evolclaw 3.1.3 → 3.1.5

package/dist/aun/aid/identity.js

@@ -1,119 +1,446 @@
 import fs from 'fs';
 import path from 'path';
-import os from 'os';
 import crypto from 'crypto';
-import { getAunClient, downloadCaRoot } from './client.js';
-import { resolvePaths, aidsDir as evolclawAidsDir, agentMdPath } from '../../paths.js';
+import { getAidStore, loadAid, loadClient, AidLoadError, SLOT } from './store.js';
+import { downloadCaRoot } from './client.js';
+import { resolvePaths, agentMdPath, aunPath as defaultAunPath } from '../../paths.js';
 // ==================== Validation ====================
 export function isValidAid(name) {
     const labels = name.split('.');
     return labels.length >= 3 && labels.every(l => /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$/.test(l));
 }
+/**
+ * 根据扫描得到的状态推断 AID 分类。
+ *  - hasPrivateKey + signVerified=true            → mine
+ *  - hasPrivateKey + (signVerified=false 或未实测) → broken
+ *  - !hasPrivateKey + hasCert                     → peer-cert
+ *  - !hasPrivateKey + !hasCert                    → no-cert
+ */
+function categorizeAid(info) {
+    if (info.hasPrivateKey) {
+        if (info.signVerified === true)
+            return 'mine';
+        return 'broken';
+    }
+    return info.hasCert ? 'peer-cert' : 'no-cert';
+}
 // ==================== AID Operations ====================
 export function aidList(aunPath) {
-    const aunAidsDir = path.join(aunPath ?? path.join(os.homedir(), '.aun'), 'AIDs');
-    const ecAidsDir = evolclawAidsDir();
+    const root = aunPath ?? defaultAunPath();
+    const aunAidsDir = path.join(root, 'AIDs');
     const seen = new Map();
-    // Scan ~/.aun/AIDs (private keys live here)
     if (fs.existsSync(aunAidsDir)) {
         for (const e of fs.readdirSync(aunAidsDir, { withFileTypes: true })) {
             if (!e.isDirectory())
                 continue;
+            const aidDir = path.join(aunAidsDir, e.name);
+            const keyJsonPath = path.join(aidDir, 'private', 'key.json');
+            const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
+            const certPath = path.join(aidDir, 'public', 'cert.pem');
+            let hasCert = false;
+            let certExpired = false;
+            let keyMatchesCert = null;
+            if (fs.existsSync(certPath)) {
+                hasCert = true;
+                try {
+                    const certPem = fs.readFileSync(certPath, 'utf-8');
+                    const x509 = new crypto.X509Certificate(certPem);
+                    certExpired = new Date(x509.validTo) < new Date();
+                    if (hasPrivateKey && fs.existsSync(keyJsonPath)) {
+                        try {
+                            const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+                            const localPubB64 = typeof kp?.public_key_der_b64 === 'string' ? kp.public_key_der_b64 : '';
+                            if (localPubB64) {
+                                const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+                                const localPubDer = Buffer.from(localPubB64, 'base64');
+                                keyMatchesCert = certPubDer.equals(localPubDer);
+                            }
+                        }
+                        catch { /* key.json 不可解析视作不匹配 */
+                            keyMatchesCert = false;
+                        }
+                    }
+                }
+                catch {
+                    // 证书无法解析视为过期 / 不可用
+                    certExpired = true;
+                }
+            }
             seen.set(e.name, {
                 aid: e.name,
-                hasPrivateKey: fs.existsSync(path.join(aunAidsDir, e.name, 'private')),
+                category: categorizeAid({
+                    hasPrivateKey,
+                    hasCert,
