@m1a0rz/agent-identity 0.4.1 → 0.4.3

package/dist/src/tools/identity-login.d.ts

@@ -3,12 +3,7 @@
  * Returns auth URL when login needed; tools don't have deliveryTarget so callback falls back to sessionKey.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityLoginTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityLoginTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-login.d.ts.map

package/dist/src/tools/identity-login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-login.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-login.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB;;;;;;EAiC/B"}
+{"version":3,"file":"identity-login.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-login.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CAiC9C"}

package/dist/src/tools/identity-logout.d.ts

@@ -2,12 +2,7 @@
  * identity_logout: clear session and TIP for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityLogoutTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityLogoutTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-logout.d.ts.map

package/dist/src/tools/identity-logout.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-logout.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-logout.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAgB/B"}
+{"version":3,"file":"identity-logout.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-logout.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB,KAAG,YAAY,CAgB9C"}

package/dist/src/tools/identity-risk-check.d.ts

@@ -2,8 +2,8 @@
  * identity_risk_check: diagnose risk for a command or tool call without executing.
  * Use before running exec/write to see if it would require approval.
  */
-import type { PluginToolContext } from "../types.js";
-import type { PluginConfig } from "../types.js";
+import type { PluginToolContext, PluginConfig } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 export type IdentityRiskCheckDeps = {
     pluginConfig: PluginConfig;
     logger?: {
@@ -11,19 +11,5 @@ export type IdentityRiskCheckDeps = {
         warn?: (msg: string) => void;
     };
 };
-export declare function createIdentityRiskCheckTool(deps: IdentityRiskCheckDeps): (_ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        command: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        toolName: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
-        params: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TRecord<import("@sinclair/typebox").TString, import("@sinclair/typebox").TUnknown>>;
-    }>;
-    execute: (_toolCallId: string, params: {
-        command?: string;
-        toolName?: string;
-        params?: Record<string, unknown>;
-    }) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityRiskCheckTool(deps: IdentityRiskCheckDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-risk-check.d.ts.map

package/dist/src/tools/identity-risk-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-risk-check.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-risk-check.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,MAAM,qBAAqB,GAAG;IAClC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,qBAAqB,IAC7D,MAAM,iBAAiB;;;;;;;;;2BAuBd,MAAM,UACX;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE;EAuCtF"}
+{"version":3,"file":"identity-risk-check.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-risk-check.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAG/D,MAAM,MAAM,qBAAqB,GAAG;IAClC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,qBAAqB,IAC7D,MAAM,iBAAiB,KAAG,YAAY,CA+D/C"}

package/dist/src/tools/identity-set-binding.d.ts

@@ -2,15 +2,7 @@
  * identity_set_binding: bind a credential provider to an env var for tool injection.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentitySetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-        envVar: import("@sinclair/typebox").TString;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentitySetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-set-binding.d.ts.map

package/dist/src/tools/identity-set-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-set-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-set-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAC5D,KAAK,iBAAiB;;;;;;;;;EAwB/B"}
+{"version":3,"file":"identity-set-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-set-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAC5D,KAAK,iBAAiB,KAAG,YAAY,CAwB9C"}

package/dist/src/tools/identity-status.d.ts

@@ -2,12 +2,7 @@
  * identity_status: return login status, credentials, and env bindings for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityStatusTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityStatusTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-status.d.ts.map

package/dist/src/tools/identity-status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-status.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-status.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EAiC/B"}
+{"version":3,"file":"identity-status.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-status.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB,KAAG,YAAY,CAiC9C"}

package/dist/src/tools/identity-unset-binding.d.ts

@@ -2,14 +2,7 @@
  * identity_unset_binding: remove credential env binding.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityUnsetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{
-        provider: import("@sinclair/typebox").TString;
-    }>;
-    execute: (_toolCallId: any, params: any) => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityUnsetBindingTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-unset-binding.d.ts.map

package/dist/src/tools/identity-unset-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-unset-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-unset-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,mBAAmB,IAC9D,KAAK,iBAAiB;;;;;;;;EAiB/B"}
+{"version":3,"file":"identity-unset-binding.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-unset-binding.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,mBAAmB,IAC9D,KAAK,iBAAiB,KAAG,YAAY,CAiB9C"}

