@m1a0rz/agent-identity 0.4.6 → 0.5.0

package/dist/src/local-server/peer-check.js

@@ -0,0 +1,206 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Peer process identification for the local UDS identity server (Linux-only).
+ *
+ * Resolution strategy:
+ *
+ *   SO_PEERCRED (zero-cost, race-free):
+ *     getsockopt(fd, SOL_SOCKET, SO_PEERCRED) returns { pid, uid, gid } directly
+ *     from the kernel. No process spawn, no race conditions.
+ *     Requires a native binding registered via registerPeerCredProvider().
+ *
+ *   /proc filesystem (zero-spawn process info):
+ *     /proc/<pid>/exe   → full executable path (readlink)
+ *     /proc/<pid>/comm  → kernel comm field (process name, max 16 chars)
+ *     /proc/<pid>/status → UID/GID
+ *     Used to resolve process details after PID is obtained from SO_PEERCRED.
+ *
+ * When SO_PEERCRED is not available (no native provider registered), behavior
+ * is controlled by the failOpen flag:
+ *   - failOpen=true  → allow with warning (default, socket 0600 still protects)
+ *   - failOpen=false → reject
+ *
+ * Security model:
+ *   - Socket 0600 ensures same-UID at the filesystem level.
+ *   - SO_PEERCRED adds process-level granularity via an allowlist.
+ *   - Default allowlist: curl, wget, httpie, python, node, bun, deno.
+ *   - Operator can extend via identity.localServerAllowlist config.
+ */
+import { readlinkSync, readFileSync } from "node:fs";
+import path from "node:path";
+let peerLogger = {};
+export function setPeerCheckLogger(logger) {
+    peerLogger = logger;
+}
+const DEFAULT_ALLOWLIST = [
+    "curl",
+    "wget",
+    "http", // httpie
+    "xh", // xh (httpie-compatible)
+    "python",
+    "python3",
+    "node",
+    "bun",
+    "deno",
+    "java",
+    "go",
+];
+// ─── Tier 1: SO_PEERCRED via pluggable native binding ────────────────
+let peerCredProvider = null;
+/**
+ * Register a native SO_PEERCRED provider. Call this at startup if a native
+ * binding (N-API addon, koffi FFI, etc.) is available.
+ *
+ * Example with a hypothetical native addon:
+ *   import { getPeerCred } from "./peercred.node";
+ *   registerPeerCredProvider(getPeerCred);
+ *
+ * The provider receives the connected socket fd and must return
+ * { pid, uid, gid } or null on failure.
+ */
+export function registerPeerCredProvider(fn) {
+    peerCredProvider = fn;
+}
+/** True when a native SO_PEERCRED provider is registered. */
+export function hasPeerCredProvider() {
+    return peerCredProvider !== null;
+}
+/**
+ * Get peer credentials from a connected Unix socket fd via SO_PEERCRED.
+ * Returns null when no native provider is registered or the call fails.
+ */
+function getPeerCredentials(socketFd) {
+    if (!peerCredProvider || socketFd < 0)
+        return null;
+    try {
+        return peerCredProvider(socketFd);
+    }
+    catch {
+        return null;
+    }
+}
+// ─── Tier 2: /proc filesystem (Linux) ────────────────────────────────
+function readProcExe(pid) {
+    try {
+        return readlinkSync(`/proc/${pid}/exe`);
+    }
+    catch {
+        return null;
+    }
+}
+function readProcComm(pid) {
+    try {
+        return readFileSync(`/proc/${pid}/comm`, "utf-8").trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+function readProcIds(pid) {
+    try {
+        const status = readFileSync(`/proc/${pid}/status`, "utf-8");
+        let uid = -1;
+        let gid = -1;
+        for (const line of status.split("\n")) {
+            // Format: "Uid:\treal\teffective\tsaved\tfs"
+            if (line.startsWith("Uid:")) {
+                uid = parseInt(line.split("\t")[1], 10);
+            }
+            else if (line.startsWith("Gid:")) {
+                gid = parseInt(line.split("\t")[1], 10);
+            }
+            if (uid >= 0 && gid >= 0)
+                break;
+        }
+        return { uid, gid };
+    }
+    catch {
+        return null;
+    }
+}
+function buildPeerInfo(pid, cred) {
+    const comm = readProcComm(pid) ?? "unknown";
+    const exe = readProcExe(pid) ?? comm;
+    const ids = cred ?? readProcIds(pid);
+    return {
+        pid,
+        uid: ids?.uid ?? -1,
+        gid: ids?.gid ?? -1,
+        processName: comm,
+        processPath: exe,
+    };
+}
+// ─── Allowlist check ─────────────────────────────────────────────────
+/**
+ * Check whether a peer process is in the allowlist.
+ *
+ * Matching rules (any match = allowed):
+ *   1. Exact basename match: "curl" matches /usr/bin/curl
+ *   2. Full path match: "/usr/bin/curl" matches exactly
+ *   3. Glob suffix: "python*" matches python3, python3.11
+ */
+export function isProcessAllowed(peer, customAllowlist = []) {
+    const list = [...DEFAULT_ALLOWLIST, ...customAllowlist];
+    const baseName = path.basename(peer.processPath || peer.processName);
+    for (const pattern of list) {
+        if (pattern.includes("/") && peer.processPath === pattern)
+            return true;
+        if (pattern.endsWith("*") && baseName.startsWith(pattern.slice(0, -1)))
+            return true;
+        if (pattern === baseName)
+            return true;
+    }
+    return false;
+}
+// ─── Main entry ──────────────────────────────────────────────────────
+/**
+ * Resolve and validate the peer process for a UDS connection.
+ *
+ * @param customAllowlist  Extra process names/paths to allow.
+ * @param failOpen    If true, allow when SO_PEERCRED is unavailable
+ *                    (socket 0600 still provides UID-level protection).
+ * @param socketFd    The accepted connection socket's fd (for SO_PEERCRED).
+ */
+export function checkPeer(customAllowlist, failOpen, socketFd = -1) {
+    peerLogger.debug?.(`peer-check: fd=${socketFd} hasPeerCredProvider=${peerCredProvider !== null} failOpen=${failOpen}`);
+    const cred = getPeerCredentials(socketFd);
+    if (cred && cred.pid > 0) {
+        peerLogger.debug?.(`peer-check: SO_PEERCRED ok pid=${cred.pid} uid=${cred.uid} gid=${cred.gid}`);
+        const peer = buildPeerInfo(cred.pid, cred);
+        peerLogger.debug?.(`peer-check: resolved process name=${peer.processName} path=${peer.processPath} uid=${peer.uid} gid=${peer.gid}`);
+        if (isProcessAllowed(peer, customAllowlist)) {
+            peerLogger.debug?.(`peer-check: ALLOWED ${peer.processName} (pid=${peer.pid})`);
+            return { allowed: true, peer };
+        }
+        const reason = `process_not_allowed: ${peer.processName} (pid=${peer.pid}, path=${peer.processPath})`;
+        peerLogger.warn?.(`peer-check: REJECTED ${reason}`);
+        return { allowed: false, reason, peer };
+    }
+    if (cred) {
+        peerLogger.debug?.(`peer-check: SO_PEERCRED returned pid=${cred.pid} (invalid), falling back`);
+    }
+    else {
+        peerLogger.debug?.(`peer-check: SO_PEERCRED unavailable (no provider or fd=${socketFd}), falling back`);
+    }
+    if (failOpen) {
+        peerLogger.debug?.("peer-check: ALLOWED (fail-open, peer unresolvable — socket 0600 provides baseline)");
+        return { allowed: true, peer: null };
+    }
+    const reason = "peer_unresolvable: no SO_PEERCRED provider registered";
+    peerLogger.warn?.(`peer-check: REJECTED ${reason}`);
+    return { allowed: false, reason };
+}

