evolclaw 3.1.4 → 3.1.6

package/dist/agents/kit-renderer.js

@@ -7,6 +7,9 @@ const PARAM_DESCRIPTIONS = {
     EVOLCLAW_HOME: '用户数据根目录',
     PACKAGE_ROOT: 'evolclaw 包根目录',
     CURRENT_PROJECT: '当前项目完整路径',
+    PERSONAL_DIR: '当前 agent 个人数据目录',
+    RELATIONS_DIR: '当前 agent 关系数据目录',
+    VENUES_DIR: '当前 agent 环境数据目录',
     selfAid: '当前 agent 的 AID',
     selfName: '当前 agent 的显示名',
     hasPersona: '是否有 persona 内容',
@@ -16,21 +19,35 @@ const PARAM_DESCRIPTIONS = {
     peerName: '对端显示名',
     peerRole: '对端角色（owner/admin/guest/anonymous）',
     peerType: '对端类型（human/agent）',
+    sameDevice: '对端与本端同一物理设备（E2EE 消息 proximity，仅加密消息有值）',
+    sameNetwork: '对端与本端在同一网络内',
+    sameEgressIp: '对端与本端共享同一出口 IP',
     groupId: '群组 ID（群聊时）',
     chatType: '聊天类型（private=私聊 / group=群聊 / null=本地开发）',
     channel: '渠道类型（aun/feishu/wechat/dingtalk/qqbot/wecom）',
     venueUid: '场所唯一标识（预留）',
+    dispatch: '群分发模式（mention=被@才响应 / broadcast=所有消息都响应）',
+    clientType: '客户端类型（desktop/web/mobile）',
+    permissionMode: '权限模式（auto/bypass/request/edit/plan/noask/readonly）',
     capabilities: '当前渠道支持的能力列表',
     project: '当前项目目录名',
     sessionId: 'evolclaw 会话 ID',
     sessionName: '会话名称',
+    sessionKey: '会话路由键（channelType#urlEncode(channelId)#urlEncode(threadId)）',
     sessionCreatedAt: '会话创建时间（ISO）',
+    timezone: 'IANA 时区名（把 ISO 时间戳转本地时间用，如 Asia/Shanghai）',
+    tzOffset: '当前 UTC 偏移（如 +08:00）',
+    osInfo: '操作系统及版本（如 Windows 11 Pro (win32 10.0.26200)）',
     threadId: '话题 ID（多话题路由时）',
     chatMode: '会话模式（interactive=同步交互 / proactive=主动推送）',
     readonly: '是否只读模式',
+    evolclawMode: 'evolclaw 运行模式（dev=源码仓库可直接修改 | install=全局安装包只读）',
     baseAgent: 'base agent 规范值（claude/codex/gemini/hermes）',
     baseAgentName: 'base agent 显示名',
-    baseAgentModel: 'base agent 使用的模型',
+    baseAgentModel: 'base agent 引擎底座模型（evolclaw 作用域无配置时的兜底）',
+    effectiveModel: '当前实际生效模型（关系级 > agent级 > 全局 优先级解析结果）',
+    modelFallbackActive: 'evolclaw 配置的模型不可用，当前正在使用降级模型',
+    modelFallbackModel: '当前降级使用的 base agent 模型名',
     agentSessionId: 'base agent 会话 ID',
 };
 function buildPathMappings(vars) {
@@ -47,6 +64,9 @@ function buildPathMappings(vars) {
         { prefix: pkgRoot, alias: '$PACKAGE_ROOT' },
     ];
     if (selfAid) {
+        mappings.push({ prefix: path.join(evolHome, 'agents', selfAid, 'personal'), alias: '$PERSONAL_DIR' });
+        mappings.push({ prefix: path.join(evolHome, 'agents', selfAid, 'relations'), alias: '$RELATIONS_DIR' });
+        mappings.push({ prefix: path.join(evolHome, 'agents', selfAid, 'venues'), alias: '$VENUES_DIR' });
         mappings.push({ prefix: path.join(evolHome, 'agents', selfAid), alias: '$AGENT_DIR' });
     }
     mappings.push({ prefix: evolHome, alias: '$EVOLCLAW_HOME' });
@@ -90,33 +110,75 @@ export function renderKitSections(ctx) {
     const fileParts = [];
     const fragmentParts = [];
     const pathMappings = buildPathMappings(ctx.vars);
+    const diagnostics = [];
     for (const section of sections) {
-        if (section.enabled === false)
+        const rawPath = section.type === 'file' ? (section.file ?? '') : (section.path ?? '');
+        const diag = {
+            id: section.id,
+            description: section.description,
+            type: section.type,
+            rawPath,
+            pattern: section.pattern,
+            needsInjection: section.needsInjection,
+            when: section.when,
+            enabled: section.enabled !== false,
+            whenPassed: false,
+            resolvedPath: null,
+            resolveStatus: 'no-path',
+            fileCount: 0,
+            used: false,
+            injected: false,
+        };
+        if (section.enabled === false) {
+            diag.resolveStatus = 'skipped-disabled';
+            diagnostics.push(diag);
             continue;
-        if (!evaluateWhen(section.when, ctx.vars))