+                    // 静态扫描没跑实测，用 canSign 作为 mine/broken 的近似判定
+                    signVerified: hasPrivateKey ? (hasCert && !certExpired && keyMatchesCert === true) : null,
+                    canSign: hasPrivateKey && hasCert && !certExpired && keyMatchesCert === true,
+                }),
+                hasPrivateKey,
                 hasAgentMd: fs.existsSync(agentMdPath(e.name)),
+                hasCert,
+                certExpired,
+                keyMatchesCert,
+                canSign: hasPrivateKey && hasCert && !certExpired && keyMatchesCert === true,
+                signVerified: null,
             });
         }
     }
-    // Scan $EVOLCLAW_HOME/AIDs (agent.md lives here)
-    if (fs.existsSync(ecAidsDir) && ecAidsDir !== aunAidsDir) {
-        for (const e of fs.readdirSync(ecAidsDir, { withFileTypes: true })) {
-            if (!e.isDirectory())
-                continue;
-            if (seen.has(e.name))
+    return [...seen.values()];
+}
+// ==================== Sign Self-Test ====================
+/**
+ * 实跑一次本地 sign + verify，验证 AID 是否真能签名/验签。
+ * 全本地（不联网）：用 SDK 解密私钥 → ECDSA 签 payload → 用本地 cert 公钥验。
+ * 任一环节失败都视为不可签——包括私钥 passphrase 解不开、cert 被 SDK 主动 discard 等。
+ */
+export async function verifySignAbility(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
+    let ownStore = null;
+    try {
+        let store = opts?.store;
+        if (!store) {
+            store = await getAidStore({ slotId: SLOT.cli, aunPath });
+            ownStore = store;
+        }
+        // 加载本地 AID 值对象（含私钥），sign + verify 全本地完成
+        let aidObj;
+        try {
+            aidObj = loadAid(store, aid);
+        }
+        catch (e) {
+            const code = e instanceof AidLoadError ? e.code : 'LOAD_FAILED';
+            return { ok: false, reason: `load failed: ${code} ${String(e?.message || e).slice(0, 100)}` };
+        }
+        const probe = `# probe\naid: "${aid}"\n`;
+        const signRes = aidObj.signAgentMd(probe);
+        if (!signRes.ok) {
+            return { ok: false, reason: `sign failed: ${String(signRes.error?.message || signRes.error?.code).slice(0, 120)}` };
+        }
+        const verifyRes = aidObj.verifyAgentMd(signRes.data.signed);
+        if (!verifyRes.ok) {
+            return { ok: false, reason: `verify threw: ${String(verifyRes.error?.message || verifyRes.error?.code).slice(0, 120)}` };
+        }
+        if (verifyRes.data.status === 'verified')
+            return { ok: true };
+        return { ok: false, reason: `verify failed: ${verifyRes.data.status ?? 'unknown'}${verifyRes.data.reason ? ' — ' + verifyRes.data.reason : ''}` };
+    }
+    finally {
+        if (ownStore) {
+            try {
+                ownStore.close();
+            }
+            catch { /* ignore */ }
+        }
+    }
+}
+/**
+ * aidList 的"实测版"：先做静态扫描，再对每个 AID 跑一次本地 sign+verify。
+ * 共用同一个 AUNClient 实例，避免重复初始化 secret-store / sqlite。
+ */
+export async function aidListVerified(aunPath) {
+    const list = aidList(aunPath);
+    const root = aunPath ?? defaultAunPath();
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath: root });
+    try {
+        for (const a of list) {
+            // canSign=false 的 AID 不必跑实测，结论已经明确
+            if (!a.canSign) {
+                a.signVerified = false;
+                if (!a.hasPrivateKey)
+                    a.signError = 'no private key';
+                else if (!a.hasCert)
+                    a.signError = 'no cert';
+                else if (a.certExpired)
+                    a.signError = 'cert expired';
+                else if (a.keyMatchesCert === false)
+                    a.signError = 'key/cert public-key mismatch';
+                a.category = categorizeAid({
+                    hasPrivateKey: a.hasPrivateKey, hasCert: a.hasCert,
