@m1a0rz/agent-identity 0.4.0 → 0.4.2

package/dist/src/actions/identity-actions.js

@@ -18,7 +18,8 @@ import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
 import { fetchOIDCDiscovery, buildAuthorizationUrl, generateState, generatePKCE, generateNonce, } from "../services/oidc-client.js";
 import { loadCredentialEnvBindings, loadAllCredentialEnvBindings, setCredentialEnvBinding, deleteCredentialEnvBinding, } from "../store/credential-env-bindings.js";
 import { loadCredentials, setCredential, getCredential, deleteCredentialsForSession, } from "../store/credential-store.js";
-import { getSession, deleteSession } from "../store/session-store.js";
+import { deleteSession } from "../store/session-store.js";
+import { getSessionWithRefresh } from "../services/session-refresh.js";
 import { createState } from "../store/oidc-state-store.js";
 import { getAllTIPTokens, deleteTIPToken } from "../store/tip-store.js";
 import { extractDelegationChainFromJwt } from "../utils/auth.js";
@@ -30,6 +31,34 @@ function inferFlowFromProvider(info) {
         return "oauth2-m2m";
     return "oauth2-user";
 }
+function buildTipRefreshOptions(deps, ctxAgentId, errorHolder) {
+    if (!deps.getOidcConfigForRefresh)
+        return undefined;
+    return {
+        identityService: deps.identityService,
+        getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
+        configWorkloadName: deps.configWorkloadName,
+        ctxAgentId,
+        logger: deps.logger,
+        ...(errorHolder ? { errorHolder } : {}),
+    };
+}
+async function resolveAndRefreshTIP(deps, sessionKey, config, errorHolder) {
+    const ctxAgentId = resolveAgentId({ sessionKey, config: config });
+    return getOrRefreshTIPToken(deps.storeDir, sessionKey, buildTipRefreshOptions(deps, ctxAgentId, errorHolder));
+}
+function formatCredentialStatus(c) {
+    if (!c)
+        return "—";
+    if (c.type === "oauth2")
+        return c.status;
+    if (c.type === "api_key") {
+        if (c.valueFromEnv)
+            return `from \`${c.valueFromEnv}\``;
+        return c.value ? "✓" : "empty";
+    }
+    return "—";
+}
 const OAUTH_POLL_INTERVAL_MS = 2500;
 const OAUTH_POLL_TIMEOUT_MS = 10 * 60 * 1000;
 const OAUTH_QUICK_RETRY_MS = 1000;
@@ -70,19 +99,9 @@ async function pollOAuthAndNotify(params) {
     await sendCredentialMessage?.(target, `⚠️ Authorization timed out for \`${provider}\`. Run \`/identity fetch ${provider}\` again.`);
 }
 export async function runStatus(deps, sessionKey, config) {
-    const { storeDir, identityService, getOidcConfigForRefresh, configWorkloadName, logger } = deps;
-    const session = await getSession(storeDir, sessionKey);
-    const ctxAgentId = resolveAgentId({ sessionKey, config: config });
-    const tipRefreshOptions = getOidcConfigForRefresh
-        ? {
-            identityService,
-            getOidcConfigForRefresh,
-            configWorkloadName,
-            ctxAgentId,
-            logger,
-        }
-        : undefined;
-    const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
+    const { storeDir } = deps;
+    const session = await getSessionWithRefresh(storeDir, sessionKey, deps.getOidcConfigForRefresh);
+    const tip = await resolveAndRefreshTIP(deps, sessionKey, config);
     const credentials = await loadCredentials(storeDir, sessionKey);
     const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
     const tipChain = tip
@@ -92,7 +111,7 @@ export async function runStatus(deps, sessionKey, config) {
         })()
         : undefined;
     return {
-        loggedIn: !!(session && identityService.parseUserToken(session.userToken).valid),
+        loggedIn: !!(session?.userToken),
         sub: session?.sub ?? null,
         hasTip: Boolean(tip),
         sessionLoginAt: session?.loginAt,
@@ -108,22 +127,10 @@ export async function runLogin(deps, sessionKey, options) {
     const { storeDir, identityService, getOidcConfig, logger } = deps;
     const config = options?.config;
     const deliveryTarget = options?.deliveryTarget ?? null;
-    const session = await getSession(storeDir, sessionKey);
-    const hasValidCred = session && identityService.parseUserToken(session.userToken).valid;
-    if (hasValidCred && session) {
-        const ctxAgentId = resolveAgentId({ sessionKey, config: config });
