npm - liangzimixin - Versions diffs - 0.2.17 → 0.3.1 - Mend

liangzimixin 0.2.17 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.cjs CHANGED Viewed

@@ -3658,7 +3658,7 @@ __export(index_exports, {
   startPlugin: () => startPlugin
 });
 module.exports = __toCommonJS(index_exports);
-var import_node_path3 = require("path");
+var import_node_path2 = require("path");
 var import_node_os = require("os");
 // node_modules/zod/v4/classic/external.js
@@ -17454,14 +17454,6 @@ var AccountConfigSchema = external_exports.object({
   "quantum-appId": external_exports.string().min(1, "quantum-appId \u4E0D\u80FD\u4E3A\u7A7A"),
   /** 🔴 量子服务密钥 — 用于量子密钥分发 */
   "quantum-appSecret": external_exports.string().min(1, "quantum-appSecret \u4E0D\u80FD\u4E3A\u7A7A"),
-  /** 🔴 PIN 口令 — 保护本地敏感数据 (切勿泄露, 修改后需删除旧密钥数据) */
-  pin: external_exports.string().min(1, "pin \u4E0D\u80FD\u4E3A\u7A7A"),
-  /**
-   * 🟡 量子密服地址 — 默认生产环境
-   * 测试环境: http://223.244.14.238:8552
-   * 生产环境: https://cmsp.zdxlz.com:8552
-   */
-  "quantum-url": external_exports.string().url().optional().default("https://cmsp.zdxlz.com:8552"),
   /**
    * 🟡 Bot 自己的用户 ID — 用于 anti-loop 检查
    * 如果不填，需要通过其他 API 在运行时获取。
@@ -17473,8 +17465,6 @@ var AccountConfigSchema = external_exports.object({
   quantumAccount: raw["quantum-account"],
   quantumAppId: raw["quantum-appId"],
   quantumAppSecret: raw["quantum-appSecret"],
-  pin: raw.pin,
-  quantumUrl: raw["quantum-url"],
   botUserId: raw.botUserId
 }));
 var DEFAULT_INTERNAL_CONFIG = {
@@ -17493,12 +17483,14 @@ var DEFAULT_INTERNAL_CONFIG = {
     }
   },
   auth: {
-    serverUrl: process.env.LZMX_AUTH_URL || "https://imtwo.zdxlz.com/open-apis/v1",
+    serverUrl: process.env.LZMX_AUTH_URL || "https://seal.example.com",
+    clientName: "liangzimixin",
+    scopes: ["openid", "im_sdk", "data_operate", "offline_access"],
+    autoRegister: true,
     refreshAheadMs: 3e5
   },
   crypto: {
-    enabled: false,
-    // 暂时关闭量子加密 (SDK 尚未部署到生产环境)
+    enabled: true,
     keySource: "env",
     envKey: "QUANTUM_ENCRYPTION_KEY"
   },
@@ -17982,7 +17974,7 @@ async function resolveAndUploadMedia(params) {
       };
     }
     const msgType = fileType;
-    const contentPayload = fileType === "file" ? { fileId: uploadResult.fileKey, fileName, size: uploadResult.fileSize } : { fileId: uploadResult.fileKey };
+    const contentPayload = fileType === "file" ? { fileKey: uploadResult.fileKey, filename: fileName, size: uploadResult.fileSize } : { fileKey: uploadResult.fileKey };
     await messagePipe.sendMessage({
       chatId,
       senderId: chatId,
@@ -17992,7 +17984,7 @@ async function resolveAndUploadMedia(params) {
     });
     log3.info("media:sent", {
       chatId,
-      fileId: uploadResult.fileKey,
+      fileKey: uploadResult.fileKey,
       msgType
     });
     return {
@@ -18119,20 +18111,20 @@ ${body}` : body || raw.content;
     }
     case "image": {
       const c = parsed;
-      fileId = c?.fileId;
+      fileId = c?.fileKey;
       text = c?.altText ?? (fileId ? `![image](${fileId})` : "[image]");
       break;
     }
     case "file": {
       const c = parsed;
-      fileId = c?.fileId;
-      fileName = c?.fileName;
+      fileId = c?.fileKey;
+      fileName = c?.filename;
       text = fileName ? `[File: ${fileName}]` : "[file]";
       break;
     }
     case "voice": {
       const c = parsed;
-      fileId = c?.fileId;
+      fileId = c?.fileKey;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Voice${durationStr}]`;
@@ -18140,7 +18132,7 @@ ${body}` : body || raw.content;
     }
     case "video": {
       const c = parsed;
-      fileId = c?.fileId;
+      fileId = c?.fileKey;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Video${durationStr}]`;
