npm - aamp-openclaw-plugin - Versions diffs - 0.1.37 → 0.1.39 - Mend

aamp-openclaw-plugin 0.1.37 → 0.1.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +15 -1
package/bin/aamp-openclaw-plugin.mjs +50 -44
package/dist/file-store.js +73 -0
package/dist/file-store.js.map +2 -2
package/dist/index.js +718 -134
package/dist/index.js.map +4 -4
package/openclaw.plugin.json +21 -0
package/package.json +57 -1
package/skills/SKILL.md +0 -1

package/README.md CHANGED Viewed

@@ -22,6 +22,18 @@ the installer will prompt for:
 The answers are written into the OpenClaw plugin config automatically, so users do not need to hand-edit `openclaw.json`.
+When the plugin starts, it also prints a five-minute `aamp://connect?...`
+pairing URL and terminal QR code. Scan it with AAMP App, paste it into User UI,
+or run `aamp-cli pair --url ...` to authorize that sender. A valid
+`pair.request` writes the sender and optional dispatch-context rules to the
+paired sender policy file, then consumes the code. The plugin replies with
+`pair.respond`; rejected responses include the failure reason.
+You can generate a fresh pairing QR code later without restarting OpenClaw:
+- Ask the agent to use the `aamp_pairing_code` tool.
+- Or run the `/aamp-pair` command in OpenClaw.
 ## Build
 ```bash
@@ -41,6 +53,8 @@ npm run build
           "taskDispatchConcurrency": 10,
           "slug": "openclaw-agent",
           "credentialsFile": "~/.openclaw/extensions/aamp-openclaw-plugin/.credentials.json",
+          "pairingFile": "~/.openclaw/extensions/aamp-openclaw-plugin/.pairing.json",
+          "senderPoliciesFile": "~/.openclaw/extensions/aamp-openclaw-plugin/.sender-policies.json",
           "senderPolicies": [
             {
               "sender": "meegle-bot@meshmail.ai",
@@ -57,7 +71,7 @@ npm run build
 }
 ```
-If `senderPolicies` is omitted, all senders are accepted. If set, the dispatch sender must match one policy and all configured dispatch-context rules for that sender must pass.
+If `senderPolicies` is omitted, no senders are authorized by default. Use the printed pairing QR/URL or configure at least one policy before sending `task.dispatch`; matching policies can also require all configured dispatch-context rules to pass.
 `taskDispatchConcurrency` is optional and defaults to `10`.
 The plugin also understands:

package/bin/aamp-openclaw-plugin.mjs CHANGED Viewed

@@ -8,10 +8,13 @@ import { stdin as input, stdout as output, stderr } from 'node:process'
 import { spawnSync } from 'node:child_process'
 import { createRequire } from 'node:module'
 import { fileURLToPath } from 'node:url'
+import { AampClient } from 'aamp-sdk'
 const PLUGIN_ID = 'aamp-openclaw-plugin'
 const DEFAULT_AAMP_HOST = 'https://meshmail.ai'
 const DEFAULT_CREDENTIALS_FILE = '~/.openclaw/extensions/aamp-openclaw-plugin/.credentials.json'
+const DEFAULT_PAIRING_FILE = '~/.openclaw/extensions/aamp-openclaw-plugin/.pairing.json'
+const DEFAULT_SENDER_POLICIES_FILE = '~/.openclaw/extensions/aamp-openclaw-plugin/.sender-policies.json'
 const CODING_TOOL_ALLOWLIST = [
   'read',
   'write',
@@ -35,9 +38,12 @@ const CODING_TOOL_ALLOWLIST = [
   'image_generate',
 ]
 const AAMP_PLUGIN_TOOL_ALLOWLIST = [
+  'aamp_directory_search',
   'aamp_send_result',
   'aamp_send_help',
   'aamp_pending_tasks',
+  'aamp_pairing_code',
+  'aamp_cancel_task',
   'aamp_dispatch_task',
