coze_lab 0.1.44 → 0.1.46

package/index.js

@@ -2,13 +2,9 @@
 'use strict';
 
 // ─── 0. Constants ─────────────────────────────────────────────────────────────
-const CLIENT_ID   = '08972682140163281554629748278108.app.coze';
 const WORKSPACE_ID = '7649231955045072915';
 const COZE_API    = 'https://api.coze.cn';
-const CREDS_PATH  = require('path').join(require('os').homedir(), '.cozeloop', 'credentials.json');
 const PACKAGE_VERSION = require('./package.json').version;
-// Refresh when less than 10 minutes remain
-const REFRESH_THRESHOLD_MS = 10 * 60 * 1000;
 const TOKEN_SOURCE_AGENT_PAT = 'agent_config.patToken';
 
 // ─── 1. Cloud structured output ──────────────────────────────────────────────
@@ -118,7 +114,7 @@ const OPENCLAW_PLUGIN_VERSION = (() => {
   }
 })();
 
-// Read a single script file (Python hook / refresh) as a UTF-8 string.
+// Read a single script file as a UTF-8 string.
 function readScript(relPath) {
   return require('fs').readFileSync(require('path').join(SCRIPTS_DIR, relPath), 'utf8');
 }
@@ -147,6 +143,8 @@ function loadOpenclawFiles() {
 function parseArgs() {
   const args = {};
   for (const arg of process.argv.slice(2)) {
+    // Legacy auth-only commands are still parsed so validateArgs can return a
+    // clear "removed" error instead of falling through to generic usage.
     if (arg === '--logout')  { args['logout']  = true; continue; }
     if (arg === '--login')   { args['login']   = true; continue; }
     if (arg === '--status')  { args['status']  = true; continue; }
@@ -225,11 +223,16 @@ function resolveAgent(agentId, soft) {
 }
 
 function validateArgs(args) {
-  if (args['logout'])  return { logout:  true };
-  if (args['login'])   return { login:   true };
-  if (args['status'])  return { status:  true };
-  if (args['refresh']) return { refresh: true };
-  if (args['verify'])  return { verify:  true, pairCode: args['pair-code'] };
+  const legacyAuthCmd = ['login', 'status', 'refresh', 'logout'].find((name) => args[name]);
+  if (legacyAuthCmd) {
+    errorBox([
+      `ERROR: --${legacyAuthCmd} 已移除`,
+      '',
+      'coze_lab 不再提供 Device Code / OAuth 本地授权兜底链路。',
+      '本地请使用 --agent-id=<id>，并确保 ~/.coze/agents/<id>/config.json 中存在 patToken。',
+      '云端请通过环境变量 COZELOOP_API_TOKEN 或 COZE_API_TOKEN 注入 trace token。',
+    ]);
+  }
 
   // --agent-id：优先读 coze-bridge 的 ~/.coze/agents/<id>/config.json 拿 framework/workspace。
   // 云端判定优先看 deployType / CLOUD_ENV；兼容老 config 时再看 cloud-only 落盘字段。
@@ -251,6 +254,7 @@ function validateArgs(args) {
         pairCode: args['pair-code'],
         cloud,
         force: !!args['force'],
+        verify: !!args['verify'],
       };
     }
     // 显式 --cloud 或 CLOUD_ENV=1 且 config.json 缺失：回退到显式 --agent
@@ -274,6 +278,15 @@ function validateArgs(args) {
       pairCode: args['pair-code'],
       cloud: true,
       force: !!args['force'],
+      verify: !!args['verify'],
+    };
+  }
+
+  if (args['verify']) {
+    return {
+      verify: true,
+      pairCode: args['pair-code'],
+      cloud: !!args['cloud'] || isCloudRuntimeEnv() || !!getCloudTokenInfo().token,
     };
   }
 
