@ozaiya/openclaw-channel 0.10.26 → 0.10.28

package/README.md

@@ -1,6 +1,6 @@
 # @ozaiya/openclaw-channel
 
-[OpenClaw](https://openclaw.ai) channel plugin for [Ozaiya](https://ozai.dev) E2E encrypted group chat.
+[OpenClaw](https://openclaw.ai) channel plugin for [Ozaiya](https://ozaiya.com) E2E encrypted group chat.
 
 ## Overview
 
@@ -85,7 +85,7 @@ Notes:
 ## Requirements
 
 - [OpenClaw](https://openclaw.ai) >= 2026.0.0
-- An [Ozaiya](https://ozai.dev) account
+- An [Ozaiya](https://ozaiya.com) account
 
 ## License
 

package/dist/src/cdpLogin.d.ts

@@ -0,0 +1,21 @@
+export interface CdpCookie {
+    name: string;
+    value: string;
+    domain: string;
+    /** Unix seconds; -1 / undefined for a session cookie. */
+    expires?: number;
+}
+export interface LoginCdpClient {
+    /** JPEG of the current page (the login / QR wall). */
+    screenshot: (quality?: number) => Promise<Buffer | null>;
+    /** All cookies (incl. HttpOnly — only reachable via CDP, not document.cookie). */
+    getCookies: () => Promise<CdpCookie[]>;
+    /** Top-frame URL (so we can tell when the page leaves a login/auth page). */
+    currentUrl: () => Promise<string | null>;
+    close: () => void;
+}
+/**
+ * Open a short-lived CDP client against the browser's active page target.
+ * Returns null if the browser is unreachable or has no page target.
+ */
+export declare function connectLoginCdp(host: string, port: number): Promise<LoginCdpClient | null>;

package/dist/src/cdpLogin.js

@@ -0,0 +1,133 @@
+/**
+ * One-shot CDP helpers for the human-in-the-loop login handoff (`request_login`).
+ *
+ * Unlike sandboxScreenCdp's continuous screencast, this is a short-lived client for
+ * a few discrete calls: grab a screenshot of the current page (the login / QR wall),
+ * read cookies (to detect a completed login), and read the current URL. It connects
+ * to the SAME browser CDP endpoint the screencast uses (e.g. browser:9222, Host
+ * spoofed to localhost), so it sees exactly the page the agent's browser plugin is
+ * driving.
+ *
+ * Generic by design: nothing here is goofish/闲鱼-specific. The CALLER decides what a
+ * "successful login" looks like (a cookie appearing, or the URL leaving the login
+ * page), so the same handoff works for any login-gated site and any bot.
+ *
+ * CDP reachability: Chromium rejects DevTools HTTP/WS whose Host header isn't an IP
+ * or `localhost`, so we spoof `Host: localhost` — same trick sandboxScreenCdp uses.
+ */
+import http from "node:http";
+/** GET a CDP HTTP endpoint with a spoofed localhost Host header. */
+function cdpGet(host, port, path) {
+    return new Promise((resolve, reject) => {
+        const req = http.request({ host, port, path, headers: { Host: "localhost" }, timeout: 5000 }, (res) => {
+            let body = "";
+            res.on("data", (c) => (body += c));
+            res.on("end", () => resolve(body));
+        });
+        req.on("error", reject);
+        req.on("timeout", () => { req.destroy(new Error("cdp http timeout")); });
+        req.end();
+    });
+}
+/**
+ * Open a short-lived CDP client against the browser's active page target.
+ * Returns null if the browser is unreachable or has no page target.
+ */
+export async function connectLoginCdp(host, port) {
+    const WsModule = await import("ws");
+    const WSImpl = (WsModule.default ?? WsModule);
+    // Discover the page target's ws path (Host spoofed to localhost). Prefer a real
+    // http(s) page over about:blank/devtools so we capture the page the agent is on.
+    let pageWsPath;
+    try {
+        const json = await cdpGet(host, port, "/json");
+        const targets = JSON.parse(json);
+        const pages = targets.filter((t) => t.type === "page" && t.webSocketDebuggerUrl);
+        const page = pages.find((t) => /^https?:/i.test(t.url ?? "")) ?? pages[0];
+        if (!page?.webSocketDebuggerUrl)
+            return null;
+        pageWsPath = new URL(page.webSocketDebuggerUrl).pathname;
+    }
+    catch {
+        return null;
+    }
+    const ws = new WSImpl(`ws://${host}:${port}${pageWsPath}`, { headers: { Host: "localhost" } });
+    ws.binaryType = "arraybuffer";
+    const pending = new Map();
+    let cmdId = 1;
+    let closed = false;
+    ws.on("message", (raw) => {
+        let msg;
+        try {
+            msg = JSON.parse(typeof raw === "string" ? raw : Buffer.from(raw).toString());
+        }
+        catch {
+            return;
+        }
+        if (typeof msg.id === "number" && pending.has(msg.id)) {
+            const p = pending.get(msg.id);
+            clearTimeout(p.timer);
+            pending.delete(msg.id);
+            p.resolve(msg.result ?? null);
+        }
+    });
+    ws.on("error", () => { });
+    const opened = await new Promise((resolve) => {
+        const t = setTimeout(() => resolve(false), 5000);
+        ws.on("open", () => { clearTimeout(t); resolve(true); });
+        ws.on("close", () => { clearTimeout(t); resolve(false); });
+    });
+    if (!opened) {
+        try {
+            ws.close();
+        }
+        catch { /* ignore */ }
+        return null;
+    }
+    const call = (method, params, timeoutMs = 6000) => new Promise((resolve) => {
+        if (closed || ws.readyState !== 1) {
+            resolve(null);
+            return;
+        }
+        const id = cmdId++;
+        const timer = setTimeout(() => { pending.delete(id); resolve(null); }, timeoutMs);
+        pending.set(id, { resolve, timer });
+        try {
+            ws.send(JSON.stringify({ id, method, params }));
+        }
+        catch {
+            clearTimeout(timer);
+            pending.delete(id);
+            resolve(null);
+        }
+    });
+    await call("Network.enable");
+    return {
+        async screenshot(quality = 75) {
+            const r = await call("Page.captureScreenshot", { format: "jpeg", quality }, 8000);
+            const data = r?.data;
+            return data ? Buffer.from(data, "base64") : null;
+        },
+        async getCookies() {
+            const r = await call("Network.getAllCookies");
+            const cookies = r?.cookies;
+            return Array.isArray(cookies) ? cookies : [];
+        },
+        async currentUrl() {
+            const r = await call("Runtime.evaluate", { expression: "location.href", returnByValue: true });
+            const v = r?.result?.value;
+            return typeof v === "string" ? v : null;
+        },
+        close() {
+            closed = true;
+            for (const p of pending.values())
+                clearTimeout(p.timer);
+            pending.clear();
+            try {
+                ws.close();
+            }
+            catch { /* ignore */ }
+        },
+    };
+}
+//# sourceMappingURL=cdpLogin.js.map

