evolclaw 3.1.2 → 3.1.4

package/dist/aun/aid/identity.js

@@ -1,56 +1,193 @@
 import fs from 'fs';
 import path from 'path';
-import os from 'os';
 import crypto from 'crypto';
-import { getAunClient, downloadCaRoot } from './client.js';
-import { resolvePaths, aidsDir as evolclawAidsDir, agentMdPath } from '../../paths.js';
+import { getAunClient, createAunClient, downloadCaRoot } from './client.js';
+import { resolvePaths, agentMdPath, aunPath as defaultAunPath } from '../../paths.js';
 // ==================== Validation ====================
 export function isValidAid(name) {
     const labels = name.split('.');
     return labels.length >= 3 && labels.every(l => /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$/.test(l));
 }
+/**
+ * 根据扫描得到的状态推断 AID 分类。
+ *  - hasPrivateKey + signVerified=true            → mine
+ *  - hasPrivateKey + (signVerified=false 或未实测) → broken
+ *  - !hasPrivateKey + hasCert                     → peer-cert
+ *  - !hasPrivateKey + !hasCert                    → no-cert
+ */
+function categorizeAid(info) {
+    if (info.hasPrivateKey) {
+        if (info.signVerified === true)
+            return 'mine';
+        return 'broken';
+    }
+    return info.hasCert ? 'peer-cert' : 'no-cert';
+}
 // ==================== AID Operations ====================
 export function aidList(aunPath) {
-    const aunAidsDir = path.join(aunPath ?? path.join(os.homedir(), '.aun'), 'AIDs');
-    const ecAidsDir = evolclawAidsDir();
+    const root = aunPath ?? defaultAunPath();
+    const aunAidsDir = path.join(root, 'AIDs');
     const seen = new Map();
-    // Scan ~/.aun/AIDs (private keys live here)
     if (fs.existsSync(aunAidsDir)) {
         for (const e of fs.readdirSync(aunAidsDir, { withFileTypes: true })) {
             if (!e.isDirectory())
                 continue;
+            const aidDir = path.join(aunAidsDir, e.name);
+            const keyJsonPath = path.join(aidDir, 'private', 'key.json');
+            const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
+            const certPath = path.join(aidDir, 'public', 'cert.pem');
+            let hasCert = false;
+            let certExpired = false;
+            let keyMatchesCert = null;
+            if (fs.existsSync(certPath)) {
+                hasCert = true;
+                try {
+                    const certPem = fs.readFileSync(certPath, 'utf-8');
+                    const x509 = new crypto.X509Certificate(certPem);
+                    certExpired = new Date(x509.validTo) < new Date();
+                    if (hasPrivateKey && fs.existsSync(keyJsonPath)) {
+                        try {
+                            const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+                            const localPubB64 = typeof kp?.public_key_der_b64 === 'string' ? kp.public_key_der_b64 : '';
+                            if (localPubB64) {
+                                const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+                                const localPubDer = Buffer.from(localPubB64, 'base64');
+                                keyMatchesCert = certPubDer.equals(localPubDer);
+                            }
+                        }
+                        catch { /* key.json 不可解析视作不匹配 */
+                            keyMatchesCert = false;
+                        }
+                    }
+                }
+                catch {
+                    // 证书无法解析视为过期 / 不可用
+                    certExpired = true;
+                }
+            }
             seen.set(e.name, {
                 aid: e.name,
-                hasPrivateKey: fs.existsSync(path.join(aunAidsDir, e.name, 'private')),
+                category: categorizeAid({
+                    hasPrivateKey,
+                    hasCert,
+                    // 静态扫描没跑实测，用 canSign 作为 mine/broken 的近似判定
+                    signVerified: hasPrivateKey ? (hasCert && !certExpired && keyMatchesCert === true) : null,
+                    canSign: hasPrivateKey && hasCert && !certExpired && keyMatchesCert === true,
+                }),
+                hasPrivateKey,
                 hasAgentMd: fs.existsSync(agentMdPath(e.name)),
+                hasCert,
+                certExpired,
+                keyMatchesCert,
+                canSign: hasPrivateKey && hasCert && !certExpired && keyMatchesCert === true,
+                signVerified: null,
             });
         }
     }
-    // Scan $EVOLCLAW_HOME/AIDs (agent.md lives here)
-    if (fs.existsSync(ecAidsDir) && ecAidsDir !== aunAidsDir) {
-        for (const e of fs.readdirSync(ecAidsDir, { withFileTypes: true })) {
-            if (!e.isDirectory())
-                continue;
-            if (seen.has(e.name))
+    return [...seen.values()];
+}
