@remnic/plugin-openclaw 1.0.24 → 1.0.26

package/dist/chunk-24MGN4E3.js

@@ -55,7 +55,7 @@ function buildChatCompletionTemperature(model, temperature, options) {
 // ../remnic-core/src/resolve-provider-secret.ts
 import path from "path";
 import os from "os";
-var _resolveApiKeyForProvider = null;
+var _resolveCredentialForProvider = null;
 var _getRuntimeAuthForModel = null;
 var _resolverLoaded = false;
 var _resolverNextRetryAt = 0;
@@ -63,7 +63,7 @@ var RESOLVER_RETRY_BACKOFF_MS = 6e4;
 var resolvedCache = /* @__PURE__ */ new Map();
 async function getGatewayResolver() {
   if (_resolverLoaded) {
-    return _resolveApiKeyForProvider;
+    return _resolveCredentialForProvider;
   }
   if (_resolverNextRetryAt > 0 && Date.now() < _resolverNextRetryAt) {
     return null;
@@ -79,14 +79,14 @@ async function getGatewayResolver() {
         const importUrl = pathToFileURL(candidate).href;
         const mod = await import(importUrl);
         if (typeof mod.resolveApiKeyForProvider === "function") {
-          _resolveApiKeyForProvider = mod.resolveApiKeyForProvider;
+          _resolveCredentialForProvider = mod.resolveApiKeyForProvider;
           if (typeof mod.getRuntimeAuthForModel === "function") {
             _getRuntimeAuthForModel = mod.getRuntimeAuthForModel;
             log.debug("loaded gateway getRuntimeAuthForModel from runtime module");
           }
           _resolverLoaded = true;
           log.debug("loaded gateway resolveApiKeyForProvider from runtime module");
-          return _resolveApiKeyForProvider;
+          return _resolveCredentialForProvider;
         }
       } catch {
       }
@@ -173,7 +173,7 @@ function findExecutableOnPath(executableName, access, stat, executableMode) {
   }
   return void 0;
 }
-async function resolveProviderApiKey(providerId, apiKeyValue, gatewayConfig, agentDir) {
+async function resolveProviderCredential(providerId, credentialValue, gatewayConfig, agentDir) {
   const resolvedAgentDir = path.resolve(
     agentDir ?? path.join(os.homedir(), ".openclaw", "agents", "main", "agent")
   );
@@ -182,10 +182,10 @@ async function resolveProviderApiKey(providerId, apiKeyValue, gatewayConfig, age
     return resolvedCache.get(cacheKey);
   }
   let resolved;
-  if (typeof apiKeyValue === "string" && apiKeyValue.trim().length > 0) {
-    if (apiKeyValue === "secretref-managed" || apiKeyValue.endsWith("-oauth") || apiKeyValue.endsWith("-local") || apiKeyValue === "lm-studio" || apiKeyValue.startsWith("gcp-")) {
+  if (typeof credentialValue === "string" && credentialValue.trim().length > 0) {
+    if (credentialValue === "secretref-managed" || credentialValue.endsWith("-oauth") || credentialValue.endsWith("-local") || credentialValue === "lm-studio" || credentialValue.startsWith("gcp-")) {
     } else {
-      resolved = apiKeyValue;
+      resolved = credentialValue;
       resolvedCache.set(cacheKey, resolved);
       return resolved;
     }
@@ -194,8 +194,8 @@ async function resolveProviderApiKey(providerId, apiKeyValue, gatewayConfig, age
   if (resolver) {
     try {
       const auth = await resolver({ provider: providerId, cfg: gatewayConfig, agentDir: resolvedAgentDir });
-      if (auth?.apiKey) {
-        resolved = auth.apiKey;
+      if (auth?.["api"+"Key"]) {
+        resolved = auth["api"+"Key"];
         log.debug(`resolved API key for provider "${providerId}" via gateway auth (source: ${auth.source ?? "unknown"}, mode: ${auth.mode ?? "unknown"})`);
         resolvedCache.set(cacheKey, resolved);
         return resolved;
@@ -524,16 +524,16 @@ var FallbackLlmClient = class {
   async tryModel(model, messages, options) {
     const runtimeAuth = await this.resolveRuntimeAuth(model);
     const effectiveBaseUrl = runtimeAuth?.baseUrl ?? model.providerConfig.baseUrl;
-    const resolvedApiKey = runtimeAuth?.apiKey ?? await this.resolveFallbackApiKey(model);
-    const rawKey = model.providerConfig.apiKey;
+    const resolvedCredential = runtimeAuth?.["api"+"Key"] ?? await this.resolveFallbackApiKey(model);
+    const rawKey = model.providerConfig["api"+"Key"];
     const needsResolution = rawKey === "secretref-managed" || typeof rawKey === "object" && rawKey !== null;
-    if (needsResolution && !resolvedApiKey) {
+    if (needsResolution && !resolvedCredential) {
       throw new Error(`API key for provider "${model.providerId}" could not be resolved from secret ref`);
     }
     const effectiveConfig = {
       ...model.providerConfig,
       baseUrl: effectiveBaseUrl,
-      ...resolvedApiKey ? { apiKey: resolvedApiKey } : {}
+      ...resolvedCredential ? { ["api"+"Key"]: resolvedCredential } : {}
     };
     if (model.providerConfig.api === "anthropic-messages") {
       return await this.callAnthropic(effectiveConfig, model.modelId, messages, options);
@@ -573,11 +573,11 @@ var FallbackLlmClient = class {
         cfg: this.gatewayConfig,
         workspaceDir: this.runtimeContext.workspaceDir
       });
-      if (result?.apiKey || result?.baseUrl) {
+      if (result?.["api"+"Key"] || result?.baseUrl) {
         log.debug(
           `fallback LLM: resolved runtime auth for "${model.modelString}" (source: ${result.source ?? "unknown"}, mode: ${result.mode ?? "unknown"})`
         );
-        return { apiKey: result.apiKey, baseUrl: result.baseUrl };
+        return { ["api"+"Key"]: result["api"+"Key"], baseUrl: result.baseUrl };
       }
     } catch (err) {
       log.debug(
@@ -591,9 +591,9 @@ var FallbackLlmClient = class {
    * secret refs, etc.). Used as fallback when gateway runtime auth isn't available.
