coze_lab 0.1.43 → 0.1.44

package/README.md

@@ -69,6 +69,9 @@ created after a new Codex turn, Codex did not load or execute the hook.
 ## Token lifecycle
 
 OAuth tokens are stored in `~/.cozeloop/credentials.json` (mode 600).
+For local `--agent-id=<agentId>` setup, if
+`~/.coze/agents/<agentId>/config.json` contains `patToken`, onboarding uses that
+PAT directly and skips the OAuth device-code flow.
 
 In cloud mode, trace verification and hook uploads prefer
 `COZELOOP_API_TOKEN` and fall back to `COZE_API_TOKEN`. The selfcheck result is
@@ -77,7 +80,8 @@ writes the hook configuration but reports `verify=fail` with `token_source`.
 For Python SDK uploads, `OTEL_ENDPOINT` is not used as the SDK base URL; set
 `COZELOOP_API_BASE_URL` only when the SDK ingest endpoint should be overridden.
 
-**At hook execution time** (Claude Code / Codex), the Python hook script automatically:
+**At hook execution time** (Claude Code / Codex), per-agent PAT setups use the
+token written by onboarding. Otherwise, the Python hook script automatically:
 1. Reads `~/.cozeloop/credentials.json`
 2. If the token expires in < 10 minutes, calls the Coze refresh API
 3. Updates `credentials.json` with the new token

package/index.js

@@ -9,6 +9,7 @@ const CREDS_PATH  = require('path').join(require('os').homedir(), '.cozeloop', '
 const PACKAGE_VERSION = require('./package.json').version;
 // Refresh when less than 10 minutes remain
 const REFRESH_THRESHOLD_MS = 10 * 60 * 1000;
+const TOKEN_SOURCE_AGENT_PAT = 'agent_config.patToken';
 
 // ─── 1. Cloud structured output ──────────────────────────────────────────────
 // 云端模式：在 stdout 输出一行机器可读结果 COZE_LAB_RESULT={...}，
@@ -176,6 +177,10 @@ function hasCloudModelInfo(cfg) {
   return !!(cfg?.modelInfo && typeof cfg.modelInfo === 'object' && !Array.isArray(cfg.modelInfo));
 }
 
+function getAgentPatToken(cfg) {
+  return typeof cfg?.patToken === 'string' ? cfg.patToken.trim() : '';
+}
+
 function inferDeployTypeFromAgentConfig(cfg) {
   if (cfg?.deployType === 'cloud') return { deployType: 'cloud', reason: 'config.deployType=cloud' };
   if (isCloudRuntimeEnv()) return { deployType: 'cloud', reason: 'env CLOUD_ENV=1' };
@@ -216,7 +221,7 @@ function resolveAgent(agentId, soft) {
     ]);
   }
   const inferred = inferDeployTypeFromAgentConfig(cfg);
-  return { framework, workspace: cfg.workspace || '', deployType: inferred.deployType, deployReason: inferred.reason, agentId, root };
+  return { framework, workspace: cfg.workspace || '', deployType: inferred.deployType, deployReason: inferred.reason, agentId, root, patToken: getAgentPatToken(cfg) };
 }
 
 function validateArgs(args) {
@@ -239,6 +244,7 @@ function validateArgs(args) {
         agentId: resolved.agentId,
         workspace: resolved.workspace,
         agentRoot: resolved.root,
+        patToken: resolved.patToken,
         deployType: resolved.deployType,
         deployReason: explicitCloud ? '--cloud' : resolved.deployReason,
         'codex-home': args['codex-home'],
@@ -527,7 +533,7 @@ function shellEnvLine(key, value) {
 // writeClaudeCodeHook 配置 Claude Code 的 hook。
 // configBaseDir 缺省 process.cwd()（全局/项目级）；传入 agent 的 workspace 则 per-agent：
 // settings.json + 凭证写进 <configBaseDir>/.claude，仅该 agent（以此为 cwd 启动）生效。
-function writeClaudeCodeHook(patToken, workspaceId, pythonCmd, configBaseDir, cloud) {
+function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud, tokenSource) {
   const hooksDir    = path.join(os.homedir(), '.claude', 'hooks');
   const hookScript  = path.join(hooksDir, 'cozeloop_hook.py');
   const baseDir     = configBaseDir || process.cwd();
@@ -610,9 +616,16 @@ function writeClaudeCodeHook(patToken, workspaceId, pythonCmd, configBaseDir, cl
           existing.env.COZE_API_TOKEN = cozeToken;
           delete existing.env.COZELOOP_API_TOKEN;
         }
+        delete existing.env.COZELOOP_TOKEN_SOURCE;
+      } else if (tokenSource === TOKEN_SOURCE_AGENT_PAT && token) {
+        existing.env.COZELOOP_API_TOKEN = token;
+        existing.env.COZELOOP_TOKEN_SOURCE = TOKEN_SOURCE_AGENT_PAT;
+        delete existing.env.COZE_API_TOKEN;
+        delete existing.env.COZELAB_ONBOARD_CLOUD;
       } else {
         delete existing.env.COZELOOP_API_TOKEN;
         delete existing.env.COZE_API_TOKEN;
+        delete existing.env.COZELOOP_TOKEN_SOURCE;
         delete existing.env.COZELAB_ONBOARD_CLOUD;
       }
       const loopBaseUrl = readEnv('COZELOOP_API_BASE_URL');
@@ -645,9 +658,10 @@ function writeClaudeCodeHook(patToken, workspaceId, pythonCmd, configBaseDir, cl
 
