coze_lab 0.1.43 → 0.1.45

package/scripts/codex/cozeloop_hook.py

@@ -35,360 +35,22 @@ import os
 import sys
 import hashlib
 import time
-import urllib.request
-import urllib.error
 from datetime import datetime
 from pathlib import Path
 from typing import Optional, List, Dict, Any
 
-# --- Token refresh --------------------------------------------------------
-_COZELOOP_CLIENT_ID = "08972682140163281554629748278108.app.coze"
-_COZE_API = "https://api.coze.cn"
-_REFRESH_THRESHOLD = 10 * 60
-_FORCE_REFRESH_COOLDOWN_MS = 60 * 1000
-_REFRESH_LOCK_STALE = 30
-_DEFAULT_WORKSPACE_ID = "7649231955045072915"  # hardcoded spaceID fallback
-_OTEL_SUFFIX = "/v1/loop/opentelemetry"
+# --- Token resolution -----------------------------------------------------
 
-# 实时 tool span 上报的批量间隔（秒）：距上次上报不足此值则本次不发，把已结束的 tool span
-# 攒到下次一起发（最多每 5s 一批）。终态(Stop/SubagentStop)不受限，立即收尾。
-REALTIME_BATCH_INTERVAL = float(os.environ.get("COZELOOP_REALTIME_BATCH_INTERVAL", "5"))
-
-
-# --- coze-context parsing -------------------------------------------------
-# User messages may embed a block like:
-#   <coze-context>
-#   account_id: 0
-#   agent_id: 7644920552473395499
-#   session_id: 7644919579054997796
-#   message_id: 04dd5246-...
-#   </coze-context>
-# We parse its key:value pairs and inject them into the trace.
-
-_COZE_CTX_OPEN = "<coze-context>"
-_COZE_CTX_CLOSE = "</coze-context>"
-
-
-def parse_coze_context(text: str) -> Dict[str, str]:
-    """Extract the LAST <coze-context> block's key:value pairs from text.
-
-    Returns {} if no block is present. Tag keys are prefixed with
-    'coze_' by the caller; here we return raw keys as written.
-    """
-    if not text or _COZE_CTX_OPEN not in text:
-        return {}
-    # Take the last occurrence (latest context wins).
-    open_idx = text.rfind(_COZE_CTX_OPEN)
-    close_idx = text.find(_COZE_CTX_CLOSE, open_idx)
-    if close_idx == -1:
-        return {}
-    body = text[open_idx + len(_COZE_CTX_OPEN):close_idx]
-    # The block may arrive with real newlines, OR with literal backslash-n
-    # (e.g. when the whole message is an embedded JSON string that was never
-    # un-escaped). Normalize both forms before splitting into lines.
-    body = body.replace("\\r\\n", "\n").replace("\\n", "\n").replace("\\r", "\n")
-    result: Dict[str, str] = {}
-    for line in body.splitlines():
-        line = line.strip()
-        if not line or ":" not in line:
-            continue
-        key, _, value = line.partition(":")
-        key = key.strip()
-        value = value.strip()
-        if key:
-            result[key] = value
-    return result
-
-
-def coze_context_tags(text: str) -> Dict[str, str]:
-    """Return coze-context kv as trace tags, prefixed with 'coze_'."""
-    return {f"coze_{k}": v for k, v in parse_coze_context(text).items()}
-
-
-def turn_coze_context(turn: Dict[str, Any]) -> Dict[str, str]:
-    """Extract coze-context from a grouped turn with fallbacks for Codex rollout shapes."""
-    texts = [turn.get("user_message_text", "")]
-    for msg in turn.get("input_messages", []):
-        if isinstance(msg, dict):
-            texts.append(str(msg.get("content", "")))
-    user_payload = turn.get("user_message")
-    if isinstance(user_payload, dict):
-        texts.append(extract_message_content_text(user_payload))
-    for text in texts:
-        ctx = parse_coze_context(text)
-        if ctx:
-            return ctx
-    return {}
-
-
-# --- trace upload failure / logid capture ---------------------------------
-def _extract_logid(msg: str) -> str:
-    """Pull the server logid out of an SDK error message, if present.
-
-    SDK failure messages embed it as 'logid=XXXX' (sometimes within brackets).
-    """
-    if not msg:
-        return ""
-    marker = "logid="
-    idx = msg.find(marker)
-    if idx == -1:
-        return ""
-    rest = msg[idx + len(marker):]
-    logid = []
-    for ch in rest:
-        if ch.isalnum():
-            logid.append(ch)
-        else:
-            break
-    return "".join(logid)
-
-
-def _make_finish_event_processor(upload_events: Optional[List[str]] = None):
-    """Return a trace_finish_event_processor that surfaces failures + logid.
-
-    The CozeLoop SDK calls this for each flush event; on failure we print the
-    server logid to stderr so it can be handed to platform support for tracing
-    the root cause (e.g. via `bytedcli log get-logid-log <logid>`).
-    """
-    def _processor(info):
-        try:
