iobroker.anthbot 0.0.3 → 0.0.5

package/LICENSE

@@ -1,5 +1,6 @@
 MIT License
 
+Copyright (c) 2026 iobroker-community-adapters <iobroker-community-adapters@gmx.de>  
 Copyright (c) 2026 Robin Rainton <robin@rainton.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

package/README.md

@@ -14,11 +14,53 @@
 
 Connect with Anthbot devices such as their robot mowers.
 
+### Monitoring
+
+Battery level is reported in the `elec` state. 
+
+View a device's status in the `mode` state (charging, mowing, standby, etc).
+
+The last status message & it's severity (event, error, etc) are shown in the `last_code`, `last_code_text` and `last_code_type` states. For users looking for more history, the `code_list` state holds a JSON array with the a larger number of messages.
+
+The rest of the states should be self explanatory.
+
+### Commands
+
+`stop_all_tasks` equates to hiting 'Stop' in the Anthbot app.
+
+`charge_start` equates to the 'Recharge' icon in the Anthbot app.
+
+`mow_start` equates to start when in 'Full maps' mode.
+
+`custom_area_mow_start` equates to custom area (aka 'Zones') mode. For this to work a valid list of area IDs must already be set in the `area_list` state. Area IDs are not the same as names the Anthbot app shows. Valid area IDs can be found in the `map.custom_areas.raw` state (this will be improved later).
+
+Ie. to start mowing one or more zones:
+
+- Set the `area_list` state to an array of IDs. Eg: `[102, 117]`
+- Trigger the `custom_area_mow_start` state.
+
+`ridable_mow_start` equates to edge mowing mode. As with `custom_area_mow_start`, set the `area_list` with a valid list of ridable areas (aka. edge) IDs. Valid ridable area IDs can be found in the `map.ridable_areas.raw` state.
+
+### Map & area (aka. zone) editing
+
+With `area_set` it is possible to edit one or more areas. Take the JSON representation from a desired entry from the `map.custom_areas.raw_list`, modify it as required and save this the `area_set` state as a JSON array.
+
+Note that when using `area_set` it is not necessary to define all parameters and only those provided will be changed. Eg: `[{"mow_head":10,"id":117}]` will change the angle of mowing in area 117 to 10 degrees and leave the other parameters as is.
+
 ## Changelog
 <!--
     Placeholder for the next version (at the beginning of the line):
     ### **WORK IN PROGRESS**
 -->
+### 0.0.5 (2026-05-20)
+ - (raintonr) Added brief usage tips in readme
+ - (raintonr) Added active_area, code_list & map states and ridable_mow_start command
+
+### 0.0.4 (2026-05-18)
+- (copilot) Adapter requires node.js >= 22 now
+- (copilot) Adapter requires admin >= 7.7.22 now
+- (raintonr) Handle temporary IoT access tokens (#9)
+
 ### 0.0.3 (2026-04-25)
 * (raintonr) adapter checker issues
 
@@ -28,6 +70,8 @@ Connect with Anthbot devices such as their robot mowers.
 ## License
 MIT License
 
+
+Copyright (c) 2026 iobroker-community-adapters <iobroker-community-adapters@gmx.de>  
 Copyright (c) 2026 Robin Rainton <robin@rainton.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

