clawdentity 0.0.4 → 0.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawdentity",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -21,6 +21,17 @@
     "postinstall.mjs",
     "skill-bundle"
   ],
+  "scripts": {
+    "build": "pnpm -F @clawdentity/openclaw-skill build && pnpm run sync:skill-bundle && pnpm run verify:skill-bundle && tsup",
+    "format": "biome format .",
+    "lint": "biome lint .",
+    "prepack": "pnpm run build",
+    "postinstall": "node ./postinstall.mjs",
+    "sync:skill-bundle": "node ./scripts/sync-skill-bundle.mjs",
+    "verify:skill-bundle": "node ./scripts/verify-skill-bundle.mjs",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
   "dependencies": {
     "commander": "^13.1.0",
     "jsqr": "^1.4.0",
@@ -29,21 +40,11 @@
     "ws": "^8.19.0"
   },
   "devDependencies": {
+    "@clawdentity/connector": "workspace:*",
+    "@clawdentity/protocol": "workspace:*",
+    "@clawdentity/sdk": "workspace:*",
     "@types/node": "^22.18.11",
     "@types/pngjs": "^6.0.5",
-    "@types/qrcode": "^1.5.6",
-    "@clawdentity/connector": "0.0.0",
-    "@clawdentity/protocol": "0.0.0",
-    "@clawdentity/sdk": "0.0.0"
-  },
-  "scripts": {
-    "build": "pnpm -F @clawdentity/openclaw-skill build && pnpm run sync:skill-bundle && pnpm run verify:skill-bundle && tsup",
-    "format": "biome format .",
-    "lint": "biome lint .",
-    "postinstall": "node ./postinstall.mjs",
-    "sync:skill-bundle": "node ./scripts/sync-skill-bundle.mjs",
-    "verify:skill-bundle": "node ./scripts/verify-skill-bundle.mjs",
-    "test": "vitest run",
-    "typecheck": "tsc --noEmit"
+    "@types/qrcode": "^1.5.6"
   }
-}
+}