+        }
+        diag.whenPassed = evaluateWhen(section.when, ctx.vars);
+        if (!diag.whenPassed) {
+            diag.resolveStatus = 'skipped-when';
+            diagnostics.push(diag);
             continue;
+        }
+        if (rawPath) {
+            const resolveResult = resolvePathWithDiag(rawPath, ctx);
+            diag.resolvedPath = resolveResult.resolved;
+            diag.resolveStatus = resolveResult.status;
+            if (resolveResult.unresolvedTokens.length > 0)
+                diag.unresolvedTokens = resolveResult.unresolvedTokens;
+        }
         const files = loadSectionFiles(section, ctx);
-        if (files.length === 0)
+        diag.fileCount = files.length;
+        if (files.length === 0) {
+            diagnostics.push(diag);
             continue;
+        }
+        let anyUsed = false;
         for (const [filePath, rawContent] of files) {
             const content = section.needsInjection ? renderTemplate(rawContent, ctx.vars) : rawContent;
-            if (!content.trim())
+            if (!content.trim()) {
+                diag.emptyContent = true;
                 continue;
+            }
             const label = section.description ? `${section.id} — ${section.description}` : section.id;
             const displayPath = shortenPath(filePath, pathMappings);
             const part = `Contenu de ${displayPath} (${label}):\n\n${content.trimEnd()}`;
             fileParts.push(part);
+            anyUsed = true;
             if (section.needsInjection) {
                 fragmentParts.push(part);
+                diag.injected = true;
             }
         }
+        diag.used = anyUsed;
+        diagnostics.push(diag);
     }
-    if (fileParts.length === 0)
-        return '';
     const body = fileParts.join('\n\n');
-    const output = `<system-reminder>\nEvolClaw Context Kit documents are shown below.\n\n${body}\n\nIMPORTANT: Use this context when it affects the current interaction.\n</system-reminder>`;
+    const output = fileParts.length > 0
+        ? `<system-reminder>\nEvolClaw Context Kit documents are shown below.\n\n${body}\n\nIMPORTANT: Use this context when it affects the current interaction.\n</system-reminder>`
+        : '';
     const fragmentsOutput = fragmentParts.length > 0 ? fragmentParts.join('\n\n') : '';
-    writeDebugFiles(ctx, output, fragmentsOutput);
+    writeDebugFiles(ctx, output, fragmentsOutput, diagnostics);
     return output;
 }
 export function cleanEckDebug() {
@@ -212,23 +274,38 @@ function loadDirectorySection(dirPath, pattern, ctx) {
 }
 // ── Path resolution ──
 function resolvePath(rawPath, ctx) {
-    let resolved = rawPath.replace(/\$([A-Z_]+)/g, (_, name) => {
+    const r = resolvePathWithDiag(rawPath, ctx);
+    return r.status === 'ok' ? r.resolved : null;
+}
+function resolvePathWithDiag(rawPath, ctx) {
+    const unresolved = [];
+    let resolved = rawPath.replace(/\$([A-Z_]+)/g, (_m, name) => {
         const val = ctx.vars[name];
-        if (val === undefined || val === null || val === false || val === '')
+        if (val === undefined || val === null || val === false || val === '') {
+            unresolved.push(`$${name}`);
             return '';
+        }
         return String(val);
     });
-    resolved = resolved.replace(/\{\{(\w+)\}\}/g, (_, key) => {
+    resolved = resolved.replace(/\{\{(\w+)\}\}/g, (_m, key) => {
         const val = ctx.vars[key];
-        if (val === undefined || val === null || val === false || val === '')
+        if (val === undefined || val === null || val === false || val === '') {
+            unresolved.push(`{{${key}}}`);
             return '';
+        }
         return String(val);
     });
-    if (!resolved || resolved.includes('$') || resolved.includes('{{'))
-        return null;
