@tokenbuddy/tokenbuddy 1.0.26 → 1.0.27

package/src/init-clawtip-activation.ts

@@ -88,6 +88,11 @@ export interface StartClawtipWalletBootstrapOptions {
   runClawtipCommand?: (args: string[]) => Promise<string>;
 }
 
+export interface ClawtipProofProviderPayload {
+  paymentInstructions?: unknown;
+  quote?: unknown;
+}
+
 /**
  * `checkOpenClawRuntime()` 的可注入依赖。
  */
@@ -301,7 +306,13 @@ function findClawtipFailureMessage(output: string): string | undefined {
     if (trimmed.includes("商家信息有误")
       || trimmed.includes("商户信息有误")
       || trimmed.includes("支付失败")
-      || trimmed.includes("下单失败")) {
+      || trimmed.includes("下单失败")
+      || trimmed.includes("收付款方账户不能相同")) {
+      return sanitizeClawtipOutput(trimmed);
+    }
+    const returnedMessage = trimmed.match(/^返回消息[:：]\s*(.+)$/);
+    const returnedText = returnedMessage?.[1]?.trim();
+    if (returnedText && !returnedText.includes("成功")) {
       return sanitizeClawtipOutput(trimmed);
     }
   }
@@ -431,6 +442,71 @@ export function readClawtipPayCredential(orderFile: string): string | undefined
   return typeof credential === "string" && credential.trim() ? credential : undefined;
 }
 
+function asRecord(value: unknown): Record<string, unknown> | undefined {
+  return value && typeof value === "object" && !Array.isArray(value)
+    ? value as Record<string, unknown>
+    : undefined;
+}
+
+function stringField(source: Record<string, unknown>, key: string): string | undefined {
+  const value = source[key];
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+
+function numberField(source: Record<string, unknown>, key: string): number | undefined {
+  const value = source[key];
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
+
+function findClawtipPayment(payload: ClawtipProofProviderPayload): ClawtipBootstrapPayment | undefined {
+  const instructions = asRecord(payload.paymentInstructions);
+  const direct = asRecord(instructions?.clawtip);
+  const option = Array.isArray(instructions?.options)
+    ? instructions.options
+      .map(asRecord)
+      .find((entry) => entry?.method === "clawtip" && asRecord(entry.clawtip))
+    : undefined;
+  const clawtip = direct || asRecord(option?.clawtip);
+  if (!clawtip) {
+    return undefined;
+  }
+
+  const orderNo = stringField(clawtip, "orderNo") || stringField(clawtip, "order_no");
+  const indicator = stringField(clawtip, "indicator");
+  const amountFen = numberField(clawtip, "amountFen") ?? numberField(clawtip, "amount");
+  if (!orderNo || !indicator || amountFen === undefined) {
+    return undefined;
+  }
+
+  return {
+    orderNo,
+    indicator,
+    amountFen,
+    payTo: stringField(clawtip, "payTo") || stringField(clawtip, "pay_to"),
+    encryptedData: stringField(clawtip, "encryptedData") || stringField(clawtip, "encrypted_data"),
+    slug: stringField(clawtip, "slug"),
+    skillId: stringField(clawtip, "skillId") || stringField(clawtip, "skill-id"),
+    description: stringField(clawtip, "description"),
+    resourceUrl: stringField(clawtip, "resourceUrl") || stringField(clawtip, "resource_url"),
+  };
+}
+
+export async function createClawtipPaymentProof(
+  payload: ClawtipProofProviderPayload,
+  options: StartClawtipWalletBootstrapOptions = {},
+): Promise<string> {
+  const payment = findClawtipPayment(payload);
+  if (!payment) {
+    throw new Error("ClawTip proof payload is missing paymentInstructions.clawtip order data");
+  }
+
+  const result = await startClawtipWalletBootstrap(payment, options);
+  if (!result.payCredential) {
+    throw new Error(`ClawTip pay did not write payCredential to the order file: ${result.orderFile}`);
+  }
+  return result.payCredential;
+}
+
 /**
  * 把 ClawTip 引导支付所需的所有字段写成本地 order JSON：
  * `~/.openclaw/skills/orders/<indicator>/<orderNo>.json`。