package/dist/src/tools/identity-whoami.d.ts

@@ -2,12 +2,7 @@
  * identity_whoami: return current session identity (sub, TIP status) for the caller's session.
  */
 import type { PluginToolContext } from "../types.js";
+import { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
-export declare function createIdentityWhoamiTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => {
-    name: string;
-    label: string;
-    description: string;
-    parameters: import("@sinclair/typebox").TObject<{}>;
-    execute: () => Promise<import("@mariozechner/pi-agent-core").AgentToolResult<unknown>>;
-};
+export declare function createIdentityWhoamiTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-whoami.d.ts.map

package/dist/src/tools/identity-whoami.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-whoami.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-whoami.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB;;;;;;EA+B/B"}
+{"version":3,"file":"identity-whoami.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-whoami.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,KAAK,iBAAiB,KAAG,YAAY,CA+B9C"}

package/dist/src/types.d.ts

@@ -18,6 +18,12 @@ export type PluginToolContext = {
 };
 export type IdentityConfig = {
     endpoint?: string;
+    /**
+     * Plain-text region id metadata URL (e.g. http://100.96.0.96/latest/region_id).
+     * When `endpoint` is unset, response body builds `https://id.{region}.volcengineapi.com`.
+     * Lower priority than `endpoint`.
+     */
+    regionMetadataUrl?: string;
     accessKeyId?: string;
     secretAccessKey?: string;
     sessionToken?: string;
@@ -33,6 +39,12 @@ export type IdentityConfig = {
     subagentTipPropagation?: boolean;
     /** Enable identity.session.put / identity.session.get gateway WS methods for webchat clients. Default: false. */
     webchatSessionExchange?: boolean;
+    /**
+     * When true, collapse identity/session/TIP/credential storage to `agent:main:main` for all
+     * non-subagent sessions (no per-sender or per-channel-peer isolation). For single-user
+     * deployments only. Default: false.
+     */
+    personalSessionMode?: boolean;
 };
 export type UserPoolConfig = {
     /** Explicit: discovery URL for OIDC. */
@@ -45,6 +57,19 @@ export type UserPoolConfig = {
     userPoolName?: string;
     clientName?: string;
     autoCreate?: boolean;
+    /**
+     * Identity provider name passed as `identity_provider` in the auth URL.
+     * When omitted, the first provider from ListIdentityProviders is used (if available).
+     */
+    identityProvider?: string;
+    /**
+     * When true, the OIDC flow goes through the UserPool relay (redirect_relay_uri).
+     * The callback handler will detect the relay state format
+     * (base64 JSON with request_id/provider_id/request_state) and first forward the
+     * authorization code to the UserPool's generic_oauth callback endpoint, then
+     * perform the token exchange. The app state is recovered from request_state.
+     */
+    useRelayCallback?: boolean;
 };
 export type AuthzConfig = {
     /** Run CheckPermission for agents (resource type "agent") before agent starts. Default: false. */

package/dist/src/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qGAAqG;IACrG,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0GAA0G;IAC1G,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iHAAiH;IACjH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,kGAAkG;IAClG,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iEAAiE;IACjE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oFAAoF;IACpF,YAAY,CAAC,EAAE;QACb,iGAAiG;QACjG,QAAQ,EAAE,MAAM,CAAC;QACjB,6EAA6E;QAC7E,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;QACtC,8CAA8C;QAC9C,KAAK,EAAE,MAAM,CAAC;QACd,gEAAgE;QAChE,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,oCAAoC;QACpC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,uFAAuF;QACvF,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qGAAqG;IACrG,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0GAA0G;IAC1G,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iHAAiH;IACjH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,kGAAkG;IAClG,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iEAAiE;IACjE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oFAAoF;IACpF,YAAY,CAAC,EAAE;QACb,iGAAiG;QACjG,QAAQ,EAAE,MAAM,CAAC;QACjB,6EAA6E;QAC7E,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;QACtC,8CAA8C;QAC9C,KAAK,EAAE,MAAM,CAAC;QACd,gEAAgE;QAChE,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,oCAAoC;QACpC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,uFAAuF;QACvF,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}

package/dist/src/utils/derive-session-key.d.ts

@@ -116,6 +116,7 @@ export type SessionKeyDeliveryTarget = {
     /** For feishu per-account sessions (agent:main:feishu:default:direct:ou_xxx). */
     accountId?: string;
 };
+export declare function isBuiltinSenderId(senderId: string | undefined | null): boolean;
 export declare function isSendableChannel(channel: string | undefined | null): boolean;
 /** Command context shape (subset of PluginCommandContext). */
 export type CommandContextForDelivery = {