-    if (!fs.existsSync(resolved))
-        return null;
-    return resolved;
+    if (!resolved || resolved.includes('$') || resolved.includes('{{')) {
+        return { resolved: resolved || null, status: 'unresolved-vars', unresolvedTokens: unresolved };
+    }
+    if (unresolved.length > 0) {
+        // 占位符是非必需变量，但有的解析为空——视为未解析
+        return { resolved, status: 'unresolved-vars', unresolvedTokens: unresolved };
+    }
+    if (!fs.existsSync(resolved)) {
+        return { resolved, status: 'not-exist', unresolvedTokens: unresolved };
+    }
+    return { resolved, status: 'ok', unresolvedTokens: unresolved };
 }
 // CHUNK_CONTINUE_5
 // ── Directory reading ──
@@ -260,10 +337,17 @@ function evaluateWhen(when, vars) {
         return true;
     if (when.var !== undefined) {
         const val = vars[when.var];
-        if (when.eq !== undefined)
+        if (when.eq !== undefined) {
+            // 把 undefined 视作 null 的等价物，便于 manifest 用 eq:null/neq:null 表达"未注入"
+            if (when.eq === null)
+                return val === null || val === undefined;
             return val === when.eq;
-        if (when.neq !== undefined)
+        }
+        if (when.neq !== undefined) {
+            if (when.neq === null)
+                return val !== null && val !== undefined;
             return val !== when.neq;
+        }
         if (when.in !== undefined)
             return when.in.includes(val);
         if (when.nin !== undefined)
@@ -281,9 +365,10 @@ function isTruthy(val) {
 // CHUNK_CONTINUE_6
 // ── Template rendering ──
 function resolveConditions(template, vars) {
-    // Find innermost {{?...}}...{{/}} block (no nested {{? inside) and resolve it.
-    // Repeat until no blocks remain.
-    const inner = /\{\{\?(\w+)(?:(!=|=)([^}]*))?\}\}([^]*?)\{\{\/\}\}/;
+    // 只匹配**最内层** {{?...}}...{{/}} 块：body 内不允许再出现 {{? ，
+    // 否则非贪婪 ([^]*?) 会匹配到嵌套内层的 {{/}}，导致外层提前闭合、残留多余 {{/}}。
+    // 逐字符负向前瞻 (?!\{\{\?) 排除嵌套起始，配合 do/while 由内向外逐层消解。
+    const inner = /\{\{\?(\w+)(?:(!=|=)([^}]*))?\}\}((?:(?!\{\{\?)[^])*?)\{\{\/\}\}/;
     let result = template;
     let prev;
     do {
@@ -321,7 +406,7 @@ function getSessionCache(sessionId) {
     return cache;
 }
 // ── Debug output ──
-function writeDebugFiles(ctx, output, fragmentsOutput) {
+function writeDebugFiles(ctx, output, fragmentsOutput, diagnostics) {
     const now = new Date();
     const ts = now.toISOString().replace(/[T:.]/g, '-').slice(0, 19);
     const dir = eckDebugDir();
@@ -337,8 +422,89 @@ function writeDebugFiles(ctx, output, fragmentsOutput) {
         })),
     };
     fs.writeFile(path.join(dir, `vars-${ts}.json`), JSON.stringify(varsData, null, 2), () => { });
-    fs.writeFile(path.join(dir, `context-${ts}.md`), output, () => { });
+    if (output)
+        fs.writeFile(path.join(dir, `context-${ts}.md`), output, () => { });
     if (fragmentsOutput) {
         fs.writeFile(path.join(dir, `fragments-${ts}.md`), fragmentsOutput, () => { });
     }
+    fs.writeFile(path.join(dir, `manifest-${ts}.md`), formatManifestDiagnostics(ctx, diagnostics), () => { });
+}
+function formatManifestDiagnostics(ctx, diagnostics) {
+    const STATUS_ICON = {
+        'ok': 'OK',
+        'unresolved-vars': 'UNRESOLVED-VARS',
+        'not-exist': 'NOT-EXIST',
+        'skipped-disabled': 'SKIPPED(disabled)',
+        'skipped-when': 'SKIPPED(when)',
+        'no-path': 'NO-PATH',
+    };
+    const used = diagnostics.filter(d => d.used).length;
+    const skippedWhen = diagnostics.filter(d => d.resolveStatus === 'skipped-when').length;
+    const errors = diagnostics.filter(d => d.resolveStatus === 'unresolved-vars' || d.resolveStatus === 'not-exist').length;
+    const lines = [];
+    lines.push(`# ECK Manifest Diagnostics`);
+    lines.push('');
+    lines.push(`- timestamp: ${new Date().toISOString()}`);
+    lines.push(`- sessionId: ${ctx.sessionId}`);
