liangzimixin 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 liangzimixin contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,66 @@
+# liangzimixin (量子密信)
+
+[![npm version](https://img.shields.io/npm/v/liangzimixin.svg)](https://www.npmjs.com/package/liangzimixin)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+量子加密即时通信 (Quantum-encrypted IM) 渠道插件，用于 [OpenClaw](https://openclaw.ai) 平台。
+
+## 功能特性
+
+- 💬 **即时通信** — 消息收发、撤回
+- 🔐 **量子加密** — 端到端量子密钥加密，安全通信
+- 📎 **文件传输** — 图片/文件上传下载，支持分片
+- 🔄 **自动重连** — WebSocket 心跳保活 + 断线自动重连
+- 🔔 **推送通知** — Cockatoo 推送（可选）
+- 🔑 **OAuth 认证** — Seal OAuth 自动注册/Token 管理
+
+## 安装
+
+```bash
+openclaw plugins install liangzimixin
+```
+
+## 要求
+
+- **Node.js**: `v20` 或更高
+- **OpenClaw**: `2026.2.26` 或更高（`openclaw -v` 检查版本）
+
+## 配置
+
+安装后在 OpenClaw 配置文件中添加插件配置：
+
+```yaml
+plugins:
+  entries:
+    liangzimixin:
+      config:
+        credentials:
+          appId: "你的应用 ID"
+          appSecret: "你的应用密钥"
+          account: "账户标识"
+          quantumId: "量子服务 ID"
+          quantumSecret: "量子服务密钥"
+        transport:
+          wsUrl: "wss://im.example.com/ws"
+        auth:
+          serverUrl: "http://seal.example.com:8080"
+          clientName: "my-quantum-im"
+        message:
+          messageServiceBaseUrl: "https://msg.example.com/api/v1"
+        file:
+          fileServiceBaseUrl: "https://fs.example.com/api/v1"
+```
+
+## 使用
+
+配置完成后重启 OpenClaw Gateway：
+
+```bash
+openclaw gateway restart
+```
+
+插件将自动连接到密信 IM 服务器，开始接收和发送消息。
+
+## License
+
+[MIT](./LICENSE)

package/dist/auth/oauth-client.d.ts

@@ -0,0 +1,99 @@
+/**
+ * openclaw-quantum-im — Seal OAuth HTTP 客户端
+ *
+ * 封装 Seal 授权服务器通信: register / getToken
+ * 基于《seal认证技术文档》OAuth2 Client Credentials 模式
+ *
+ * 安全要求:
+ *   - client_secret / access_token 不得出现在日志中 (仅前 8 位 + ***)
+ *   - HTTP 请求使用超时控制 (默认 30s)
+ */
+import type { SealConfig, SealClientRegistration, TokenData, IntrospectResult } from '../types.js';
+/** Seal API 错误 — HTTP 非 2xx 响应 */
+export declare class SealApiError extends Error {
+    readonly status: number;
+    readonly body: unknown;
+    readonly endpoint: string;
+    constructor(status: number, body: unknown, endpoint: string);
+}
+/** Token 获取失败 (含重试后仍失败) */
+export declare class TokenAcquireError extends Error {
+    constructor(message: string, options?: {
+        cause?: Error;
+    });
+}
+/** 脱敏 — 仅显示前 8 位 + *** */
+declare function sanitize(value: string): string;
+/** 延时等待 */
+declare function sleep(ms: number): Promise<void>;
+/**
+ * Seal OAuth HTTP 客户端 — 封装与 Seal 授权服务器的所有 HTTP 通信。
+ * 提供核心操作: 动态注册 / 获取令牌
+ *
+ * Introspect 暂不实现，保留接口签名。
+ */
+export declare class SealClient {
+    private readonly baseUrl;
+    private clientId?;
+    private clientSecret?;
+    private readonly clientName;
+    private readonly scopes;
+    constructor(config: SealConfig);
+    /**
+     * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
+     * @param method - HTTP 方法
+     * @param path - 请求路径 (如 '/seal/client/register')
+     * @param options - 请求选项
+     * @returns 解析后的 JSON 响应
+     * @throws SealApiError — HTTP 非 2xx 响应
+     */
+    private request;
+    /** 判断是否已注册 (有 clientId + clientSecret) */
+    isRegistered(): boolean;
+    /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
+    setCredentials(clientId: string, clientSecret: string): void;
+    /**