   'aamp_check_protocol',
   'aamp_download_attachment',
@@ -176,6 +182,19 @@ export function writeJsonFile(path, value) {
   writeFileSync(path, JSON.stringify(value, null, 2) + '\n', 'utf-8')
 }
+async function renderTerminalQr(value) {
+  try {
+    const qrcode = await import('qrcode-terminal')
+    const generator = qrcode.default?.generate ?? qrcode.generate
+    if (!generator) return ''
+    return await new Promise((resolve) => {
+      generator(value, { small: true }, (qr) => resolve(qr))
+    })
+  } catch {
+    return ''
+  }
+}
 export function normalizeBaseUrl(url) {
   if (url.startsWith('http://') || url.startsWith('https://')) return url.replace(/\/$/, '')
   return `https://${url.replace(/\/$/, '')}`
@@ -444,50 +463,15 @@ export async function ensureMailboxIdentity({ aampHost, slug, credentialsFile })
     }
   }
-  const base = normalizeBaseUrl(aampHost)
-  const discoveryRes = await fetch(`${base}/.well-known/aamp`)
-  if (!discoveryRes.ok) {
-    const text = await discoveryRes.text().catch(() => '')
-    throw new Error(`AAMP discovery failed (${discoveryRes.status}): ${text || discoveryRes.statusText}`)
-  }
-  const discovery = await discoveryRes.json()
-  const apiUrl = discovery?.api?.url
-  if (!apiUrl) {
-    throw new Error('AAMP discovery did not return api.url')
-  }
-  const apiBase = new URL(apiUrl, `${base}/`).toString()
-  const registerRes = await fetch(`${apiBase}?action=aamp.mailbox.register`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      slug,
-      description: 'OpenClaw AAMP agent node',
-    }),
+  const credData = await AampClient.registerMailbox({
+    aampHost: normalizeBaseUrl(aampHost),
+    slug,
+    description: 'OpenClaw AAMP agent node',
   })
-  if (!registerRes.ok) {
-    const text = await registerRes.text().catch(() => '')
-    throw new Error(`AAMP self-register failed (${registerRes.status}): ${text || registerRes.statusText}`)
-  }
-  const registerData = await registerRes.json()
-  const code = registerData?.registrationCode
-  if (!code) {
-    throw new Error('AAMP self-register succeeded but no registrationCode was returned')
-  }
-  const credRes = await fetch(`${apiBase}?action=aamp.mailbox.credentials&code=${encodeURIComponent(code)}`)
-  if (!credRes.ok) {
-    const text = await credRes.text().catch(() => '')
-    throw new Error(`AAMP credential exchange failed (${credRes.status}): ${text || credRes.statusText}`)
-  }
-  const credData = await credRes.json()
   const identity = {
     email: credData?.email,
-    mailboxToken: credData?.mailbox?.token ?? credData?.jmap?.token,
-    smtpPassword: credData?.smtp?.password,
+    mailboxToken: credData?.mailboxToken,
+    smtpPassword: credData?.smtpPassword,
   }
   if (!identity.email || !identity.mailboxToken || !identity.smtpPassword) {
@@ -498,6 +482,18 @@ export async function ensureMailboxIdentity({ aampHost, slug, credentialsFile })
   return { created: true, email: identity.email, credentialsPath: resolvedCreds }
 }
+export function createPairingFile({ email, pairingFile }) {
+  if (!email) return null
+  const pairing = AampClient.createPairingCode({ mailbox: email })
+  writeJsonFile(expandHome(pairingFile), {
+    mailbox: pairing.mailbox,
+    pairCode: pairing.pairCode,
+    expiresAt: pairing.expiresAt,
+    connectUrl: pairing.connectUrl,
+  })
+  return pairing
+}
 function printHelp() {
