@m1a0rz/agent-identity 0.4.1 → 0.4.3

package/dist/src/store/skill-contract-store.d.ts

@@ -0,0 +1,19 @@
+/**
+ * In-memory stores for identity contract injection:
+ *
+ * 1. Contract spec cache: normalizedSkillPath -> parsed bindings (LRU eviction).
+ * 2. Pending injection map: toolCallId -> rendered contract text (one-time consume + TTL).
+ */
+import type { CredentialBinding } from "../services/skill-contract-metadata.js";
+export type SkillContractSpec = {
+    skillName: string;
+    skillPath: string;
+    bindings: CredentialBinding[];
+    parsedAt: number;
+};
+export declare function setContractSpec(skillPath: string, spec: Omit<SkillContractSpec, "parsedAt">): void;
+export declare function getContractSpec(skillPath: string): SkillContractSpec | undefined;
+export declare function setPending(toolCallId: string, renderedText: string): void;
+export declare function consumePending(toolCallId: string): string | undefined;
+export declare function cleanupExpiredPending(): number;
+//# sourceMappingURL=skill-contract-store.d.ts.map

package/dist/src/store/skill-contract-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-contract-store.d.ts","sourceRoot":"","sources":["../../../src/store/skill-contract-store.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wCAAwC,CAAC;AAKhF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAKF,wBAAgB,eAAe,CAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,IAAI,CAAC,iBAAiB,EAAE,UAAU,CAAC,GACxC,IAAI,CAQN;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS,CAGhF;AAaD,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAOzE;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAKrE;AAED,wBAAgB,qBAAqB,IAAI,MAAM,CAU9C"}

package/dist/src/store/skill-contract-store.js

@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { skillDirForCacheKey } from "./skill-path-store.js";
+const specCache = new Map();
+const MAX_SPEC_ENTRIES = 256;
+export function setContractSpec(skillPath, spec) {
+    if (!skillPath)
+        return;
+    const key = skillDirForCacheKey(skillPath);
+    if (specCache.size >= MAX_SPEC_ENTRIES) {
+        const first = specCache.keys().next().value;
+        if (first)
+            specCache.delete(first);
+    }
+    specCache.set(key, { ...spec, parsedAt: Date.now() });
+}
+export function getContractSpec(skillPath) {
+    if (!skillPath)
+        return undefined;
+    return specCache.get(skillDirForCacheKey(skillPath));
+}
+const pendingMap = new Map();
+const PENDING_TTL_MS = 10 * 60 * 1000;
+const MAX_PENDING_ENTRIES = 512;
+export function setPending(toolCallId, renderedText) {
+    if (!toolCallId)
+        return;
+    if (pendingMap.size >= MAX_PENDING_ENTRIES) {
+        const first = pendingMap.keys().next().value;
+        if (first)
+            pendingMap.delete(first);
+    }
+    pendingMap.set(toolCallId, { renderedText, createdAt: Date.now() });
+}
+export function consumePending(toolCallId) {
+    if (!toolCallId)
+        return undefined;
+    const entry = pendingMap.get(toolCallId);
+    pendingMap.delete(toolCallId);
+    return entry?.renderedText;
+}
+export function cleanupExpiredPending() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [key, entry] of pendingMap.entries()) {
+        if (now - entry.createdAt > PENDING_TTL_MS) {
+            pendingMap.delete(key);
+            removed++;
+        }
+    }
+    return removed;
+}

package/dist/src/store/skill-path-store.d.ts

@@ -1,5 +1,10 @@
+export declare function normalizePathForLookup(pathStr: string, workspaceDir?: string): string;
+/** Skill directory path for cache key (strips trailing /SKILL.md). */
+export declare function skillDirForCacheKey(normalizedPath: string): string;
 export declare function setSkillPathsForSession(sessionKey: string, pathToSkill: Map<string, string>, workspaceDir?: string, sessionId?: string): void;
 export declare function getSkillNameForPath(sessionKey: string, pathStr: string, workspaceDir?: string): string | undefined;
+/** Get all skill path entries for a session (normalizedPath -> skillName). Used by contract cache. */
+export declare function getSkillPathEntries(sessionKey: string): Array<[string, string]>;
 export declare function clearSessionByKey(sessionKey: string): void;
 export declare function clearSessionById(sessionId: string): void;
 //# sourceMappingURL=skill-path-store.d.ts.map