@@ -282,18 +295,15 @@ function validateArgs(args) {
       'ERROR: --agent 或 --agent-id 至少提供一个',
       '',
       'Usage:',
-      '  --agent=claude-code | codex | openclaw   (全局配置)',
-      '  --agent-id=<id>                          (按 ~/.coze/agents/<id> 的 framework 自动路由)',
+      '  --agent-id=<id>                          (本地/云端按 ~/.coze/agents/<id>/config.json 自动路由)',
+      '  --cloud --agent=claude-code|codex|openclaw (云端兼容调用，token 来自环境变量)',
       '',
       'Flags:',
       '  --force    强制重装（OpenClaw 跳过幂等检查，无条件重写插件 + 重装依赖 + 重启 gateway）',
       '',
       'Other commands:',
-      '  --status   Show authorization status',
-      '  --login    Login (Device Code flow)',
-      '  --refresh  Force refresh access token',
-      '  --logout   Clear cached credentials',
       '  --verify   Send a test trace to verify the reporting pipeline',
+      '             需要 --agent-id 的 patToken，或环境变量 COZELOOP_API_TOKEN/COZE_API_TOKEN',
       '             可带 --pair-code=<值> 写入 trace metadata（缺省自动生成），供查询方回查',
     ]);
   }
@@ -307,7 +317,17 @@ function validateArgs(args) {
       '  --agent=openclaw',
     ]);
   }
-  return { agent: args['agent'], 'codex-home': args['codex-home'], pairCode: args['pair-code'], cloud: !!args['cloud'], force: !!args['force'] };
+  const cloud = !!args['cloud'] || isCloudRuntimeEnv();
+  if (!cloud) {
+    errorBox([
+      'ERROR: 本地模式不再支持仅使用 --agent=<type> 配置 trace',
+      '',
+      '本地配置必须通过 --agent-id=<id> 读取对应 agent config 中的 patToken。',
+      '请使用：',
+      '  npx coze_lab --agent-id=<id>',
+    ]);
+  }
+  return { agent: args['agent'], 'codex-home': args['codex-home'], pairCode: args['pair-code'], cloud, force: !!args['force'] };
 }
 
 // ─── 4. Agent detection ──────────────────────────────────────────────────────
@@ -439,12 +459,16 @@ function checkCozeloopSdk(pythonCmd, options = {}) {
 }
 
 // ─── 6. Version whitelist check ──────────────────────────────────────────────
-// Match on major.minor prefix: '1.3' matches 1.3.0, 1.3.2, 1.3.9
-const VERSION_WHITELIST = {
-  'claude-code': ['1.2', '1.3', '1.4', '2.0', '2.1'],
-  'codex':       ['1.0', '1.1', '0.134'],
-  'openclaw':    ['2026.3', '2026.4', '2026.5'],
+// Forward-compatible lower bounds. Newer CLI releases are treated as
+// supported by default because the hook selfcheck is the authoritative guard.
+const VERSION_SUPPORT = {
+  'claude-code': { min: '1.0.0', display: ['>= 1.0.0'] },
+  'codex':       { min: '0.134.0', display: ['>= 0.134.0'] },
+  'openclaw':    { min: '2026.3.0', display: ['>= 2026.3.0'] },
 };
+const VERSION_WHITELIST = Object.fromEntries(
+  Object.entries(VERSION_SUPPORT).map(([agent, cfg]) => [agent, cfg.display]),
+);
 
 const UPGRADE_CMD = {
   'claude-code': 'npm install -g @anthropic-ai/claude-code@latest',
@@ -453,15 +477,15 @@ const UPGRADE_CMD = {
 };
 
 function checkVersionWhitelist(agent, version) {
-  const whitelist = VERSION_WHITELIST[agent] || [];
-  const supported = whitelist.some(prefix => version.startsWith(prefix + '.') || version === prefix);
+  const support = VERSION_SUPPORT[agent];
+  const supported = support && isVersionAtLeast(version, support.min);
 
   if (supported) {
     ok(`${agent} v${version} — OK`);
     return;
   }
 
-  const supportedList = whitelist.map(v => `  • ${v}.x`);
+  const supportedList = (support?.display || []).map(v => `  • ${v}`);
   warnBox([
     `⚠ WARNING: Unsupported ${agent} version: ${version}`,
     '',
@@ -471,10 +495,29 @@ function checkVersionWhitelist(agent, version) {
     'Trace reporting may not work correctly.',
     'Please upgrade and re-run:',
     `  ${UPGRADE_CMD[agent]}`,
-    `  npx coze_lab --agent=${agent} ...`,
+    '  npx coze_lab --agent-id=<id>',
   ]);
 }
 
+function parseVersionNumbers(version) {
+  const m = String(version || '').match(/(\d+(?:\.\d+){0,3})/);
+  return m ? m[1].split('.').map((part) => Number(part)) : [];
+}
+
+function isVersionAtLeast(version, minVersion) {
+  const got = parseVersionNumbers(version);
+  const min = parseVersionNumbers(minVersion);
+  if (!got.length || !min.length) return false;
+  const len = Math.max(got.length, min.length);
+  for (let i = 0; i < len; i += 1) {
+    const a = got[i] || 0;
+    const b = min[i] || 0;
+    if (a > b) return true;
+    if (a < b) return false;
+  }
+  return true;
+}
+
 // ─── 7. Hook writers ─────────────────────────────────────────────────────────
 const fs   = require('fs');
 const path = require('path');
@@ -545,15 +588,13 @@ function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud
   const settingsPath = path.join(claudeDir, 'settings.json');
   const localSettingsPath = path.join(baseDir, '.claude', 'settings.local.json');
 
