@m1a0rz/agent-identity 0.4.1 → 0.4.2

package/dist/src/services/identity-credentials.d.ts

@@ -15,7 +15,7 @@ export type LoadCredentialsOptions = {
 };
 /**
  * Load credentials from config, env, remote metadata, or file (veadk-style).
- * Order: explicit > env > remote metadata (credentialsMetadataUrl + roleTrn) > file.
+ * Order: explicit > env > remote metadata (credentialsMetadataUrl, optional roleTrn) > file.
  * Returns resolved credentials or throws if none found.
  */
 export declare function loadIdentityCredentials(opts?: LoadCredentialsOptions): Promise<IdentityCredentials>;

package/dist/src/services/identity-credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-credentials.d.ts","sourceRoot":"","sources":["../../../src/services/identity-credentials.ts"],"names":[],"mappings":"AAgCA,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AASF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kHAAkH;IAClH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;CACrC,CAAC;AA0DF;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,mBAAmB,CAAC,CA0D9B"}
+{"version":3,"file":"identity-credentials.d.ts","sourceRoot":"","sources":["../../../src/services/identity-credentials.ts"],"names":[],"mappings":"AAgCA,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AASF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kHAAkH;IAClH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;CACrC,CAAC;AAoEF;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,mBAAmB,CAAC,CAgE9B"}

package/dist/src/services/identity-credentials.js

@@ -34,12 +34,11 @@ const DEFAULT_CRED_PATH = "/var/run/secrets/iam/credential";
 const ENV_ROLE_TRN = "RUNTIME_IAM_ROLE_TRN";
 const REMOTE_METADATA_REFRESH_BUFFER_SEC = 300;
 /**
- * Fetch credentials from remote metadata URL (full URL), then AssumeRole with roleTrn.
- * Returns null on 404 or parse failure (fall through).
- * Caches AssumeRole result by ExpiredTime, same as AK/SK + roleTrn flow.
+ * Fetch credentials from remote metadata URL (e.g. ECS instance metadata).
+ * Returns the raw AK/SK/Token from the response, or null on failure.
  */
-async function fetchRemoteMetadataThenAssumeRole(fullUrl, roleTrn) {
-    stsDebugLog("metadata fetch", { url: fullUrl, roleTrn });
+async function fetchRemoteMetadata(fullUrl) {
+    stsDebugLog("metadata fetch", { url: fullUrl });
     let res;
     try {
         res = await fetch(fullUrl);
@@ -62,18 +61,27 @@ async function fetchRemoteMetadataThenAssumeRole(fullUrl, roleTrn) {
     const ak = json.AccessKeyId;
     const sk = json.SecretAccessKey;
     const token = json.SessionToken;
-    if (!ak || !sk || !token)
+    if (!ak || !sk)
         return null;
-    const intermediateCreds = {
+    return {
         accessKeyId: ak.trim(),
         secretAccessKey: sk.trim(),
-        sessionToken: token.trim(),
+        sessionToken: token ? token.trim() : undefined,
     };
+}
+/**
+ * Fetch credentials from remote metadata URL, then AssumeRole with roleTrn.
+ * Returns null on 404 or parse failure (fall through).
+ */
+async function fetchRemoteMetadataThenAssumeRole(fullUrl, roleTrn) {
+    const creds = await fetchRemoteMetadata(fullUrl);
+    if (!creds)
+        return null;
     stsDebugLog("metadata creds ok, calling AssumeRole", { roleTrn });
     return assumeRole({
-        accessKeyId: intermediateCreds.accessKeyId,
-        secretAccessKey: intermediateCreds.secretAccessKey,
-        sessionToken: intermediateCreds.sessionToken,
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
         roleTrn,
         region: "cn-beijing",
         cacheKey: `metadata:${fullUrl}:${roleTrn}`,
@@ -81,7 +89,7 @@ async function fetchRemoteMetadataThenAssumeRole(fullUrl, roleTrn) {
 }
 /**
  * Load credentials from config, env, remote metadata, or file (veadk-style).
- * Order: explicit > env > remote metadata (credentialsMetadataUrl + roleTrn) > file.
+ * Order: explicit > env > remote metadata (credentialsMetadataUrl, optional roleTrn) > file.
  * Returns resolved credentials or throws if none found.
  */
 export async function loadIdentityCredentials(opts = {}) {
@@ -111,10 +119,18 @@ export async function loadIdentityCredentials(opts = {}) {
             };
         }
     }
-    if (opts.credentialsMetadataUrl && opts.roleTrn) {
-        const cred = await fetchRemoteMetadataThenAssumeRole(opts.credentialsMetadataUrl, opts.roleTrn);
-        if (cred)
-            return cred;
+    if (opts.credentialsMetadataUrl) {
+        if (opts.roleTrn) {
+            const cred = await fetchRemoteMetadataThenAssumeRole(opts.credentialsMetadataUrl, opts.roleTrn);
+            if (cred)
+                return cred;
+        }
+        else {
+            // Use metadata credentials directly (e.g. ECS instance role already bound)
+            const cred = await fetchRemoteMetadata(opts.credentialsMetadataUrl);
+            if (cred)
+                return cred;
+        }
     }
     const credPath = opts.credentialsFile ?? process.env[ENV_CRED_FILE] ?? DEFAULT_CRED_PATH;
     const resolvedPath = resolvePath(credPath);