package/dist/src/utils/derive-session-key.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"derive-session-key.d.ts","sourceRoot":"","sources":["../../../src/utils/derive-session-key.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,yFAAyF;AACzF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CAC3D,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAKF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAKlE;AAOD;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAE/D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAM/F;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qFAAqF;IACrF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CASnE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAKnF;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAOzF;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEnF;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,yBAAyB,GAAG,MAAM,CAiBvF;AAuGD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAEnF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CAiC9E;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAaF,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAE7E;AAED,8DAA8D;AAC9D,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,yBAAyB,GAC7B,wBAAwB,GAAG,IAAI,CAmBjC;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACpC,wBAAwB,GAAG,IAAI,CAyDjC"}
+{"version":3,"file":"derive-session-key.d.ts","sourceRoot":"","sources":["../../../src/utils/derive-session-key.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,yFAAyF;AACzF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CAC3D,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAKF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAKlE;AAOD;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAE/D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAM/F;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qFAAqF;IACrF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CASnE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAKnF;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAOzF;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEnF;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,yBAAyB,GAAG,MAAM,CAiBvF;AAuGD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAEnF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CAiC9E;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAsBF,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAE9E;AAaD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAE7E;AAED,8DAA8D;AAC9D,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,yBAAyB,GAC7B,wBAAwB,GAAG,IAAI,CAmBjC;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACpC,wBAAwB,GAAG,IAAI,CA2DjC"}

package/dist/src/utils/derive-session-key.js

@@ -254,9 +254,9 @@ export function deriveSessionKey(params) {
     const groupPeerId = extractGroupPeerId(ch, from, to);
     const isGroup = Boolean(groupPeerId);
     if (isGroup && groupPeerId) {
-        return `agent:${agentId}:${ch}:group:${groupPeerId.toLowerCase()}`;
+        return `agent:${agentId}:${ch}:group:${groupPeerId}`;
     }
-    const peerId = (senderId ?? "").trim().toLowerCase();
+    const peerId = (senderId ?? "").trim();
     if (!peerId)
         return null;
     if (dmScope === "per-account-channel-peer") {
@@ -271,6 +271,28 @@ export function deriveSessionKey(params) {
     }
     return `agent:${agentId}:main`;
 }
+/**
+ * Built-in gateway client IDs that represent the same local operator.
+ * When these appear as senderIds, they should share the canonical main
+ * session key instead of creating per-sender isolation.
+ */
+const BUILTIN_SENDER_IDS = new Set([
+    "webchat-ui",
+    "openclaw-control-ui",
+    "webchat",
+    "cli",
+    "gateway-client",
+    "openclaw-macos",
+    "openclaw-ios",
+    "openclaw-android",
+    "node-host",
+    "test",
+    "fingerprint",
+    "openclaw-probe",
+]);
+export function isBuiltinSenderId(senderId) {
+    return BUILTIN_SENDER_IDS.has((senderId ?? "").trim().toLowerCase());
+}
 const SENDABLE_CHANNELS = new Set([
     "telegram",
     "slack",
@@ -333,9 +355,10 @@ export function parseSessionKeyToDeliveryTarget(sessionKey) {
         if (!peerId)
             return null;
         if (channel === "slack") {
+            const lower = peerId.toLowerCase();
             return {
                 channel,
-                to: peerId.startsWith("U") || peerId.startsWith("W") ? `user:${peerId}` : peerId,
+                to: lower.startsWith("u") || lower.startsWith("w") ? `user:${peerId}` : peerId,
             };
         }
         if (channel === "feishu") {
@@ -362,9 +385,10 @@ export function parseSessionKeyToDeliveryTarget(sessionKey) {
             return null;
         const accountId = scope;
         if (channel === "slack") {
+            const lower = peerId.toLowerCase();
             return {
                 channel,
-                to: peerId.startsWith("U") || peerId.startsWith("W") ? `user:${peerId}` : peerId,
+                to: lower.startsWith("u") || lower.startsWith("w") ? `user:${peerId}` : peerId,
                 accountId,
             };
         }