package/io-package.json

@@ -1,8 +1,34 @@
 {
   "common": {
     "name": "anthbot",
-    "version": "0.0.3",
+    "version": "0.0.5",
     "news": {
+      "0.0.5": {
+        "en": "Added brief usage tips in readme\nAdded active_area, code_list & map states and ridable_mow_start command",
+        "de": "Kurze Nutzungstipps in readme hinzugefügt\nActive area, code list & map Zustände und ridable mow start Befehl hinzugefügt",
+        "ru": "Добавлены краткие советы по использованию в Readme\nДобавлено состояние active area, code list & map и команда ridable mow start",
+        "pt": "Adicionado breves dicas de uso no readme\nAdicionado ative  area, code  list & map states and ridable  mow  start command",
+        "nl": "Korte gebruik tips toegevoegd in readme\nActive area, code list & map states en ridable mow start commando toegevoegd",
+        "fr": "Ajout de brèves conseils d'utilisation dans readme\nAjout de la commande active area, code list & map et ridable mow start",
+        "it": "Aggiunto breve utilizzo suggerimenti in readme\nAggiunto active area, code list & mappa stati e comando ridable mow start",
+        "es": "Consejos de uso breves adicionales en el readme\nAñadido active area, code list & map states and ridable mow start command",
+        "pl": "Dodano krótkie wskazówki użycia w readme\nDodano active _ area, code _ list & map states oraz polecenie ridable _ mow _ start",
+        "uk": "Додайте поради щодо короткого використання в читме\nДодано активний area, code list & map States і ridable mow start команди",
+        "zh-cn": "在readme中添加简短的使用提示\n添加活动区域、 代码列表状态和可清除的  mow  start 命令"
+      },
+      "0.0.4": {
+        "en": "Adapter requires node.js >= 22 now\nAdapter requires admin >= 7.7.22 now\nHandle temporary IoT access tokens (#9)",
+        "de": "Adapter benötigt node.js >= 22 jetzt\nAdapter benötigt admin >= 7.7.22 jetzt\nHandle temporäre IoT-Zugriffstoken (#9)",
+        "ru": "Адаптер требует node.js >= 22 сейчас\nАдаптер требует администратора >= 7.7.22\nОбработка временных токенов доступа к IoT (#9)",
+        "pt": "Adaptador requer nod.js >= 22 agora\nAdaptador requer admin >= 7.7.22 agora\nLidar com tokens de acesso temporário de IoT (# 9)",
+        "nl": "Voor de adapter zijn node.js < 22 nu nodig\nAdapter vereist admin < 7.7.22 nu\nTijdelijke IoT toegang tokens hanteren (#9)",
+        "fr": "Adaptateur nécessite node.js >= 22 maintenant\nAdaptateur nécessite admin >= 7.7.22 maintenant\nPoignez des jetons d'accès IoT temporaires (#9)",
+        "it": "Adattatore richiede node.js >= 22 ora\nAdattatore richiede admin >= 7.7.22 ora\nMantenere i gettoni di accesso IoT temporanei (#9)",
+        "es": "Adaptador requiere node.js ю= 22 ahora\nEl adaptador requiere administrador= 7.7.22 ahora\nHandle temporary IoT access tokens (#9)",
+        "pl": "Adapter wymaga node.js > = 22\nAdapter wymaga admin > = 7.7.22\nObsługa tymczasowych żetonów dostępu IoT (# 9)",
+        "uk": "Адаптер вимагає node.js >= 22 тепер\nАдаптер вимагає адмін >= 7.7.22 тепер\nЗручності для доступу до Інтернету речей (#9)",
+        "zh-cn": "适配器需要节点.js 现在22\n适任者需要管理员 \\ 7.7.22 现在\n处理临时 IOT 访问符 (# 9)"
+      },
       "0.0.3": {
         "en": "adapter checker issues",
         "de": "adapter checker probleme",
@@ -57,7 +83,8 @@
       "zh-cn": "与 Anthbot 设备连接，例如机器人割草机"
     },
     "authors": [
-      "Robin Rainton <robin@rainton.com>"
+      "Robin Rainton <robin@rainton.com>",
+      "iobroker-community-adapters <iobroker-community-adapters@gmx.de>"
     ],
     "keywords": [
       "robot",
@@ -92,15 +119,22 @@
     ],
     "globalDependencies": [
       {
-        "admin": ">=7.0.23"
+        "admin": ">=7.7.22"
       }
     ]
   },
   "native": {
     "username": "",
     "password": "",
-    "regionCode": null
+    "regionCode": 61
   },
+  "encryptedNative": [
+    "password"
+  ],
+  "protectedNative": [
+    "username",
+    "password"
+  ],
   "objects": [],
   "instanceObjects": [
     {