package/dist/src/services/oidc-client.d.ts

@@ -21,6 +21,10 @@ export declare function buildAuthorizationUrl(params: {
     codeChallenge?: string;
     codeChallengeMethod?: string;
     nonce?: string;
+    /** Relay URI passed as redirect_relay_uri (same value as redirectUri). */
+    redirectRelayUri?: string;
+    /** Identity provider name passed as identity_provider query param. */
+    identityProvider?: string;
 }): string;
 /** Generate PKCE code_verifier and code_challenge (S256). */
 export declare function generatePKCE(): Promise<{
@@ -72,5 +76,12 @@ export declare function refreshAccessToken(params: {
     refresh_token?: string;
     expires_in?: number;
 }>;
-export declare function generateState(): Promise<string>;
+/**
+ * Generate an opaque OIDC state value encoded as base64url(JSON).
+ * The JSON payload carries a random nonce for CSRF protection and an
+ * optional `target` (workload name) for the IdP to route back correctly.
+ */
+export declare function generateState(params?: {
+    target?: string;
+}): Promise<string>;
 //# sourceMappingURL=oidc-client.d.ts.map

package/dist/src/services/oidc-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AA4BA,uFAAuF;AACvF,eAAO,MAAM,kBAAkB,wCAAwC,CAAC;AAaxE,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,MAAM,CA8BT;AAED,6DAA6D;AAC7D,wBAAsB,YAAY,IAAI,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,CAAC,CAK7F;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA0B7F;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}
+{"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AA4BA,uFAAuF;AACvF,eAAO,MAAM,kBAAkB,wCAAwC,CAAC;AAaxE,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GAAG,MAAM,CAsCT;AAED,6DAA6D;AAC7D,wBAAsB,YAAY,IAAI,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,CAAC,CAK7F;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA0B7F;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,MAAM,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CASjF"}

