumeRole. 404 falls through to `credentialsFile` |
 | `sessionToken` | string | No | STS session token (or `VOLCENGINE_SESSION_TOKEN`) |
+| `subagentTipPropagation` | boolean | No | Propagate TIP and session to subagents. Default false |
+| `webchatSessionExchange` | boolean | No | Enable `identity.session.put` / `identity.session.get` gateway WS methods for webchat clients. Default false |
+| `personalSessionMode` | boolean | No | Single-user mode: TIP, OIDC session, and credentials are stored only under `agent:main:main` (no per-sender or per-channel-peer keys). Subagent sessions unchanged. Default false — do not enable for multi-tenant or shared groups. |
 
 \* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, `credentialsMetadataUrl`+`roleTrn`, or `credentialsFile`.
 
@@ -235,6 +238,37 @@ Login success and credential fetch follow-up messages (e.g. "✓ Credential for
 
 **Approval messages** (when a high-risk tool is blocked): For approval requests to be delivered to Feishu (or Telegram, Slack, etc.), set `session.dmScope` to `per-channel-peer` or `per-account-channel-peer` in openclaw.json. With default `session.dmScope: "main"`, the sessionKey does not include channel/peer info, so the plugin cannot derive a delivery target and approval messages are not pushed. The user will still see the block/approval_id in the agent's error reply; use `/identity approve <id>` to approve.
 
+### WebChat Session Exchange (Gateway WS Methods)
+
+When `identity.webchatSessionExchange` is `true`, the plugin registers two gateway WebSocket methods for webchat clients to inject and retrieve session tokens without going through the OIDC redirect flow:
+
+| Method | Params | Response | Description |
+| --- | --- | --- | --- |
+| `identity.session.put` | `{ sessionKey, idToken, refreshToken?, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | Inject an OIDC id_token into a plugin session; optional `refreshToken` is stored encrypted for silent token renewal. Resolves effective storage key via `buildEffectiveSessionKey` (same sender isolation as hooks/commands). |
+| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey, hasRefreshToken }` | Retrieve the stored user token for a session. `hasRefreshToken` indicates whether a refresh token is stored; the refresh token value is never returned. |
+
+- `senderId` defaults to `"openclaw-control-ui"`. The effective storage key is `agent:main:main:user:<senderId>` for main sessions.
+- `channel` is optional; when the session originates from a sendable channel (feishu, telegram, etc.), pass it to enable per-channel-peer key promotion.
+
+Both methods are **restricted to webchat WS connections only** (`isWebchatConnect` check). Non-webchat clients receive a `FORBIDDEN` error.
+
+**Config:**
+
+```json
+{
+  "identity": {
+    "webchatSessionExchange": true
+  }
+}
+```
+
+**Typical flow (BFF → webchat → plugin):**
+
+1. BFF completes 3LO login and obtains an OIDC `id_token` for the user
+2. Webchat client calls `identity.session.put` with the session key and `id_token` (optionally `refreshToken` from the token response if silent renewal is desired)
+3. Plugin verifies the token, stores the session, and acquires TIP
+4. Subsequent agent runs in that session have a valid identity — no manual login needed
+
 ### WebChat / TUI
 
 Follow-up messages (login success, credential fetch done) are not delivered when the user runs `/identity` from WebChat or TUI; the plugin has no API to push to those channels. Use `/identity status` to confirm results.

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAsE7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA2ZtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAkF7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA8etD"}