package/skill-bundle/openclaw-skill/dist/relay-to-peer.mjs

@@ -1,3 +1,8 @@
+// src/transforms/relay-to-peer.ts
+import { readFile as readFile2 } from "fs/promises";
+import { dirname as dirname2, join as join2 } from "path";
+import { fileURLToPath } from "url";
+
 // src/transforms/peers-config.ts
 import { chmod, mkdir, readFile, writeFile } from "fs/promises";
 import { homedir } from "os";
@@ -131,9 +136,17 @@ async function loadPeersConfig(options = {}) {
 // src/transforms/relay-to-peer.ts
 var DEFAULT_CONNECTOR_BASE_URL = "http://127.0.0.1:19400";
 var DEFAULT_CONNECTOR_OUTBOUND_PATH = "/v1/outbound";
+var RELAY_RUNTIME_FILE_NAME = "clawdentity-relay.json";
+var RELAY_PEERS_FILE_NAME = "clawdentity-peers.json";
 function isRecord2(value) {
   return typeof value === "object" && value !== null;
 }
+function getErrorCode2(error) {
+  if (!isRecord2(error)) {
+    return void 0;
+  }
+  return typeof error.code === "string" ? error.code : void 0;
+}
 function parseRequiredString(value) {
   if (typeof value !== "string") {
     throw new Error("Input value must be a string");
@@ -182,12 +195,114 @@ function normalizeConnectorPath(value) {
   }
   return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
 }
-function resolveConnectorEndpoint(options) {
-  const baseUrlInput = options.connectorBaseUrl ?? process.env.CLAWDENTITY_CONNECTOR_BASE_URL ?? DEFAULT_CONNECTOR_BASE_URL;
-  const pathInput = options.connectorPath ?? process.env.CLAWDENTITY_CONNECTOR_OUTBOUND_PATH ?? DEFAULT_CONNECTOR_OUTBOUND_PATH;
-  const baseUrl = parseConnectorBaseUrl(baseUrlInput.trim());
+function resolveTransformsDir() {
+  return dirname2(fileURLToPath(import.meta.url));
+}
+async function readJson(filePath) {
+  let raw;
+  try {
+    raw = await readFile2(filePath, "utf8");
+  } catch (error) {
+    if (getErrorCode2(error) === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new Error(`Relay runtime config at ${filePath} is not valid JSON`);
+  }
+}
+function parseRelayRuntimeConfig(value) {
+  if (!isRecord2(value)) {
+    throw new Error("Relay runtime config must be an object");
+  }
+  const connectorBaseUrl = typeof value.connectorBaseUrl === "string" && value.connectorBaseUrl.trim().length > 0 ? parseConnectorBaseUrl(value.connectorBaseUrl.trim()) : void 0;
+  const connectorPath = typeof value.connectorPath === "string" && value.connectorPath.trim().length > 0 ? normalizeConnectorPath(value.connectorPath) : void 0;
+  const peersConfigPath = typeof value.peersConfigPath === "string" && value.peersConfigPath.trim().length > 0 ? value.peersConfigPath.trim() : void 0;
+  const connectorBaseUrls = Array.isArray(value.connectorBaseUrls) ? value.connectorBaseUrls.filter((item) => typeof item === "string").map((item) => item.trim()).filter((item) => item.length > 0).map(parseConnectorBaseUrl) : void 0;
+  return {
+    connectorBaseUrl,
+    connectorBaseUrls,
+    connectorPath,
+    peersConfigPath
+  };
+}
+async function loadRelayRuntimeConfig() {
+  const runtimePath = join2(resolveTransformsDir(), RELAY_RUNTIME_FILE_NAME);
+  const parsed = await readJson(runtimePath);
+  if (parsed === void 0) {
+    return {};
+  }
+  return parseRelayRuntimeConfig(parsed);
+}
+function parseGatewayHexToIpv4(value) {
+  if (!/^[0-9A-Fa-f]{8}$/.test(value)) {
+    return void 0;
+  }
+  const octets = [0, 2, 4, 6].map(
+    (index) => Number.parseInt(value.slice(index, index + 2), 16)
+  );
+  return `${octets[3]}.${octets[2]}.${octets[1]}.${octets[0]}`;
+}
+async function resolveLinuxDockerGatewayHost() {
+  let raw;
+  try {
+    raw = await readFile2("/proc/net/route", "utf8");
+  } catch {
+    return void 0;
+  }
+  const lines = raw.split("\n");
+  for (const line of lines.slice(1)) {
+    const parts = line.trim().split(/\s+/);
+    if (parts.length < 4) {
+      continue;
+    }
+    const destination = parts[1];
+    const gateway = parts[2];
+    const flags = Number.parseInt(parts[3], 16);
+    if (destination === "00000000" && Number.isFinite(flags) && (flags & 2) === 2) {
+      return parseGatewayHexToIpv4(gateway);
+    }
+  }
+  return void 0;
+}
+async function resolveConnectorEndpoints(options) {
+  const runtimeConfig = await loadRelayRuntimeConfig();
