@useorgx/openclaw-plugin 0.4.8 → 0.7.0

package/dist/artifacts/register-artifact.js

@@ -1,8 +1,25 @@
 import { randomUUID } from "node:crypto";
+import { stableHash } from "../hash-utils.js";
+import { validateArtifactMetadata, normalizeArtifactType, } from "./artifact-domain-schemas.js";
+const ALLOWED_ENTITY_TYPES = new Set([
+    "initiative",
+    "workstream",
+    "milestone",
+    "task",
+    "decision",
+    "project",
+]);
 const MAX_PREVIEW_MARKDOWN = 25_000;
 function normalizeText(value) {
     return typeof value === "string" ? value.trim() : "";
 }
+function normalizeConfidenceScore(value) {
+    if (typeof value !== "number" || !Number.isFinite(value))
+        return null;
+    if (value < 0 || value > 1)
+        return null;
+    return value;
+}
 function isUuid(value) {
     return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value);
 }
@@ -28,6 +45,9 @@ export function validateRegisterArtifactInput(input) {
     const entityType = normalizeText(input.entity_type);
     if (!entityType)
         errors.push("entity_type is required");
+    else if (!ALLOWED_ENTITY_TYPES.has(entityType)) {
+        errors.push("entity_type must be one of: initiative, workstream, milestone, task, decision, project");
+    }
     const entityId = normalizeText(input.entity_id);
     if (!entityId)
         errors.push("entity_id is required");
@@ -39,6 +59,10 @@ export function validateRegisterArtifactInput(input) {
     const artifactType = normalizeText(input.artifact_type);
     if (!artifactType)
         errors.push("artifact_type is required");
+    if (typeof input.confidence_score !== "undefined" &&
+        normalizeConfidenceScore(input.confidence_score) == null) {
+        errors.push("confidence_score must be a number between 0 and 1 when provided");
+    }
     const createdByType = normalizeText(input.created_by_type);
     if (createdByType && createdByType !== "human" && createdByType !== "agent") {
         errors.push("created_by_type must be 'human' or 'agent' when provided");
@@ -60,6 +84,44 @@ function isArtifactTypeConstraintError(err) {
     return (msg.includes("artifact_type") &&
         (msg.includes("constraint") || msg.includes("foreign") || msg.includes("violat")));
 }
+function isRecord(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function extractArtifactFromCreateResponse(payload) {
+    if (!isRecord(payload))
+        return null;
+    if (isRecord(payload.artifact))
+        return payload.artifact;
+    if (isRecord(payload.data) && isRecord(payload.data.artifact)) {
+        return payload.data.artifact;
+    }
+    if (isRecord(payload.data))
+        return payload.data;
+    return null;
+}
+function extractArtifactFromDetailResponse(payload) {
+    if (!isRecord(payload))
+        return null;
+    if (isRecord(payload.artifact))
+        return payload.artifact;
+    if (isRecord(payload.data) && isRecord(payload.data.artifact)) {
+        return payload.data.artifact;
+    }
+    if (isRecord(payload.data))
+        return payload.data;
+    return null;
+}
+function extractArtifactsFromListResponse(payload) {
+    if (!isRecord(payload))
+        return [];
+    const direct = payload.artifacts;
+    if (Array.isArray(direct))
+        return direct.filter(isRecord);
+    if (isRecord(payload.data) && Array.isArray(payload.data.artifacts)) {
+        return payload.data.artifacts.filter(isRecord);
+    }
+    return [];
+}
 function normalizeBaseUrl(baseUrl) {
     return baseUrl.replace(/\/+$/, "");
 }
@@ -67,18 +129,20 @@ async function sleep(ms) {
     await new Promise((r) => setTimeout(r, ms));
 }
 async function validateArtifactPersistence(client, input) {
-    // Use API-key compatible entity CRUD endpoints for validation.
-    // The web UI endpoints (/api/artifacts/*, /api/work-artifacts/*) are session-authenticated (401 for API keys).