 // writeCodexHook 把 hook 写进指定的 CODEX_HOME。codexHome 缺省 ~/.codex；
 // 传入动态目录（如 coze-bridge 的 /tmp/coze-bridge-codex-home-xxx）即可 per-agent 生效。
-// 本地模式不把短期 token 写入 cozeloop.env；Hook 运行时读取 ~/.cozeloop/credentials.json。
+// 普通本地模式不把短期 token 写入 cozeloop.env；Hook 运行时读取 ~/.cozeloop/credentials.json。
+// 本地 --agent-id 且 config.patToken 存在时写入该 PAT，并用 COZELOOP_TOKEN_SOURCE 标记来源。
 // cloud=true 时写 COZELAB_ONBOARD_CLOUD，并带入 sandbox 注入的 trace token。
-function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud) {
+function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud, tokenSource) {
   const home       = codexHome || path.join(os.homedir(), '.codex');
   const hooksDir   = path.join(home, 'hooks');
   const hookScript = path.join(hooksDir, 'cozeloop_hook.py');
@@ -675,6 +689,9 @@ function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud) {
     } else if (cozeToken) {
       envLines.push(shellEnvLine('COZE_API_TOKEN', cozeToken));
     }
+  } else if (tokenSource === TOKEN_SOURCE_AGENT_PAT && token) {
+    envLines.push(shellEnvLine('COZELOOP_API_TOKEN', token));
+    envLines.push(shellEnvLine('COZELOOP_TOKEN_SOURCE', TOKEN_SOURCE_AGENT_PAT));
   }
   envLines.push(shellEnvLine('CODEX_HOME', home));
   envLines.push(shellEnvLine('COZELOOP_HOOK_LOG', logFile));
@@ -879,7 +896,7 @@ function buildOpenClawSelfcheckTags(pcfg, workspaceId, pair) {
   return tags;
 }
 
-function applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud, logFile) {
+function applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud, logFile, tokenSource) {
   if (!existing.plugins)         existing.plugins = {};
   if (!existing.plugins.allow)   existing.plugins.allow = [];
   if (!existing.plugins.entries) existing.plugins.entries = {};
@@ -906,7 +923,12 @@ function applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud,
   if (logFile) {
     pcfg.logFile = logFile;
   }
-  pcfg.disableLocalCredentials = !!cloud;
+  if (tokenSource === TOKEN_SOURCE_AGENT_PAT) {
+    pcfg.tokenSource = TOKEN_SOURCE_AGENT_PAT;
+  } else {
+    delete pcfg.tokenSource;
+  }
+  pcfg.disableLocalCredentials = !!cloud || tokenSource === TOKEN_SOURCE_AGENT_PAT;
   // 插件代码版本：参与幂等比对，升级插件（bump scripts/openclaw/package.json version）后
   // 强制触发重写+重装+重启，避免云端 pluginDir 滞留旧插件 dist。
   if (OPENCLAW_PLUGIN_VERSION) {
@@ -924,7 +946,7 @@ function applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud,
   return existing;
 }
 
-function isOpenClawAlreadyInjected(configPath, pluginDir, token, workspaceId, agentId, cloud, logFile) {
+function isOpenClawAlreadyInjected(configPath, pluginDir, token, workspaceId, agentId, cloud, logFile, tokenSource) {
   if (!fs.existsSync(pluginDir)) return false;
   let existing;
   try {
@@ -939,11 +961,12 @@ function isOpenClawAlreadyInjected(configPath, pluginDir, token, workspaceId, ag
     agentId,
     cloud,
     logFile,
+    tokenSource,
   );
   return JSON.stringify(existing) === JSON.stringify(desired);
 }
 
