evolclaw 3.1.4 → 3.1.5

package/dist/aun/aid/identity.js

@@ -1,7 +1,8 @@
 import fs from 'fs';
 import path from 'path';
 import crypto from 'crypto';
-import { getAunClient, createAunClient, downloadCaRoot } from './client.js';
+import { getAidStore, loadAid, loadClient, AidLoadError, SLOT } from './store.js';
+import { downloadCaRoot } from './client.js';
 import { resolvePaths, agentMdPath, aunPath as defaultAunPath } from '../../paths.js';
 // ==================== Validation ====================
 export function isValidAid(name) {
@@ -94,41 +95,39 @@ export function aidList(aunPath) {
  */
 export async function verifySignAbility(aid, opts) {
     const aunPath = opts?.aunPath ?? defaultAunPath();
-    let ownClient = null;
+    let ownStore = null;
     try {
-        let client = opts?.client;
-        if (!client) {
-            client = await createAunClient({ aunPath });
-            ownClient = client;
+        let store = opts?.store;
+        if (!store) {
+            store = await getAidStore({ slotId: SLOT.cli, aunPath });
+            ownStore = store;
         }
-        const probe = `# probe\naid: "${aid}"\n`;
-        let signed;
+        // 加载本地 AID 值对象（含私钥），sign + verify 全本地完成
+        let aidObj;
         try {
-            signed = await client.auth.signAgentMd(probe, { aid });
+            aidObj = loadAid(store, aid);
         }
         catch (e) {
-            return { ok: false, reason: `sign failed: ${String(e?.message || e).slice(0, 120)}` };
+            const code = e instanceof AidLoadError ? e.code : 'LOAD_FAILED';
+            return { ok: false, reason: `load failed: ${code} ${String(e?.message || e).slice(0, 100)}` };
         }
-        const certPath = path.join(aunPath, 'AIDs', aid, 'public', 'cert.pem');
-        const certPem = fs.existsSync(certPath) ? fs.readFileSync(certPath, 'utf-8') : '';
-        if (!certPem)
-            return { ok: false, reason: 'cert.pem missing' };
-        let result;
-        try {
-            result = await client.auth.verifyAgentMd(signed, { aid, certPem });
+        const probe = `# probe\naid: "${aid}"\n`;
+        const signRes = aidObj.signAgentMd(probe);
+        if (!signRes.ok) {
+            return { ok: false, reason: `sign failed: ${String(signRes.error?.message || signRes.error?.code).slice(0, 120)}` };
         }
-        catch (e) {
-            return { ok: false, reason: `verify threw: ${String(e?.message || e).slice(0, 120)}` };
+        const verifyRes = aidObj.verifyAgentMd(signRes.data.signed);
+        if (!verifyRes.ok) {
+            return { ok: false, reason: `verify threw: ${String(verifyRes.error?.message || verifyRes.error?.code).slice(0, 120)}` };
         }
-        const verified = result?.status === 'verified' || result?.verified === true;
-        if (verified)
+        if (verifyRes.data.status === 'verified')
             return { ok: true };
-        return { ok: false, reason: `verify failed: ${result?.status ?? 'unknown'}${result?.reason ? ' — ' + result.reason : ''}` };
+        return { ok: false, reason: `verify failed: ${verifyRes.data.status ?? 'unknown'}${verifyRes.data.reason ? ' — ' + verifyRes.data.reason : ''}` };
     }
     finally {
-        if (ownClient) {
+        if (ownStore) {
             try {
-                await ownClient.close();
+                ownStore.close();
             }
             catch { /* ignore */ }
         }
@@ -141,7 +140,7 @@ export async function verifySignAbility(aid, opts) {
 export async function aidListVerified(aunPath) {
     const list = aidList(aunPath);
     const root = aunPath ?? defaultAunPath();
-    const client = await createAunClient({ aunPath: root });
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath: root });
     try {