-    const detail = await client.rawRequest("GET", `/api/entities?type=artifact&id=${encodeURIComponent(input.artifactId)}`);
-    const rows = detail && typeof detail === "object" ? detail.data : null;
-    const artifact = Array.isArray(rows) ? rows.find((r) => r && typeof r === "object" && r.id === input.artifactId) : null;
-    const artifactOk = artifact && typeof artifact === "object" && typeof artifact.id === "string" && artifact.id === input.artifactId;
-    const linkedOk = artifactOk &&
-        typeof artifact.entity_type === "string" &&
-        typeof artifact.entity_id === "string" &&
-        artifact.entity_type === input.entity_type &&
-        artifact.entity_id === input.entity_id;
-    return { artifact_detail_ok: Boolean(artifactOk), linked_ok: Boolean(linkedOk) };
+    const detail = await client.rawRequest("GET", `/api/client/artifacts/${encodeURIComponent(input.artifactId)}`);
+    const detailArtifact = extractArtifactFromDetailResponse(detail);
+    const detailOk = Boolean(detailArtifact && typeof detailArtifact.id === "string" && detailArtifact.id === input.artifactId);
+    const list = await client.rawRequest("GET", `/api/client/artifacts/by-entity?entity_type=${encodeURIComponent(input.entity_type)}&entity_id=${encodeURIComponent(input.entity_id)}&limit=25`);
+    const artifacts = extractArtifactsFromListResponse(list);
+    const linkedArtifact = artifacts.find((artifact) => {
+        return (typeof artifact.id === "string" &&
+            artifact.id === input.artifactId &&
+            typeof artifact.entity_type === "string" &&
+            artifact.entity_type === input.entity_type &&
+            typeof artifact.entity_id === "string" &&
+            artifact.entity_id === input.entity_id);
+    });
+    return { artifact_detail_ok: detailOk, linked_ok: Boolean(linkedArtifact) };
 }
 export async function registerArtifact(client, baseUrl, input) {
     const warnings = [];
@@ -111,6 +175,9 @@ export async function registerArtifact(client, baseUrl, input) {
             ? input.metadata
             : {}),
     };
+    const confidenceScore = normalizeConfidenceScore(input.confidence_score);
+    if (confidenceScore != null)
+        metadata.confidence_score = confidenceScore;
     if (input.external_url)
         metadata.external_url = String(input.external_url);
     if (input.preview_markdown) {
@@ -122,20 +189,102 @@ export async function registerArtifact(client, baseUrl, input) {
         if (preview.length > MAX_PREVIEW_MARKDOWN)
             metadata.preview_truncated = true;
     }
+    // --- Proof Ladder: atomic unit normalization + schema validation ---
+    const explicitAtomicType = typeof metadata.atomic_unit_type === "string"
+        ? metadata.atomic_unit_type.trim()
+        : null;
+    const inferredAtomicType = normalizeArtifactType(input.artifact_type);
+    const atomicUnitType = explicitAtomicType || inferredAtomicType;
+    if (atomicUnitType) {
+        metadata.atomic_unit_type = atomicUnitType;
+        const validation = validateArtifactMetadata(atomicUnitType, metadata);
+        metadata.schema_validated = validation.valid;
+        if (!validation.valid) {
+            warnings.push(...validation.warnings);
+        }
+    }
+    // --- Proof Ladder: artifact content hash ---
+    const hashSource = input.preview_markdown || input.external_url || input.name;
+    if (hashSource && !metadata.artifact_hash) {
+        metadata.artifact_hash = stableHash(String(hashSource));
+    }
+    // --- Proof Ladder: queue_ref from environment / caller ---
+    if (!metadata.queue_ref) {
+        const queueRef = {};
+        const envInitId = normalizeText(process.env.ORGX_INITIATIVE_ID);
+        const envWsId = normalizeText(process.env.ORGX_WORKSTREAM_ID);
+        const envTaskId = normalizeText(process.env.ORGX_TASK_ID);
+        if (envInitId)
+            queueRef.initiative_id = envInitId;
+        if (envWsId)
+            queueRef.workstream_id = envWsId;
+        if (envTaskId)
+            queueRef.task_id = envTaskId;
+        if (Object.keys(queueRef).length > 0) {
+            metadata.queue_ref = queueRef;
+        }
+    }
+    // --- Proof Ladder: run_ref from environment / caller ---
+    if (!metadata.run_ref) {
+        const runRef = {};
+        const envRunId = normalizeText(process.env.ORGX_RUN_ID);
+        const envCorrId = normalizeText(process.env.ORGX_CORRELATION_ID);
+        const envSessionId = normalizeText(process.env.ORGX_SESSION_ID);
+        if (envRunId)
+            runRef.run_id = envRunId;
+        if (envCorrId)
+            runRef.correlation_id = envCorrId;
+        if (envSessionId)
+            runRef.session_id = envSessionId;
+        if (Object.keys(runRef).length > 0) {
+            metadata.run_ref = runRef;
+        }
+    }
     const metadataInitiativeId = typeof metadata.initiative_id === "string" && metadata.initiative_id.trim().length > 0
         ? metadata.initiative_id.trim()
         : null;
     const initiativeIdHint = input.entity_type === "initiative" ? input.entity_id : metadataInitiativeId;
     let entity = null;
     let created = false;
-    // Attempt idempotent create using a client-provided UUID id (preferred).