package/dist/src/store/skill-path-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill-path-store.d.ts","sourceRoot":"","sources":["../../../src/store/skill-path-store.ts"],"names":[],"mappings":"AAgDA,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAChC,YAAY,CAAC,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI,CA0BN;AAED,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,MAAM,GACpB,MAAM,GAAG,SAAS,CAMpB;AAED,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAS1D;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAKxD"}
+{"version":3,"file":"skill-path-store.d.ts","sourceRoot":"","sources":["../../../src/store/skill-path-store.ts"],"names":[],"mappings":"AA8BA,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CAgBrF;AAED,sEAAsE;AACtE,wBAAgB,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAGlE;AAED,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAChC,YAAY,CAAC,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI,CA0BN;AAED,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,MAAM,GACpB,MAAM,GAAG,SAAS,CAMpB;AAED,sGAAsG;AACtG,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAI/E;AAED,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAS1D;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAKxD"}

package/dist/src/store/skill-path-store.js

@@ -24,7 +24,7 @@ const pathToSkillBySessionKey = new Map();
 const sessionIdToSessionKey = new Map();
 const MAX_SESSIONS = 512;
 const MAX_PATHS_PER_SESSION = 256;
-function normalizePathForLookup(pathStr, workspaceDir) {
+export function normalizePathForLookup(pathStr, workspaceDir) {
     const s = String(pathStr).trim();
     if (!s)
         return "";
@@ -44,6 +44,11 @@ function normalizePathForLookup(pathStr, workspaceDir) {
     }
     return path.normalize(normalized);
 }
+/** Skill directory path for cache key (strips trailing /SKILL.md). */
+export function skillDirForCacheKey(normalizedPath) {
+    const p = normalizedPath.replace(/\\/g, "/");
+    return p.endsWith("/SKILL.md") ? p.slice(0, -"/SKILL.md".length) : p;
+}
 export function setSkillPathsForSession(sessionKey, pathToSkill, workspaceDir, sessionId) {
     if (!sessionKey)
         return;
@@ -84,6 +89,13 @@ export function getSkillNameForPath(sessionKey, pathStr, workspaceDir) {
     const normalized = normalizePathForLookup(pathStr, workspaceDir);
     return map.get(normalized);
 }
+/** Get all skill path entries for a session (normalizedPath -> skillName). Used by contract cache. */
+export function getSkillPathEntries(sessionKey) {
+    const map = pathToSkillBySessionKey.get(sessionKey);
+    if (!map)
+        return [];
+    return [...map.entries()];
+}
 export function clearSessionByKey(sessionKey) {
     if (!sessionKey)
         return;

package/dist/src/tools/identity-approve-tool.d.ts

@@ -3,6 +3,7 @@
  * Used for webchat/TUI flow when user approves via UI then agent retries.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 export type IdentityApproveToolDeps = {
     approvalTtlMs: number;
     logger?: {
@@ -10,15 +11,5 @@ export type IdentityApproveToolDeps = {
         warn?: (msg: string) => void;
     };
 };
-export declare function createIdentityApproveTool(deps: IdentityApproveToolDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        approval_id: import("@sinclair/typebox").TString;
-    }>;
-    execute: (_toolCallId: string, params: {
-        approval_id?: string;
-    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityApproveTool(deps: IdentityApproveToolDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-approve-tool.d.ts.map