         for (const a of list) {
             // canSign=false 的 AID 不必跑实测，结论已经明确
@@ -161,7 +160,7 @@ export async function aidListVerified(aunPath) {
                 });
                 continue;
             }
-            const r = await verifySignAbility(a.aid, { aunPath: root, client });
+            const r = await verifySignAbility(a.aid, { aunPath: root, store });
             a.signVerified = r.ok;
             if (!r.ok)
                 a.signError = r.reason;
@@ -173,7 +172,7 @@ export async function aidListVerified(aunPath) {
     }
     finally {
         try {
-            await client.close();
+            store.close();
         }
         catch { /* ignore */ }
     }
@@ -182,43 +181,79 @@ export async function aidListVerified(aunPath) {
 export async function aidCreate(aid, opts) {
     const aunPath = opts?.aunPath ?? defaultAunPath();
     const aidDir = path.join(aunPath, 'AIDs', aid);
-    if (fs.existsSync(aidDir) && fs.existsSync(path.join(aidDir, 'private'))) {
-        const client = await getAunClient(aid, { aunPath });
-        return { aid, alreadyExisted: true, gateway: '', client };
-    }
-    const { GatewayDiscovery } = await import('@agentunion/fastaun');
-    let client = await createAunClient({ aunPath });
-    try {
-        const result = await client.auth.createAid({ aid });
-        const gateway = result.gateway || '';
-        const caDownloaded = await downloadCaRoot(aunPath, gateway);
-        const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
-        if (caDownloaded && fs.existsSync(caCertPath)) {
+    const hasPrivateKey = fs.existsSync(path.join(aidDir, 'private'));
+    // 如果私钥已存在，先验证签名能力
+    if (hasPrivateKey) {
+        const verifyResult = await verifySignAbility(aid, { aunPath });
+        if (verifyResult.ok) {
+            // 身份有效：加载并认证，返回已认证的 client
+            const store = await getAidStore({ slotId: SLOT.cli, aunPath });
             try {
-                await client.close();
+                const client = await loadClient(store, aid);
+                const auth = await client.authenticate();
+                return { aid, alreadyExisted: true, gateway: String(auth?.gateway ?? ''), client, store };
             }
-            catch { /* ignore */ }
-            client = await createAunClient({ aunPath });
-            await client.auth.createAid({ aid });
-        }
-        let gatewayUrl = gateway;
-        if (!gatewayUrl) {
-            try {
-                const discovery = new GatewayDiscovery({});
-                gatewayUrl = await discovery.discover(`https://${aid}/.well-known/aun-gateway`);
+            catch (e) {
+                store.close();
+                throw e;
             }
-            catch { /* fall through */ }
         }
-        if (gatewayUrl) {
-            client._gatewayUrl = gatewayUrl;
+        // 签名验证失败
+        if (!opts?.force) {
+            const error = new Error(`AID ${aid} 已存在但身份无效（${verifyResult.reason || '签名验证失败'}）。\n` +
+                `使用 --force 参数尝试恢复或重新注册。`);
+            error.code = 'AID_INVALID';
+            error.reason = verifyResult.reason;
+            throw error;
+        }
+        // --force：先尝试 authenticate 恢复证书
+        const recoverStore = await getAidStore({ slotId: SLOT.cli, aunPath });
+        try {
+            const recoverClient = await loadClient(recoverStore, aid);
+            const auth = await recoverClient.authenticate();
+            return { aid, alreadyExisted: true, gateway: String(auth?.gateway ?? ''), client: recoverClient, store: recoverStore };
+        }
+        catch {
+            recoverStore.close();
+            fs.rmSync(aidDir, { recursive: true, force: true });
         }
-        return { aid, alreadyExisted: false, gateway: gatewayUrl, client };
