@martian-engineering/lossless-claw 0.2.7 → 0.3.0

package/index.ts

@@ -4,7 +4,8 @@
  * DAG-based conversation summarization with incremental compaction,
  * full-text search, and sub-agent expansion.
  */
-import { readFileSync } from "node:fs";
+import { readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
 import { resolveLcmConfig } from "./src/db/config.js";
 import { LcmContextEngine } from "./src/engine.js";
@@ -45,8 +46,12 @@ type PluginEnvSnapshot = {
   pluginSummaryProvider: string;
   openclawProvider: string;
   openclawDefaultModel: string;
+  agentDir: string;
+  home: string;
 };
 
+type ReadEnvFn = (key: string) => string | undefined;
+
 type CompleteSimpleOptions = {
   apiKey?: string;
   maxTokens: number;
@@ -90,6 +95,10 @@ type RuntimeModelAuth = {
   }) => Promise<RuntimeModelAuthResult | undefined>;
 };
 
+const MODEL_AUTH_PR_URL = "https://github.com/openclaw/openclaw/pull/41090";
+const MODEL_AUTH_MERGE_COMMIT = "4790e40";
+const MODEL_AUTH_REQUIRED_RELEASE = "the first OpenClaw release after 2026.3.8";
+
 /** Capture plugin env values once during initialization. */
 function snapshotPluginEnv(env: NodeJS.ProcessEnv = process.env): PluginEnvSnapshot {
   return {
@@ -99,6 +108,8 @@ function snapshotPluginEnv(env: NodeJS.ProcessEnv = process.env): PluginEnvSnaps
     pluginSummaryProvider: "",
     openclawProvider: env.OPENCLAW_PROVIDER?.trim() ?? "",
     openclawDefaultModel: "",
+    agentDir: env.OPENCLAW_AGENT_DIR?.trim() || env.PI_CODING_AGENT_DIR?.trim() || "",
+    home: env.HOME?.trim() ?? "",
   };
 }
 
@@ -117,6 +128,71 @@ function readDefaultModelFromConfig(config: unknown): string {
   return typeof primary === "string" ? primary.trim() : "";
 }
 
+/** Resolve common provider API keys from environment. */
+function resolveApiKey(provider: string, readEnv: ReadEnvFn): string | undefined {
+  const keyMap: Record<string, string[]> = {
+    openai: ["OPENAI_API_KEY"],
+    anthropic: ["ANTHROPIC_API_KEY"],
+    google: ["GOOGLE_API_KEY", "GEMINI_API_KEY"],
+    groq: ["GROQ_API_KEY"],
+    xai: ["XAI_API_KEY"],
+    mistral: ["MISTRAL_API_KEY"],
+    together: ["TOGETHER_API_KEY"],
+    openrouter: ["OPENROUTER_API_KEY"],
+    "github-copilot": ["GITHUB_COPILOT_API_KEY", "GITHUB_TOKEN"],
+  };
+
+  const providerKey = provider.trim().toLowerCase();
+  const keys = keyMap[providerKey] ?? [];
+  const normalizedProviderEnv = `${providerKey.replace(/[^a-z0-9]/g, "_").toUpperCase()}_API_KEY`;
+  keys.push(normalizedProviderEnv);
+
+  for (const key of keys) {
+    const value = readEnv(key)?.trim();
+    if (value) {
+      return value;
+    }
+  }
+  return undefined;
+}
+
+/** A SecretRef pointing to a value inside secrets.json via a nested path. */
+type SecretRef = {
+  source?: string;
+  provider?: string;
+  id: string;
+};
+
+type SecretProviderConfig = {
+  source?: string;
+  path?: string;
+  mode?: string;
+};
+
+type AuthProfileCredential =
+  | { type: "api_key"; provider: string; key?: string; keyRef?: SecretRef; email?: string }
+  | { type: "token"; provider: string; token?: string; tokenRef?: SecretRef; expires?: number; email?: string }
+  | ({
+      type: "oauth";
+      provider: string;
+      access?: string;
+      refresh?: string;
+      expires?: number;
+      email?: string;
+    } & Record<string, unknown>);
+
+type AuthProfileStore = {
+  profiles: Record<string, AuthProfileCredential>;
+  order?: Record<string, string[]>;
+};
+
+type PiAiOAuthCredentials = {
+  refresh: string;
+  access: string;
+  expires: number;
+  [key: string]: unknown;
+};
+
 type PiAiModule = {
   completeSimple?: (
     model: {
@@ -148,6 +224,11 @@ type PiAiModule = {
   ) => Promise<Record<string, unknown> & { content?: Array<{ type: string; text?: string }> }>;
   getModel?: (provider: string, modelId: string) => unknown;
   getModels?: (provider: string) => unknown[];
+  getEnvApiKey?: (provider: string) => string | undefined;
+  getOAuthApiKey?: (
+    providerId: string,
+    credentials: Record<string, PiAiOAuthCredentials>,
+  ) => Promise<{ apiKey: string; newCredentials: PiAiOAuthCredentials } | null>;
 };
 
 /** Narrow unknown values to plain objects. */
@@ -251,14 +332,11 @@ function resolveProviderApiFromRuntimeConfig(
   return typeof api === "string" && api.trim() ? api.trim() : undefined;
 }
 
