@m1a0rz/agent-identity 0.4.6 → 0.5.0

package/dist/src/store/tool-approval-store.js

@@ -1,162 +0,0 @@
-/*
- * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- * In-memory store for tool approval flow.
- * Pending: awaiting user approval. Approval: recorded for retry-path allow.
- */
-import { createHash } from "node:crypto";
-const POLL_INTERVAL_MS = 500;
-const pendingByApprovalId = new Map();
-const approvalKeys = new Map(); // key -> expiresAtMs (for retry-path)
-const approvedById = new Map(); // approvalId -> expiresAtMs (for poll-path)
-/**
- * Canonical JSON for stable hashing (sorted keys, no functions).
- */
-function canonicalJson(obj) {
-    if (obj === null || obj === undefined)
-        return "null";
-    if (typeof obj !== "object")
-        return JSON.stringify(obj);
-    if (Array.isArray(obj))
-        return "[" + obj.map(canonicalJson).join(",") + "]";
-    const keys = Object.keys(obj).sort();
-    const pairs = keys.map((k) => `${JSON.stringify(k)}:${canonicalJson(obj[k])}`);
-    return "{" + pairs.join(",") + "}";
-}
-/**
- * Hash for tool+params, used as approval key and short approval id.
- */
-export function hashToolParams(toolName, params) {
-    const payload = `${toolName}:${canonicalJson(params)}`;
-    return createHash("sha256").update(payload, "utf-8").digest("hex");
-}
-/**
- * Short id for approval messages (first 8 chars of hash).
- */
-export function shortApprovalId(fullHash) {
-    return fullHash.slice(0, 8);
-}
-/**
- * Approval key for hasRecentApproval lookup.
- */
-function approvalKey(sessionKey, toolName, params) {
-    return `${sessionKey}:${hashToolParams(toolName, params)}`;
-}
-export function createPending(params) {
-    const { approvalId, sessionKey, toolName, params: p, ttlMs } = params;
-    const expiresAtMs = Date.now() + ttlMs;
-    pendingByApprovalId.set(approvalId, {
-        approvalId,
-        sessionKey,
-        toolName,
-        params: p,
-        expiresAtMs,
-    });
-}
-export function getPending(approvalId) {
-    const entry = pendingByApprovalId.get(approvalId);
-    if (!entry || Date.now() > entry.expiresAtMs) {
-        pendingByApprovalId.delete(approvalId);
-        return undefined;
-    }
-    return entry;
-}
-/**
- * Approve a pending request. Records approval for retry-path and poll-path; removes from pending.
- * When approverSessionKey is provided, verifies it matches the pending entry's sessionKey.
- */
-export function approve(approvalId, ttlMs, approverSessionKey) {
-    const entry = getPending(approvalId);
-    if (!entry)
-        return false;
-    if (approverSessionKey != null &&
-        approverSessionKey.trim() !== "" &&
-        entry.sessionKey !== approverSessionKey) {
-        return false;
-    }
-    const expiresAtMs = Date.now() + ttlMs;
-    pendingByApprovalId.delete(approvalId);
-    const key = approvalKey(entry.sessionKey, entry.toolName, entry.params);
-    approvalKeys.set(key, expiresAtMs);
-    approvedById.set(approvalId, expiresAtMs);
-    return true;
-}
-/**
- * Reject a pending request. When rejecterSessionKey is provided, verifies it matches.
- */
-export function reject(approvalId, rejecterSessionKey) {
-    const entry = getPending(approvalId);
-    if (!entry)
-        return false;
-    if (rejecterSessionKey != null &&
-        rejecterSessionKey.trim() !== "" &&
-        entry.sessionKey !== rejecterSessionKey) {
-        return false;
-    }
-    return pendingByApprovalId.delete(approvalId);
-}
-export function hasRecentApproval(sessionKey, toolName, params) {
-    const key = approvalKey(sessionKey, toolName, params);
-    const expiresAt = approvalKeys.get(key);
-    if (!expiresAt || Date.now() > expiresAt) {
-        approvalKeys.delete(key);
-        return false;
-    }
-    return true;
-}
-export function consumeApproval(sessionKey, toolName, params) {
-    const key = approvalKey(sessionKey, toolName, params);
-    const expiresAt = approvalKeys.get(key);
-    if (!expiresAt || Date.now() > expiresAt) {
-        approvalKeys.delete(key);
-        return false;
-    }
-    approvalKeys.delete(key);
-    return true;
-}
-export function getPendingForSession(sessionKey) {
-    const now = Date.now();
-    const result = [];
-    for (const entry of pendingByApprovalId.values()) {
-        if (entry.sessionKey === sessionKey && entry.expiresAtMs > now) {
-            result.push(entry);
-        }
-    }
-    return result;
-}
-/**
- * Poll until approved or timeout.
- */
-export async function pollForApproval(approvalId, timeoutMs, onCheck) {
-    const deadline = Date.now() + timeoutMs;
-    while (Date.now() < deadline) {
-        onCheck?.();
-        if (approvedById.has(approvalId)) {
-            const expiresAt = approvedById.get(approvalId);
-            if (Date.now() <= expiresAt) {
-                approvedById.delete(approvalId);
-                return true;
-            }
-            approvedById.delete(approvalId);
-        }
-        const entry = getPending(approvalId);
-        if (!entry) {
-            return false;
-        }
-        await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
-    }
-    return false;
-}