package/dist/src/local-server/peercred-linux.d.ts

@@ -0,0 +1,30 @@
+/**
+ * SO_PEERCRED implementation for Linux via koffi FFI.
+ *
+ * Calls getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len) to retrieve
+ * the peer process PID, UID, and GID from a connected Unix domain socket.
+ *
+ * koffi is an optionalDependency — if unavailable (non-Linux, missing binary,
+ * exotic platform), this module returns null and the caller falls back to
+ * fail-open behavior.
+ *
+ * Prebuilt binaries included by koffi:
+ *   Linux x86_64 (glibc/musl), Linux arm64 (glibc/musl),
+ *   macOS x86_64/arm64, Windows x86_64/arm64, FreeBSD, OpenBSD.
+ * SO_PEERCRED itself is Linux-only; on other OSes this module is a no-op.
+ */
+import type { GetPeerCredFn } from "./peer-check.js";
+/**
+ * Try to build a SO_PEERCRED provider using koffi.
+ * Returns the provider function on success, null on failure.
+ *
+ * Failure reasons (all silent, expected on non-Linux):
+ *   - koffi not installed (optionalDependency skipped)
+ *   - koffi binary missing for this platform
+ *   - Not Linux (SO_PEERCRED is Linux-specific)
+ */
+export declare function tryBuildPeerCredProvider(logger?: {
+    debug?: (msg: string) => void;
+    warn?: (msg: string) => void;
+}): GetPeerCredFn | null;
+//# sourceMappingURL=peercred-linux.d.ts.map