-function writeOpenClawHook(token, workspaceId, agentId, cloud, force) {
+function writeOpenClawHook(token, workspaceId, agentId, cloud, force, tokenSource) {
   const home       = resolveHomeDir(cloud);
   const configPath = path.join(home, '.openclaw', 'openclaw.json');
   const pluginDir  = path.join(home, '.cozeloop', 'openclaw-plugin');
@@ -958,7 +981,7 @@ function writeOpenClawHook(token, workspaceId, agentId, cloud, force) {
     ]);
   }
 
-  if (!force && isOpenClawAlreadyInjected(configPath, pluginDir, token, workspaceId, agentId, cloud, logFile)) {
+  if (!force && isOpenClawAlreadyInjected(configPath, pluginDir, token, workspaceId, agentId, cloud, logFile, tokenSource)) {
     ok(`OpenClaw plugin already configured in ${configPath}`);
     info('OpenClaw gateway restart skipped (configuration unchanged).');
     return { configPath, pluginDir, logFile, unchanged: true, gatewayRestarted: false, gatewayRestartSkipped: true };
@@ -1017,7 +1040,7 @@ function writeOpenClawHook(token, workspaceId, agentId, cloud, force) {
 
   // 4. Update openclaw.json with token and workspace
   const config = mergeJson(configPath, (existing) => {
-    return applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud, logFile);
+    return applyOpenClawPluginConfig(existing, token, workspaceId, agentId, cloud, logFile, tokenSource);
   });
 
   try {
@@ -1886,7 +1909,8 @@ async function main() {
   // Step 1: Authorize.
   //   云端模式：token 取自 sandbox 注入的环境变量，跳过 OAuth / credentials.json。
   //     优先使用 COZELOOP_API_TOKEN；兼容使用 COZE_API_TOKEN，并以真实 selfcheck 为准。
-  //   本地：load cached → refresh → device code。
+  //   本地 --agent-id 且 config.patToken 存在：优先使用该 PAT，跳过 OAuth / credentials.json。
+  //   其它本地模式：load cached → refresh → device code。
   //   注意：workspace_id 始终用写死的 WORKSPACE_ID（团队固定上报 workspace），不读环境。
   let token;
   let tokenSource = '';
@@ -1910,8 +1934,14 @@ async function main() {
     }
   } else {
     info('Step 1/5: 检查授权状态...');
-    token = await getValidToken();
-    tokenSource = 'credentials';
+    if (args.agentId && args.patToken) {
+      token = args.patToken;
+      tokenSource = TOKEN_SOURCE_AGENT_PAT;
+      ok(`已从 ~/.coze/agents/${args.agentId}/config.json 读取 patToken，跳过本地授权。`);
+    } else {
+      token = await getValidToken();
+      tokenSource = 'credentials';
+    }
   }
   console.log('');
 
@@ -1945,7 +1975,7 @@ async function main() {
         '否则 hook 配置会落到全局/进程目录，无法做到 per-agent 隔离。',
       ]);
     }
-    written = writeClaudeCodeHook(token, WORKSPACE_ID, pythonCmd, args.agentId ? agentWorkspace : undefined, args.cloud);
+    written = writeClaudeCodeHook(token, WORKSPACE_ID, pythonCmd, args.agentId ? agentWorkspace : undefined, args.cloud, tokenSource);
   } else if (agent === 'codex') {
     const codexHome = resolveCodexHome(args);
     if (args.cloud && args.agentId && codexHome && !fs.existsSync(codexHome)) {
@@ -1953,10 +1983,10 @@ async function main() {
       info(`已创建云端 Codex 配置目录: ${codexHome}`);
     }
     if (codexHome) info(`Codex 配置目录: ${codexHome}`);
-    written = writeCodexHook(token, WORKSPACE_ID, pythonCmd, codexHome, args.cloud);
+    written = writeCodexHook(token, WORKSPACE_ID, pythonCmd, codexHome, args.cloud, tokenSource);
   } else {
     // openclaw：云端用 traceAgentIds allowlist 做 per-agent 放行。
-    written = writeOpenClawHook(token, WORKSPACE_ID, args.agentId, args.cloud, args.force) || {};
+    written = writeOpenClawHook(token, WORKSPACE_ID, args.agentId, args.cloud, args.force, tokenSource) || {};
   }
   // 走到这里说明 detectAgent / 环境检查 / 写 hook 配置全部成功 → 注入成功。
   cloudResult.inject = 'ok';
@@ -2056,6 +2086,7 @@ if (require.main === module) {
 