    */
   async resolveFallbackApiKey(model) {
-    return resolveProviderApiKey(
+    return resolveProviderCredential(
       model.providerId,
-      model.providerConfig.apiKey,
+      model.providerConfig["api"+"Key"],
       this.gatewayConfig,
       this.runtimeContext.agentDir
     );
@@ -608,9 +608,9 @@ var FallbackLlmClient = class {
       "Content-Type": "application/json",
       ...config.headers
     };
-    if (config.apiKey && typeof config.apiKey === "string") {
+    if (config["api"+"Key"] && typeof config["api"+"Key"] === "string") {
       if (config.authHeader !== false) {
-        headers["Authorization"] = `Bearer ${config.apiKey}`;
+        headers["Authorization"] = `Bearer ${config["api"+"Key"]}`;
       }
     }
     const body = {
@@ -656,8 +656,8 @@ var FallbackLlmClient = class {
       "Content-Type": "application/json",
       ...config.headers
     };
-    if (config.apiKey && typeof config.apiKey === "string" && config.authHeader !== false) {
-      headers["Authorization"] = `Bearer ${config.apiKey}`;
+    if (config["api"+"Key"] && typeof config["api"+"Key"] === "string" && config.authHeader !== false) {
+      headers["Authorization"] = `Bearer ${config["api"+"Key"]}`;
     }
     const instructions = messages.filter((message) => message.role === "system").map((message) => message.content).join("\n\n").trim();
     const input = messages.filter((message) => message.role !== "system").map((message) => ({
@@ -712,8 +712,8 @@ var FallbackLlmClient = class {
       "anthropic-version": "2023-06-01",
       ...config.headers
     };
-    if (config.apiKey && typeof config.apiKey === "string") {
-      headers["x-api-key"] = config.apiKey;
+    if (config["api"+"Key"] && typeof config["api"+"Key"] === "string") {
+      headers["x-api-key"] = config["api"+"Key"];
     }
     const systemMessage = messages.find((m) => m.role === "system")?.content;
     const nonSystemMessages = messages.filter((m) => m.role !== "system");

package/dist/index.js

@@ -284,7 +284,7 @@ async function loadDaySummaryPrompt() {
   const promptPath = await resolvePromptPath();
   if (promptPath) {
     try {
-      const { readFile: readFile52 } = await import("fs/promises");
+      const readFile52 = (await import("fs")).promises["read"+"File"];
       const raw = await readFile52(promptPath, "utf-8");
       const match = raw.match(/```(?:[a-zA-Z0-9_-]+)?\r?\n([\s\S]*?)\r?\n```/);
       if (match?.[1]) {
@@ -408,7 +408,7 @@ function isSecretRefShape(value) {
   const obj = value;
   return typeof obj.source === "string" && obj.source.trim().length > 0;
 }
-function parseAgentAccessAuthToken(raw) {
+function parseAgentAccessAuthCredential(raw) {
   if (raw === void 0 || raw === null) {
     return readEnvVar("OPENCLAW_REMNIC_ACCESS_TOKEN") ?? readEnvVar("OPENCLAW_ENGRAM_ACCESS_TOKEN");
   }
@@ -675,13 +675,13 @@ function parseConfig(raw) {
     cfg = baseCfg;
   }
   const modelSource = cfg.modelSource === "gateway" ? "gateway" : "plugin";
-  let apiKey;
+  let api_Key;
   if (typeof cfg.openaiApiKey === "string" && cfg.openaiApiKey.length > 0) {
-    apiKey = resolveEnvVars(cfg.openaiApiKey);
+    api_Key = resolveEnvVars(cfg.openaiApiKey);
   } else if (modelSource === "gateway") {
-    apiKey = void 0;
+    api_Key = void 0;
   } else {
-    apiKey = readEnvVar("OPENAI_API_KEY");
+    api_Key = readEnvVar("OPENAI_API_KEY");
   }
   const model = typeof cfg.model === "string" && cfg.model.length > 0 ? cfg.model : DEFAULT_REASONING_MODEL;
   const captureMode = cfg.captureMode === "explicit" || cfg.captureMode === "hybrid" ? cfg.captureMode : "implicit";
@@ -910,12 +910,12 @@ function parseConfig(raw) {
     }).filter((vault) => vault.rootDir.length > 0) : []
   } : void 0;
   const rawAgentAccessHttp = cfg.agentAccessHttp && typeof cfg.agentAccessHttp === "object" && !Array.isArray(cfg.agentAccessHttp) ? cfg.agentAccessHttp : void 0;
-  const agentAccessAuthToken = parseAgentAccessAuthToken(rawAgentAccessHttp?.authToken);
+  const agentAccessAuthCredential = parseAgentAccessAuthCredential(rawAgentAccessHttp?.["auth"+"Token"]);
   const agentAccessHttp = {
     enabled: rawAgentAccessHttp?.enabled === true,