+    let usedLegacyCreate = false;
+    // Primary path: canonical client artifact contract.
     try {
+        const response = await client.rawRequest("POST", "/api/client/artifacts", {
+            artifact_id: desiredId,
+            entity_type: input.entity_type,
+            entity_id: input.entity_id,
+            name: input.name,
+            artifact_type: input.artifact_type,
+            description: input.description ?? undefined,
+            artifact_url: artifactUrl,
+            external_url: input.external_url ?? undefined,
+            preview_markdown: input.preview_markdown ?? undefined,
+            status,
+            metadata,
+            ...(initiativeIdHint ? { initiative_id: initiativeIdHint } : {}),
+            ...createdBy,
+        });
+        entity = extractArtifactFromCreateResponse(response);
+        if (!entity) {
+            warnings.push("client artifact create returned an unexpected payload shape");
+        }
+        else {
+            created = true;
+        }
+    }
+    catch (err) {
+        warnings.push(`client artifact create failed; falling back to legacy entities route: ${safeErrorMessage(err)}`);
+    }
+    // Compatibility path for older OrgX servers.
+    if (!entity) {
+        usedLegacyCreate = true;
         try {
             entity = await client.createEntity("artifact", {
                 id: desiredId,
                 name: input.name,
                 description: input.description ?? undefined,
                 artifact_type: input.artifact_type,
+                confidence_score: confidenceScore ?? undefined,
                 entity_type: input.entity_type,
                 entity_id: input.entity_id,
                 ...(initiativeIdHint ? { initiative_id: initiativeIdHint } : {}),
@@ -150,13 +299,14 @@ export async function registerArtifact(client, baseUrl, input) {
             if (!isArtifactTypeConstraintError(err)) {
                 throw err;
             }
-            warnings.push(`artifact_type rejected; retrying with shared.project_handbook`);
+            warnings.push(`artifact_type rejected on legacy route; retrying with shared.project_handbook`);
             metadata.requested_artifact_type = input.artifact_type;
             entity = await client.createEntity("artifact", {
                 id: desiredId,
                 name: input.name,
                 description: input.description ?? undefined,
                 artifact_type: "shared.project_handbook",
+                confidence_score: confidenceScore ?? undefined,
                 entity_type: input.entity_type,
                 entity_id: input.entity_id,
                 ...(initiativeIdHint ? { initiative_id: initiativeIdHint } : {}),
@@ -168,52 +318,15 @@ export async function registerArtifact(client, baseUrl, input) {
             created = true;
         }
     }
-    catch (err) {
-        warnings.push(`artifact create with explicit id failed: ${safeErrorMessage(err)}`);
-        // Fallback: create without id, then patch artifact_url once we know the server id.
-        try {
-            entity = await client.createEntity("artifact", {
-                name: input.name,
-                description: input.description ?? undefined,
-                artifact_type: input.artifact_type,
-                entity_type: input.entity_type,
-                entity_id: input.entity_id,
-                ...(initiativeIdHint ? { initiative_id: initiativeIdHint } : {}),
-                artifact_url: input.external_url ?? `${normalizeBaseUrl(baseUrl)}/artifacts/pending`,
-                status,
-                metadata,
-                ...createdBy,
-            });
-            created = true;
-        }
-        catch (inner) {
-            if (!isArtifactTypeConstraintError(inner)) {
-                throw inner;
-            }
-            warnings.push(`artifact_type rejected; retrying with shared.project_handbook`);
-            metadata.requested_artifact_type = input.artifact_type;
-            entity = await client.createEntity("artifact", {
-                name: input.name,
-                description: input.description ?? undefined,
-                artifact_type: "shared.project_handbook",
-                entity_type: input.entity_type,
-                entity_id: input.entity_id,
-                ...(initiativeIdHint ? { initiative_id: initiativeIdHint } : {}),
-                artifact_url: input.external_url ?? `${normalizeBaseUrl(baseUrl)}/artifacts/pending`,
-                status,
-                metadata,
-                ...createdBy,