-  // 1. Write Python hook scripts (trace + refresh) — 脚本放全局 ~/.claude/hooks，可共享
+  // 1. Write Python hook script — 脚本放全局 ~/.claude/hooks，可共享
   ensureDir(hooksDir);
   writeHookScript(hookScript, readScript('claude-code/cozeloop_hook.py'));
-  const refreshScript = path.join(hooksDir, 'cozeloop_refresh.py');
-  writeHookScript(refreshScript, readScript('shared/cozeloop_refresh.py'));
 
-  // 2. Merge settings.json — Stop (trace 收尾) + PostToolUse (trace 增量) + UserPromptSubmit (refresh)。用绝对路径。
+  // 2. Merge settings.json — Stop (trace 收尾) + PostToolUse (trace 增量)。用绝对路径。
+  //    同时清掉旧版本写入的 cozeloop_refresh.py hook，避免继续走 OAuth refresh 兜底。
   const hookCmd    = `${pythonCmd} ${hookScript}`;
-  const refreshCmd = `${pythonCmd} ${refreshScript}`;
 
   ensureDir(claudeDir);
   let settings;
@@ -576,12 +617,11 @@ function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud
       );
       existing.hooks.PostToolUse.push({ matcher: '', hooks: [{ type: 'command', command: hookCmd }] });
 
-      // UserPromptSubmit hook — token refresh before each user message
+      // Remove legacy token-refresh hook entries.
       if (!existing.hooks.UserPromptSubmit) existing.hooks.UserPromptSubmit = [];
       existing.hooks.UserPromptSubmit = existing.hooks.UserPromptSubmit.filter(
         entry => !entry.hooks?.some(h => h.command?.includes('cozeloop_refresh.py'))
       );
-      existing.hooks.UserPromptSubmit.push({ matcher: '', hooks: [{ type: 'command', command: refreshCmd }] });
 
       return existing;
     });
@@ -596,7 +636,7 @@ function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud
   }
   ok(`Hook registered in ${settingsPath}`);
 
-  // 3. Write credentials into <baseDir>/.claude/settings.local.json
+  // 3. Write hook environment into <baseDir>/.claude/settings.local.json
   ensureDir(path.join(baseDir, '.claude'));
   ensureDir(path.dirname(logFile));
   let localSettings;
@@ -648,9 +688,9 @@ function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud
   try {
     atomicWriteFileSync(localSettingsPath, JSON.stringify(localSettings, null, 2));
   } catch (e) {
-    errorBox([`ERROR: Cannot write credentials to ${localSettingsPath}`, '', e.message]);
+    errorBox([`ERROR: Cannot write hook environment to ${localSettingsPath}`, '', e.message]);
   }
-  ok(`Credentials written to ${localSettingsPath}`);
+  ok(`Hook environment written to ${localSettingsPath}`);
 
 
   return { hookScript, settingsPath, localSettingsPath, logFile };
@@ -658,8 +698,7 @@ function writeClaudeCodeHook(token, workspaceId, pythonCmd, configBaseDir, cloud
 
 // writeCodexHook 把 hook 写进指定的 CODEX_HOME。codexHome 缺省 ~/.codex；
 // 传入动态目录（如 coze-bridge 的 /tmp/coze-bridge-codex-home-xxx）即可 per-agent 生效。
-// 普通本地模式不把短期 token 写入 cozeloop.env；Hook 运行时读取 ~/.cozeloop/credentials.json。
-// 本地 --agent-id 且 config.patToken 存在时写入该 PAT，并用 COZELOOP_TOKEN_SOURCE 标记来源。
+// 本地 --agent-id 从 config.patToken 写入 token，并用 COZELOOP_TOKEN_SOURCE 标记来源。
 // cloud=true 时写 COZELAB_ONBOARD_CLOUD，并带入 sandbox 注入的 trace token。
 function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud, tokenSource) {
   const home       = codexHome || path.join(os.homedir(), '.codex');
@@ -669,12 +708,9 @@ function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud, tokenSo
   const logFile    = path.join(hooksDir, 'cozeloop.log');
   const hooksJson  = path.join(home, 'hooks.json');
 
-  // 1. Write Python hook scripts (trace + refresh)
-  // Token is read from ~/.cozeloop/credentials.json at runtime
+  // 1. Write Python hook script
   ensureDir(hooksDir);
   writeHookScript(hookScript, readScript('codex/cozeloop_hook.py'));
-  const refreshScript = path.join(hooksDir, 'cozeloop_refresh.py');
-  writeHookScript(refreshScript, readScript('shared/cozeloop_refresh.py'));
 
   // 2. Write env file with chmod 600
   const envLines = [
@@ -707,14 +743,14 @@ function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud, tokenSo
   try {
     fs.writeFileSync(envFile, envContent, { mode: 0o600 });
   } catch (e) {
-    errorBox([`ERROR: Cannot write credentials to ${envFile}`, '', e.message]);
+    errorBox([`ERROR: Cannot write hook environment to ${envFile}`, '', e.message]);
   }
-  ok(`Credentials written to ${envFile} (chmod 600)`);
+  ok(`Hook environment written to ${envFile} (chmod 600)`);
 
-  // 3. Merge hooks.json — Stop (trace 收尾) + PostToolUse (trace 增量) + SessionStart (refresh)
+  // 3. Merge hooks.json — Stop (trace 收尾) + PostToolUse (trace 增量)
   //    命令用绝对路径（CODEX_HOME 不一定是 ~/.codex）。
+  //    同时清掉旧版本写入的 cozeloop_refresh.py SessionStart hook。
   const hookCmd    = `set -a && . ${envFile} && set +a && ${pythonCmd} ${hookScript}`;
-  const refreshCmd = `${pythonCmd} ${refreshScript}`;
 
   const hooks = mergeJson(hooksJson, (existing) => {
     if (!existing.hooks) existing.hooks = {};
@@ -734,12 +770,11 @@ function writeCodexHook(token, workspaceId, pythonCmd, codexHome, cloud, tokenSo
     );
     existing.hooks.PostToolUse.push({ matcher: null, hooks: [{ type: 'command', command: hookCmd, timeout: 60 }] });
 
-    // SessionStart hook — token refresh
+    // Remove legacy token-refresh hook entries.
     if (!existing.hooks.SessionStart) existing.hooks.SessionStart = [];
     existing.hooks.SessionStart = existing.hooks.SessionStart.filter(
       entry => !entry.hooks?.some(h => h.command?.includes('cozeloop_refresh.py'))
     );
-    existing.hooks.SessionStart.push({ matcher: null, hooks: [{ type: 'command', command: refreshCmd, timeout: 15 }] });
 
     return existing;
   });
@@ -1063,7 +1098,7 @@ function writeOpenClawHook(token, workspaceId, agentId, cloud, force, tokenSourc
   }
 }
 
-// ─── 8. Auth — Device Code OAuth + token store ───────────────────────────────
+// ─── 8. Trace verification HTTP helpers ─────────────────────────────────────
 const https = require('https');
 const crypto = require('crypto');
 
@@ -1377,18 +1412,15 @@ async function verifyTraceReport(token, workspaceId, pairCode, tracesUrl) {
 }
 
 // ── OpenClaw 专属上报链路校验 ──────────────────────────────────────────────
-// 为什么单独一条：claude-code/codex 的 verify 用主流程刚 getValidToken() 刷新过的有效
+// 为什么单独一条：claude-code/codex 的 verify 用主流程解析到的 token
 // token 直发，而 openclaw 运行时上报用的是【写死在 openclaw.json 插件 config.authorization
 // 里的静态 token】。两者是不同 token —— 插件那个失效（401/4100）时通用 verify 照样 ok，
 // 这就是“verify=ok 但实际查不到 trace”假象的根因。本函数改为读插件实际配置的 token 打
 // ingest，真实反映运行时会不会 401。
 //
 // cloud/local 兼容：插件配置位置都在 resolveHomeDir(cloud)/.openclaw/openclaw.json，
-// endpoint 都走 getOtelEndpointBase(cloud)，逻辑统一。差异在 token 刷新：
-//   - local：disableLocalCredentials=false，插件会读 ~/.cozeloop/credentials.json 自动刷新，
-//            所以额外检测【实际加载的插件是否含刷新逻辑 getRefreshedToken】，无则告警。
-//   - cloud：disableLocalCredentials=true，插件只用写死的 token、不刷新，token 失效需重注入，
-//            刷新能力检测对 cloud 无意义（跳过）。
+// endpoint 都走 getOtelEndpointBase(cloud)，逻辑统一。OpenClaw 插件只使用 onboard 写入
+// 的 authorization，不再读取或刷新本地 credentials。
 async function verifyOpenClawTraceLink(cloud, pairCode) {
   const home = resolveHomeDir(cloud);
   const configPath = path.join(home, '.openclaw', 'openclaw.json');
@@ -1480,60 +1512,14 @@ async function verifyOpenClawTraceLink(cloud, pairCode) {
     if (snippet) console.log(snippet);
     // 4100/401 = 该 token 已失效。指出根因与修复方式。
     if (res.status === 401 || /\b4100\b/.test(res.body || '')) {
-      info('插件配置的 token 已失效。运行时上报会 401 → OTLP 抛 unhandled rejection → gateway 崩溃 → span 丢失。');
-      info('修复：重跑 `node index.js --agent=openclaw --force` 写入新 token（local 会从 ~/.cozeloop 自动刷新）。');
-    }
-  }
-
-  // 2) 仅 local：检测实际加载的插件是否具备 token 自动刷新能力。
-  //    cloud 主动 disableLocalCredentials，不刷新，检测无意义。
-  if (!cloud) {
-    const refreshOk = openClawPluginHasRefresh(home);
-    if (refreshOk === true) {
-      ok('openclaw 插件具备 token 自动刷新能力 (getRefreshedToken)。');
-    } else if (refreshOk === false) {
-      warn('本机加载的 openclaw 插件【无 token 刷新逻辑】，token 过期后会反复 401 崩 gateway。');
-      info('修复：重跑 `node index.js --agent=openclaw --force` 安装带刷新逻辑的新插件。');
+      info('插件配置的 token 已失效。运行时上报会 401，span 会丢失。');
+      info('修复：重跑 `npx coze_lab --agent-id=<id> --force` 写入 agent config 中最新 patToken。');
     }
-    // refreshOk === null：定位不到插件文件，不下结论（不误报）。
   }
 
