@remnic/plugin-openclaw 1.0.9 → 1.0.11

package/dist/chunk-NKVIN6RD.js

@@ -0,0 +1,118 @@
+// ../remnic-core/src/transfer/fs-utils.ts
+import { createHash } from "crypto";
+import {
+  lstat,
+  mkdir,
+  readdir,
+  readFile,
+  realpath,
+  stat,
+  writeFile
+} from "fs/promises";
+import path from "path";
+async function sha256File(filePath) {
+  const buf = await readFile(filePath);
+  const sha256 = createHash("sha256").update(buf).digest("hex");
+  return { sha256, bytes: buf.byteLength };
+}
+function sha256String(content) {
+  const buf = Buffer.from(content, "utf-8");
+  const sha256 = createHash("sha256").update(buf).digest("hex");
+  return { sha256, bytes: buf.byteLength };
+}
+async function writeJsonFile(filePath, value) {
+  await mkdir(path.dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(value, null, 2) + "\n", "utf-8");
+}
+async function readJsonFile(filePath) {
+  const raw = await readFile(filePath, "utf-8");
+  return JSON.parse(raw);
+}
+async function listFilesRecursive(rootDir) {
+  const out = [];
+  async function walk(dir) {
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const ent of entries) {
+      const fp = path.join(dir, ent.name);
+      if (ent.isDirectory()) {
+        await walk(fp);
+      } else if (ent.isFile()) {
+        out.push(fp);
+      }
+    }
+  }
+  await walk(rootDir);
+  return out.sort();
+}
+async function ensureDirExists(dirPath) {
+  await mkdir(dirPath, { recursive: true });
+}
+async function fileExists(filePath) {
+  try {
+    await stat(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function toPosixRelPath(absPath, rootDir) {
+  const rel = path.relative(rootDir, absPath);
+  return rel.split(path.sep).join("/");
+}
+function fromPosixRelPath(relPath) {
+  return relPath.split("/").join(path.sep);
+}
+function isPathInsideRoot(rootReal, absPath) {
+  const rel = path.relative(rootReal, absPath);
+  if (rel === "") return true;
+  if (rel === "..") return false;
+  if (rel.startsWith(`..${path.sep}`)) return false;
+  if (path.isAbsolute(rel)) return false;
+  return true;
+}
+async function assertIsDirectoryNotSymlink(absPath, errorPrefix, argName) {
+  const st = await stat(absPath).catch(() => null);
+  if (!st || !st.isDirectory()) {
+    throw new Error(
+      `${errorPrefix}: '${argName}' must be an existing directory: ${absPath}`
+    );
+  }
+  const lst = await lstat(absPath).catch(() => null);
+  if (lst && lst.isSymbolicLink()) {
+    throw new Error(
+      `${errorPrefix}: '${argName}' must not be a symlink \u2014 resolve it to its real path first: ${absPath}`
+    );
+  }
+}
+async function assertRealpathInsideRoot(rootReal, targetAbs, sourcePath, errorPrefix) {
+  let existing = targetAbs;
+  const suffix = [];
+  while (existing !== path.dirname(existing)) {
+    const st = await lstat(existing).catch(() => null);
+    if (st !== null) break;
+    suffix.unshift(path.basename(existing));
+    existing = path.dirname(existing);
+  }
+  const existingReal = await realpath(existing).catch(() => existing);
+  const targetReal = suffix.length > 0 ? path.join(existingReal, ...suffix) : existingReal;
+  if (!isPathInsideRoot(rootReal, targetReal)) {
+    throw new Error(
+      `${errorPrefix}: record path escapes target root via symlink: ${sourcePath}`
+    );
+  }
+}
+
+export {
+  sha256File,
+  sha256String,
+  writeJsonFile,
+  readJsonFile,
+  listFilesRecursive,
+  ensureDirExists,
+  fileExists,
+  toPosixRelPath,
+  fromPosixRelPath,
+  isPathInsideRoot,
+  assertIsDirectoryNotSymlink,
+  assertRealpathInsideRoot
+};

package/dist/chunk-OEI7GLV2.js

@@ -0,0 +1,17 @@
+import {
+  resolveHomeDir
+} from "./chunk-I6B2W2IY.js";
+
+// ../remnic-core/src/utils/path.ts
+import path from "path";
+function expandTildePath(p) {
+  if (p === "~") return resolveHomeDir();
+  if (p.startsWith("~/") || p.startsWith("~\\")) {
+    return path.join(resolveHomeDir(), p.slice(2));
+  }
+  return p;
+}
+
+export {
+  expandTildePath
+};