package/dist/src/cdpLogin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdpLogin.js","sourceRoot":"","sources":["../../src/cdpLogin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,oEAAoE;AACpE,SAAS,MAAM,CAAC,IAAY,EAAE,IAAY,EAAE,IAAY;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CACtB,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EACnE,CAAC,GAAG,EAAE,EAAE;YACN,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC;YACnC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACrC,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAoBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY,EAAE,IAAY;IAE9D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,CAAC,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAkC,CAAC;IAE/E,gFAAgF;IAChF,iFAAiF;IACjF,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyE,CAAC;QACzG,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,oBAAoB,CAAC,CAAC;QACjF,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1E,IAAI,CAAC,IAAI,EAAE,oBAAoB;YAAE,OAAO,IAAI,CAAC;QAC7C,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,QAAQ,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,GAAO,IAAI,MAAM,CAAC,QAAQ,IAAI,IAAI,IAAI,GAAG,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IAClG,EAAwC,CAAC,UAAU,GAAG,aAAa,CAAC;IAErE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmF,CAAC;IAC3G,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,MAAM,GAAG,KAAK,CAAC;IAEnB,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAkC,EAAE,EAAE;QACtD,IAAI,GAAsC,CAAC;QAC3C,IAAI,CAAC;YAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO;QAAC,CAAC;QACvH,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;YAC/B,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACtB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA+C,CAAC,CAAC,CAAC;IAEtE,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;QACpD,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;QACjD,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzD,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,EAAE,CAAC;QAAC,IAAI,CAAC;YAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAExE,MAAM,IAAI,GAAG,CAAC,MAAc,EAAE,MAAgC,EAAE,SAAS,GAAG,IAAI,EAAoB,EAAE,CACpG,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACtB,IAAI,MAAM,IAAI,EAAE,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAClF,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC;YAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAAC,CAAC;QACxD,MAAM,CAAC;YAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEL,MAAM,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAE7B,OAAO;QACL,KAAK,CAAC,UAAU,CAAC,OAAO,GAAG,EAAE;YAC3B,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,wBAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,IAAI,GAAI,CAA8B,EAAE,IAAI,CAAC;YACnD,OAAO,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACnD,CAAC;QACD,KAAK,CAAC,UAAU;YACd,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAI,CAAsC,EAAE,OAAO,CAAC;YACjE,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,KAAK,CAAC,UAAU;YACd,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/F,MAAM,CAAC,GAAI,CAA4C,EAAE,MAAM,EAAE,KAAK,CAAC;YACvE,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1C,CAAC;QACD,KAAK;YACH,MAAM,GAAG,IAAI,CAAC;YACd,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE;gBAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACxD,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC;gBAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/channel.js