+                    signVerified: a.signVerified, canSign: a.canSign,
+                });
                 continue;
-            seen.set(e.name, {
-                aid: e.name,
-                hasPrivateKey: fs.existsSync(path.join(aunAidsDir, e.name, 'private')),
-                hasAgentMd: fs.existsSync(agentMdPath(e.name)),
+            }
+            const r = await verifySignAbility(a.aid, { aunPath: root, store });
+            a.signVerified = r.ok;
+            if (!r.ok)
+                a.signError = r.reason;
+            a.category = categorizeAid({
+                hasPrivateKey: a.hasPrivateKey, hasCert: a.hasCert,
+                signVerified: a.signVerified, canSign: a.canSign,
             });
         }
     }
-    return [...seen.values()];
+    finally {
+        try {
+            store.close();
+        }
+        catch { /* ignore */ }
+    }
+    return list;
 }
 export async function aidCreate(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
-    if (fs.existsSync(aidDir) && fs.existsSync(path.join(aidDir, 'private'))) {
-        const client = await getAunClient(aid, { aunPath });
-        return { aid, alreadyExisted: true, gateway: '', client };
-    }
-    const { AUNClient, GatewayDiscovery } = await import('@agentunion/fastaun');
-    let client = new AUNClient({ aun_path: aunPath });
-    try {
-        const result = await client.auth.createAid({ aid });
-        const gateway = result.gateway || '';
-        const caDownloaded = await downloadCaRoot(aunPath, gateway);
-        const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
-        if (caDownloaded && fs.existsSync(caCertPath)) {
+    const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
+    // 如果私钥已存在，先验证签名能力
+    if (hasPrivateKey) {
+        const verifyResult = await verifySignAbility(aid, { aunPath });
+        if (verifyResult.ok) {
+            // 身份有效：加载并认证，返回已认证的 client
+            const store = await getAidStore({ slotId: SLOT.cli, aunPath });
             try {
-                await client.close();
+                const client = await loadClient(store, aid);
+                const auth = await client.authenticate();
+                return { aid, alreadyExisted: true, gateway: String(auth?.gateway ?? ''), client, store };
             }
-            catch { /* ignore */ }
-            client = new AUNClient({ aun_path: aunPath, root_ca_path: caCertPath });
-            await client.auth.createAid({ aid });
-        }
-        let gatewayUrl = gateway;
-        if (!gatewayUrl) {
-            try {
-                const discovery = new GatewayDiscovery({});
-                gatewayUrl = await discovery.discover(`https://${aid}/.well-known/aun-gateway`);
+            catch (e) {
+                store.close();
+                throw e;
             }
-            catch { /* fall through */ }
         }
-        if (gatewayUrl) {
-            client._gatewayUrl = gatewayUrl;
+        // 签名验证失败
+        if (!opts?.force) {
+            const error = new Error(`AID ${aid} 已存在但身份无效（${verifyResult.reason || '签名验证失败'}）。\n` +
+                `使用 --force 参数尝试恢复或重新注册。`);
+            error.code = 'AID_INVALID';
+            error.reason = verifyResult.reason;
+            throw error;
+        }
+        // --force：先尝试 authenticate 恢复证书
+        const recoverStore = await getAidStore({ slotId: SLOT.cli, aunPath });
+        try {
+            const recoverClient = await loadClient(recoverStore, aid);
+            const auth = await recoverClient.authenticate();
+            return { aid, alreadyExisted: true, gateway: String(auth?.gateway ?? ''), client: recoverClient, store: recoverStore };
+        }
+        catch {
+            recoverStore.close();
+            fs.rmSync(aidDir, { recursive: true, force: true });
         }