   return { success, status: res.status, body: res.body || '' };
 }
 
-// 检测本机【实际加载的】openclaw trace 插件是否含 token 刷新逻辑（getRefreshedToken）。
-// 返回 true=有 / false=无 / null=定位不到插件文件（不下结论）。
-// 探测顺序：openclaw plugins list 给出的真实路径 > onboard 安装位置 ~/.cozeloop/openclaw-plugin
-// > 历史手改位置 ~/.openclaw/workspace/cozeloop-trace-fix。
-function openClawPluginHasRefresh(home) {
-  const candidates = [];
-  // openclaw plugins list 拿实际加载路径（最准——能发现 cozeloop-trace-fix 这类残留旧插件）
-  try {
-    const { execSync } = require('child_process');
-    const out = execSync('openclaw plugins list', { stdio: ['ignore', 'pipe', 'ignore'] }).toString();
-    for (const line of out.split(/\r?\n/)) {
-      if (!/cozeloop|trace/i.test(line)) continue;
-      const m = line.match(/(\/[^\s'"]+)/); // 抓行内绝对路径
-      if (m) candidates.push(m[1]);
-    }
-  } catch { /* CLI 不可用则回退已知路径 */ }
-  candidates.push(path.join(home, '.cozeloop', 'openclaw-plugin'));
-  candidates.push(path.join(home, '.openclaw', 'workspace', 'cozeloop-trace-fix'));
-
-  let foundAny = false;
-  for (const base of candidates) {
-    for (const rel of ['dist/cozeloop-exporter.js', 'dist/index.js', 'cozeloop-exporter.js', 'index.js']) {
-      const f = path.isAbsolute(rel) ? rel : path.join(base, rel);
-      try {
-        if (!fs.existsSync(f)) continue;
-        foundAny = true;
-        if (fs.readFileSync(f, 'utf8').includes('getRefreshedToken')) return true;
-      } catch { /* ignore */ }
-    }
-  }
-  return foundAny ? false : null;
-}
-
 function httpsGet(url, headers) {
   return new Promise((resolve, reject) => {
     const h = { ...(headers || {}) };
@@ -1547,254 +1533,10 @@ function httpsGet(url, headers) {
   });
 }
 