package/src/package-update.ts

@@ -0,0 +1,313 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { execFileSync, spawn } from "child_process";
+import { fileURLToPath } from "url";
+
+export const TOKENBUDDY_LAUNCHD_LABEL = "com.tokenbuddy.proxyd";
+const DEFAULT_PACKAGE_NAME = "tokenbuddy";
+
+export interface InstalledPackageManifest {
+  name: string;
+  version: string;
+}
+
+export interface PackageUpdateCheck {
+  packageName: string;
+  currentVersion: string;
+  latestVersion: string;
+  updateAvailable: boolean;
+  registryUrl: string;
+  installCommand: string;
+}
+
+export interface PackageInstallResult {
+  attempted: boolean;
+  succeeded: boolean;
+  command: string;
+  args: string[];
+  error?: string;
+}
+
+export interface PackageRestartResult {
+  attempted: boolean;
+  restarted: boolean;
+  method: "launchd";
+  scheduled?: boolean;
+  plistPath?: string;
+  target?: string;
+  error?: string;
+}
+
+export interface PackageUpdateResult {
+  check: PackageUpdateCheck;
+  install: PackageInstallResult;
+  restart: PackageRestartResult;
+}
+
+export interface CheckPackageUpdateDeps {
+  fetch?: typeof fetch;
+  env?: NodeJS.ProcessEnv;
+  argv?: string[];
+  cwd?: string;
+}
+
+export interface RunPackageUpdateDeps extends CheckPackageUpdateDeps {
+  npmCommand?: string;
+  runNpmInstall?: (command: string, args: string[]) => void;
+  restartProxyd?: (controlPort: number) => Promise<PackageRestartResult>;
+}
+
+export interface RunPackageUpdateOptions {
+  apply: boolean;
+  controlPort: number;
+}
+
+interface RegistryDocument {
+  "dist-tags"?: {
+    latest?: unknown;
+  };
+}
+
+function currentModuleDir(): string {
+  if (typeof __dirname !== "undefined") {
+    return __dirname;
+  }
+
+  const stack = new Error().stack || "";
+  const fileUrlMatch = stack.match(/(file:\/\/\/[^)\n]+\/package-update\.js):\d+:\d+/);
+  if (fileUrlMatch) {
+    return path.dirname(fileURLToPath(fileUrlMatch[1]));
+  }
+
+  const filePathMatch = stack.match(/(\/[^)\n]+\/package-update\.(?:js|ts)):\d+:\d+/);
+  if (filePathMatch) {
+    return path.dirname(filePathMatch[1]);
+  }
+
+  return process.cwd();
+}
+
+function candidatePackageRoots(argv: string[] = process.argv, cwd = process.cwd()): string[] {
+  return [
+    argv[1],
+    path.join(cwd, "packages", "tokenbuddy-cli"),
+    path.resolve(currentModuleDir(), ".."),
+    cwd,
+  ].filter((candidate): candidate is string => Boolean(candidate));
+}
+
+export function readInstalledPackageManifest(
+  argv: string[] = process.argv,
+  cwd = process.cwd(),
+): InstalledPackageManifest {
+  const seen = new Set<string>();
+  for (const candidateRoot of candidatePackageRoots(argv, cwd)) {
+    let current = fs.existsSync(candidateRoot) ? fs.realpathSync(candidateRoot) : candidateRoot;
+    if (!fs.existsSync(current)) continue;
+    if (!fs.statSync(current).isDirectory()) {
+      current = path.dirname(current);
+    }
+    while (!seen.has(current)) {
+      seen.add(current);
+      const packageJsonPath = path.join(current, "package.json");
+      if (fs.existsSync(packageJsonPath)) {
+        const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8")) as { name?: unknown; version?: unknown };
+        if (typeof packageJson.version === "string" && packageJson.version.length > 0) {
+          const name = typeof packageJson.name === "string" && packageJson.name.length > 0
+            ? packageJson.name
+            : DEFAULT_PACKAGE_NAME;
+          if (name === DEFAULT_PACKAGE_NAME || name === "@tokenbuddy/tokenbuddy") {
+            return { name, version: packageJson.version };
+          }
+        }
+      }
+      const parent = path.dirname(current);
+      if (parent === current) break;
+      current = parent;
+    }
+  }
+  return { name: DEFAULT_PACKAGE_NAME, version: "0.0.0" };
+}
+
+function registryUrl(packageName: string): string {
+  return `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+}
+
+function packageNameForUpdate(manifest: InstalledPackageManifest, env: NodeJS.ProcessEnv = process.env): string {
+  const override = env.TOKENBUDDY_UPDATE_PACKAGE_NAME?.trim();
+  if (override) {
+    return override;
+  }
+  return manifest.name === "@tokenbuddy/tokenbuddy"
+    ? DEFAULT_PACKAGE_NAME
+    : manifest.name || DEFAULT_PACKAGE_NAME;
+}
+
+function parseSemver(value: string): [number, number, number] | null {
+  const match = value.trim().match(/^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/);
+  if (!match) {
+    return null;
+  }
+  return [Number(match[1]), Number(match[2]), Number(match[3])];
+}
+
+function isVersionGreater(left: string, right: string): boolean {
+  const parsedLeft = parseSemver(left);
+  const parsedRight = parseSemver(right);
+  if (!parsedLeft || !parsedRight) {