-        return { aid, alreadyExisted: false, gateway: gatewayUrl, client };
     }
-    catch (e) {
+    // 新注册流程：AIDStore.register → downloadCaRoot → load → authenticate
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath });
+    try {
+        const regResult = await store.register(aid);
+        if (!regResult.ok) {
+            const e = new Error(regResult.error.message);
+            e.code = regResult.error.code;
+            throw e;
+        }
+        // 注册成功后下载 CA 根证书（如果还没有）
+        // 从 AID well-known 发现 gateway 用于 CA 下载
+        let gatewayUrl = '';
         try {
-            await client.close();
+            const { GatewayDiscovery } = await import('@agentunion/fastaun');
+            const discovery = new GatewayDiscovery({});
+            gatewayUrl = await discovery.discover(`https://${aid}/.well-known/aun-gateway`);
         }
-        catch { /* ignore */ }
+        catch { /* fall through */ }
+        if (gatewayUrl) {
+            await downloadCaRoot(aunPath, gatewayUrl);
+        }
+        // 重建 store（CA 可能刚下载，需要 rootCaPath 生效）
+        store.close();
+        const store2 = await getAidStore({ slotId: SLOT.cli, aunPath });
+        try {
+            const client = await loadClient(store2, aid);
+            await client.authenticate();
+            return { aid, alreadyExisted: false, gateway: gatewayUrl, client, store: store2 };
+        }
+        catch (e) {
+            store2.close();
+            throw e;
+        }
+    }
+    catch (e) {
+        store.close();
         throw e;
     }
 }
 // ==================== Show ====================
-export function aidShow(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+export async function aidShow(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
     const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
     const hasAgentMd = fs.existsSync(agentMdPath(aid));
     let certExpiresAt = null;
     let certSubject = null;
+    let certExpired = false;
+    let certPem = null;
+    let keyMatchesCert = null;
     const certPath = path.join(aidDir, 'public', 'cert.pem');
     if (fs.existsSync(certPath)) {
         try {
-            const pem = fs.readFileSync(certPath, 'utf-8');
-            const x509 = new crypto.X509Certificate(pem);
+            certPem = fs.readFileSync(certPath, 'utf-8');
+            const x509 = new crypto.X509Certificate(certPem);
             certExpiresAt = x509.validTo;
             certSubject = x509.subject;
+            certExpired = new Date(x509.validTo) < new Date();
+            const keyJsonPath = path.join(aidDir, 'private', 'key.json');
+            if (hasPrivateKey && fs.existsSync(keyJsonPath)) {
+                try {
+                    const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+                    const localPubB64 = typeof kp?.public_key_der_b64 === 'string' ? kp.public_key_der_b64 : '';
+                    if (localPubB64) {
+                        const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+                        const localPubDer = Buffer.from(localPubB64, 'base64');
+                        keyMatchesCert = certPubDer.equals(localPubDer);
+                    }
+                }
+                catch {
+                    keyMatchesCert = false;
+                }
+            }
         }
         catch { /* ignore parse errors */ }
     }
-    return { aid, hasPrivateKey, hasAgentMd, certExpiresAt, certSubject };
+    let agentMdSignature = 'unknown';
+    let agentMdSignatureReason;
+    let signVerified = null;
+    let signError;
+    // 先做一次签名自检（共享 store，避免重复起 SDK）
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath });
+    try {
+        if (hasPrivateKey && certPem && !certExpired && keyMatchesCert !== false) {
+            const r = await verifySignAbility(aid, { aunPath, store });
+            signVerified = r.ok;