-/** Resolve runtime.modelAuth from plugin runtime, even before plugin-sdk typings land locally. */
-function getRuntimeModelAuth(api: OpenClawPluginApi): RuntimeModelAuth {
+/** Resolve runtime.modelAuth from plugin runtime when available. */
+function getRuntimeModelAuth(api: OpenClawPluginApi): RuntimeModelAuth | undefined {
   const runtime = api.runtime as OpenClawPluginApi["runtime"] & {
     modelAuth?: RuntimeModelAuth;
   };
-  if (!runtime.modelAuth) {
-    throw new Error("OpenClaw runtime.modelAuth is required by lossless-claw.");
-  }
   return runtime.modelAuth;
 }
 
@@ -292,6 +370,407 @@ function resolveApiKeyFromAuthResult(auth: RuntimeModelAuthResult | undefined):
   return apiKey ? apiKey : undefined;
 }
 
+function buildLegacyAuthFallbackWarning(): string {
+  return [
+    "[lcm] OpenClaw runtime.modelAuth is unavailable; using legacy auth-profiles fallback.",
+    `Stock lossless-claw 0.2.7 expects OpenClaw plugin runtime support from PR #41090 (${MODEL_AUTH_PR_URL}).`,
+    `OpenClaw 2026.3.8 and 2026.3.8-beta.1 do not include merge commit ${MODEL_AUTH_MERGE_COMMIT};`,
+    `${MODEL_AUTH_REQUIRED_RELEASE} is required for stock lossless-claw 0.2.7 without this fallback patch.`,
+  ].join(" ");
+}
+
+/** Parse auth-profiles JSON into a minimal store shape. */
+function parseAuthProfileStore(raw: string): AuthProfileStore | undefined {
+  try {
+    const parsed = JSON.parse(raw) as unknown;
+    if (!isRecord(parsed) || !isRecord(parsed.profiles)) {
+      return undefined;
+    }
+
+    const profiles: Record<string, AuthProfileCredential> = {};
+    for (const [profileId, value] of Object.entries(parsed.profiles)) {
+      if (!isRecord(value)) {
+        continue;
+      }
+      const type = value.type;
+      const provider = typeof value.provider === "string" ? value.provider.trim() : "";
+      if (!provider || (type !== "api_key" && type !== "token" && type !== "oauth")) {
+        continue;
+      }
+      profiles[profileId] = value as AuthProfileCredential;
+    }
+
+    const rawOrder = isRecord(parsed.order) ? parsed.order : undefined;
+    const order: Record<string, string[]> | undefined = rawOrder
+      ? Object.entries(rawOrder).reduce<Record<string, string[]>>((acc, [provider, value]) => {
+          if (!Array.isArray(value)) {
+            return acc;
+          }
+          const ids = value
+            .map((entry) => (typeof entry === "string" ? entry.trim() : ""))
+            .filter(Boolean);
+          if (ids.length > 0) {
+            acc[provider] = ids;
+          }
+          return acc;
+        }, {})
+      : undefined;
+
+    return {
+      profiles,
+      ...(order && Object.keys(order).length > 0 ? { order } : {}),
+    };
+  } catch {
+    return undefined;
+  }
+}
+
+/** Merge auth stores, letting later stores override earlier profiles/order. */
+function mergeAuthProfileStores(stores: AuthProfileStore[]): AuthProfileStore | undefined {
+  if (stores.length === 0) {
+    return undefined;
+  }
+  const merged: AuthProfileStore = { profiles: {} };
+  for (const store of stores) {
+    merged.profiles = { ...merged.profiles, ...store.profiles };
+    if (store.order) {
+      merged.order = { ...(merged.order ?? {}), ...store.order };
+    }
+  }
+  return merged;
+}
+
+/** Determine candidate auth store paths ordered by precedence. */
+function resolveAuthStorePaths(params: { agentDir?: string; envSnapshot: PluginEnvSnapshot }): string[] {
+  const paths: string[] = [];
+  const directAgentDir = params.agentDir?.trim();
+  if (directAgentDir) {
+    paths.push(join(directAgentDir, "auth-profiles.json"));
+  }
+
+  const envAgentDir = params.envSnapshot.agentDir;
+  if (envAgentDir) {
+    paths.push(join(envAgentDir, "auth-profiles.json"));
+  }
+
+  const home = params.envSnapshot.home;
+  if (home) {
+    paths.push(join(home, ".openclaw", "agents", "main", "agent", "auth-profiles.json"));
+  }
+
+  return [...new Set(paths)];
+}
+
+/** Build profile selection order for provider auth lookup. */
+function resolveAuthProfileCandidates(params: {
+  provider: string;
+  store: AuthProfileStore;
+  authProfileId?: string;
+  runtimeConfig?: unknown;
+}): string[] {
+  const candidates: string[] = [];
+  const normalizedProvider = normalizeProviderId(params.provider);
+  const push = (value: string | undefined) => {
+    const profileId = value?.trim();
+    if (!profileId) {
+      return;
+    }
+    if (!candidates.includes(profileId)) {
+      candidates.push(profileId);
+    }
+  };
+
+  push(params.authProfileId);
+
+  const storeOrder = findProviderConfigValue(params.store.order, params.provider);
+  for (const profileId of storeOrder ?? []) {
+    push(profileId);
+  }
+
+  if (isRecord(params.runtimeConfig)) {
+    const auth = params.runtimeConfig.auth;
+    if (isRecord(auth)) {
+      const order = findProviderConfigValue(
+        isRecord(auth.order) ? (auth.order as Record<string, unknown>) : undefined,
+        params.provider,
+      );
+      if (Array.isArray(order)) {
+        for (const profileId of order) {
+          if (typeof profileId === "string") {
+            push(profileId);
+          }
+        }
+      }
+    }
+  }
+
+  for (const [profileId, credential] of Object.entries(params.store.profiles)) {
+    if (normalizeProviderId(credential.provider) === normalizedProvider) {
+      push(profileId);
+    }
+  }
+
+  return candidates;
+}
+
+/**
+ * Resolve a SecretRef (tokenRef/keyRef) to a credential string.
+ *
+ * OpenClaw's auth-profiles support a level of indirection: instead of storing
+ * the raw API key or token inline, a credential can reference it via a
+ * SecretRef. Two resolution strategies are supported:
+ *
+ * 1. `source: "env"` — read the value from an environment variable whose
+ *    name is `ref.id` (e.g. `{ source: "env", id: "ANTHROPIC_API_KEY" }`).
+ *
+ * 2. File-based — resolve against a configured `secrets.providers.<provider>`
+ *    file provider when available. JSON-mode providers walk slash-delimited
+ *    paths, while singleValue providers use the sentinel id `value`.
+ *
+ * 3. Legacy fallback — when no file provider config is available, fall back to
+ *    `~/.openclaw/secrets.json` for backward compatibility.
+ */
+function resolveSecretRef(params: {
+  ref: SecretRef | undefined;
+  home: string;
+  config?: unknown;
+}): string | undefined {
+  const ref = params.ref;
+  if (!ref?.id) return undefined;
+
+  // source: env — read directly from environment variable
+  if (ref.source === "env") {
+    const val = process.env[ref.id]?.trim();
+    return val || undefined;
+  }
+
+  // File-based provider config — use configured file provider when present.
+  try {
+    const providers = isRecord(params.config)
+      ? (params.config as { secrets?: { providers?: Record<string, unknown> } }).secrets?.providers
+      : undefined;
+    const providerName = ref.provider?.trim() || "default";
+    const provider =
+      providers && isRecord(providers)
+        ? providers[providerName]
+        : undefined;
+    if (isRecord(provider) && provider.source === "file" && typeof provider.path === "string") {
+      const configuredPath = provider.path.trim();
+      const filePath =
+        configuredPath.startsWith("~/") && params.home
+          ? join(params.home, configuredPath.slice(2))