package/dist/index.js

@@ -13,15 +13,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+import { runPluginPreflight } from "./src/preflight/plugin-preflight.js";
+import { pluginState } from "./src/preflight/plugin-state.js";
 import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
 import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
 import { createLlmInputHandler } from "./src/hooks/llm-input.js";
 import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
 import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
 import { createSubagentEndedCleanupHandler } from "./src/hooks/subagent-ended-cleanup.js";
-import { setSender, clearSender } from "./src/store/sender-session-store.js";
+import { setSender, clearSender, setPersonalSessionMode } from "./src/store/sender-session-store.js";
 import { deriveSessionKey, needsSenderIsolation, } from "./src/utils/derive-session-key.js";
 import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
+import { createToolResultPersistHandler } from "./src/hooks/tool-result-persist.js";
 import { createAfterToolCallHandler } from "./src/hooks/after-tool-call.js";
 import * as skillPathStore from "./src/store/skill-path-store.js";
 import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
@@ -34,7 +37,11 @@ import { createIdentityConfigSuggestTool } from "./src/tools/identity-config-sug
 import { createIdentityListRiskPatternsTool } from "./src/tools/identity-list-risk-patterns.js";
 import { createIdentityRiskCheckTool } from "./src/tools/identity-risk-check.js";
 import { createIdentityFetchTool } from "./src/tools/identity-fetch.js";
+import { createIdentityGetRoleCredentialsTool } from "./src/tools/identity-get-role-credentials.js";
+import { createIdentityGetTipTokenTool } from "./src/tools/identity-get-tip-token.js";
+import { createIdentityGetSessionTokenTool } from "./src/tools/identity-get-session-token.js";
 import { createIdentityListCredentialsTool } from "./src/tools/identity-list-credentials.js";
+import { createIdentityListRolesTool } from "./src/tools/identity-list-roles.js";
 import { createIdentityListTipsTool } from "./src/tools/identity-list-tips.js";
 import { createIdentityLoginTool } from "./src/tools/identity-login.js";
 import { createIdentityLogoutTool } from "./src/tools/identity-logout.js";
@@ -43,6 +50,7 @@ import { createIdentityStatusTool } from "./src/tools/identity-status.js";
 import { createIdentityUnsetBindingTool } from "./src/tools/identity-unset-binding.js";
 import { createIdentityWhoamiTool } from "./src/tools/identity-whoami.js";
 import { parseSessionKeyToDeliveryTarget, } from "./src/utils/derive-session-key.js";
+import { createSessionPutHandler, createSessionGetHandler, } from "./src/gateway/identity-session-methods.js";
 import { logDebug, logInfo, logWarn } from "./src/utils/logger.js";
 import { initEncryptionKey } from "./src/store/encryption.js";
 const PLUGIN_STORE_DIR = "~/.openclaw/plugins/identity";
@@ -69,6 +77,10 @@ export default function register(api) {
     const storeDir = api.resolvePath(PLUGIN_STORE_DIR);
     initEncryptionKey(storeDir);
     const identityCfg = pluginConfig.identity;
+    setPersonalSessionMode(identityCfg?.personalSessionMode === true);
+    if (identityCfg?.personalSessionMode) {
+        logInfo(api.logger, "identity.personalSessionMode: non-subagent TIP/session/credentials use agent:main:main only");
+    }
     const hasIdentity = hasAnyIdentityConfig(identityCfg);
     const userpool = pluginConfig.userpool;
     const identityClient = hasIdentity
@@ -95,6 +107,9 @@ export default function register(api) {
             getResourceApiKey: async () => {
                 throw new Error("Identity not configured.");
             },
+            getUserCredential: async () => {
+                throw new Error("Identity not configured.");
+            },
             checkPermission: async () => {
                 throw new Error("Identity not configured.");
             },
@@ -105,9 +120,24 @@ export default function register(api) {
                 PageNumber: 1,
                 PageSize: 20,
             }),
+            listRoleCredentialProviders: async () => ({
+                RoleCredentialProviders: [],
+                TotalCount: 0,
+                PageNumber: 1,
+                PageSize: 20,
+            }),
+            getRoleCredentials: async () => {
+                throw new Error("Identity not configured.");
+            },
             getUserPool: async () => {
                 throw new Error("Identity not configured.");
             },
+            listIdentityProviders: async () => ({
+                pageNumber: 1,
+                pageSize: 10,
+                totalCount: 0,
+                data: [],
+            }),
             listUserPools: async () => ({
                 pageNumber: 1,
                 pageSize: 10,
@@ -277,23 +307,29 @@ export default function register(api) {
         getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
         configWorkloadName: identityCfg?.workloadName,
         identityClient: hasIdentity ? identityClient : undefined,
+        workloadPoolName: identityCfg?.workloadPoolName ?? "default",
+        userPoolName: userpool?.userPoolName,
         logger: api.logger,
         pluginConfig,
         sendCredentialMessage: sendToSession,