-            });
-            created = true;
-        }
-    }
     const artifactId = entity && typeof entity === "object" && typeof entity.id === "string"
         ? String(entity.id)
         : null;
-    let finalArtifactUrl = artifactId
-        ? `${normalizeBaseUrl(baseUrl)}/artifacts/${artifactId}`
-        : null;
-    if (artifactId) {
+    let finalArtifactUrl = entity && typeof entity === "object" && typeof entity.artifact_url === "string"
+        ? String(entity.artifact_url)
+        : artifactId
+            ? `${normalizeBaseUrl(baseUrl)}/artifacts/${artifactId}`
+            : null;
+    if (artifactId && usedLegacyCreate) {
         try {
             await client.updateEntity("artifact", artifactId, {
                 artifact_url: finalArtifactUrl,

package/dist/auth/flows.d.ts

@@ -0,0 +1,47 @@
+import { type ResolvedConfig } from "../config/resolution.js";
+import type { OnboardingState } from "../types.js";
+type LoggerLike = {
+    info?: (msg: string, meta?: Record<string, unknown>) => void;
+    warn?: (msg: string, meta?: Record<string, unknown>) => void;
+    debug?: (msg: string, meta?: Record<string, unknown>) => void;
+};
+type RuntimeConfigState = Pick<ResolvedConfig, "apiKey" | "apiKeySource" | "userId" | "baseUrl" | "installationId">;
+export declare function applyRuntimeApiKey(input: {
+    config: RuntimeConfigState;
+    apiKey: string;
+    source: "manual" | "browser_pairing";
+    workspaceName?: string | null;
+    keyPrefix?: string | null;
+    userId?: string | null;
+    currentWorkspaceName: string | null;
+    updateOnboardingState: (updates: Partial<OnboardingState>) => unknown;
+    setCredentials: (credentials: {
+        apiKey: string;
+        userId: string;
+        baseUrl: string;
+    }) => void;
+    logger?: LoggerLike;
+}): void;
+export declare function isAuthRequiredError(result: {
+    status: number;
+    error: string;
+}): boolean;
+export declare function buildManualKeyConnectUrl(baseApiUrl: string): string;
+export declare function fetchOrgxJson<T>(input: {
+    baseApiUrl: string;
+    method: "GET" | "POST";
+    path: string;
+    body?: unknown;
+    options?: {
+        timeoutMs?: number;
+    };
+    toErrorMessage: (err: unknown) => string;
+}): Promise<{
+    ok: true;
+    data: T;
+} | {
+    ok: false;
+    status: number;
+    error: string;
+}>;
+export {};

package/dist/auth/flows.js

@@ -0,0 +1,169 @@
+import { saveAuthStore } from "../auth-store.js";
+import { resolveRuntimeUserId, } from "../config/resolution.js";
+import { autoConfigureDetectedMcpClients } from "../mcp-client-setup.js";
+import { readOpenClawGatewayPort, readOpenClawSettingsSnapshot, } from "../openclaw-settings.js";
+export function applyRuntimeApiKey(input) {
+    const nextApiKey = input.apiKey.trim();
+    input.config.apiKey = nextApiKey;
+    input.config.apiKeySource = "persisted";
+    input.config.userId = resolveRuntimeUserId(nextApiKey, [input.userId, input.config.userId]);
+    input.setCredentials({
+        apiKey: input.config.apiKey,
+        userId: input.config.userId,
+        baseUrl: input.config.baseUrl,
+    });
+    saveAuthStore({
+        installationId: input.config.installationId,
+        apiKey: nextApiKey,
+        userId: input.config.userId || null,
+        workspaceName: input.workspaceName ?? null,
+        keyPrefix: input.keyPrefix ?? null,
+        source: input.source,
+    });
+    input.updateOnboardingState({
+        hasApiKey: true,
+        keySource: "persisted",
+        installationId: input.config.installationId,
+        workspaceName: input.workspaceName ?? input.currentWorkspaceName,
+    });
+    if (input.source === "browser_pairing" &&
+        process.env.ORGX_DISABLE_MCP_CLIENT_AUTOCONFIG !== "1") {
+        try {
+            const snapshot = readOpenClawSettingsSnapshot();
+            const port = readOpenClawGatewayPort(snapshot.raw);
+            const localMcpUrl = `http://127.0.0.1:${port}/orgx/mcp`;
+            void autoConfigureDetectedMcpClients({
+                localMcpUrl,
+                logger: input.logger ?? {},
+            }).catch(() => {
+                // best effort
+            });
+        }
+        catch {
+            // best effort
+        }
+    }
+}
+export function isAuthRequiredError(result) {
+    if (result.status !== 401) {
+        return false;
+    }
+    return /auth|unauthorized|token/i.test(result.error);
+}
+export function buildManualKeyConnectUrl(baseApiUrl) {
+    try {
+        // Deep-link into the Security section where API keys live.