+     * 动态注册客户端 → POST /seal/client/register
+     *
+     * 首次运行时自动调用，获取 clientId 和 clientSecret。
+     * 注册成功后自动更新内部凭据。
+     */
+    register(params: {
+        /** 客户端显示名称 */
+        clientName: string;
+        /** 请求的 OAuth scope */
+        scopes: string[];
+        /** 授权类型 (默认包含 authorization_code, client_credentials, refresh_token) */
+        grantTypes?: string[];
+        /** 认证方法 (默认 ['client_secret_post']) */
+        authMethods?: string[];
+        /** 重定向 URI (默认 ['https://placeholder.local']) */
+        redirectUris?: string[];
+        /** Token 高级设置 */
+        tokenSettings?: {
+            accessTokenTtl?: string;
+            refreshTokenTtl?: string;
+            accessTokenFormat?: string;
+            reuseRefreshTokens?: boolean;
+        };
+    }): Promise<SealClientRegistration>;
+    /**
+     * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
+     *
+     * 使用客户端凭证模式获取 Access Token。
+     * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
+     *
+     * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
+     * @returns TokenData 包含 access_token、过期时间等
+     * @throws Error — clientId/clientSecret 未设置
+     * @throws SealApiError — HTTP 错误
+     */
+    getToken(scope?: string): Promise<TokenData>;
+    /**
+     * 令牌校验 → GET /seal/oauth2/introspect
+     * 暂不实现 — 保留接口签名，后续需要时再补充
+     */
+    introspect(_token: string): Promise<IntrospectResult>;
+}
+export { sanitize, sleep };
+//# sourceMappingURL=oauth-client.d.ts.map

package/dist/auth/oauth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../../src/auth/oauth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,sBAAsB,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAOnG,kCAAkC;AAClC,qBAAa,YAAa,SAAQ,KAAK;aAEnB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,OAAO;aACb,QAAQ,EAAE,MAAM;gBAFhB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,OAAO,EACb,QAAQ,EAAE,MAAM;CAKnC;AAED,2BAA2B;AAC3B,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,KAAK,CAAA;KAAE;CAIzD;AAID,0BAA0B;AAC1B,iBAAS,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGvC;AAED,WAAW;AACX,iBAAS,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAExC;AAKD;;;;;GAKG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAW;gBAEtB,MAAM,EAAE,UAAU;IAW9B;;;;;;;OAOG;YACW,OAAO;IA6DrB,0CAA0C;IAC1C,YAAY,IAAI,OAAO;IAIvB,mDAAmD;IACnD,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAM5D;;;;;OAKG;IACG,QAAQ,CAAC,MAAM,EAAE;QACrB,cAAc;QACd,UAAU,EAAE,MAAM,CAAC;QACnB,sBAAsB;QACtB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,wEAAwE;QACxE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,uCAAuC;QACvC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,iDAAiD;QACjD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,iBAAiB;QACjB,aAAa,CAAC,EAAE;YACd,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;YAC3B,kBAAkB,CAAC,EAAE,OAAO,CAAC;SAC9B,CAAC;KACH,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAqEnC;;;;;;;;;;OAUG;IACG,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IA6ClD;;;OAGG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;CAG5D;AAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC"}

package/dist/auth/oauth-client.js

@@ -0,0 +1,247 @@
+/**
+ * openclaw-quantum-im — Seal OAuth HTTP 客户端
+ *
+ * 封装 Seal 授权服务器通信: register / getToken
+ * 基于《seal认证技术文档》OAuth2 Client Credentials 模式
+ *
+ * 安全要求:
+ *   - client_secret / access_token 不得出现在日志中 (仅前 8 位 + ***)
+ *   - HTTP 请求使用超时控制 (默认 30s)
+ */
+import { createLogger } from '../logger.js';
+const log = createLogger('auth/oauth-client');
+// ── 错误类型 ──
+/** Seal API 错误 — HTTP 非 2xx 响应 */
+export class SealApiError extends Error {
+    status;
+    body;
+    endpoint;
+    constructor(status, body, endpoint) {
+        super(`Seal API error: ${status} on ${endpoint}`);
+        this.status = status;
+        this.body = body;
+        this.endpoint = endpoint;
+        this.name = 'SealApiError';
+    }
+}
+/** Token 获取失败 (含重试后仍失败) */
+export class TokenAcquireError extends Error {
+    constructor(message, options) {
+        super(message, options);
+        this.name = 'TokenAcquireError';
+    }
+}
+// ── 工具函数 ──
+/** 脱敏 — 仅显示前 8 位 + *** */
+function sanitize(value) {
+    if (value.length <= 8)
+        return '***';
+    return value.slice(0, 8) + '***';
+}
+/** 延时等待 */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// ── HTTP 请求默认超时 ──
+const DEFAULT_TIMEOUT_MS = 30_000;
+/**
+ * Seal OAuth HTTP 客户端 — 封装与 Seal 授权服务器的所有 HTTP 通信。
+ * 提供核心操作: 动态注册 / 获取令牌
+ *
+ * Introspect 暂不实现，保留接口签名。
+ */
+export class SealClient {
+    baseUrl;
+    clientId;
+    clientSecret;
+    clientName;
+    scopes;
+    constructor(config) {
+        this.baseUrl = config.serverUrl.replace(/\/+$/, ''); // 去除尾部斜杠
+        this.clientId = config.clientId;
+        this.clientSecret = config.clientSecret;
+        this.clientName = config.clientName;
+        this.scopes = config.scopes;
+        log.info('SealClient initialized', { serverUrl: this.baseUrl, clientName: config.clientName });
+    }
+    // ── 通用 HTTP 请求 ──
+    /**
+     * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
+     * @param method - HTTP 方法
+     * @param path - 请求路径 (如 '/seal/client/register')
+     * @param options - 请求选项
+     * @returns 解析后的 JSON 响应
+     * @throws SealApiError — HTTP 非 2xx 响应
+     */
+    async request(method, path, options = {}) {
+        const url = `${this.baseUrl}${path}`;
+        const timeout = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+        const headers = { ...options.headers };
+        let bodyStr;
+        if (options.body) {
+            if (options.contentType === 'form' || options.body instanceof URLSearchParams) {
+                headers['Content-Type'] = 'application/x-www-form-urlencoded';
+                bodyStr = options.body instanceof URLSearchParams
+                    ? options.body.toString()
+                    : new URLSearchParams(options.body).toString();
+            }
+            else {
+                headers['Content-Type'] = 'application/json';
+                bodyStr = JSON.stringify(options.body);
+            }
+        }
+        log.debug('HTTP request', { method, url });
+        const response = await fetch(url, {
+            method,
+            headers,
+            body: bodyStr,
+            signal: AbortSignal.timeout(timeout),
+        });
+        const responseBody = await response.text();
+        if (!response.ok) {
+            let parsedBody;
+            try {
+                parsedBody = JSON.parse(responseBody);
+            }
+            catch {
+                parsedBody = responseBody;
+            }
+            log.error('HTTP error', { method, url, status: response.status });