-            if not getattr(info, "is_event_fail", False):
-                hook_log("upload success")
-                return
-            detail = getattr(info, "detail_msg", "") or ""
-            if upload_events is not None:
-                upload_events.append(detail or "trace export failed")
-            logid = _extract_logid(detail)
-            if logid:
-                hook_log(f"upload failed logid={logid} detail={detail[:500]}")
-                print(f"[CozeLoop] 上报失败 logid={logid} (可用 bytedcli log get-logid-log {logid} 排查)", file=sys.stderr)
-            else:
-                hook_log(f"upload failed detail={detail[:500]}")
-                print(f"[CozeLoop] 上报失败: {detail[:300]}", file=sys.stderr)
-        except Exception:
-            pass
-    return _processor
-
-
-
-def _get_credentials_path() -> Path:
-    return Path.home() / ".cozeloop" / "credentials.json"
-
-def _get_refresh_state_path() -> Path:
-    return Path.home() / ".cozeloop" / "refresh-state.json"
-
-def _get_refresh_lock_path() -> Path:
-    return Path.home() / ".cozeloop" / "refresh-state.lock"
-
-def _load_credentials():
-    path = _get_credentials_path()
-    if not path.exists():
-        return None
-    try:
-        return json.loads(path.read_text())
-    except Exception:
-        return None
-
-def _save_credentials(creds):
-    path = _get_credentials_path()
-    path.parent.mkdir(parents=True, exist_ok=True)
-    path.write_text(json.dumps(creds, indent=2))
-    os.chmod(path, 0o600)
-
-def _load_refresh_state():
-    path = _get_refresh_state_path()
-    if not path.exists():
-        return {}
-    try:
-        return json.loads(path.read_text())
-    except Exception:
-        return {}
-
-def _save_refresh_state(patch):
-    path = _get_refresh_state_path()
-    try:
-        path.parent.mkdir(parents=True, exist_ok=True)
-        state = _load_refresh_state()
-        state.update(patch)
-        path.write_text(json.dumps(state, indent=2))
-        os.chmod(path, 0o600)
-    except Exception:
-        pass
-
-def _with_refresh_lock(fn):
-    lock_path = _get_refresh_lock_path()
-    lock_path.parent.mkdir(parents=True, exist_ok=True)
-    for _ in range(24):
-        fd = None
-        try:
-            fd = os.open(str(lock_path), os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
-            try:
-                return fn()
-            finally:
-                try:
-                    os.close(fd)
-                except Exception:
-                    pass
-                try:
-                    lock_path.unlink()
-                except Exception:
-                    pass
-        except FileExistsError:
-            try:
-                if time.time() - lock_path.stat().st_mtime > _REFRESH_LOCK_STALE:
-                    lock_path.unlink()
-                    continue
-            except Exception:
-                pass
-            time.sleep(0.25)
-    hook_log("forced refresh skipped because refresh lock is busy")
-    return None
-
-def _refresh_token(refresh_tok: str):
-    try:
-        payload = json.dumps({
-            "grant_type": "refresh_token",
-            "client_id": _COZELOOP_CLIENT_ID,
-            "refresh_token": refresh_tok,
-        }).encode()
-        req = urllib.request.Request(
-            f"{_COZE_API}/api/permission/oauth2/token",
-            data=payload,
-            headers={
-                "Content-Type": "application/json",
-            },
-        )
-        with urllib.request.urlopen(req, timeout=10) as resp:
-            data = json.loads(resp.read())
-        if data.get("access_token"):
-            existing = _load_credentials() or {}
-            creds = {
-                "access_token": data["access_token"],
-                "refresh_token": data.get("refresh_token", refresh_tok),
-                "expires_at": data.get("expires_in", 0) * 1000,  # unix timestamp in seconds
-                "workspace_id": existing.get("workspace_id", ""),
-            }
-            _save_credentials(creds)
-            return creds["access_token"]
-    except Exception:
-        pass
-    return None
-
-def force_refresh_token_after_upload_failure(reason: str = "upload_failure", current_token: Optional[str] = None):
-    is_cloud = os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes")
-    if is_cloud:
-        hook_log("upload failure token refresh skipped in cloud mode")
-        return None
-
-    creds = _load_credentials()
-    if not creds or not creds.get("refresh_token"):