+    return left !== right;
+  }
+  for (let index = 0; index < parsedLeft.length; index += 1) {
+    if (parsedLeft[index] > parsedRight[index]) return true;
+    if (parsedLeft[index] < parsedRight[index]) return false;
+  }
+  return false;
+}
+
+export async function checkPackageUpdate(deps: CheckPackageUpdateDeps = {}): Promise<PackageUpdateCheck> {
+  const env = deps.env ?? process.env;
+  const manifest = readInstalledPackageManifest(deps.argv, deps.cwd);
+  const packageName = packageNameForUpdate(manifest, env);
+  const url = registryUrl(packageName);
+  const fetchImpl = deps.fetch ?? fetch;
+  const res = await fetchImpl(url);
+  if (!res.ok) {
+    throw new Error(`npm registry returned HTTP ${res.status} for ${packageName}`);
+  }
+  const registry = await res.json() as RegistryDocument;
+  const latestVersion = registry["dist-tags"]?.latest;
+  if (typeof latestVersion !== "string" || latestVersion.length === 0) {
+    throw new Error(`npm registry response for ${packageName} is missing dist-tags.latest`);
+  }
+  const installCommand = `npm install -g ${packageName}@${latestVersion}`;
+  return {
+    packageName,
+    currentVersion: manifest.version,
+    latestVersion,
+    updateAvailable: isVersionGreater(latestVersion, manifest.version),
+    registryUrl: url,
+    installCommand,
+  };
+}
+
+function npmCommand(env: NodeJS.ProcessEnv, override?: string): string {
+  return override || env.TOKENBUDDY_UPDATE_NPM_COMMAND || "npm";
+}
+
+function defaultRunNpmInstall(command: string, args: string[]): void {
+  execFileSync(command, args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    maxBuffer: 8 * 1024 * 1024,
+  });
+}
+
+function commandErrorMessage(error: unknown): string {
+  const withOutput = error as { message?: string; stderr?: Buffer; stdout?: Buffer };
+  const stderr = withOutput.stderr?.toString("utf8").trim();
+  const stdout = withOutput.stdout?.toString("utf8").trim();
+  return stderr || stdout || (error instanceof Error ? error.message : String(error));
+}
+
+export async function runPackageUpdate(
+  options: RunPackageUpdateOptions,
+  deps: RunPackageUpdateDeps = {},
+): Promise<PackageUpdateResult> {
+  const check = await checkPackageUpdate(deps);
+  const command = npmCommand(deps.env ?? process.env, deps.npmCommand);
+  const args = ["install", "-g", `${check.packageName}@${check.latestVersion}`];
+  const install: PackageInstallResult = {
+    attempted: false,
+    succeeded: false,
+    command,
+    args,
+  };
+  const restart: PackageRestartResult = {
+    attempted: false,
+    restarted: false,
+    method: "launchd",
+  };
+
+  if (!options.apply || !check.updateAvailable) {
+    return {
+      check,
+      install,
+      restart,
+    };
+  }
+
+  install.attempted = true;
+  try {
+    (deps.runNpmInstall ?? defaultRunNpmInstall)(command, args);
+    install.succeeded = true;
+  } catch (error: unknown) {
+    install.error = commandErrorMessage(error);
+    return { check, install, restart };
+  }
+
+  if (!deps.restartProxyd) {
+    restart.error = "tb-proxyd restart runner is not configured";
+    return { check, install, restart };
+  }
+
+  return {
+    check,
+    install,
+    restart: await deps.restartProxyd(options.controlPort),
+  };
+}
+
+function launchdUserDomain(): string {
+  if (typeof process.getuid === "function") {
+    return `gui/${process.getuid()}`;
+  }
+  return "gui/501";
+}
+
+function launchdServiceTarget(label: string): string {
+  return `${launchdUserDomain()}/${label}`;
+}
+
+export function scheduleLaunchAgentRestart(
+  deps: {
+    platform?: NodeJS.Platform;
+    homeDir?: string;
+    existsSync?: (filePath: string) => boolean;
+    spawn?: typeof spawn;
+  } = {},
+): PackageRestartResult {
+  const platform = deps.platform ?? process.platform;
+  const homeDir = deps.homeDir ?? os.homedir();
+  const plistPath = path.join(homeDir, "Library", "LaunchAgents", `${TOKENBUDDY_LAUNCHD_LABEL}.plist`);
+  const base = {
+    attempted: false,
+    restarted: false,
+    method: "launchd" as const,
+    plistPath,
+  };
+  if (platform !== "darwin") {
+    return {
+      ...base,
+      error: "tb-proxyd restart is only supported for the macOS LaunchAgent service.",
+    };
+  }
+  if (!(deps.existsSync ?? fs.existsSync)(plistPath)) {
+    return {
+      ...base,
+      error: "LaunchAgent plist is missing. Run `tb init` to install tb-proxyd as a service first.",
+    };
+  }
+
+  const target = launchdServiceTarget(TOKENBUDDY_LAUNCHD_LABEL);
+  const child = (deps.spawn ?? spawn)("sh", ["-c", `sleep 0.35; launchctl kickstart -k ${target}`], {
+    detached: true,
+    stdio: "ignore",
+  });
+  child.unref();
+  return {
+    ...base,
+    attempted: true,
+    scheduled: true,
+    target,
+  };
+}