+        return new URL("/settings#security", baseApiUrl).toString();
+    }
+    catch {
+        return "https://www.useorgx.com/settings#security";
+    }
+}
+export async function fetchOrgxJson(input) {
+    try {
+        const controller = new AbortController();
+        const timeoutMs = typeof input.options?.timeoutMs === "number" &&
+            Number.isFinite(input.options.timeoutMs)
+            ? Math.max(1_000, Math.floor(input.options.timeoutMs))
+            : 12_000;
+        const timeout = setTimeout(() => controller.abort(), timeoutMs);
+        let response;
+        let rawText = "";
+        try {
+            response = await fetch(`${input.baseApiUrl}${input.path}`, {
+                method: input.method,
+                signal: controller.signal,
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/json",
+                },
+                body: input.body ? JSON.stringify(input.body) : undefined,
+            });
+            rawText = await response.text().catch(() => "");
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+        const payload = (() => {
+            if (!rawText)
+                return null;
+            try {
+                return JSON.parse(rawText);
+            }
+            catch {
+                return null;
+            }
+        })();
+        if (!response.ok) {
+            const rawError = payload?.error ?? payload?.message;
+            let errorMessage;
+            if (typeof rawError === "string") {
+                errorMessage = rawError;
+            }
+            else if (rawError &&
+                typeof rawError === "object" &&
+                "message" in rawError &&
+                typeof rawError.message === "string") {
+                errorMessage = rawError.message;
+            }
+            else if (rawText && rawText.trim().length > 0) {
+                // Avoid dumping HTML (Cloudflare / Next.js error pages) into UI; keep it short.
+                const sanitized = rawText
+                    .replace(/\s+/g, " ")
+                    .replace(/<[^>]+>/g, "")
+                    .trim();
+                errorMessage =
+                    sanitized.length > 0
+                        ? sanitized.slice(0, 180)
+                        : `OrgX request failed (${response.status})`;
+            }
+            else {
+                errorMessage = `OrgX request failed (${response.status})`;
+            }
+            const statusToken = `HTTP ${response.status}`;
+            if (response.status &&
+                !errorMessage.toLowerCase().includes(statusToken.toLowerCase()) &&
+                !errorMessage.includes(`(${response.status})`)) {
+                errorMessage = `${errorMessage} (HTTP ${response.status})`;
+            }
+            const debugParts = [];
+            const requestId = response.headers.get("x-request-id");
+            const vercelId = response.headers.get("x-vercel-id");
+            const cfRay = response.headers.get("cf-ray");
+            const clerkStatus = response.headers.get("x-clerk-auth-status");
+            const clerkReason = response.headers.get("x-clerk-auth-reason");
+            if (requestId)
+                debugParts.push(`req=${requestId}`);
+            if (vercelId && vercelId !== requestId)
+                debugParts.push(`vercel=${vercelId}`);
+            if (cfRay)
+                debugParts.push(`cf-ray=${cfRay}`);
+            if (clerkStatus)
+                debugParts.push(`clerk=${clerkStatus}`);
+            if (clerkReason)
+                debugParts.push(`clerk_reason=${clerkReason}`);
+            const debugSuffix = debugParts.length > 0 ? ` (${debugParts.join(", ")})` : "";
+            return {
+                ok: false,
+                status: response.status,
+                error: `${errorMessage}${debugSuffix}`,
+            };
+        }
+        if (payload?.data !== undefined) {
+            return { ok: true, data: payload.data };
+        }
+        if (payload !== null) {
+            return { ok: true, data: payload };
+        }
+        return { ok: true, data: rawText };
+    }
+    catch (err) {
+        const message = err &&
+            typeof err === "object" &&
+            "name" in err &&
+            err.name === "AbortError"
+            ? `OrgX request timed out (method=${input.method}, path=${input.path})`
+            : input.toErrorMessage(err);
+        return { ok: false, status: 0, error: message };