-        hook_log("upload failure token refresh skipped; no local refresh_token")
-        return None
-
-    cached = creds.get("access_token")
-    now_ms = int(time.time() * 1000)
-    last_ms = int(_load_refresh_state().get("last_forced_refresh_ms", 0) or 0)
-    if last_ms and now_ms - last_ms < _FORCE_REFRESH_COOLDOWN_MS:
-        if cached and cached != current_token:
-            hook_log("forced refresh throttled; reuse newer cached token")
-            return cached
-        hook_log(f"forced refresh throttled ageMs={now_ms - last_ms}")
-        return None
-
-    def _locked_refresh():
-        locked_creds = _load_credentials()
-        if not locked_creds or not locked_creds.get("refresh_token"):
-            hook_log("forced refresh skipped in lock; credentials missing")
-            return None
-        locked_cached = locked_creds.get("access_token")
-        locked_now_ms = int(time.time() * 1000)
-        locked_last_ms = int(_load_refresh_state().get("last_forced_refresh_ms", 0) or 0)
-        if locked_last_ms and locked_now_ms - locked_last_ms < _FORCE_REFRESH_COOLDOWN_MS:
-            if locked_cached and locked_cached != current_token:
-                hook_log("forced refresh already done by another process; reuse token")
-                return locked_cached
-            hook_log(f"forced refresh skipped in lock ageMs={locked_now_ms - locked_last_ms}")
-            return None
-        _save_refresh_state({
-            "last_forced_refresh_ms": locked_now_ms,
-            "last_reason": (reason or "upload_failure")[:120],
-        })
-        hook_log(f"forced token refresh after upload failure reason={(reason or 'upload_failure')[:120]}")
-        refreshed = _refresh_token(locked_creds["refresh_token"])
-        if refreshed:
-            hook_log("forced token refresh OK")
-        else:
-            hook_log("forced token refresh FAILED")
-        return refreshed
-
-    return _with_refresh_lock(_locked_refresh)
-
-
-def _normalize_api_base_url(url: str) -> str:
-    base = (url or "").strip().rstrip("/")
-    if not base:
-        return base
-    # 剥除已知 loop 路径后缀，还原纯 API base。
-    # 关键：含 /api 的变体必须连 /api 整体剥掉，否则残留 /api 会拼出 /api/v1/loop/... → 后端 400。
-    # 顺序：更长 / 带 /api 的在前，裸 /v1 最后，避免误匹配短后缀。
-    suffixes = (
-        "/api/v1/loop/opentelemetry/v1/traces",
-        _OTEL_SUFFIX + "/v1/traces",
-        "/api/v1/loop/opentelemetry",
-        _OTEL_SUFFIX,
-        "/api/v1",
-        "/v1",
-    )
-    for suffix in suffixes:
-        if base.endswith(suffix):
-            return base[:-len(suffix)].rstrip("/")
-    return base
-
-
-def get_api_base_url() -> str:
-    return _normalize_api_base_url(
-        os.environ.get("COZELOOP_API_BASE_URL", "")
-    )
-
-
-def _token_from_credentials():
-    creds = _load_credentials()
-    if not creds:
-        return None
-    # expires_at 由 index.js 以毫秒存储；先减去当前毫秒时间再换算成秒，与 _REFRESH_THRESHOLD(秒) 比较。
-    remaining = (creds.get("expires_at", 0) - time.time() * 1000) / 1000
-    if remaining > _REFRESH_THRESHOLD:
-        return creds.get("access_token")
-    if creds.get("refresh_token"):
-        new_token = _refresh_token(creds["refresh_token"])
-        if new_token:
-            return new_token
-    return None
-
-
-def get_fresh_token():
+def get_fresh_token() -> Optional[str]:
+    """Return the token injected by onboard. Do not read local credentials."""
     env_token = os.environ.get("COZELOOP_API_TOKEN")
     env_coze_token = os.environ.get("COZE_API_TOKEN")
-    is_cloud = os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes")
-    if is_cloud:
-        return env_token or env_coze_token or _token_from_credentials()
-
-    # Local onboard used to write a short-lived access token into cozeloop.env.
-    # If credentials exist but cannot be refreshed, do not fall back to that stale
-    # env token; failing closed keeps state from advancing on a known-bad token.
-    creds = _load_credentials()
-    if creds:
-        return _token_from_credentials()
-    if env_token and not env_coze_token:
-        token = _token_from_credentials()
-        if token:
-            return token
-        return env_token
     if env_token:
         return env_token
-    if env_coze_token:
+    if os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes"):
         return env_coze_token
-    return _token_from_credentials()
+    return None
+
 # -------------------------------------------------------------------------
 