-// ── Credentials store ──────────────────────────────────────────────────────
-function loadCredentials() {
-  try {
-    return JSON.parse(fs.readFileSync(CREDS_PATH, 'utf8'));
-  } catch {
-    return null;
-  }
-}
-
-function saveCredentials(creds) {
-  // 0o700：凭证目录仅 owner 可读/进入，其他用户无法枚举 ~/.cozeloop 内容。
-  fs.mkdirSync(path.dirname(CREDS_PATH), { recursive: true, mode: 0o700 });
-  atomicWriteFileSync(CREDS_PATH, JSON.stringify(creds, null, 2), { mode: 0o600 });
-}
-
-function deleteCredentials() {
-  try { fs.unlinkSync(CREDS_PATH); } catch { /* already gone */ }
-}
-
-function isExpired(creds) {
-  if (!creds || !creds.expires_at) return true;
-  return Date.now() >= creds.expires_at - REFRESH_THRESHOLD_MS;
-}
-
-// ── Refresh token ──────────────────────────────────────────────────────────
-async function refreshToken(creds) {
-  info('Access token expiring soon, refreshing...');
-  let res;
-  try {
-    res = await httpsPost(`${COZE_API}/api/permission/oauth2/token`, {
-      grant_type:    'refresh_token',
-      client_id:     CLIENT_ID,
-      refresh_token: creds.refresh_token,
-    });
-  } catch (e) {
-    errorBox(['ERROR: Could not refresh token', '', e.message]);
-  }
-
-  let data;
-  try { data = JSON.parse(res.body); } catch {
-    errorBox(['ERROR: Unexpected response while refreshing token']);
-  }
-
-  if (data.error || res.status !== 200) {
-    warn(`Token refresh failed (${data.error || res.status}), re-authorizing...`);
-    return null; // caller will re-run device code flow
-  }
-
-  const updated = {
-    access_token:  data.access_token,
-    refresh_token: data.refresh_token ?? creds.refresh_token,
-    expires_at:    (data.expires_in ?? 0) * 1000,  // expires_at stored in milliseconds (Python 端按毫秒读)
-    workspace_id:  creds.workspace_id ?? WORKSPACE_ID,  // preserve workspace_id
-  };
-  saveCredentials(updated);
-  ok('Token refreshed successfully.');
-  return updated;
-}
-
-// ── Device Code flow ───────────────────────────────────────────────────────
-async function deviceCodeAuth() {
-  // Step 1: Get device code
-  let res;
-  try {
-    res = await httpsPost(`${COZE_API}/api/permission/oauth2/device/code`, {
-      client_id: CLIENT_ID,
-    });
-  } catch (e) {
-    errorBox(['ERROR: Could not reach Coze API', '', e.message]);
-  }
-
-  let data;
-  try { data = JSON.parse(res.body); } catch {
-    errorBox(['ERROR: Unexpected response from Coze API']);
-  }
-
-  if (res.status !== 200 || data.error) {
-    errorBox([
-      'ERROR: Failed to start device authorization',
-      '',
-      data.error_description || data.error || `HTTP ${res.status}`,
-    ]);
-  }
-
-  const { device_code, user_code, verification_uri, expires_in, interval = 5 } = data;
-  const activation_url = `${verification_uri}?user_code=${encodeURIComponent(user_code)}`;
-
-  console.log('');
-  box([
-    '  请在浏览器中打开以下链接完成授权：',
-    '',
-    `  ${activation_url}`,
-    '',
-    `  验证码将在 ${expires_in} 秒后过期`,
-  ], C.cyan);
-  console.log('');
-
-  // Try to open browser automatically
-  try {
-    const { execSync } = require('child_process');
-    const opener = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
-    execSync(`${opener} "${activation_url}"`, { stdio: 'ignore' });
-    info('已自动打开浏览器，请在浏览器中完成授权...');
-  } catch {
-    info('请手动在浏览器中打开上方链接完成授权...');
-  }
-
-  // Step 2: Poll for token
-  const deadline = Date.now() + expires_in * 1000;
-  let pollInterval = interval * 1000;
-
-  process.stdout.write(`${C.cyan}[i]${C.reset} 等待授权中`);
-
-  while (Date.now() < deadline) {
-    await new Promise(r => setTimeout(r, pollInterval));
-    process.stdout.write('.');
-
-    let pollRes;
-    try {
-      pollRes = await httpsPost(`${COZE_API}/api/permission/oauth2/token`, {
-        grant_type:  'urn:ietf:params:oauth:grant-type:device_code',
-        client_id:   CLIENT_ID,
-        device_code,
-      });
-    } catch { continue; }
-
-    let pollData;
-    try { pollData = JSON.parse(pollRes.body); } catch { continue; }