package/dist/src/utils/resolve-identity-endpoint.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Resolve Volcengine Identity API base URL.
+ * Priority: explicit endpoint > region from regionMetadataUrl -> https://id.{region}.volcengineapi.com > cn-beijing default.
+ */
+export declare const DEFAULT_IDENTITY_ENDPOINT = "https://id.cn-beijing.volcengineapi.com";
+/**
+ * GET metadata URL; expect plain-text region id (e.g. cn-beijing).
+ * Uses total request timeout (similar to curl --max-time 10).
+ */
+export declare function fetchRegionIdFromMetadata(metadataUrl: string, options?: {
+    totalTimeoutMs?: number;
+}): Promise<string | null>;
+export declare function identityEndpointFromRegion(region: string): string;
+export type ResolveIdentityApiEndpointInput = {
+    endpoint?: string;
+    regionMetadataUrl?: string;
+};
+/**
+ * Resolve Identity control/data plane base URL for signing and requests.
+ */
+export declare function resolveIdentityApiEndpoint(input: ResolveIdentityApiEndpointInput): Promise<string>;
+/**
+ * Derive Volcengine signing region from Identity endpoint host id.{region}.volcengineapi.com.
+ */
+export declare function signingRegionFromIdentityEndpoint(baseUrl: string): string | null;
+//# sourceMappingURL=resolve-identity-endpoint.d.ts.map

package/dist/src/utils/resolve-identity-endpoint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-identity-endpoint.d.ts","sourceRoot":"","sources":["../../../src/utils/resolve-identity-endpoint.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,eAAO,MAAM,yBAAyB,4CAA4C,CAAC;AAUnF;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GACpC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjE;AAED,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,+BAA+B,GACrC,OAAO,CAAC,MAAM,CAAC,CAYjB;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQhF"}

package/dist/src/utils/resolve-identity-endpoint.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Resolve Volcengine Identity API base URL.
+ * Priority: explicit endpoint > region from regionMetadataUrl -> https://id.{region}.volcengineapi.com > cn-beijing default.
+ */
+export const DEFAULT_IDENTITY_ENDPOINT = "https://id.cn-beijing.volcengineapi.com";
+const DEFAULT_TOTAL_TIMEOUT_MS = 10_000;
+/** Region values that must not be used to build an endpoint. */
+function isInvalidRegionId(text) {
+    const t = text.trim().toLowerCase();
+    return t.length === 0 || t === "unknown";
+}
+/**
+ * GET metadata URL; expect plain-text region id (e.g. cn-beijing).
+ * Uses total request timeout (similar to curl --max-time 10).
+ */
+export async function fetchRegionIdFromMetadata(metadataUrl, options) {
+    const url = metadataUrl.trim();
+    if (!url)
+        return null;
+    const totalTimeoutMs = options?.totalTimeoutMs ?? DEFAULT_TOTAL_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), totalTimeoutMs);
+    try {
+        const res = await fetch(url, {
+            signal: controller.signal,
+            redirect: "follow",
+        });
+        if (!res.ok)
+            return null;
+        const text = (await res.text()).trim();
+        if (isInvalidRegionId(text))
+            return null;
+        if (!/^[a-z0-9-]+$/i.test(text))
+            return null;
+        return text;
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+export function identityEndpointFromRegion(region) {
+    return `https://id.${region.trim()}.volcengineapi.com`;
+}
+/**
+ * Resolve Identity control/data plane base URL for signing and requests.
+ */
+export async function resolveIdentityApiEndpoint(input) {
+    const explicit = input.endpoint?.trim();
+    if (explicit)
+        return explicit;
+    const fallback = DEFAULT_IDENTITY_ENDPOINT;
+    const metaUrl = input.regionMetadataUrl?.trim();
+    if (metaUrl) {
+        const region = await fetchRegionIdFromMetadata(metaUrl);
+        if (region)
+            return identityEndpointFromRegion(region);
+    }
+    return fallback;
+}
+/**
+ * Derive Volcengine signing region from Identity endpoint host id.{region}.volcengineapi.com.
+ */
+export function signingRegionFromIdentityEndpoint(baseUrl) {
+    try {
+        const host = new URL(baseUrl).host;
+        const m = /^id\.([a-z0-9-]+)\.volcengineapi\.com$/i.exec(host);
+        return m ? m[1] : null;
+    }
+    catch {
+        return null;
+    }
+}