package/dist/src/tools/identity-approve-tool.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-approve-tool.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-approve-tool.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAOrD,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,uBAAuB,IAC7D,KAAK,iBAAiB;;;;;;;2BAOC,MAAM,UAAU;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE;EAuBxE"}
+{"version":3,"file":"identity-approve-tool.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-approve-tool.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAK/D,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,uBAAuB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA8B9C"}

package/dist/src/tools/identity-config-suggest.d.ts

@@ -1,3 +1,4 @@
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 declare const INTENTS: {
     readonly identity: {
         readonly label: "Identity API (AK/SK, endpoint)";
@@ -96,18 +97,6 @@ declare const INTENTS: {
     };
 };
 export type ConfigSuggestIntent = keyof typeof INTENTS;
-export declare function createIdentityConfigSuggestTool(): () => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        intent: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        lang: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-    }>;
-    execute: (_toolCallId: string, params: {
-        intent?: ConfigSuggestIntent;
-        lang?: "en" | "zh";
-    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityConfigSuggestTool(): () => AnyAgentTool;
 export {};
 //# sourceMappingURL=identity-config-suggest.d.ts.map

package/dist/src/tools/identity-config-suggest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAwDA,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B;;;;;;;;2BAoB5B,MAAM,UACX;QAAE,MAAM,CAAC,EAAE,mBAAmB,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,CAAA;KAAE;EA2BjE"}
+{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAuBA,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAiC/D,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B,UAClC,YAAY,CA+CxB"}

package/dist/src/tools/identity-config.d.ts

@@ -2,12 +2,7 @@
  * identity_config: show identity plugin configuration (redacted).
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-config.d.ts.map

package/dist/src/tools/identity-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB;;;;;;EAUhC"}
+{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB,KAAG,YAAY,CAU/C"}

package/dist/src/tools/identity-fetch.d.ts

@@ -4,18 +4,7 @@
  * When returnValue is true and fetch succeeds, returns the credential value for same-turn automation.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-        flow: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnsafe<"oauth2-user" | "oauth2-m2m" | "apikey">>;
-        redirectUrl: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        scopes: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>>;
-        returnValue: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TBoolean>;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-fetch.d.ts.map

package/dist/src/tools/identity-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;;;;;;;EA8D/B"}
+{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAsB,MAAM,qBAAqB,CAAC;AAEvE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CA8D9C"}

package/dist/src/tools/identity-fetch.js

@@ -19,16 +19,16 @@ import { jsonResult } from "openclaw/plugin-sdk";
 import { runFetch } from "../actions/identity-actions.js";
 import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
-const FETCH_FLOWS = ["oauth2-user", "oauth2-m2m", "apikey"];
+const FETCH_FLOWS = ["oauth2-user", "oauth2-m2m", "apikey", "user"];
 export function createIdentityFetchTool(deps) {
     return (ctx) => ({
         name: "identity_fetch",
         label: "Identity Fetch Credential",
-        description: "Add credential for a provider. OAuth2-user returns auth URL to open; apikey/oauth2-m2m complete immediately. Set returnValue=true to receive the credential value for same-turn automation (use with care: value may appear in logs).",
+        description: "Add credential for a provider. OAuth2-user returns auth URL to open; apikey/oauth2-m2m/user complete immediately. Set returnValue=true to receive the credential value for same-turn automation (use with care: value may appear in logs).",
         parameters: Type.Object({
             provider: Type.String({ description: "Provider name (e.g. google, openai)" }),
             flow: Type.Optional(optionalStringEnum(FETCH_FLOWS, {
-                description: "oauth2-user (default for 3LO), oauth2-m2m, apikey",
+                description: "oauth2-user (default for 3LO), oauth2-m2m, apikey, user",
             })),
             redirectUrl: Type.Optional(Type.String()),
             scopes: Type.Optional(Type.Array(Type.String())),