package/dist/{chunk-S2ISS4AH.js → chunk-P3DIW2SD.js}

@@ -1,18 +1,18 @@
-import {
-  readEnvVar,
-  resolveHomeDir
-} from "./chunk-7TENHBV2.js";
-import {
-  StorageManager,
-  isConsolidationOperator
-} from "./chunk-JJSNPSCD.js";
 import {
   countRecallTokenOverlap,
   normalizeRecallTokens
-} from "./chunk-YHH3SXKD.js";
+} from "./chunk-WPINX4MF.js";
+import {
+  StorageManager,
+  isSemanticConsolidationLlmOperator
+} from "./chunk-TNH24SF6.js";
 import {
   log
 } from "./chunk-UFU5GGGA.js";
+import {
+  readEnvVar,
+  resolveHomeDir
+} from "./chunk-I6B2W2IY.js";
 
 // ../remnic-core/src/connectors/codex-materialize-runner.ts
 import path2 from "path";
@@ -990,7 +990,7 @@ function parseOperatorAwareConsolidationResponse(response, cluster) {
   const obj = parsed;
   const rawOperator = typeof obj.operator === "string" ? obj.operator.trim().toLowerCase() : "";
   const rawOutput = typeof obj.output === "string" ? obj.output : "";
-  const operator = isConsolidationOperator(rawOperator) ? rawOperator : chooseConsolidationOperator(cluster);
+  const operator = isSemanticConsolidationLlmOperator(rawOperator) ? rawOperator : chooseConsolidationOperator(cluster);
   const output = rawOutput.trim().length > 0 ? rawOutput.trim() : response.trim();
   return { operator, output };
 }

package/dist/{chunk-7TENHBV2.js → chunk-RQCTMECT.js}

@@ -4,6 +4,9 @@ import {
 import {
   log
 } from "./chunk-UFU5GGGA.js";
+import {
+  readEnvVar
+} from "./chunk-I6B2W2IY.js";
 
 // ../remnic-core/src/openai-chat-compat.ts
 function normalizedModel(model) {
@@ -38,51 +41,9 @@ function buildChatCompletionTokenLimit(model, maxTokens, options) {
   return { max_tokens: safeMaxTokens };
 }
 
-// ../remnic-core/src/runtime/env.ts
-import os from "os";
-var REMNIC_ENGRAM_PREFIX_PAIRS = [
-  ["REMNIC_", "ENGRAM_"],
-  ["ENGRAM_", "REMNIC_"]
-];
-function getEnvMap() {
-  const runtimeProcess = globalThis.process;
-  return runtimeProcess?.["env"];
-}
-function legacyEnvCandidates(name) {
-  const candidates = [name];
-  for (const [primary, legacy] of REMNIC_ENGRAM_PREFIX_PAIRS) {
-    if (name.startsWith(primary)) {
-      candidates.push(`${legacy}${name.slice(primary.length)}`);
-    }
-  }
-  return candidates;
-}
-function readEnvVar(name) {
-  const env = getEnvMap();
-  for (const candidate of legacyEnvCandidates(name)) {
-    const value = env?.[candidate];
-    if (typeof value === "string") return value;
-  }
-  return void 0;
-}
-function resolveHomeDir() {
-  return readEnvVar("HOME") || os.homedir();
-}
-function cloneEnv() {
-  return { ...getEnvMap() ?? {} };
-}
-function mergeEnv(overrides) {
-  const merged = cloneEnv();
-  for (const [key, value] of Object.entries(overrides)) {
-    if (typeof value === "string") merged[key] = value;
-    else delete merged[key];
-  }
-  return merged;
-}
-
 // ../remnic-core/src/resolve-provider-secret.ts
 import path from "path";
-import os2 from "os";
+import os from "os";
 var _resolveApiKeyForProvider = null;
 var _getRuntimeAuthForModel = null;
 var _resolverLoaded = false;
@@ -126,6 +87,9 @@ async function getGatewayResolver() {
   return null;
 }
 async function findRuntimeModules() {
+  return findGatewayRuntimeModules("runtime-model-auth.runtime-");
+}
+async function findGatewayRuntimeModules(filePrefix) {
   const { accessSync, constants, readdirSync, realpathSync, statSync } = await import("fs");
   const { createRequire } = await import("module");
   const candidates = [];
@@ -169,7 +133,7 @@ async function findRuntimeModules() {
     try {
       const files = readdirSync(dir);
       for (const f of files) {
-        if (f.startsWith("runtime-model-auth.runtime-") && f.endsWith(".js")) {
+        if (f.startsWith(filePrefix) && f.endsWith(".js")) {
           candidates.push(path.join(dir, f));
         }
       }
@@ -200,7 +164,7 @@ function findExecutableOnPath(executableName, access, stat, executableMode) {
 }
 async function resolveProviderApiKey(providerId, apiKeyValue, gatewayConfig, agentDir) {
   const resolvedAgentDir = path.resolve(
-    agentDir ?? path.join(os2.homedir(), ".openclaw", "agents", "main", "agent")
+    agentDir ?? path.join(os.homedir(), ".openclaw", "agents", "main", "agent")
   );
   const cacheKey = `provider:${providerId}:agentDir:${resolvedAgentDir}`;
   if (resolvedCache.has(cacheKey)) {
@@ -730,10 +694,8 @@ function extractResponsesOutputText(data) {
 }
 