package/src/registry-trust.ts

@@ -0,0 +1,51 @@
+import * as crypto from "crypto";
+
+export const DEFAULT_SELLER_REGISTRY_URL = "https://registry.tokenbuddy.ai/v1/registry.json";
+export const DEFAULT_SELLER_REGISTRY_SIGNATURE_URL = "https://registry.tokenbuddy.ai/v1/registry.sig";
+
+const TRUSTED_REGISTRY_KEYS: Record<string, string> = {
+  "registry-ed25519-2026-06": "MCowBQYDK2VwAyEAcPWdwqqycIHmhSBWmt+HgFgQEMNFJv2uEEcpxPzwgb0="
+};
+
+export function signatureUrlForRegistryUrl(registryUrl: string): string {
+  if (registryUrl === DEFAULT_SELLER_REGISTRY_URL) {
+    return DEFAULT_SELLER_REGISTRY_SIGNATURE_URL;
+  }
+  return registryUrl.replace(/\.json(?:\?.*)?$/, ".sig");
+}
+
+export function shouldVerifyRegistry(registryUrl: string): boolean {
+  if (process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY === "1") {
+    return false;
+  }
+  return registryUrl === DEFAULT_SELLER_REGISTRY_URL || process.env.TB_PROXYD_REQUIRE_SIGNED_REGISTRY === "1";
+}
+
+export function verifyTrustedRegistrySignature(registryBytes: string, signatureText: string): string {
+  return verifyRegistrySignatureWithKeys(registryBytes, signatureText, TRUSTED_REGISTRY_KEYS);
+}
+
+export function verifyRegistrySignatureWithKeys(
+  registryBytes: string,
+  signatureText: string,
+  trustedKeys: Record<string, string>
+): string {
+  const signature = signatureText.trim();
+  for (const [keyId, publicKeyDerBase64] of Object.entries(trustedKeys)) {
+    const publicKey = crypto.createPublicKey({
+      key: Buffer.from(publicKeyDerBase64, "base64"),
+      format: "der",
+      type: "spki"
+    });
+    const ok = crypto.verify(
+      null,
+      Buffer.from(registryBytes, "utf8"),
+      publicKey,
+      Buffer.from(signature, "base64url")
+    );
+    if (ok) {
+      return keyId;
+    }
+  }
+  throw new Error("registry signature verification failed");
+}