package/dist/src/tools/identity-approve-tool.d.ts

@@ -1,15 +0,0 @@
-/**
- * identity_approve_tool: approve a high-risk tool call by approval_id.
- * Used for webchat/TUI flow when user approves via UI then agent retries.
- */
-import type { PluginToolContext } from "../types.js";
-import { AnyAgentTool } from "openclaw/plugin-sdk";
-export type IdentityApproveToolDeps = {
-    approvalTtlMs: number;
-    logger?: {
-        debug?: (msg: string) => void;
-        warn?: (msg: string) => void;
-    };
-};
-export declare function createIdentityApproveTool(deps: IdentityApproveToolDeps): (ctx: PluginToolContext) => AnyAgentTool;
-//# sourceMappingURL=identity-approve-tool.d.ts.map

package/dist/src/tools/identity-approve-tool.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"identity-approve-tool.d.ts","sourceRoot":"","sources":["../../../src/tools/identity-approve-tool.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,EAAE,YAAY,EAAc,MAAM,qBAAqB,CAAC;AAK/D,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,uBAAuB,IAC7D,KAAK,iBAAiB,KAAG,YAAY,CA8B9C"}

package/dist/src/tools/identity-approve-tool.js

@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-import { Type } from "@sinclair/typebox";
-import { jsonResult } from "openclaw/plugin-sdk";
-import * as toolApprovalStore from "../store/tool-approval-store.js";
-import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
-import { logDebug, logWarn } from "../utils/logger.js";
-export function createIdentityApproveTool(deps) {
-    return (ctx) => ({
-        name: "identity_approve_tool",
-        label: "Approve Tool Call",
-        description: "Approve a pending high-risk tool call by its approval ID. Must run from same session.",
-        parameters: Type.Object({
-            approval_id: Type.String({ description: "Approval ID from the pending tool message" }),
-        }),
-        execute: async (_toolCallId, params) => {
-            const approvalId = (params?.approval_id ?? "").trim();
-            if (!approvalId) {
-                return jsonResult({
-                    ok: false,
-                    error: "approval_id is required",
-                });
-            }
-            const approverKey = ctx.sessionKey ? resolveEffectiveSessionKey(ctx.sessionKey) : ctx.sessionKey;
-            const ok = toolApprovalStore.approve(approvalId, deps.approvalTtlMs, approverKey);
-            if (ok) {
-                logDebug(deps.logger, `approved tool call ${approvalId}`);
-                return jsonResult({ ok: true, message: "Tool call approved" });
-            }
-            logWarn(deps.logger, `approve failed for ${approvalId} (expired or not found)`);
-            return jsonResult({
-                ok: false,
-                error: "Approval not found or expired. Request a new tool execution.",
-            });
-        },
-    });
-}

package/dist/src/utils/approval-channel.d.ts

@@ -1,7 +0,0 @@
-/**
- * Returns true when sessionKey can be delivered to (sendMessage works).
- * Those sessions use sync approval (poll until user approves).
- * Returns false for webchat/TUI (agent:main:main etc) - use retry flow.
- */
-export declare function supportsSyncApproval(sessionKey: string | undefined | null): boolean;
-//# sourceMappingURL=approval-channel.d.ts.map

package/dist/src/utils/approval-channel.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"approval-channel.d.ts","sourceRoot":"","sources":["../../../src/utils/approval-channel.ts"],"names":[],"mappings":"AAuBA;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEnF"}

package/dist/src/utils/approval-channel.js

@@ -1,28 +0,0 @@
-/*
- * Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- * Determine if session supports sync approval (sendMessage + poll).
- * Channel sessions (Feishu, Telegram, etc.) support it; webchat/TUI do not.
- */
-import { parseSessionKeyToDeliveryTarget } from "./derive-session-key.js";
-/**
- * Returns true when sessionKey can be delivered to (sendMessage works).
- * Those sessions use sync approval (poll until user approves).
- * Returns false for webchat/TUI (agent:main:main etc) - use retry flow.
- */
-export function supportsSyncApproval(sessionKey) {
-    return parseSessionKeyToDeliveryTarget(sessionKey ?? "") !== null;
-}