+          : configuredPath;
+      if (!filePath) {
+        return undefined;
+      }
+      const raw = readFileSync(filePath, "utf8");
+      if (provider.mode === "singleValue") {
+        if (ref.id.trim() !== "value") {
+          return undefined;
+        }
+        const value = raw.trim();
+        return value || undefined;
+      }
+
+      const secrets = JSON.parse(raw) as Record<string, unknown>;
+      const parts = ref.id.replace(/^\//, "").split("/");
+      let current: unknown = secrets;
+      for (const part of parts) {
+        if (!current || typeof current !== "object") return undefined;
+        current = (current as Record<string, unknown>)[part];
+      }
+      return typeof current === "string" && current.trim() ? current.trim() : undefined;
+    }
+  } catch {
+    // Fall through to the legacy secrets.json lookup below.
+  }
+
+  // Legacy file fallback (source: "file" or unset) — read from ~/.openclaw/secrets.json
+  try {
+    const secretsPath = join(params.home, ".openclaw", "secrets.json");
+    const raw = readFileSync(secretsPath, "utf8");
+    const secrets = JSON.parse(raw) as Record<string, unknown>;
+    const parts = ref.id.replace(/^\//, "").split("/");
+    let current: unknown = secrets;
+    for (const part of parts) {
+      if (!current || typeof current !== "object") return undefined;
+      current = (current as Record<string, unknown>)[part];
+    }
+    return typeof current === "string" && current.trim() ? current.trim() : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/** Resolve OAuth/api-key/token credentials from auth-profiles store. */
+async function resolveApiKeyFromAuthProfiles(params: {
+  provider: string;
+  authProfileId?: string;
+  agentDir?: string;
+  runtimeConfig?: unknown;
+  appConfig?: unknown;
+  piAiModule: PiAiModule;
+  envSnapshot: PluginEnvSnapshot;
+}): Promise<string | undefined> {
+  const storesWithPaths = resolveAuthStorePaths({
+    agentDir: params.agentDir,
+    envSnapshot: params.envSnapshot,
+  })
+    .map((path) => {
+      try {
+        const parsed = parseAuthProfileStore(readFileSync(path, "utf8"));
+        return parsed ? { path, store: parsed } : undefined;
+      } catch {
+        return undefined;
+      }
+    })
+    .filter((entry): entry is { path: string; store: AuthProfileStore } => !!entry);
+  if (storesWithPaths.length === 0) {
+    return undefined;
+  }
+
+  const mergedStore = mergeAuthProfileStores(storesWithPaths.map((entry) => entry.store));
+  if (!mergedStore) {
+    return undefined;
+  }
+
+  const candidates = resolveAuthProfileCandidates({
+    provider: params.provider,
+    store: mergedStore,
+    authProfileId: params.authProfileId,
+    runtimeConfig: params.runtimeConfig,
+  });
+  if (candidates.length === 0) {
+    return undefined;
+  }
+
+  const persistPath =
+    params.agentDir?.trim() ? join(params.agentDir.trim(), "auth-profiles.json") : storesWithPaths[0]?.path;
+  const secretConfig = (() => {
+    if (isRecord(params.runtimeConfig)) {
+      const runtimeProviders = (params.runtimeConfig as {
+        secrets?: { providers?: Record<string, unknown> };
+      }).secrets?.providers;
+      if (isRecord(runtimeProviders) && Object.keys(runtimeProviders).length > 0) {
+        return params.runtimeConfig;
+      }
+    }
+    return params.appConfig ?? params.runtimeConfig;
+  })();
+
+  for (const profileId of candidates) {
+    const credential = mergedStore.profiles[profileId];
+    if (!credential) {
+      continue;
+    }
+    if (normalizeProviderId(credential.provider) !== normalizeProviderId(params.provider)) {
+      continue;
+    }
+
+    if (credential.type === "api_key") {
+      const key =
+        credential.key?.trim() ||
+        resolveSecretRef({
+          ref: credential.keyRef,
+          home: params.envSnapshot.home,
+          config: secretConfig,
+        });
+      if (key) {
+        return key;
+      }
+      continue;
+    }
+
+    if (credential.type === "token") {
+      const token =
+        credential.token?.trim() ||
+        resolveSecretRef({
+          ref: credential.tokenRef,
+          home: params.envSnapshot.home,
+          config: secretConfig,
+        });
+      if (!token) {
+        continue;
+      }
+      const expires = credential.expires;
+      if (typeof expires === "number" && Number.isFinite(expires) && expires > 0 && Date.now() >= expires) {
+        continue;
+      }
+      return token;
+    }
+
+    const access = credential.access?.trim();
+    const expires = credential.expires;
+    const isExpired =
+      typeof expires === "number" && Number.isFinite(expires) && expires > 0 && Date.now() >= expires;
+
+    if (!isExpired && access) {
+      if (
+        (credential.provider === "google-gemini-cli" || credential.provider === "google-antigravity") &&
+        typeof credential.projectId === "string" &&
+        credential.projectId.trim()
+      ) {
+        return JSON.stringify({
+          token: access,
+          projectId: credential.projectId.trim(),
+        });
+      }
+      return access;
+    }
+
+    if (typeof params.piAiModule.getOAuthApiKey !== "function") {
+      continue;
+    }
+
+    try {
+      const oauthCredential = {
+        access: credential.access ?? "",
+        refresh: credential.refresh ?? "",
+        expires: typeof credential.expires === "number" ? credential.expires : 0,
+        ...(typeof credential.projectId === "string" ? { projectId: credential.projectId } : {}),
+        ...(typeof credential.accountId === "string" ? { accountId: credential.accountId } : {}),
+      };
+      const refreshed = await params.piAiModule.getOAuthApiKey(params.provider, {
+        [params.provider]: oauthCredential,
+      });
+      if (!refreshed?.apiKey) {
+        continue;
+      }
+      mergedStore.profiles[profileId] = {
+        ...credential,
+        ...refreshed.newCredentials,
+        type: "oauth",
+      };
+      if (persistPath) {
+        try {
+          writeFileSync(
+            persistPath,
+            JSON.stringify(
+              {
+                version: 1,
+                profiles: mergedStore.profiles,
+                ...(mergedStore.order ? { order: mergedStore.order } : {}),
+              },
+              null,
+              2,
+            ),
+            "utf8",
+          );
+        } catch {
+          // Ignore persistence errors: refreshed credentials remain usable in-memory for this run.
+        }
+      }
+      return refreshed.apiKey;
+    } catch {
+      if (access) {
+        return access;
+      }
+    }
+  }
+
+  return undefined;
+}
+
 /** Build a minimal but useful sub-agent prompt. */
 function buildSubagentSystemPrompt(params: {
   depth: number;
@@ -353,6 +832,7 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
   const envSnapshot = snapshotPluginEnv();
   envSnapshot.openclawDefaultModel = readDefaultModelFromConfig(api.config);
   const modelAuth = getRuntimeModelAuth(api);
+  const readEnv: ReadEnvFn = (key) => process.env[key];
   const pluginConfig =
     api.pluginConfig && typeof api.pluginConfig === "object" && !Array.isArray(api.pluginConfig)
       ? api.pluginConfig
@@ -371,6 +851,10 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
     }
   }
 