package/src/route-failover.ts

@@ -30,7 +30,7 @@ export interface FailoverDecision {
   wastedCreditMicros?: number;
   /** 失败发生在 fresh-purchase 窗口内（刚买不到 N 秒），用于触发软重试保护 */
   freshPurchase: boolean;
-  /** 在切走这个 seller 之前已经尝试的次数（含本次失败） */
+  /** 在切走这个 seller 之前的最后一次尝试索引（0-based，含本次失败） */
   retryAttemptsBeforeFailover: number;
   /** 当次会话是否已超出 auto-purchase 预算；true 时不再触发新一轮 buy */
   budgetExceeded: boolean;
@@ -66,7 +66,7 @@ export interface DecideContext {
   errorKind: FailureKind;
   /** 人类可读错误描述（不携带敏感字段），用于日志/doctor */
   errorMessage?: string;
-  /** 当前是该 seller 的第几次尝试（1-based） */
+  /** 当前是该 seller 的第几次尝试（0-based；日志里同名字段保持该语义） */
   attempt: number;
 }
 
@@ -170,6 +170,7 @@ export class RouteFailover {
     const isHard = context.errorKind === "hard_4xx" || context.errorKind === "auth_invalid" || context.errorKind === "no_compatible";
     const isSoft = context.errorKind === "soft_5xx" || context.errorKind === "deadline";
     const isBusyCapacity = context.errorKind === "busy_capacity";
+    const isPurchaseFailure = context.errorKind === "purchase_failed";
     const info = this.pool.inspect(context.sellerId);
     const freshPurchase = info.freshPurchase;
     const budgetExceeded = !this.creditTracker.canAutoPurchase(this.now());
@@ -190,6 +191,17 @@ export class RouteFailover {
       };
     }
 
+    if (isPurchaseFailure) {
+      return {
+        action: "failover_next",
+        reason: "purchase_failed",
+        wastedCreditMicros: this.creditTracker.getEntry(context.sellerId)?.currentBalanceMicros,
+        freshPurchase,
+        retryAttemptsBeforeFailover: context.attempt,
+        budgetExceeded
+      };
+    }
+
     if (isHard) {
       // Hard failures are not eligible for retry; the seller is wrong
       // for this request. The pool has already transferred leftover

package/src/seller-catalog.ts

@@ -1,4 +1,10 @@
 import { createModuleLogger } from "@tokenbuddy/logging";
+import * as crypto from "crypto";
+import {
+  shouldVerifyRegistry,
+  signatureUrlForRegistryUrl,
+  verifyTrustedRegistrySignature
+} from "./registry-trust.js";
 
 const logger = createModuleLogger("tb-proxyd");
 
@@ -46,6 +52,21 @@ export interface SellerRegistryDocument {
   sellers: RegistrySeller[];
 }
 