+  const pathInput = options.connectorPath ?? runtimeConfig.connectorPath ?? process.env.CLAWDENTITY_CONNECTOR_OUTBOUND_PATH ?? DEFAULT_CONNECTOR_OUTBOUND_PATH;
   const path = normalizeConnectorPath(pathInput.trim());
-  return new URL(path, baseUrl).toString();
+  const candidates = [];
+  if (options.connectorBaseUrl) {
+    candidates.push(parseConnectorBaseUrl(options.connectorBaseUrl.trim()));
+  }
+  if (runtimeConfig.connectorBaseUrls) {
+    candidates.push(...runtimeConfig.connectorBaseUrls);
+  }
+  if (runtimeConfig.connectorBaseUrl) {
+    candidates.push(runtimeConfig.connectorBaseUrl);
+  }
+  if (typeof process.env.CLAWDENTITY_CONNECTOR_BASE_URL === "string" && process.env.CLAWDENTITY_CONNECTOR_BASE_URL.trim().length > 0) {
+    candidates.push(
+      parseConnectorBaseUrl(process.env.CLAWDENTITY_CONNECTOR_BASE_URL.trim())
+    );
+  }
+  candidates.push(DEFAULT_CONNECTOR_BASE_URL);
+  const linuxGatewayHost = await resolveLinuxDockerGatewayHost();
+  if (linuxGatewayHost) {
+    for (const candidate of [...candidates]) {
+      try {
+        const parsed = new URL(candidate);
+        if (parsed.hostname === "host.docker.internal" || parsed.hostname === "gateway.docker.internal" || parsed.hostname === "172.17.0.1") {
+          parsed.hostname = linuxGatewayHost;
+          candidates.push(parsed.toString());
+        }
+      } catch {
+      }
+    }
+  }
+  const deduped = Array.from(new Set(candidates.map((candidate) => candidate)));
+  return deduped.map((baseUrl) => new URL(path, baseUrl).toString());
 }
 function mapConnectorFailure(status) {
   if (status === 404) {
@@ -218,6 +333,26 @@ async function postToConnector(endpoint, payload, fetchImpl) {
     throw mapConnectorFailure(response.status);
   }
 }
+function shouldTryNextConnectorEndpoint(error) {
+  if (!(error instanceof Error)) {
+    return false;
+  }
+  return error.message === "Local connector outbound relay request failed" || error.message === "Local connector outbound endpoint is unavailable";
+}
+async function resolvePeersConfigPathOptions(options) {
+  if (options.configPath !== void 0 || options.configDir !== void 0 || options.homeDir !== void 0) {
+    return options;
+  }
+  const runtimeConfig = await loadRelayRuntimeConfig();
+  if (runtimeConfig.peersConfigPath) {
+    return {
+      configPath: join2(resolveTransformsDir(), runtimeConfig.peersConfigPath)
+    };
+  }
+  return {
+    configPath: join2(resolveTransformsDir(), RELAY_PEERS_FILE_NAME)
+  };
+}
 async function relayPayloadToPeer(payload, options = {}) {
   if (!isRecord2(payload)) {
     return payload;
@@ -227,25 +362,37 @@ async function relayPayloadToPeer(payload, options = {}) {
     return payload;
   }
   const peerAlias = parseRequiredString(peerAliasValue);
-  const peersConfig = await loadPeersConfig(options);
+  const peersConfigPathOptions = await resolvePeersConfigPathOptions(options);
+  const peersConfig = await loadPeersConfig(peersConfigPathOptions);
   const peerEntry = peersConfig.peers[peerAlias];
   if (!peerEntry) {
     throw new Error("Peer alias is not configured");
   }
-  const connectorEndpoint = resolveConnectorEndpoint(options);
+  const connectorEndpoints = await resolveConnectorEndpoints(options);
   const fetchImpl = resolveRelayFetch(options.fetchImpl);
   const outboundPayload = removePeerField(payload);
-  await postToConnector(
-    connectorEndpoint,
-    {
-      peer: peerAlias,
-      peerDid: peerEntry.did,
-      peerProxyUrl: peerEntry.proxyUrl,
-      payload: outboundPayload
-    },
-    fetchImpl
-  );
-  return null;
+  const relayPayload = {
+    peer: peerAlias,
+    peerDid: peerEntry.did,
+    peerProxyUrl: peerEntry.proxyUrl,
+    payload: outboundPayload
+  };
+  let lastError;
+  for (const endpoint of connectorEndpoints) {
+    try {
+      await postToConnector(endpoint, relayPayload, fetchImpl);
+      return null;
+    } catch (error) {
+      lastError = error;
+      if (!shouldTryNextConnectorEndpoint(error)) {
+        throw error;
+      }
+    }
+  }
+  if (lastError instanceof Error) {
+    throw lastError;
+  }
+  throw new Error("Local connector outbound relay request failed");
 }
 async function relayToPeer(ctx) {
   return relayPayloadToPeer(ctx?.payload);