+    const session = await getSessionWithRefresh(storeDir, sessionKey, deps.getOidcConfigForRefresh);
+    if (session) {
         const errorHolder = {};
-        const tipRefreshOptions = deps.getOidcConfigForRefresh
-            ? {
-                identityService,
-                getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
-                configWorkloadName: deps.configWorkloadName,
-                ctxAgentId,
-                logger,
-                errorHolder,
-            }
-            : undefined;
-        const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
+        const tip = await resolveAndRefreshTIP(deps, sessionKey, config, errorHolder);
         if (tip) {
             return { kind: "already_logged_in", sub: session.sub };
         }
@@ -138,10 +145,13 @@ export async function runLogin(deps, sessionKey, options) {
     try {
         const oidcConfig = await getOidcConfig();
         const discovery = await fetchOIDCDiscovery(oidcConfig.discoveryUrl);
-        const state = await generateState();
+        // Prefer explicit config, then fall back to what resolveOIDCConfig already cached
+        const identityProvider = deps.pluginConfig?.userpool?.identityProvider ?? oidcConfig.identityProvider;
+        const workloadName = deps.configWorkloadName;
+        const state = await generateState({ target: workloadName });
         const { codeVerifier, codeChallenge } = await generatePKCE();
         const nonce = await generateNonce();
-        await createState(storeDir, sessionKey, "", state, deliveryTarget, { codeVerifier, nonce });
+        createState(sessionKey, "", state, deliveryTarget, { codeVerifier, nonce });
         const authUrl = buildAuthorizationUrl({
             authorizationEndpoint: discovery.authorization_endpoint,
             clientId: oidcConfig.clientId,
@@ -151,6 +161,8 @@ export async function runLogin(deps, sessionKey, options) {
             codeChallenge,
             codeChallengeMethod: "S256",
             nonce,
+            redirectRelayUri: oidcConfig.callbackUrl,
+            identityProvider,
         });
         logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
         return { kind: "auth_url", authUrl };
@@ -176,11 +188,11 @@ export async function runListCredentials(deps, sessionKey, page = 1, filter) {
     const { storeDir, identityClient, identityService, logger } = deps;
     const creds = await loadCredentials(storeDir, sessionKey);
     const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
-    let providers = [];
+    let credProviders = [];
     let totalCount = 0;
     if (identityClient) {
-        const session = await getSession(storeDir, sessionKey);
-        if (!session || !identityService.parseUserToken(session.userToken).valid) {
+        const session = await getSessionWithRefresh(storeDir, sessionKey, deps.getOidcConfigForRefresh);
+        if (!session) {
             logWarn(logger, `list-credentials: no valid session for key=${sessionKey.slice(0, 24)}...`);
         }
         else {
@@ -190,12 +202,15 @@ export async function runListCredentials(deps, sessionKey, page = 1, filter) {
                     apiFilter.Name = filter.name;
                 if (filter?.flow)
                     apiFilter.Flow = filter.flow;
+                if (filter?.type)
+                    apiFilter.Type = filter.type;
                 const result = await identityClient.listCredentialProviders({
                     PageNumber: page,
                     PageSize: LIST_PAGE_SIZE,
+                    PoolName: deps.workloadPoolName,
                     ...(Object.keys(apiFilter).length > 0 ? { Filter: apiFilter } : {}),
                 });
-                providers = result.CredentialProviders ?? result.Data ?? [];
+                credProviders = result.CredentialProviders ?? result.Data ?? [];
                 totalCount = result.TotalCount ?? 0;
             }
             catch (e) {
@@ -203,46 +218,23 @@ export async function runListCredentials(deps, sessionKey, page = 1, filter) {
             }
         }
     }
-    const providerNames = new Set(providers.map((p) => p.Name));
+    const providerNames = new Set(credProviders.map((p) => p.Name));
     const storedNames = Object.keys(creds);
-    const providerRows = providers.map((p) => {
-        const c = creds[p.Name];