@@ -13,6 +13,7 @@ import { registerPluginHttpRoute } from "openclaw/plugin-sdk/webhook-ingress";
 import { unwrapGroupKey, decryptMessage, encryptMessage, wrapGroupKey } from "./crypto.js";
 import { resolveImageGenerationConfig, generateImage } from "./imageGeneration.js";
 import { createDesktopTool } from "./desktopTool.js";
+import { connectLoginCdp } from "./cdpLogin.js";
 import { startRecording, stopAndExtractRecording } from "./desktopRecorder.js";
 import { sendMessage, probeApi, fetchGroups, addMember, getUserPublicKeys, toggleReaction, editMessage, deleteMessage, pinMessage, unpinMessage, uploadFile, searchUsers, fetchLinkPreview, joinCall, leaveCall, startCall, startPhoneCall, endPhoneCall, updatePhoneCallStatus, } from "./api.js";
 import { botCreateDirect, botCreateGroup } from "./botActions.js";
@@ -30,7 +31,7 @@ import { summarizeWithDoubao } from "./doubao.js";
 import { fetchXueqiuPost, searchXueqiuPosts } from "./xueqiu.js";
 import { fetchSocialMediaPost, searchSocialMedia, extractSocialMediaContent } from "./socialMedia.js";
 import { requestConfirmation, parseActionCallback, resolveConfirmation } from "./actionConfirmation.js";
-const DEFAULT_API_BASE_URL = "https://api.ozai.dev";
+const DEFAULT_API_BASE_URL = "https://api.ozaiya.com";
 const DEFAULT_WEBHOOK_PATH = "/ozaiya/webhook";
 const DEFAULT_ACCOUNT_ID = "default";
 const GATEWAY_ACCOUNT_ID = "ozaiya-gateway";
@@ -63,6 +64,9 @@ const READ_ONLY_TOOLS = new Set([
     "update_plan",
     // publish_artifact registers a deliverable; surfaced in its own section, not a step.
     "publish_artifact",
+    // request_login is an interactive human-handoff; the QR/login message it posts to
+    // the chat IS the visible signal, so it shouldn't also show as a work step.
+    "request_login",
 ]);
 // Explicit tool → category overrides. Anything not listed falls through to the
 // keyword heuristic in categorize() below.
@@ -1623,6 +1627,105 @@ function buildChannelTools(account, cfg) {
             }
         },
     });
+    // Login handoff tool: when the agent hits a login wall (sign-in page, QR scan,
+    // captcha, 2FA) it can't get past on its own, this captures the current browser
+    // screen, sends it to the chat for the human to scan / log in, and BLOCKS until
+    // they finish or it times out. Generic by design — works for any login-gated site
+    // (the QR's a screenshot; success is detected by a login cookie appearing or the
+    // page leaving the login URL), so the same primitive serves any bot, not just goofish.
+    tools.push({
+        name: "request_login",
+        label: "Request Login",
+        ownerOnly: false,
+        description: "Ask the human to complete an interactive login when a site blocks you with a sign-in wall, QR-code scan, captcha, or 2FA that you cannot pass yourself. " +
+            "Call this the MOMENT you land on such a page and cannot proceed — do NOT give up, and do NOT fall back to web search. " +
+            "It captures the current browser screen, sends it to the chat so the user can scan / sign in, and waits until they finish (or it times out). " +
+            "When it returns loggedIn:true, reload the page and continue the task. " +
+            "Optional: `message` (instruction shown to the user) and `timeoutSec` (how long to wait, default 180).",
+        parameters: {
+            type: "object",
+            properties: {
+                message: { type: "string", description: "Short instruction shown to the user, e.g. '请用手机闲鱼/淘宝扫码登录'." },
+                timeoutSec: { type: "number", description: "Seconds to wait for the user (default 180, max 600)." },
+            },
+        },
+        execute: async (_toolCallId, rawArgs) => {
+            const args = (rawArgs ?? {});
+            const dispatch = activeDispatches.get(account.accountId);
+            const groupId = dispatch?.groupId ?? accountToOriginGroupId.get(account.accountId);
+            if (!groupId) {
+                return { content: [{ type: "text", text: "No active chat to send the login request to." }] };
+            }
+            // Same CDP endpoint the screencast uses: in-container NOVNC_HOST:9222, else local.
+            const host = process.env.NOVNC_HOST || "localhost";
+            const port = Number(process.env.OPENCLAW_BROWSER_CDP_PORT || process.env.CDP_PORT || "9222");
+            const timeoutMs = Math.min(600, Math.max(30, Number(args.timeoutSec) || 180)) * 1000;