     }
-    catch (e) {
+    // 新注册流程：AIDStore.register → downloadCaRoot → load → authenticate
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath });
+    try {
+        const regResult = await store.register(aid);
+        if (!regResult.ok) {
+            const e = new Error(regResult.error.message);
+            e.code = regResult.error.code;
+            throw e;
+        }
+        // 注册成功后下载 CA 根证书（如果还没有）
+        // 从 AID well-known 发现 gateway 用于 CA 下载
+        let gatewayUrl = '';
         try {
-            await client.close();
+            const { GatewayDiscovery } = await import('@agentunion/fastaun');
+            const discovery = new GatewayDiscovery({});
+            gatewayUrl = await discovery.discover(`https://${aid}/.well-known/aun-gateway`);
         }
-        catch { /* ignore */ }
+        catch { /* fall through */ }
+        if (gatewayUrl) {
+            await downloadCaRoot(aunPath, gatewayUrl);
+        }
+        // 重建 store（CA 可能刚下载，需要 rootCaPath 生效）
+        store.close();
+        const store2 = await getAidStore({ slotId: SLOT.cli, aunPath });
+        try {
+            const client = await loadClient(store2, aid);
+            await client.authenticate();
+            return { aid, alreadyExisted: false, gateway: gatewayUrl, client, store: store2 };
+        }
+        catch (e) {
+            store2.close();
+            throw e;
+        }
+    }
+    catch (e) {
+        store.close();
         throw e;
     }
 }
@@ -263,11 +298,11 @@ export async function aidShow(aid, opts) {
     let agentMdSignatureReason;
     let signVerified = null;
     let signError;
-    // 先做一次签名自检（共享 client，避免重复起 SDK）
-    const client = await createAunClient({ aunPath });
+    // 先做一次签名自检（共享 store，避免重复起 SDK）
+    const store = await getAidStore({ slotId: SLOT.cli, aunPath });
     try {
         if (hasPrivateKey && certPem && !certExpired && keyMatchesCert !== false) {
-            const r = await verifySignAbility(aid, { aunPath, client });
+            const r = await verifySignAbility(aid, { aunPath, store });
             signVerified = r.ok;
             if (!r.ok)
                 signError = r.reason;
@@ -290,16 +325,22 @@ export async function aidShow(aid, opts) {
                     agentMdSignature = 'unsigned';
                 }
                 else {
-                    const result = await client.auth.verifyAgentMd(content, { aid, ...(certPem ? { certPem } : {}) });
-                    if (result.status === 'verified' || result.verified) {
+                    // 用本地 AID 值对象验签（含本地 cert 公钥）
+                    const aidObj = loadAid(store, aid);
+                    const result = aidObj.verifyAgentMd(content);
+                    if (!result.ok) {
+                        agentMdSignature = 'unknown';
+                        agentMdSignatureReason = String(result.error?.message || result.error?.code).slice(0, 100);
+                    }
+                    else if (result.data.status === 'verified') {
                         agentMdSignature = 'verified';
                     }
-                    else if (result.status === 'unsigned') {
+                    else if (result.data.status === 'unsigned') {
                         agentMdSignature = 'unsigned';
                     }
                     else {
                         agentMdSignature = 'invalid';
-                        agentMdSignatureReason = result.reason;
+                        agentMdSignatureReason = result.data.reason;
                     }
                 }
             }
@@ -311,7 +352,7 @@ export async function aidShow(aid, opts) {
     }
     finally {
         try {
-            await client.close();
+            store.close();
         }
         catch { }
     }