-        const bind = bindings[p.Name];
-        const typeLabel = p.Type === "api_key" ? "api_key" : `oauth2${p.Flow === "M2M" ? " (m2m)" : ""}`;
-        const status = c?.type === "oauth2"
-            ? c.status
-            : c?.type === "api_key"
-                ? c.valueFromEnv
-                    ? `from \`${c.valueFromEnv}\``
-                    : c.value
-                        ? "✓"
-                        : "empty"
-                : "—";
-        return {
-            name: p.Name,
-            type: typeLabel,
-            flow: p.Flow,
-            status,
-            binding: bind,
-        };
-    });
+    const providerRows = credProviders.map((p) => ({
+        name: p.Name,
+        type: p.Type === "api_key" ? "api_key" : `oauth2${p.Flow === "M2M" ? " (m2m)" : ""}`,
+        flow: p.Flow,
+        status: formatCredentialStatus(creds[p.Name]),
+        binding: bindings[p.Name],
+    }));
     const storedOnly = storedNames
         .filter((n) => !providerNames.has(n))
         .sort()
-        .map((name) => {
-        const c = creds[name];
-        const bind = bindings[name];
-        const status = c.type === "oauth2"
-            ? c.status
-            : c.type === "api_key"
-                ? c.valueFromEnv
-                    ? `from \`${c.valueFromEnv}\``
-                    : c.value
-                        ? "✓"
-                        : "empty"
-                : "—";
-        return { name, status, binding: bind };
-    });
+        .map((name) => ({
+        name,
+        status: formatCredentialStatus(creds[name]),
+        binding: bindings[name],
+    }));
     return {
         providers: providerRows,
         storedOnly,
@@ -251,6 +243,48 @@ export async function runListCredentials(deps, sessionKey, page = 1, filter) {
         totalCount,
     };
 }
+export async function runListRoleCredentials(deps, sessionKey, filter) {
+    const { storeDir, identityClient, identityService, logger } = deps;
+    let roleProviders = [];
+    if (identityClient) {
+        const session = await getSessionWithRefresh(storeDir, sessionKey, deps.getOidcConfigForRefresh);
+        if (!session) {
+            logWarn(logger, `list-roles: no valid session for key=${sessionKey.slice(0, 24)}...`);
+        }
+        else {
+            try {
+                const roleResult = await identityClient.listRoleCredentialProviders({
+                    PageNumber: 1,
+                    PageSize: 50,
+                    PoolName: deps.workloadPoolName,
+                    UserPoolName: deps.userPoolName,
+                });
+                roleProviders = roleResult.RoleCredentialProviders ?? [];
+                if (filter?.name) {
+                    const n = filter.name.toLowerCase();
+                    roleProviders = roleProviders.filter((rp) => rp.Name.toLowerCase().includes(n));
+                }
+            }
+            catch (e) {
+                logWarn(logger, `list-role-credential-providers API error: ${String(e)}`);
+            }
+        }
+    }
+    const providerRows = roleProviders.map((rp) => {
+        const pool = rp.Config?.IdentityPool;
+        const identitySource = pool?.UserPool?.PoolName
+            ? `userpool:${pool.UserPool.PoolName}`
+            : pool?.AgentPool?.PoolName
+                ? `agentpool:${pool.AgentPool.PoolName}`
+                : undefined;
+        return { name: rp.Name, identitySource };
+    });
+    return {
+        providers: providerRows,
+        page: 1,
+        hasMore: roleProviders.length >= 50,
+    };
+}
 export async function runListTips(deps) {
     const { storeDir } = deps;
     const tokens = getAllTIPTokens();
@@ -318,17 +352,7 @@ export async function runFetch(deps, sessionKey, params) {
     if (!identityClient) {
         return { kind: "error", message: "Identity service not configured. Cannot add credentials." };
     }
-    const ctxAgentId = resolveAgentId({ sessionKey, config: config });
-    const tipRefreshOptions = deps.getOidcConfigForRefresh
-        ? {
-            identityService: deps.identityService,
-            getOidcConfigForRefresh: deps.getOidcConfigForRefresh,
-            configWorkloadName: deps.configWorkloadName,
-            ctxAgentId,
-            logger: deps.logger,
-        }
-        : undefined;