+export interface SellerRegistryTrustMetadata {
+  registryUrl: string;
+  registrySha256: string;
+  verified: boolean;
+  signatureUrl?: string;
+  signature?: string;
+  signingKeyId?: string;
+}
+
+export interface FetchedSellerRegistry {
+  registry: SellerRegistryDocument;
+  registryJson: string;
+  trust: SellerRegistryTrustMetadata;
+}
+
 /**
  * Buyer 自动路由 / 模型目录可见性门禁。
  * 新 registry 会显式写 `status`，只有 `active` 参与 buyer 可见路径；
@@ -174,10 +195,16 @@ export interface SellerCatalogResult {
   version: number;
   /** 默认 seller ID（来自 registry） */
   defaultSeller?: string;
+  /** fetched registry document */
+  registry?: SellerRegistryDocument;
+  /** fetched registry bytes used for hashing/signature verification */
+  registryJson?: string;
   /** 模型目录条目列表（去重后） */
   models: ModelCatalogEntry[];
   /** seller 元信息列表（拉取 manifest 后的快照） */
   sellers: SellerCatalogEntry[];
+  /** registry trust metadata for the fetched registry document */
+  registryTrust?: SellerRegistryTrustMetadata;
 }
 
 /**
@@ -270,6 +297,10 @@ export class RegistryTooLargeError extends Error {
  * @throws RegistryTooLargeError / Error
  */
 export async function fetchSellerRegistry(registryUrl: string): Promise<SellerRegistryDocument> {
+  return (await fetchSellerRegistryWithTrust(registryUrl)).registry;
+}
+
+export async function fetchSellerRegistryWithTrust(registryUrl: string): Promise<FetchedSellerRegistry> {
   const response = await fetch(registryUrl);
   if (response.status === 413) {
     // v1.2 §18.9: parse the structured 413 body so the caller can
@@ -292,11 +323,39 @@ export async function fetchSellerRegistry(registryUrl: string): Promise<SellerRe
   if (!response.ok) {
     throw new Error(`registry returned ${response.status}`);
   }
-  const data = await response.json() as SellerRegistryDocument;
+  const text = await response.text();
+  const trust: SellerRegistryTrustMetadata = {
+    registryUrl,
+    registrySha256: crypto.createHash("sha256").update(text).digest("hex"),
+    verified: false
+  };
+  if (shouldVerifyRegistry(registryUrl)) {
+    const signatureUrl = signatureUrlForRegistryUrl(registryUrl);
+    const signatureResponse = await fetch(signatureUrl);
+    if (!signatureResponse.ok) {
+      logger.warn("registry.signature.invalid", "registry signature fetch failed", {
+        registryUrl,
+        signatureUrl,
+        status: signatureResponse.status
+      });
+      throw new Error(`registry signature returned ${signatureResponse.status}`);
+    }
+    const signature = (await signatureResponse.text()).trim();
+    const signingKeyId = verifyTrustedRegistrySignature(text, signature);
+    trust.verified = true;
+    trust.signatureUrl = signatureUrl;
+    trust.signature = signature;
+    trust.signingKeyId = signingKeyId;
+    logger.info("registry.signature.verified", "registry signature verified", {
+      registryUrl,
+      signingKeyId
+    });
+  }
+  const data = JSON.parse(text) as SellerRegistryDocument;
   if (!data || !Array.isArray(data.sellers)) {
     throw new Error("registry response missing sellers");
   }
-  return data;
+  return { registry: data, registryJson: text, trust };
 }
 
 /**
@@ -325,7 +384,8 @@ export async function fetchSellerManifest(seller: RegistrySeller): Promise<Selle
  * @returns 聚合后的目录
  */
 export async function discoverSellerBackedModels(registryUrl: string): Promise<SellerCatalogResult> {
-  const registry = await fetchSellerRegistry(registryUrl);
+  const fetched = await fetchSellerRegistryWithTrust(registryUrl);
+  const registry = fetched.registry;
   const visibleSellers = registry.sellers.filter(isBuyerVisibleRegistrySeller);
   const sellerResults = await Promise.all(visibleSellers.map(async (seller) => {
     try {
@@ -380,8 +440,11 @@ export async function discoverSellerBackedModels(registryUrl: string): Promise<S
     registryUrl,
     version: registry.version,
     defaultSeller: registry.defaultSeller,
+    registry,
+    registryJson: fetched.registryJson,
     models: sellerResults.flatMap((entry) => entry.models),
-    sellers: sellerResults.map((entry) => entry.seller)
+    sellers: sellerResults.map((entry) => entry.seller),
+    registryTrust: fetched.trust
   };
 }