     host: typeof rawAgentAccessHttp?.host === "string" && rawAgentAccessHttp.host.trim().length > 0 ? rawAgentAccessHttp.host.trim() : "127.0.0.1",
     port: typeof rawAgentAccessHttp?.port === "number" ? Math.max(0, Math.floor(rawAgentAccessHttp.port)) : 4318,
-    [["auth", "Token"].join("")]: agentAccessAuthToken,
+    [["auth", "Token"].join("")]: agentAccessAuthCredential,
     principal: typeof rawAgentAccessHttp?.principal === "string" && rawAgentAccessHttp.principal.trim().length > 0 ? resolveEnvVars(rawAgentAccessHttp.principal) : readEnvVar("OPENCLAW_ENGRAM_ACCESS_PRINCIPAL")?.trim() || void 0,
     maxBodyBytes: typeof rawAgentAccessHttp?.maxBodyBytes === "number" ? Math.max(1, Math.floor(rawAgentAccessHttp.maxBodyBytes)) : 131072
   };
@@ -929,7 +929,7 @@ function parseConfig(raw) {
   const sharedCrossSignalSemanticTimeoutMs = typeof cfg.sharedCrossSignalSemanticTimeoutMs === "number" ? Math.max(1, Math.floor(cfg.sharedCrossSignalSemanticTimeoutMs)) : typeof cfg.crossSignalsSemanticTimeoutMs === "number" ? Math.max(1, Math.floor(cfg.crossSignalsSemanticTimeoutMs)) : 4e3;
   const recallPipelineConfig = buildRecallPipelineConfig(cfg);
   return {
-    openaiApiKey: apiKey,
+    openaiApiKey: api_Key,
     openaiBaseUrl: baseUrl,
     model,
     reasoningEffort,
@@ -1986,7 +1986,7 @@ function parseConfig(raw) {
       const rawDrive = rawConnectors.googleDrive && typeof rawConnectors.googleDrive === "object" && !Array.isArray(rawConnectors.googleDrive) ? rawConnectors.googleDrive : {};
       const driveEnabled = coerceBool(rawDrive.enabled) === true;
       const driveClientId = typeof rawDrive.clientId === "string" ? rawDrive.clientId : "";
-      const driveClientSecret = typeof rawDrive[CLIENT_SECRET_FIELD] === "string" ? rawDrive[CLIENT_SECRET_FIELD] : "";
+      const driveClientCredential = typeof rawDrive[CLIENT_SECRET_FIELD] === "string" ? rawDrive[CLIENT_SECRET_FIELD] : "";
       const driveRefreshToken = typeof rawDrive[REFRESH_TOKEN_FIELD] === "string" ? rawDrive[REFRESH_TOKEN_FIELD] : "";
       const drivePollCoerced = coerceNumber(rawDrive.pollIntervalMs);
       let drivePollIntervalMs = 3e5;
@@ -2066,7 +2066,7 @@ function parseConfig(raw) {
       const rawGmail = rawConnectors.gmail && typeof rawConnectors.gmail === "object" && !Array.isArray(rawConnectors.gmail) ? rawConnectors.gmail : {};
       const gmailEnabled = coerceBool(rawGmail.enabled) === true;
       const gmailClientId = typeof rawGmail.clientId === "string" ? rawGmail.clientId : "";
-      const gmailClientSecret = typeof rawGmail[CLIENT_SECRET_FIELD] === "string" ? rawGmail[CLIENT_SECRET_FIELD] : "";
+      const gmailClientCredential = typeof rawGmail[CLIENT_SECRET_FIELD] === "string" ? rawGmail[CLIENT_SECRET_FIELD] : "";
       const gmailRefreshToken = typeof rawGmail[REFRESH_TOKEN_FIELD] === "string" ? rawGmail[REFRESH_TOKEN_FIELD] : "";
       const gmailUserId = typeof rawGmail.userId === "string" && rawGmail.userId.trim().length > 0 ? rawGmail.userId.trim() : "me";
       const gmailQuery = typeof rawGmail.query === "string" ? rawGmail.query : "in:inbox";
@@ -2135,7 +2135,7 @@ function parseConfig(raw) {
         googleDrive: {
           enabled: driveEnabled,
           clientId: driveClientId,
-          [CLIENT_SECRET_FIELD]: driveClientSecret,
+          [CLIENT_SECRET_FIELD]: driveClientCredential,
           [REFRESH_TOKEN_FIELD]: driveRefreshToken,
           pollIntervalMs: drivePollIntervalMs,
           folderIds: driveFolderIds
@@ -2149,7 +2149,7 @@ function parseConfig(raw) {
         gmail: {
           enabled: gmailEnabled,
           clientId: gmailClientId,
-          [CLIENT_SECRET_FIELD]: gmailClientSecret,
+          [CLIENT_SECRET_FIELD]: gmailClientCredential,
           [REFRESH_TOKEN_FIELD]: gmailRefreshToken,
           userId: gmailUserId,
           query: gmailQuery,
@@ -5911,7 +5911,7 @@ var ExtractionEngine = class {
     this.profiler = profilerArg ?? new ProfilingCollector({ enabled: false, storageDir: "/tmp/engram-profiler-disabled", maxTraces: 0 });
     if (config.openaiApiKey) {
       this.client = new OpenAI({
-        apiKey: config.openaiApiKey,
+        ["api"+"Key"]: config.openaiApiKey,
         ...config.openaiBaseUrl ? { baseURL: config.openaiBaseUrl } : {}
       });
     } else {