 # --- SDK Import ---
@@ -1089,7 +751,6 @@ def _make_model_message(role: str, content: str = "", tool_calls: list = None,
 
 def send_turns_to_cozeloop(turns: List[Dict[str, Any]], session_id: str, model_name: str = "codex",
                            history_context: Optional[List[Dict[str, Any]]] = None,
-                           retry_on_auth_failure: bool = True,
                            coze_tags_override: Optional[Dict[str, str]] = None) -> Optional[List[Dict[str, Any]]]:
     """Send conversation turns to CozeLoop for tracing.
 
@@ -1119,14 +780,7 @@ def send_turns_to_cozeloop(turns: List[Dict[str, Any]], session_id: str, model_n
             f"api_base_url={bool(get_api_base_url())}"
         )
         print("[CozeLoop] 警告: 未找到有效 Token，上报可能失败", file=sys.stderr)
-    creds = _load_credentials()
-    # 云端模式：sandbox 注入的 COZELOOP_WORKSPACE_ID 必须优先于 credentials.json。
-    # 否则残留的本地 credentials.json workspace_id 会覆盖云端注入，导致 trace 上报错位。
-    is_cloud = os.environ.get("COZELAB_ONBOARD_CLOUD", "").lower() in ("1", "true", "yes")
-    if is_cloud:
-        workspace_id = os.environ.get("COZELOOP_WORKSPACE_ID", "") or (creds or {}).get("workspace_id") or _DEFAULT_WORKSPACE_ID
-    else:
-        workspace_id = (creds or {}).get("workspace_id") or os.environ.get("COZELOOP_WORKSPACE_ID", "") or _DEFAULT_WORKSPACE_ID
+    workspace_id = os.environ.get("COZELOOP_WORKSPACE_ID", "") or _DEFAULT_WORKSPACE_ID
     os.environ["COZELOOP_WORKSPACE_ID"] = workspace_id
     hook_log(f"workspace_id={workspace_id}")
     upload_events: List[str] = []
@@ -1548,19 +1202,6 @@ def send_turns_to_cozeloop(turns: List[Dict[str, Any]], session_id: str, model_n
 
     if upload_events:
         hook_log(f"upload failed state not advanced failures={len(upload_events)} detail={upload_events[-1][:500]}")
-        if retry_on_auth_failure:
-            new_token = force_refresh_token_after_upload_failure(upload_events[-1], token)
-            if new_token:
-                os.environ["COZELOOP_API_TOKEN"] = new_token
-                hook_log("retry upload once after forced token refresh")
-                return send_turns_to_cozeloop(
-                    turns,
-                    session_id,
-                    model_name,
-                    history_context,
-                    retry_on_auth_failure=False,
-                    coze_tags_override=coze_tags_override,
-                )
         return None
 