-    const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions);
+    const tip = await resolveAndRefreshTIP(deps, sessionKey, config);
     if (!tip) {
         return {
             kind: "error",
@@ -341,6 +365,7 @@ export async function runFetch(deps, sessionKey, params) {
             const listResult = await identityClient.listCredentialProviders({
                 PageNumber: 1,
                 PageSize: 20,
+                PoolName: deps.workloadPoolName,
                 Filter: { Name: provider },
             });
             const list = listResult.CredentialProviders ?? listResult.Data ?? [];
@@ -365,6 +390,18 @@ export async function runFetch(deps, sessionKey, params) {
             });
             return { kind: "success", message: `✓ API key for \`${provider}\` added.` };
         }
+        if (effectiveFlow === "user") {
+            const result = await identityClient.getUserCredential({
+                credentialId: provider,
+                identityToken: tip.token,
+            });
+            await setCredential(storeDir, sessionKey, provider, {
+                type: "user",
+                key: result.credentialId,
+                value: result.credentialData,
+            });
+            return { kind: "success", message: `✓ User credential for \`${provider}\` added.` };
+        }
         const oauth2Flow = effectiveFlow === "oauth2-m2m" ? "M2M" : "USER_FEDERATION";
         const oauthResult = await identityClient.getResourceOauth2Token({
             providerName: provider,
@@ -498,3 +535,92 @@ export async function runUnsetBinding(deps, sessionKey, params) {
     await deleteCredentialEnvBinding(storeDir, sessionKey, provider);
     return { ok: true, message: `✓ Unset env binding for \`${provider}\`.` };
 }
+export async function runGetRoleCredentials(deps, sessionKey, params) {
+    const { identityClient, storeDir, logger } = deps;
+    if (!identityClient) {
+        return { kind: "error", message: "Identity service not configured." };
+    }
+    let identityToken;
+    if (params.useTip) {
+        const tip = await resolveAndRefreshTIP(deps, sessionKey, params.config);
+        if (!tip) {
+            return {
+                kind: "error",
+                message: "No TIP token available. Login first with `/identity login`.",
+            };
+        }
+        identityToken = tip.token;
+    }
+    else {
+        const session = await getSessionWithRefresh(storeDir, sessionKey, deps.getOidcConfigForRefresh);
+        if (!session?.userToken) {
+            return {
+                kind: "error",
+                message: "No session found. Login first with `/identity login`.",
+            };
+        }
+        identityToken = session.userToken;
+    }
+    try {
+        const result = await identityClient.getRoleCredentials({
+            IdentityToken: identityToken,
+            ProviderName: params.providerName,
+            PoolName: deps.workloadPoolName,
+        });
+        logInfo(logger, `getRoleCredentials OK for provider=${params.providerName}`);
+        return {
+            kind: "success",
+            credentials: {
+                AccessKeyId: result.Credentials.AccessKeyId,
+                SecretAccessKey: result.Credentials.SecretAccessKey,
+                SessionToken: result.Credentials.SessionToken,
+                Expiration: result.Credentials.Expiration,
+            },
+        };
+    }
+    catch (err) {
+        logWarn(logger, `getRoleCredentials failed: ${String(err)}`);
+        return {
+            kind: "error",
+            message: `Failed to get role credentials: ${err.message}`,
+        };
+    }
+}
+/**
+ * Return the current TIP JWT for the session (refresh/obtain via user token if needed).
+ */
+export async function runGetTipToken(deps, sessionKey, config) {
+    const tip = await resolveAndRefreshTIP(deps, sessionKey, config);
+    if (!tip) {
+        return {
+            kind: "error",
+            message: "No TIP token available. Log in with `/identity login` or ensure the session has a valid OIDC user token.",
+        };
+    }
+    return {
+        kind: "success",
+        tipToken: tip.token,
+        sub: tip.sub,
+        issuedAt: tip.issuedAt,
+        expiresAt: tip.expiresAt,
+    };
+}
+/**
+ * Return the OIDC id_token (user / session identity token) for the session.