package/lib/anthbotApi.js

@@ -34,7 +34,7 @@ const REQUEST_TIMEOUT = 15000; // 15 seconds
 // Shared methods
 class AnthotCloudApi {
     /**
-     * @param {{ verboseLogger?: ((message: string) => void) | null}} options
+     * @param {{ verboseLogger?: ((message: string) => void) | null }} options - Configuration options
      */
     constructor({ verboseLogger = null }) {
         this.verboseLogger = verboseLogger;
@@ -117,7 +117,7 @@ class AnthotCloudApi {
  * Client for Anthbot cloud account endpoints
  */
 class AnthbotCloudApiClient {
-    /** @param {{ verboseLogger?: ((message: string) => void) | null }} options */
+    /** @param {{ verboseLogger?: ((message: string) => void) | null }} options - Configuration options */
     constructor({ verboseLogger = null }) {
         this.endpointHost = DEFAULT_API_HOST;
         this.authHeaders = {
@@ -134,8 +134,12 @@ class AnthbotCloudApiClient {
 
     /**
      * Login and return bearer token
+     *
+     * @param {string} username - Username
+     * @param {string} password - Password
+     * @param {number} areaCode - Country/region code
      */
-    async asyncLogin({ username, password, areaCode }) {
+    async asyncLogin(username, password, areaCode) {
         const url = `https://${this.endpointHost}/api/v1/login`;
         const headers = {
             Accept: 'application/json, text/plain, */*',
@@ -158,15 +162,14 @@ class AnthbotCloudApiClient {
 
         let data;
         try {
-            data = /** @type {{ code: number; data: { access_token: string } }} */ (await response.json());
+            data = /** @type {{code: number, data?: any}} */ (await response.json());
         } catch {
             throw new Error('Invalid JSON response from login');
         }
 
         if (typeof data !== 'object' || data === null) {
             throw new Error('Invalid login payload type');
-        }
-        if (data.code !== 0) {
+        } else if (data.code !== 0) {
             throw new Error(`Login rejected: code=${JSON.stringify(data.code)}`);
         }
 
@@ -183,56 +186,83 @@ class AnthbotCloudApiClient {
         const bearerToken = `Bearer ${accessToken}`;
         this.bearerToken = bearerToken;
         this.authHeaders['Authorization'] = bearerToken;
-        return bearerToken;
     }
 
-    checkToken() {
-        if (!this.bearerToken) {
-            throw new Error('Bearer token not configured');
+    /**
+     * Fetch JSON and resolve the service-level payload data.
+     *
+     * @param {string} url URL to fetch from
+     * @param {RequestInit} [options] Request options (method, headers, body, etc.)
+     * @returns {Promise<any>} Payload data from the response
+     */
+    async fetchPayloadData(url, options = {}) {
+        // GET is default
+        if (!options.method) {
+            options.method = 'GET';
+        }
+
+        // Always add our auth headers
+        options.headers = { ...this.authHeaders, ...options.headers };
+
+        // Check headers given (or added above) have the Authorization (sic.)
+        if (!Object.prototype.hasOwnProperty.call(options.headers, 'Authorization')) {
+            throw new Error('Missing Authorization header');
         }
+
+        const response = await this.fetch(url, options);
+        if (response.status !== 200) {
+            const body = await response.text();
+            throw new Error(`Request to ${url} failed (${response.status}): ${body.slice(0, 300)}`);
+        }
+
+        let payload;
+        try {
+            payload = /** @type {{code: number, data?: any}} */ (await response.json());
+        } catch {
+            throw new Error(`Invalid JSON response from ${url}`);
+        }
+
+        if (typeof payload !== 'object' || payload === null) {
+            throw new Error(`Invalid API payload from ${url}`);
+        } else if (payload.code !== 0) {
+            throw new Error(`API returned code=${payload.code} from ${url}`);
+        }
+        return payload.data;
     }
 
     /**
      * Fetch account-bound Anthbot devices
+     *
+     * @returns {Promise<{alias: string, sn: string}[]>} - List of devices
      */
     async asyncGetBoundDevices() {
-        this.checkToken();
-
         const url = `https://${this.endpointHost}/api/v1/device/bind/list`;
-        const response = await this.fetch(url, {
-            method: 'GET',
-            headers: this.authHeaders,
-        });
 
-        if (response.status !== 200) {
-            throw new Error(`Request to ${url} failed, response ${response.status}`);
-        }
-
-        return /** @type {{ data:  {alias: string, sn: string}[] }} */ (await response.json()).data;
+        return /** @type {{alias: string, sn: string}[]} */ (await this.fetchPayloadData(url));
     }
 