     };
     api.registerCommand(createIdentityCommand(identityCommandsDeps));
     api.registerCommand(createIdCommand(identityCommandsDeps));
-    logInfo(api.logger, "commands /identity, /id (login, status, logout, list-tips, list-credentials, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
+    logInfo(api.logger, "commands /identity, /id (login, status, logout, list, list-roles, list-tips, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
     // Tools (share deps with commands). Optional = only included when agent allowlist explicitly adds them.
     api.registerTool(createIdentityWhoamiTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityLogoutTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityStatusTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityLoginTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityListCredentialsTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityListRolesTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityListTipsTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityConfigTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityConfigSuggestTool(), { optional: false });
     api.registerTool(createIdentityFetchTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetRoleCredentialsTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetTipTokenTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetSessionTokenTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentitySetBindingTool(identityCommandsDeps), { optional: true });
     api.registerTool(createIdentityUnsetBindingTool(identityCommandsDeps), { optional: true });
     api.registerTool(createIdentityRiskCheckTool({ pluginConfig, logger: api.logger }), { optional: true });
@@ -390,12 +426,12 @@ export default function register(api) {
         logger: api.logger,
     }));
     if (skillReadCheck) {
-        api.on("session_end", (_event, ctx) => {
-            if (ctx.sessionId)
-                skillPathStore.clearSessionById(ctx.sessionId);
+        api.on("session_end", (event) => {
+            if (event.sessionId)
+                skillPathStore.clearSessionById(event.sessionId);
         });
     }
-    // before_tool_call: authz, credential injection, group sender context
+    // before_tool_call: authz, credential injection, group sender context, contract injection
     api.on("before_tool_call", createBeforeToolCallHandler({
         storeDir,
         identityClient: hasIdentity ? identityClient : undefined,
@@ -407,7 +443,56 @@ export default function register(api) {
         identityService: hasIdentity ? identityService : undefined,
         getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
         configWorkloadName: identityCfg?.workloadName,
+        workspaceDir: api.resolvePath?.(".") ?? undefined,
     }));
     // Companion after_tool_call: restore env snapshot set by credential injection
     api.on("after_tool_call", createAfterToolCallHandler({ logger: api.logger }));
+    api.on("tool_result_persist", createToolResultPersistHandler({ logger: api.logger }));
+    // Gateway WS methods: webchat session exchange (inject / retrieve user token)
+    if (identityCfg?.webchatSessionExchange && hasIdentity) {
+        const sessionMethodDeps = {
+            storeDir,
+            identityService,
+            getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
+            configWorkloadName: identityCfg?.workloadName,
+            logger: api.logger,
+        };
+        api.registerGatewayMethod("identity.session.put", createSessionPutHandler(sessionMethodDeps));
+        api.registerGatewayMethod("identity.session.get", createSessionGetHandler(sessionMethodDeps));
+        logInfo(api.logger, "gateway methods: identity.session.put, identity.session.get (webchat session exchange)");
+    }
+    // Preflight: run async after register() returns so startup is never blocked.
+    // On any failure, set pluginState.degraded so hooks skip all interception.
+    const authzEnabled = !!(authz?.agentCheck || authz?.toolCheck || authz?.requireRiskApproval);
+    runPluginPreflight({
+        identityClient,
+        identityService,
+        hasIdentity,
+        credentialConfig: identityCfg
+            ? {
+                accessKeyId: identityCfg.accessKeyId,
+                secretAccessKey: identityCfg.secretAccessKey,
+                sessionToken: identityCfg.sessionToken,
+                credentialsFile: identityCfg.credentialsFile,
+                credentialsMetadataUrl: identityCfg.credentialsMetadataUrl,
+                roleTrn: identityCfg.roleTrn,
+            }
+            : undefined,
+        userpool: dynamicOidcEnabled
+            ? { mode: "dynamic", userPoolName: userpool?.userPoolName }
+            : explicitOidcEnabled
+                ? { mode: "explicit", discoveryUrl: userpool?.discoveryUrl }
+                : undefined,
+        workloadPoolName: identityCfg?.workloadPoolName,
+        authzEnabled,
+        namespaceName: authz?.namespaceName ?? "default",
+        logger: api.logger,
+    }).then((result) => {
+        if (!result.ok) {
+            pluginState.degraded = true;
+            pluginState.failures = result.failures;
+        }
+    }).catch((err) => {
+        logWarn(api.logger, `[identity] preflight threw unexpectedly: ${String(err)}`);
+    });
 }