   output.write(
     [
@@ -541,7 +537,7 @@ export async function runInit() {
             'Detected existing plugin config:',
             `  aampHost: ${previousConfig.aampHost ?? DEFAULT_AAMP_HOST}`,
             `  slug: ${previousConfig.slug ?? 'openclaw-agent'}`,
-            `  senderPolicies: ${previousConfig.senderPolicies ? JSON.stringify(previousConfig.senderPolicies) : '(allow all)'}`,
+            `  senderPolicies: ${previousConfig.senderPolicies ? JSON.stringify(previousConfig.senderPolicies) : '(default deny until paired or configured)'}`,
             '',
           ].join('\n'),
         )
@@ -554,7 +550,7 @@ export async function runInit() {
         aampHost = aampHostAnswer.trim() || aampHost
         const senderAnswer = await rl.question(
-          'Primary trusted dispatch sender (e.g. meegle-bot@meshmail.ai, leave blank to allow all): ',
+          'Primary trusted dispatch sender (e.g. meegle-bot@meshmail.ai, leave blank to pair later): ',
         )
         const sender = senderAnswer.trim()
         if (sender) {
@@ -620,6 +616,8 @@ export async function runInit() {
     aampHost,
     slug,
     credentialsFile: DEFAULT_CREDENTIALS_FILE,
+    pairingFile: DEFAULT_PAIRING_FILE,
+    senderPoliciesFile: DEFAULT_SENDER_POLICIES_FILE,
     ...(senderPolicies ? { senderPolicies } : {}),
   }, {
     includeCodingBaseline,
@@ -646,6 +644,10 @@ export async function runInit() {
     slug,
     credentialsFile: DEFAULT_CREDENTIALS_FILE,
   })
+  const pairing = identityResult.email
+    ? createPairingFile({ email: identityResult.email, pairingFile: DEFAULT_PAIRING_FILE })
+    : null
+  const qr = pairing ? await renderTerminalQr(pairing.connectUrl) : ''
   const restartResult = restartGateway()
@@ -661,7 +663,9 @@ export async function runInit() {
       `  channels.aamp.enabled: ${next.channels?.aamp?.enabled === true ? 'true' : 'false'}`,
       `  aampHost: ${aampHost}`,
       `  credentialsFile: ${DEFAULT_CREDENTIALS_FILE}`,
-      `  senderPolicies: ${senderPolicies ? JSON.stringify(senderPolicies) : '(allow all)'}`,
+      `  pairingFile: ${DEFAULT_PAIRING_FILE}`,
+      `  senderPoliciesFile: ${DEFAULT_SENDER_POLICIES_FILE}`,
+      `  senderPolicies: ${senderPolicies ? JSON.stringify(senderPolicies) : '(default deny until paired or configured)'}`,
       `  tools.allow: ${JSON.stringify(next.tools?.allow ?? [])}`,
       `  codingBaselineAdded: ${toolPolicyPlan.missingCodingTools.length > 0 && includeCodingBaseline ? 'yes' : 'no'}`,
       identityResult.created
@@ -676,6 +680,8 @@ export async function runInit() {
       restartResult.ok
         ? 'Plugin changes should now be active.'
         : 'Please restart the OpenClaw gateway manually for the plugin changes to take effect.',
+      pairing ? `Pairing URL (expires ${pairing.expiresAt}): ${pairing.connectUrl}` : '',
+      qr ? `\n${qr}` : '',
       '',
     ].join('\n'),
   )

package/dist/file-store.js CHANGED Viewed

@@ -2,12 +2,19 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { homedir } from "node:os";
+import { randomBytes } from "node:crypto";
 function defaultCredentialsPath() {
   return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".credentials.json");
 }
 function defaultTaskStatePath() {
   return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".task-state.json");
 }
+function defaultPairingPath() {