     /**
      * Fetch latest messages
      * Returns only last message by default
+     *
+     * @param {string} serialNumber - Device serial number
+     * @param {number} pageNum - Page number
+     * @param {number} pageSize - Page size
+     * @returns {Promise<unknown>} Latest messages
      */
     async asyncGetCodeList(serialNumber, pageNum = 1, pageSize = 1) {
-        this.checkToken();
-
         // TODO: allow language other than English?
         const url = `https://${this.endpointHost}/api/v1/device/v2/code/list?sn=${serialNumber}&pagenum=${pageNum}&pagesize=${pageSize}&language=English`;
 
-        const response = await this.fetch(url, {
-            method: 'GET',
-            headers: this.authHeaders,
-        });
-
-        if (response.status !== 200) {
-            throw new Error(`Request to ${url} failed, response ${response.status}`);
-        }
-
-        return /** @type {{ data: { data: unknown } }} */ (await response.json())?.data?.data;
+        return /** @type {unknown} */ ((await this.fetchPayloadData(url))?.data);
     }
 
+    /**
+     * Get verification token for presigned URL retrieval
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {string} - Verification token
+     */
     buildVerificationToken(serialNumber) {
         const unixTimestamp = Math.floor(Date.now() / 1000);
         const tokenSuffix = unixTimestamp.toString();
@@ -243,42 +273,31 @@ class AnthbotCloudApiClient {
     /**
      * Fetch account-bound Anthbot devices
      *
-     * @param {string} sn
-     * @param {string} filename
-     * @param {string} category
-     * @param {string} sub_category
-     * @returns {Promise<string>} URL for the requested file
+     * @param {string} serialNumber - Device serial number
+     * @param {string} filename - File name
+     * @param {string} category - Category
+     * @param {string} sub_category - Sub category
+     * @returns {Promise<string>} - URL for the requested file
      */
-    async asyncGetPresignedUrl(sn, filename, category, sub_category) {
-        this.checkToken();
-
+    async asyncGetPresignedUrl(serialNumber, filename, category, sub_category) {
         const params = new URLSearchParams({
             filename,
-            sn,
+            sn: serialNumber,
             category,
             sub_category,
-            verification_token: this.buildVerificationToken(sn),
+            verification_token: this.buildVerificationToken(serialNumber),
         });
         const url = `https://${this.endpointHost}/api/v1/device/v2/presigned_url?${params}`;
-        const response = await this.fetch(url, {
-            method: 'GET',
-            headers: this.authHeaders,
-        });
-
-        if (response.status !== 200) {
-            throw new Error(`Request to ${url} failed, response ${response.status}`);
-        }
 
-        return /** @type {{ data:  {presigned_url: string } }} */ (await response.json()).data?.presigned_url;
+        return /** @type {string} */ ((await this.fetchPayloadData(url))?.presigned_url);
     }
 
     /**
      * Decodes a TAR.GZ archive from a Buffer and returns an array of file entries with filename, type and content.
      *
-     * @param {Buffer} buffer
-     * @returns {Promise<Array<{ filename: string; type: 'json' | 'blob'; content: unknown }>>}
+     * @param {Buffer} buffer - The TAR.GZ buffer to decode
+     * @returns {Promise<Array<{ filename: string; type: 'json' | 'blob'; content: unknown }>>} - Array of file contents
      */
-
     decodeTgzBuffer(buffer) {
         return new Promise((resolve, reject) => {
             const results = [];
@@ -337,6 +356,12 @@ class AnthbotCloudApiClient {
         });
     }
 
+    /**
+     * Fetch device map
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {Promise<Array<{ filename: string; type: 'json' | 'blob'; content: unknown }>>} - Decoded map data
+     */
     async asyncGetDeviceMap(serialNumber) {
         const url = await this.asyncGetPresignedUrl(
             serialNumber,
@@ -360,43 +385,19 @@ class AnthbotCloudApiClient {
 
     /**
      * Fetch device cloud region metadata
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {Promise<{regionName: string; iotEndpoint: string}>} - Region metadata
      */
     async asyncGetDeviceRegion(serialNumber) {
         if (this.verboseLogger) {
             this.verboseLogger(`Cache miss - fetching device region for ${serialNumber}`);
         }
 