package/openclaw.plugin.json

@@ -13,7 +13,11 @@
         "properties": {
           "endpoint": {
             "type": "string",
-            "description": "Identity API endpoint, e.g. https://id.cn-beijing.volcengineapi.com"
+            "description": "Identity API endpoint, e.g. https://id.cn-beijing.volcengineapi.com. Highest priority; when set, regionMetadataUrl is ignored for the base URL."
+          },
+          "regionMetadataUrl": {
+            "type": "string",
+            "description": "GET this URL for plain-text region id (e.g. http://100.96.0.96/latest/region_id). When endpoint is unset, builds https://id.{region}.volcengineapi.com. Request timeout ~10s; on failure falls back to https://id.cn-beijing.volcengineapi.com"
           },
           "accessKeyId": {
             "type": "string",
@@ -65,6 +69,11 @@
             "type": "boolean",
             "default": false,
             "description": "Enable identity.session.put / identity.session.get gateway WS methods for webchat clients. Allows BFF to inject OIDC id_token into plugin sessions without redirect flow."
+          },
+          "personalSessionMode": {
+            "type": "boolean",
+            "default": false,
+            "description": "Single-user mode: store TIP, OIDC session, and credentials under agent:main:main only (no per-sender or per-channel-peer keys). Subagent sessions are unchanged. Not for multi-tenant or shared group chats."
           }
         }
       },
@@ -95,6 +104,14 @@
             "type": "boolean",
             "default": true,
             "description": "Create UserPool/Client when not found (dynamic mode)"
+          },
+          "identityProvider": {
+            "type": "string",
+            "description": "External identity provider name to use in the OAuth2 authorization URL (identity_provider param). When omitted, the first provider returned by ListIdentityProviders is used automatically."
+          },
+          "useRelayCallback": {
+            "type": "boolean",
+            "description": "When true, the OIDC flow goes through the UserPool relay (redirect_relay_uri). The callback handler will detect the relay state format (base64 JSON with request_id/provider_id/request_state) and first forward the authorization code to the UserPool's generic_oauth callback endpoint, then perform the token exchange. The app state is recovered from request_state."
           }
         }
       },

package/package.json

@@ -1,12 +1,15 @@
 {
   "name": "@m1a0rz/agent-identity",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {
     "build": "tsc",
+    "test": "vitest run",
+    "test:ci": "vitest run --reporter=verbose",
+    "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build"
   },
   "keywords": [
@@ -22,15 +25,20 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@sinclair/typebox": "0.34.48",
-    "jose": "^5.9.6"
+    "jose": "^5.9.6",
+    "yaml": "^2.4.0",
+    "json5": "^2.2.3"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
+    "openclaw": "^2026.3.13",
     "typescript": "^5.7.0",
+    "vitest": "^4.1.0",
     "ws": "^8.19.0"
   },
   "peerDependencies": {
-    "openclaw": ">=2026.3.8"
+    "openclaw": ">=2026.3.8",
+    "@mariozechner/pi-agent-core": "^0.58.0"
   },
   "peerDependenciesMeta": {
     "openclaw": {

package/skills/SKILL.md

@@ -74,6 +74,14 @@ When looking for a specific provider (e.g. before `identity_fetch`), prefer pass
 
 Returns: `providers`, `storedOnly`, `page`, `hasMore`.
 
+### identity_list_roles
+
+Lists **STS role credential providers** (not OAuth/API key — use `identity_list_credentials` for those). **Call when:** "role credentials", "STS providers", "IAM role 凭据", "有哪些角色凭据". Requires login session.
+
+Optional param: `name` — prefix filter on provider name.
+
+Returns: `providers` (each may include `identitySource`). To obtain temporary keys for a provider, use `identity_get_role_credentials` with that provider name.
+
 ### identity_fetch
 
 Adds a credential for a provider (OAuth2 or API key). **Call when the user wants to add, get, or configure credentials:**
@@ -142,17 +150,9 @@ Generates config snippets. **Call when:** "如何配置 identity 插件", "帮
 
 Returns: `configPath`, `config` (JSON to merge), `instructions`, `nextSteps`.
 
-### identity_list_tips
-
-List valid TIP tokens and bindings. No params.
-
 ### identity_approve_tool
 
-| Param         | Type   | Required | Description                                              |
-| ------------- | ------ | -------- | -------------------------------------------------------- |
-| `approval_id` | string | Yes      | ID from the approval prompt                              |
-
-**Agent must NOT call this tool.** This is for human approval only — user runs `/identity approve <id>` or replies "approve" in chat.
+**Do not call this tool as the agent.** High-risk approvals are for humans only. When the user must approve, relay the **approval ID** and timeout from the error; they complete approval via `/identity approve <id>` or the channel workflow your gateway uses — not via this tool from the model.
 
 ## Workflow: Adding a Credential