package/skill-bundle/openclaw-skill/skill/SKILL.md

@@ -19,9 +19,14 @@ Use this skill when any of the following are requested:
 ## Filesystem Truth (must be used exactly)
 
 ### OpenClaw state files
-- OpenClaw state root (default): `~/.openclaw`
-- OpenClaw config: `~/.openclaw/openclaw.json`
+- OpenClaw state root (default): `~/.openclaw` (legacy fallback dirs may exist: `~/.clawdbot`, `~/.moldbot`, `~/.moltbot`)
+- OpenClaw config: `<resolved-openclaw-state>/openclaw.json` (legacy names may exist: `clawdbot.json`, `moldbot.json`, `moltbot.json`)
+- OpenClaw config env overrides: `OPENCLAW_CONFIG_PATH`, legacy `CLAWDBOT_CONFIG_PATH`
+- OpenClaw state env overrides: `OPENCLAW_STATE_DIR`, legacy `CLAWDBOT_STATE_DIR`
+- OpenClaw home override (used when config/state overrides are unset): `OPENCLAW_HOME`
 - Transform target path: `~/.openclaw/hooks/transforms/relay-to-peer.mjs`
+- Transform runtime snapshot: `~/.openclaw/hooks/transforms/clawdentity-relay.json`
+- Transform peers snapshot: `~/.openclaw/hooks/transforms/clawdentity-peers.json`
 - Workspace skill location: `~/.openclaw/workspace/skills/clawdentity-openclaw-relay/SKILL.md`
 - Default transform source expected by CLI setup:
   `~/.openclaw/workspace/skills/clawdentity-openclaw-relay/relay-to-peer.mjs`
@@ -35,6 +40,7 @@ Use this skill when any of the following are requested:
 - Peer map: `~/.clawdentity/peers.json`
 - Local selected agent marker: `~/.clawdentity/openclaw-agent-name`
 - Relay runtime config: `~/.clawdentity/openclaw-relay.json`
+- Connector assignment map: `~/.clawdentity/openclaw-connectors.json`
 
 ## Invite Input Assumption
 
@@ -133,11 +139,10 @@ Successful confirm establishes mutual trust for the two agent DIDs. After confir
 - Use `--openclaw-dir <path>` when state directory is non-default.
 - Use `--openclaw-base-url <url>` when local OpenClaw HTTP endpoint is non-default.
 - Use `--peer-alias <alias>` only when alias override is required.
-- Optional relay echo tuning:
-  - `--echo-enabled <true|false>`
-  - `--echo-channel <channel>`
-  - `--echo-to <target>`
-  - `--echo-max-length <number>`
+- Setup now provisions OpenClaw hook auth automatically:
+  - ensures `hooks.enabled=true`
+  - preserves existing `hooks.token` or generates one when missing
+  - mirrors token into `~/.clawdentity/openclaw-relay.json` as `openclawHookToken`
 
 7. Verify setup outputs.
 - Confirm setup reports:
@@ -146,12 +151,13 @@ Successful confirm establishes mutual trust for the two agent DIDs. After confir
   - updated OpenClaw config path
   - installed transform path
   - OpenClaw base URL
-  - relay echo config (enabled/channel/target/max length)
   - relay runtime config path
 - Confirm `~/.clawdentity/openclaw-agent-name` is set to the local agent name.
 
 8. Start connector runtime for local relay handoff.
 - Run `clawdentity connector start <agent-name>`.
+- Connector startup auto-loads `openclawHookToken` from `~/.clawdentity/openclaw-relay.json` when `--openclaw-hook-token` is not provided.
+- Connector startup auto-resolves outbound bind URL from `~/.clawdentity/openclaw-connectors.json` when `CLAWDENTITY_CONNECTOR_BASE_URL` is not set.
 - Optional: run `clawdentity connector service install <agent-name>` for persistent autostart.
 
 9. Complete trust pairing bootstrap.
@@ -186,6 +192,7 @@ If setup or relay fails:
 - Report precise missing file/path/value.
 - Fix only the failing config/input.
 - Ensure connector runtime is active (`clawdentity connector start <agent-name>`).
+- If relay failures show `405 Method Not Allowed`, rerun setup and restart OpenClaw so hook config is reloaded.
 - Re-run `clawdentity openclaw doctor`.
 - Re-run `clawdentity openclaw relay test --peer <alias>`.
 - Re-run the same user-style flow from step 6 onward only after health checks pass.