@@ -18462,7 +18454,7 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
   title: "\u91CF\u5B50\u5BC6\u4FE1 IM \u63D2\u4EF6\u914D\u7F6E",
   description: "\u5BC6\u4FE1 IM Channel \u63D2\u4EF6\uFF0C\u652F\u6301\u91CF\u5B50\u52A0\u5BC6\u7684\u5B89\u5168\u5373\u65F6\u901A\u4FE1\u3002",
   type: "object",
-  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret", "pin"],
+  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret"],
   properties: {
     appId: {
       type: "string",
@@ -18496,19 +18488,6 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
       minLength: 1,
       format: "password"
     },
-    pin: {
-      type: "string",
-      title: "PIN \u53E3\u4EE4",
-      description: "\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E\u7684\u53E3\u4EE4\uFF0C\u7531\u7528\u6237\u81EA\u5B9A\u4E49\uFF08\u5207\u52FF\u6CC4\u9732\uFF0C\u4FEE\u6539\u540E\u8BF7\u5220\u9664\u65E7\u5BC6\u94A5\u6570\u636E\uFF09",
-      minLength: 1,
-      format: "password"
-    },
-    "quantum-url": {
-      type: "string",
-      title: "\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
-      description: "\u91CF\u5B50\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u5730\u5740\u3002\u6D4B\u8BD5\u73AF\u5883: http://223.244.14.238:8552\uFF0C\u751F\u4EA7\u73AF\u5883: https://cmsp.zdxlz.com:8552",
-      default: "https://cmsp.zdxlz.com:8552"
-    },
     botUserId: {
       type: "string",
       title: "Bot \u7528\u6237 ID",
@@ -18602,7 +18581,6 @@ var quantumImOnboarding = {
         "\u8BF7\u51C6\u5907\u4EE5\u4E0B\u4FE1\u606F:",
         "  1. \u5E73\u53F0\u7533\u8BF7\u7684 appId \u548C appSecret",
         "  2. \u91CF\u5B50\u52A0\u5BC6\u670D\u52A1\u7684\u8D26\u6237\u3001appId \u548C appSecret",
-        "  3. \u4FDD\u62A4\u672C\u5730\u5BC6\u94A5\u6570\u636E\u7684 PIN \u53E3\u4EE4",
         "",
         "\u5982\u6709\u7591\u95EE\u8BF7\u8054\u7CFB\u5E73\u53F0\u7BA1\u7406\u5458\u83B7\u53D6\u3002"
       ].join("\n"),
@@ -18634,36 +18612,6 @@ var quantumImOnboarding = {
       initialValue: existing["quantum-appSecret"] ?? void 0,
       validate: required2
     });
-    const pin = await prompter.text({
-      message: "PIN \u53E3\u4EE4 (\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E, \u5207\u52FF\u6CC4\u9732)",
-      initialValue: existing.pin ?? void 0,
-      validate: required2
-    });
-    const urlChoice = await prompter.select({
-      message: "\u91CF\u5B50\u5BC6\u670D\u73AF\u5883",
-      options: [
-        { value: "https://cmsp.zdxlz.com:8552", label: "\u751F\u4EA7\u73AF\u5883", hint: "https://cmsp.zdxlz.com:8552" },
-        { value: "http://223.244.14.238:8552", label: "\u6D4B\u8BD5\u73AF\u5883", hint: "http://223.244.14.238:8552" },
-        { value: "custom", label: "\u81EA\u5B9A\u4E49\u5730\u5740" }
-      ],
-      initialValue: existing["quantum-url"] ?? "https://cmsp.zdxlz.com:8552"
-    });
-    let quantumUrl = urlChoice;
-    if (urlChoice === "custom") {
-      quantumUrl = await prompter.text({
-        message: "\u8BF7\u8F93\u5165\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
-        placeholder: "https://your-server:8552",
-        validate: (v) => {
-          if (!v.trim()) return "\u4E0D\u80FD\u4E3A\u7A7A";
-          try {
-            new URL(v);
-          } catch {
-            return "\u8BF7\u8F93\u5165\u5408\u6CD5\u7684 URL";
-          }
-          return void 0;
-        }
-      });
-    }
     const channels = cfg.channels ?? {};
     const channelCfg = channels[CHANNEL_ID] ?? {};
     const accounts = channelCfg.accounts ?? {};
@@ -18681,9 +18629,7 @@ var quantumImOnboarding = {
               appSecret: appSecret.trim(),
