@m1a0rz/agent-identity 0.4.0 → 0.4.2

package/dist/src/tools/identity-config-suggest.d.ts

@@ -1,3 +1,4 @@
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 declare const INTENTS: {
     readonly identity: {
         readonly label: "Identity API (AK/SK, endpoint)";
@@ -96,18 +97,6 @@ declare const INTENTS: {
     };
 };
 export type ConfigSuggestIntent = keyof typeof INTENTS;
-export declare function createIdentityConfigSuggestTool(): () => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        intent: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        lang: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-    }>;
-    execute: (_toolCallId: string, params: {
-        intent?: ConfigSuggestIntent;
-        lang?: "en" | "zh";
-    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityConfigSuggestTool(): () => AnyAgentTool;
 export {};
 //# sourceMappingURL=identity-config-suggest.d.ts.map

package/dist/src/tools/identity-config-suggest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAwDA,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B;;;;;;;;2BAoB5B,MAAM,UACX;QAAE,MAAM,CAAC,EAAE,mBAAmB,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,CAAA;KAAE;EA2BjE"}
+{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAuBA,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAiC/D,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B,UAClC,YAAY,CA+CxB"}

package/dist/src/tools/identity-config.d.ts

@@ -2,12 +2,7 @@
  * identity_config: show identity plugin configuration (redacted).
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-config.d.ts.map

package/dist/src/tools/identity-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB;;;;;;EAUhC"}
+{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB,KAAG,YAAY,CAU/C"}

package/dist/src/tools/identity-fetch.d.ts

@@ -4,18 +4,7 @@
  * When returnValue is true and fetch succeeds, returns the credential value for same-turn automation.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-        flow: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnsafe<"oauth2-user" | "oauth2-m2m" | "apikey">>;
-        redirectUrl: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        scopes: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>>;
-        returnValue: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TBoolean>;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-fetch.d.ts.map

package/dist/src/tools/identity-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;;;;;;;EA8D/B"}
+{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAsB,MAAM,qBAAqB,CAAC;AAEvE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CA8D9C"}

package/dist/src/tools/identity-fetch.js

@@ -19,16 +19,16 @@ import { jsonResult } from "openclaw/plugin-sdk";
 import { runFetch } from "../actions/identity-actions.js";
 import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
-const FETCH_FLOWS = ["oauth2-user", "oauth2-m2m", "apikey"];
+const FETCH_FLOWS = ["oauth2-user", "oauth2-m2m", "apikey", "user"];
 export function createIdentityFetchTool(deps) {
     return (ctx) => ({
         name: "identity_fetch",
         label: "Identity Fetch Credential",
-        description: "Add credential for a provider. OAuth2-user returns auth URL to open; apikey/oauth2-m2m complete immediately. Set returnValue=true to receive the credential value for same-turn automation (use with care: value may appear in logs).",
+        description: "Add credential for a provider. OAuth2-user returns auth URL to open; apikey/oauth2-m2m/user complete immediately. Set returnValue=true to receive the credential value for same-turn automation (use with care: value may appear in logs).",
         parameters: Type.Object({
             provider: Type.String({ description: "Provider name (e.g. google, openai)" }),
             flow: Type.Optional(optionalStringEnum(FETCH_FLOWS, {
-                description: "oauth2-user (default for 3LO), oauth2-m2m, apikey",
+                description: "oauth2-user (default for 3LO), oauth2-m2m, apikey, user",
             })),
             redirectUrl: Type.Optional(Type.String()),
             scopes: Type.Optional(Type.Array(Type.String())),

package/dist/src/tools/identity-get-role-credentials.d.ts

@@ -0,0 +1,10 @@
+/**
+ * identity_get_role_credentials: obtain STS temporary credentials via a role credential provider.
+ * Skills that need IAM Role access call this tool to get AK/SK/SessionToken,
+ * then use them for downstream API requests.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetRoleCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-role-credentials.d.ts.map

package/dist/src/tools/identity-get-role-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-role-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-role-credentials.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,mBAAmB,IACpE,KAAK,iBAAiB,KAAG,YAAY,CAsC9C"}

package/dist/src/tools/identity-get-role-credentials.js

@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetRoleCredentials } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetRoleCredentialsTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_role_credentials",
+        label: "Identity Get Role Credentials",
+        description: "Obtain temporary STS credentials (AccessKeyId, SecretAccessKey, SessionToken) " +
+            "via a role credential provider. Use when a skill or tool needs IAM Role access " +
+            "to call cloud APIs. By default uses the user session token (id_token); " +
+            "set useTip=true to use the TIP token instead.",
+        parameters: Type.Object({
+            providerName: Type.String({
+                description: "Role credential provider name configured in the control plane.",
+            }),
+            useTip: Type.Optional(Type.Boolean({
+                description: "When true, use TIP token as identity token instead of user session token. Default false.",
+            })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", success: false });
+            }
+            const p = params;
+            const result = await runGetRoleCredentials(deps, sessionKey, {
+                providerName: p.providerName,
+                useTip: p.useTip ?? false,
+                config: ctx.config,
+            });
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                credentials: result.credentials,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-get-session-token.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_get_session_token: obtain the OIDC id_token (session / user token) for the current session.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetSessionTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-session-token.d.ts.map