     return ctx

package/scripts/openclaw/dist/cozeloop-exporter.js

@@ -3,10 +3,9 @@ import { BasicTracerProvider, BatchSpanProcessor } from "@opentelemetry/sdk-trac
 import { Resource } from "@opentelemetry/resources";
 import { ATTR_SERVICE_NAME, ATTR_SERVICE_INSTANCE_ID } from "@opentelemetry/semantic-conventions";
 import { hostname } from "os";
-import { basename, join } from "path";
+import { basename } from "path";
 import { createRequire } from "node:module";
-import { readFileSync, writeFileSync, mkdirSync, appendFileSync, openSync, closeSync, unlinkSync, statSync } from "fs";
-import { homedir } from "os";
+import { appendFileSync } from "fs";
 import http from "http";
 import https from "https";
 
@@ -21,183 +20,14 @@ const CLIENT_USER_AGENT = {
     source: "openapi",
 };
 
-// ── Token refresh helpers ─────────────────────────────────────────────────
-const _CLIENT_ID = "08972682140163281554629748278108.app.coze";
+// ── Token helpers ──────────────────────────────────────────────────────────
 const _COZE_API  = "https://api.coze.cn";
-const _REFRESH_THRESHOLD_MS = 10 * 60 * 1000;
-const _FORCE_REFRESH_COOLDOWN_MS = 60 * 1000;
-const _REFRESH_LOCK_STALE_MS = 30 * 1000;
-const _CREDS_PATH = join(homedir(), ".cozeloop", "credentials.json");
-const _REFRESH_STATE_PATH = join(homedir(), ".cozeloop", "refresh-state.json");
-const _REFRESH_LOCK_PATH = join(homedir(), ".cozeloop", "refresh-state.lock");
-
-function _loadCreds() {
-    try { return JSON.parse(readFileSync(_CREDS_PATH, "utf8")); }
-    catch { return null; }
-}
-
-function _saveCreds(c) {
-    try {
-        mkdirSync(join(homedir(), ".cozeloop"), { recursive: true });
-        writeFileSync(_CREDS_PATH, JSON.stringify(c, null, 2), { mode: 0o600 });
-    } catch { /* non-fatal */ }
-}
-
-function _loadRefreshState() {
-    try { return JSON.parse(readFileSync(_REFRESH_STATE_PATH, "utf8")); }
-    catch { return {}; }
-}
-
-function _saveRefreshState(patch) {
-    try {
-        mkdirSync(join(homedir(), ".cozeloop"), { recursive: true });
-        const state = { ..._loadRefreshState(), ...patch };
-        writeFileSync(_REFRESH_STATE_PATH, JSON.stringify(state, null, 2), { mode: 0o600 });
-    } catch { /* non-fatal */ }
-}
-
-function _authorizationFromCreds(creds) {
-    return creds?.access_token ? `Bearer ${creds.access_token}` : null;
-}
-
-function _sleep(ms) {
-    return new Promise(resolve => setTimeout(resolve, ms));
-}
-
-async function _withRefreshLock(logFile, fn) {
-    mkdirSync(join(homedir(), ".cozeloop"), { recursive: true });
-    for (let i = 0; i < 24; i++) {
-        let fd = null;
-        try {
-            fd = openSync(_REFRESH_LOCK_PATH, "wx", 0o600);
-            try {
-                return await fn();
-            }
-            finally {
-                try { if (fd !== null) closeSync(fd); } catch { /* ignore */ }
-                try { unlinkSync(_REFRESH_LOCK_PATH); } catch { /* ignore */ }
-            }
-        }
-        catch (err) {
-            if (err?.code !== "EEXIST") {
-                fileLog(logFile, `[auth] refresh lock error=${err?.message || err}`);
-                return null;
-            }
-            try {
-                const ageMs = Date.now() - statSync(_REFRESH_LOCK_PATH).mtimeMs;
-                if (ageMs > _REFRESH_LOCK_STALE_MS) {
-                    unlinkSync(_REFRESH_LOCK_PATH);
-                    continue;
-                }
-            } catch { /* ignore */ }
-            await _sleep(250);
-        }
-    }
-    fileLog(logFile, "[auth] refresh lock busy; skip forced refresh");
-    return null;
-}
-
-async function _refreshToken(refreshTok) {
-    return new Promise((resolve) => {
-        const body = JSON.stringify({ grant_type: "refresh_token", client_id: _CLIENT_ID, refresh_token: refreshTok });
-        const req = https.request(`${_COZE_API}/api/permission/oauth2/token`, {