+ */
+export async function runGetSessionToken(deps, sessionKey) {
+    const session = await getSessionWithRefresh(deps.storeDir, sessionKey, deps.getOidcConfigForRefresh);
+    if (!session?.userToken) {
+        return {
+            kind: "error",
+            message: "No OIDC session. Log in with `/identity login` or use identity.session.put to inject a token.",
+        };
+    }
+    return {
+        kind: "success",
+        sessionIdToken: session.userToken,
+        sub: session.sub,
+        loginAt: session.loginAt,
+        expiresAt: session.expiresAt,
+    };
+}

package/dist/src/commands/identity-commands.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAUL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAYxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAyoBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBAlf3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EA2fpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA9frC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAugBpE"}
+{"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAYL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAaxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAyxBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA3nB3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAooBpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBAvoBrC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAgpBpE"}

package/dist/src/commands/identity-commands.js

@@ -13,9 +13,10 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import { runStatus, runLogin, runLogout, runListCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
+import { runStatus, runLogin, runLogout, runListCredentials, runListRoleCredentials, runGetRoleCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
 import { deriveSessionKey, deriveDeliveryTargetFromContext, } from "../utils/derive-session-key.js";
 import { buildEffectiveSessionKey } from "../store/sender-session-store.js";
+import { pluginState } from "../preflight/plugin-state.js";
 import { logDebug } from "../utils/logger.js";
 import { diagnoseRisk } from "../risk/diagnose-risk.js";
 import { getRiskPatterns } from "../risk/classify-risk.js";
@@ -27,10 +28,12 @@ Subcommands:
 • \`status\` – Full status: session/TIP details (issued, expires, chain), credentials, bindings
 • \`login\` – Log in via OIDC (returns auth URL if not logged in)
 • \`logout\` – Clear session and TIP
-• \`list-credentials\` or \`list [page]\` – List providers and credentials (paginated; shows bound env)
+• \`list-credentials\` or \`list [page]\` – List credential providers (OAuth/API key) and stored credentials
+• \`list-roles\` – List role credential providers (STS)
+• \`get-role <provider> [--use-tip] [--show-secrets]\` – Get STS credentials for a role provider (credentials masked by default)
 • \`list-tips\` – List all valid TIP tokens with delegation chain and bindings
 • \`config\` – Show identity plugin configuration (redacted)
-• \`fetch <provider> [--flow=oauth2-user|oauth2-m2m|apikey] [--redirectUrl=<url>] [--scopes=a,b]\` – Add credential
+• \`fetch <provider> [--flow=oauth2-user|oauth2-m2m|apikey|user] [--redirectUrl=<url>] [--scopes=a,b]\` – Add credential
 • \`set <provider> <envVar>\` – Bind credential to env var for tool injection
 • \`unset <provider>\` – Remove credential env binding
 • \`risk <command>\` – Diagnose risk for a shell command (e.g. exec)
@@ -38,7 +41,7 @@ Subcommands:
 • \`approve <approval_id>\` – Approve a pending high-risk tool call
 • \`reject <approval_id>\` – Reject a pending high-risk tool call
 
-Fetch: flow auto-inferred from control-plane provider type; override with \`--flow=oauth2-user|oauth2-m2m|apikey\`.
+Fetch: flow auto-inferred from control-plane provider type; override with \`--flow=oauth2-user|oauth2-m2m|apikey|user\`.