+  return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".pairing.json");
+}
+function defaultSenderPoliciesPath() {
+  return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".sender-policies.json");
+}
 function loadCachedIdentity(file) {
   const resolved = file ?? defaultCredentialsPath();
   if (!existsSync(resolved))
@@ -54,6 +61,66 @@ function saveTaskState(state, file) {
     terminalTaskIds: state.terminalTaskIds ?? []
   }, null, 2), "utf-8");
 }
+function createPairingCode(params) {
+  const pairCode = randomBytes(6).toString("base64url");
+  const expiresAt = new Date(Date.now() + (params.ttlSeconds ?? 300) * 1e3).toISOString();
+  const connectUrl = `aamp://connect?mailbox=${encodeURIComponent(params.mailbox.toLowerCase())}&pair_code=${encodeURIComponent(pairCode)}`;
+  const state = {
+    mailbox: params.mailbox.toLowerCase(),
+    pairCode,
+    expiresAt,
+    connectUrl
+  };
+  const resolved = params.file ?? defaultPairingPath();
+  mkdirSync(dirname(resolved), { recursive: true });
+  writeFileSync(resolved, JSON.stringify(state, null, 2), "utf-8");
+  return state;
+}
+function consumePairingCode(params) {
+  const resolved = params.file ?? defaultPairingPath();
+  if (!existsSync(resolved))
+    return null;
+  const state = JSON.parse(readFileSync(resolved, "utf-8"));
+  if (state.mailbox.toLowerCase() !== params.mailbox.toLowerCase())
+    return null;
+  if (state.pairCode !== params.pairCode)
+    return null;
+  if (state.consumedAt)
+    return null;
+  if (new Date(state.expiresAt).getTime() <= Date.now())
+    return null;
+  writeFileSync(resolved, JSON.stringify({ ...state, pairCode: "", consumedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf-8");
+  return state;
+}
+function isPairedSenderPolicy(value) {
+  if (!value || typeof value !== "object")
+    return false;
+  const policy = value;
+  return typeof policy.sender === "string" && typeof policy.dispatchContextRules === "object" && typeof policy.pairedAt === "string";
+}
+function loadPairedSenderPolicies(file) {
+  const resolved = file ?? defaultSenderPoliciesPath();
+  if (!existsSync(resolved))
+    return [];
+  try {
+    const data = JSON.parse(readFileSync(resolved, "utf-8"));
+    return Array.isArray(data) ? data.filter(isPairedSenderPolicy) : [];
+  } catch {
+    return [];
+  }
+}
+function addPairedSenderPolicy(file, policy) {
+  const resolved = file ?? defaultSenderPoliciesPath();
+  const policies = loadPairedSenderPolicies(resolved);
+  const normalizedSender = policy.sender.toLowerCase();
+  const next = [
+    ...policies.filter((item) => item.sender.toLowerCase() !== normalizedSender),
+    { ...policy, sender: normalizedSender }
+  ];
+  mkdirSync(dirname(resolved), { recursive: true });
+  writeFileSync(resolved, JSON.stringify(next, null, 2), "utf-8");
+  return next;
+}
 function ensureDir(dir) {
   mkdirSync(dir, { recursive: true });
 }
@@ -65,10 +132,16 @@ function writeBinaryFile(path, content) {
   writeFileSync(path, content);
 }
 export {
+  addPairedSenderPolicy,
+  consumePairingCode,
+  createPairingCode,
   defaultCredentialsPath,
+  defaultPairingPath,
+  defaultSenderPoliciesPath,
   defaultTaskStatePath,
   ensureDir,
   loadCachedIdentity,
+  loadPairedSenderPolicies,
   loadTaskState,
   readBinaryFile,
   saveCachedIdentity,