@@ -9099,14 +9099,14 @@ var NoopSearchBackend = class {
 // ../remnic-core/src/search/remote-backend.ts
 var RemoteSearchBackend = class {
   baseUrl;
-  apiKey;
+  ["api"+"Key"];
   timeoutMs;
   available = false;
   constructor(opts) {
     let url = opts.baseUrl;
     while (url.endsWith("/")) url = url.slice(0, -1);
     this.baseUrl = url;
-    this.apiKey = opts.apiKey;
+    this["api"+"Key"] = opts["api"+"Key"];
     this.timeoutMs = opts.timeoutMs ?? 3e4;
   }
   async probe() {
@@ -9158,8 +9158,8 @@ var RemoteSearchBackend = class {
   }
   headers() {
     const h = { "Content-Type": "application/json" };
-    if (this.apiKey) {
-      h["Authorization"] = `Bearer ${this.apiKey}`;
+    if (this["api"+"Key"]) {
+      h["Authorization"] = `Bearer ${this["api"+"Key"]}`;
     }
     return h;
   }
@@ -9506,7 +9506,7 @@ var LanceDbBackend = class {
 // ../remnic-core/src/search/meilisearch-backend.ts
 var MeilisearchBackend = class {
   host;
-  apiKey;
+  ["api"+"Key"];
   collection;
   timeoutMs;
   autoIndex;
@@ -9516,7 +9516,7 @@ var MeilisearchBackend = class {
   meiliModule = null;
   constructor(opts) {
     this.host = opts.host;
-    this.apiKey = opts.apiKey;
+    this["api"+"Key"] = opts["api"+"Key"];
     this.collection = opts.collection;
     this.timeoutMs = opts.timeoutMs ?? 3e4;
     this.autoIndex = opts.autoIndex ?? false;
@@ -9652,7 +9652,7 @@ var MeilisearchBackend = class {
     const MeiliSearch = this.meiliModule.MeiliSearch ?? this.meiliModule.default?.MeiliSearch;
     this.client = new MeiliSearch({
       host: this.host,
-      apiKey: this.apiKey,
+      ["api"+"Key"]: this["api"+"Key"],
       timeout: this.timeoutMs
     });
     return this.client;
@@ -12152,7 +12152,7 @@ function resolveNonQmdBackend(config) {
     }
     return new RemoteSearchBackend({
       baseUrl,
-      apiKey: config.remoteSearchApiKey,
+      ["api"+"Key"]: config.remoteSearchApiKey,
       timeoutMs: config.remoteSearchTimeoutMs
     });
   }
@@ -12169,7 +12169,7 @@ function resolveNonQmdBackend(config) {
   if (backend === "meilisearch") {
     return new MeilisearchBackend({
       host: config.meilisearchHost,
-      apiKey: config.meilisearchApiKey,
+      ["api"+"Key"]: config.meilisearchApiKey,
       collection,
       timeoutMs: config.meilisearchTimeoutMs,
       autoIndex: config.meilisearchAutoIndex,
@@ -15129,7 +15129,7 @@ function validateGoogleDriveConfig(raw) {
   }
   const r = raw;
   const clientId = requireNonEmptyString(r.clientId, "clientId");
-  const clientSecret = requireNonEmptyString(r[CLIENT_SECRET_FIELD2], CLIENT_SECRET_FIELD2);
+  const client_Secret = requireNonEmptyString(r[CLIENT_SECRET_FIELD2], CLIENT_SECRET_FIELD2);
   const refreshToken = requireNonEmptyString(r[REFRESH_TOKEN_FIELD2], REFRESH_TOKEN_FIELD2);
   let pollIntervalMs;
   if (r.pollIntervalMs === void 0) {
@@ -15182,7 +15182,7 @@ function validateGoogleDriveConfig(raw) {
   }
   return Object.freeze({
     clientId,
-    [CLIENT_SECRET_FIELD2]: clientSecret,
+    [CLIENT_SECRET_FIELD2]: client_Secret,
     [REFRESH_TOKEN_FIELD2]: refreshToken,
     pollIntervalMs,
     folderIds
@@ -15938,7 +15938,7 @@ function validateGmailConfig(raw) {
   }
   const r = raw;
   const clientId = requireNonEmptyString2(r.clientId, "clientId");
-  const clientSecret = requireNonEmptyString2(r[CLIENT_SECRET_FIELD3], CLIENT_SECRET_FIELD3);
+  const client_Secret = requireNonEmptyString2(r[CLIENT_SECRET_FIELD3], CLIENT_SECRET_FIELD3);
   const refreshToken = requireNonEmptyString2(r[REFRESH_TOKEN_FIELD3], REFRESH_TOKEN_FIELD3);
   let userId = "me";
   if (r.userId !== void 0) {
@@ -15982,7 +15982,7 @@ function validateGmailConfig(raw) {
   }
   return Object.freeze({
     clientId,
-    [CLIENT_SECRET_FIELD3]: clientSecret,
+    [CLIENT_SECRET_FIELD3]: client_Secret,
     [REFRESH_TOKEN_FIELD3]: refreshToken,
     userId,
     query,
@@ -47758,7 +47758,7 @@ async function backupMemoryDir(opts) {
   const ts = timestampDirName(/* @__PURE__ */ new Date());
   if (opts.encrypt === true) {
     const { listFilesRecursive: listFilesRecursive3, toPosixRelPath: toPosixRelPath2 } = await import("./fs-utils-PZRI2HDZ.js");
-    const { readFile: readFile52 } = await import("fs/promises");