+            if (!r.ok)
+                signError = r.reason;
+        }
+        else {
+            signVerified = false;
+            if (!hasPrivateKey)
+                signError = 'no private key';
+            else if (!certPem)
+                signError = 'no cert';
+            else if (certExpired)
+                signError = 'cert expired';
+            else if (keyMatchesCert === false)
+                signError = 'key/cert public-key mismatch';
+        }
+        if (hasAgentMd) {
+            try {
+                const content = fs.readFileSync(agentMdPath(aid), 'utf-8');
+                if (!content.includes('AUN-SIGNATURE')) {
+                    agentMdSignature = 'unsigned';
+                }
+                else {
+                    // 用本地 AID 值对象验签（含本地 cert 公钥）
+                    const aidObj = loadAid(store, aid);
+                    const result = aidObj.verifyAgentMd(content);
+                    if (!result.ok) {
+                        agentMdSignature = 'unknown';
+                        agentMdSignatureReason = String(result.error?.message || result.error?.code).slice(0, 100);
+                    }
+                    else if (result.data.status === 'verified') {
+                        agentMdSignature = 'verified';
+                    }
+                    else if (result.data.status === 'unsigned') {
+                        agentMdSignature = 'unsigned';
+                    }
+                    else {
+                        agentMdSignature = 'invalid';
+                        agentMdSignatureReason = result.data.reason;
+                    }
+                }
+            }
+            catch (e) {
+                agentMdSignature = 'unknown';
+                agentMdSignatureReason = String(e?.message || e).slice(0, 100);
+            }
+        }
+    }
+    finally {
+        try {
+            store.close();
+        }
+        catch { }
+    }
+    return { aid, hasPrivateKey, hasAgentMd, certExpiresAt, certSubject, certExpired, keyMatchesCert, signVerified, signError, agentMdSignature, agentMdSignatureReason };
 }
 // ==================== Delete ====================
 export function aidDelete(aid, opts) {
-    const aunPath = opts?.aunPath ?? path.join(os.homedir(), '.aun');
+    const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
     if (!fs.existsSync(aidDir))
         return false;
     fs.rmSync(aidDir, { recursive: true, force: true });
     return true;
 }
+export async function probePkiRecoverability(aid, opts) {
+    const aunPath = opts?.aunPath ?? defaultAunPath();
+    const timeoutMs = opts?.timeoutMs ?? 8000;
+    const keyJsonPath = path.join(aunPath, 'AIDs', aid, 'private', 'key.json');
+    if (!fs.existsSync(keyJsonPath))
+        return { kind: 'no-key' };
+    let localPubB64 = '';
+    try {
+        const kp = JSON.parse(fs.readFileSync(keyJsonPath, 'utf-8'));
+        if (typeof kp?.public_key_der_b64 !== 'string' || !kp.public_key_der_b64) {
+            return { kind: 'unknown', reason: 'key.json missing public_key_der_b64' };
+        }
+        localPubB64 = kp.public_key_der_b64;
+    }
+    catch (e) {
+        return { kind: 'unknown', reason: `key.json parse failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    // 1. 发现网关
+    let gateway = '';
+    try {
+        const ctl = AbortSignal.timeout(timeoutMs);
+        const gwResp = await fetch(`https://${aid}/.well-known/aun-gateway`, { redirect: 'follow', signal: ctl });
+        if (gwResp.ok) {
+            const text = (await gwResp.text()).trim();
+            try {
+                const parsed = JSON.parse(text);
+                gateway = parsed?.gateways?.[0]?.url || text;
+            }
+            catch {
+                gateway = text;
+            }
+        }
+    }
