clawdentity 0.0.22 → 0.0.23

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Ravi Kiran Vemula
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/bin.js

@@ -24389,16 +24389,20 @@ function parsePeerProfile(payload) {
   };
 }
 function parsePairingTicket(value) {
-  const ticket = parseNonEmptyString9(value);
+  let ticket = parseNonEmptyString9(value);
+  while (ticket.startsWith("`")) {
+    ticket = ticket.slice(1);
+  }
+  while (ticket.endsWith("`")) {
+    ticket = ticket.slice(0, -1);
+  }
+  ticket = ticket.trim().replace(/\s+/gu, "");
   if (!ticket.startsWith(PAIRING_TICKET_PREFIX)) {
     throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
-  return ticket;
-}
-function parsePairingTicketIssuerOrigin(ticket) {
   const encodedPayload = ticket.slice(PAIRING_TICKET_PREFIX.length);
   if (encodedPayload.length === 0) {
     throw createCliError7(
@@ -24406,15 +24410,26 @@ function parsePairingTicketIssuerOrigin(ticket) {
       "Pairing ticket is invalid"
     );
   }
-  let payloadRaw;
   try {
-    payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
+    const payloadRaw = new TextDecoder().decode(
+      decodeBase64url(encodedPayload)
+    );
+    const payload = JSON.parse(payloadRaw);
+    if (!isRecord10(payload)) {
+      throw new Error("invalid payload");
+    }
   } catch {
     throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
+  return ticket;
+}
+function parsePairingTicketIssuerOrigin(ticket) {
+  const normalizedTicket = parsePairingTicket(ticket);
+  const encodedPayload = normalizedTicket.slice(PAIRING_TICKET_PREFIX.length);
+  const payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
   let payload;
   try {
     payload = JSON.parse(payloadRaw);
@@ -24447,6 +24462,26 @@ function parsePairingTicketIssuerOrigin(ticket) {
   }
   return issuerUrl.origin;
 }
+function assertTicketIssuerMatchesProxy(input) {
+  const issuerOrigin = parsePairingTicketIssuerOrigin(input.ticket);
+  let proxyOrigin;
+  try {
+    proxyOrigin = new URL(input.proxyUrl).origin;
+  } catch {
+    throw createCliError7(
+      "CLI_PAIR_PROXY_URL_INVALID",
+      "Configured proxyUrl is invalid. Run `clawdentity config set proxyUrl <url>` and retry."
+    );
+  }
+  if (issuerOrigin === proxyOrigin) {
+    return;
+  }
+  const command = input.context === "confirm" ? "pair confirm" : "pair status";
+  throw createCliError7(
+    "CLI_PAIR_TICKET_ISSUER_MISMATCH",
+    `Pairing ticket was issued by ${issuerOrigin}, but current proxy URL is ${proxyOrigin}. Run \`clawdentity config set proxyUrl ${issuerOrigin}\` and retry \`${command}\`.`
+  );
+}
 function parseAitAgentDid(ait) {
   const parts = ait.split(".");
   if (parts.length < 2) {
@@ -24846,6 +24881,12 @@ function mapConfirmPairError(status, payload) {
   if (code === "PROXY_PAIR_TICKET_EXPIRED" || status === 410) {
     return "Pairing ticket has expired";
   }
+  if (code === "PROXY_PAIR_TICKET_INVALID_ISSUER") {
+    return message2 ? `Pair confirm failed: ticket issuer does not match this proxy (${message2}). Use the same proxy URL where the ticket was issued.` : "Pair confirm failed: ticket issuer does not match this proxy. Use the same proxy URL where the ticket was issued.";
+  }
+  if (code === "PROXY_PAIR_TICKET_INVALID_FORMAT" || code === "PROXY_PAIR_TICKET_UNSUPPORTED_VERSION") {
+    return message2 ? `Pair confirm request is invalid (400): ${message2}. Re-copy the full ticket/QR without truncation.` : "Pair confirm request is invalid (400): pairing ticket is malformed. Re-copy the full ticket/QR without truncation.";
+  }
   if (status === 400) {
     return message2 ? `Pair confirm request is invalid (400): ${message2}` : "Pair confirm request is invalid (400).";
   }
@@ -24869,6 +24910,12 @@ function mapStatusPairError(status, payload) {
   if (code === "PROXY_PAIR_STATUS_FORBIDDEN" || status === 403) {
     return message2 ? `Pair status request is forbidden (403): ${message2}` : "Pair status request is forbidden (403).";
   }
+  if (code === "PROXY_PAIR_TICKET_INVALID_ISSUER") {
+    return message2 ? `Pair status failed: ticket issuer does not match this proxy (${message2}). Use the same proxy URL where the ticket was issued.` : "Pair status failed: ticket issuer does not match this proxy. Use the same proxy URL where the ticket was issued.";
+  }
+  if (code === "PROXY_PAIR_TICKET_INVALID_FORMAT" || code === "PROXY_PAIR_TICKET_UNSUPPORTED_VERSION") {
+    return message2 ? `Pair status request is invalid (400): ${message2}. Re-copy the full ticket/QR without truncation.` : "Pair status request is invalid (400): pairing ticket is malformed. Re-copy the full ticket/QR without truncation.";
+  }
   if (status === 400) {
     return message2 ? `Pair status request is invalid (400): ${message2}` : "Pair status request is invalid (400).";
   }
@@ -25347,6 +25394,12 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     }
     ticket = parsePairingTicket(qrDecodeImpl(new Uint8Array(imageBytes)));
   }
+  ticket = parsePairingTicket(ticket);
+  assertTicketIssuerMatchesProxy({
+    ticket,
+    proxyUrl,
+    context: "confirm"
+  });
   const { ait, secretKey } = await readAgentProofMaterial(
     normalizedAgentName,
     dependencies
@@ -25424,6 +25477,11 @@ async function getPairingStatusOnce(agentName, options, dependencies = {}) {
     fetchImpl
   });
   const ticket = parsePairingTicket(options.ticket);
+  assertTicketIssuerMatchesProxy({
+    ticket,
+    proxyUrl,
+    context: "status"
+  });
   const { ait, secretKey } = await readAgentProofMaterial(
     agentName,
     dependencies