-            method: "POST",
-            headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) },
-        }, (res) => {
-            let buf = "";
-            res.on("data", c => buf += c);
-            res.on("end", () => {
-                try {
-                    const d = JSON.parse(buf);
-                    if (d.access_token) {
-                        const existing = _loadCreds() ?? {};
-                        const creds = {
-                            access_token: d.access_token,
-                            refresh_token: d.refresh_token ?? refreshTok,
-                            expires_at: (d.expires_in ?? 0) * 1000,  // unix timestamp in seconds
-                            workspace_id: existing.workspace_id ?? "",
-                        };
-                        _saveCreds(creds);
-                        resolve(creds.access_token);
-                    } else { resolve(null); }
-                } catch { resolve(null); }
-            });
-        });
-        req.on("error", () => resolve(null));
-        req.setTimeout(10000, () => { req.destroy(); resolve(null); });
-        req.write(body);
-        req.end();
-    });
-}
-
-async function _forceRefreshToken(currentAuthorization, opts = {}) {
-    const logFile = opts.logFile;
-    const creds = _loadCreds();
-    if (!creds?.refresh_token) {
-        fileLog(logFile, "[auth] upload failed but no local refresh_token is available");
-        return null;
-    }
-
-    const cachedAuth = _authorizationFromCreds(creds);
-    const now = Date.now();
-    const state = _loadRefreshState();
-    const lastForced = Number(state.last_forced_refresh_ms || 0);
-    if (lastForced && now - lastForced < _FORCE_REFRESH_COOLDOWN_MS) {
-        if (cachedAuth && cachedAuth !== currentAuthorization) {
-            fileLog(logFile, `[auth] forced refresh throttled; reuse newer cached token tokenLength=${cachedAuth.length}`);
-            return cachedAuth;
-        }
-        fileLog(logFile, `[auth] forced refresh throttled ageMs=${now - lastForced}`);
-        return null;
-    }
-
-    return _withRefreshLock(logFile, async () => {
-        const lockedCreds = _loadCreds();
-        if (!lockedCreds?.refresh_token) {
-            fileLog(logFile, "[auth] forced refresh skipped; credentials disappeared");
-            return null;
-        }
-        const lockedCachedAuth = _authorizationFromCreds(lockedCreds);
-        const lockedState = _loadRefreshState();
-        const lockedLastForced = Number(lockedState.last_forced_refresh_ms || 0);
-        const lockedNow = Date.now();
-        if (lockedLastForced && lockedNow - lockedLastForced < _FORCE_REFRESH_COOLDOWN_MS) {
-            if (lockedCachedAuth && lockedCachedAuth !== currentAuthorization) {
-                fileLog(logFile, `[auth] forced refresh already done by another process; reuse tokenLength=${lockedCachedAuth.length}`);
-                return lockedCachedAuth;
-            }
-            fileLog(logFile, `[auth] forced refresh skipped in lock ageMs=${lockedNow - lockedLastForced}`);
-            return null;
-        }
-
-        _saveRefreshState({
-            last_forced_refresh_ms: lockedNow,
-            last_reason: String(opts.reason || "upload_failure").slice(0, 120),
-        });
-        fileLog(logFile, `[auth] forced token refresh after local upload failure reason=${String(opts.reason || "upload_failure").slice(0, 120)}`);
-        const newToken = await _refreshToken(lockedCreds.refresh_token);
-        if (!newToken) {
-            fileLog(logFile, "[auth] forced token refresh FAILED");
-            return null;
-        }
-        const freshAuth = `Bearer ${newToken}`;
-        fileLog(logFile, `[auth] forced token refresh OK tokenLength=${freshAuth.length}`);
-        return freshAuth;
-    });
-}
 