package/dist/src/services/oidc-client.js

@@ -57,7 +57,7 @@ export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
     }
 }
 export function buildAuthorizationUrl(params) {
-    const { authorizationEndpoint, clientId, redirectUri, scope = DEFAULT_OIDC_SCOPE, state, responseType = "code", codeChallenge, codeChallengeMethod, nonce, } = params;
+    const { authorizationEndpoint, clientId, redirectUri, scope = DEFAULT_OIDC_SCOPE, state, responseType = "code", codeChallenge, codeChallengeMethod, nonce, redirectRelayUri, identityProvider, } = params;
     const search = new URLSearchParams({
         response_type: responseType,
         client_id: clientId,
@@ -72,6 +72,12 @@ export function buildAuthorizationUrl(params) {
     if (nonce) {
         search.set("nonce", nonce);
     }
+    if (redirectRelayUri) {
+        search.set("redirect_relay_uri", redirectRelayUri);
+    }
+    if (identityProvider) {
+        search.set("identity_provider", identityProvider);
+    }
     const sep = authorizationEndpoint.includes("?") ? "&" : "?";
     return `${authorizationEndpoint}${sep}${search.toString()}`;
 }
@@ -192,7 +198,18 @@ export async function refreshAccessToken(params) {
         expires_in: typeof data.expires_in === "number" ? data.expires_in : undefined,
     };
 }
-export async function generateState() {
+/**
+ * Generate an opaque OIDC state value encoded as base64url(JSON).
+ * The JSON payload carries a random nonce for CSRF protection and an
+ * optional `target` (workload name) for the IdP to route back correctly.
+ */
+export async function generateState(params) {
     const { randomBytes } = await import("node:crypto");
-    return randomBytes(32).toString("base64url");
+    const payload = {
+        nonce: randomBytes(32).toString("base64url"),
+    };
+    if (params?.target) {
+        payload.target = params.target;
+    }
+    return Buffer.from(JSON.stringify(payload)).toString("base64url");
 }

package/dist/src/services/session-refresh.d.ts

@@ -1,8 +1,18 @@
+/**
+ * Session token refresh: when userToken expires, use refresh_token to get new tokens.
+ * Used by before_agent_start when GetWorkloadAccessTokenForJWT fails with "token has expired".
+ */
+import type { SessionEntry } from "../store/session-store.js";
 export type OIDCConfigForRefresh = {
     discoveryUrl: string;
     clientId: string;
     clientSecret?: string;
 };
+/**
+ * Get session, refreshing userToken proactively when it is expiring or expired and refreshToken exists.
+ * When getOidcConfigForRefresh is omitted, behaves like getSession.
+ */
+export declare function getSessionWithRefresh(storeDir: string, sessionKey: string, getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>): Promise<SessionEntry | null>;
 /**
  * Refresh session userToken using refresh_token grant.
  * Updates session with new userToken (and rotated refresh_token if returned).

package/dist/src/services/session-refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/session-refresh.ts"],"names":[],"mappings":"AAwBA,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,GACjD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAsCxB"}
+{"version":3,"file":"session-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/session-refresh.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAI9D,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAUF;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,GAC5D,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAqB9B;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,GACjD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA0CxB"}

package/dist/src/services/session-refresh.js

@@ -13,12 +13,35 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-/**
- * Session token refresh: when userToken expires, use refresh_token to get new tokens.
- * Used by before_agent_start when GetWorkloadAccessTokenForJWT fails with "token has expired".
- */
 import { getSession, setSession } from "../store/session-store.js";
 import { fetchOIDCDiscovery, refreshAccessToken, verifyIdToken } from "./oidc-client.js";
+/** Default threshold: refresh when token expires within 5 minutes. */
+const REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
+function isExpiringOrExpired(entry) {
+    if (!entry.expiresAt)
+        return false;
+    return entry.expiresAt - Date.now() < REFRESH_THRESHOLD_MS;
+}
+/**
+ * Get session, refreshing userToken proactively when it is expiring or expired and refreshToken exists.
+ * When getOidcConfigForRefresh is omitted, behaves like getSession.
+ */
+export async function getSessionWithRefresh(storeDir, sessionKey, getOidcConfigForRefresh) {
+    const session = await getSession(storeDir, sessionKey);
+    if (!session)
+        return null;
+    if (!getOidcConfigForRefresh ||
+        !session.refreshToken ||
+        !isExpiringOrExpired(session)) {
+        return session;
+    }
+    const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
+    if (!refreshed) {
+        console.warn(`[agent-identity] getSessionWithRefresh: refresh failed, returning existing session for key=${sessionKey.slice(0, 36)}...`);
+        return session;
+    }
+    return getSession(storeDir, sessionKey);
+}
 /**
  * Refresh session userToken using refresh_token grant.
  * Updates session with new userToken (and rotated refresh_token if returned).
@@ -56,7 +79,8 @@ export async function refreshSessionUserToken(storeDir, sessionKey, getOidcConfi
         });
         return userToken;
     }
-    catch {
+    catch (err) {
+        console.warn(`[agent-identity] refreshSessionUserToken failed for key=${sessionKey.slice(0, 36)}...:`, err instanceof Error ? err.message : String(err));
         return null;
     }
 }