package/dist/scripts/demo-get-session.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
+ *
+ * Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
+ *
+ * Usage (after `pnpm build`):
+ *   node dist/scripts/demo-get-session.js <sessionKey>
+ *   node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
+ *   pnpm demo:get-session -- <sessionKey>
+ *
+ * Flags:
+ *   --print-token  Print full userToken (default: only prefix + length)
+ */
+export {};
+//# sourceMappingURL=demo-get-session.d.ts.map

package/dist/scripts/demo-get-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo-get-session.d.ts","sourceRoot":"","sources":["../../scripts/demo-get-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}

package/dist/scripts/demo-get-session.js

@@ -0,0 +1,58 @@
+/**
+ * Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
+ *
+ * Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
+ *
+ * Usage (after `pnpm build`):
+ *   node dist/scripts/demo-get-session.js <sessionKey>
+ *   node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
+ *   pnpm demo:get-session -- <sessionKey>
+ *
+ * Flags:
+ *   --print-token  Print full userToken (default: only prefix + length)
+ */
+import path from "node:path";
+import os from "node:os";
+import { initEncryptionKey } from "../src/store/encryption.js";
+import { getSession } from "../src/store/session-store.js";
+function usage() {
+    console.error(`Usage: demo-get-session [--print-token] <sessionKey>
+       demo-get-session [--print-token] <storeDir> <sessionKey>
+
+  storeDir defaults to ~/.openclaw/plugins/identity`);
+    process.exit(1);
+}
+async function main() {
+    const printToken = process.argv.includes("--print-token");
+    const args = process.argv.slice(2).filter((a) => a !== "--print-token");
+    if (args.length < 1 || args.length > 2)
+        usage();
+    const storeDir = args.length === 2
+        ? path.resolve(args[0])
+        : path.join(os.homedir(), ".openclaw", "plugins", "identity");
+    const sessionKey = args.length === 2 ? args[1] : args[0];
+    initEncryptionKey(storeDir);
+    const session = await getSession(storeDir, sessionKey);
+    if (!session) {
+        console.log(JSON.stringify({ ok: false, reason: "no session or expired", storeDir, sessionKey }, null, 2));
+        process.exit(2);
+    }
+    const tokenPreview = printToken
+        ? session.userToken
+        : `${session.userToken.slice(0, 12)}… (${session.userToken.length} chars)`;
+    console.log(JSON.stringify({
+        ok: true,
+        storeDir,
+        sessionKey,
+        sub: session.sub,
+        loginAt: session.loginAt,
+        expiresAt: session.expiresAt ?? null,
+        hasRefreshToken: Boolean(session.refreshToken),
+        claims: session.claims ?? null,
+        userToken: tokenPreview,
+    }, null, 2));
+}
+main().catch((err) => {
+    console.error(err);
+    process.exit(1);
+});