 module.exports = {
   resolveHomeDir,
+  getAgentPatToken,
   mergeJson,
   atomicWriteFileSync,
   isExpired,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coze_lab",
-  "version": "0.1.43",
+  "version": "0.1.44",
   "description": "Configure local AI agents (Claude Code, Codex, OpenClaw) to report traces to CozeLoop",
   "keywords": [
     "cozeloop",

package/scripts/claude-code/cozeloop_hook.py

@@ -369,6 +369,9 @@ def force_refresh_token_after_upload_failure(reason: str = "upload_failure", cur
     if is_cloud:
         hook_log("upload failure token refresh skipped in cloud mode")
         return None
+    if os.environ.get("COZELOOP_TOKEN_SOURCE") == "agent_config.patToken":
+        hook_log("upload failure token refresh skipped for agent config patToken")
+        return None
 
     creds = _load_credentials()
     if not creds or not creds.get("refresh_token"):
@@ -461,6 +464,8 @@ def get_fresh_token() -> Optional[str]:
     env_token = os.environ.get("COZELOOP_API_TOKEN")
     env_coze_token = os.environ.get("COZE_API_TOKEN")
     is_cloud = os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes")
+    if os.environ.get("COZELOOP_TOKEN_SOURCE") == "agent_config.patToken" and env_token:
+        return env_token
     if is_cloud:
         return env_token or env_coze_token or _token_from_credentials()
 

package/scripts/codex/cozeloop_hook.py

@@ -279,6 +279,9 @@ def force_refresh_token_after_upload_failure(reason: str = "upload_failure", cur
     if is_cloud:
         hook_log("upload failure token refresh skipped in cloud mode")
         return None
+    if os.environ.get("COZELOOP_TOKEN_SOURCE") == "agent_config.patToken":
+        hook_log("upload failure token refresh skipped for agent config patToken")
+        return None
 
     creds = _load_credentials()
     if not creds or not creds.get("refresh_token"):
@@ -370,6 +373,8 @@ def get_fresh_token():
     env_token = os.environ.get("COZELOOP_API_TOKEN")
     env_coze_token = os.environ.get("COZE_API_TOKEN")
     is_cloud = os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes")
+    if os.environ.get("COZELOOP_TOKEN_SOURCE") == "agent_config.patToken" and env_token:
+        return env_token
     if is_cloud:
         return env_token or env_coze_token or _token_from_credentials()
 

package/scripts/openclaw/dist/cozeloop-exporter.js

@@ -187,6 +187,7 @@ async function _forceRefreshToken(currentAuthorization, opts = {}) {
 }
 
 async function getRefreshedToken(currentAuthorization, opts = {}) {
+    if (opts.tokenSource === "agent_config.patToken") return currentAuthorization;
     if (opts.disableLocalCredentials) return currentAuthorization;
     if (opts.force) return _forceRefreshToken(currentAuthorization, opts);
     const creds = _loadCreds();
@@ -565,6 +566,7 @@ export class CozeloopExporter {
     async refreshAuthIfNeeded() {
         const fresh = await getRefreshedToken(this.config.authorization, {
             disableLocalCredentials: this.config.disableLocalCredentials,
+            tokenSource: this.config.tokenSource,
         });
         if (fresh && fresh !== this.config.authorization) {
             this.api.logger.info("[CozeloopTrace] Token refreshed, re-initializing exporter...");
@@ -585,6 +587,7 @@ export class CozeloopExporter {
     async refreshAuthAfterUploadFailure(currentAuthorization, err) {
         const fresh = await getRefreshedToken(currentAuthorization || this.config.authorization, {
             disableLocalCredentials: this.config.disableLocalCredentials,
+            tokenSource: this.config.tokenSource,
             force: true,
             reason: err?.message || "upload_failure",
             logFile: this.config.logFile,

package/scripts/openclaw/dist/index.js

@@ -540,6 +540,7 @@ const cozeloopTracePlugin = {
             batchInterval: pluginConfig.batchInterval || 500,
             enabledHooks: pluginConfig.enabledHooks,
             disableLocalCredentials: pluginConfig.disableLocalCredentials === true,
+            tokenSource: pluginConfig.tokenSource,
             logFile: pluginConfig.logFile,
         };
         const exporter = new CozeloopExporter(api, config);