 
 Examples:
 \`/identity\` – show this help
@@ -48,6 +51,8 @@ Examples:
 \`/identity fetch google\`
 \`/identity fetch openai --flow=apikey\`
 \`/identity list 2\` – load more (page 2)
+\`/identity list-roles\` – list role credential providers (STS)
+\`/identity get-role test_for_workload_token\` – get STS credentials
 \`/identity risk "rm -rf /"\` – check if command would require approval
 \`/identity risk-patterns\` – list risky patterns
 \`/identity approve abc123\` – approve pending tool call
@@ -88,7 +93,7 @@ function parseSubcommand(args) {
         rest: raw.slice(space + 1).trim(),
     };
 }
-/** Parse list args: optional page and filters. E.g. "list", "list 2", "list --name=github --flow=M2M". */
+/** Parse list args: optional page and filters. E.g. "list", "list 2", "list --name=github --flow=M2M --type=api_key". */
 function parseListArgs(rest) {
     const parts = rest.split(/\s+/).filter(Boolean);
     const flags = {};
@@ -108,6 +113,7 @@ function parseListArgs(rest) {
         page: Number.isFinite(page) && page >= 1 ? page : 1,
         name: flags.name || undefined,
         flow: flags.flow || undefined,
+        type: flags.type || undefined,
     };
 }
 /** Parse fetch args: provider and flags (--flow, --redirectUrl, --scopes). flow can be omitted to auto-infer from provider. */
@@ -129,7 +135,7 @@ function parseFetchArgs(rest) {
     const provider = positional[0]?.trim();
     if (!provider) {
         return {
-            error: "Usage: `/identity fetch <provider> [--flow=oauth2-user|oauth2-m2m|apikey] [--redirectUrl=<url>] [--scopes=a,b,c]`",
+            error: "Usage: `/identity fetch <provider> [--flow=oauth2-user|oauth2-m2m|apikey|user] [--redirectUrl=<url>] [--scopes=a,b,c]`",
         };
     }
     const flowRaw = flags.flow;
@@ -139,7 +145,9 @@ function parseFetchArgs(rest) {
             ? "apikey"
             : flowRaw === "oauth2-user"
                 ? "oauth2-user"
-                : undefined;
+                : flowRaw === "user"
+                    ? "user"
+                    : undefined;
     const redirectUrl = flags.redirectUrl?.trim() || undefined;
     const scopes = flags.scopes
         ? flags.scopes
@@ -179,6 +187,8 @@ function createIdentityHandler(deps) {
             "fetch",
             "list-credentials",
             "list",
+            "list-roles",
+            "get-role",
             "set",
             "unset",
             "approve",
@@ -204,6 +214,10 @@ function createIdentityHandler(deps) {
             case "list-credentials":
             case "list":
                 return handleListCredentials(deps, sessionKey, rest);
+            case "list-roles":
+                return handleListRoles(deps, sessionKey, rest);
+            case "get-role":
+                return handleGetRoleCredentials(ctx, deps, sessionKey, rest);
             case "fetch":
                 return handleFetch(ctx, deps, sessionKey, rest);
             case "set":
@@ -266,6 +280,16 @@ async function handleStatus(ctx, deps, sessionKey) {
     const result = await runStatus(deps, sessionKey, ctx.config);
     const lines = [];
     const now = Date.now();
+    // Show degraded banner when preflight detected config problems
+    if (pluginState.degraded && pluginState.failures.length > 0) {
+        lines.push("⚠️ **[DEGRADED] Plugin is running in degraded mode. Interception disabled.**");
+        lines.push("All login prompts and tool authorization checks are skipped until the following issues are resolved:");
+        lines.push("");
+        for (const f of pluginState.failures) {
+            lines.push(`• **${f.check}**: ${f.reason}`);
+        }
+        lines.push("");
+    }
     if (result.loggedIn) {
         lines.push(`✓ Logged in as \`${result.sub}\``);
         lines.push("");
@@ -334,13 +358,117 @@ async function handleLogout(deps, sessionKey) {
     await runLogout(deps, sessionKey);
     return { text: "✓ Logged out." };
 }
+/** Parse list-roles args: optional name filter. E.g. "list-roles", "list-roles github", "list-roles --name=foo". */
+function parseListRolesArgs(rest) {
+    const parts = rest.split(/\s+/).filter(Boolean);
+    const flags = {};
+    const positional = [];
+    for (const p of parts) {
+        if (p.startsWith("--")) {
+            const eq = p.indexOf("=");
+            if (eq > 2)
+                flags[p.slice(2, eq)] = p.slice(eq + 1);
+        }
+        else {
+            positional.push(p);
+        }
+    }
+    return {
+        name: flags.name || positional[0] || undefined,
+    };
+}
+async function handleListRoles(deps, sessionKey, rest) {