package/skill-bundle/openclaw-skill/skill/references/clawdentity-protocol.md

@@ -7,9 +7,15 @@ Define the exact runtime contract used by `relay-to-peer.mjs`.
 ## Filesystem Paths
 
 ### OpenClaw files
-- `~/.openclaw/openclaw.json`
-- `~/.openclaw/hooks/transforms/relay-to-peer.mjs`
-- `~/.openclaw/workspace/skills/clawdentity-openclaw-relay/SKILL.md`
+- `<resolved-openclaw-state>/openclaw.json` (legacy filenames may exist: `clawdbot.json`, `moldbot.json`, `moltbot.json`)
+- `<resolved-openclaw-state>/hooks/transforms/relay-to-peer.mjs`
+- `<resolved-openclaw-state>/hooks/transforms/clawdentity-relay.json`
+- `<resolved-openclaw-state>/hooks/transforms/clawdentity-peers.json`
+- `<resolved-openclaw-state>/workspace/skills/clawdentity-openclaw-relay/SKILL.md`
+- env overrides:
+  - `OPENCLAW_CONFIG_PATH`, `CLAWDBOT_CONFIG_PATH`
+  - `OPENCLAW_STATE_DIR`, `CLAWDBOT_STATE_DIR`
+  - `OPENCLAW_HOME` (used when explicit config/state overrides are unset)
 
 ### Clawdentity files
 - `~/.clawdentity/config.json`
@@ -18,6 +24,7 @@ Define the exact runtime contract used by `relay-to-peer.mjs`.
 - `~/.clawdentity/peers.json`
 - `~/.clawdentity/openclaw-agent-name`
 - `~/.clawdentity/openclaw-relay.json`
+- `~/.clawdentity/openclaw-connectors.json`
 
 ## Invite Code Contract
 
@@ -124,36 +131,31 @@ Relay resolves local agent name in this order:
 
 ## Local OpenClaw Base URL Contract
 
-`~/.clawdentity/openclaw-relay.json` stores OpenClaw runtime defaults for relay components:
+`~/.clawdentity/openclaw-relay.json` stores the OpenClaw upstream base URL used by local proxy runtime fallback:
 
 ```json
 {
   "openclawBaseUrl": "http://127.0.0.1:18789",
-  "echo": {
-    "enabled": true,
-    "channel": "last",
-    "maxLength": 500
-  },
+  "openclawHookToken": "<auto-provisioned-token>",
   "updatedAt": "2026-02-15T20:00:00.000Z"
 }
 ```
 
 Rules:
 - `openclawBaseUrl` must be absolute `http` or `https`.
-- `echo.enabled` defaults to `true`.
-- `echo.channel` defaults to `last`.
-- `echo.to` is optional; when omitted OpenClaw uses last-route delivery target.
-- `echo.maxLength` must be an integer from `50` to `2000` (default `500`).
+- `openclawHookToken` is optional in schema but should be present after `clawdentity openclaw setup`; connector runtime uses it for `/hooks/*` auth when no explicit hook token option/env is provided.
 - `updatedAt` is ISO-8601 UTC timestamp.
-- OpenClaw base URL precedence for local runtimes is: `OPENCLAW_BASE_URL` env first, then `openclaw-relay.json`, then built-in default.
+- Proxy runtime precedence is: `OPENCLAW_BASE_URL` env first, then `openclaw-relay.json`, then built-in default.
 
 ## Connector Handoff Contract
 
 The transform does not send directly to the peer proxy. It posts to the local connector runtime:
-- Default endpoint: `http://127.0.0.1:19400/v1/outbound`
-- Optional overrides:
+- Endpoint candidates are loaded from OpenClaw-local `hooks/transforms/clawdentity-relay.json` (generated by `openclaw setup`) and attempted in order.
+- Default fallback endpoint remains `http://127.0.0.1:19400/v1/outbound`.
+- Runtime may also use:
   - `CLAWDENTITY_CONNECTOR_BASE_URL`
   - `CLAWDENTITY_CONNECTOR_OUTBOUND_PATH`
+- `connector start <agentName>` resolves bind URL from `~/.clawdentity/openclaw-connectors.json` when explicit env override is absent.
 
 Outbound JSON body sent by transform: