npm - clawmux - Versions diffs - 0.2.2 → 0.2.3 - Mend

clawmux 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.cjs CHANGED Viewed

@@ -317,7 +317,7 @@ function getLogDir() {
 }
 // src/cli.ts
-var VERSION2 = process.env.npm_package_version ?? "0.2.2";
+var VERSION2 = process.env.npm_package_version ?? "0.2.3";
 var SERVICE_NAME = "clawmux";
 var HELP = `Usage: clawmux <command>

package/dist/index.cjs CHANGED Viewed

@@ -1892,6 +1892,98 @@ class OllamaAdapter {
 var ollamaAdapter = new OllamaAdapter;
 registerAdapter(ollamaAdapter);
+// src/utils/aws-sigv4.ts
+var import_node_crypto = require("node:crypto");
+var SERVICE = "bedrock";
+function sha256(data) {
+  return import_node_crypto.createHash("sha256").update(data).digest("hex");
+}
+function hmacSha256(key, data) {
+  return import_node_crypto.createHmac("sha256", key).update(data).digest();
+}
+function hmacSha256Hex(key, data) {
+  return import_node_crypto.createHmac("sha256", key).update(data).digest("hex");
+}
+function awsUriEncode(str) {
+  return encodeURIComponent(str).replace(/!/g, "%21").replace(/'/g, "%27").replace(/\(/g, "%28").replace(/\)/g, "%29").replace(/\*/g, "%2A");
+}
+function buildCanonicalUri(pathname) {
+  if (pathname === "" || pathname === "/")
+    return "/";
+  const segments = pathname.split("/");
+  return segments.map((segment) => segment === "" ? "" : awsUriEncode(awsUriEncode(segment))).join("/");
+}
+function formatDateStamp(date) {
+  return date.toISOString().slice(0, 10).replace(/-/g, "");
+}
+function formatAmzDate(date) {
+  return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
+}
+function deriveSigningKey(secretKey, dateStamp, region, service) {
+  const kDate = hmacSha256(`AWS4${secretKey}`, dateStamp);
+  const kRegion = hmacSha256(kDate, region);
+  const kService = hmacSha256(kRegion, service);
+  return hmacSha256(kService, "aws4_request");
+}
+function signRequest(request, credentials, now) {
+  const date = now ?? new Date;
+  const dateStamp = formatDateStamp(date);
+  const amzDate = formatAmzDate(date);
+  const url = new URL(request.url);
+  const canonicalUri = buildCanonicalUri(url.pathname);
+  const sortedParams = [...url.searchParams.entries()].sort((a, b) => a[0].localeCompare(b[0]));
+  const canonicalQueryString = sortedParams.map(([k, v]) => `${awsUriEncode(k)}=${awsUriEncode(v)}`).join("&");
+  const payloadHash = sha256(request.body);
+  const headersToSign = {};
+  for (const [k, v] of Object.entries(request.headers)) {
+    headersToSign[k.toLowerCase()] = v.trim();
+  }
+  headersToSign["host"] = url.host;
+  headersToSign["x-amz-date"] = amzDate;
+  headersToSign["x-amz-content-sha256"] = payloadHash;
+  if (credentials.sessionToken) {
+    headersToSign["x-amz-security-token"] = credentials.sessionToken;
+  }
+  const sortedHeaderKeys = Object.keys(headersToSign).sort();
+  const canonicalHeaders = sortedHeaderKeys.map((k) => `${k}:${headersToSign[k]}`).join(`
+`) + `
+`;
+  const signedHeaders = sortedHeaderKeys.join(";");
+  const canonicalRequest = [
+    request.method,
+    canonicalUri,
+    canonicalQueryString,
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash
+  ].join(`
+`);
+  const credentialScope = `${dateStamp}/${credentials.region}/${SERVICE}/aws4_request`;
+  const stringToSign = [
+    "AWS4-HMAC-SHA256",
+    amzDate,
+    credentialScope,
+    sha256(canonicalRequest)
+  ].join(`
+`);
+  const signingKey = deriveSigningKey(credentials.secretAccessKey, dateStamp, credentials.region, SERVICE);
+  const signature = hmacSha256Hex(signingKey, stringToSign);
+  const authorization = `AWS4-HMAC-SHA256 Credential=${credentials.accessKeyId}/${credentialScope}, ` + `SignedHeaders=${signedHeaders}, Signature=${signature}`;
+  const result = {
+    Authorization: authorization,
+    "x-amz-date": amzDate,
+    "x-amz-content-sha256": payloadHash
+  };
+  if (credentials.sessionToken) {
+    result["x-amz-security-token"] = credentials.sessionToken;
+  }
+  return result;
+}
+function extractRegionFromUrl(url) {
+  const match = url.match(/\.([a-z0-9-]+)\.amazonaws\.com/);
+  return match?.[1];
+}
 // src/adapters/bedrock.ts
 function bedrockMessagesToStandard(messages) {
   return messages.map((m) => {
@@ -1988,18 +2080,23 @@ class BedrockAdapter {
         maxTokens: parsed.maxTokens
       };
     }
+    const url = `${baseUrl}/model/${targetModel}/converse-stream`;
+    const body = JSON.stringify(requestBody);
     const headers = {
       "Content-Type": "application/json"
     };
-    if (auth.apiKey) {
+    if (auth.awsAccessKeyId && auth.awsSecretKey && auth.awsRegion) {
+      const sigv4Headers = signRequest({ method: "POST", url, headers, body }, {
+        accessKeyId: auth.awsAccessKeyId,
+        secretAccessKey: auth.awsSecretKey,
+        sessionToken: auth.awsSessionToken,
+        region: auth.awsRegion
+      });
+      Object.assign(headers, sigv4Headers);
+    } else if (auth.apiKey) {
       headers[auth.headerName || "Authorization"] = auth.headerValue || auth.apiKey;
     }
-    return {
-      url: `${baseUrl}/model/${targetModel}/converse-stream`,
-      method: "POST",
-      headers,
-      body: JSON.stringify(requestBody)
-    };
+    return { url, method: "POST", headers, body };
   }
   modifyMessages(rawBody, compressedMessages) {
     return {
@@ -2726,10 +2823,17 @@ function formatAuth(apiKey, providerConfig) {
     return { apiKey, headerName: "x-goog-api-key", headerValue: apiKey };
   }
   if (api === "bedrock-converse-stream") {
+    const secretKey = process.env.AWS_SECRET_ACCESS_KEY ?? "";
+    const sessionToken = process.env.AWS_SESSION_TOKEN;
+    const region = process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION ?? extractRegionFromUrl(providerConfig?.baseUrl ?? "") ?? "us-east-1";
     return {
       apiKey,
       headerName: "Authorization",
-      headerValue: "AWS4-HMAC-SHA256 Credential=placeholder"
+      headerValue: "",
+      awsAccessKeyId: apiKey,
+      awsSecretKey: secretKey,
+      awsSessionToken: sessionToken,
+      awsRegion: region
     };
   }
   return { apiKey, headerName: "Authorization", headerValue: `Bearer ${apiKey}` };
@@ -3365,7 +3469,11 @@ async function handleApiRequest(req, body, apiType, config, openclawConfig, auth
   const authInfo = {
     apiKey: auth.apiKey,
     headerName: auth.headerName,
-    headerValue: auth.headerValue
+    headerValue: auth.headerValue,
+    awsAccessKeyId: auth.awsAccessKeyId,
+    awsSecretKey: auth.awsSecretKey,
+    awsSessionToken: auth.awsSessionToken,
+    awsRegion: auth.awsRegion
   };
   const actualModelId = decision.model.split("/").slice(1).join("/");
   const isCrossProvider = targetApiType !== "" && targetApiType !== apiType;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clawmux",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Smart model routing + context compression proxy for OpenClaw",
   "type": "module",
   "bin": {