package/dist/file-store.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../src/file-store.ts"],
-  "sourcesContent": ["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { dirname, join } from 'node:path'\nimport { homedir } from 'node:os'\n\nexport interface Identity {\n  email: string\n  mailboxToken: string\n  smtpPassword: string\n}\n\nexport interface CachedTaskState {\n  terminalTaskIds?: string[]\n}\n\nexport function defaultCredentialsPath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.credentials.json')\n}\n\nexport function defaultTaskStatePath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.task-state.json')\n}\n\nexport function loadCachedIdentity(file?: string): Identity | null {\n  const resolved = file ?? defaultCredentialsPath()\n  if (!existsSync(resolved)) return null\n  try {\n    const parsed = JSON.parse(readFileSync(resolved, 'utf-8')) as Partial<Identity>\n    if (!parsed.email || !parsed.mailboxToken || !parsed.smtpPassword) return null\n    return {\n      email: parsed.email,\n      mailboxToken: parsed.mailboxToken,\n      smtpPassword: parsed.smtpPassword,\n    }\n  } catch {\n    return null\n  }\n}\n\nexport function saveCachedIdentity(identity: Identity, file?: string): void {\n  const resolved = file ?? defaultCredentialsPath()\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify({\n    email: identity.email,\n    mailboxToken: identity.mailboxToken,\n    smtpPassword: identity.smtpPassword,\n  }, null, 2), 'utf-8')\n}\n\nexport function loadTaskState(file?: string): CachedTaskState {\n  const resolved = file ?? defaultTaskStatePath()\n  if (!existsSync(resolved)) return { terminalTaskIds: [] }\n  try {\n    const parsed = JSON.parse(readFileSync(resolved, 'utf-8')) as CachedTaskState\n    return {\n      terminalTaskIds: Array.isArray(parsed.terminalTaskIds) ? parsed.terminalTaskIds.filter(Boolean) : [],\n    }\n  } catch {\n    return { terminalTaskIds: [] }\n  }\n}\n\nexport function saveTaskState(state: CachedTaskState, file?: string): void {\n  const resolved = file ?? defaultTaskStatePath()\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify({\n    terminalTaskIds: state.terminalTaskIds ?? [],\n  }, null, 2), 'utf-8')\n}\n\nexport function ensureDir(dir: string): void {\n  mkdirSync(dir, { recursive: true })\n}\n\nexport function readBinaryFile(path: string): Buffer {\n  return readFileSync(path)\n}\n\nexport function writeBinaryFile(path: string, content: Uint8Array | Buffer): void {\n  mkdirSync(dirname(path), { recursive: true })\n  writeFileSync(path, content)\n}\n"],
-  "mappings": ";AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,SAAS,YAAY;AAC9B,SAAS,eAAe;AAYjB,SAAS,yBAAiC;AAC/C,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,mBAAmB;AAC/F;AAEO,SAAS,uBAA+B;AAC7C,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,kBAAkB;AAC9F;AAEO,SAAS,mBAAmB,MAAgC;AACjE,QAAM,WAAW,QAAQ,uBAAuB;AAChD,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO;AAClC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACzD,QAAI,CAAC,OAAO,SAAS,CAAC,OAAO,gBAAgB,CAAC,OAAO;AAAc,aAAO;AAC1E,WAAO;AAAA,MACL,OAAO,OAAO;AAAA,MACd,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB,UAAoB,MAAqB;AAC1E,QAAM,WAAW,QAAQ,uBAAuB;AAChD,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU;AAAA,IACrC,OAAO,SAAS;AAAA,IAChB,cAAc,SAAS;AAAA,IACvB,cAAc,SAAS;AAAA,EACzB,GAAG,MAAM,CAAC,GAAG,OAAO;AACtB;AAEO,SAAS,cAAc,MAAgC;AAC5D,QAAM,WAAW,QAAQ,qBAAqB;AAC9C,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO,EAAE,iBAAiB,CAAC,EAAE;AACxD,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACzD,WAAO;AAAA,MACL,iBAAiB,MAAM,QAAQ,OAAO,eAAe,IAAI,OAAO,gBAAgB,OAAO,OAAO,IAAI,CAAC;AAAA,IACrG;AAAA,EACF,QAAQ;AACN,WAAO,EAAE,iBAAiB,CAAC,EAAE;AAAA,EAC/B;AACF;AAEO,SAAS,cAAc,OAAwB,MAAqB;AACzE,QAAM,WAAW,QAAQ,qBAAqB;AAC9C,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU;AAAA,IACrC,iBAAiB,MAAM,mBAAmB,CAAC;AAAA,EAC7C,GAAG,MAAM,CAAC,GAAG,OAAO;AACtB;AAEO,SAAS,UAAU,KAAmB;AAC3C,YAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACpC;AAEO,SAAS,eAAe,MAAsB;AACnD,SAAO,aAAa,IAAI;AAC1B;AAEO,SAAS,gBAAgB,MAAc,SAAoC;AAChF,YAAU,QAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC5C,gBAAc,MAAM,OAAO;AAC7B;",
+  "sourcesContent": ["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { dirname, join } from 'node:path'\nimport { homedir } from 'node:os'\nimport { randomBytes } from 'node:crypto'\n\nexport interface Identity {\n  email: string\n  mailboxToken: string\n  smtpPassword: string\n}\n\nexport interface CachedTaskState {\n  terminalTaskIds?: string[]\n}\n\nexport interface DispatchContextRules {\n  [key: string]: string[]\n}\n\nexport interface PairingCodeState {\n  mailbox: string\n  pairCode: string\n  expiresAt: string\n  connectUrl: string\n  consumedAt?: string\n}\n\nexport interface PairedSenderPolicy {\n  sender: string\n  dispatchContextRules: DispatchContextRules\n  pairedAt: string\n}\n\nexport function defaultCredentialsPath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.credentials.json')\n}\n\nexport function defaultTaskStatePath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.task-state.json')\n}\n\nexport function defaultPairingPath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.pairing.json')\n}\n\nexport function defaultSenderPoliciesPath(): string {\n  return join(homedir(), '.openclaw', 'extensions', 'aamp-openclaw-plugin', '.sender-policies.json')\n}\n\nexport function loadCachedIdentity(file?: string): Identity | null {\n  const resolved = file ?? defaultCredentialsPath()\n  if (!existsSync(resolved)) return null\n  try {\n    const parsed = JSON.parse(readFileSync(resolved, 'utf-8')) as Partial<Identity>\n    if (!parsed.email || !parsed.mailboxToken || !parsed.smtpPassword) return null\n    return {\n      email: parsed.email,\n      mailboxToken: parsed.mailboxToken,\n      smtpPassword: parsed.smtpPassword,\n    }\n  } catch {\n    return null\n  }\n}\n\nexport function saveCachedIdentity(identity: Identity, file?: string): void {\n  const resolved = file ?? defaultCredentialsPath()\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify({\n    email: identity.email,\n    mailboxToken: identity.mailboxToken,\n    smtpPassword: identity.smtpPassword,\n  }, null, 2), 'utf-8')\n}\n\nexport function loadTaskState(file?: string): CachedTaskState {\n  const resolved = file ?? defaultTaskStatePath()\n  if (!existsSync(resolved)) return { terminalTaskIds: [] }\n  try {\n    const parsed = JSON.parse(readFileSync(resolved, 'utf-8')) as CachedTaskState\n    return {\n      terminalTaskIds: Array.isArray(parsed.terminalTaskIds) ? parsed.terminalTaskIds.filter(Boolean) : [],\n    }\n  } catch {\n    return { terminalTaskIds: [] }\n  }\n}\n\nexport function saveTaskState(state: CachedTaskState, file?: string): void {\n  const resolved = file ?? defaultTaskStatePath()\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify({\n    terminalTaskIds: state.terminalTaskIds ?? [],\n  }, null, 2), 'utf-8')\n}\n\nexport function createPairingCode(params: {\n  mailbox: string\n  file?: string\n  ttlSeconds?: number\n}): PairingCodeState {\n  const pairCode = randomBytes(6).toString('base64url')\n  const expiresAt = new Date(Date.now() + (params.ttlSeconds ?? 