 export {
-  readEnvVar,
-  resolveHomeDir,
-  mergeEnv,
   shouldAssumeOpenAiChatCompletions,
   buildChatCompletionTokenLimit,
+  findGatewayRuntimeModules,
   FallbackLlmClient
 };

package/dist/chunk-SSFTU6LP.js

@@ -0,0 +1,182 @@
+import {
+  getKey,
+  readHeader,
+  secureStoreDir
+} from "./chunk-CXM7EBAO.js";
+import {
+  open,
+  seal
+} from "./chunk-YGGGUTG3.js";
+
+// ../remnic-core/src/transfer/capsule-crypto.ts
+import { open as openFileHandle, readFile, writeFile } from "fs/promises";
+import path from "path";
+var MAGIC = Buffer.from("REMNIC-ENC\0", "ascii");
+var FORMAT_VERSION = 2;
+var MIN_ENC_SIZE_V1 = MAGIC.length + 1 + 45;
+var MIN_ENC_SIZE = MAGIC.length + 1 + 2;
+async function isEncryptedCapsuleFile(filePath) {
+  if (!filePath.endsWith(".enc")) return false;
+  let fh = null;
+  try {
+    fh = await openFileHandle(filePath, "r");
+    const buf = Buffer.allocUnsafe(MAGIC.length);
+    const { bytesRead } = await fh.read(buf, 0, MAGIC.length, 0);
+    if (bytesRead < MAGIC.length) return false;
+    return buf.equals(MAGIC);
+  } catch {
+    return false;
+  } finally {
+    if (fh !== null) {
+      await fh.close().catch(() => void 0);
+    }
+  }
+}
+async function encryptCapsuleFile(opts) {
+  const encPath = opts.outPath ?? `${opts.sourceGzPath}.enc`;
+  const key = getKeyOrThrow(opts.memoryDir, "encrypt capsule");
+  const plaintext = await readFile(opts.sourceGzPath);
+  const basename = path.basename(encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  const kdfSection = await loadKdfSection(opts.memoryDir);
+  const envelope = seal(key, kdfSection.salt, plaintext, { aad });
+  const versionBuf = Buffer.alloc(1);
+  versionBuf.writeUInt8(FORMAT_VERSION, 0);
+  const kdfJsonBuf = Buffer.from(kdfSection.json, "utf-8");
+  const kdfLenBuf = Buffer.alloc(2);
+  kdfLenBuf.writeUInt16LE(kdfJsonBuf.length, 0);
+  const output = Buffer.concat([MAGIC, versionBuf, kdfLenBuf, kdfJsonBuf, envelope]);
+  await writeFile(encPath, output);
+  return { encPath };
+}
+async function decryptCapsuleFile(opts) {
+  const gzPath = opts.outPath ?? opts.encPath.replace(/\.enc$/, "");
+  const buf = await readFile(opts.encPath);
+  if (buf.length < MIN_ENC_SIZE_V1) {
+    throw new Error(
+      `decryptCapsuleFile: file too short to be an encrypted capsule: ${opts.encPath}`
+    );
+  }
+  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {
+    throw new Error(
+      `decryptCapsuleFile: file does not start with REMNIC-ENC magic: ${opts.encPath}`
+    );
+  }
+  const version = buf.readUInt8(MAGIC.length);
+  if (version !== 1 && version !== 2) {
+    throw new Error(
+      `decryptCapsuleFile: unsupported encrypted-capsule format version ${version} (this build supports versions 1 and 2): ${opts.encPath}`
+    );
+  }
+  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, opts.memoryDir, "decryptCapsuleFile", opts.encPath);
+  const envelope = buf.subarray(envelopeOffset);
+  const basename = path.basename(opts.encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  let plaintext;
+  try {
+    plaintext = open(key, envelope, { aad });
+  } catch (cause) {
+    throw new Error(
+      `decryptCapsuleFile: authentication failed \u2014 wrong passphrase, tampered archive, or key mismatch. Ensure the secure-store is unlocked with the correct passphrase and the archive has not been modified: ${opts.encPath}`,
+      { cause }
+    );
+  }
+  await writeFile(gzPath, plaintext);
+  return { gzPath };
+}
+async function decryptCapsuleFileInMemory(encPath, memoryDir) {
+  const buf = await readFile(encPath);
+  if (buf.length < MIN_ENC_SIZE_V1) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: file too short to be an encrypted capsule: ${encPath}`