+  if (!modelAuth) {
+    api.logger.warn(buildLegacyAuthFallbackWarning());
+  }
+
   return {
     config,
     complete: async ({
@@ -401,11 +885,23 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
           return { content: [] };
         }
 
+        // When runtimeConfig is undefined (e.g. resolveLargeFileTextSummarizer
+        // passes legacyParams without config), fall back to the plugin API so
+        // provider-level baseUrl/headers/apiKey are always resolvable.
+        let effectiveRuntimeConfig = runtimeConfig;
+        if (!isRecord(effectiveRuntimeConfig)) {
+          try {
+            effectiveRuntimeConfig = api.runtime.config.loadConfig();
+          } catch {
+            // loadConfig may not be available in all contexts; leave undefined.
+          }
+        }
+
         const knownModel =
           typeof mod.getModel === "function" ? mod.getModel(providerId, modelId) : undefined;
         const fallbackApi =
           providerApi?.trim() ||
-          resolveProviderApiFromRuntimeConfig(runtimeConfig, providerId) ||
+          resolveProviderApiFromRuntimeConfig(effectiveRuntimeConfig, providerId) ||
           (() => {
             if (typeof mod.getModels !== "function") {
               return undefined;
@@ -419,6 +915,21 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
           })() ||
           inferApiFromProvider(providerId);
 
+        // Resolve provider-level config (baseUrl, headers, etc.) from runtime config.
+        // Custom/proxy providers (e.g. bailian, local proxies) store their baseUrl and
+        // apiKey under models.providers.<provider> in openclaw.json.  Without this
+        // lookup the resolved model object lacks baseUrl, which crashes pi-ai's
+        // detectCompat() ("Cannot read properties of undefined (reading 'includes')"),
+        // and the apiKey is unresolvable, causing 401 errors.  See #19.
+        const providerLevelConfig: Record<string, unknown> = (() => {
+          if (!isRecord(effectiveRuntimeConfig)) return {};
+          const providers = (effectiveRuntimeConfig as { models?: { providers?: Record<string, unknown> } })
+            .models?.providers;
+          if (!providers) return {};
+          const cfg = findProviderConfigValue(providers, providerId);
+          return isRecord(cfg) ? cfg : {};
+        })();
+
         const resolvedModel =
           isRecord(knownModel) &&
           typeof knownModel.api === "string" &&
@@ -429,6 +940,18 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
                 id: knownModel.id,
                 provider: knownModel.provider,
                 api: knownModel.api,
+                // Merge baseUrl/headers from provider config if not already on the model.
+                // Always set baseUrl to a string — pi-ai's detectCompat() crashes when
+                // baseUrl is undefined.
+                baseUrl:
+                  typeof knownModel.baseUrl === "string"
+                    ? knownModel.baseUrl
+                    : typeof providerLevelConfig.baseUrl === "string"
+                      ? providerLevelConfig.baseUrl
+                      : "",
+                ...(knownModel.headers == null && isRecord(providerLevelConfig.headers)
+                  ? { headers: providerLevelConfig.headers }
+                  : {}),
               }
             : {
                 id: modelId,
@@ -445,10 +968,18 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
                 },
                 contextWindow: 200_000,
                 maxTokens: 8_000,
+                // Always set baseUrl to a string — pi-ai's detectCompat() crashes when
+                // baseUrl is undefined.
+                baseUrl: typeof providerLevelConfig.baseUrl === "string"
+                  ? providerLevelConfig.baseUrl
+                  : "",
+                ...(isRecord(providerLevelConfig.headers)
+                  ? { headers: providerLevelConfig.headers }
+                  : {}),
               };
 
         let resolvedApiKey = apiKey?.trim();
-        if (!resolvedApiKey) {
+        if (!resolvedApiKey && modelAuth) {
           try {
             resolvedApiKey = resolveApiKeyFromAuthResult(
               await modelAuth.resolveApiKeyForProvider({
@@ -464,6 +995,38 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
             );
           }
         }
+        if (!resolvedApiKey && !modelAuth) {
+          resolvedApiKey = resolveApiKey(providerId, readEnv);
+        }
+        if (!resolvedApiKey && !modelAuth && typeof mod.getEnvApiKey === "function") {
+          resolvedApiKey = mod.getEnvApiKey(providerId)?.trim();
+        }
+        if (!resolvedApiKey && !modelAuth) {
+          resolvedApiKey = await resolveApiKeyFromAuthProfiles({
+            provider: providerId,
+            authProfileId,
+            agentDir,
+            appConfig: api.config,
+            runtimeConfig: effectiveRuntimeConfig,
+            piAiModule: mod,
+            envSnapshot,
+          });
+        }
+        // Fallback: read apiKey from models.providers config (e.g. proxy providers
+        // with keys like "not-needed-for-cli-proxy").
+        if (!resolvedApiKey && isRecord(effectiveRuntimeConfig)) {
+          const providers = (effectiveRuntimeConfig as { models?: { providers?: Record<string, unknown> } })
+            .models?.providers;
+          if (providers) {
+            const providerCfg = findProviderConfigValue(providers, providerId);
+            if (isRecord(providerCfg) && typeof providerCfg.apiKey === "string") {
+              const cfgKey = providerCfg.apiKey.trim();
+              if (cfgKey) {
+                resolvedApiKey = cfgKey;
+              }
+            }
+          }
+        }
 
         const completeOptions = buildCompleteSimpleOptions({
           api: resolvedModel.api,
@@ -587,28 +1150,76 @@ function createLcmDependencies(api: OpenClawPluginApi): LcmDependencies {
       return { provider, model: raw };
     },
     getApiKey: async (provider, model, options) => {
-      try {
-        return resolveApiKeyFromAuthResult(
-          await modelAuth.getApiKeyForModel({
-            model: buildModelAuthLookupModel({ provider, model }),
-            cfg: api.config,
-            ...(options?.profileId ? { profileId: options.profileId } : {}),
-            ...(options?.preferredProfile ? { preferredProfile: options.preferredProfile } : {}),
-          }),
-        );
-      } catch {
-        return undefined;
+      if (modelAuth) {
+        try {
+          const modelAuthKey = resolveApiKeyFromAuthResult(
+            await modelAuth.getApiKeyForModel({
+              model: buildModelAuthLookupModel({ provider, model }),
+              cfg: api.config,
+              ...(options?.profileId ? { profileId: options.profileId } : {}),
+              ...(options?.preferredProfile ? { preferredProfile: options.preferredProfile } : {}),
+            }),
+          );
+          if (modelAuthKey) {
+            return modelAuthKey;
+          }
+        } catch {
+          // Fall through to auth-profile lookup for older OpenClaw runtimes.
+        }
       }
+
+      const envKey = resolveApiKey(provider, readEnv);
+      if (envKey) {
+        return envKey;
+      }
+
+      const piAiModuleId = "@mariozechner/pi-ai";
+      const mod = (await import(piAiModuleId)) as PiAiModule;
+      return resolveApiKeyFromAuthProfiles({
+        provider,
+        authProfileId: options?.profileId,
+        agentDir: api.resolvePath("."),
+        runtimeConfig: api.config,
+        piAiModule: mod,
+        envSnapshot,
+      });
     },
     requireApiKey: async (provider, model, options) => {
-      const key = await resolveApiKeyFromAuthResult(
-        await modelAuth.getApiKeyForModel({
-          model: buildModelAuthLookupModel({ provider, model }),
-          cfg: api.config,
-          ...(options?.profileId ? { profileId: options.profileId } : {}),
-          ...(options?.preferredProfile ? { preferredProfile: options.preferredProfile } : {}),
-        }),
-      );
+      const key = await (async () => {
+        if (modelAuth) {
+          try {
+            const modelAuthKey = resolveApiKeyFromAuthResult(
+              await modelAuth.getApiKeyForModel({
+                model: buildModelAuthLookupModel({ provider, model }),
+                cfg: api.config,
+                ...(options?.profileId ? { profileId: options.profileId } : {}),
+                ...(options?.preferredProfile ? { preferredProfile: options.preferredProfile } : {}),
+              }),
+            );
+            if (modelAuthKey) {
+              return modelAuthKey;
+            }
+          } catch {
+            // Fall through to auth-profile lookup for older OpenClaw runtimes.
+          }
+        }
+
+        const envKey = resolveApiKey(provider, readEnv);
+        if (envKey) {
+          return envKey;
+        }
+
+        const piAiModuleId = "@mariozechner/pi-ai";
+        const mod = (await import(piAiModuleId)) as PiAiModule;
+        return resolveApiKeyFromAuthProfiles({
+          provider,
+          authProfileId: options?.profileId,
+          agentDir: api.resolvePath("."),
+          runtimeConfig: api.config,
+          piAiModule: mod,
+          envSnapshot,
+        });
+      })();
       if (!key) {
         throw new Error(`Missing API key for provider '${provider}' (model '${model}').`);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@martian-engineering/lossless-claw",
-  "version": "0.2.7",
+  "version": "0.3.0",
   "description": "Lossless Context Management plugin for OpenClaw — DAG-based conversation summarization with incremental compaction",
   "type": "module",
   "main": "index.ts",
@@ -24,7 +24,10 @@
     "LICENSE"
   ],
   "scripts": {
-    "test": "vitest run --dir test"
+    "changeset": "changeset",
+    "release:verify": "npm test && npm pack --dry-run",
+    "test": "vitest run --dir test",
+    "version-packages": "changeset version"
   },
   "dependencies": {
     "@mariozechner/pi-agent-core": "*",
@@ -32,12 +35,16 @@
     "@sinclair/typebox": "0.34.48"
   },
   "devDependencies": {
+    "@changesets/cli": "^2.30.0",
     "typescript": "^5.7.0",
     "vitest": "^3.0.0"
   },
   "peerDependencies": {
     "openclaw": "*"
   },
+  "publishConfig": {
+    "access": "public"
+  },
   "openclaw": {
     "extensions": [
       "./index.ts"

package/src/assembler.ts

@@ -262,6 +262,10 @@ function toolResultBlockFromPart(part: MessagePartRecord, rawType?: string): unk
   const output = parseStoredValue(part.toolOutput) ?? part.textContent ?? "";
   const block: Record<string, unknown> = { type, output };
 
+  if (typeof part.toolName === "string" && part.toolName.length > 0) {
+    block.name = part.toolName;
+  }
+
   if (type === "function_call_output") {
     if (typeof part.toolCallId === "string" && part.toolCallId.length > 0) {
       block.call_id = part.toolCallId;
@@ -395,6 +399,10 @@ function pickToolCallId(parts: MessagePartRecord[]): string | undefined {
     if (!decoded || typeof decoded !== "object") {
       continue;
     }
+    const metadataToolCallId = (decoded as { toolCallId?: unknown }).toolCallId;
+    if (typeof metadataToolCallId === "string" && metadataToolCallId.length > 0) {
+      return metadataToolCallId;
+    }
     const raw = (decoded as { raw?: unknown }).raw;
     if (!raw || typeof raw !== "object") {
       continue;
@@ -411,6 +419,49 @@ function pickToolCallId(parts: MessagePartRecord[]): string | undefined {
   return undefined;
 }
 
+function pickToolName(parts: MessagePartRecord[]): string | undefined {
+  for (const part of parts) {
+    if (typeof part.toolName === "string" && part.toolName.length > 0) {
+      return part.toolName;
+    }
+    const decoded = parseJson(part.metadata);
+    if (!decoded || typeof decoded !== "object") {
+      continue;
+    }
+    const metadataToolName = (decoded as { toolName?: unknown }).toolName;
+    if (typeof metadataToolName === "string" && metadataToolName.length > 0) {
+      return metadataToolName;
+    }
+    const raw = (decoded as { raw?: unknown }).raw;
+    if (!raw || typeof raw !== "object") {
+      continue;
+    }
+    const maybe = (raw as { name?: unknown }).name;
+    if (typeof maybe === "string" && maybe.length > 0) {
+      return maybe;
+    }
+    const maybeCamel = (raw as { toolName?: unknown }).toolName;
+    if (typeof maybeCamel === "string" && maybeCamel.length > 0) {
+      return maybeCamel;
+    }
+  }
+  return undefined;
+}
+
+function pickToolIsError(parts: MessagePartRecord[]): boolean | undefined {
+  for (const part of parts) {
+    const decoded = parseJson(part.metadata);
+    if (!decoded || typeof decoded !== "object") {
+      continue;
+    }
+    const metadataIsError = (decoded as { isError?: unknown }).isError;
+    if (typeof metadataIsError === "boolean") {
+      return metadataIsError;
+    }
+  }
+  return undefined;
+}
+
 /** Format a Date for XML attributes in the agent's timezone. */
 function formatDateForAttribute(date: Date, timezone?: string): string {
   const tz = timezone ?? "UTC";
@@ -674,12 +725,15 @@ export class ContextAssembler {
 