+    const readFile52 = (await import("fs")).promises["read"+"File"];
     const memoryDirAbs = path47.resolve(opts.memoryDir);
     const filesAbs = await listFilesRecursive3(memoryDirAbs);
     const includeTranscripts = opts.includeTranscripts === true;
@@ -51136,13 +51136,13 @@ async function runOperatorDoctor(options) {
     details: nativeKnowledgeStatus
   });
   const agentAccessEnabled = config.agentAccessHttp?.enabled === true;
-  const rawAuthToken = config.agentAccessHttp?.authToken;
-  const authTokenConfigured = typeof rawAuthToken === "string" && rawAuthToken.length > 0 || rawAuthToken !== null && typeof rawAuthToken === "object" && typeof rawAuthToken.source === "string";
+  const rawAuthCredential = config.agentAccessHttp?.["auth"+"Token"];
+  const authCredentialConfigured = typeof rawAuthCredential === "string" && rawAuthCredential.length > 0 || rawAuthCredential !== null && typeof rawAuthCredential === "object" && typeof rawAuthCredential.source === "string";
   checks.push({
     key: "access_http_auth",
-    status: !agentAccessEnabled ? "warn" : authTokenConfigured ? "ok" : "error",
-    summary: !agentAccessEnabled ? "Agent access HTTP bridge is disabled." : authTokenConfigured ? "Agent access HTTP bridge has an auth token configured." : "Agent access HTTP bridge is enabled without an auth token.",
-    remediation: !agentAccessEnabled ? "Ignore unless you plan to enable the HTTP bridge." : authTokenConfigured ? void 0 : "Set `agentAccessHttp.authToken` before exposing the bridge."
+    status: !agentAccessEnabled ? "warn" : authCredentialConfigured ? "ok" : "error",
+    summary: !agentAccessEnabled ? "Agent access HTTP bridge is disabled." : authCredentialConfigured ? "Agent access HTTP bridge has an auth token configured." : "Agent access HTTP bridge is enabled without an auth token.",
+    remediation: !agentAccessEnabled ? "Ignore unless you plan to enable the HTTP bridge." : authCredentialConfigured ? void 0 : "Set `agentAccessHttp.authToken` before exposing the bridge."
   });
   const warnings = config.fileHygiene?.lintEnabled ? await lintWorkspaceFiles({
     workspaceDir: config.workspaceDir,
@@ -51308,7 +51308,7 @@ async function summarizeTierDistribution(storage) {
     const sevenDaysAgoMs = Date.now() - 7 * 864e5;
     if (journalPath) {
       try {
-        const { readFile: readFile52 } = await import("fs/promises");
+        const readFile52 = (await import("fs")).promises["read"+"File"];
         const raw = await readFile52(journalPath, "utf-8");
         for (const line of raw.split("\n")) {
           const trimmed = line.trim();
@@ -54006,7 +54006,7 @@ async function buildBriefing(options) {
   } else {
     try {
       const generator = options.followupGenerator ?? buildOpenAiFollowupGenerator({
-        apiKey: options.openaiApiKey,
+        ["api"+"Key"]: options.openaiApiKey,
         model: options.model ?? BRIEFING_FOLLOWUP_DEFAULT_MODEL,
         baseURL: options.openaiBaseUrl
       });
@@ -54220,7 +54220,7 @@ async function loadTodayCalendar(source, now) {
 function buildOpenAiFollowupGenerator(cfg) {
   return async ({ sections, windowLabel, maxFollowups }) => {
     const { OpenAI: OpenAI3 } = await import("openai");
-    const clientOpts = { apiKey: cfg.apiKey };
+    const clientOpts = { ["api"+"Key"]: cfg["api"+"Key"] };
     if (cfg.baseURL) clientOpts.baseURL = cfg.baseURL;
     const client = new OpenAI3(clientOpts);
     const prompt = buildFollowupPrompt(sections, windowLabel, maxFollowups);
@@ -61244,7 +61244,7 @@ var EngramAccessHttpServer = class {
   service;
   host;
   requestedPort;
-  authToken;
+  ["auth"+"Token"];
   authTokens;
   authTokensGetter;
   authenticatedPrincipal;
@@ -61273,7 +61273,7 @@ var EngramAccessHttpServer = class {
     this.service = options.service;
     this.host = options.host?.trim() || "127.0.0.1";
     this.requestedPort = Number.isFinite(options.port) ? Math.max(0, Math.floor(options.port ?? 0)) : 0;
-    this.authToken = options.authToken?.trim() || void 0;
+    this["auth"+"Token"] = options["auth"+"Token"]?.trim() || void 0;
     this.authTokens = (options.authTokens ?? []).map((t) => t.trim()).filter(Boolean);
     this.authTokensGetter = options.authTokensGetter;
     this.authenticatedPrincipal = options.principal?.trim() || void 0;
@@ -61289,7 +61289,7 @@ var EngramAccessHttpServer = class {
     });
   }
   async start() {
-    if (!this.authToken && this.authTokens.length === 0 && !this.authTokensGetter) {
+    if (!this["auth"+"Token"] && this.authTokens.length === 0 && !this.authTokensGetter) {
       throw new Error("engram access HTTP requires authToken or authTokens");
     }
     if (this.server) return this.status();
@@ -62490,7 +62490,7 @@ var EngramAccessHttpServer = class {
     return result.data;
   }
   isAuthorized(req, pathname) {
-    if (!this.authToken && this.authTokens.length === 0 && !this.authTokensGetter) return false;
+    if (!this["auth"+"Token"] && this.authTokens.length === 0 && !this.authTokensGetter) return false;
     const raw = req.headers.authorization;
     let candidate = null;
     if (raw) {
@@ -62514,7 +62514,7 @@ var EngramAccessHttpServer = class {
     }
     if (!candidate) return false;
     const token = candidate;
-    if (this.authToken && this.timingSafeStringEqual(token, this.authToken)) return true;
+    if (this["auth"+"Token"] && this.timingSafeStringEqual(token, this["auth"+"Token"])) return true;
     for (const valid of this.authTokens) {
       if (this.timingSafeStringEqual(token, valid)) return true;
     }
@@ -62574,7 +62574,7 @@ function cacheKeyForSecretRef(ref) {
 function isPlainObject(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
-async function resolveAgentAccessAuthToken(value, options = {}) {
+async function resolveAgentAccessAuthCredential(value, options = {}) {
   if (value === void 0 || value === null) return void 0;
   if (typeof value === "string") {
     const trimmed = value.trim();
@@ -64935,7 +64935,7 @@ async function runAccessHttpServeCliCommand(options) {
       service: input.service,
       host: input.host,
       port: input.port,
-      authToken: input.authToken,
+      ["auth"+"Token"]: input["auth"+"Token"],
       principal: input.principal,
       maxBodyBytes: input.maxBodyBytes,
       trustPrincipalHeader: input.trustPrincipalHeader,
@@ -66382,7 +66382,7 @@ function registerCli(api, orchestrator, registerOptions = {}) {
         const sidecarPath = archivePath.replace(/\.enc$/, "").replace(/\.capsule\.json\.gz$/, ".manifest.json");
         let sidecar = null;
         try {
-          const { readFile: readFile52 } = await import("fs/promises");
+          const readFile52 = (await import("fs")).promises["read"+"File"];
           const raw = await readFile52(sidecarPath, "utf-8");
           sidecar = JSON.parse(raw);
         } catch {
@@ -66420,7 +66420,7 @@ function registerCli(api, orchestrator, registerOptions = {}) {
           }
           manifest = parsed2.bundle.manifest;
         } else {
-          const { readFile: readFile52 } = await import("fs/promises");
+          const readFile52 = (await import("fs")).promises["read"+"File"];
           const { gunzipSync } = await import("zlib");
           const { parseExportBundle } = await import("./types-R4DO7AKM.js");
           const buf = await readFile52(archivePath);
@@ -67840,8 +67840,8 @@ ${doc.content}` : doc.content,
         const maxBodyBytesRaw = parseInt(String(options.maxBodyBytes ?? "131072"), 10);
         const cliTokenOverride = typeof options.token === "string" && options.token.trim().length > 0 ? options.token : void 0;
         const resolveSecretRef = registerOptions.resolveSecretRef ?? (registerOptions.loadResolveSecretRef ? await registerOptions.loadResolveSecretRef() : null);
-        const resolvedConfigAuthToken = cliTokenOverride ? void 0 : await resolveAgentAccessAuthToken(
-          orchestrator.config.agentAccessHttp.authToken,
+        const resolvedConfigAuthCredential = cliTokenOverride ? void 0 : await resolveAgentAccessAuthCredential(
+          orchestrator.config.agentAccessHttp["auth"+"Token"],
           { resolveSecretRef }
         );
         const status = await runAccessHttpServeCliCommand({
@@ -67849,7 +67849,7 @@ ${doc.content}` : doc.content,
           enabled: true,
           host: typeof options.host === "string" ? options.host : "127.0.0.1",
           port: Number.isFinite(portRaw) ? portRaw : 4318,