+    );
+  }
+  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: file does not start with REMNIC-ENC magic: ${encPath}`
+    );
+  }
+  const version = buf.readUInt8(MAGIC.length);
+  if (version !== 1 && version !== 2) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: unsupported encrypted-capsule format version ${version} (this build supports versions 1 and 2): ${encPath}`
+    );
+  }
+  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, memoryDir, "decryptCapsuleFileInMemory", encPath);
+  const envelope = buf.subarray(envelopeOffset);
+  const basename = path.basename(encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  try {
+    return open(key, envelope, { aad });
+  } catch (cause) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: authentication failed \u2014 wrong passphrase, tampered archive, or key mismatch. Ensure the secure-store is unlocked with the correct passphrase and the archive has not been modified: ${encPath}`,
+      { cause }
+    );
+  }
+}
+async function loadKdfSection(memoryDir) {
+  try {
+    const header = await readHeader(memoryDir);
+    if (header !== null) {
+      const { decodeMetadataSalt } = await import("./metadata-JAGIWHEA.js");
+      const salt2 = decodeMetadataSalt(header.metadata);
+      const kdf = header.metadata.kdf;
+      const json2 = JSON.stringify({
+        algorithm: kdf.algorithm,
+        params: kdf.params,
+        salt: salt2.toString("hex")
+      });
+      return { json: json2, salt: salt2 };
+    }
+  } catch {
+  }
+  const { generateSalt } = await import("./cipher-VHAFCG7Z.js");
+  const salt = generateSalt();
+  const { DEFAULT_ARGON2ID_PARAMS } = await import("./kdf-H5B23ZM2.js");
+  const json = JSON.stringify({
+    algorithm: "argon2id",
+    params: DEFAULT_ARGON2ID_PARAMS,
+    salt: salt.toString("hex")
+  });
+  return { json, salt };
+}
+function getKeyOrThrow(memoryDir, action) {
+  const storeId = secureStoreDir(memoryDir);
+  const key = getKey(storeId);
+  if (key === null) {
+    throw new Error(
+      `Secure-store is locked or not initialized \u2014 cannot ${action}. Run \`remnic secure-store unlock\` first, or \`remnic secure-store init\` if the store has never been initialized.`
+    );
+  }
+  return key;
+}
+function resolveKeyAndOffset(buf, version, memoryDir, caller, encPath) {
+  if (version === 1) {
+    const key2 = getKeyOrThrow(memoryDir, "decrypt capsule");
+    return { key: key2, envelopeOffset: MAGIC.length + 1 };
+  }
+  const kdfLenOffset = MAGIC.length + 1;
+  if (buf.length < kdfLenOffset + 2) {
+    throw new Error(
+      `${caller}: file too short for format v2 KDF length field: ${encPath}`
+    );
+  }
+  const kdfLen = buf.readUInt16LE(kdfLenOffset);
+  const kdfJsonOffset = kdfLenOffset + 2;
+  if (buf.length < kdfJsonOffset + kdfLen) {
+    throw new Error(
+      `${caller}: file too short for format v2 KDF params section (expected ${kdfLen} bytes): ${encPath}`
+    );
+  }
+  const envelopeOffset = kdfJsonOffset + kdfLen;
+  const key = getKeyOrThrow(memoryDir, "decrypt capsule");
+  return { key, envelopeOffset };
+}
+
+export {
+  isEncryptedCapsuleFile,
+  encryptCapsuleFile,
+  decryptCapsuleFile,
+  decryptCapsuleFileInMemory
+};

package/dist/{chunk-BXTMZDRT.js → chunk-SVSQAG6M.js}

@@ -1,12 +1,14 @@
 import {
-  assertIsoRecordedAt,
-  assertString,
   countRecallTokenOverlap,
-  isRecord,
   normalizeRecallTokens,
-  recordStoreDay,
   topicOverlapScore
-} from "./chunk-YHH3SXKD.js";
+} from "./chunk-WPINX4MF.js";
+import {
+  assertIsoRecordedAt,
+  assertString,
+  isRecord,
+  recordStoreDay
+} from "./chunk-3G7FAF6S.js";
 import {
   listJsonFiles,
   readJsonFile