package/dist/src/services/skill-contract-metadata.d.ts

@@ -0,0 +1,35 @@
+export type CredentialBinding = {
+    type: "sts";
+    provider: string;
+    useTip?: boolean;
+    /** [AK env, SK env, SessionToken env] */
+    env?: [string, string, string];
+    required?: boolean;
+} | {
+    type: "apikey";
+    provider: string;
+    env: string;
+    required?: boolean;
+} | {
+    type: "oauth";
+    provider: string;
+    flow?: "oauth2-user" | "oauth2-m2m";
+    env: string;
+    required?: boolean;
+} | {
+    /** Workload TIP JWT from identity_get_tip_token. */
+    type: "tip";
+    env: string;
+    required?: boolean;
+} | {
+    /** OIDC id_token (session / user token) from identity_get_session_token. */
+    type: "user";
+    env: string;
+    required?: boolean;
+};
+/**
+ * Parse frontmatter from SKILL.md content and extract credential bindings.
+ * Returns undefined if metadata is missing or identity bindings are empty.
+ */
+export declare function parseIdentityBindingsFromSkillContent(content: string): CredentialBinding[] | undefined;
+//# sourceMappingURL=skill-contract-metadata.d.ts.map

package/dist/src/services/skill-contract-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-contract-metadata.d.ts","sourceRoot":"","sources":["../../../src/services/skill-contract-metadata.ts"],"names":[],"mappings":"AA0BA,MAAM,MAAM,iBAAiB,GACzB;IACE,IAAI,EAAE,KAAK,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,GACD;IACE,IAAI,EAAE,QAAQ,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,GACD;IACE,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,aAAa,GAAG,YAAY,CAAC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,GACD;IACE,oDAAoD;IACpD,IAAI,EAAE,KAAK,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,GACD;IACE,4EAA4E;IAC5E,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAiFN;;;GAGG;AACH,wBAAgB,qCAAqC,CACnD,OAAO,EAAE,MAAM,GACd,iBAAiB,EAAE,GAAG,SAAS,CAWjC"}