+    lines.push(`- sections total: ${diagnostics.length}`);
+    lines.push(`- sections used: ${used}`);
+    lines.push(`- sections skipped (when=false): ${skippedWhen}`);
+    lines.push(`- sections with errors (unresolved-vars/not-exist): ${errors}`);
+    lines.push('');
+    if (errors > 0) {
+        lines.push(`## Errors`);
+        lines.push('');
+        for (const d of diagnostics) {
+            if (d.resolveStatus !== 'unresolved-vars' && d.resolveStatus !== 'not-exist')
+                continue;
+            lines.push(`### ${d.id}${d.description ? ' — ' + d.description : ''}`);
+            lines.push(`- status: ${STATUS_ICON[d.resolveStatus]}`);
+            lines.push(`- type: ${d.type}`);
+            lines.push(`- raw path: \`${d.rawPath}\``);
+            lines.push(`- resolved: \`${d.resolvedPath ?? '(null)'}\``);
+            if (d.unresolvedTokens && d.unresolvedTokens.length > 0) {
+                lines.push(`- unresolved tokens: ${d.unresolvedTokens.map(t => '`' + t + '`').join(', ')}`);
+            }
+            lines.push('');
+        }
+    }
+    lines.push(`## All sections`);
+    lines.push('');
+    lines.push(`| order | id | status | type | raw path | resolved | files | used | injected |`);
+    lines.push(`|---|---|---|---|---|---|---|---|---|`);
+    diagnostics.forEach((d, idx) => {
+        const status = STATUS_ICON[d.resolveStatus];
+        const rawPath = d.rawPath ? '`' + d.rawPath + '`' : '—';
+        const resolvedShort = d.resolvedPath ? '`' + (d.resolvedPath.length > 60 ? '…' + d.resolvedPath.slice(-58) : d.resolvedPath) + '`' : '—';
+        lines.push(`| ${idx + 1} | ${d.id} | ${status} | ${d.type} | ${rawPath} | ${resolvedShort} | ${d.fileCount} | ${d.used ? 'Y' : '·'} | ${d.injected ? 'Y' : '·'} |`);
+    });
+    lines.push('');
+    // 详细列出每个 section
+    lines.push(`## Section details`);
+    lines.push('');
+    for (const d of diagnostics) {
+        lines.push(`### ${d.id}${d.description ? ' — ' + d.description : ''}`);
+        lines.push(`- status: ${STATUS_ICON[d.resolveStatus]}`);
+        lines.push(`- type: ${d.type}`);
+        if (d.rawPath)
+            lines.push(`- raw path: \`${d.rawPath}\``);
+        if (d.pattern)
+            lines.push(`- pattern: \`${d.pattern}\``);
+        if (d.when !== undefined)
+            lines.push(`- when: \`${JSON.stringify(d.when)}\` → ${d.whenPassed ? 'true' : 'false'}`);
+        lines.push(`- needsInjection: ${d.needsInjection ? 'true' : 'false'}`);
+        lines.push(`- enabled: ${d.enabled}`);
+        if (d.resolvedPath)
+            lines.push(`- resolved: \`${d.resolvedPath}\``);
+        if (d.unresolvedTokens && d.unresolvedTokens.length > 0) {
+            lines.push(`- unresolved tokens: ${d.unresolvedTokens.map(t => '`' + t + '`').join(', ')}`);
+        }
+        lines.push(`- file count: ${d.fileCount}`);
+        if (d.emptyContent)
+            lines.push(`- note: 文件存在但渲染后内容为空`);
+        lines.push(`- used in output: ${d.used ? 'yes' : 'no'}`);
+        lines.push(`- injected as fragment: ${d.injected ? 'yes' : 'no'}`);
+        lines.push('');
+    }
+    return lines.join('\n');
 }

package/dist/aun/aid/agentmd.js

@@ -1,143 +1,96 @@
 import fs from 'fs';
 import path from 'path';
-import { getAunClient, createAunClient } from './client.js';
+import { getAidStore, loadAid, SLOT } from './store.js';
 import { agentMdPath, aidLocalDir, resolveRoot } from '../../paths.js';
 export function buildInitialAgentMd(opts) {
     const agentName = opts.aid.split('.')[0];
     const agentType = opts.type || 'ai';
     return `---\naid: "${opts.aid}"\nname: "${agentName}"\ntype: "${agentType}"\nversion: "1.0.0"\ndescription: ""\ntags:\n  - evolclaw\n---\n`;
 }
-/**
- * Resolve the gateway URL for an AID via .well-known discovery.