+    const { name } = parseListRolesArgs(rest);
+    const filter = name ? { name } : undefined;
+    const result = await runListRoleCredentials(deps, sessionKey, filter);
+    if (result.providers.length === 0) {
+        return {
+            text: "No role credential providers. Configure role providers in the control plane, or use `/identity list` for OAuth/API key providers.",
+        };
+    }
+    const lines = ["**Role credential providers (STS):**"];
+    for (const p of result.providers) {
+        const src = p.identitySource ? ` [${p.identitySource}]` : "";
+        lines.push(`• **${p.name}**${src}`);
+    }
+    lines.push("");
+    lines.push("Use `identity_get_role_credentials` tool to obtain STS credentials for a provider.");
+    return { text: lines.join("\n") };
+}
+/** Mask sensitive value: show prefix + suffix only. Returns full value when showSecrets is true. */
+function maskSecret(value, showSecrets) {
+    if (showSecrets)
+        return value;
+    if (!value || value.length <= 8)
+        return "***";
+    return `${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+/** Parse get-role args: provider name (required), optional --use-tip, --show-secrets. */
+function parseGetRoleArgs(rest) {
+    const parts = rest.split(/\s+/).filter(Boolean);
+    const flags = {};
+    const positional = [];
+    for (const p of parts) {
+        if (p.startsWith("--")) {
+            const eq = p.indexOf("=");
+            if (eq > 2)
+                flags[p.slice(2, eq)] = p.slice(eq + 1);
+            else
+                flags[p.slice(2)] = "true";
+        }
+        else {
+            positional.push(p);
+        }
+    }
+    const providerName = positional[0]?.trim();
+    if (!providerName) {
+        return {
+            error: "Usage: `/identity get-role <provider> [--use-tip] [--show-secrets]`\nExample: `/identity get-role test_for_workload_token`",
+        };
+    }
+    const useTip = flags["use-tip"] === "true" || flags.useTip === "true";
+    const showSecrets = flags["show-secrets"] === "true" || flags.showSecrets === "true";
+    return { providerName, useTip, showSecrets };
+}
+async function handleGetRoleCredentials(ctx, deps, sessionKey, rest) {
+    const parsed = parseGetRoleArgs(rest);
+    if ("error" in parsed)
+        return { text: parsed.error };
+    const result = await runGetRoleCredentials(deps, sessionKey, {
+        providerName: parsed.providerName,
+        useTip: parsed.useTip,
+        config: ctx.config,
+    });
+    if (result.kind === "error") {
+        return { text: `⚠️ ${result.message}` };
+    }
+    const c = result.credentials;
+    const showSecrets = parsed.showSecrets;
+    const lines = [
+        `✓ STS credentials for \`${parsed.providerName}\``,
+        "",
+        "**Credentials:**",
+        `• AccessKeyId: \`${maskSecret(c.AccessKeyId, showSecrets)}\``,
+        `• SecretAccessKey: \`${maskSecret(c.SecretAccessKey, showSecrets)}\``,
+        `• SessionToken: \`${maskSecret(c.SessionToken, showSecrets)}\``,
+    ];
+    if (c.Expiration)
+        lines.push(`• Expiration: ${c.Expiration}`);
+    if (showSecrets) {
+        lines.push("", "⚠️ **Sensitive values are visible.** Avoid sharing this output.");
+    }
+    else {
+        lines.push("", "Use `--show-secrets` to reveal full values (use with caution).");
+    }
+    return { text: lines.join("\n") };
+}
 async function handleListCredentials(deps, sessionKey, rest) {
-    const { page, name, flow } = parseListArgs(rest);
-    const filter = name || flow ? { name, flow } : undefined;
+    const { page, name, flow, type } = parseListArgs(rest);
+    const filter = name || flow || type ? { name, flow, type } : undefined;
     const result = await runListCredentials(deps, sessionKey, page, filter);
     const lines = [];
     if (result.providers.length > 0) {
-        lines.push(`**Available (page ${result.page}):**`);
+        lines.push(`**Providers (page ${result.page}):**`);
         for (const p of result.providers) {
             const bind = p.binding ? ` → \`${p.binding}\`` : "";
             lines.push(`• **${p.name}** (${p.type}): ${p.status}${bind}`);
@@ -361,7 +489,7 @@ async function handleListCredentials(deps, sessionKey, rest) {
         };
     }
     const footer = [];
-    footer.push("Use `/identity set <provider> <envVar>` to bind.");
+    footer.push("Use `/identity set <provider> <envVar>` to bind, or `/identity fetch <provider>` to add credentials.");
     if (result.hasMore) {
         footer.push(`\`/identity list ${result.page + 1}\` to load more.`);
     }