               "quantum-account": quantumAccount.trim(),
               "quantum-appId": quantumAppId.trim(),
-              "quantum-appSecret": quantumAppSecret.trim(),
-              pin: pin.trim(),
-              "quantum-url": quantumUrl.trim()
+              "quantum-appSecret": quantumAppSecret.trim()
             }
           }
         }
@@ -18868,7 +18814,6 @@ var quantumImPlugin = {
 // src/crypto/quantun-plug-adapter.ts
 var import_node_module = require("module");
-var import_node_url = require("url");
 var import_meta = {};
 var log14 = createLogger("crypto/quantun-plug-adapter");
 var SM4_MODE = {
@@ -18878,8 +18823,7 @@ var SM4_MODE = {
   CBC_PKCS7PADDING: 4
 };
 var DEFAULT_ENCRYPT_MODE = SM4_MODE.CBC_PKCS7PADDING;
-var _currentUrl = typeof __filename !== "undefined" ? (0, import_node_url.pathToFileURL)(__filename).href : import_meta.url;
-var require2 = (0, import_node_module.createRequire)(_currentUrl);
+var require2 = (0, import_node_module.createRequire)(import_meta.url);
 var quantunPlug = null;
 try {
   quantunPlug = require2("./sdk/index.min.cjs");
@@ -18890,32 +18834,8 @@ try {
 }
 var quantun_plug_adapter_default = quantunPlug;
-// src/crypto/quantum-config-writer.ts
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-var import_node_url2 = require("url");
-var import_meta2 = {};
-var log15 = createLogger("crypto/quantum-config-writer");
-var _currentDir = typeof __dirname !== "undefined" ? __dirname : (0, import_node_path.dirname)((0, import_node_url2.fileURLToPath)(import_meta2.url));
-var QUANTUM_JSON_PATH = (0, import_node_path.join)(
-  _currentDir,
-  "sdk",
-  "quantum.json"
-);
-function writeQuantumConfig(credentials) {
-  const sdkConfig = {
-    account: credentials.quantumAccount,
-    appID: credentials.quantumAppId,
-    pin: credentials.pin,
-    authCode: credentials.quantumAppSecret,
-    url: credentials.quantumUrl
-  };
-  (0, import_node_fs.writeFileSync)(QUANTUM_JSON_PATH, JSON.stringify(sdkConfig, null, 2), "utf-8");
-  log15.info("quantum.json written to", QUANTUM_JSON_PATH);
-}
 // src/crypto/crypto-engine.ts
-var log16 = createLogger("crypto/crypto-engine");
+var log15 = createLogger("crypto/crypto-engine");
 var PASSTHROUGH_KEY_ID = "passthrough";
 var FILE_CHUNK_SIZE = 10 * 1024 * 1024;
 var FILE_DECRYPT_CHUNK_SIZE = FILE_CHUNK_SIZE + 16;
@@ -18926,26 +18846,20 @@ var CryptoEngine = class _CryptoEngine {
   initialized;
   /** 是否为透传模式 (不加密, 明文直接透传) */
   passthrough;
-  /** 用户凭据 — 用于生成 quantum.json (透传模式下为 undefined) */
-  credentials;
   /**
    * 构造加密引擎
    *
-   * @param opts - 构造选项
-   * @param opts.passthrough - true 为透传模式 (不加密); false 为加密模式 (默认)
-   * @param opts.credentials - 用户凭据 (加密模式必需, 用于生成 quantum.json)
+   * @param passthrough - true 为透传模式 (不加密); false 为加密模式 (默认)
    *
    * 请使用静态工厂方法:
-   *   - new CryptoEngine({ credentials })          → 加密模式, 使用量子 SDK
+   *   - new CryptoEngine()          → 加密模式, 使用量子 SDK
    *   - CryptoEngine.createPassthrough() → 透传模式, 无需 init()
    */
-  constructor(opts = {}) {
-    const { passthrough = false, credentials } = opts;
+  constructor(passthrough = false) {
     this.passthrough = passthrough;
-    this.credentials = credentials;
     this.plug = passthrough ? null : quantun_plug_adapter_default;
     this.initialized = passthrough;
-    log16.info(`CryptoEngine created (${passthrough ? "passthrough mode \u2014 crypto disabled" : "quantum SDK mode"})`);
+    log15.info(`CryptoEngine created (${passthrough ? "passthrough mode \u2014 crypto disabled" : "quantum SDK mode"})`);
   }
   /**
    * 创建透传模式的加密引擎 (静态工厂方法)
@@ -18959,7 +18873,7 @@ var CryptoEngine = class _CryptoEngine {
