@m1a0rz/agent-identity 0.4.5 → 0.5.0

Files changed (121)
  1. package/README-cn.md +70 -9
  2. package/README.md +70 -9
  3. package/dist/index.d.ts.map +1 -1
  4. package/dist/index.js +80 -27
  5. package/dist/src/actions/identity-actions.d.ts.map +1 -1
  6. package/dist/src/actions/identity-actions.js +1 -1
  7. package/dist/src/commands/identity-commands.d.ts.map +1 -1
  8. package/dist/src/commands/identity-commands.js +1 -37
  9. package/dist/src/hooks/before-agent-start.d.ts +11 -3
  10. package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
  11. package/dist/src/hooks/before-agent-start.js +12 -11
  12. package/dist/src/hooks/before-dispatch.d.ts +71 -0
  13. package/dist/src/hooks/before-dispatch.d.ts.map +1 -0
  14. package/dist/src/hooks/before-dispatch.js +148 -0
  15. package/dist/src/hooks/before-tool-call.d.ts +12 -3
  16. package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
  17. package/dist/src/hooks/before-tool-call.js +51 -60
  18. package/dist/src/hooks/llm-input.d.ts +2 -0
  19. package/dist/src/hooks/llm-input.d.ts.map +1 -1
  20. package/dist/src/hooks/llm-input.js +30 -7
  21. package/dist/src/hooks/tool-result-persist.d.ts +1 -0
  22. package/dist/src/hooks/tool-result-persist.d.ts.map +1 -1
  23. package/dist/src/hooks/tool-result-persist.js +5 -2
  24. package/dist/src/local-server/handlers.d.ts +44 -0
  25. package/dist/src/local-server/handlers.d.ts.map +1 -0
  26. package/dist/src/local-server/handlers.js +207 -0
  27. package/dist/src/local-server/identity-socket.d.ts +18 -0
  28. package/dist/src/local-server/identity-socket.d.ts.map +1 -0
  29. package/dist/src/local-server/identity-socket.js +198 -0
  30. package/dist/src/local-server/peer-check.d.ts +58 -0
  31. package/dist/src/local-server/peer-check.d.ts.map +1 -0
  32. package/dist/src/local-server/peer-check.js +206 -0
  33. package/dist/src/local-server/peercred-linux.d.ts +30 -0
  34. package/dist/src/local-server/peercred-linux.d.ts.map +1 -0
  35. package/dist/src/local-server/peercred-linux.js +69 -0
  36. package/dist/src/preflight/plugin-preflight.d.ts +18 -8
  37. package/dist/src/preflight/plugin-preflight.d.ts.map +1 -1
  38. package/dist/src/preflight/plugin-preflight.js +96 -92
  39. package/dist/src/preflight/plugin-state.d.ts +1 -1
  40. package/dist/src/preflight/plugin-state.d.ts.map +1 -1
  41. package/dist/src/risk/llm-risk-check.d.ts +0 -5
  42. package/dist/src/risk/llm-risk-check.d.ts.map +1 -1
  43. package/dist/src/risk/llm-risk-check.js +10 -1
  44. package/dist/src/risk/low-risk-tools.d.ts.map +1 -1
  45. package/dist/src/risk/low-risk-tools.js +0 -1
  46. package/dist/src/services/identity-client.d.ts +0 -1
  47. package/dist/src/services/identity-client.d.ts.map +1 -1
  48. package/dist/src/services/identity-client.js +1 -1
  49. package/dist/src/services/skill-contract-renderer.d.ts.map +1 -1
  50. package/dist/src/services/skill-contract-renderer.js +15 -4
  51. package/dist/src/store/dispatch-feature-flag.d.ts +7 -0
  52. package/dist/src/store/dispatch-feature-flag.d.ts.map +1 -0
  53. package/dist/src/store/dispatch-feature-flag.js +36 -0
  54. package/dist/src/tools/identity-config-suggest.d.ts +1 -1
  55. package/dist/src/tools/identity-config-suggest.d.ts.map +1 -1
  56. package/dist/src/tools/identity-config-suggest.js +1 -1
  57. package/dist/src/tools/identity-config.d.ts +1 -1
  58. package/dist/src/tools/identity-config.d.ts.map +1 -1
  59. package/dist/src/tools/identity-config.js +1 -1
  60. package/dist/src/tools/identity-fetch.d.ts +1 -1
  61. package/dist/src/tools/identity-fetch.d.ts.map +1 -1
  62. package/dist/src/tools/identity-fetch.js +1 -2
  63. package/dist/src/tools/identity-get-role-credentials.d.ts +1 -1
  64. package/dist/src/tools/identity-get-role-credentials.d.ts.map +1 -1
  65. package/dist/src/tools/identity-get-role-credentials.js +1 -1
  66. package/dist/src/tools/identity-get-session-token.d.ts +1 -1
  67. package/dist/src/tools/identity-get-session-token.d.ts.map +1 -1
  68. package/dist/src/tools/identity-get-session-token.js +1 -1
  69. package/dist/src/tools/identity-get-tip-token.d.ts +1 -1
  70. package/dist/src/tools/identity-get-tip-token.d.ts.map +1 -1
  71. package/dist/src/tools/identity-get-tip-token.js +1 -1
  72. package/dist/src/tools/identity-list-credentials.d.ts +1 -1
  73. package/dist/src/tools/identity-list-credentials.d.ts.map +1 -1
  74. package/dist/src/tools/identity-list-credentials.js +1 -1
  75. package/dist/src/tools/identity-list-risk-patterns.d.ts +1 -1
  76. package/dist/src/tools/identity-list-risk-patterns.d.ts.map +1 -1
  77. package/dist/src/tools/identity-list-risk-patterns.js +1 -1
  78. package/dist/src/tools/identity-list-roles.d.ts +1 -1
  79. package/dist/src/tools/identity-list-roles.d.ts.map +1 -1
  80. package/dist/src/tools/identity-list-roles.js +1 -1
  81. package/dist/src/tools/identity-list-tips.d.ts +1 -1
  82. package/dist/src/tools/identity-list-tips.d.ts.map +1 -1
  83. package/dist/src/tools/identity-list-tips.js +1 -1
  84. package/dist/src/tools/identity-login.d.ts +1 -1
  85. package/dist/src/tools/identity-login.d.ts.map +1 -1
  86. package/dist/src/tools/identity-login.js +1 -1
  87. package/dist/src/tools/identity-logout.d.ts +1 -1
  88. package/dist/src/tools/identity-logout.d.ts.map +1 -1
  89. package/dist/src/tools/identity-logout.js +1 -1
  90. package/dist/src/tools/identity-risk-check.d.ts +1 -1
  91. package/dist/src/tools/identity-risk-check.d.ts.map +1 -1
  92. package/dist/src/tools/identity-risk-check.js +1 -1
  93. package/dist/src/tools/identity-set-binding.d.ts +1 -1
  94. package/dist/src/tools/identity-set-binding.d.ts.map +1 -1
  95. package/dist/src/tools/identity-set-binding.js +1 -1
  96. package/dist/src/tools/identity-status.d.ts +1 -1
  97. package/dist/src/tools/identity-status.d.ts.map +1 -1
  98. package/dist/src/tools/identity-status.js +1 -1
  99. package/dist/src/tools/identity-unset-binding.d.ts +1 -1
  100. package/dist/src/tools/identity-unset-binding.d.ts.map +1 -1
  101. package/dist/src/tools/identity-unset-binding.js +1 -1
  102. package/dist/src/tools/identity-whoami.d.ts +1 -1
  103. package/dist/src/tools/identity-whoami.d.ts.map +1 -1
  104. package/dist/src/tools/identity-whoami.js +1 -1
  105. package/dist/src/types.d.ts +22 -0
  106. package/dist/src/types.d.ts.map +1 -1
  107. package/dist/src/utils/tool-result.d.ts +26 -0
  108. package/dist/src/utils/tool-result.d.ts.map +1 -0
  109. package/dist/src/utils/tool-result.js +40 -0
  110. package/openclaw.plugin.json +15 -0
  111. package/package.json +9 -6
  112. package/skills/SKILL.md +3 -8
  113. package/dist/src/store/tool-approval-store.d.ts +0 -40
  114. package/dist/src/store/tool-approval-store.d.ts.map +0 -1
  115. package/dist/src/store/tool-approval-store.js +0 -162
  116. package/dist/src/tools/identity-approve-tool.d.ts +0 -15
  117. package/dist/src/tools/identity-approve-tool.d.ts.map +0 -1
  118. package/dist/src/tools/identity-approve-tool.js +0 -50
  119. package/dist/src/utils/approval-channel.d.ts +0 -7
  120. package/dist/src/utils/approval-channel.d.ts.map +0 -1
  121. package/dist/src/utils/approval-channel.js +0 -28
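--- a/package/README-cn.md
+++ b/package/README-cn.md
@@ -9,9 +9,11 @@ UserPool OIDC 登录、TIP (Trusted Identity Provider) 令牌(通过 Identity
  ## 功能特性
 
  - **OIDC 登录**:`/identity login` 返回 IdP 授权 URL。用户打开 URL 后,IdP 重定向到 `/identity/oauth/callback`。
- - **TIP 令牌**:当会话中有已登录用户时,`before_agent_start` 钩子会获取 TIP 令牌。
+ - **LLM 前置认证拦截(`before_dispatch`)**:在 LLM 调用前拦截未认证消息,节省 token 开销。直接在静态回复中返回 OIDC 登录 URL。在不支持 `before_dispatch` 的旧版 OpenClaw 上自动回退到 `before_agent_start`。
+ - **TIP 令牌**:`before_dispatch` / `before_agent_start` 钩子在会话中有已登录用户时获取 TIP 令牌。
  - **凭据 3LO**:`/identity fetch <provider>` 返回授权 URL。IdP 重定向到 Identity 提供的回调地址(控制台配置)。
  - **凭据绑定**:`/identity set <provider> <envVar>` 将存储的凭据绑定到环境变量。凭据按工具调用粒度安全注入,并发多用户会话之间互相隔离。
+ - **本地身份服务(UDS)**:可选的 HTTP-over-Unix-Domain-Socket 服务,将 TIP 令牌、OIDC 会话令牌及所有插件工具暴露给本地其他进程。支持 Linux `SO_PEERCRED` + `/proc` 进程级校验和可配置进程白名单。
  - **加密会话存储**:`sessions.json` 使用 AES-256-GCM 加密存储在磁盘上。旧版明文文件首次加载时自动迁移。
  - **内存 TIP 缓存**:TIP 令牌仅存储在内存中(不持久化到磁盘)。TIP 是短效令牌,可随时从用户 session token 重新获取。
  - **动态 UserPool**:通过 `userPoolName` + `clientName` 解析 OIDC 配置(无需手动配置 clientId)。
@@ -44,8 +46,6 @@ UserPool OIDC 登录、TIP (Trusted Identity Provider) 令牌(通过 Identity
  | `fetch <provider> [--flow=...]` | 添加凭据。flow 根据 provider 类型自动推断;可用 `--flow` 覆盖。 |
  | `set <provider> <envVar>` | 将凭据绑定到环境变量供工具注入。无凭据时从 `process.env[envVar]` 导入。 |
  | `unset <provider>` | 移除 provider 的环境变量绑定。 |
- | `approve <approval_id>` | 审批待处理的高风险工具调用。 |
- | `reject <approval_id>` | 拒绝待处理的高风险工具调用。 |
 
  ## OIDC 登录流程
 
@@ -144,7 +144,7 @@ openclaw plugins install --link .
  - `llmRiskCheck`:LLM 配置(`endpoint`、`api`、`model`、`apiKey`、`timeoutMs`、`cacheTtlMs`)。`enableLlmRiskCheck` 为 true 时必填。
  - `approvalTtlSeconds`:审批链接/命令的 TTL(秒)。默认 300。
 
- **预期结果**:配置完成后,插件可正常发起登录、获取 TIP Token。开启 AuthZ 相关开关后,agent/工具/skill 权限检查与高风险审批生效;使用 `/identity approve <approval_id>` 审批被拦截的调用。
+ **预期结果**:配置完成后,插件可正常发起登录、获取 TIP Token。开启 AuthZ 相关开关后,agent/工具/skill 权限检查与高风险审批生效。高风险工具调用通过 OpenClaw 原生 `requireApproval` 机制处理(UI 覆层、Telegram 按钮、Discord 交互、`/approve` CLI)。
 
  ---
 
@@ -177,7 +177,10 @@ openclaw plugins install --link .
  "lowRiskBypass": true,
  "enableLlmRiskCheck": false,
  "approvalTtlSeconds": 300
- }
+ },
+ "localServer": false,
+ "localServerAllowlist": [],
+ "localServerFailOpen": true
  }
  }
  }
@@ -206,6 +209,9 @@ openclaw plugins install --link .
  | `subagentTipPropagation` | boolean | 否 | 将 TIP 和 session 传播到子 agent。默认 false |
  | `webchatSessionExchange` | boolean | 否 | 启用 `identity.session.put` / `identity.session.get` gateway WS 方法供 webchat 客户端使用。默认 false |
  | `personalSessionMode` | boolean | 否 | 个人/单用户模式:TIP、OIDC session、凭据仅存储在 `agent:main:main`(不做按发送者或 per-channel-peer 隔离)。子 agent 会话不变。默认 false;多租户或群聊共享场景勿开启。 |
+ | `localServer` | boolean | 否 | 启用本地 UDS 身份服务。默认 false。详见[本地身份服务(UDS)](#本地身份服务uds)。 |
+ | `localServerAllowlist` | string[] | 否 | 额外允许访问 UDS 服务的进程名/路径。`curl` 始终允许。 |
+ | `localServerFailOpen` | boolean | 否 | 无法识别对端进程时是否放行。默认 true。 |
 
  \* AK/SK 至少通过 `accessKeyId`+`secretAccessKey`、环境变量、`credentialsMetadataUrl`+`roleTrn` 或 `credentialsFile` 之一提供。
 
@@ -246,7 +252,7 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
 
  当用户从飞书聊天运行 `/identity` 时,登录成功和凭据获取的跟进消息会通过飞书发送。凭据从 openclaw.json 的 `channels.feishu` 读取(与 feishu 扩展相同:`appId`、`appSecret`,可选 `accounts`)。agent-identity 无需额外配置。
 
- **审批消息**(当高风险工具被拦截时):若要向飞书(或 Telegram、Slack 等)推送审批请求,请在 openclaw.json 中将 `session.dmScope` 设置为 `per-channel-peer` 或 `per-account-channel-peer`。默认 `session.dmScope: "main"` 时,sessionKey 不包含 channel/peer 信息,插件无法推导推送目标,审批消息不会推送。用户仍可在 agent 的错误回复中看到 block/approval_id;使用 `/identity approve <id>` 审批。
+ **审批消息**(当高风险工具被拦截时):插件从 `before_tool_call` 返回 `requireApproval`,OpenClaw 框架在所有渠道原生处理审批 UI(exec 覆层、Telegram 按钮、Discord 交互、`/approve` CLI)。无需插件侧推送逻辑。
 
  ### WebChat Session Exchange(Gateway WS 方法)
 
@@ -299,16 +305,71 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
  - **identity_config_suggest** — 可合并的配置片段(`intent`、`lang`)
  - **identity_set_binding** / **identity_unset_binding** — 工具注入用的环境变量绑定
  - **identity_risk_check** / **identity_list_risk_patterns** — 风险评估(可选插件能力)
- - **identity_approve_tool** — 可选;**仅供人工审批** — 推荐 `/identity approve <id>`(模型不得自批)
  - **identity_list_tips** — 所有有效 TIP 与绑定(运维 / 多会话排查)
 
  ## 钩子
 
- - **before_agent_start** - 仅为主 agent 获取 TIP token。开启 `authz.agentCheck` 后,会执行 CheckPermission 校验用户是否有权调用该 agent。
+ - **before_dispatch** - 无状态 LLM 前置认证拦截。在 LLM 调用前检查 TIP 令牌是否有效。未找到 TIP 时,以静态回复(包含 OIDC 登录 URL)阻断消息,LLM 零 token 消耗。开启 `authz.agentCheck` 后同时执行 agent 级 CheckPermission。设置特性标志使 `before_agent_start` 跳过冗余认证逻辑。
+ - **before_agent_start** - 面向不支持 `before_dispatch` 的旧版 OpenClaw 的回退认证拦截。当 `before_dispatch` 活跃时,此钩子的认证逻辑为空操作。仍负责获取 TIP 令牌和执行 agent CheckPermission。
  - **subagent_spawned** - 在子 agent 创建时将 TIP 传播到子会话。
- - **before_tool_call** - 群组上下文注入、可选 AuthZ(TIP 检查、CheckPermission、风险审批)、工具调用级凭据注入。
+ - **before_tool_call** - 群组上下文注入、可选 AuthZ(TIP 检查、CheckPermission、通过 `requireApproval` 处理风险审批)、工具调用级凭据注入。高风险工具调用返回 `requireApproval` 给 OpenClaw 框架,由框架原生处理审批 UI。
  - **after_tool_call** - 清理工具调用级凭据注入状态。
 
+ ## 本地身份服务(UDS)
+
+ 当 `identity.localServer` 为 `true` 时,插件启动一个基于 Unix Domain Socket 的 HTTP 服务,允许本地其他进程(脚本、插件、CLI 工具)访问身份令牌和执行插件工具,无需经过 OpenClaw 消息通道。
+
+ ### 配置
+
+ | 参数 | 类型 | 描述 |
+ |------|------|------|
+ | `localServer` | boolean | 启用本地 UDS 服务。默认 false。 |
+ | `localServerAllowlist` | string[] | 额外允许连接的进程名或路径。支持精确匹配和 glob 后缀(如 `"python*"`)。`curl` 默认始终允许。 |
+ | `localServerFailOpen` | boolean | 无法识别对端进程时,是否允许连接(依赖 0600 socket 权限兜底)。默认 true。设为 false 为严格模式。 |
+
+ **Socket 路径**:`~/.openclaw/plugins/identity/identity.sock`(权限 `0600`,仅 owner 可访问)。
+
+ ### 端点
+
+ | 方法 | 路径 | 描述 |
+ |------|------|------|
+ | `GET` | `/token` | 主会话的 TIP 令牌 |
+ | `GET` | `/token?session=<key>` | 指定会话的 TIP 令牌 |
+ | `GET` | `/session` | 主会话的 OIDC session(id_token) |
+ | `GET` | `/status` | 服务健康状态与可用会话概览 |
+ | `GET` | `/tools` | 列出所有可用工具名称、描述及 JSON Schema |
+ | `POST` | `/tool/<name>` | 执行指定工具。Body:`{ "params": {...}, "session": "..." }` |
+
+ ### 进程级校验(Linux)
+
+ 在 Linux 上,服务通过以下方式校验连接进程:
+
+ 1. **`SO_PEERCRED`**(内核级):通过 `getsockopt` 零开销获取对端 PID/UID/GID。需注册原生 provider。
+ 2. **`/proc` 文件系统**:从 `/proc/<pid>/exe`、`/proc/<pid>/comm`、`/proc/<pid>/status` 获取进程名和路径,无需 spawn 外部进程。
+
+ 解析后的进程信息与内置白名单(`curl`)及 `localServerAllowlist` 自定义条目做匹配。当 `localServerFailOpen` 为 true(默认)时,无法识别的对端将被放行(socket 文件权限提供基础安全保障)。
+
+ ### 使用示例
+
+ ```bash
+ # 获取 TIP 令牌
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/token
+
+ # 获取 OIDC session 令牌
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/session
+
+ # 列出可用工具
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/tools
+
+ # 执行工具
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock \
+ -X POST http://localhost/tool/identity_whoami \
+ -H 'Content-Type: application/json' \
+ -d '{"params": {}, "session": ""}'
+ ```
+
+ 更多语言示例见 [`demo/local-server/`](demo/local-server/)(Python、Go、TypeScript、Java、Rust)。
+
  ## 数据存储
 
  插件数据位于 `~/.openclaw/plugins/identity/`: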
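--- a/package/README.md
+++ b/package/README.md
@@ -9,9 +9,11 @@ Integrates with [Volcengine Agent Identity and Permission Management](https://ww
  ## Features
 
  - **OIDC Login**: `/identity login` returns IdP auth URL (no HTTP start endpoint). User opens URL, IdP redirects to `/identity/oauth/callback`.
- - **TIP Token**: `before_agent_start` hook fetches TIP token when session has a logged-in user.
+ - **Pre-LLM Auth Gate (`before_dispatch`)**: Blocks unauthenticated messages before the LLM is invoked, saving tokens. Returns an OIDC login URL directly in the static response. Falls back to `before_agent_start` on older OpenClaw versions.
+ - **TIP Token**: `before_dispatch` / `before_agent_start` hooks fetch TIP token when session has a logged-in user.
  - **Credential 3LO**: `/identity fetch <provider>` returns auth URL. IdP redirects to Identity-provided callback (control-plane config).
  - **Credential Binding**: `/identity set <provider> <envVar>` binds stored credential to env var. Credentials are securely injected per-tool-call, isolated between concurrent multi-user sessions.
+ - **Local Identity Server (UDS)**: Optional HTTP-over-Unix-Domain-Socket server exposing TIP tokens, OIDC session tokens, and all plugin tools to other local processes. Supports peer credential checking (Linux `SO_PEERCRED` + `/proc`) and configurable process allowlist.
  - **Encrypted Session Storage**: `sessions.json` is encrypted at rest (AES-256-GCM). Plaintext sessions from older versions are auto-migrated on first load.
  - **In-memory TIP Cache**: TIP tokens are stored only in memory (no disk persistence). They are short-lived and re-obtained from the user's session token on demand.
  - **Dynamic UserPool**: Resolve OIDC config by `userPoolName` + `clientName` (no manual clientId).
@@ -44,8 +46,6 @@ Single command `/identity` (alias `/id`) with subcommands. Default with no args:
  | `fetch <provider> [--flow=...]` | Add credential. Flow auto-inferred from provider type (api_key/oauth2/m2m); override with `--flow`. |
  | `set <provider> <envVar>` | Bind credential to env var for tool injection. If no credential, import from `process.env[envVar]`. |
  | `unset <provider>` | Remove env binding for provider. |
- | `approve <approval_id>` | Approve a pending high-risk tool call. |
- | `reject <approval_id>` | Reject a pending high-risk tool call. |
 
  ## OIDC Login Flow
 
@@ -144,7 +144,7 @@ The plugin typically needs three types of config:
  - `llmRiskCheck`: LLM config (`endpoint`, `api`, `model`, `apiKey`, `timeoutMs`, `cacheTtlMs`). Required when `enableLlmRiskCheck` is true.
  - `approvalTtlSeconds`: Approval link/command TTL (seconds). Default 300.
 
- **Expected outcome**: After config, the plugin can initiate login and obtain TIP Token. With AuthZ flags enabled, agent/tool/skill permission checks and high-risk approvals apply; use `/identity approve <approval_id>` to approve blocked calls.
+ **Expected outcome**: After config, the plugin can initiate login and obtain TIP Token. With AuthZ flags enabled, agent/tool/skill permission checks and high-risk approvals apply. High-risk tool calls use OpenClaw's native `requireApproval` mechanism (UI overlay, Telegram buttons, Discord interactions, `/approve` CLI).
 
  ---
 
@@ -177,7 +177,10 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
  "lowRiskBypass": true,
  "enableLlmRiskCheck": false,
  "approvalTtlSeconds": 300
- }
+ },
+ "localServer": false,
+ "localServerAllowlist": [],
+ "localServerFailOpen": true
  }
  }
  }
@@ -206,6 +209,9 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
  | `subagentTipPropagation` | boolean | No | Propagate TIP and session to subagents. Default false |
  | `webchatSessionExchange` | boolean | No | Enable `identity.session.put` / `identity.session.get` gateway WS methods for webchat clients. Default false |
  | `personalSessionMode` | boolean | No | Single-user mode: TIP, OIDC session, and credentials are stored only under `agent:main:main` (no per-sender or per-channel-peer keys). Subagent sessions unchanged. Default false — do not enable for multi-tenant or shared groups. |
+ | `localServer` | boolean | No | Enable the local UDS identity server. Default false. See [Local Identity Server (UDS)](#local-identity-server-uds). |
+ | `localServerAllowlist` | string[] | No | Additional process names/paths allowed to access the UDS server. `curl` always allowed. |
+ | `localServerFailOpen` | boolean | No | Allow connections when peer cannot be identified. Default true. |
 
  \* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, `credentialsMetadataUrl`+`roleTrn`, or `credentialsFile`.
 
@@ -246,7 +252,7 @@ TIP token is obtained via `GetWorkloadAccessTokenForJWT`. Workload behavior:
 
  Login success and credential fetch follow-up messages (e.g. "✓ Credential for `google` added.") are sent via Feishu when the user runs `/identity` from a Feishu chat. Credentials are read from `channels.feishu` in openclaw.json (same as feishu extension: `appId`, `appSecret`, optional `accounts`). No extra config in agent-identity is required.
 
- **Approval messages** (when a high-risk tool is blocked): For approval requests to be delivered to Feishu (or Telegram, Slack, etc.), set `session.dmScope` to `per-channel-peer` or `per-account-channel-peer` in openclaw.json. With default `session.dmScope: "main"`, the sessionKey does not include channel/peer info, so the plugin cannot derive a delivery target and approval messages are not pushed. The user will still see the block/approval_id in the agent's error reply; use `/identity approve <id>` to approve.
+ **Approval messages** (when a high-risk tool is blocked): The plugin returns `requireApproval` from `before_tool_call`, and OpenClaw handles the approval UI natively across all channels (exec overlay, Telegram buttons, Discord interactions, `/approve` CLI). No plugin-side delivery logic is needed.
 
  ### WebChat Session Exchange (Gateway WS Methods)
 
@@ -299,16 +305,71 @@ Agent-facing behavior is summarized in [`skills/SKILL.md`](skills/SKILL.md). Reg
  - **identity_config_suggest** — Config merge snippets (`intent`, `lang`)
  - **identity_set_binding** / **identity_unset_binding** — Env var bindings for tool injection
  - **identity_risk_check** / **identity_list_risk_patterns** — Risk evaluation (optional plugin)
- - **identity_approve_tool** — Optional; **human approval only** — prefer `/identity approve <id>` (agents must not self-approve)
  - **identity_list_tips** — All valid TIP tokens and bindings (ops / multi-session debug)
 
  ## Hooks
 
- - **before_agent_start** - Fetch TIP token for main agent only. When `authz.agentCheck` is enabled, runs CheckPermission to verify the user can invoke the agent.
+ - **before_dispatch** - Stateless pre-LLM authentication gate. Checks for a valid TIP token before the LLM is invoked. If no TIP is found, blocks the message with a static response containing an OIDC login URL. Zero LLM token cost for unauthenticated users. When `authz.agentCheck` is enabled, also runs agent-level CheckPermission. Sets a feature flag so `before_agent_start` skips redundant auth logic.
+ - **before_agent_start** - Fallback auth gate for older OpenClaw versions that do not support `before_dispatch`. When `before_dispatch` is active, this hook is a no-op for authentication. Still fetches TIP token and runs agent CheckPermission when applicable.
  - **subagent_spawned** - Propagate TIP to child session on subagent spawn.
- - **before_tool_call** - Group context injection, optional AuthZ (TIP check, CheckPermission, risk approval), and per-tool-call credential injection.
+ - **before_tool_call** - Group context injection, optional AuthZ (TIP check, CheckPermission, risk via `requireApproval`), and per-tool-call credential injection. High-risk tool calls return `requireApproval` to the OpenClaw framework, which handles approval UI natively.
  - **after_tool_call** - Clean up per-tool-call credential injection state.
 
+ ## Local Identity Server (UDS)
+
+ When `identity.localServer` is `true`, the plugin starts an HTTP server over a Unix Domain Socket, allowing other local processes (scripts, plugins, CLIs) to access identity tokens and execute plugin tools without going through OpenClaw's messaging layer.
+
+ ### Configuration
+
+ | Param | Type | Description |
+ |-------|------|-------------|
+ | `localServer` | boolean | Enable the local UDS server. Default false. |
+ | `localServerAllowlist` | string[] | Additional process names or paths allowed to connect. Supports exact match and glob suffix (e.g. `"python*"`). `curl` is always allowed by default. |
+ | `localServerFailOpen` | boolean | When peer identity cannot be resolved, allow the connection (relying on 0600 socket permissions). Default true. Set to false for strict mode. |
+
+ **Socket path**: `~/.openclaw/plugins/identity/identity.sock` (permissions `0600`, owner-only access).
+
+ ### Endpoints
+
+ | Method | Path | Description |
+ |--------|------|-------------|
+ | `GET` | `/token` | TIP token for the main session |
+ | `GET` | `/token?session=<key>` | TIP token for a specific session |
+ | `GET` | `/session` | OIDC session (id_token) for main session |
+ | `GET` | `/status` | Server health and available sessions summary |
+ | `GET` | `/tools` | List all available tool names with descriptions and JSON schemas |
+ | `POST` | `/tool/<name>` | Execute a registered tool. Body: `{ "params": {...}, "session": "..." }` |
+
+ ### Peer Credential Checking (Linux)
+
+ On Linux, the server validates connecting processes via:
+
+ 1. **`SO_PEERCRED`** (kernel-level): Zero-overhead retrieval of peer PID/UID/GID via `getsockopt`. Requires a registered native provider.
+ 2. **`/proc` filesystem**: Derives process name and path from `/proc/<pid>/exe`, `/proc/<pid>/comm`, `/proc/<pid>/status`. No process spawning.
+
+ Resolved peer info is checked against the built-in allowlist (`curl`) plus any custom entries in `localServerAllowlist`. When `localServerFailOpen` is true (default), unresolvable peers are allowed (socket file permissions provide baseline security).
+
+ ### Usage Examples
+
+ ```bash
+ # Get TIP token
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/token
+
+ # Get OIDC session token
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/session
+
+ # List available tools
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock http://localhost/tools
+
+ # Execute a tool
+ curl --unix-socket ~/.openclaw/plugins/identity/identity.sock \
+ -X POST http://localhost/tool/identity_whoami \
+ -H 'Content-Type: application/json' \
+ -d '{"params": {}, "session": ""}'
+ ```
+
+ See [`demo/local-server/`](demo/local-server/) for examples in Python, Go, TypeScript, Java, and Rust.
+
  ## Data Storage
 
  Plugin data at `~/.openclaw/plugins/identity/`: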
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAmF7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA+etD"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAgB,MAAM,qBAAqB,CAAC;AAqF3E,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA6iBtD"}
package/dist/index.js CHANGED
@@ -17,6 +17,8 @@ import { runPluginPreflight } from "./src/preflight/plugin-preflight.js";
17
17
  import { pluginState } from "./src/preflight/plugin-state.js";
18
18
  import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
19
19
  import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
20
+ import { createBeforeDispatchHandler } from "./src/hooks/before-dispatch.js";
21
+ import { runLogin } from "./src/actions/identity-actions.js";
20
22
  import { createLlmInputHandler } from "./src/hooks/llm-input.js";
21
23
  import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
22
24
  import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
@@ -31,7 +33,6 @@ import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src
31
33
  import { IdentityClient, resolveOIDCConfig, } from "./src/services/identity-client.js";
32
34
  import { IdentityService } from "./src/services/identity-service.js";
33
35
  import { sendNotificationFeishu } from "./src/services/send-notification-feishu.js";
34
- import { createIdentityApproveTool } from "./src/tools/identity-approve-tool.js";
35
36
  import { createIdentityConfigTool } from "./src/tools/identity-config.js";
36
37
  import { createIdentityConfigSuggestTool } from "./src/tools/identity-config-suggest.js";
37
38
  import { createIdentityListRiskPatternsTool } from "./src/tools/identity-list-risk-patterns.js";
@@ -53,6 +54,7 @@ import { parseSessionKeyToDeliveryTarget, } from "./src/utils/derive-session-key
53
54
  import { createSessionPutHandler, createSessionGetHandler, } from "./src/gateway/identity-session-methods.js";
54
55
  import { logDebug, logInfo, logWarn } from "./src/utils/logger.js";
55
56
  import { initEncryptionKey } from "./src/store/encryption.js";
57
+ import { startIdentitySocket, stopIdentitySocket } from "./src/local-server/identity-socket.js";
56
58
  const PLUGIN_STORE_DIR = "~/.openclaw/plugins/identity";
57
59
  /**
58
60
  * Whether Identity should be enabled.
@@ -254,6 +256,7 @@ export default function register(api) {
254
256
  await sendFn(target.to, text);
255
257
  };
256
258
  const onLoginSuccess = async (sessionKey, sub, deliveryTarget) => {
259
+ logInfo(api.logger, `onLoginSuccess: login completed for session=${sessionKey.slice(0, 24)}... (sub=${sub})`);
257
260
  const targetOrKey = deliveryTarget ?? parseSessionKeyToDeliveryTarget(sessionKey) ?? sessionKey;
258
261
  await sendToSession(targetOrKey, `✓ Login successful as ${sub}. You can continue in the chat.`);
259
262
  };
@@ -319,28 +322,36 @@ export default function register(api) {
319
322
  api.registerCommand(createIdCommand(identityCommandsDeps));
320
323
  logInfo(api.logger, "commands /identity, /id (login, status, logout, list, list-roles, list-tips, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
321
324
  // Tools (share deps with commands). Optional = only included when agent allowlist explicitly adds them.
322
- api.registerTool(createIdentityWhoamiTool(identityCommandsDeps), { optional: false });
323
- api.registerTool(createIdentityLogoutTool(identityCommandsDeps), { optional: false });
324
- api.registerTool(createIdentityStatusTool(identityCommandsDeps), { optional: false });
325
- api.registerTool(createIdentityLoginTool(identityCommandsDeps), { optional: false });
326
- api.registerTool(createIdentityListCredentialsTool(identityCommandsDeps), { optional: false });
327
- api.registerTool(createIdentityListRolesTool(identityCommandsDeps), { optional: false });
328
- api.registerTool(createIdentityListTipsTool(identityCommandsDeps), { optional: false });
329
- api.registerTool(createIdentityConfigTool(identityCommandsDeps), { optional: false });
330
- api.registerTool(createIdentityConfigSuggestTool(), { optional: false });
331
- api.registerTool(createIdentityFetchTool(identityCommandsDeps), { optional: false });
332
- api.registerTool(createIdentityGetRoleCredentialsTool(identityCommandsDeps), { optional: false });
333
- api.registerTool(createIdentityGetTipTokenTool(identityCommandsDeps), { optional: false });
334
- api.registerTool(createIdentityGetSessionTokenTool(identityCommandsDeps), { optional: false });
335
- api.registerTool(createIdentitySetBindingTool(identityCommandsDeps), { optional: true });
336
- api.registerTool(createIdentityUnsetBindingTool(identityCommandsDeps), { optional: true });
337
- api.registerTool(createIdentityRiskCheckTool({ pluginConfig, logger: api.logger }), { optional: true });
338
- api.registerTool(createIdentityListRiskPatternsTool(), { optional: true });
325
+ // Collected in an array so the same factories can be reused for the local UDS server.
339
326
  const authz = pluginConfig.authz;
340
- const approvalTtlMs = (authz?.approvalTtlSeconds ?? 300) * 1000;
341
- api.registerTool(createIdentityApproveTool({ approvalTtlMs, logger: api.logger }), {
342
- optional: true,
343
- });
327
+ const toolRegs = [
328
+ { factory: createIdentityWhoamiTool(identityCommandsDeps), optional: false },
329
+ { factory: createIdentityLogoutTool(identityCommandsDeps), optional: false },
330
+ { factory: createIdentityStatusTool(identityCommandsDeps), optional: false },
331
+ { factory: createIdentityLoginTool(identityCommandsDeps), optional: false },
332
+ { factory: createIdentityListCredentialsTool(identityCommandsDeps), optional: false },
333
+ { factory: createIdentityListRolesTool(identityCommandsDeps), optional: false },
334
+ { factory: createIdentityListTipsTool(identityCommandsDeps), optional: false },
335
+ { factory: createIdentityConfigTool(identityCommandsDeps), optional: false },
336
+ { factory: createIdentityConfigSuggestTool(), optional: false },
337
+ { factory: createIdentityFetchTool(identityCommandsDeps), optional: false },
338
+ { factory: createIdentityGetRoleCredentialsTool(identityCommandsDeps), optional: false },
339
+ { factory: createIdentityGetTipTokenTool(identityCommandsDeps), optional: false },
340
+ { factory: createIdentityGetSessionTokenTool(identityCommandsDeps), optional: false },
341
+ { factory: createIdentitySetBindingTool(identityCommandsDeps), optional: true },
342
+ { factory: createIdentityUnsetBindingTool(identityCommandsDeps), optional: true },
343
+ { factory: createIdentityRiskCheckTool({ pluginConfig, logger: api.logger }), optional: true },
344
+ { factory: createIdentityListRiskPatternsTool(), optional: true },
345
+ ];
346
+ for (const { factory, optional } of toolRegs) {
347
+ api.registerTool(factory, { optional });
348
+ }
349
+ // Build name → factory map for the local UDS server (same factories, zero duplication).
350
+ const toolFactoryMap = new Map();
351
+ for (const { factory } of toolRegs) {
352
+ const sample = factory({});
353
+ toolFactoryMap.set(sample.name, factory);
354
+ }
344
355
  // Capture group sender on every inbound message so before_tool_call can
345
356
  // identify which user triggered the current run.
346
357
  api.on("message_received", (event, ctx) => {
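Review bot: `const sample = factory({});` calls every tool factory with an empty context only to read `.name`, and the result is dereferenced unchecked, so a factory that returns nothing or throws for such a context would abort `register()` for the whole plugin. A guard such as `if (sample?.name) toolFactoryMap.set(sample.name, factory);` avoids that. The map is also built when `localServer` is off, and it drops the `optional` flag, so the token and credential tools (`createIdentityGetRoleCredentialsTool`, `createIdentityGetSessionTokenTool`, `createIdentityGetTipTokenTool`) and the opt-in binding tools reach the socket server on equal footing. Whether the server filters them is not visible here, so I would build the map inside the `localServer` branch and document which tool names may be served. The `message_received` callback at the end of the hunk continues outside it.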
@@ -386,11 +397,31 @@ export default function register(api) {
386
397
  logDebug(api.logger, `sender captured session=${sessionKey} sender=${senderId}`);
387
398
  }, { priority: 200 });
388
399
  api.on("session_end", (_event, ctx) => {
389
- if (ctx.sessionKey)
400
+ if (ctx.sessionKey) {
390
401
  clearSender(ctx.sessionKey);
402
+ }
391
403
  });
392
404
  // Hooks
393
405
  if (hasIdentity) {
406
+ // before_dispatch: stateless pre-LLM auth gate — checks TIP token on
407
+ // every message and blocks unauthenticated users BEFORE model invocation
408
+ // (zero token cost). Also sets a feature flag so before_agent_start
409
+ // knows to skip its legacy auth logic.
410
+ api.on("before_dispatch", createBeforeDispatchHandler({
411
+ storeDir,
412
+ identityService,
413
+ configWorkloadName: identityCfg?.workloadName,
414
+ getOidcConfigForRefresh,
415
+ logger: api.logger,
416
+ identityClient: hasIdentity ? identityClient : undefined,
417
+ namespaceName: authz?.namespaceName ?? "default",
418
+ agentCheck: authz?.agentCheck ?? false,
419
+ generateLoginUrl: async (sessionKey) => runLogin(identityCommandsDeps, sessionKey),
420
+ }));
421
+ // before_agent_start: legacy fallback for older openclaw versions that
422
+ // don't support before_dispatch. When before_dispatch is active, this
423
+ // hook skips auth entirely. Otherwise injects IDENTITY_REQUIRED_CONTEXT
424
+ // for LLM-based login prompt generation.
394
425
  api.on("before_agent_start", createBeforeAgentStartHandler({
395
426
  storeDir,
396
427
  identityService,
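Review bot: The new comments say `before_agent_start` "skips auth entirely" once `before_dispatch` is active, and the flag is set by the hook itself, so it appears to latch for the whole process after the first dispatched message. A run that reaches `before_agent_start` without a preceding `before_dispatch` would then pass unchecked, if the runtime has entry paths that do not fire the hook. The handler bodies are not in this hunk, so please confirm the flag is scoped per session or that every entry path fires `before_dispatch`, and say so in the comment. Minor: inside `if (hasIdentity)` the ternary in `identityClient: hasIdentity ? identityClient : undefined` is always true and can be `identityClient,`. The `createBeforeAgentStartHandler` call continues outside the hunk.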
@@ -439,9 +470,7 @@ export default function register(api) {
439
470
  identityClient: hasIdentity ? identityClient : undefined,
440
471
  namespaceName: authz?.namespaceName ?? "default",
441
472
  logger: api.logger,
442
- sendToSession,
443
473
  authz,
444
- approvalTtlMs,
445
474
  identityService: hasIdentity ? identityService : undefined,
446
475
  getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
447
476
  configWorkloadName: identityCfg?.workloadName,
@@ -467,8 +496,8 @@ export default function register(api) {
467
496
  // On any failure, set pluginState.degraded so hooks skip all interception.
468
497
  const authzEnabled = !!(authz?.agentCheck || authz?.toolCheck || authz?.requireRiskApproval);
469
498
  runPluginPreflight({
499
+ pluginConfig,
470
500
  identityClient,
471
- identityService,
472
501
  hasIdentity,
473
502
  credentialConfig: identityCfg
474
503
  ? {
@@ -485,7 +514,6 @@ export default function register(api) {
485
514
  : explicitOidcEnabled
486
515
  ? { mode: "explicit", discoveryUrl: userpool?.discoveryUrl }
487
516
  : undefined,
488
- workloadPoolName: identityCfg?.workloadPoolName,
489
517
  authzEnabled,
490
518
  namespaceName: authz?.namespaceName ?? "default",
491
519
  logger: api.logger,
@@ -497,4 +525,29 @@ export default function register(api) {
497
525
  }).catch((err) => {
498
526
  logWarn(api.logger, `[identity] preflight threw unexpectedly: ${String(err)}`);
499
527
  });
528
+ // Local UDS server: lets other processes on the same machine retrieve
529
+ // TIP tokens via HTTP-over-UDS (no network exposure, 0600 socket).
530
+ // Registered as a proper service so OpenClaw manages start/stop lifecycle.
531
+ if (identityCfg?.localServer && hasIdentity) {
532
+ const socketOpts = {
533
+ storeDir,
534
+ identityService,
535
+ configWorkloadName: identityCfg.workloadName,
536
+ getOidcConfigForRefresh,
537
+ logger: api.logger,
538
+ allowlist: identityCfg.localServerAllowlist,
539
+ failOpen: identityCfg.localServerFailOpen ?? true,
540
+ toolFactories: toolFactoryMap,
541
+ };
542
+ api.registerService({
543
+ id: "identity-local-server",
544
+ start: async () => {
545
+ const socketPath = await startIdentitySocket(socketOpts);
546
+ logInfo(api.logger, `local identity server ready at ${socketPath}`);
547
+ },
548
+ stop: async () => {
549
+ await stopIdentitySocket(api.logger);
550
+ },
551
+ });
552
+ }
500
553
  }
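Review bot: `failOpen: identityCfg.localServerFailOpen ?? true` makes the new token-serving socket fail open unless the operator opts out, and `allowlist` is passed through even when unset. Judging by the option name, a peer check that cannot be completed would then let the caller through. For an endpoint that hands out TIP tokens the safer default is to deny, `failOpen: identityCfg.localServerFailOpen ?? false,`, with a `logWarn` at start-up when `localServerAllowlist` is empty or missing. The service is also registered regardless of the preflight result, which per the comment in the preflight hunk sets `pluginState.degraded`. Whether the socket handlers honour that state is not visible here.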
@@ -1 +1 @@
1
- {"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;AAmHzE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,
wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAyDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CA6DhC;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,yBAAyB,CAAC,CA2CpC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAA
M,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA6ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CAqKtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B;AAED,MAAM,MAAM,8BAA8B,GACtC;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,O
AAO,qBAAqB,EAAE,cAAc,CAAC;CACvD,GACA,OAAO,CAAC,8BAA8B,CAAC,CAsDzC;AAED,MAAM,MAAM,iBAAiB,GACzB;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,MAAM,qBAAqB,GAC7B;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,4CAA4C;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC"}
1
+ {"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;AAoHzE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,
wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAyDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CA6DhC;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,yBAAyB,CAAC,CA2CpC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAA
M,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA6ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CAqKtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B;AAED,MAAM,MAAM,8BAA8B,GACtC;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,O
AAO,qBAAqB,EAAE,cAAc,CAAC;CACvD,GACA,OAAO,CAAC,8BAA8B,CAAC,CAsDzC;AAED,MAAM,MAAM,iBAAiB,GACzB;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,MAAM,qBAAqB,GAC7B;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,4CAA4C;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC"}
@@ -93,7 +93,7 @@ async function pollOAuthAndNotify(params) {
93
93
  }
94
94
  }
95
95
  catch (err) {
96
- logDebug(logger, `fetch poll attempt failed: ${String(err)}`);
96
+ logWarn(logger, `fetch poll attempt failed: ${String(err)}`);
97
97
  }
98
98
  }
99
99
  const target = deliveryTarget ?? sessionKey;
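Review bot: The catch block now calls `logWarn`, but the package file list shows this file changing by exactly one line, so no import was added with it. Unless `logWarn` was already imported from the logger module, the call throws a ReferenceError inside the `catch` and escapes the poll loop, so please confirm the import. Because this sits in a polling loop, a warning per failed attempt can also flood the log while the user is still completing OAuth. Consider keeping `logDebug` for intermediate attempts and warning only when polling gives up. `pollOAuthAndNotify` starts and ends outside the hunk.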
@@ -1 +1 @@
1
- {"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAYL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAaxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAyxBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA3nB3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAooBpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBAvoBrC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAgpBpE"}
1
+ {"version":3,"file":"identity-commands.d.ts","sourceRoot":"","sources":["../../../src/commands/identity-commands.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAYL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACf,MAAM,gCAAgC,CAAC;AAYxC,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC;AAEhD,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AA4uBvD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,oBAAoB;;;;;mBAhlB3C,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAylBpE;AAED,0CAA0C;AAC1C,wBAAgB,eAAe,CAAC,IAAI,EAAE,oBAAoB;;;;;mBA5lBrC,oBAAoB,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;EAqmBpE"}
@@ -20,8 +20,7 @@ import { pluginState } from "../preflight/plugin-state.js";
20
20
  import { logDebug } from "../utils/logger.js";
21
21
  import { diagnoseRisk } from "../risk/diagnose-risk.js";
22
22
  import { getRiskPatterns } from "../risk/classify-risk.js";
23
- import * as toolApprovalStore from "../store/tool-approval-store.js";
24
- const HELP_TEXT = `**/identity** – UserPool login, TIP token, credentials, and risk approval
23
+ const HELP_TEXT = `**/identity** UserPool login, TIP token, credentials, and risk evaluation
25
24
 
26
25
  Subcommands:
27
26
  • \`whoami\` – Identity brief: sub, login time, TIP expiry
@@ -38,8 +37,6 @@ Subcommands:
38
37
  • \`unset <provider>\` – Remove credential env binding
39
38
  • \`risk <command>\` – Diagnose risk for a shell command (e.g. exec)
40
39
  • \`risk-patterns\` – List built-in dangerous commands and sensitive paths
41
- • \`approve <approval_id>\` – Approve a pending high-risk tool call
42
- • \`reject <approval_id>\` – Reject a pending high-risk tool call
43
40
 
44
41
  Fetch: flow auto-inferred from control-plane provider type; override with \`--flow=oauth2-user|oauth2-m2m|apikey|user\`.
45
42
 
@@ -191,8 +188,6 @@ function createIdentityHandler(deps) {
191
188
  "get-role",
192
189
  "set",
193
190
  "unset",
194
- "approve",
195
- "reject",
196
191
  ].includes(sub);
197
192
  if (needsSession && !sessionKey) {
198
193
  return {
@@ -233,10 +228,6 @@ function createIdentityHandler(deps) {
233
228
  return handleRisk(deps, rest);
234
229
  case "risk-patterns":
235
230
  return handleRiskPatterns();
236
- case "approve":
237
- return handleApprove(deps, sessionKey, rest);
238
- case "reject":
239
- return handleReject(deps, sessionKey, rest);
240
231
  default:
241
232
  return {
242
233
  text: `Unknown subcommand: \`${sub}\`. Use \`/identity help\` for usage.`,
@@ -599,33 +590,6 @@ async function handleRisk(deps, rest) {
599
590
  lines.push(`Reason: ${result.reason}`);
600
591
  return { text: lines.join("\n") };
601
592
  }
602
- async function handleApprove(deps, sessionKey, rest) {
603
- const approvalId = rest.trim();
604
- if (!approvalId) {
605
- return {
606
- text: "Usage: `/identity approve <approval_id>`\nExample: `/identity approve abc123`\n\nUse the approval_id from the pending tool message. Must run from the same chat that triggered the approval request.",
607
- };
608
- }
609
- const approvalTtlMs = (deps.pluginConfig?.authz?.approvalTtlSeconds ?? 300) * 1000;
610
- const ok = toolApprovalStore.approve(approvalId, approvalTtlMs, sessionKey);
611
- if (ok)
612
- return { text: "✓ Tool call approved. You can retry the action now." };
613
- return {
614
- text: "⚠ Approval not found or expired. Run from the same chat that requested approval, or the request may have timed out.",
615
- };
616
- }
617
- async function handleReject(deps, sessionKey, rest) {
618
- const approvalId = rest.trim();
619
- if (!approvalId) {
620
- return {
621
- text: "Usage: `/identity reject <approval_id>`\nExample: `/identity reject abc123`\n\nMust run from the same chat that triggered the approval request.",
622
- };
623
- }
624
- const ok = toolApprovalStore.reject(approvalId, sessionKey);
625
- if (ok)
626
- return { text: "✓ Tool call rejected." };
627
- return { text: "⚠ Approval not found or already expired. Run from the same chat that requested approval." };
628
- }
629
593
  async function handleRiskPatterns() {
630
594
  const { commandPatterns, sensitivePaths } = getRiskPatterns();
631
595
  const lines = [
@@ -1,7 +1,15 @@
1
1
  /**
2
- * before_agent_start hook: fetch TIP token for main agent only.
3
- * Credential env injection is handled per-tool-call in before_tool_call
4
- * to avoid process.env race conditions between concurrent runs.
2
+ * before_agent_start hook legacy auth fallback + autonomous trigger handling.
3
+ *
4
+ * Feature-gated: when before_dispatch is active (runtime called it at least
5
+ * once), this hook skips all authentication logic because before_dispatch
6
+ * already handles blocking unauthenticated users at zero token cost.
7
+ *
8
+ * When before_dispatch is NOT active (older openclaw versions that don't
9
+ * support the hook), this hook falls back to the original behavior:
10
+ * - No TIP → inject IDENTITY_REQUIRED_CONTEXT into system prompt
11
+ * - TIP found → optionally run agent permission check
12
+ * - Autonomous triggers → skip interactive login injection
5
13
  */
6
14
  import type { IdentityClientInterface } from "../services/identity-client.js";
7
15
  import type { IdentityService } from "../services/identity-service.js";
@@ -1 +1 @@
1
- {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAyC3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACtG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAoBpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,KACnF,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA8F/C"}
1
+ {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AA0C3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACtG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAoBpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,KACnF,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAmG/C"}