package/dist/src/local-server/peercred-linux.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"peercred-linux.d.ts","sourceRoot":"","sources":["../../../src/local-server/peercred-linux.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAmB,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAMtE;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,aAAa,GAAG,IAAI,CA4CtB"}

package/dist/src/local-server/peercred-linux.js

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Linux constants for getsockopt(fd, SOL_SOCKET, SO_PEERCRED, ...)
+const SOL_SOCKET = 1;
+const SO_PEERCRED = 17;
+/**
+ * Try to build a SO_PEERCRED provider using koffi.
+ * Returns the provider function on success, null on failure.
+ *
+ * Failure reasons (all silent, expected on non-Linux):
+ *   - koffi not installed (optionalDependency skipped)
+ *   - koffi binary missing for this platform
+ *   - Not Linux (SO_PEERCRED is Linux-specific)
+ */
+export function tryBuildPeerCredProvider(logger) {
+    if (process.platform !== "linux") {
+        logger?.debug?.("peercred-linux: skipped (platform=" + process.platform + ", SO_PEERCRED is Linux-only)");
+        return null;
+    }
+    try {
+        // Dynamic require so the module is only loaded on Linux when available.
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const koffi = require("koffi");
+        const lib = koffi.load("libc.so.6");
+        const ucred = koffi.struct("ucred", {
+            pid: "int",
+            uid: "unsigned int",
+            gid: "unsigned int",
+        });
+        // int getsockopt(int sockfd, int level, int optname, void *optval, socklen_t *optlen)
+        const getsockopt = lib.func("int getsockopt(int, int, int, _Out_ ucred *, _Inout_ unsigned int *)");
+        logger?.debug?.("peercred-linux: koffi loaded, getsockopt bound to libc.so.6");
+        return (fd) => {
+            if (fd < 0)
+                return null;
+            try {
+                const cred = {};
+                const optlen = [12]; // sizeof(struct ucred) = 3 × int32 = 12
+                const ret = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, optlen);
+                if (ret !== 0) {
+                    logger?.debug?.(`peercred-linux: getsockopt returned ${ret} for fd=${fd}`);
+                    return null;
+                }
+                return { pid: cred.pid, uid: cred.uid, gid: cred.gid };
+            }
+            catch (err) {
+                logger?.warn?.(`peercred-linux: getsockopt threw for fd=${fd}: ${String(err)}`);
+                return null;
+            }
+        };
+    }
+    catch (err) {
+        logger?.debug?.(`peercred-linux: koffi unavailable (${String(err).slice(0, 80)}), SO_PEERCRED disabled`);
+        return null;
+    }
+}

package/dist/src/risk/llm-risk-check.d.ts

@@ -1,8 +1,3 @@
-/**
- * LLM-based risk classification for tool calls.
- * Supports Ollama and OpenAI-compatible providers. No core OpenClaw changes.
- * Reference: GuardSpine plugin (ollamaGenerate, runCouncilReview).
- */
 import type { RiskLevel } from "./classify-risk.js";
 export type LlmRiskCheckConfig = {
     endpoint: string;

package/dist/src/risk/llm-risk-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"llm-risk-check.d.ts","sourceRoot":"","sources":["../../../src/risk/llm-risk-check.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAmDpD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AA0CF,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAyJjE;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,kBAAkB,EAC1B,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAiE/B"}
+{"version":3,"file":"llm-risk-check.d.ts","sourceRoot":"","sources":["../../../src/risk/llm-risk-check.ts"],"names":[],"mappings":"AAuBA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAuDpD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AA0CF,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAyJjE;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,kBAAkB,EAC1B,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAiE/B"}

package/dist/src/risk/llm-risk-check.js

@@ -13,8 +13,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import { hashToolParams } from "../store/tool-approval-store.js";
+/**
+ * LLM-based risk classification for tool calls.
+ * Supports Ollama and OpenAI-compatible providers. No core OpenClaw changes.
+ * Reference: GuardSpine plugin (ollamaGenerate, runCouncilReview).
+ */
+import { createHash } from "node:crypto";
 import { logDebug, logWarn } from "../utils/logger.js";
+function hashToolParams(toolName, params) {
+    const payload = `${toolName}:${JSON.stringify(params)}`;
+    return createHash("sha256").update(payload, "utf-8").digest("hex");
+}
 /** Max chars for params JSON; critical fields (command, path) get smarter truncation. */
 const PARAMS_MAX_CHARS = 800;
 const CACHE_TTL_MS_DEFAULT = 300_000; // 5 min