     const parts = await this.conversationStore.getMessageParts(msg.messageId);
     const roleFromStore = toRuntimeRole(msg.role, parts);
-    const toolCallId = roleFromStore === "toolResult" ? pickToolCallId(parts) : undefined;
+    const isToolResult = roleFromStore === "toolResult";
+    const toolCallId = isToolResult ? pickToolCallId(parts) : undefined;
+    const toolName = isToolResult ? (pickToolName(parts) ?? "unknown") : undefined;
+    const toolIsError = isToolResult ? pickToolIsError(parts) : undefined;
     // Tool results without a call id cannot be serialized for Anthropic-compatible APIs.
     // This happens for legacy/bootstrap rows that have role=tool but no message_parts.
     // Preserve the text by degrading to assistant content instead of emitting invalid toolResult.
     const role: "user" | "assistant" | "toolResult" =
-      roleFromStore === "toolResult" && !toolCallId ? "assistant" : roleFromStore;
+      isToolResult && !toolCallId ? "assistant" : roleFromStore;
     const content = contentFromParts(parts, role, msg.content);
     const contentText =
       typeof content === "string" ? content : (JSON.stringify(content) ?? msg.content);
@@ -713,6 +767,8 @@ export class ContextAssembler {
               role,
               content,
               ...(toolCallId ? { toolCallId } : {}),
+              ...(toolName ? { toolName } : {}),
+              ...(role === "toolResult" && toolIsError !== undefined ? { isError: toolIsError } : {}),
             } as AgentMessage),
       tokens: tokenCount,
       isMessage: true,

package/src/compaction.ts

@@ -86,7 +86,7 @@ function estimateTokens(content: string): number {
 }
 
 /** Format a timestamp as `YYYY-MM-DD HH:mm TZ` for prompt source text. */
-function formatTimestamp(value: Date, timezone: string = "UTC"): string {
+export function formatTimestamp(value: Date, timezone: string = "UTC"): string {
   try {
     const fmt = new Intl.DateTimeFormat("en-CA", {
       timeZone: timezone,

package/src/engine.ts

@@ -60,6 +60,10 @@ function safeString(value: unknown): string | undefined {
   return typeof value === "string" ? value : undefined;
 }
 
+function safeBoolean(value: unknown): boolean | undefined {
+  return typeof value === "boolean" ? value : undefined;
+}
+
 function appendTextValue(value: unknown, out: string[]): void {
   if (typeof value === "string") {
     out.push(value);
@@ -264,6 +268,12 @@ function buildMessageParts(params: {
     safeString(topLevel.tool_use_id) ??
     safeString(topLevel.call_id) ??
     safeString(topLevel.id);
+  const topLevelToolName =
+    safeString(topLevel.toolName) ??
+    safeString(topLevel.tool_name);
+  const topLevelIsError =
+    safeBoolean(topLevel.isError) ??
+    safeBoolean(topLevel.is_error);
 
   // BashExecutionMessage: preserve a synthetic text part so output is round-trippable.
   if (!("content" in message) && "command" in message && "output" in message) {
@@ -307,6 +317,9 @@ function buildMessageParts(params: {
         textContent: message.content,
         metadata: toJson({
           originalRole: role,
+          toolCallId: topLevelToolCallId,
+          toolName: topLevelToolName,
+          isError: topLevelIsError,
         }),
       },
     ];
@@ -351,7 +364,8 @@ function buildMessageParts(params: {
       toolName:
         safeString(metadataRecord?.name) ??
         safeString(metadataRecord?.toolName) ??
-        safeString(metadataRecord?.tool_name),
+        safeString(metadataRecord?.tool_name) ??
+        topLevelToolName,
       toolInput:
         metadataRecord?.input !== undefined
           ? toJson(metadataRecord.input)
@@ -368,6 +382,9 @@ function buildMessageParts(params: {
             : (safeString(metadataRecord?.tool_output) ?? null),
       metadata: toJson({
         originalRole: role,
+        toolCallId: topLevelToolCallId,
+        toolName: topLevelToolName,
+        isError: topLevelIsError,
         rawType: block.type,
         raw: metadataRecord ?? message.content[ordinal],
       }),
@@ -563,6 +580,12 @@ export class LcmContextEngine implements ContextEngine {
   };
 
   private config: LcmConfig;
+
+  /** Get the configured timezone, falling back to system timezone. */
+  get timezone(): string {
+    return this.config.timezone ?? Intl.DateTimeFormat().resolvedOptions().timeZone;
+  }
+
   private conversationStore: ConversationStore;
   private summaryStore: SummaryStore;
   private assembler: ContextAssembler;

package/src/tools/lcm-describe-tool.ts

@@ -8,6 +8,7 @@ import type { LcmDependencies } from "../types.js";
 import type { AnyAgentTool } from "./common.js";
 import { jsonResult } from "./common.js";
 import { resolveLcmConversationScope } from "./lcm-conversation-scope.js";
+import { formatTimestamp } from "../compaction.js";
 
 const LcmDescribeSchema = Type.Object({
   id: Type.String({
@@ -40,8 +41,12 @@ function normalizeRequestedTokenCap(value: unknown): number | undefined {
   return Math.max(1, Math.trunc(value));
 }
 