- */
-async function discoverGateway(aid) {
-    try {
-        const resp = await fetch(`https://${aid}/.well-known/aun-gateway`, { redirect: 'follow' });
-        if (!resp.ok)
-            return undefined;
-        const text = await resp.text();
-        try {
-            return JSON.parse(text.trim()).gateways?.[0]?.url ?? text.trim();
-        }
-        catch {
-            return text.trim();
-        }
-    }
-    catch {
-        return undefined;
-    }
-}
-/**
- * Obtain cert PEM for an AID: local first, then network.
- * Persists fetched cert to local for future use.
- */
-async function obtainCertPem(aid, aunPath, client) {
-    const localCert = path.join(aunPath, 'AIDs', aid, 'public', 'cert.pem');
-    if (fs.existsSync(localCert)) {
-        return fs.readFileSync(localCert, 'utf-8');
-    }
-    // Fetch from network via SDK's _fetchPeerCert (needs gateway)
-    if (client) {
-        try {
-            if (!client._gatewayUrl) {
-                client._gatewayUrl = await discoverGateway(aid);
-            }
-            if (client._gatewayUrl) {
-                const certPem = await client._fetchPeerCert.call(client, aid);
-                // Persist for future use
-                if (certPem) {
-                    const certDir = path.join(aunPath, 'AIDs', aid, 'public');
-                    fs.mkdirSync(certDir, { recursive: true });
-                    fs.writeFileSync(localCert, certPem, 'utf-8');
-                }
-                return certPem;
-            }
-        }
-        catch { /* fall through */ }
-    }
-    return undefined;
+/** Normalize an SDK verification result to the local union type. */
+function normalizeVerification(v) {
+    const status = v.status === 'verified' ? 'verified' : v.status === 'unsigned' ? 'unsigned' : 'invalid';
+    return { status, ...(v.reason ? { reason: String(v.reason) } : {}) };
 }
 /**
- * Verify agent.md content using SDK.
+ * Verify locally-cached agent.md content offline via the AID value object.
+ * Loads the peer cert through the store (no network, no private key required).
  */
-async function verifyContent(content, aid, certPem, client) {
+function verifyLocal(store, aid, content) {
     if (!content.includes('AUN-SIGNATURE')) {
         return { status: 'unsigned' };
     }
-    if (!certPem) {
-        return { status: 'invalid', reason: 'certificate not available' };
-    }
     try {
-        const result = await client.auth.verifyAgentMd(content, { aid, certPem });
-        if (result.status === 'verified' || result.verified) {
-            return { status: 'verified' };
-        }
-        return { status: 'invalid', reason: result.reason };
+        const aidObj = loadAid(store, aid);
+        const r = aidObj.verifyAgentMd(content);
+        if (!r.ok)
+            return { status: 'invalid', reason: r.error.message };
+        return normalizeVerification(r.data);
     }
     catch (e) {
-        return { status: 'invalid', reason: `verify error: ${String(e.message || e).slice(0, 100)}` };
+        // loadAid throws AidLoadError when the peer cert is missing/invalid.
+        return { status: 'invalid', reason: `certificate not available: ${String(e?.message || e).slice(0, 100)}` };
     }
 }
-/**
- * Create a bare AUNClient (no createAid) for read-only operations.