package/dist/aun/aid/index.js

@@ -1,3 +1,4 @@
 export { isValidAid, aidList, aidListVerified, aidCreate, aidShow, aidDelete, aidLookup, verifySignAbility, probePkiRecoverability, appendAidLifecycle, readAidLifecycle } from './identity.js';
 export { buildInitialAgentMd, agentmdGet, agentmdPut, agentmdSync } from './agentmd.js';
-export { MIN_AUN_CORE_SDK, AUN_CORE_SDK_PKG, isAunSdkVersionOk, resolveAunCoreSdkPkg, ensureAunSdk, isAunSdkReady, downloadCaRoot, getAunClient, suppressSdkLogs, } from './client.js';
+export { MIN_AUN_CORE_SDK, AUN_CORE_SDK_PKG, isAunSdkVersionOk, resolveAunCoreSdkPkg, ensureAunSdk, isAunSdkReady, downloadCaRoot, suppressSdkLogs, } from './client.js';
+export { getAidStore, loadClient, loadAid, AidLoadError, SLOT } from './store.js';

package/dist/aun/aid/store.js

@@ -0,0 +1,74 @@
+import fs from 'fs';
+import path from 'path';
+/**
+ * Slot 命名约定（基于 fastaun 0.4.3 隔离键语义）。
+ *
+ * slotIsolationKey 取第一个分隔符（空格/'/'/':'）之前的部分作为隔离键，
+ * 隔离键相同 = 共享消费通道（token / seq 游标 / 消息过滤）。
+ *
+ *   'evolclaw daemon'   → 隔离键 'evolclaw'   ┐
+ *   'evolclaw cli'      → 隔离键 'evolclaw'   ├ 共享 evolclaw 消费通道
+ *   'evolclaw netcheck' → 隔离键 'evolclaw'   ┘
+ *   'evolclaw-bench'    → 隔离键 'evolclaw-bench'（连字符非分隔符）→ 独立通道
+ *
+ * 设计意图：
+ *  - daemon 长连接 + cli 短连接共存于 evolclaw 通道（1 长 + N 短，短连接不踢长连接）
+ *  - netcheck 长连接抢 evolclaw 长连接位 → 踢掉 daemon（用于踢人/extra_info 测试）
+ *  - bench 各并发单元用 evolclaw-bench-<N>，各自独立隔离键，互不干扰
+ */
+export const SLOT = {
+    daemon: 'evolclaw daemon',
+    cli: 'evolclaw cli',
+    bench: 'evolclaw-bench',
+    netcheck: 'evolclaw netcheck',
+};
+/** 加载身份失败时抛出，携带 SDK 的错误码与消息。 */
+export class AidLoadError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = 'AidLoadError';
+        this.code = code;
+    }
+}
+/**
+ * 统一构造 AIDStore。
+ *
+ * 接管旧 createAunClient 的职责：注入 encryptionSeed、rootCaPath、debug、slotId。
+ * deviceId 不传 —— 由 SDK 从 {aunPath}/.device_id 读取或生成（同机共享）。
+ */
+export async function getAidStore(opts) {
+    const { aunPath: defaultAunPath } = await import('../../paths.js');
+    const { loadProcessConfig } = await import('../../config-store.js');
+    const { AIDStore } = await import('@agentunion/fastaun');
+    const aunPath = opts.aunPath ?? defaultAunPath();
+    const encryptionSeed = loadProcessConfig().aun?.encryptionSeed
+        ?? process.env.AUN_ENCRYPTION_SEED
+        ?? 'evol';
+    const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
+    const storeOpts = {
+        aunPath,
+        encryptionSeed,
+        slotId: opts.slotId,
+        debug: opts.debug ?? false,
+    };
+    if (fs.existsSync(caCertPath))
+        storeOpts.rootCaPath = caCertPath;
+    return new AIDStore(storeOpts);
+}
+/**
+ * 从 store 加载本地身份并构造已就绪的 AUNClient（尚未连接）。
+ *
+ * load 失败（证书缺失/过期/链断裂/私钥不匹配等）抛 AidLoadError，携带 SDK 错误码。
+ */
+export async function loadClient(store, aid) {
+    const { AUNClient } = await import('@agentunion/fastaun');
+    return new AUNClient(loadAid(store, aid));
+}
+/** 加载本地 AID 值对象（用于离线签名/验签，无需连接）。load 失败抛 AidLoadError。 */
+export function loadAid(store, aid) {
+    const r = store.load(aid);
+    if (!r.ok)
+        throw new AidLoadError(r.error.code, r.error.message);
+    return r.data.aid;
+}