-        this.checkToken();
-
         const url = `https://${this.endpointHost}/api/v1/device/v2/region`;
         const params = new URLSearchParams({ sn: serialNumber });
-        const response = await this.fetch(`${url}?${params}`, {
-            method: 'GET',
-            headers: this.authHeaders,
-        });
-
-        if (response.status !== 200) {
-            const body = await response.text();
-            throw new Error(`Device region failed (${response.status}): ${body.slice(0, 300)}`);
-        }
-
-        let payload;
-        try {
-            payload = /** @type {{ code: number; data: {region_name: string; iot_endpoint: string } }} */ (
-                await response.json()
-            );
-        } catch {
-            throw new Error('Invalid JSON response from device region');
-        }
+        const data = await this.fetchPayloadData(`${url}?${params}`);
 
-        if (typeof payload !== 'object' || payload === null) {
-            throw new Error('Invalid device region payload type');
-        }
-        if (payload.code !== 0) {
-            throw new Error(`Device region returned code=${payload.code}`);
-        }
-
-        const data = payload.data;
         if (typeof data !== 'object' || data === null) {
             throw new Error('Device region payload missing data object');
         }
@@ -417,6 +418,52 @@ class AnthbotCloudApiClient {
         return deviceRegion;
     }
 
+    /**
+     * Retrieve temporary IoT credentials for a device.
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {Promise<object>} - IoT credentials and expiration
+     */
+    async asyncGetDeviceIotCredentials(serialNumber) {
+        const params = {
+            sn: serialNumber,
+            verification_token: this.buildVerificationToken(serialNumber),
+        };
+
+        const data = await this.fetchPayloadData(`https://${this.endpointHost}/api/v1/device/v2/iot/sts/arn`, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify(params),
+        });
+
+        if (typeof data !== 'object' || data === null) {
+            throw new Error('IoT credentials payload missing data object');
+        }
+
+        const expiration = data.expiration;
+        const expiresAt =
+            expiration == null ? null : expiration > 2000000000 ? expiration * 1000 : Date.now() + expiration * 1000;
+
+        const iotCredentials = {
+            accessKeyId: data.access_key_id,
+            secretAccessKey: data.secret_access_key,
+            sessionToken: data.session_token,
+            regionName: data.region_name,
+            endpoint: data.endpoint,
+            expiresAt,
+        };
+        if (this.verboseLogger) {
+            this.verboseLogger(`IoT credentials for ${serialNumber}: ${JSON.stringify(iotCredentials)}`);
+        }
+        return iotCredentials;
+    }
+
+    /**
+     * Ensure shadow client is initialized
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {Promise<void>}
+     */
     async checkShadowClient(serialNumber) {
         // TODO: Handle multiple devices with different shadow clients instead of caching just one
         if (!this.shadowClient) {
@@ -431,13 +478,40 @@ class AnthbotCloudApiClient {
                 verboseLogger: this.verboseLogger,
             });
         }
+
+        // Get new credentials if we have none or they have expired
+        if (
+            !this.iotCredentials ||
+            this.iotCredentials.expiresAt === null ||
+            this.iotCredentials.expiresAt - Date.now() <= 60000
+        ) {
+            if (this.verboseLogger) {
+                this.verboseLogger(`No/expired IoT Credentaials for ${serialNumber}, fetching them`);
+            }
+            this.iotCredentials = await this.asyncGetDeviceIotCredentials(serialNumber);
+            this.shadowClient.iotCredentials = this.iotCredentials;
+        }
     }
 
+    /**
+     * Get shadow reported state
+     *
+     * @param {string} serialNumber - Device serial number
+     * @returns {Promise<any>} - Reported state
+     */
     async asyncGetShadowReportedState(serialNumber) {
         await this.checkShadowClient(serialNumber);
         return await this.shadowClient?.asyncGetShadowReportedState();
     }
 