+            throw new SealApiError(response.status, parsedBody, path);
+        }
+        log.debug('HTTP response', { method, url, status: response.status });
+        try {
+            return JSON.parse(responseBody);
+        }
+        catch {
+            throw new SealApiError(response.status, responseBody, path);
+        }
+    }
+    // ── 公共方法 ──
+    /** 判断是否已注册 (有 clientId + clientSecret) */
+    isRegistered() {
+        return !!(this.clientId && this.clientSecret);
+    }
+    /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
+    setCredentials(clientId, clientSecret) {
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        log.info('Credentials updated', { clientId: sanitize(clientId) });
+    }
+    /**
+     * 动态注册客户端 → POST /seal/client/register
+     *
+     * 首次运行时自动调用，获取 clientId 和 clientSecret。
+     * 注册成功后自动更新内部凭据。
+     */
+    async register(params) {
+        // 构建 Seal API 请求体 (snake_case)
+        const body = {
+            client_name: params.clientName,
+            scopes: params.scopes,
+            authentication_methods: params.authMethods ?? ['client_secret_post'],
+            grant_types: params.grantTypes ?? ['authorization_code', 'client_credentials', 'refresh_token'],
+            redirect_uris: params.redirectUris ?? ['https://placeholder.local'],
+            logout_redirect_uris: [],
+            client_settings: {
+                'settings.client.require-authorization-consent': true,
+            },
+        };
+        // 映射 tokenSettings → Seal API 的 'settings.token.xxx' 格式
+        if (params.tokenSettings) {
+            const ts = {};
+            if (params.tokenSettings.accessTokenTtl) {
+                ts['settings.token.access-token-time-to-live'] = params.tokenSettings.accessTokenTtl;
+            }
+            if (params.tokenSettings.refreshTokenTtl) {
+                ts['settings.token.refresh-token-time-to-live'] = params.tokenSettings.refreshTokenTtl;
+            }
+            if (params.tokenSettings.accessTokenFormat) {
+                ts['settings.token.access-token-format'] = params.tokenSettings.accessTokenFormat;
+            }
+            if (params.tokenSettings.reuseRefreshTokens !== undefined) {
+                ts['settings.token.reuse-refresh-tokens'] = params.tokenSettings.reuseRefreshTokens;
+            }
+            // authorization-code-time-to-live 固定 300s
+            ts['settings.token.authorization-code-time-to-live'] = '300';
+            body.token_settings = ts;
+        }
+        log.info('Registering OAuth client', { clientName: params.clientName });
+        // 发请求
+        // 注意: 响应中的字段名与请求不同:
+        //   authentication_methods → client_authentication_methods
+        //   grant_types → authorization_grant_types
+        //   client_settings / token_settings → 返回为 JSON 字符串
+        const response = await this.request('POST', '/seal/client/register', { body, contentType: 'json' });
+        // 解析响应 → SealClientRegistration (仅提取关键字段)
+        const registration = {
+            clientId: response.client_id,
+            clientSecret: response.client_secret,
+            clientSecretExpiresAt: response.client_secret_expires_at ?? '',
+            clientIdIssuedAt: response.client_id_issued_at ?? '',
+            scopes: response.scopes ?? params.scopes,
+        };
+        // 自动更新内部凭据