package/dist/src/risk/low-risk-tools.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"low-risk-tools.d.ts","sourceRoot":"","sources":["../../../src/risk/low-risk-tools.ts"],"names":[],"mappings":"AAmCA,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAQhF"}
+{"version":3,"file":"low-risk-tools.d.ts","sourceRoot":"","sources":["../../../src/risk/low-risk-tools.ts"],"names":[],"mappings":"AAkCA,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAQhF"}

package/dist/src/risk/low-risk-tools.js

@@ -23,7 +23,6 @@ const LOW_RISK_TOOL_NAMES = new Set([
     "identity_list_tips",
     "identity_list_credentials",
     "identity_config",
-    "identity_approve_tool",
     "identity_risk_check",
     "identity_list_risk_patterns",
     "web_search",

package/dist/src/store/dispatch-feature-flag.d.ts

@@ -0,0 +1,7 @@
+/** Mark before_dispatch as active (called by the handler on first invocation). */
+export declare function markBeforeDispatchActive(): void;
+/** Whether before_dispatch has been invoked at least once by the runtime. */
+export declare function isBeforeDispatchActive(): boolean;
+/** Reset flag (for tests). */
+export declare function resetBeforeDispatchFlag(): void;
+//# sourceMappingURL=dispatch-feature-flag.d.ts.map

package/dist/src/store/dispatch-feature-flag.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatch-feature-flag.d.ts","sourceRoot":"","sources":["../../../src/store/dispatch-feature-flag.ts"],"names":[],"mappings":"AA2BA,kFAAkF;AAClF,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C;AAED,6EAA6E;AAC7E,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAED,8BAA8B;AAC9B,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C"}

package/dist/src/store/dispatch-feature-flag.js

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Feature flag: tracks whether the openclaw runtime actually invokes
+ * before_dispatch. Older openclaw versions register the handler but
+ * never call it; in that case before_agent_start must handle auth.
+ *
+ * The flag is set to true the first time before_dispatch fires.
+ * before_agent_start checks it to decide whether to skip auth logic.
+ */
+let active = false;
+/** Mark before_dispatch as active (called by the handler on first invocation). */
+export function markBeforeDispatchActive() {
+    active = true;
+}
+/** Whether before_dispatch has been invoked at least once by the runtime. */
+export function isBeforeDispatchActive() {
+    return active;
+}
+/** Reset flag (for tests). */
+export function resetBeforeDispatchFlag() {
+    active = false;
+}

package/dist/src/tools/identity-config-suggest.d.ts

@@ -1,4 +1,4 @@
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 declare const INTENTS: {
     readonly identity: {
         readonly label: "Identity API (AK/SK, endpoint)";

package/dist/src/tools/identity-config-suggest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAuBA,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAiC/D,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B,UAClC,YAAY,CA+CxB"}
+{"version":3,"file":"identity-config-suggest.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config-suggest.ts"],"names":[],"mappings":"AAuBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAkCxD,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGH,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,OAAO,CAAC;AAEvD,wBAAgB,+BAA+B,UAClC,YAAY,CA+CxB"}

package/dist/src/tools/identity-config-suggest.js

@@ -19,7 +19,7 @@
  * Does not modify config; returns JSON and instructions for manual edit.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 const CONFIG_PATH = "plugins.entries.agent-identity.config";
 /** Identity credential defaults and resolution order. Included when intent is identity or full. */
 const IDENTITY_DEFAULTS = {

package/dist/src/tools/identity-config.d.ts

@@ -2,7 +2,7 @@
  * identity_config: show identity plugin configuration (redacted).
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityConfigTool(deps: IdentityActionsDeps): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-config.d.ts.map

package/dist/src/tools/identity-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB,KAAG,YAAY,CAU/C"}
+{"version":3,"file":"identity-config.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-config.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,mBAAmB,IACxD,MAAM,iBAAiB,KAAG,YAAY,CAU/C"}

package/dist/src/tools/identity-config.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { runConfig } from "../actions/identity-actions.js";
 export function createIdentityConfigTool(deps) {
     return (_ctx) => ({

package/dist/src/tools/identity-fetch.d.ts

@@ -4,7 +4,7 @@
  * When returnValue is true and fetch succeeds, returns the credential value for same-turn automation.
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityFetchTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-fetch.d.ts.map

package/dist/src/tools/identity-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAsB,MAAM,qBAAqB,CAAC;AAEvE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CA8D9C"}
+{"version":3,"file":"identity-fetch.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-fetch.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAO1E,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,mBAAmB,IACvD,KAAK,iBAAiB,KAAG,YAAY,CA8D9C"}