+            const cdp = await connectLoginCdp(host, port);
+            if (!cdp) {
+                return { content: [{ type: "text", text: `Could not reach the browser to capture the login screen (CDP ${host}:${port}). Tell the user login is required but the screen can't be shown.` }] };
+            }
+            // Generic login-success detection — no site-specific assumptions:
+            //  (a) a strong auth cookie appears or changes (taobao/ali family incl. goofish
+            //      `unb`; these are only set on login, so a new value = a fresh sign-in), OR
+            //  (b) the page navigates away from the login/auth URL it started on.
+            const AUTH_COOKIES = ["unb", "_l_g_", "lgc"];
+            const LOGIN_URL_RE = /passport\.|login\.|\/login|signin|sign-in|account\.|\/auth/i;
+            const authSnapshot = (cs) => {
+                const m = {};
+                for (const c of cs)
+                    if (AUTH_COOKIES.includes(c.name) && c.value)
+                        m[c.name] = c.value;
+                return m;
+            };
+            try {
+                const startUrl = (await cdp.currentUrl()) ?? "";
+                const startedOnLogin = LOGIN_URL_RE.test(startUrl);
+                const startAuth = authSnapshot(await cdp.getCookies());
+                const sendShot = async (note) => {
+                    const shot = await cdp.screenshot();
+                    if (!shot)
+                        return false;
+                    const uploaded = await uploadFile(account.apiBaseUrl, account.botToken, groupId, `login-${Date.now()}.jpg`, "image/jpeg", shot);
+                    await sendEncryptedChatContent({ account, groupId, content: { files: [uploaded], text: note } }).catch(() => { });
+                    return true;
+                };
+                const mins = Math.max(1, Math.round(timeoutMs / 60000));
+                const instruction = (args.message?.trim() || "🔐 需要登录后才能继续。请用手机扫描下方二维码（或在此页面登录），完成后我会自动继续。") +
+                    `（约 ${mins} 分钟内有效）`;
+                if (!(await sendShot(instruction))) {
+                    cdp.close();
+                    return { content: [{ type: "text", text: "Failed to capture the login screen." }] };
+                }
+                const deadline = Date.now() + timeoutMs;
+                let resent = false;
+                while (Date.now() < deadline) {
+                    await new Promise((r) => setTimeout(r, 3000));
+                    const nowAuth = authSnapshot(await cdp.getCookies());
+                    const url = (await cdp.currentUrl()) ?? "";
+                    const authChanged = Object.keys(nowAuth).some((n) => nowAuth[n] !== startAuth[n]); // appeared or rotated on sign-in
+                    const leftLogin = startedOnLogin && !!url && !LOGIN_URL_RE.test(url);
+                    if (authChanged || leftLogin) {
+                        await sendEncryptedChatContent({ account, groupId, content: { text: "✅ 登录成功，继续任务。" } }).catch(() => { });
+                        cdp.close();
+                        return { content: [{ type: "text", text: "loggedIn:true — the user completed login. Reload the page and continue the task." }] };
+                    }
+                    // Re-send a fresh capture once past the halfway mark (the first QR may expire).
+                    if (!resent && Date.now() > deadline - timeoutMs / 2) {
+                        resent = true;
+                        await sendShot("⏳ 这是最新的二维码，请尽快扫码登录。").catch(() => { });
+                    }
+                }
+                await sendEncryptedChatContent({ account, groupId, content: { text: "⌛ 登录等待超时，已取消。如需继续请重新发起任务并尽快扫码。" } }).catch(() => { });
+                cdp.close();
+                return { content: [{ type: "text", text: "loggedIn:false — login timed out; the user did not sign in. Do not retry the gated page; tell the user it requires login." }] };
+            }
+            catch (err) {
+                cdp.close();
+                const msg = err instanceof Error ? err.message : String(err);
+                return { content: [{ type: "text", text: `request_login error: ${msg}` }] };
+            }
+        },
+    });
     // Wrap non-read-only tools with progress tracking.
     // When the tool executes, it looks up the current active dispatch for this account.
     const accountId = account.accountId;