package/dist/index.js

@@ -24389,16 +24389,20 @@ function parsePeerProfile(payload) {
   };
 }
 function parsePairingTicket(value) {
-  const ticket = parseNonEmptyString9(value);
+  let ticket = parseNonEmptyString9(value);
+  while (ticket.startsWith("`")) {
+    ticket = ticket.slice(1);
+  }
+  while (ticket.endsWith("`")) {
+    ticket = ticket.slice(0, -1);
+  }
+  ticket = ticket.trim().replace(/\s+/gu, "");
   if (!ticket.startsWith(PAIRING_TICKET_PREFIX)) {
     throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
-  return ticket;
-}
-function parsePairingTicketIssuerOrigin(ticket) {
   const encodedPayload = ticket.slice(PAIRING_TICKET_PREFIX.length);
   if (encodedPayload.length === 0) {
     throw createCliError7(
@@ -24406,15 +24410,26 @@ function parsePairingTicketIssuerOrigin(ticket) {
       "Pairing ticket is invalid"
     );
   }
-  let payloadRaw;
   try {
-    payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
+    const payloadRaw = new TextDecoder().decode(
+      decodeBase64url(encodedPayload)
+    );
+    const payload = JSON.parse(payloadRaw);
+    if (!isRecord10(payload)) {
+      throw new Error("invalid payload");
+    }
   } catch {
     throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
+  return ticket;
+}
+function parsePairingTicketIssuerOrigin(ticket) {
+  const normalizedTicket = parsePairingTicket(ticket);
+  const encodedPayload = normalizedTicket.slice(PAIRING_TICKET_PREFIX.length);
+  const payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
   let payload;
   try {
     payload = JSON.parse(payloadRaw);
@@ -24447,6 +24462,26 @@ function parsePairingTicketIssuerOrigin(ticket) {
   }
   return issuerUrl.origin;
 }
+function assertTicketIssuerMatchesProxy(input) {
+  const issuerOrigin = parsePairingTicketIssuerOrigin(input.ticket);
+  let proxyOrigin;
+  try {
+    proxyOrigin = new URL(input.proxyUrl).origin;
+  } catch {
+    throw createCliError7(
+      "CLI_PAIR_PROXY_URL_INVALID",
+      "Configured proxyUrl is invalid. Run `clawdentity config set proxyUrl <url>` and retry."
+    );
+  }
+  if (issuerOrigin === proxyOrigin) {
+    return;
+  }
+  const command = input.context === "confirm" ? "pair confirm" : "pair status";
+  throw createCliError7(
+    "CLI_PAIR_TICKET_ISSUER_MISMATCH",
+    `Pairing ticket was issued by ${issuerOrigin}, but current proxy URL is ${proxyOrigin}. Run \`clawdentity config set proxyUrl ${issuerOrigin}\` and retry \`${command}\`.`
+  );
+}
 function parseAitAgentDid(ait) {
   const parts = ait.split(".");
   if (parts.length < 2) {
@@ -24846,6 +24881,12 @@ function mapConfirmPairError(status, payload) {
   if (code === "PROXY_PAIR_TICKET_EXPIRED" || status === 410) {
     return "Pairing ticket has expired";
   }
+  if (code === "PROXY_PAIR_TICKET_INVALID_ISSUER") {
+    return message2 ? `Pair confirm failed: ticket issuer does not match this proxy (${message2}). Use the same proxy URL where the ticket was issued.` : "Pair confirm failed: ticket issuer does not match this proxy. Use the same proxy URL where the ticket was issued.";