package/dist/src/services/skill-contract-metadata.js

@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Parse openclaw.identity from SKILL.md frontmatter metadata.
+ * Uses same approach as OpenClaw: extract block + YAML.parse, then resolve metadata.
+ * Supports metadata as JSON5 string or YAML-parsed object.
+ * identity can be a direct array or identity.bindings for backward compat.
+ */
+import YAML from "yaml";
+import JSON5 from "json5";
+const DEFAULT_ROLE_STS_ENV = [
+    "VOLCENGINE_ACCESS_KEY",
+    "VOLCENGINE_SECRET_KEY",
+    "VOLCENGINE_SESSION_TOKEN",
+];
+function getMetadataObject(frontmatter) {
+    const raw = frontmatter.metadata;
+    if (typeof raw === "string") {
+        try {
+            const parsed = JSON5.parse(raw);
+            return parsed && typeof parsed === "object" ? parsed : undefined;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    if (raw && typeof raw === "object") {
+        return raw;
+    }
+    return undefined;
+}
+function extractIdentityBindings(metadataObj) {
+    const openclaw = metadataObj.openclaw;
+    if (!openclaw || typeof openclaw !== "object")
+        return undefined;
+    const identity = openclaw.identity;
+    if (Array.isArray(identity)) {
+        return identity.filter(isValidCredentialBinding);
+    }
+    if (identity && typeof identity === "object") {
+        const bindings = identity.bindings;
+        if (Array.isArray(bindings)) {
+            return bindings.filter(isValidCredentialBinding);
+        }
+    }
+    return undefined;
+}
+function isValidCredentialBinding(x) {
+    if (!x || typeof x !== "object")
+        return false;
+    const o = x;
+    const type = o.type;
+    if (type === "tip" || type === "user") {
+        return typeof o.env === "string" && Boolean(o.env.trim());
+    }
+    if (type !== "sts" && type !== "apikey" && type !== "oauth")
+        return false;
+    if (typeof o.provider !== "string" || !o.provider.trim())
+        return false;
+    if (type === "sts") {
+        if (o.env != null && !Array.isArray(o.env))
+            return false;
+        if (Array.isArray(o.env) && o.env.length !== 3)
+            return false;
+    }
+    else {
+        if (typeof o.env !== "string" || !o.env.trim())
+            return false;
+    }
+    return true;
+}
+function normalizeBinding(b) {
+    if (b.type === "tip" || b.type === "user") {
+        return { ...b, required: b.required ?? false };
+    }
+    if (b.type === "sts") {
+        const env = Array.isArray(b.env) && b.env.length === 3
+            ? b.env
+            : DEFAULT_ROLE_STS_ENV;
+        return {
+            type: "sts",
+            provider: b.provider,
+            useTip: b.useTip ?? true,
+            env,
+            required: b.required ?? false,
+        };
+    }
+    return {
+        ...b,
+        required: b.required ?? false,
+    };
+}
+/**
+ * Parse frontmatter from SKILL.md content and extract credential bindings.
+ * Returns undefined if metadata is missing or identity bindings are empty.
+ */
+export function parseIdentityBindingsFromSkillContent(content) {
+    const frontmatter = parseFrontmatter(content);
+    if (!frontmatter)
+        return undefined;
+    const metadataObj = getMetadataObject(frontmatter);
+    if (!metadataObj)
+        return undefined;
+    const bindings = extractIdentityBindings(metadataObj);
+    if (!bindings || bindings.length === 0)
+        return undefined;
+    return bindings.map(normalizeBinding);
+}
+/** Extract frontmatter block between --- delimiters (same as OpenClaw markdown/frontmatter). */
+function extractFrontmatterBlock(content) {
+    const normalized = content.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+    if (!normalized.startsWith("---"))
+        return undefined;
+    const endIndex = normalized.indexOf("\n---", 3);
+    if (endIndex === -1)
+        return undefined;
+    return normalized.slice(4, endIndex);
+}
+function parseFrontmatter(content) {
+    const block = extractFrontmatterBlock(content);
+    if (!block)
+        return undefined;
+    try {
+        const parsed = YAML.parse(block, { schema: "core" });
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? parsed
+            : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}

package/dist/src/services/skill-contract-renderer.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Render Identity Credential Runtime Contract from credential bindings,
+ * and patch toolResult messages with the rendered contract section.
+ */
+import type { CredentialBinding } from "./skill-contract-metadata.js";
+export declare function renderContractSection(bindings: CredentialBinding[]): string;
+type AgentMessage = {
+    role?: string;
+    content?: unknown;
+    [k: string]: unknown;
+};
+export declare function patchToolResultContent(message: AgentMessage, contractText: string): AgentMessage;
+export {};
+//# sourceMappingURL=skill-contract-renderer.d.ts.map

package/dist/src/services/skill-contract-renderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-contract-renderer.d.ts","sourceRoot":"","sources":["../../../src/services/skill-contract-renderer.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAMtE,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,MAAM,CAwF3E;AAID,KAAK,YAAY,GAAG;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CACtB,CAAC;AAEF,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,YAAY,EACrB,YAAY,EAAE,MAAM,GACnB,YAAY,CAgCd"}