+// ==================== Sign Self-Test ====================
+/**
+ * 实跑一次本地 sign + verify，验证 AID 是否真能签名/验签。
+ * 全本地（不联网）：用 SDK 解密私钥 → ECDSA 签 payload → 用本地 cert 公钥验。
+ * 任一环节失败都视为不可签——包括私钥 passphrase 解不开、cert 被 SDK 主动 discard 等。
+ */
+export async function verifySignAbility(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
+    let ownClient = null;
+    try {
+        let client = opts?.client;
+        if (!client) {
+            client = await createAunClient({ aunPath });
+            ownClient = client;
+        }
+        const probe = `# probe\naid: "${aid}"\n`;
+        let signed;
+        try {
+            signed = await client.auth.signAgentMd(probe, { aid });
+        }
+        catch (e) {
+            return { ok: false, reason: `sign failed: ${String(e?.message || e).slice(0, 120)}` };
+        }
+        const certPath = path.join(aunPath, 'AIDs', aid, 'public', 'cert.pem');
+        const certPem = fs.existsSync(certPath) ? fs.readFileSync(certPath, 'utf-8') : '';
+        if (!certPem)
+            return { ok: false, reason: 'cert.pem missing' };
+        let result;
+        try {
+            result = await client.auth.verifyAgentMd(signed, { aid, certPem });
+        }
+        catch (e) {
+            return { ok: false, reason: `verify threw: ${String(e?.message || e).slice(0, 120)}` };
+        }
+        const verified = result?.status === 'verified' || result?.verified === true;
+        if (verified)
+            return { ok: true };
+        return { ok: false, reason: `verify failed: ${result?.status ?? 'unknown'}${result?.reason ? ' — ' + result.reason : ''}` };
+    }
+    finally {
+        if (ownClient) {
+            try {
+                await ownClient.close();
+            }
+            catch { /* ignore */ }
+        }
+    }
+}
+/**
+ * aidList 的"实测版"：先做静态扫描，再对每个 AID 跑一次本地 sign+verify。
+ * 共用同一个 AUNClient 实例，避免重复初始化 secret-store / sqlite。
+ */
+export async function aidListVerified(aunPath) {
+    const list = aidList(aunPath);
+    const root = aunPath ?? defaultAunPath();
+    const client = await createAunClient({ aunPath: root });
+    try {
+        for (const a of list) {
+            // canSign=false 的 AID 不必跑实测，结论已经明确
+            if (!a.canSign) {
+                a.signVerified = false;
+                if (!a.hasPrivateKey)
+                    a.signError = 'no private key';
+                else if (!a.hasCert)
+                    a.signError = 'no cert';
+                else if (a.certExpired)
+                    a.signError = 'cert expired';
+                else if (a.keyMatchesCert === false)
+                    a.signError = 'key/cert public-key mismatch';
+                a.category = categorizeAid({
+                    hasPrivateKey: a.hasPrivateKey, hasCert: a.hasCert,
+                    signVerified: a.signVerified, canSign: a.canSign,
+                });
                 continue;
-            seen.set(e.name, {
-                aid: e.name,
-                hasPrivateKey: fs.existsSync(path.join(aunAidsDir, e.name, 'private')),
-                hasAgentMd: fs.existsSync(agentMdPath(e.name)),
+            }
+            const r = await verifySignAbility(a.aid, { aunPath: root, client });
+            a.signVerified = r.ok;
+            if (!r.ok)
+                a.signError = r.reason;
+            a.category = categorizeAid({
+                hasPrivateKey: a.hasPrivateKey, hasCert: a.hasCert,
+                signVerified: a.signVerified, canSign: a.canSign,
             });
         }
     }
-    return [...seen.values()];
+    finally {
+        try {
+            await client.close();
+        }
+        catch { /* ignore */ }
+    }
+    return list;
 }
 export async function aidCreate(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
     if (fs.existsSync(aidDir) && fs.existsSync(path.join(aidDir, 'private'))) {
         const client = await getAunClient(aid, { aunPath });
         return { aid, alreadyExisted: true, gateway: '', client };
     }
-    const { AUNClient, GatewayDiscovery } = await import('@agentunion/fastaun');
-    let client = new AUNClient({ aun_path: aunPath });
+    const { GatewayDiscovery } = await import('@agentunion/fastaun');
+    let client = await createAunClient({ aunPath });
     try {
         const result = await client.auth.createAid({ aid });
         const gateway = result.gateway || '';
@@ -61,7 +198,7 @@ export async function aidCreate(aid, opts) {
                 await client.close();
             }
             catch { /* ignore */ }
-            client = new AUNClient({ aun_path: aunPath, root_ca_path: caCertPath });
+            client = await createAunClient({ aunPath });
             await client.auth.createAid({ aid });
         }
         let gatewayUrl = gateway;