package/dist/src/tools/identity-get-role-credentials.d.ts

@@ -0,0 +1,10 @@
+/**
+ * identity_get_role_credentials: obtain STS temporary credentials via a role credential provider.
+ * Skills that need IAM Role access call this tool to get AK/SK/SessionToken,
+ * then use them for downstream API requests.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetRoleCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-role-credentials.d.ts.map

package/dist/src/tools/identity-get-role-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-role-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-role-credentials.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,mBAAmB,IACpE,KAAK,iBAAiB,KAAG,YAAY,CAsC9C"}

package/dist/src/tools/identity-get-role-credentials.js

@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetRoleCredentials } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetRoleCredentialsTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_role_credentials",
+        label: "Identity Get Role Credentials",
+        description: "Obtain temporary STS credentials (AccessKeyId, SecretAccessKey, SessionToken) " +
+            "via a role credential provider. Use when a skill or tool needs IAM Role access " +
+            "to call cloud APIs. By default uses the user session token (id_token); " +
+            "set useTip=true to use the TIP token instead.",
+        parameters: Type.Object({
+            providerName: Type.String({
+                description: "Role credential provider name configured in the control plane.",
+            }),
+            useTip: Type.Optional(Type.Boolean({
+                description: "When true, use TIP token as identity token instead of user session token. Default false.",
+            })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", success: false });
+            }
+            const p = params;
+            const result = await runGetRoleCredentials(deps, sessionKey, {
+                providerName: p.providerName,
+                useTip: p.useTip ?? false,
+                config: ctx.config,
+            });
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                credentials: result.credentials,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-get-session-token.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_get_session_token: obtain the OIDC id_token (session / user token) for the current session.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetSessionTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-session-token.d.ts.map

package/dist/src/tools/identity-get-session-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-session-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-session-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-session-token.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetSessionToken } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetSessionTokenTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_session_token",
+        label: "Identity Get Session Token",
+        description: "Obtain the OIDC id_token stored for this session (UserPool / session identity token). " +
+            "Use when a skill needs the end-user JWT instead of the TIP workload token. " +
+            "The value is sensitive; do not print it in chat.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "No session context" });
+            }
+            const result = await runGetSessionToken(deps, sessionKey);
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                sessionIdToken: result.sessionIdToken,
+                sub: result.sub,
+                loginAt: result.loginAt,
+                expiresAt: result.expiresAt,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-get-tip-token.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_get_tip_token: obtain the workload TIP JWT for the current session.
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityGetTipTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-get-tip-token.d.ts.map

package/dist/src/tools/identity-get-tip-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-get-tip-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-tip-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,mBAAmB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-tip-token.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runGetTipToken } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityGetTipTokenTool(deps) {
+    return (ctx) => ({
+        name: "identity_get_tip_token",
+        label: "Identity Get TIP Token",
+        description: "Obtain the Trusted Identity Provider (TIP) JWT for this session. " +
+            "Use when a skill needs the workload token for downstream APIs. " +
+            "The value is sensitive; do not print it in chat.",
+        parameters: Type.Object({}),
+        execute: async () => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ success: false, error: "No session context" });
+            }
+            const result = await runGetTipToken(deps, sessionKey, ctx.config);
+            if (result.kind === "error") {
+                return jsonResult({ success: false, error: result.message });
+            }
+            return jsonResult({
+                success: true,
+                tipToken: result.tipToken,
+                sub: result.sub,
+                issuedAt: result.issuedAt,
+                expiresAt: result.expiresAt,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-credentials.d.ts

@@ -2,16 +2,7 @@
  * identity_list_credentials: list credential providers and stored credentials (paginated).
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        page: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TNumber>;
-        name: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        flow: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-credentials.d.ts.map

package/dist/src/tools/identity-list-credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB;;;;;;;;;;EAyB/B"}
+{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-list-credentials.js