+        this.setCredentials(registration.clientId, registration.clientSecret);
+        log.info('OAuth client registered', {
+            clientId: sanitize(registration.clientId),
+            clientSecret: sanitize(registration.clientSecret),
+            scopes: registration.scopes,
+            expiresAt: registration.clientSecretExpiresAt,
+        });
+        return registration;
+    }
+    /**
+     * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
+     *
+     * 使用客户端凭证模式获取 Access Token。
+     * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
+     *
+     * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
+     * @returns TokenData 包含 access_token、过期时间等
+     * @throws Error — clientId/clientSecret 未设置
+     * @throws SealApiError — HTTP 错误
+     */
+    async getToken(scope) {
+        if (!this.clientId || !this.clientSecret) {
+            throw new Error('Cannot get token: clientId and clientSecret are required. Call register() or setCredentials() first.');
+        }
+        // 构建 URL-encoded 请求体
+        const params = new URLSearchParams();
+        params.set('grant_type', 'client_credentials');
+        params.set('client_id', this.clientId);
+        params.set('client_secret', this.clientSecret);
+        if (scope) {
+            params.set('scope', scope);
+        }
+        log.info('Requesting access token', { clientId: sanitize(this.clientId) });
+        const response = await this.request('POST', '/seal/oauth2/token', { body: params, contentType: 'form' });
+        // 解析响应 → TokenData
+        const now = Date.now();
+        const expiresIn = response.expires_in;
+        const tokenData = {
+            accessToken: response.access_token,
+            tokenType: response.token_type ?? 'Bearer',
+            expiresIn,
+            scope: response.scope ?? '',
+            refreshToken: undefined, // Seal 不返回 refresh_token
+            grantedAt: now,
+            expiresAt: now + expiresIn * 1000,
+        };
+        log.info('Access token acquired', {
+            accessToken: sanitize(tokenData.accessToken),
+            expiresIn: tokenData.expiresIn,
+            scope: tokenData.scope,
+        });
+        return tokenData;
+    }
+    /**
+     * 令牌校验 → GET /seal/oauth2/introspect
+     * 暂不实现 — 保留接口签名，后续需要时再补充
+     */
+    async introspect(_token) {
+        throw new Error('introspect() not implemented yet — Seal introspect API 暂不使用');
+    }
+}
+export { sanitize, sleep };
+//# sourceMappingURL=oauth-client.js.map

package/dist/auth/oauth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../../src/auth/oauth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,GAAG,GAAG,YAAY,CAAC,mBAAmB,CAAC,CAAC;AAE9C,aAAa;AAEb,kCAAkC;AAClC,MAAM,OAAO,YAAa,SAAQ,KAAK;IAEnB;IACA;IACA;IAHlB,YACkB,MAAc,EACd,IAAa,EACb,QAAgB;QAEhC,KAAK,CAAC,mBAAmB,MAAM,OAAO,QAAQ,EAAE,CAAC,CAAC;QAJlC,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAS;QACb,aAAQ,GAAR,QAAQ,CAAQ;QAGhC,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF;AAED,2BAA2B;AAC3B,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YAAY,OAAe,EAAE,OAA2B;QACtD,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,aAAa;AAEb,0BAA0B;AAC1B,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;AACnC,CAAC;AAED,WAAW;AACX,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,oBAAoB;AACpB,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC;;;;;GAKG;AACH,MAAM,OAAO,UAAU;IACJ,OAAO,CAAS;IACzB,QAAQ,CAAU;IAClB,YAAY,CAAU;IACb,UAAU,CAAS;IACnB,MAAM,CAAW;IAElC,YAAY,MAAkB;QAC5B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAE,SAAS;QAC/D,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,mBAAmB;IAEnB;;;;;;;OAOG;IACK,KAAK,CAAC,OAAO,CACnB,MAAsB,EACtB,IAAY,EACZ,UAKI,EAAE;QAEN,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;QAExD,MAAM,OAAO,GAA2B,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QAC/D,IAAI,OAA2B,CAAC;QAEhC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,IAAI,OAAO,CAAC,WAAW,KAAK,MAAM,IAAI,OAAO,CAAC,IAAI,YAAY,eAAe,EAAE,CAAC;gBAC9E,OAAO,CAAC,cAAc,CAAC,GAAG,mCAAmC,CAAC;gBAC9D,OAAO,GAAG,OAAO,CAAC,IAAI,YAAY,eAAe;oBAC/C,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE;oBACzB,CAAC,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,IAA8B,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;gBAC7C,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAE3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,OAAO;YACP,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC;SACrC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE3C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,UAAmB,CAAC;YACxB,IAAI,CAAC;gBACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU,GAAG,YAAY,CAAC;YAC5B,CAAC;YACD,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAErE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAM,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,aAAa;IAEb,0CAA0C;IAC1C,YAAY;QACV,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAED,mDAAmD;IACnD,cAAc,CAAC,QAAgB,EAAE,YAAoB;QACnD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,CAAC,MAkBd;QACC,+BAA+B;QAC/B,MAAM,IAAI,GAA4B;YACpC,WAAW,EAAE,MAAM,CAAC,UAAU;YAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,sBAAsB,EAAE,MAAM,CAAC,WAAW,IAAI,CAAC,oBAAoB,CAAC;YACpE,WAAW,EAAE,MAAM,CAAC,UAAU,IAAI,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,eAAe,CAAC;YAC/F,aAAa,EAAE,MAAM,CAAC,YAAY,IAAI,CAAC,2BAA2B,CAAC;YACnE,oBAAoB,EAAE,EAAE;YACxB,eAAe,EAAE;gBACf,+CAA+C,EAAE,IAAI;aACtD;SACF,CAAC;QAEF,wDAAwD;QACxD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,EAAE,GAA4B,EAAE,CAAC;YACvC,IAAI,MAAM,CAAC,aAAa,CAAC,cAAc,EAAE,CAAC;gBACxC,EAAE,CAAC,0CAA0C,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,cAAc,CAAC;YACvF,CAAC;YACD,IAAI,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE,CAAC;gBACzC,EAAE,CAAC,2CAA2C,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,eAAe,CAAC;YACzF,CAAC;YACD,IAAI,MAAM,CAAC,aAAa,CAAC,iBAAiB,EAAE,CAAC;gBAC3C,EAAE,CAAC,oCAAoC,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,iBAAiB,CAAC;YACpF,CAAC;YACD,IAAI,MAAM,CAAC,aAAa,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;gBAC1D,EAAE,CAAC,qCAAqC,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,CAAC;YACtF,CAAC;YACD,0CAA0C;YAC1C,EAAE,CAAC,gDAAgD,CAAC,GAAG,KAAK,CAAC;YAC7D,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;QAC3B,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QAExE,MAAM;QACN,oBAAoB;QACpB,2DAA2D;QAC3D,4CAA4C;QAC5C,oDAAoD;QACpD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CACjC,MAAM,EACN,uBAAuB,EACvB,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAC9B,CAAC;QAEF,0CAA0C;QAC1C,MAAM,YAAY,GAA2B;YAC3C,QAAQ,EAAE,QAAQ,CAAC,SAAmB;YACtC,YAAY,EAAE,QAAQ,CAAC,aAAuB;YAC9C,qBAAqB,EAAG,QAAQ,CAAC,wBAAmC,IAAI,EAAE;YAC1E,gBAAgB,EAAG,QAAQ,CAAC,mBAA8B,IAAI,EAAE;YAChE,MAAM,EAAG,QAAQ,CAAC,MAAmB,IAAI,MAAM,CAAC,MAAM;SACvD,CAAC;QAEF,WAAW;QACX,IAAI,CAAC,cAAc,CAAC,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;QAEtE,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE;YAClC,QAAQ,EAAE,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC;YACzC,YAAY,EAAE,QAAQ,CAAC,YAAY,CAAC,YAAY,CAAC;YACjD,MAAM,EAAE,YAAY,CAAC,MAAM;YAC3B,SAAS,EAAE,YAAY,CAAC,qBAAqB;SAC9C,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAc;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,sGAAsG,CAAC,CAAC;QAC1H,CAAC;QAED,qBAAqB;QACrB,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAE3E,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CACjC,MAAM,EACN,oBAAoB,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,CACtC,CAAC;QAEF,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAoB,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,WAAW,EAAE,QAAQ,CAAC,YAAsB;YAC5C,SAAS,EAAG,QAAQ,CAAC,UAAuB,IAAI,QAAQ;YACxD,SAAS;YACT,KAAK,EAAG,QAAQ,CAAC,KAAgB,IAAI,EAAE;YACvC,YAAY,EAAE,SAAS,EAAG,yBAAyB;YACnD,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,SAAS,GAAG,IAAI;SAClC,CAAC;QAEF,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE;YAChC,WAAW,EAAE,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC;YAC5C,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,KAAK,EAAE,SAAS,CAAC,KAAK;SACvB,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,MAAc;QAC7B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;CACF;AAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC"}

package/dist/auth/token-manager.d.ts

@@ -0,0 +1,118 @@
+/**
+ * openclaw-quantum-im — Token 生命周期管理
+ *
+ * 自动获取 / 缓存 / 过期重取 / 并发锁 / scope 检查 / 定时刷新
+ *
+ * Token 生命周期策略:
+ *   - 首次调用: 检查本地缓存 → 未命中则注册(autoRegister) → 获取 Token → 缓存
+ *   - 过期处理: 直接重新调用 POST /seal/oauth2/token 获取新 Token (无 refresh_token)
+ *   - 提前刷新: Token 过期前 refreshAheadMs 毫秒自动重新获取
+ *   - 并发锁: 多个并发请求共享同一个 Token 获取 Promise
+ *
+ * 安全要求:
+ *   - 并发锁防止多个请求同时获取 Token
+ *   - 重试策略有最大次数限制 (3 次)
+ *   - 指数退避: 1s, 2s, 4s
+ */
+import type { IntrospectResult } from '../types.js';
+import type { SealClient } from './oauth-client.js';
+import type { TokenStore } from './token-store.js';
+/**
+ * Token 生命周期管理器 — 自动处理令牌的获取、缓存、过期重取和并发控制。
+ *
+ * 核心方法:
+ *   getValidToken()  — 获取有效的 access_token (自动获取/重取/并发锁)
+ *   hasScope(scope)  — 检查当前令牌是否包含指定的 scope
+ *   isAuthorized()   — 检查是否持有有效令牌
+ *   revokeAndClear() — 废置并清除所有令牌
+ *   shutdown()       — 清理定时器和并发锁
+ */
+export declare class TokenManager {
+    private readonly sealClient;
+    private readonly tokenStore;
+    /** Token 过期前提前刷新的时间 (ms) */
+    private readonly refreshAheadMs;
+    /** 自动注册的参数 */
+    private readonly autoRegisterParams?;
+    /** 内存中缓存的 access_token */
+    private cachedToken;
+    /** 内存中缓存的 scope (用于 hasScope 检查) */
+    private cachedScope;
+    /** 完整的 TokenData (用于过期判断) */
+    private currentTokenData;
+    /** 并发刷新锁 — 多个并发 getValidToken() 调用共用同一个 Promise */
+    private refreshLock;
+    /** 定时刷新器句柄 */
+    private refreshTimer;
+    constructor(deps: {
+        sealClient: SealClient;
+        tokenStore: TokenStore;
+        refreshAheadMs?: number;
+        /** 自动注册参数 — autoRegister=true 时使用 */
+        autoRegisterParams?: {
+            clientName: string;
+            scopes: string[];
+            tokenSettings?: {
+                accessTokenTtl?: string;