+    catch (e) {
+        return { kind: 'no-server-record', reason: `gateway discovery failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    if (!gateway)
+        return { kind: 'no-server-record', reason: 'no gateway for AID' };
+    // 2. 拉云端 cert
+    let certPem = '';
+    try {
+        const parsed = new URL(gateway);
+        const scheme = parsed.protocol === 'wss:' ? 'https:' : 'http:';
+        const certUrl = `${scheme}//${parsed.host}/pki/cert/${encodeURIComponent(aid)}`;
+        const ctl = AbortSignal.timeout(timeoutMs);
+        const resp = await fetch(certUrl, { redirect: 'follow', signal: ctl });
+        if (!resp.ok) {
+            return { kind: 'no-server-record', reason: `pki/cert HTTP ${resp.status}` };
+        }
+        certPem = (await resp.text()).trim();
+        if (!certPem.includes('BEGIN CERTIFICATE')) {
+            return { kind: 'no-server-record', reason: 'pki/cert returned non-cert content' };
+        }
+    }
+    catch (e) {
+        return { kind: 'no-server-record', reason: `pki/cert fetch failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+    // 3. 比对公钥
+    try {
+        const x509 = new crypto.X509Certificate(certPem);
+        const certPubDer = x509.publicKey.export({ type: 'spki', format: 'der' });
+        const localPubDer = Buffer.from(localPubB64, 'base64');
+        if (certPubDer.equals(localPubDer)) {
+            return { kind: 'recoverable', serverCertPubB64: certPubDer.toString('base64') };
+        }
+        return {
+            kind: 'unrecoverable',
+            reason: 'server has different public key registered, current local private key cannot be used',
+        };
+    }
+    catch (e) {
+        return { kind: 'unknown', reason: `cert parse failed: ${String(e?.message || e).slice(0, 80)}` };
+    }
+}
 // ==================== Lookup ====================
 export async function aidLookup(aid) {
     let gateway = '';

package/dist/aun/aid/index.js

@@ -1,3 +1,4 @@
-export { isValidAid, aidList, aidCreate, aidShow, aidDelete, aidLookup, appendAidLifecycle, readAidLifecycle } from './identity.js';
+export { isValidAid, aidList, aidListVerified, aidCreate, aidShow, aidDelete, aidLookup, verifySignAbility, probePkiRecoverability, appendAidLifecycle, readAidLifecycle } from './identity.js';
 export { buildInitialAgentMd, agentmdGet, agentmdPut, agentmdSync } from './agentmd.js';
-export { MIN_AUN_CORE_SDK, AUN_CORE_SDK_PKG, isAunSdkVersionOk, resolveAunCoreSdkPkg, ensureAunSdk, isAunSdkReady, downloadCaRoot, getAunClient, suppressSdkLogs, } from './client.js';
+export { MIN_AUN_CORE_SDK, AUN_CORE_SDK_PKG, isAunSdkVersionOk, resolveAunCoreSdkPkg, ensureAunSdk, isAunSdkReady, downloadCaRoot, suppressSdkLogs, } from './client.js';
+export { getAidStore, loadClient, loadAid, AidLoadError, SLOT } from './store.js';

package/dist/aun/aid/store.js

@@ -0,0 +1,74 @@
+import fs from 'fs';
+import path from 'path';
+/**
+ * Slot 命名约定（基于 fastaun 0.4.3 隔离键语义）。
+ *
+ * slotIsolationKey 取第一个分隔符（空格/'/'/':'）之前的部分作为隔离键，
+ * 隔离键相同 = 共享消费通道（token / seq 游标 / 消息过滤）。
+ *
+ *   'evolclaw daemon'   → 隔离键 'evolclaw'   ┐
+ *   'evolclaw cli'      → 隔离键 'evolclaw'   ├ 共享 evolclaw 消费通道
+ *   'evolclaw netcheck' → 隔离键 'evolclaw'   ┘
+ *   'evolclaw-bench'    → 隔离键 'evolclaw-bench'（连字符非分隔符）→ 独立通道
+ *
+ * 设计意图：
+ *  - daemon 长连接 + cli 短连接共存于 evolclaw 通道（1 长 + N 短，短连接不踢长连接）
+ *  - netcheck 长连接抢 evolclaw 长连接位 → 踢掉 daemon（用于踢人/extra_info 测试）
+ *  - bench 各并发单元用 evolclaw-bench-<N>，各自独立隔离键，互不干扰
+ */
+export const SLOT = {
+    daemon: 'evolclaw daemon',
+    cli: 'evolclaw cli',
+    bench: 'evolclaw-bench',
+    netcheck: 'evolclaw netcheck',
+};
+/** 加载身份失败时抛出，携带 SDK 的错误码与消息。 */
+export class AidLoadError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = 'AidLoadError';
+        this.code = code;
+    }
+}
+/**