-
-    if (pollData.access_token) {
-      process.stdout.write('\n');
-      const creds = {
-        access_token:  pollData.access_token,
-        refresh_token: pollData.refresh_token,
-        expires_at:    (pollData.expires_in ?? 0) * 1000,  // expires_at stored in milliseconds (Python 端按毫秒读)
-        workspace_id:  WORKSPACE_ID,
-      };
-      saveCredentials(creds);
-      console.log('');
-      ok('授权成功！Token 已保存到 ~/.cozeloop/credentials.json');
-      return creds;
-    }
-
-    if (pollData.error === 'slow_down') {
-      pollInterval += 5000;
-    } else if (pollData.error === 'access_denied') {
-      process.stdout.write('\n');
-      errorBox(['ERROR: 用户拒绝了授权请求']);
-    } else if (pollData.error === 'expired_token') {
-      process.stdout.write('\n');
-      errorBox(['ERROR: 验证码已过期，请重新运行命令']);
-    }
-    // authorization_pending → keep polling
-  }
-
-  process.stdout.write('\n');
-  errorBox(['ERROR: 授权超时，请重新运行命令']);
-}
-
-// ── Get valid token (load → refresh → re-auth) ────────────────────────────
-async function getValidToken() {
-  let creds = loadCredentials();
-
-  if (creds && !isExpired(creds)) {
-    ok('已找到有效的本地授权，跳过授权步骤。');
-    return creds.access_token;
-  }
-
-  if (creds && creds.refresh_token) {
-    const refreshed = await refreshToken(creds);
-    if (refreshed) return refreshed.access_token;
-  }
-
-  // Need fresh authorization
-  info('未找到本地授权，启动 Device Code 授权流程...');
-  const fresh = await deviceCodeAuth();
-  return fresh.access_token;
-}
-
-// ── Logout ────────────────────────────────────────────────────────────────
-function logout() {
-  const creds = loadCredentials();
-  if (!creds) {
-    info('本地没有保存的授权信息，无需退出。');
-    return;
-  }
-  deleteCredentials();
-  successBox(['已成功退出登录', '', '本地 Token 已清除 (~/.cozeloop/credentials.json)']);
-}
-
-// ── Auth status ───────────────────────────────────────────────────────────
-function authStatus() {
-  const creds = loadCredentials();
-  if (!creds) {
-    box([
-      'Auth Status: NOT LOGGED IN',
-      '',
-      '~/.cozeloop/credentials.json not found.',
-      'Run with --agent=<type> to authorize.',
-    ], C.yellow);
-    return;
-  }
-
-  const expiresAt  = creds.expires_at ? new Date(creds.expires_at) : null;
-  const now        = Date.now();
-  const remainMs   = creds.expires_at ? creds.expires_at - now : null;
-  const remainMin  = remainMs != null ? Math.floor(remainMs / 60000) : null;
-
-  function formatRemaining(ms) {
-    if (ms == null) return 'unknown';
-    const min = Math.floor(ms / 60000);
-    if (min < 60)   return `${min} 分钟`;
-    const hr = Math.floor(min / 60);
-    if (hr < 24)    return `${hr} 小时`;
-    const day = Math.floor(hr / 24);
-    if (day < 365)  return `${day} 天`;
-    return `${Math.floor(day / 365)} 年`;
-  }
-
-  let statusLabel, statusColor;
-  if (!expiresAt) {
-    statusLabel = 'UNKNOWN (no expiry info)';
-    statusColor = C.yellow;
-  } else if (remainMs < 0) {
-    statusLabel = 'EXPIRED';
-    statusColor = C.red;
-  } else if (remainMs < REFRESH_THRESHOLD_MS) {
-    statusLabel = `EXPIRING SOON (剩余 ${formatRemaining(remainMs)})`;
-    statusColor = C.yellow;
-  } else {
-    statusLabel = `VALID (剩余 ${formatRemaining(remainMs)})`;
-    statusColor = C.green;
-  }
-
-  const lines = [
-    `Auth Status: ${statusLabel}`,
-    '',
-    `Token:      ${creds.access_token ? creds.access_token.slice(0, 20) + '...' : 'n/a'}`,
-    `Expires at: ${expiresAt ? expiresAt.toLocaleString() : 'unknown'}`,
-    `Refresh:    ${creds.refresh_token ? 'available' : 'not available'}`,
-  ];
-  box(lines, statusColor);
-}
-
 // ─── 9. Main ─────────────────────────────────────────────────────────────────
 const NEXT_STEP = {
   'claude-code': 'Hook 已写入。Claude Code 会自动热重载 hooks，当前会话即刻生效，无需 /new 或重启。',
-  'codex':       'Hook 已写入。Codex 在会话启动时加载 hook，当前会话不会即时生效；请重开 Codex 会话（已配置 SessionStart hook，新会话自动加载）。',
+  'codex':       'Hook 已写入。Codex 在会话启动时加载 hook，当前会话不会即时生效；请重开 Codex 会话。',
 };
 