300) * 1000).toISOString()\n  const connectUrl = `aamp://connect?mailbox=${encodeURIComponent(params.mailbox.toLowerCase())}&pair_code=${encodeURIComponent(pairCode)}`\n  const state: PairingCodeState = {\n    mailbox: params.mailbox.toLowerCase(),\n    pairCode,\n    expiresAt,\n    connectUrl,\n  }\n  const resolved = params.file ?? defaultPairingPath()\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify(state, null, 2), 'utf-8')\n  return state\n}\n\nexport function consumePairingCode(params: {\n  mailbox: string\n  pairCode: string\n  file?: string\n}): PairingCodeState | null {\n  const resolved = params.file ?? defaultPairingPath()\n  if (!existsSync(resolved)) return null\n  const state = JSON.parse(readFileSync(resolved, 'utf-8')) as PairingCodeState\n  if (state.mailbox.toLowerCase() !== params.mailbox.toLowerCase()) return null\n  if (state.pairCode !== params.pairCode) return null\n  if (state.consumedAt) return null\n  if (new Date(state.expiresAt).getTime() <= Date.now()) return null\n  writeFileSync(resolved, JSON.stringify({ ...state, pairCode: '', consumedAt: new Date().toISOString() }, null, 2), 'utf-8')\n  return state\n}\n\nfunction isPairedSenderPolicy(value: unknown): value is PairedSenderPolicy {\n  if (!value || typeof value !== 'object') return false\n  const policy = value as PairedSenderPolicy\n  return typeof policy.sender === 'string'\n    && typeof policy.dispatchContextRules === 'object'\n    && typeof policy.pairedAt === 'string'\n}\n\nexport function loadPairedSenderPolicies(file?: string): PairedSenderPolicy[] {\n  const resolved = file ?? defaultSenderPoliciesPath()\n  if (!existsSync(resolved)) return []\n  try {\n    const data = JSON.parse(readFileSync(resolved, 'utf-8')) as unknown\n    return Array.isArray(data) ? data.filter(isPairedSenderPolicy) : []\n  } catch {\n    return []\n  }\n}\n\nexport function addPairedSenderPolicy(file: string | undefined, policy: PairedSenderPolicy): PairedSenderPolicy[] {\n  const resolved = file ?? defaultSenderPoliciesPath()\n  const policies = loadPairedSenderPolicies(resolved)\n  const normalizedSender = policy.sender.toLowerCase()\n  const next = [\n    ...policies.filter((item) => item.sender.toLowerCase() !== normalizedSender),\n    { ...policy, sender: normalizedSender },\n  ]\n  mkdirSync(dirname(resolved), { recursive: true })\n  writeFileSync(resolved, JSON.stringify(next, null, 2), 'utf-8')\n  return next\n}\n\nexport function ensureDir(dir: string): void {\n  mkdirSync(dir, { recursive: true })\n}\n\nexport function readBinaryFile(path: string): Buffer {\n  return readFileSync(path)\n}\n\nexport function writeBinaryFile(path: string, content: Uint8Array | Buffer): void {\n  mkdirSync(dirname(path), { recursive: true })\n  writeFileSync(path, content)\n}\n"],