- */
-async function createBareClient(aunPath) {
-    return createAunClient({ aunPath });
-}
 export async function agentmdGet(aid, opts) {
     const aunPath = opts?.aunPath ?? resolveRoot();
-    const client = opts?.client ?? await createBareClient(aunPath);
-    const ownClient = !opts?.client;
+    const store = opts?.store ?? await getAidStore({ slotId: SLOT.cli, aunPath });
+    const ownStore = !opts?.store;
     const localPath = agentMdPath(aid);
     try {
-        // Try SDK fetch (auto-saves locally + verifies signature)
         let content;
         let verification;
-        try {
-            const info = await client.fetchAgentMd(aid);
-            content = info.content;
-            const sig = info.signature ?? {};
-            const status = sig.status === 'verified' ? 'verified' : sig.status === 'unsigned' ? 'unsigned' : 'invalid';
-            verification = { status, ...(sig.reason ? { reason: String(sig.reason) } : {}) };
+        const r = await store.downloadAgentMd(aid);
+        if (r.ok) {
+            content = r.data.content;
+            verification = normalizeVerification(r.data.verification);
         }
-        catch (err) {
-            // Network failed — fall back to local file (verify signature via SDK if requested)
-            if (!fs.existsSync(localPath))
-                throw err;
+        else {
+            // Network/fetch failed — fall back to local file.
+            if (!fs.existsSync(localPath)) {
+                throw new Error(`fetch agent.md failed for ${aid}: ${r.error.message}`);
+            }
             content = fs.readFileSync(localPath, 'utf-8');
             if (opts?.withVerification) {
-                const certPem = await obtainCertPem(aid, aunPath, client);
-                verification = await verifyContent(content, aid, certPem, client);
+                verification = verifyLocal(store, aid, content);
             }
         }
         if (!opts?.withVerification)
             return content;
-        return { content: content, verification: verification ?? { status: 'unsigned' } };
+        return { content, verification: verification ?? { status: 'unsigned' } };
     }
     finally {
-        if (ownClient)
+        if (ownStore)
             try {
-                await client.close();
+                store.close();
             }
             catch { /* ignore */ }
     }
 }
 /**
- * Upload agent.md: write to local file → publishAgentMd (auto-sign + upload).
+ * Upload agent.md: write local file → store.uploadAgentMd (auto-auth + sign + upload).
+ *
+ * fastaun 0.4.7: uploadAgentMd moved from AUNClient to AIDStore; the store builds
+ * its own LocalTokenStore + AuthFlow internally, so no AUNClient/authenticate needed.
  */
 export async function agentmdPut(content, opts) {
     const aunPath = opts.aunPath ?? resolveRoot();
-    const client = opts.client ?? await getAunClient(opts.aid, { aunPath });
-    const ownClient = !opts.client;
+    const store = opts.store ?? await getAidStore({ slotId: SLOT.cli, aunPath });
+    const ownStore = !opts.store;
     const dir = aidLocalDir(opts.aid);
     const filePath = path.join(dir, 'agent.md');
     const existed = fs.existsSync(filePath);
+    // 先写本地文件（与旧行为一致：本地内容更新应在上传失败时仍保留）
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(filePath, content, 'utf-8');
     try {
-        fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(filePath, content, 'utf-8');
-        await client.publishAgentMd();
+        const r = await store.uploadAgentMd(opts.aid, content);
+        if (!r.ok)
+            throw new Error(`upload agent.md failed for ${opts.aid}: ${r.error.message}`);
     }
     catch (e) {
+        // 上传失败：仅当文件原本不存在（本次新建）时回滚，避免留下孤儿文件；
+        // 已存在的文件保留新内容（旧语义）。
         if (!existed)
             try {
                 fs.unlinkSync(filePath);
@@ -146,34 +99,53 @@ export async function agentmdPut(content, opts) {
         throw e;
     }
     finally {
-        if (ownClient)
+        if (ownStore)
             try {
-                await client.close();
+                store.close();
             }
             catch { /* ignore */ }
     }
 }
 /**
- * Check if agent.md is up-to-date (30-day cache), fetch if changed.
+ * Check if agent.md is up-to-date (30-day TTL), fetch if changed.
  * Returns changed=true + content when a new version was downloaded.