+                refreshTokenTtl?: string;
+                accessTokenFormat?: string;
+            };
+        };
+    });
+    /**
+     * 获取有效的 access_token — 自动获取/重取，含并发锁。
+     *
+     * 流程:
+     *   1. 内存缓存检查: cachedToken 存在且未过期 → 直接返回
+     *   2. 并发锁检查: refreshLock 不为 null → await 共享 Promise
+     *   3. 慢路径: 设置 refreshLock → _acquireTokenWithRetry() → 清除锁
+     *
+     * @returns 有效的 access_token 字符串
+     */
+    getValidToken(): Promise<string>;
+    /**
+     * 令牌自省 — 暂不实现，后续补充。
+     * 返回的 identity_id 用于 gate.ts 的 anti-loop 检查 (bot 自己的 ID)。
+     */
+    introspect(): Promise<IntrospectResult>;
+    /** 检查当前令牌是否包含指定的 scope */
+    hasScope(scope: string): boolean;
+    /** 检查是否已授权 (是否持有有效令牌) */
+    isAuthorized(): boolean;
+    /** 废置并清除所有令牌 (包括文件存储和内存缓存) */
+    revokeAndClear(): Promise<void>;
+    /** 清理定时器和并发锁 — 优雅关闭时调用 */
+    shutdown(): void;
+    /**
+     * Token 获取 + 指数退避重试
+     *
+     * 重试策略:
+     *   - 网络错误 / 5xx → 重试 (最多 3 次)
+     *   - 401/403 → 不重试 (client_secret 可能无效)
+     */
+    private _acquireTokenWithRetry;
+    /**
+     * Token 获取核心逻辑
+     *
+     * 流程:
+     *   1. 尝试从 TokenStore 加载缓存
+     *   2. 检查是否需要注册客户端
+     *   3. 调用 SealClient.getToken() 获取新 Token
+     *   4. 保存到内存缓存 + TokenStore
+     *   5. 设置定时刷新器
+     */
+    private _acquireToken;
+    /** 更新内存缓存 */
+    private updateCache;
+    /** Token 是否需要刷新 (含提前量) — 用于触发主动刷新 */
+    private isTokenExpired;
+    /** Token 是否真正过期 (不含提前量) — 用于判断缓存的 Token 是否还能用 */
+    private isTokenHardExpired;
+    /**
+     * 设置定时刷新器 — 在 Token 过期前 refreshAheadMs 毫秒自动重新获取
+     */
+    private scheduleRefresh;
+    /** 清除定时刷新器 */
+    private clearRefreshTimer;
+}
+//# sourceMappingURL=token-manager.d.ts.map

package/dist/auth/token-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/auth/token-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAa,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEpD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAgBnD;;;;;;;;;GASG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,4BAA4B;IAC5B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IAExC,cAAc;IACd,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAQlC;IAIF,0BAA0B;IAC1B,OAAO,CAAC,WAAW,CAAuB;IAC1C,oCAAoC;IACpC,OAAO,CAAC,WAAW,CAAuB;IAC1C,6BAA6B;IAC7B,OAAO,CAAC,gBAAgB,CAA0B;IAIlD,mDAAmD;IACnD,OAAO,CAAC,WAAW,CAAgC;IACnD,cAAc;IACd,OAAO,CAAC,YAAY,CAA8C;gBAEtD,IAAI,EAAE;QAChB,UAAU,EAAE,UAAU,CAAC;QACvB,UAAU,EAAE,UAAU,CAAC;QACvB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,qCAAqC;QACrC,kBAAkB,CAAC,EAAE;YACnB,UAAU,EAAE,MAAM,CAAC;YACnB,MAAM,EAAE,MAAM,EAAE,CAAC;YACjB,aAAa,CAAC,EAAE;gBACd,cAAc,CAAC,EAAE,MAAM,CAAC;gBACxB,eAAe,CAAC,EAAE,MAAM,CAAC;gBACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;aAC5B,CAAC;SACH,CAAC;KACH;IAUD;;;;;;;;;OASG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;IAqBtC;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAI7C,0BAA0B;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAKhC,yBAAyB;IACzB,YAAY,IAAI,OAAO;IAIvB,8BAA8B;IACxB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IASrC,0BAA0B;IAC1B,QAAQ,IAAI,IAAI;IAQhB;;;;;;OAMG;YACW,sBAAsB;IAoCpC;;;;;;;;;OASG;YACW,aAAa;IA+E3B,aAAa;IACb,OAAO,CAAC,WAAW;IAQnB,qCAAqC;IACrC,OAAO,CAAC,cAAc;IAItB,iDAAiD;IACjD,OAAO,CAAC,kBAAkB;IAM1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAqCvB,cAAc;IACd,OAAO,CAAC,iBAAiB;CAM1B"}