+    /**
+     * Send service command
+     *
+     * @param {string} serialNumber - Device serial number
+     * @param {string} cmd - Command
+     * @param {unknown} data - ommand data
+     * @returns {Promise<void>}
+     */
     async asyncSendServiceCommand(serialNumber, cmd, data) {
         await this.checkShadowClient(serialNumber);
         return await this.shadowClient?.asyncPublishServiceCommand({ cmd, data });
@@ -449,12 +523,13 @@ class AnthbotCloudApiClient {
  */
 class AnthbotShadowApiClient {
     /**
-     * @param {{serialNumber: string, regionName?: string | null, iotEndpoint?: string | null, verboseLogger?: ((message: string) => void) | null}} options
+     * @param {{serialNumber: string, regionName?: string | null, iotEndpoint?: string | null, verboseLogger?: ((message: string) => void) | null}} options - Configuration options
      */
     constructor({ serialNumber, regionName = null, iotEndpoint = null, verboseLogger = null }) {
         this._serialNumber = serialNumber;
         this._regionName = typeof regionName === 'string' && regionName ? regionName : null;
         this._iotEndpoint = AnthbotShadowApiClient._normalizeEndpoint(iotEndpoint);
+        this._iotCredentials = null;
         this.verboseLogger = verboseLogger;
         this.fetch = new AnthotCloudApi({ verboseLogger }).fetch;
 
@@ -491,6 +566,10 @@ class AnthbotShadowApiClient {
         return AnthbotShadowApiClient._guessRegionFromEndpoint(iotEndpoint);
     }
 
+    set iotCredentials(iotCredentals) {
+        this._iotCredentials = iotCredentals;
+    }
+
     get serialNumber() {
         return this._serialNumber;
     }
@@ -508,6 +587,9 @@ class AnthbotShadowApiClient {
     }
 
     _accessKeyId() {
+        if (this._iotCredentials?.accessKeyId) {
+            return this._iotCredentials.accessKeyId;
+        }
         if (this._iotEndpoint === CN_NORTHWEST_IOT_ENDPOINT) {
             return AWS_ACCESS_KEY_CN_NORTHWEST;
         }
@@ -518,6 +600,9 @@ class AnthbotShadowApiClient {
     }
 
     _secretAccessKey() {
+        if (this._iotCredentials?.secretAccessKey) {
+            return this._iotCredentials.secretAccessKey;
+        }
         if (this._iotEndpoint === CN_NORTHWEST_IOT_ENDPOINT) {
             return AWS_SECRET_KEY_CN_NORTHWEST;
         }
@@ -527,6 +612,10 @@ class AnthbotShadowApiClient {
         return AWS_SECRET_KEY_DEFAULT;
     }
 
+    _sessionToken() {
+        return this._iotCredentials?.sessionToken;
+    }
+
     static _sign(key, msg) {
         if (typeof key === 'string') {
             key = Buffer.from(key, 'utf-8');
@@ -546,18 +635,11 @@ class AnthbotShadowApiClient {
         const algorithm = 'AWS4-HMAC-SHA256';
         const signedHeaders = AnthbotShadowApiClient._signedHeadersFromRequest(canonicalRequest);
         const credentialScope = `${dateStamp}/${this.signingRegion}/iotdata/aws4_request`;
-        const stringToSign =
-            `${algorithm}\n` +
-            `${amzDate}\n` +
-            `${credentialScope}\n` +
-            crypto.createHash('sha256').update(canonicalRequest).digest('hex');
+        const stringToSign = `${algorithm}\n${amzDate}\n${credentialScope}\n${crypto.createHash('sha256').update(canonicalRequest).digest('hex')}`;
 
         const signature = crypto.createHmac('sha256', this._signingKey(dateStamp)).update(stringToSign).digest('hex');
 
-        return (
-            `${algorithm} Credential=${this._accessKeyId()}/${credentialScope}, ` +
-            `SignedHeaders=${signedHeaders}, Signature=${signature}`
-        );
+        return `${algorithm} Credential=${this._accessKeyId()}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
     }
 
     static _normalizeHeaderValue(value) {
@@ -632,17 +714,12 @@ class AnthbotShadowApiClient {
             host: this._iotEndpoint,
             'x-amz-content-sha256': payloadHash,
             'x-amz-date': amzDate,
+            'x-amz-security-token': this._sessionToken(),
         };
 
         const [canonicalHeaders, signedHeaders] = AnthbotShadowApiClient._canonicalHeaders(signedHeaderValues);
 