package/dist/src/tools/identity-get-session-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-session-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-session-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-session-token.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetSessionToken } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetSessionTokenTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_session_token",
+        label: "Identity Get Session Token",
+        description: "Obtain the OIDC id_token stored for this session (UserPool / session identity token). " +
+            "Use when a skill needs the end-user JWT instead of the TIP workload token. " +
+            "The value is sensitive; do not print it in chat.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "No session context" });
+            }
+            const result = await runGetSessionToken(deps, sessionKey);
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                sessionIdToken: result.sessionIdToken,
+                sub: result.sub,
+                loginAt: result.loginAt,
+                expiresAt: result.expiresAt,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-get-tip-token.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_get_tip_token: obtain the workload TIP JWT for the current session.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetTipTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-tip-token.d.ts.map

package/dist/src/tools/identity-get-tip-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-tip-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-tip-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,mBAAmB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-tip-token.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetTipToken } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetTipTokenTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_tip_token",
+        label: "Identity Get TIP Token",
+        description: "Obtain the Trusted Identity Provider (TIP) JWT for this session. " +
+            "Use when a skill needs the workload token for downstream APIs. " +
+            "The value is sensitive; do not print it in chat.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "No session context" });
+            }
+            const result = await runGetTipToken(deps, sessionKey, ctx.config);
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                tipToken: result.tipToken,
+                sub: result.sub,
+                issuedAt: result.issuedAt,
+                expiresAt: result.expiresAt,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-credentials.d.ts

@@ -2,16 +2,7 @@
  * identity_list_credentials: list credential providers and stored credentials (paginated).
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        page: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TNumber>;
-        name: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        flow: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-credentials.d.ts.map

package/dist/src/tools/identity-list-credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB;;;;;;;;;;EAyB/B"}
+{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-list-credentials.js

@@ -21,19 +21,20 @@ export function createIdentityListCredentialsTool(deps) {
     return (ctx) => ({
         name: "identity_list_credentials",
         label: "Identity List Credentials",
-        description: "List credential providers and stored credentials. Supports filtering by name or flow to locate a specific provider without paging through all results.",
+        description: "List credential providers (OAuth/API key) and stored credentials. Use identity_list_roles for role credential providers (STS).",
         parameters: Type.Object({
             page: Type.Optional(Type.Number({ minimum: 1, default: 1 })),
             name: Type.Optional(Type.String({ description: "Filter providers by name (exact or prefix match)." })),
             flow: Type.Optional(Type.String({ description: "Filter providers by flow, e.g. 'M2M' or 'USER_FEDERATION'." })),
+            type: Type.Optional(Type.String({ description: "Filter credential providers by type, e.g. 'api_key' or 'oauth2'." })),
         }),
         execute: async (_toolCallId, params) => {
             const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
             if (!sessionKey) {
                 return jsonResult({ error: "No session context", providers: [], storedOnly: [] });
             }
-            const { page, name, flow } = params;
-            const filter = name || flow ? { name, flow } : undefined;
+            const { page, name, flow, type } = params;
+            const filter = name || flow || type ? { name, flow, type } : undefined;
             const result = await runListCredentials(deps, sessionKey, page ?? 1, filter);
             return jsonResult({
                 providers: result.providers,

package/dist/src/tools/identity-list-risk-patterns.d.ts

@@ -3,11 +3,6 @@
  * Use to understand what the plugin considers high-risk before running commands.
  */
 import type { PluginToolContext } from "../types.js";
-export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-risk-patterns.d.ts.map

package/dist/src/tools/identity-list-risk-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAKrD,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB;;;;;;EAehC"}
+{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAG/D,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB,KAAG,YAAY,CAe/C"}

package/dist/src/tools/identity-list-roles.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_list_roles: list role credential providers (STS).
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityListRolesTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-list-roles.d.ts.map

package/dist/src/tools/identity-list-roles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-list-roles.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-roles.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,mBAAmB,IAC3D,KAAK,iBAAiB,KAAG,YAAY,CAsB9C"}

package/dist/src/tools/identity-list-roles.js

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runListRoleCredentials } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityListRolesTool(deps) {
+    return (ctx) => ({
+        name: "identity_list_roles",
+        label: "Identity List Roles",
+        description: "List role credential providers (STS). Use identity_get_role_credentials to obtain credentials for a provider.",
+        parameters: Type.Object({
+            name: Type.Optional(Type.String({ description: "Filter providers by name (prefix match)." })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", providers: [] });
+            }
+            const { name } = params;
+            const filter = name ? { name } : undefined;
+            const result = await runListRoleCredentials(deps, sessionKey, filter);
+            return jsonResult({
+                providers: result.providers,
+                page: result.page,
+                hasMore: result.hasMore,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-tips.d.ts