package/dist/src/services/skill-contract-renderer.js

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const CONTRACT_MARKER = "<!-- identity-contract-injected -->";
+// ─── Render contract text from bindings ──────────────────────────────
+export function renderContractSection(bindings) {
+    if (!bindings.length)
+        return "";
+    const roleStsLines = [];
+    const apikeyLines = [];
+    const oauthLines = [];
+    const tipLines = [];
+    const userSessionLines = [];
+    for (const b of bindings) {
+        if (b.type === "sts") {
+            const [ak, sk, st] = b.env ?? [
+                "VOLCENGINE_ACCESS_KEY",
+                "VOLCENGINE_SECRET_KEY",
+                "VOLCENGINE_SESSION_TOKEN",
+            ];
+            roleStsLines.push(`- Call \`identity_get_role_credentials(provider="${b.provider}", useTip=${b.useTip ?? true})\`.`, `  Map result fields to env: \`credentials.AccessKeyId\` -> \`${ak}\`, \`credentials.SecretAccessKey\` -> \`${sk}\`, \`credentials.SessionToken\` -> \`${st}\`.`, b.required ? `  Required: if fetch fails, do not continue with private API calls.` : "");
+        }
+        else if (b.type === "apikey") {
+            apikeyLines.push(`- Call \`identity_fetch(provider="${b.provider}", flow="apikey", returnValue=true)\`.`, `  Map returned value to env: \`${b.env}\`.`, b.required ? `  Required: if fetch fails, do not continue.` : "");
+        }
+        else if (b.type === "oauth") {
+            const flow = b.flow ?? "oauth2-user";
+            oauthLines.push(`- Call \`identity_fetch(provider="${b.provider}", flow="${flow}", returnValue=true)\`.`, `  Map access token to env: \`${b.env}\`.`, b.required ? `  Required: if fetch fails, do not continue.` : "");
+        }
+        else if (b.type === "tip") {
+            tipLines.push(`- Call \`identity_get_tip_token()\`.`, `  Map result field \`tipToken\` to env: \`${b.env}\`.`, b.required ? `  Required: if the call fails, do not continue with private API calls.` : "");
+        }
+        else if (b.type === "user") {
+            userSessionLines.push(`- Call \`identity_get_session_token()\`.`, `  Map result field \`sessionIdToken\` (OIDC id_token) to env: \`${b.env}\`.`, b.required ? `  Required: if the call fails, do not continue.` : "");
+        }
+    }
+    const sections = [];
+    if (roleStsLines.length) {
+        sections.push("**Role STS**\n" + roleStsLines.filter(Boolean).join("\n"));
+    }
+    if (apikeyLines.length) {
+        sections.push("**API Key**\n" + apikeyLines.filter(Boolean).join("\n"));
+    }
+    if (oauthLines.length) {
+        sections.push("**OAuth**\n" + oauthLines.filter(Boolean).join("\n"));
+    }
+    if (tipLines.length) {
+        sections.push("**TIP (workload token)**\n" + tipLines.filter(Boolean).join("\n"));
+    }
+    if (userSessionLines.length) {
+        sections.push("**User session (OIDC id_token)**\n" + userSessionLines.filter(Boolean).join("\n"));
+    }
+    const executionFlow = sections.length
+        ? sections.join("\n\n")
+        : "No credential bindings.";
+    return `${CONTRACT_MARKER}
+
+## Identity Credential Runtime Contract
+
+### Agent Rules
+- Before any private API operation requiring credentials, call the identity tools as specified below.
+- Never ask users to provide credentials manually.
+- Never print credential values (AccessKeyId, SecretAccessKey, SessionToken, tokens) in chat output.
+- Never put secrets directly into command strings.
+
+### Execution Flow
+${executionFlow}
+
+### Failure Handling
+- If a required credential fetch fails, do not continue with private API calls.
+- If the execution tool does not support secure env injection, stop and report unsupported secure runtime.
+`;
+}
+export function patchToolResultContent(message, contractText) {
+    if (message.role !== "toolResult")
+        return message;
+    const content = message.content;
+    if (content == null)
+        return message;
+    const existingText = extractTextFromContent(content);
+    if (existingText && existingText.includes(CONTRACT_MARKER))
+        return message;
+    const suffix = `\n\n---\n\n${contractText}`;
+    if (typeof content === "string") {
+        return { ...message, content: content + suffix };
+    }
+    if (Array.isArray(content)) {
+        const textBlock = content.find((b) => b && typeof b === "object" && b.type === "text");
+        if (textBlock && typeof textBlock.text === "string") {
+            const newContent = content.map((b) => b === textBlock ? { ...textBlock, text: textBlock.text + suffix } : b);
+            return { ...message, content: newContent };
+        }
+        return {
+            ...message,
+            content: [...content, { type: "text", text: suffix.trimStart() }],
+        };
+    }
+    return message;
+}
+function extractTextFromContent(content) {
+    if (typeof content === "string")
+        return content;
+    if (Array.isArray(content)) {
+        const textBlock = content.find((b) => b && typeof b === "object" && b.type === "text");
+        return textBlock?.text;
+    }
+    return undefined;
+}