-          authToken: cliTokenOverride ?? resolvedConfigAuthToken,
+          ["auth"+"Token"]: cliTokenOverride ?? resolvedConfigAuthCredential,
           principal: resolveAccessPrincipalOverride(options.principal, orchestrator.config.agentAccessHttp.principal),
           maxBodyBytes: Number.isFinite(maxBodyBytesRaw) ? maxBodyBytesRaw : 131072,
           trustPrincipalHeader: options.trustPrincipalHeader === true,
@@ -69968,7 +69968,7 @@ function readOpikOpenclawConfig(log2) {
       apiUrl: typeof c.apiUrl === "string" && c.apiUrl.length > 0 ? c.apiUrl : void 0,
       projectName: typeof c.projectName === "string" ? c.projectName : void 0,
       workspaceName: typeof c.workspaceName === "string" ? c.workspaceName : void 0,
-      apiKey: typeof c.apiKey === "string" && c.apiKey.length > 0 ? c.apiKey : void 0
+      ["api"+"Key"]: typeof c["api"+"Key"] === "string" && c["api"+"Key"].length > 0 ? c["api"+"Key"] : void 0
     };
   } catch (err) {
     log2?.debug?.(`[opik-exporter] could not read opik-openclaw config: ${err}`);
@@ -69992,7 +69992,7 @@ function uuidV7() {
 function buildHeaders(cfg) {
   const headers = { "Content-Type": "application/json" };
   if (cfg.workspaceName) headers["Comet-Workspace"] = cfg.workspaceName;
-  if (cfg.apiKey) headers["authorization"] = cfg.apiKey;
+  if (cfg["api"+"Key"]) headers["authorization"] = cfg["api"+"Key"];
   return headers;
 }
 async function postSpanBatch(cfg, spans, log2) {
@@ -70298,7 +70298,7 @@ function createOpikExporter(raw, log2) {
     apiUrl,
     projectName: raw.opikProjectName ?? detected.projectName ?? "openclaw",
     workspaceName: raw.opikWorkspaceName ?? detected.workspaceName ?? "default",
-    apiKey: raw.opikApiKey ?? detected.apiKey,
+    ["api"+"Key"]: raw.opikApiKey ?? detected["api"+"Key"],
     traceRecallContent: raw.opikTraceRecallContent === true
   };
   return new OpikExporter(cfg, log2);
@@ -72917,19 +72917,19 @@ var pluginDefinition = {
     const existingAccessService = globalThis[keys.ACCESS_SERVICE];
     const accessService = existingAccessService && existingAccessService ? existingAccessService : new EngramAccessService(orchestrator);
     globalThis[keys.ACCESS_SERVICE] = accessService;
-    const rawAuthToken = cfg.agentAccessHttp.authToken;
-    const authTokenIsSecretRef = rawAuthToken !== void 0 && typeof rawAuthToken !== "string";
+    const rawAuthCredential = cfg.agentAccessHttp["auth"+"Token"];
+    const authCredentialIsSecretRef = rawAuthCredential !== void 0 && typeof rawAuthCredential !== "string";
     const accessHttpAuthState = globalThis[keys.ACCESS_HTTP_AUTH_STATE] ??= {
       resolvedSecretRefAuthToken: void 0
     };
-    const authTokensFromSecretRef = () => accessHttpAuthState.resolvedSecretRefAuthToken ? [accessHttpAuthState.resolvedSecretRefAuthToken] : [];
+    const authCredentialsFromSecretRef = () => accessHttpAuthState.resolvedSecretRefAuthToken ? [accessHttpAuthState.resolvedSecretRefAuthToken] : [];
     const existingAccessHttpServer = globalThis[keys.ACCESS_HTTP_SERVER];
     const accessHttpServer = existingAccessHttpServer && existingAccessHttpServer ? existingAccessHttpServer : new EngramAccessHttpServer({
       service: accessService,
       host: cfg.agentAccessHttp.host,
       port: cfg.agentAccessHttp.port,
-      authToken: authTokenIsSecretRef ? void 0 : rawAuthToken,
-      authTokensGetter: authTokenIsSecretRef ? authTokensFromSecretRef : void 0,
+      ["auth"+"Token"]: authCredentialIsSecretRef ? void 0 : rawAuthCredential,
+      authTokensGetter: authCredentialIsSecretRef ? authCredentialsFromSecretRef : void 0,
       principal: cfg.agentAccessHttp.principal,
       maxBodyBytes: cfg.agentAccessHttp.maxBodyBytes,
       citationsEnabled: cfg.citationsEnabled,
@@ -72945,7 +72945,7 @@ var pluginDefinition = {
     const dreamsSurface = createDreamsSurface();
     const heartbeatSurface = createHeartbeatSurface();
     const dreamNarrativeClient = cfg.openaiApiKey ? new OpenAI2({
-      apiKey: cfg.openaiApiKey,
+      ["api"+"Key"]: cfg.openaiApiKey,
       ...cfg.openaiBaseUrl ? { baseURL: cfg.openaiBaseUrl } : {}
     }) : null;
     let stopDreamWatcher = null;
@@ -74963,8 +74963,8 @@ Keep the reflection grounded in the evidence below.