 async function getRefreshedToken(currentAuthorization, opts = {}) {
-    if (opts.disableLocalCredentials) return currentAuthorization;
-    if (opts.force) return _forceRefreshToken(currentAuthorization, opts);
-    const creds = _loadCreds();
-    if (!creds) return currentAuthorization; // no creds file, keep as-is
-    const remaining = (creds.expires_at ?? 0) - Date.now();
-    if (remaining > _REFRESH_THRESHOLD_MS) return `Bearer ${creds.access_token}`;
-    if (creds.refresh_token) {
-        const newToken = await _refreshToken(creds.refresh_token);
-        if (newToken) return `Bearer ${newToken}`;
-    }
-    return null;
+    if (opts.force) {
+        fileLog(opts.logFile, "[auth] token refresh disabled; keep configured authorization");
+    }
+    return currentAuthorization;
 }
 // ─────────────────────────────────────────────────────────────────────────
 
@@ -444,19 +274,19 @@ class CozeloopIngestExporter {
                 throw err;
             }
             this.headers = { ...this.headers, Authorization: freshAuth };
-            fileLog(this.logFile, `[ingest] retry after token refresh url=${this.url} spans=${body.spans.length}`);
+            fileLog(this.logFile, `[ingest] retry after authorization update url=${this.url} spans=${body.spans.length}`);
             try {
                 await this.postBody(body, true);
             }
             catch (retryErr) {
-                throw new Error(`retry after token refresh failed: ${retryErr?.message || retryErr}`);
+                throw new Error(`retry after authorization update failed: ${retryErr?.message || retryErr}`);
             }
         }
     }
     async refreshAuthorizationAfterFailure(err) {
         if (typeof this.onAuthFailure !== "function")
             return null;
-        fileLog(this.logFile, `[auth] local upload failure triggers refresh attempt err=${String(err?.message || err).slice(0, 300)}`);
+        fileLog(this.logFile, `[auth] upload failure; token refresh disabled err=${String(err?.message || err).slice(0, 300)}`);
         try {
             const current = this.headers?.Authorization || "";
             const fresh = await this.onAuthFailure(current, err);
@@ -565,6 +395,7 @@ export class CozeloopExporter {
     async refreshAuthIfNeeded() {
         const fresh = await getRefreshedToken(this.config.authorization, {
             disableLocalCredentials: this.config.disableLocalCredentials,
+            tokenSource: this.config.tokenSource,
         });
         if (fresh && fresh !== this.config.authorization) {
             this.api.logger.info("[CozeloopTrace] Token refreshed, re-initializing exporter...");
@@ -578,13 +409,13 @@ export class CozeloopExporter {
                 this.tracer = null;
             }
         } else if (fresh === null) {
-            this.api.logger.error("[CozeloopTrace] Local credentials exist but token refresh failed; refusing to reuse stale authorization.");
-            this.config.authorization = "";
+            this.api.logger.info("[CozeloopTrace] Token refresh disabled; keeping configured authorization.");
         }
     }
     async refreshAuthAfterUploadFailure(currentAuthorization, err) {
         const fresh = await getRefreshedToken(currentAuthorization || this.config.authorization, {
             disableLocalCredentials: this.config.disableLocalCredentials,
+            tokenSource: this.config.tokenSource,
             force: true,
             reason: err?.message || "upload_failure",
             logFile: this.config.logFile,

package/scripts/openclaw/dist/index.js

@@ -540,6 +540,7 @@ const cozeloopTracePlugin = {
             batchInterval: pluginConfig.batchInterval || 500,
             enabledHooks: pluginConfig.enabledHooks,
             disableLocalCredentials: pluginConfig.disableLocalCredentials === true,
+            tokenSource: pluginConfig.tokenSource,
             logFile: pluginConfig.logFile,
         };
         const exporter = new CozeloopExporter(api, config);
@@ -1011,7 +1012,7 @@ const cozeloopTracePlugin = {
         }
         if (shouldHookEnabled("session_start")) {
             on("session_start", async (event, hookCtx) => {
-                // Refresh token if expiring soon (< 10 min)
+                // No local refresh fallback; exporter keeps configured authorization.
                 await exporter.refreshAuthIfNeeded();
                 const rawChannelId = resolveChannelId(hookCtx, event.sessionId);
                 if (config.debug) {