package/dist/src/tools/identity-fetch.js

@@ -14,8 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { optionalStringEnum } from "openclaw/plugin-sdk";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult, optionalStringEnum } from "../utils/tool-result.js";
 import { runFetch } from "../actions/identity-actions.js";
 import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";

package/dist/src/tools/identity-get-role-credentials.d.ts

@@ -4,7 +4,7 @@
  * then use them for downstream API requests.
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityGetRoleCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-get-role-credentials.d.ts.map

package/dist/src/tools/identity-get-role-credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-get-role-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-role-credentials.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,mBAAmB,IACpE,KAAK,iBAAiB,KAAG,YAAY,CAsC9C"}
+{"version":3,"file":"identity-get-role-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-role-credentials.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,mBAAmB,IACpE,KAAK,iBAAiB,KAAG,YAAY,CAsC9C"}

package/dist/src/tools/identity-get-role-credentials.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { runGetRoleCredentials } from "../actions/identity-actions.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
 export function createIdentityGetRoleCredentialsTool(deps) {

package/dist/src/tools/identity-get-session-token.d.ts

@@ -2,7 +2,7 @@
  * identity_get_session_token: obtain the OIDC id_token (session / user token) for the current session.
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityGetSessionTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-get-session-token.d.ts.map

package/dist/src/tools/identity-get-session-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-get-session-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-session-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}
+{"version":3,"file":"identity-get-session-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-session-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-session-token.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { runGetSessionToken } from "../actions/identity-actions.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
 export function createIdentityGetSessionTokenTool(deps) {

package/dist/src/tools/identity-get-tip-token.d.ts

@@ -2,7 +2,7 @@
  * identity_get_tip_token: obtain the workload TIP JWT for the current session.
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityGetTipTokenTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-get-tip-token.d.ts.map

package/dist/src/tools/identity-get-tip-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-get-tip-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-tip-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,mBAAmB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}
+{"version":3,"file":"identity-get-tip-token.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-get-tip-token.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,mBAAmB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-get-tip-token.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { runGetTipToken } from "../actions/identity-actions.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
 export function createIdentityGetTipTokenTool(deps) {

package/dist/src/tools/identity-list-credentials.d.ts

@@ -2,7 +2,7 @@
  * identity_list_credentials: list credential providers and stored credentials (paginated).
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityListCredentialsTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-credentials.d.ts.map

package/dist/src/tools/identity-list-credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}
+{"version":3,"file":"identity-list-credentials.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-credentials.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,mBAAmB,IACjE,KAAK,iBAAiB,KAAG,YAAY,CA0B9C"}

package/dist/src/tools/identity-list-credentials.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { runListCredentials } from "../actions/identity-actions.js";
 import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
 export function createIdentityListCredentialsTool(deps) {

package/dist/src/tools/identity-list-risk-patterns.d.ts

@@ -3,6 +3,6 @@
  * Use to understand what the plugin considers high-risk before running commands.
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 export declare function createIdentityListRiskPatternsTool(): (_ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-risk-patterns.d.ts.map

package/dist/src/tools/identity-list-risk-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAG/D,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB,KAAG,YAAY,CAe/C"}
+{"version":3,"file":"identity-list-risk-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-risk-patterns.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAIxD,wBAAgB,kCAAkC,KACxC,MAAM,iBAAiB,KAAG,YAAY,CAe/C"}

package/dist/src/tools/identity-list-risk-patterns.js

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
+import { jsonResult } from "../utils/tool-result.js";
 import { getRiskPatterns } from "../risk/classify-risk.js";
 export function createIdentityListRiskPatternsTool() {
     return (_ctx) => ({

package/dist/src/tools/identity-list-roles.d.ts

@@ -2,7 +2,7 @@
  * identity_list_roles: list role credential providers (STS).
  */
 import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
 import type { IdentityActionsDeps } from "../actions/identity-actions.js";
 export declare function createIdentityListRolesTool(deps: IdentityActionsDeps): (ctx: PluginToolContext) => AnyAgentTool;
 //# sourceMappingURL=identity-list-roles.d.ts.map

package/dist/src/tools/identity-list-roles.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-list-roles.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-roles.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,mBAAmB,IAC3D,KAAK,iBAAiB,KAAG,YAAY,CAsB9C"}
+{"version":3,"file":"identity-list-roles.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-list-roles.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAI1E,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,mBAAmB,IAC3D,KAAK,iBAAiB,KAAG,YAAY,CAsB9C"}