package/dist/src/services/tip-propagation.d.ts

@@ -2,6 +2,7 @@
  * Shared TIP propagation logic for sessions_send and sessions_spawn.
  */
 import type { IdentityService } from "./identity-service.js";
+import type { OIDCConfigForRefresh } from "./session-refresh.js";
 import type { TIPTokenEntry } from "../store/tip-store.js";
 export type PropagateTIPParams = {
     storeDir: string;
@@ -11,6 +12,7 @@ export type PropagateTIPParams = {
     configWorkloadName?: string;
     subagentTipPropagation?: boolean;
     ctxAgentId?: string;
+    getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
     getCallerTIP: () => Promise<TIPTokenEntry | null>;
     logger: {
         info?: (msg: string) => void;

package/dist/src/services/tip-propagation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tip-propagation.d.ts","sourceRoot":"","sources":["../../../src/services/tip-propagation.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAM3D,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAClD,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CpF"}
+{"version":3,"file":"tip-propagation.d.ts","sourceRoot":"","sources":["../../../src/services/tip-propagation.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAO3D,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,YAAY,EAAE,MAAM,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAClD,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CA2CpF"}

package/dist/src/services/tip-propagation.js

@@ -13,7 +13,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import { getSession, setSession } from "../store/session-store.js";
+import { setSession } from "../store/session-store.js";
+import { getSessionWithRefresh } from "./session-refresh.js";
 import { setTIPToken } from "../store/tip-store.js";
 import { logDebug, logInfo } from "../utils/logger.js";
 import { fetchAndStoreTIP } from "./tip-acquisition.js";
@@ -22,7 +23,7 @@ import { fetchAndStoreTIP } from "./tip-acquisition.js";
  * Uses getCallerTIP() to obtain caller's TIP (supports refresh).
  */
 export async function propagateTIPToTarget(params) {
-    const { storeDir, callerSessionKey, targetSessionKey, identityService, configWorkloadName, subagentTipPropagation, ctxAgentId, getCallerTIP, logger, } = params;
+    const { storeDir, callerSessionKey, targetSessionKey, identityService, configWorkloadName, subagentTipPropagation, ctxAgentId, getOidcConfigForRefresh, getCallerTIP, logger, } = params;
     const callerTIP = await getCallerTIP();
     if (!callerTIP) {
         logDebug(logger, `propagation skip (caller ${callerSessionKey.slice(0, 24)}... has no TIP)`);
@@ -47,7 +48,7 @@ export async function propagateTIPToTarget(params) {
         });
         logDebug(logger, `TIP passed through to ${targetSessionKey.slice(0, 24)}...`);
     }
-    const callerSession = await getSession(storeDir, callerSessionKey);
+    const callerSession = await getSessionWithRefresh(storeDir, callerSessionKey, getOidcConfigForRefresh);
     if (callerSession) {
         await setSession(storeDir, targetSessionKey, callerSession);
     }

package/dist/src/services/tip-with-refresh.d.ts

@@ -22,7 +22,7 @@ export type GetOrRefreshTIPOptions = {
 };
 /**
  * Get TIP token for session. If missing or expired and refresh options provided,
- * attempts to fetch TIP (refreshing userToken if needed).
+ * attempts to fetch TIP (refreshing userToken if needed, with one retry).
  */
 export declare function getOrRefreshTIPToken(storeDir: string, sessionKey: string, options?: GetOrRefreshTIPOptions): Promise<ReturnType<typeof getTIPToken>>;
 //# sourceMappingURL=tip-with-refresh.d.ts.map

package/dist/src/services/tip-with-refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACzE,uFAAuF;IACvF,WAAW,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CACnC,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAgEzC"}
+{"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAKpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACzE,uFAAuF;IACvF,WAAW,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CACnC,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CA8CzC"}