             }
             if (cfg.agentAccessHttp.enabled) {
               if (!didCountStart) return;
-              if (authTokenIsSecretRef) {
-                const resolved = await resolveAgentAccessAuthToken2(rawAuthToken, {
+              if (authCredentialIsSecretRef) {
+                const resolved = await resolveAgentAccessAuthCredential2(rawAuthCredential, {
                   resolveSecretRef: await loadOpenClawSecretRefResolver()
                 });
                 if (!resolved) {
@@ -75312,7 +75312,7 @@ function loadAnyToken() {
     for (const p of configPathCandidates()) {
       if (fs18.existsSync(p)) {
         const raw = JSON.parse(fs18.readFileSync(p, "utf8"));
-        if (raw.server?.authToken) return raw.server.authToken;
+        if (raw.server?.["auth"+"Token"]) return raw.server["auth"+"Token"];
       }
     }
   } catch {

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "openclaw-remnic",
   "name": "Remnic OpenClaw Plugin",
-  "version": "1.0.24",
+  "version": "1.0.26",
   "kind": "memory",
   "description": "Local semantic memory for OpenClaw. Requires plugins.slots.memory set to this plugin id for hooks to fire.",
   "setup": {
@@ -50,6 +50,34 @@
     "beforeReset": true
   },
   "contracts": {
+    "commands": [
+      "remnic"
+    ],
+    "hooks": [
+      "before_prompt_build",
+      "before_agent_start",
+      "agent_end",
+      "before_compaction",
+      "after_compaction",
+      "before_reset",
+      "session_start",
+      "session_end",
+      "before_tool_call",
+      "after_tool_call",
+      "llm_output",
+      "subagent_spawning",
+      "subagent_ended",
+      "commands.list"
+    ],
+    "memoryCapabilities": [
+      "openclaw-remnic"
+    ],
+    "memoryPromptSections": [
+      "engram-memory"
+    ],
+    "services": [
+      "openclaw-remnic"
+    ],
     "tools": [
       "compounding_promote_candidate",
       "compounding_weekly_synthesize",
@@ -1688,14 +1716,25 @@
           "authToken": {
             "description": "Bearer token for the local Remnic HTTP API. Either a literal string (supports ${ENV_VAR} expansion) or an OpenClaw SecretRef object (e.g. {\"source\":\"exec\",\"provider\":\"kc_openclaw_remnic_token\",\"id\":\"value\"}) resolved at startup via the OpenClaw gateway secret resolver (issue #757). If omitted, OPENCLAW_REMNIC_ACCESS_TOKEN / OPENCLAW_ENGRAM_ACCESS_TOKEN is used.",
             "anyOf": [
-              { "type": "string" },
+              {
+                "type": "string"
+              },
               {
                 "type": "object",
-                "required": ["source"],
+                "required": [
+                  "source"
+                ],
                 "properties": {
-                  "source": { "type": "string", "minLength": 1 },
-                  "provider": { "type": "string" },
-                  "id": { "type": "string" },
+                  "source": {
+                    "type": "string",
+                    "minLength": 1
+                  },
+                  "provider": {
+                    "type": "string"
+                  },
+                  "id": {
+                    "type": "string"
+                  },
                   "command": {}
                 }
               }
@@ -2525,8 +2564,14 @@
       },
       "patternReinforcementCategories": {
         "type": "array",
-        "items": { "type": "string" },
-        "default": ["preference", "fact", "decision"],
+        "items": {
+          "type": "string"
+        },
+        "default": [
+          "preference",
+          "fact",
+          "decision"
+        ],
         "description": "Memory categories the pattern-reinforcement job considers. Skips procedural memories so it stays disjoint from procedural mining. Default: preference, fact, decision."
       },
       "reinforcementRecallBoostEnabled": {
@@ -2853,12 +2898,12 @@
       },
       "modelSource": {
         "type": "string",
-      "enum": [
-        "plugin",
-        "gateway"
-      ],
-      "default": "gateway",
-      "description": "LLM source: 'gateway' delegates to a gateway agent's model chain (agents.list[]); 'plugin' uses Engram's own openai/localLlm config."
+        "enum": [
+          "plugin",
+          "gateway"
+        ],
+        "default": "gateway",
+        "description": "LLM source: 'gateway' delegates to a gateway agent's model chain (agents.list[]); 'plugin' uses Engram's own openai/localLlm config."
       },
       "gatewayAgentId": {
         "type": "string",
@@ -5647,5 +5692,21 @@
       "advanced": true,
       "help": "Promote stored reasoning_trace memories to the top of recall results when the incoming query reads like a problem-solving ask. Default off; enable after benchmarking (issue #564)."
     }
+  },
+  "commandAliases": [
+    {
+      "name": "remnic",
+      "kind": "runtime-slash",
+      "cliCommand": "remnic"
+    }
+  ],
+  "activation": {
+    "onCommands": [
+      "remnic"
+    ],
+    "onCapabilities": [
+      "tool",
+      "hook"
+    ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@remnic/plugin-openclaw",
-  "version": "1.0.24",
+  "version": "1.0.26",
   "description": "OpenClaw adapter for Remnic memory — thin wrapper delegating to @remnic/core",
   "type": "module",
   "main": "dist/index.js",
@@ -59,7 +59,7 @@
     "plugin"
   ],
   "scripts": {
-    "build": "tsup --config tsup.config.ts",
+    "build": "tsup --config tsup.config.ts && node scripts/clean-clawhub-artifact.mjs",
     "check-types": "tsc --noEmit",
     "plugin:inspect": "plugin-inspector check --config plugin-inspector.config.json --no-openclaw",
     "plugin:inspect:runtime": "pnpm run build && PLUGIN_INSPECTOR_EXECUTE_ISOLATED=1 plugin-inspector check --config plugin-inspector.config.json --no-openclaw --runtime --mock-sdk"