@@ -86,34 +223,183 @@ export async function aidCreate(aid, opts) {
     }
 }
 // ==================== Show ====================
-export function aidShow(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+export async function aidShow(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
     const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
     const hasAgentMd = fs.existsSync(agentMdPath(aid));
     let certExpiresAt = null;
     let certSubject = null;
+    let certExpired = false;
+    let certPem = null;
+    let keyMatchesCert = null;
     const certPath = path.join(aidDir, 'public', 'cert.pem');
     if (fs.existsSync(certPath)) {
         try {
-            const pem = fs.readFileSync(certPath, 'utf-8');
-            const x509 = new crypto.X509Certificate(pem);
+            certPem = fs.readFileSync(certPath, 'utf-8');
+            const x509 = new crypto.X509Certificate(certPem);
             certExpiresAt = x509.validTo;
             certSubject = x509.subject;
+            certExpired = new Date(x509.validTo) < new Date();
+            const keyJsonPath = path.join(aidDir, 'private', 'key.json');
+            if (hasPrivateKey && fs.existsSync(keyJsonPath)) {
+                try {
+                    const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+                    const localPubB64 = typeof kp?.public_key_der_b64 === 'string' ? kp.public_key_der_b64 : '';
+                    if (localPubB64) {
+                        const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+                        const localPubDer = Buffer.from(localPubB64, 'base64');
+                        keyMatchesCert = certPubDer.equals(localPubDer);
+                    }
+                }
+                catch {
+                    keyMatchesCert = false;
+                }
+            }
         }
         catch { /* ignore parse errors */ }
     }
-    return { aid, hasPrivateKey, hasAgentMd, certExpiresAt, certSubject };
+    let agentMdSignature = 'unknown';
+    let agentMdSignatureReason;
+    let signVerified = null;
+    let signError;
+    // 先做一次签名自检（共享 client，避免重复起 SDK）
+    const client = await createAunClient({ aunPath });
+    try {
+        if (hasPrivateKey && certPem && !certExpired && keyMatchesCert !== false) {
+            const r = await verifySignAbility(aid, { aunPath, client });
+            signVerified = r.ok;
+            if (!r.ok)
+                signError = r.reason;
+        }
+        else {
+            signVerified = false;
+            if (!hasPrivateKey)
+                signError = 'no private key';
+            else if (!certPem)
+                signError = 'no cert';
+            else if (certExpired)
+                signError = 'cert expired';
+            else if (keyMatchesCert === false)
+                signError = 'key/cert public-key mismatch';
+        }
+        if (hasAgentMd) {
+            try {
+                const content = fs.readFileSync(agentMdPath(aid), 'utf-8');
+                if (!content.includes('AUN-SIGNATURE')) {
+                    agentMdSignature = 'unsigned';
+                }
+                else {
+                    const result = await client.auth.verifyAgentMd(content, { aid, ...(certPem ? { certPem } : {}) });
+                    if (result.status === 'verified' || result.verified) {
+                        agentMdSignature = 'verified';
+                    }
+                    else if (result.status === 'unsigned') {
+                        agentMdSignature = 'unsigned';
+                    }
+                    else {
+                        agentMdSignature = 'invalid';
+                        agentMdSignatureReason = result.reason;
+                    }
+                }
+            }
+            catch (e) {
+                agentMdSignature = 'unknown';
+                agentMdSignatureReason = String(e?.message || e).slice(0, 100);
+            }
+        }
+    }
+    finally {
+        try {
+            await client.close();
+        }
+        catch { }
+    }
+    return { aid, hasPrivateKey, hasAgentMd, certExpiresAt, certSubject, certExpired, keyMatchesCert, signVerified, signError, agentMdSignature, agentMdSignatureReason };
 }
 // ==================== Delete ====================
 export function aidDelete(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
     if (!fs.existsSync(aidDir))
         return false;
     fs.rmSync(aidDir, { recursive: true, force: true });
     return true;
 }
+export async function probePkiRecoverability(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
+    const timeoutMs = opts?.timeoutMs ?? 8000;
+    const keyJsonPath = path.join(aunPath, 'AIDs', aid, 'private', 'key.json');
+    if (!fs.existsSync(keyJsonPath))
+        return { kind: 'no-key' };