@@ -2,12 +2,7 @@
  * identity_list_tips: list valid TIP tokens and env bindings.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityListTipsTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityListTipsTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-tips.d.ts.map

package/dist/src/tools/identity-list-tips.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-tips.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-tips.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,mBAAmB,IAC1D,MAAM,iBAAiB;;;;;;EAahC"}
+{"version":3,"file":"identity-list-tips.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-tips.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,mBAAmB,IAC1D,MAAM,iBAAiB,KAAG,YAAY,CAa/C"}

package/dist/src/tools/identity-login.d.ts

@@ -3,12 +3,7 @@
  * Returns auth URL when login needed; tools don't have deliveryTarget so callback falls back to sessionKey.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityLoginTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityLoginTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-login.d.ts.map

package/dist/src/tools/identity-login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-login.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-login.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;EAiC/B"}
+{"version":3,"file":"identity-login.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-login.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CAiC9C"}

package/dist/src/tools/identity-logout.d.ts

@@ -2,12 +2,7 @@
  * identity_logout: clear session and TIP for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityLogoutTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityLogoutTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-logout.d.ts.map

package/dist/src/tools/identity-logout.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-logout.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-logout.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAgB/B"}
+{"version":3,"file":"identity-logout.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-logout.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB,KAAG,YAAY,CAgB9C"}

package/dist/src/tools/identity-risk-check.d.ts

@@ -2,8 +2,8 @@
  * identity_risk_check: diagnose risk for a command or tool call without executing.
  * Use before running exec/write to see if it would require approval.
  */
-import type { PluginToolContext } from "../types.js";
-import type { PluginConfig } from "../types.js";
+import type { PluginToolContext, PluginConfig } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 export type IdentityRiskCheckDeps = {
     pluginConfig: PluginConfig;
     logger?: {
@@ -11,19 +11,5 @@ export type IdentityRiskCheckDeps = {
         warn?: (msg: string) => void;
     };
 };
-export declare function createIdentityRiskCheckTool(deps: IdentityRiskCheckDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        command: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        toolName: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        params: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TRecord<import("@sinclair/typebox").TString, import("@sinclair/typebox").TUnknown>>;
-    }>;
-    execute: (_toolCallId: string, params: {
-        command?: string;
-        toolName?: string;
-        params?: Record<string, unknown>;
-    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityRiskCheckTool(deps: IdentityRiskCheckDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-risk-check.d.ts.map

package/dist/src/tools/identity-risk-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-risk-check.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-risk-check.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,MAAM,qBAAqB,GAAG;IAClC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,qBAAqB,IAC7D,MAAM,iBAAiB;;;;;;;;;2BAuBd,MAAM,UACX;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE;EAuCtF"}
+{"version":3,"file":"identity-risk-check.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-risk-check.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAG/D,MAAM,MAAM,qBAAqB,GAAG;IAClC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,qBAAqB,IAC7D,MAAM,iBAAiB,KAAG,YAAY,CA+D/C"}

package/dist/src/tools/identity-set-binding.d.ts

@@ -2,15 +2,7 @@
  * identity_set_binding: bind a credential provider to an env var for tool injection.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentitySetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-        envVar: import("@sinclair/typebox").TString;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentitySetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-set-binding.d.ts.map

package/dist/src/tools/identity-set-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-set-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-set-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAC5D,KAAK,iBAAiB;;;;;;;;;EAwB/B"}
+{"version":3,"file":"identity-set-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-set-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAC5D,KAAK,iBAAiB,KAAG,YAAY,CAwB9C"}

package/dist/src/tools/identity-status.d.ts

@@ -2,12 +2,7 @@
  * identity_status: return login status, credentials, and env bindings for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityStatusTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityStatusTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-status.d.ts.map

package/dist/src/tools/identity-status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-status.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-status.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAiC/B"}
+{"version":3,"file":"identity-status.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-status.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB,KAAG,YAAY,CAiC9C"}

package/dist/src/tools/identity-unset-binding.d.ts

@@ -2,14 +2,7 @@
  * identity_unset_binding: remove credential env binding.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityUnsetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityUnsetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-unset-binding.d.ts.map

package/dist/src/tools/identity-unset-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-unset-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-unset-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,mBAAmB,IAC9D,KAAK,iBAAiB;;;;;;;;EAiB/B"}
+{"version":3,"file":"identity-unset-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-unset-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,mBAAmB,IAC9D,KAAK,iBAAiB,KAAG,YAAY,CAiB9C"}

package/dist/src/tools/identity-whoami.d.ts

@@ -2,12 +2,7 @@
  * identity_whoami: return current session identity (sub, TIP status) for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityWhoamiTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityWhoamiTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-whoami.d.ts.map