-        const canonicalRequest =
-            `GET\n` +
-            `${canonicalUri}\n` +
-            `${canonicalQuery}\n` +
-            `${canonicalHeaders}\n` +
-            `${signedHeaders}\n` +
-            `${payloadHash}`;
+        const canonicalRequest = `GET\n${canonicalUri}\n${canonicalQuery}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`;
 
         const authorization = this._buildAuthorization(amzDate, dateStamp, canonicalRequest);
 
@@ -652,6 +729,7 @@ class AnthbotShadowApiClient {
             Host: this._iotEndpoint,
             'x-amz-date': amzDate,
             'x-amz-content-sha256': payloadHash,
+            'x-amz-security-token': this._sessionToken(),
             Authorization: authorization,
             'User-Agent': CLIENT_USER_AGENT,
         };
@@ -668,7 +746,7 @@ class AnthbotShadowApiClient {
 
         let payload;
         try {
-            payload = /** @type {{ state: { reported: unknown } }} */ (await response.json());
+            payload = /** @type {{state?: any}} */ (await response.json());
         } catch {
             throw new Error('Invalid JSON response from shadow request');
         }
@@ -688,6 +766,9 @@ class AnthbotShadowApiClient {
 
     /**
      * Encode path component for AWS SigV4
+     *
+     * @param {string} component - Component to encode
+     * @returns {string} - Encoded component
      */
     _encodePathComponent(component) {
         return encodeURIComponent(component).replace(/[!'()*]/g, ch => {
@@ -705,7 +786,6 @@ class AnthbotShadowApiClient {
 
         // Different AWS clients canonicalize the URI slightly differently.
         // Try the app-observed mode first, then fall back to alternatives.
-        /** @type {[string, boolean, string | null, boolean][]} */
         const attempts = [
             // 1) SDK headers + encoded URI + app-style canonical URI (trace match)
             [requestUriEncoded, true, null, true],
@@ -763,7 +843,7 @@ class AnthbotShadowApiClient {
             }
 
             if (this.verboseLogger) {
-                this.verboseLogger(`Anthbot command publish attempt failed (${status}`);
+                this.verboseLogger(`Anthbot command publish attempt failed (${status})`);
             }
         }
 
@@ -776,7 +856,7 @@ class AnthbotShadowApiClient {
     }
 
     /**
-     * @param {{requestUri: string, canonicalQuery: string, payloadBytes: Buffer, includeSdkHeaders: boolean, canonicalUriOverride?: string | null, signContentLength?: boolean}} options
+     * @param {{requestUri: string | boolean | null, canonicalQuery: string, payloadBytes: Buffer, includeSdkHeaders: string | boolean | null, canonicalUriOverride?: string | boolean | null, signContentLength?: string | boolean | null}} options - Request options
      */
     async _asyncSignedPost({
         requestUri,
@@ -800,6 +880,7 @@ class AnthbotShadowApiClient {
             'content-type': 'application/octet-stream',
             'x-amz-content-sha256': payloadHash,
             'x-amz-date': amzDate,
+            'x-amz-security-token': this._sessionToken(),
         };
 
         const headers = {
@@ -808,6 +889,7 @@ class AnthbotShadowApiClient {
             'Content-Type': 'application/octet-stream',
             'x-amz-content-sha256': payloadHash,
             'x-amz-date': amzDate,
+            'x-amz-security-token': this._sessionToken(),
         };
 
         if (signContentLength) {
@@ -836,13 +918,7 @@ class AnthbotShadowApiClient {
                 ? canonicalUriOverride
                 : AnthbotShadowApiClient._canonicalUriForSigv4(requestUri);
 
-        const canonicalRequest =
-            `POST\n` +
-            `${canonicalUri}\n` +
-            `${canonicalQuery}\n` +
-            `${canonicalHeaders}\n` +
-            `${signedHeaders}\n` +
-            `${payloadHash}`;
+        const canonicalRequest = `POST\n${canonicalUri}\n${canonicalQuery}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`;
 
         headers['Authorization'] = this._buildAuthorization(amzDate, dateStamp, canonicalRequest);