-function formatIso(value: Date | null | undefined): string {
-  return value instanceof Date ? value.toISOString() : "-";
+function formatIso(value: Date | null | undefined, timezone?: string): string {
+  if (!(value instanceof Date)) return "-";
+  if (timezone) {
+    return formatTimestamp(value, timezone);
+  }
+  return value.toISOString();
 }
 
 export function createLcmDescribeTool(input: {
@@ -61,6 +66,7 @@ export function createLcmDescribeTool(input: {
     parameters: LcmDescribeSchema,
     async execute(_toolCallId, params) {
       const retrieval = input.lcm.getRetrieval();
+      const timezone = input.lcm.timezone;
       const p = params as Record<string, unknown>;
       const id = (p.id as string).trim();
       const conversationScope = await resolveLcmConversationScope({
@@ -152,7 +158,7 @@ export function createLcmDescribeTool(input: {
         lines.push(
           `meta conv=${s.conversationId} kind=${s.kind} depth=${s.depth} tok=${s.tokenCount} ` +
             `descTok=${s.descendantTokenCount} srcTok=${s.sourceMessageTokenCount} ` +
-            `desc=${s.descendantCount} range=${formatIso(s.earliestAt)}..${formatIso(s.latestAt)} ` +
+            `desc=${s.descendantCount} range=${formatIso(s.earliestAt, timezone)}..${formatIso(s.latestAt, timezone)} ` +
             `budgetCap=${resolvedTokenCap}`,
         );
         if (s.parentIds.length > 0) {
@@ -167,7 +173,7 @@ export function createLcmDescribeTool(input: {
             `d${node.depthFromRoot} ${node.summaryId} k=${node.kind} tok=${node.tokenCount} ` +
               `descTok=${node.descendantTokenCount} srcTok=${node.sourceMessageTokenCount} ` +
               `desc=${node.descendantCount} child=${node.childCount} ` +
-              `range=${formatIso(node.earliestAt)}..${formatIso(node.latestAt)} ` +
+              `range=${formatIso(node.earliestAt, timezone)}..${formatIso(node.latestAt, timezone)} ` +
               `cost[s=${node.costs.summariesOnly},m=${node.costs.withMessages}] ` +
               `budget[s=${node.budgetFit.summariesOnly ? "in" : "over"},` +
               `m=${node.budgetFit.withMessages ? "in" : "over"}]`,
@@ -205,7 +211,7 @@ export function createLcmDescribeTool(input: {
         if (f.byteSize != null) {
           lines.push(`**Size:** ${f.byteSize.toLocaleString()} bytes`);
         }
-        lines.push(`**Created:** ${f.createdAt.toISOString()}`);
+        lines.push(`**Created:** ${formatIso(f.createdAt, timezone)}`);
         if (f.explorationSummary) {
           lines.push("");
           lines.push("## Exploration Summary");

package/src/tools/lcm-grep-tool.ts

@@ -4,6 +4,7 @@ import type { LcmDependencies } from "../types.js";
 import type { AnyAgentTool } from "./common.js";
 import { jsonResult } from "./common.js";
 import { parseIsoTimestampParam, resolveLcmConversationScope } from "./lcm-conversation-scope.js";
+import { formatTimestamp } from "../compaction.js";
 
 const MAX_RESULT_CHARS = 40_000; // ~10k tokens
 
@@ -83,6 +84,7 @@ export function createLcmGrepTool(input: {
     parameters: LcmGrepSchema,
     async execute(_toolCallId, params) {
       const retrieval = input.lcm.getRetrieval();
+      const timezone = input.lcm.timezone;
 
       const p = params as Record<string, unknown>;
       const pattern = (p.pattern as string).trim();
@@ -139,8 +141,8 @@ export function createLcmGrepTool(input: {
       }
       if (since || before) {
         lines.push(
-          `**Time filter:** ${since ? `since ${since.toISOString()}` : "since -∞"} | ${
-            before ? `before ${before.toISOString()}` : "before +∞"
+          `**Time filter:** ${since ? `since ${formatTimestamp(since, timezone)}` : "since -∞"} | ${
+            before ? `before ${formatTimestamp(before, timezone)}` : "before +∞"
           }`,
         );
       }
@@ -154,7 +156,7 @@ export function createLcmGrepTool(input: {
         lines.push("");
         for (const msg of result.messages) {
           const snippet = truncateSnippet(msg.snippet);
-          const line = `- [msg#${msg.messageId}] (${msg.role}, ${msg.createdAt.toISOString()}): ${snippet}`;
+          const line = `- [msg#${msg.messageId}] (${msg.role}, ${formatTimestamp(msg.createdAt, timezone)}): ${snippet}`;
           if (currentChars + line.length > MAX_RESULT_CHARS) {
             lines.push("*(truncated — more results available)*");
             break;
@@ -170,7 +172,7 @@ export function createLcmGrepTool(input: {
         lines.push("");
         for (const sum of result.summaries) {
           const snippet = truncateSnippet(sum.snippet);
-          const line = `- [${sum.summaryId}] (${sum.kind}, ${sum.createdAt.toISOString()}): ${snippet}`;
+          const line = `- [${sum.summaryId}] (${sum.kind}, ${formatTimestamp(sum.createdAt, timezone)}): ${snippet}`;
           if (currentChars + line.length > MAX_RESULT_CHARS) {
             lines.push("*(truncated — more results available)*");
             break;