+    }
+}

package/dist/auth-store.js

@@ -1,7 +1,8 @@
-import { mkdirSync, readFileSync, chmodSync, existsSync, rmSync } from 'node:fs';
+import { existsSync, readFileSync } from "node:fs";
 import { randomUUID } from 'node:crypto';
 import { getOrgxPluginConfigDir, getOrgxPluginConfigPath } from './paths.js';
 import { backupCorruptFileSync, writeJsonFileAtomicSync } from './fs-utils.js';
+import { clearStoreFileSync, ensureStoreDirSync, parseJsonSafe, } from "./stores/json-store.js";
 function authDir() {
     return getOrgxPluginConfigDir();
 }
@@ -18,22 +19,7 @@ function isUuid(value) {
     return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value);
 }
 function ensureAuthDir() {
-    const dir = authDir();
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-    try {
-        chmodSync(dir, 0o700);
-    }
-    catch {
-        // best effort
-    }
-}
-function parseJson(value) {
-    try {
-        return JSON.parse(value);
-    }
-    catch {
-        return null;
-    }
+    ensureStoreDirSync(authDir());
 }
 export function getAuthFilePath() {
     return authFile();
@@ -44,7 +30,7 @@ export function readPersistedAuth() {
         if (!existsSync(file))
             return null;
         const raw = readFileSync(file, 'utf8');
-        const parsed = parseJson(raw);
+        const parsed = parseJsonSafe(raw);
         if (!parsed) {
             backupCorruptFileSync(file);
             return null;
@@ -83,13 +69,7 @@ export function writePersistedAuth(input) {
     return next;
 }
 export function clearPersistedAuth() {
-    const file = authFile();
-    try {
-        rmSync(file, { force: true });
-    }
-    catch {
-        // best effort
-    }
+    clearStoreFileSync(authFile());
 }
 function readInstallationRecord() {
     const file = installationFile();
@@ -97,7 +77,7 @@ function readInstallationRecord() {
         if (!existsSync(file))
             return null;
         const raw = readFileSync(file, 'utf8');
-        const parsed = parseJson(raw);
+        const parsed = parseJsonSafe(raw);
         if (!parsed) {
             backupCorruptFileSync(file);
             return null;

package/dist/byok-store.js

@@ -1,7 +1,8 @@
-import { chmodSync, existsSync, mkdirSync, readFileSync, statSync } from "node:fs";
+import { existsSync, readFileSync, statSync } from "node:fs";
 import { join } from "node:path";
 import { getOpenClawDir } from "./paths.js";
 import { backupCorruptFileSync, writeJsonFileAtomicSync } from "./fs-utils.js";
+import { ensureStoreDirSync, parseJsonSafe, } from "./stores/json-store.js";
 const PROVIDER_PROFILE_MAP = {
     openaiApiKey: { profileId: "openai-codex", provider: "openai-codex" },
     anthropicApiKey: { profileId: "anthropic", provider: "anthropic" },
@@ -18,14 +19,6 @@ function isSafePathSegment(value) {
         return false;
     return true;
 }
-function parseJson(value) {
-    try {
-        return JSON.parse(value);
-    }
-    catch {
-        return null;
-    }
-}
 function readObject(value) {
     return value && typeof value === "object" && !Array.isArray(value)
         ? value
@@ -36,7 +29,7 @@ function resolveDefaultAgentId() {
         const configPath = join(getOpenClawDir(), "openclaw.json");
         if (!existsSync(configPath))
             return "main";
-        const raw = parseJson(readFileSync(configPath, "utf8"));
+        const raw = parseJsonSafe(readFileSync(configPath, "utf8"));
         const agents = readObject(raw?.agents);
         const list = Array.isArray(agents.list) ? agents.list : [];
         for (const entry of list) {
@@ -70,14 +63,7 @@ function authProfilesFile() {
     return join(authProfilesDir(), "auth-profiles.json");
 }
 function ensureAuthProfilesDir() {
-    const dir = authProfilesDir();
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-    try {
-        chmodSync(dir, 0o700);
-    }
-    catch {
-        // best effort
-    }
+    ensureStoreDirSync(authProfilesDir());
 }
 function normalizeAuthProfileEntry(value) {
     if (!value || typeof value !== "object")
@@ -96,7 +82,7 @@ function readAuthProfiles() {
         if (!existsSync(file))
             return { file, parsed: null };
         const raw = readFileSync(file, "utf8");
-        const parsed = parseJson(raw);
+        const parsed = parseJsonSafe(raw);
         if (!parsed || typeof parsed !== "object") {
             backupCorruptFileSync(file);
             return { file, parsed: null };