+ *
+ * verification 透传 SDK 的验签结果：
+ * - downloaded（changed=true）时为 SDK downloadAgentMd 的 verification
+ * - 命中本地缓存或网络失败 fallback 时为 undefined（调用方需自行离线验签或视为未验证）
+ *
+ * Note: store.checkAgentMd tracks freshness via the store's in-memory cache,
+ * so a freshly-built store reports local_found=false and will fetch.
  */
 export async function agentmdSync(aid, opts) {
-    const client = opts?.client ?? await createBareClient();
-    const ownClient = !opts?.client;
+    const aunPath = opts?.aunPath ?? resolveRoot();
+    const store = opts?.store ?? await getAidStore({ slotId: SLOT.cli, aunPath });
+    const ownStore = !opts?.store;
+    const localPath = agentMdPath(aid);
     try {
-        const state = await client.checkAgentMd(aid, 30);
-        if (!state.in_sync || !state.local_found) {
-            const info = await client.fetchAgentMd(aid);
-            return { changed: true, content: info.content };
+        const check = await store.checkAgentMd(aid, 30);
+        // In sync (cache fresh) — return local file content with cached verification status.
+        if (check.ok && !check.data.needs_update && check.data.local_found) {
+            const content = fs.existsSync(localPath) ? fs.readFileSync(localPath, 'utf-8') : undefined;
+            const verification = check.data.verify_status
+                ? normalizeVerification({ status: check.data.verify_status, reason: check.data.verify_error || undefined })
+                : undefined;
+            return { changed: false, content, verification };
+        }
+        // Needs update (or check failed) — fetch fresh content.
+        // SDK's downloadAgentMd persists to disk internally (AgentMdManager.saveRecord → writeContent).
+        const fetched = await store.downloadAgentMd(aid);
+        if (fetched.ok) {
+            return { changed: true, content: fetched.data.content, verification: normalizeVerification(fetched.data.verification) };
         }
-        const localPath = agentMdPath(aid);
+        // Fetch failed (network) — fall back to local file if present.
         const content = fs.existsSync(localPath) ? fs.readFileSync(localPath, 'utf-8') : undefined;
         return { changed: false, content };
     }
     finally {
-        if (ownClient)
+        if (ownStore)
             try {
-                await client.close();
+                store.close();
             }
             catch { /* ignore */ }
     }

package/dist/aun/aid/client.js

@@ -24,7 +24,7 @@ export function suppressSdkLogs() {
         return; process.stderr.write(args.map(String).join(' ') + '\n'); };
 }
 // ==================== Constants ====================
-export const MIN_AUN_CORE_SDK = [0, 3, 3];
+export const MIN_AUN_CORE_SDK = [0, 4, 3];
 export const AUN_CORE_SDK_PKG = '@agentunion/fastaun';
 // ==================== SDK & Environment ====================
 function compareVersion(a, min) {
@@ -113,31 +113,3 @@ export async function downloadCaRoot(aunPath, gatewayUrl, indent = '') {
         return false;
     }
 }
-/**
- * 统一构造 AUNClient：自动绑 root_ca_path + setAgentMdPath(aidsDir())。
- * 不做 createAid / authenticate / connect，调用方按需续作。
- *
- * 所有 new AUNClient 调用都应走此工厂，避免 SDK 默认把 agent.md 写到
- * {aun_path}/AgentMDs（默认目录）。
- */
-export async function createAunClient(opts = {}) {
-    const { aunPath: defaultAunPath, aidsDir } = await import('../../paths.js');
-    const aunPath = opts.aunPath ?? defaultAunPath();
-    const caCertPath = path.join(aunPath, 'CA', 'root', 'root.crt');
-    const { AUNClient } = await import('@agentunion/fastaun');
-    const clientOpts = { aun_path: aunPath, debug: opts.debug ?? false };
-    if (fs.existsSync(caCertPath))
-        clientOpts.root_ca_path = caCertPath;
-    if (opts.encryptionSeed)
-        clientOpts.encryption_seed = opts.encryptionSeed;
-    const client = opts.aunSdkLog !== undefined
-        ? new AUNClient(clientOpts, opts.aunSdkLog)
-        : new AUNClient(clientOpts);
-    client.setAgentMdPath(aidsDir());
-    return client;
-}
-export async function getAunClient(aid, opts) {
-    const client = await createAunClient({ aunPath: opts?.aunPath });
-    await client.auth.createAid({ aid });
-    return client;
-}