package/dist/src/actions/identity-actions.d.ts

@@ -15,6 +15,10 @@ export type OIDCConfigForCommand = {
     clientSecret?: string;
     scope?: string;
     callbackUrl: string;
+    /** UserPool UID (available when resolved dynamically via resolveOIDCConfig). */
+    poolUid?: string;
+    /** First identity provider cached at config resolve time. */
+    identityProvider?: string;
 };
 export type IdentityActionsLogger = {
     info?: (msg: string) => void;
@@ -28,11 +32,13 @@ export type IdentityActionsDeps = {
     getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
     configWorkloadName?: string;
     identityClient?: IdentityClientInterface;
+    workloadPoolName?: string;
+    userPoolName?: string;
     logger?: IdentityActionsLogger;
     pluginConfig?: PluginConfig;
     sendCredentialMessage?: (targetOrSessionKey: SessionKeyDeliveryTarget | string, text: string) => Promise<void>;
 };
-export type FetchFlow = "oauth2-user" | "oauth2-m2m" | "apikey";
+export type FetchFlow = "oauth2-user" | "oauth2-m2m" | "apikey" | "user";
 export type StatusResult = {
     loggedIn: boolean;
     sub: string | null;
@@ -69,14 +75,15 @@ export type LogoutResult = {
     ok: boolean;
 };
 export declare function runLogout(deps: IdentityActionsDeps, sessionKey: string): Promise<LogoutResult>;
+export type ProviderRow = {
+    name: string;
+    type: string;
+    flow?: string;
+    status: string;
+    binding?: string;
+};
 export type ListCredentialsResult = {
-    providers: Array<{
-        name: string;
-        type: string;
-        flow?: string;
-        status: string;
-        binding?: string;
-    }>;
+    providers: ProviderRow[];
     storedOnly: Array<{
         name: string;
         status: string;
@@ -89,8 +96,21 @@ export type ListCredentialsResult = {
 export type ListCredentialsFilter = {
     name?: string;
     flow?: string;
+    type?: string;
 };
 export declare function runListCredentials(deps: IdentityActionsDeps, sessionKey: string, page?: number, filter?: ListCredentialsFilter): Promise<ListCredentialsResult>;
+export type RoleProviderRow = {
+    name: string;
+    identitySource?: string;
+};
+export type ListRoleCredentialsResult = {
+    providers: RoleProviderRow[];
+    page: number;
+    hasMore: boolean;
+};
+export declare function runListRoleCredentials(deps: IdentityActionsDeps, sessionKey: string, filter?: {
+    name?: string;
+}): Promise<ListRoleCredentialsResult>;
 export type ListTipsResult = {
     tips: Array<{
         sessionKey: string;
@@ -148,4 +168,50 @@ export type UnsetBindingResult = {
 export declare function runUnsetBinding(deps: IdentityActionsDeps, sessionKey: string, params: {
     provider: string;
 }): Promise<UnsetBindingResult>;
+export type GetRoleCredentialsActionResult = {
+    kind: "success";
+    credentials: {
+        AccessKeyId: string;
+        SecretAccessKey: string;
+        SessionToken: string;
+        Expiration?: string;
+    };
+} | {
+    kind: "error";
+    message: string;
+};
+export declare function runGetRoleCredentials(deps: IdentityActionsDeps, sessionKey: string, params: {
+    providerName: string;
+    useTip?: boolean;
+    config?: import("openclaw/plugin-sdk").OpenClawConfig;
+}): Promise<GetRoleCredentialsActionResult>;
+export type GetTipTokenResult = {
+    kind: "success";
+    tipToken: string;
+    sub: string;
+    issuedAt: number;
+    expiresAt: number;
+} | {
+    kind: "error";
+    message: string;
+};
+/**
+ * Return the current TIP JWT for the session (refresh/obtain via user token if needed).
+ */
+export declare function runGetTipToken(deps: IdentityActionsDeps, sessionKey: string, config?: OpenClawConfig): Promise<GetTipTokenResult>;
+export type GetSessionTokenResult = {
+    kind: "success";
+    /** OIDC id_token stored for the session. */
+    sessionIdToken: string;
+    sub: string;
+    loginAt: number;
+    expiresAt?: number;
+} | {
+    kind: "error";
+    message: string;
+};
+/**
+ * Return the OIDC id_token (user / session identity token) for the session.
+ */
+export declare function runGetSessionToken(deps: IdentityActionsDeps, sessionKey: string): Promise<GetSessionTokenResult>;
 //# sourceMappingURL=identity-actions.d.ts.map

package/dist/src/actions/identity-actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AAgFhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CA8DtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CAqFhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA4ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CA4JtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
+{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;AAgHzE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAyDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CA6DhC;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,yBAAyB,CAAC,CA2CpC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA4ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CAgKtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B;AAED,MAAM,MAAM,8BAA8B,GACtC;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,qBAAqB,EAAE,cAAc,CAAC;CACvD,GACA,OAAO,CAAC,8BAA8B,CAAC,CAsDzC;AAED,MAAM,MAAM,iBAAiB,GACzB;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,MAAM,qBAAqB,GAC7B;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,4CAA4C;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC"}