+ * 统一构造 AIDStore。
+ *
+ * 接管旧 createAunClient 的职责：注入 encryptionSeed、rootCaPath、debug、slotId。
+ * deviceId 不传 —— 由 SDK 从 {aunPath}/.device_id 读取或生成（同机共享）。
+ */
+export async function getAidStore(opts) {
+    const { aunPath: defaultAunPath } = await import('../../paths.js');
+    const { loadProcessConfig } = await import('../../config-store.js');
+    const { AIDStore } = await import('@agentunion/fastaun');
+    const aunPath = opts.aunPath ?? defaultAunPath();
+    const encryptionSeed = loadProcessConfig().aun?.encryptionSeed
+        ?? process.env.AUN_ENCRYPTION_SEED
+        ?? 'evol';
+    const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
+    const storeOpts = {
+        aunPath,
+        encryptionSeed,
+        slotId: opts.slotId,
+        debug: opts.debug ?? false,
+    };
+    if (fs.existsSync(caCertPath))
+        storeOpts.rootCaPath = caCertPath;
+    return new AIDStore(storeOpts);
+}
+/**
+ * 从 store 加载本地身份并构造已就绪的 AUNClient（尚未连接）。
+ *
+ * load 失败（证书缺失/过期/链断裂/私钥不匹配等）抛 AidLoadError，携带 SDK 错误码。
+ */
+export async function loadClient(store, aid) {
+    const { AUNClient } = await import('@agentunion/fastaun');
+    return new AUNClient(loadAid(store, aid));
+}
+/** 加载本地 AID 值对象（用于离线签名/验签，无需连接）。load 失败抛 AidLoadError。 */
+export function loadAid(store, aid) {
+    const r = store.load(aid);
+    if (!r.ok)
+        throw new AidLoadError(r.error.code, r.error.message);
+    return r.data.aid;
+}

package/dist/aun/msg/p2p.js

@@ -1,5 +1,6 @@
 import path from 'path';
 import { createShortConnection } from '../rpc/index.js';
+import { getAidStore, SLOT } from '../aid/store.js';
 import { uploadFileAndBuildPayload } from './upload.js';
 import { appendMessageLog, buildOutboundEntry } from '../../core/message/message-log.js';
 import { chatDirPath } from '../../core/session/session-fs-store.js';
@@ -7,11 +8,21 @@ import { resolvePaths } from '../../paths.js';
 export async function msgSend(args) {
     const conn = await createShortConnection(args.from, { aunPath: args.aunPath, slotId: args.slotId });
     try {
-        // 1. 解析对端身份（30天缓存）
+        // 1. 解析对端身份（30天缓存）。身份解析走 HTTP+PKI（store），与发消息的短连接无关。
         const { agentsDir } = resolvePaths();
         const selfAgentDir = path.join(agentsDir, args.from);
         const { PeerIdentityCache } = await import('../../core/relation/peer-identity.js');
-        const peerIdentity = await PeerIdentityCache.resolve('aun', args.to, selfAgentDir, conn, false);
+        const idStore = await getAidStore({ slotId: args.slotId ?? SLOT.cli, aunPath: args.aunPath });
+        let peerIdentity;
+        try {
+            peerIdentity = await PeerIdentityCache.resolve('aun', args.to, selfAgentDir, idStore, false);
+        }
+        finally {
+            try {
+                idStore.close();
+            }
+            catch { /* ignore */ }
+        }
         // 2. 决定 chatmode（遵循来源1-3）
         // 私聊：非 human 对端 → proactive，human 对端 → interactive
         const chatmode = peerIdentity.isAgent ? 'proactive' : 'interactive';
@@ -81,6 +92,19 @@ export async function msgSend(args) {
                     msgType: 'text',
                     source,
                 }));
+                // 通知 daemon 更新 stats（如果 daemon 在运行）
+                try {
+                    const { ipcQuery } = await import('../../ipc.js');
+                    await ipcQuery(resolvePaths().socket, {
+                        type: 'aun-aid-stats-record-outbound',
+                        aid: args.from,
+                        toPeer: args.to,
+                        text: textContent,
+                        encrypt: args.encrypt === true,
+                        chatmode,
+                    }, 1000);
+                }
+                catch { /* daemon 不在或 IPC 失败都忽略 */ }
             }
             catch { }
         }