+  "mappings": ";AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,SAAS,YAAY;AAC9B,SAAS,eAAe;AACxB,SAAS,mBAAmB;AA8BrB,SAAS,yBAAiC;AAC/C,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,mBAAmB;AAC/F;AAEO,SAAS,uBAA+B;AAC7C,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,kBAAkB;AAC9F;AAEO,SAAS,qBAA6B;AAC3C,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,eAAe;AAC3F;AAEO,SAAS,4BAAoC;AAClD,SAAO,KAAK,QAAQ,GAAG,aAAa,cAAc,wBAAwB,uBAAuB;AACnG;AAEO,SAAS,mBAAmB,MAAgC;AACjE,QAAM,WAAW,QAAQ,uBAAuB;AAChD,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO;AAClC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACzD,QAAI,CAAC,OAAO,SAAS,CAAC,OAAO,gBAAgB,CAAC,OAAO;AAAc,aAAO;AAC1E,WAAO;AAAA,MACL,OAAO,OAAO;AAAA,MACd,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB,UAAoB,MAAqB;AAC1E,QAAM,WAAW,QAAQ,uBAAuB;AAChD,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU;AAAA,IACrC,OAAO,SAAS;AAAA,IAChB,cAAc,SAAS;AAAA,IACvB,cAAc,SAAS;AAAA,EACzB,GAAG,MAAM,CAAC,GAAG,OAAO;AACtB;AAEO,SAAS,cAAc,MAAgC;AAC5D,QAAM,WAAW,QAAQ,qBAAqB;AAC9C,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO,EAAE,iBAAiB,CAAC,EAAE;AACxD,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACzD,WAAO;AAAA,MACL,iBAAiB,MAAM,QAAQ,OAAO,eAAe,IAAI,OAAO,gBAAgB,OAAO,OAAO,IAAI,CAAC;AAAA,IACrG;AAAA,EACF,QAAQ;AACN,WAAO,EAAE,iBAAiB,CAAC,EAAE;AAAA,EAC/B;AACF;AAEO,SAAS,cAAc,OAAwB,MAAqB;AACzE,QAAM,WAAW,QAAQ,qBAAqB;AAC9C,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU;AAAA,IACrC,iBAAiB,MAAM,mBAAmB,CAAC;AAAA,EAC7C,GAAG,MAAM,CAAC,GAAG,OAAO;AACtB;AAEO,SAAS,kBAAkB,QAIb;AACnB,QAAM,WAAW,YAAY,CAAC,EAAE,SAAS,WAAW;AACpD,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,OAAO,cAAc,OAAO,GAAI,EAAE,YAAY;AACvF,QAAM,aAAa,0BAA0B,mBAAmB,OAAO,QAAQ,YAAY,CAAC,CAAC,cAAc,mBAAmB,QAAQ,CAAC;AACvI,QAAM,QAA0B;AAAA,IAC9B,SAAS,OAAO,QAAQ,YAAY;AAAA,IACpC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,WAAW,OAAO,QAAQ,mBAAmB;AACnD,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,OAAO;AAC/D,SAAO;AACT;AAEO,SAAS,mBAAmB,QAIP;AAC1B,QAAM,WAAW,OAAO,QAAQ,mBAAmB;AACnD,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO;AAClC,QAAM,QAAQ,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACxD,MAAI,MAAM,QAAQ,YAAY,MAAM,OAAO,QAAQ,YAAY;AAAG,WAAO;AACzE,MAAI,MAAM,aAAa,OAAO;AAAU,WAAO;AAC/C,MAAI,MAAM;AAAY,WAAO;AAC7B,MAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,KAAK,KAAK,IAAI;AAAG,WAAO;AAC9D,gBAAc,UAAU,KAAK,UAAU,EAAE,GAAG,OAAO,UAAU,IAAI,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE,GAAG,MAAM,CAAC,GAAG,OAAO;AAC1H,SAAO;AACT;AAEA,SAAS,qBAAqB,OAA6C;AACzE,MAAI,CAAC,SAAS,OAAO,UAAU;AAAU,WAAO;AAChD,QAAM,SAAS;AACf,SAAO,OAAO,OAAO,WAAW,YAC3B,OAAO,OAAO,yBAAyB,YACvC,OAAO,OAAO,aAAa;AAClC;AAEO,SAAS,yBAAyB,MAAqC;AAC5E,QAAM,WAAW,QAAQ,0BAA0B;AACnD,MAAI,CAAC,WAAW,QAAQ;AAAG,WAAO,CAAC;AACnC,MAAI;AACF,UAAM,OAAO,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AACvD,WAAO,MAAM,QAAQ,IAAI,IAAI,KAAK,OAAO,oBAAoB,IAAI,CAAC;AAAA,EACpE,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,sBAAsB,MAA0B,QAAkD;AAChH,QAAM,WAAW,QAAQ,0BAA0B;AACnD,QAAM,WAAW,yBAAyB,QAAQ;AAClD,QAAM,mBAAmB,OAAO,OAAO,YAAY;AACnD,QAAM,OAAO;AAAA,IACX,GAAG,SAAS,OAAO,CAAC,SAAS,KAAK,OAAO,YAAY,MAAM,gBAAgB;AAAA,IAC3E,EAAE,GAAG,QAAQ,QAAQ,iBAAiB;AAAA,EACxC;AACA,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,OAAO;AAC9D,SAAO;AACT;AAEO,SAAS,UAAU,KAAmB;AAC3C,YAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACpC;AAEO,SAAS,eAAe,MAAsB;AACnD,SAAO,aAAa,IAAI;AAC1B;AAEO,SAAS,gBAAgB,MAAc,SAAoC;AAChF,YAAU,QAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC5C,gBAAc,MAAM,OAAO;AAC7B;",
   "names": []
 }