 function openClawNextStep(written) {
@@ -1814,64 +1556,31 @@ async function main() {
 
   const args = validateArgs(parseArgs());
 
-  // ── Logout mode ──────────────────────────────────────────────────────────
-  if (args.logout) {
-    logout();
-    return;
-  }
-
-  if (args.status) {
-    authStatus();
-    return;
-  }
-
-  // ── Refresh mode ─────────────────────────────────────────────────────────
-  // ── Login mode ───────────────────────────────────────────────────────────
-  if (args.login) {
-    const existing = loadCredentials();
-    if (existing && !isExpired(existing)) {
-      warnBox([
-        '当前已有有效的登录凭证。',
+  if (args.verify) {
+    info('验证 trace 上报链路...');
+    let token = '';
+    let tokenSource = '';
+    if (args.cloud) {
+      const tokenInfo = getCloudTokenInfo();
+      token = tokenInfo.token;
+      tokenSource = tokenInfo.source;
+      if (!token) {
+        errorBox([
+          'ERROR: verify 需要环境变量 COZELOOP_API_TOKEN 或 COZE_API_TOKEN',
+          '',
+          'coze_lab 不再读取本地 OAuth credentials。',
+        ]);
+      }
+    } else if (args.agentId && args.patToken) {
+      token = args.patToken;
+      tokenSource = TOKEN_SOURCE_AGENT_PAT;
+    } else {
+      errorBox([
+        'ERROR: 本地 verify 需要 --agent-id 且 config.json 中存在 patToken',
         '',
-        '如需重新登录，请先运行 --logout，或使用 --refresh 刷新 Token。',
+        '请确认 ~/.coze/agents/<id>/config.json 包含 patToken 后重试。',
       ]);
-      return;
     }
-    deleteCredentials();
-    await deviceCodeAuth();
-    return;
-  }
-
-  if (args.refresh) {
-    const creds = loadCredentials();
-    if (!creds) {
-      box([
-        'ERROR: 未找到本地授权信息',
-        '',
-        '请先运行 --agent=<type> 完成授权。',
-      ], C.red);
-      process.exit(1);
-    }
-    if (!creds.refresh_token) {
-      box([
-        'ERROR: 当前凭证没有 refresh_token',
-        '',
-        '请运行 --logout 后重新 --agent=<type> 授权。',
-      ], C.red);
-      process.exit(1);
-    }
-    const refreshed = await refreshToken(creds);
-    if (!refreshed) {
-      warn('Refresh token 已失效，启动 Device Code 重新授权...');
-      console.log('');
-      await deviceCodeAuth();
-    }
-    return;
-  }
-
-  if (args.verify) {
-    info('验证 trace 上报链路...');
-    const token = await getValidToken();   // 无凭证会自动走登录/刷新
     console.log('');
     const result = await verifyTraceReport(token, WORKSPACE_ID, args.pairCode, getOtelTracesUrl(false));
     // 若本机装了 openclaw 插件，额外校验插件【实际配置的静态 token】——通用 verify 用刚刷新的
@@ -1884,7 +1593,7 @@ async function main() {
         if (cfg?.plugins?.entries?.['openclaw-cozeloop-trace']?.config?.authorization) {
           console.log('');
           info('检测到 openclaw cozeloop-trace 插件，校验其实际 token...');
-          const ocRes = await verifyOpenClawTraceLink(false, args.pairCode);
+          const ocRes = await verifyOpenClawTraceLink(args.cloud, args.pairCode);
           ocOk = ocRes.success;
         }
       } catch { /* 读不了就跳过 openclaw 校验 */ }
@@ -1906,11 +1615,10 @@ async function main() {
     console.log('');
   }
 
-  // Step 1: Authorize.
-  //   云端模式：token 取自 sandbox 注入的环境变量，跳过 OAuth / credentials.json。
+  // Step 1: Resolve trace token.
+  //   云端模式：token 取自 sandbox 注入的环境变量。
   //     优先使用 COZELOOP_API_TOKEN；兼容使用 COZE_API_TOKEN，并以真实 selfcheck 为准。
-  //   本地 --agent-id 且 config.patToken 存在：优先使用该 PAT，跳过 OAuth / credentials.json。
-  //   其它本地模式：load cached → refresh → device code。
+  //   本地模式：必须通过 --agent-id 读取 config.patToken。
   //   注意：workspace_id 始终用写死的 WORKSPACE_ID（团队固定上报 workspace），不读环境。
   let token;
   let tokenSource = '';
@@ -1933,14 +1641,20 @@ async function main() {
       info('将兼容使用 COZE_API_TOKEN 作为 trace token，并通过 selfcheck 验证实际可用性。');
     }
   } else {
-    info('Step 1/5: 检查授权状态...');
+    info('Step 1/5: 从 agent config 读取 patToken...');
     if (args.agentId && args.patToken) {
       token = args.patToken;
       tokenSource = TOKEN_SOURCE_AGENT_PAT;
-      ok(`已从 ~/.coze/agents/${args.agentId}/config.json 读取 patToken，跳过本地授权。`);
+      ok(`已从 ~/.coze/agents/${args.agentId}/config.json 读取 patToken。`);
     } else {
-      token = await getValidToken();
-      tokenSource = 'credentials';
+      errorBox([
+        'ERROR: 本地模式要求 ~/.coze/agents/<agentId>/config.json 中存在 patToken',
+        '',
+        'coze_lab 不再提供 Device Code / OAuth 本地授权兜底。',
+        args.agentId
+          ? `请确认 ~/.coze/agents/${args.agentId}/config.json 包含 patToken 后重试。`
+          : '请使用 --agent-id=<id> 运行，以便读取对应 agent config。',
+      ]);
     }
   }
   console.log('');
@@ -2025,7 +1739,7 @@ async function main() {
 
   // Step 5: Verify trace reporting end-to-end
   info('Step 5/5: 验证 trace 上报链路...');
-  // openclaw 走专属校验：claude-code/codex 的 verify 用主流程刚 getValidToken() 刷新过的
+  // openclaw 走专属校验：claude-code/codex 的 verify 用主流程解析到的
   // 有效 token 直发，测不到 openclaw 插件【写死在 openclaw.json 里的静态 token】是否失效
   // （插件不读这个临时 token）。openclaw 必须用插件实际配置的 authorization 打 ingest，
   // 才能真实反映运行时上报会不会 401。cloud/local 配置位置一致，统一走这条。
@@ -2089,5 +1803,7 @@ module.exports = {
   getAgentPatToken,
   mergeJson,
   atomicWriteFileSync,
-  isExpired,
+  VERSION_WHITELIST,
+  VERSION_SUPPORT,
+  isVersionAtLeast,
 };