+  }
+  if (code === "PROXY_PAIR_TICKET_INVALID_FORMAT" || code === "PROXY_PAIR_TICKET_UNSUPPORTED_VERSION") {
+    return message2 ? `Pair confirm request is invalid (400): ${message2}. Re-copy the full ticket/QR without truncation.` : "Pair confirm request is invalid (400): pairing ticket is malformed. Re-copy the full ticket/QR without truncation.";
+  }
   if (status === 400) {
     return message2 ? `Pair confirm request is invalid (400): ${message2}` : "Pair confirm request is invalid (400).";
   }
@@ -24869,6 +24910,12 @@ function mapStatusPairError(status, payload) {
   if (code === "PROXY_PAIR_STATUS_FORBIDDEN" || status === 403) {
     return message2 ? `Pair status request is forbidden (403): ${message2}` : "Pair status request is forbidden (403).";
   }
+  if (code === "PROXY_PAIR_TICKET_INVALID_ISSUER") {
+    return message2 ? `Pair status failed: ticket issuer does not match this proxy (${message2}). Use the same proxy URL where the ticket was issued.` : "Pair status failed: ticket issuer does not match this proxy. Use the same proxy URL where the ticket was issued.";
+  }
+  if (code === "PROXY_PAIR_TICKET_INVALID_FORMAT" || code === "PROXY_PAIR_TICKET_UNSUPPORTED_VERSION") {
+    return message2 ? `Pair status request is invalid (400): ${message2}. Re-copy the full ticket/QR without truncation.` : "Pair status request is invalid (400): pairing ticket is malformed. Re-copy the full ticket/QR without truncation.";
+  }
   if (status === 400) {
     return message2 ? `Pair status request is invalid (400): ${message2}` : "Pair status request is invalid (400).";
   }
@@ -25347,6 +25394,12 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     }
     ticket = parsePairingTicket(qrDecodeImpl(new Uint8Array(imageBytes)));
   }
+  ticket = parsePairingTicket(ticket);
+  assertTicketIssuerMatchesProxy({
+    ticket,
+    proxyUrl,
+    context: "confirm"
+  });
   const { ait, secretKey } = await readAgentProofMaterial(
     normalizedAgentName,
     dependencies
@@ -25424,6 +25477,11 @@ async function getPairingStatusOnce(agentName, options, dependencies = {}) {
     fetchImpl
   });
   const ticket = parsePairingTicket(options.ticket);
+  assertTicketIssuerMatchesProxy({
+    ticket,
+    proxyUrl,
+    context: "status"
+  });
   const { ait, secretKey } = await readAgentProofMaterial(
     agentName,
     dependencies

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawdentity",
-  "version": "0.0.22",
+  "version": "0.0.23",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -32,8 +32,8 @@
     "@types/node": "^22.18.11",
     "@types/pngjs": "^6.0.5",
     "@types/qrcode": "^1.5.6",
-    "@clawdentity/connector": "0.0.0",
     "@clawdentity/protocol": "0.0.0",
+    "@clawdentity/connector": "0.0.0",
     "@clawdentity/sdk": "0.0.0"
   },
   "scripts": {