@@ -21,19 +21,20 @@ export function createIdentityListCredentialsTool(deps) {
     return (ctx) => ({
         name: "identity_list_credentials",
         label: "Identity List Credentials",
-        description: "List credential providers and stored credentials. Supports filtering by name or flow to locate a specific provider without paging through all results.",
+        description: "List credential providers (OAuth/API key) and stored credentials. Use identity_list_roles for role credential providers (STS).",
         parameters: Type.Object({
             page: Type.Optional(Type.Number({ minimum: 1, default: 1 })),
             name: Type.Optional(Type.String({ description: "Filter providers by name (exact or prefix match)." })),
             flow: Type.Optional(Type.String({ description: "Filter providers by flow, e.g. 'M2M' or 'USER_FEDERATION'." })),
+            type: Type.Optional(Type.String({ description: "Filter credential providers by type, e.g. 'api_key' or 'oauth2'." })),
         }),
         execute: async (_toolCallId, params) => {
             const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
             if (!sessionKey) {
                 return jsonResult({ error: "No session context", providers: [], storedOnly: [] });
             }
-            const { page, name, flow } = params;
-            const filter = name || flow ? { name, flow } : undefined;
+            const { page, name, flow, type } = params;
+            const filter = name || flow || type ? { name, flow, type } : undefined;
             const result = await runListCredentials(deps, sessionKey, page ?? 1, filter);
             return jsonResult({
                 providers: result.providers,

package/dist/src/tools/identity-list-risk-patterns.d.ts

@@ -3,11 +3,6 @@
  * Use to understand what the plugin considers high-risk before running commands.
  */
 import type { PluginToolContext } from "../types.js";
-export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-risk-patterns.d.ts.map

package/dist/src/tools/identity-list-risk-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAKrD,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB;;;;;;EAehC"}
+{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAG/D,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB,KAAG,YAAY,CAe/C"}

package/dist/src/tools/identity-list-roles.d.ts

@@ -0,0 +1,8 @@
+/**
+ * identity_list_roles: list role credential providers (STS).
+ */
+import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { IdentityActionsDeps } from "../actions/identity-actions.js";
+export declare function createIdentityListRolesTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
+//# sourceMappingURL=identity-list-roles.d.ts.map

package/dist/src/tools/identity-list-roles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-list-roles.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-roles.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,mBAAmB,IAC3D,KAAK,iBAAiB,KAAG,YAAY,CAsB9C"}

package/dist/src/tools/identity-list-roles.js

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Type } from "@sinclair/typebox";
+import { jsonResult } from "openclaw/plugin-sdk";
+import { runListRoleCredentials } from "../actions/identity-actions.js";
+import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
+export function createIdentityListRolesTool(deps) {
+    return (ctx) => ({
+        name: "identity_list_roles",
+        label: "Identity List Roles",
+        description: "List role credential providers (STS). Use identity_get_role_credentials to obtain credentials for a provider.",
+        parameters: Type.Object({
+            name: Type.Optional(Type.String({ description: "Filter providers by name (prefix match)." })),
+        }),
+        execute: async (_toolCallId, params) => {
+            const sessionKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : undefined;
+            if (!sessionKey) {
+                return jsonResult({ error: "No session context", providers: [] });
+            }
+            const { name } = params;
+            const filter = name ? { name } : undefined;
+            const result = await runListRoleCredentials(deps, sessionKey, filter);
+            return jsonResult({
+                providers: result.providers,
+                page: result.page,
+                hasMore: result.hasMore,
+            });
+        },
+    });
+}

package/dist/src/tools/identity-list-tips.d.ts

@@ -2,12 +2,7 @@
  * identity_list_tips: list valid TIP tokens and env bindings.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityListTipsTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityListTipsTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-tips.d.ts.map

package/dist/src/tools/identity-list-tips.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-tips.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-tips.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,mBAAmB,IAC1D,MAAM,iBAAiB;;;;;;EAahC"}
+{"version":3,"file":"identity-list-tips.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-tips.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,mBAAmB,IAC1D,MAAM,iBAAiB,KAAG,YAAY,CAa/C"}