+    let localPubB64 = '';
+    try {
+        const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+        if (typeof kp?.public_key_der_b64 !== 'string' || !kp.public_key_der_b64) {
+            return { kind: 'unknown', reason: 'key.json missing public_key_der_b64' };
+        }
+        localPubB64 = kp.public_key_der_b64;
+    }
+    catch (e) {
+        return { kind: 'unknown', reason: `key.json parse failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    // 1. 发现网关
+    let gateway = '';
+    try {
+        const ctl = AbortSignal.timeout(timeoutMs);
+        const gwResp = await fetch(`https://${aid}/.well-known/aun-gateway`, { redirect: 'follow', signal: ctl });
+        if (gwResp.ok) {
+            const text = (await gwResp.text()).trim();
+            try {
+                const parsed = JSON.parse(text);
+                gateway = parsed?.gateways?.[0]?.url || text;
+            }
+            catch {
+                gateway = text;
+            }
+        }
+    }
+    catch (e) {
+        return { kind: 'no-server-record', reason: `gateway discovery failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    if (!gateway)
+        return { kind: 'no-server-record', reason: 'no gateway for AID' };
+    // 2. 拉云端 cert
+    let certPem = '';
+    try {
+        const parsed = new URL(gateway);
+        const scheme = parsed.protocol === 'wss:' ? 'https:' : 'http:';
+        const certUrl = `${scheme}//${parsed.host}/pki/cert/${encodeURIComponent(aid)}`;
+        const ctl = AbortSignal.timeout(timeoutMs);
+        const resp = await fetch(certUrl, { redirect: 'follow', signal: ctl });
+        if (!resp.ok) {
+            return { kind: 'no-server-record', reason: `pki/cert HTTP ${resp.status}` };
+        }
+        certPem = (await resp.text()).trim();
+        if (!certPem.includes('BEGIN CERTIFICATE')) {
+            return { kind: 'no-server-record', reason: 'pki/cert returned non-cert content' };
+        }
+    }
+    catch (e) {
+        return { kind: 'no-server-record', reason: `pki/cert fetch failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    // 3. 比对公钥
+    try {
+        const x509 = new crypto.X509Certificate(certPem);
+        const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+        const localPubDer = Buffer.from(localPubB64, 'base64');
+        if (certPubDer.equals(localPubDer)) {
+            return { kind: 'recoverable', serverCertPubB64: certPubDer.toString('base64') };
+        }
+        return {
+            kind: 'unrecoverable',
+            reason: 'server has different public key registered, current local private key cannot be used',
+        };
+    }
+    catch (e) {
+        return { kind: 'unknown', reason: `cert parse failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+}
 // ==================== Lookup ====================
 export async function aidLookup(aid) {
     let gateway = '';

package/dist/aun/aid/index.js

@@ -1,3 +1,3 @@
-export { isValidAid, aidList, aidCreate, aidShow, aidDelete, aidLookup, appendAidLifecycle, readAidLifecycle } from './identity.js';
-export { buildInitialAgentMd, agentmdGet, agentmdPut } from './agentmd.js';
+export { isValidAid, aidList, aidListVerified, aidCreate, aidShow, aidDelete, aidLookup, verifySignAbility, probePkiRecoverability, appendAidLifecycle, readAidLifecycle } from './identity.js';
+export { buildInitialAgentMd, agentmdGet, agentmdPut, agentmdSync } from './agentmd.js';
 export { MIN_AUN_CORE_SDK, AUN_CORE_SDK_PKG, isAunSdkVersionOk, resolveAunCoreSdkPkg, ensureAunSdk, isAunSdkReady, downloadCaRoot, getAunClient, suppressSdkLogs, } from './client.js';

package/dist/aun/rpc/connection.js

@@ -1,15 +1,13 @@
-import fs from 'fs';
-import path from 'path';
-import os from 'os';
+import { aunPath as defaultAunPath } from '../../paths.js';
+import { createAunClient } from '../aid/client.js';
+import { loadProcessConfig } from '../../config-store.js';
 export async function createShortConnection(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const slotId = opts?.slotId ?? '';
-    const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
-    const { AUNClient } = await import('@agentunion/fastaun');
-    const clientOpts = { aun_path: aunPath, debug: false };
-    if (fs.existsSync(caCertPath))
-        clientOpts.root_ca_path = caCertPath;
-    const client = new AUNClient(clientOpts);
+    const encryptionSeed = loadProcessConfig().aun?.encryptionSeed
+        || process.env.AUN_ENCRYPTION_SEED
+        || 'evol';
+    const client = await createAunClient({ aunPath, encryptionSeed });
     await client.auth.createAid({ aid });
     const authResult = await client.auth.authenticate({ aid });
     const accessToken = authResult?.access_token ?? client._access_token;