package/dist/aun/msg/p2p.js

@@ -1,5 +1,6 @@
 import path from 'path';
 import { createShortConnection } from '../rpc/index.js';
+import { getAidStore, SLOT } from '../aid/store.js';
 import { uploadFileAndBuildPayload } from './upload.js';
 import { appendMessageLog, buildOutboundEntry } from '../../core/message/message-log.js';
 import { chatDirPath } from '../../core/session/session-fs-store.js';
@@ -7,11 +8,21 @@ import { resolvePaths } from '../../paths.js';
 export async function msgSend(args) {
     const conn = await createShortConnection(args.from, { aunPath: args.aunPath, slotId: args.slotId });
     try {
-        // 1. 解析对端身份（30天缓存）
+        // 1. 解析对端身份（30天缓存）。身份解析走 HTTP+PKI（store），与发消息的短连接无关。
         const { agentsDir } = resolvePaths();
         const selfAgentDir = path.join(agentsDir, args.from);
         const { PeerIdentityCache } = await import('../../core/relation/peer-identity.js');
-        const peerIdentity = await PeerIdentityCache.resolve('aun', args.to, selfAgentDir, conn, false);
+        const idStore = await getAidStore({ slotId: args.slotId ?? SLOT.cli, aunPath: args.aunPath });
+        let peerIdentity;
+        try {
+            peerIdentity = await PeerIdentityCache.resolve('aun', args.to, selfAgentDir, idStore, false);
+        }
+        finally {
+            try {
+                idStore.close();
+            }
+            catch { /* ignore */ }
+        }
         // 2. 决定 chatmode（遵循来源1-3）
         // 私聊：非 human 对端 → proactive，human 对端 → interactive
         const chatmode = peerIdentity.isAgent ? 'proactive' : 'interactive';
@@ -81,6 +92,19 @@ export async function msgSend(args) {
                     msgType: 'text',
                     source,
                 }));
+                // 通知 daemon 更新 stats（如果 daemon 在运行）
+                try {
+                    const { ipcQuery } = await import('../../ipc.js');
+                    await ipcQuery(resolvePaths().socket, {
+                        type: 'aun-aid-stats-record-outbound',
+                        aid: args.from,
+                        toPeer: args.to,
+                        text: textContent,
+                        encrypt: args.encrypt === true,
+                        chatmode,
+                    }, 1000);
+                }
+                catch { /* daemon 不在或 IPC 失败都忽略 */ }
             }
             catch { }
         }

package/dist/aun/rpc/connection.js

@@ -1,32 +1,25 @@
-import { aunPath as defaultAunPath } from '../../paths.js';
-import { createAunClient } from '../aid/client.js';
-import { loadProcessConfig } from '../../config-store.js';
+import { getAidStore, loadClient, SLOT } from '../aid/store.js';
 export async function createShortConnection(aid, opts) {
-    const aunPath = opts?.aunPath ?? defaultAunPath();
-    const slotId = opts?.slotId ?? '';
-    const encryptionSeed = loadProcessConfig().aun?.encryptionSeed
-        || process.env.AUN_ENCRYPTION_SEED
-        || 'evol';
-    const client = await createAunClient({ aunPath, encryptionSeed });
-    await client.auth.createAid({ aid });
-    const authResult = await client.auth.authenticate({ aid });
-    const accessToken = authResult?.access_token ?? client._access_token;
-    const gateway = client._gatewayUrl ?? authResult?.gateway;
-    await client.connect({
-        access_token: accessToken,
-        gateway,
-        slot_id: slotId,
-        connection_kind: 'short',
-    }, { auto_reconnect: false });
-    return {
-        async call(method, params) {
-            return client.call(method, params);
-        },
-        async close() {
-            try {
-                await client.close();
-            }
-            catch { /* ignore */ }
-        },
-    };
+    const store = await getAidStore({ slotId: opts?.slotId ?? SLOT.cli, aunPath: opts?.aunPath });
+    try {
+        const client = await loadClient(store, aid);
+        await client.connect({ connection_kind: 'short', short_ttl_ms: 30000, auto_reconnect: false });
+        return {
+            async call(method, params) {
+                return client.call(method, params);
+            },
+            async close() {
+                try {
+                    await client.close();
+                }
+                finally {
+                    store.close();
+                }
+            },
+        };
+    }
+    catch (e) {
+        store.close();
+        throw e;
+    }
 }