    * 上层模块 (TokenStore, MessagePipe) 无需感知加密是否开启。
    */
   static createPassthrough() {
-    return new _CryptoEngine({ passthrough: true });
+    return new _CryptoEngine(true);
   }
   /**
    * 初始化加密引擎
@@ -18977,12 +18891,9 @@ var CryptoEngine = class _CryptoEngine {
     if (!this.plug) {
       throw new Error("Quantum encryption SDK is missing. Cannot initialize in encryption mode (check dist/index.min.cjs).");
     }
-    if (this.credentials) {
-      writeQuantumConfig(this.credentials);
-    }
     await this.plug.init();
     this.initialized = true;
-    log16.info("CryptoEngine initialized \u2713");
+    log15.info("CryptoEngine initialized \u2713");
   }
   /**
    * 加密明文
@@ -18998,12 +18909,12 @@ var CryptoEngine = class _CryptoEngine {
    */
   async encrypt(plaintext) {
     if (this.passthrough) {
-      log16.debug("Encrypt (passthrough)", { length: plaintext.length });
+      log15.debug("Encrypt (passthrough)", { length: plaintext.length });
       return { ciphertext: plaintext, keyId: PASSTHROUGH_KEY_ID };
     }
     const plug = this.requirePlug();
     const result = await plug.encrypt(plaintext, DEFAULT_ENCRYPT_MODE);
-    log16.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
+    log15.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
     return { ciphertext: result.cipherText, keyId: result.keyId };
   }
   /**
@@ -19019,12 +18930,12 @@ var CryptoEngine = class _CryptoEngine {
    */
   async decrypt(ciphertext, keyId) {
     if (this.passthrough) {
-      log16.debug("Decrypt (passthrough)", { keyId });
+      log15.debug("Decrypt (passthrough)", { keyId });
       return ciphertext;
     }
     const plug = this.requirePlug();
     const result = await plug.decrypt(ciphertext, keyId, DEFAULT_ENCRYPT_MODE);
-    log16.debug("Decrypted", { keyId });
+    log15.debug("Decrypted", { keyId });
     return result.plainText;
   }
   /**
@@ -19041,7 +18952,7 @@ var CryptoEngine = class _CryptoEngine {
    */
   async encryptFile(fileData) {
     if (this.passthrough) {
-      log16.debug("EncryptFile (passthrough)", { size: fileData.length });
+      log15.debug("EncryptFile (passthrough)", { size: fileData.length });
       return { fileBuffer: fileData, keyId: PASSTHROUGH_KEY_ID };
     }
     if (fileData.length === 0) {
@@ -19053,7 +18964,7 @@ var CryptoEngine = class _CryptoEngine {
     let sessionKey;
     let fillKey;
     const plug = this.requirePlug();
-    log16.debug("EncryptFile", { size: fileData.length, chunks: total });
+    log15.debug("EncryptFile", { size: fileData.length, chunks: total });
     for (let i = 0; i < total; i++) {
       const start = i * FILE_CHUNK_SIZE;
       const end = Math.min(start + FILE_CHUNK_SIZE, fileData.length);
@@ -19068,7 +18979,7 @@ var CryptoEngine = class _CryptoEngine {
       sessionKey = result.sessionKey;
       fillKey = result.fillKey;
     }
-    log16.debug("EncryptFile done", { keyId, chunks: total });
+    log15.debug("EncryptFile done", { keyId, chunks: total });
     return { fileBuffer: Buffer.concat(chunks), keyId: keyId ?? "" };
   }
   /**
@@ -19086,7 +18997,7 @@ var CryptoEngine = class _CryptoEngine {
    */
   async decryptFile(fileData, keyId) {
     if (this.passthrough) {
-      log16.debug("DecryptFile (passthrough)", { keyId });
+      log15.debug("DecryptFile (passthrough)", { keyId });
       return fileData;
     }
     if (fileData.length === 0) {
@@ -19097,7 +19008,7 @@ var CryptoEngine = class _CryptoEngine {
     const total = Math.ceil(fileData.length / FILE_DECRYPT_CHUNK_SIZE);
     let sessionKey;
     let fillKey;
-    log16.debug("DecryptFile", { size: fileData.length, chunks: total, keyId });
+    log15.debug("DecryptFile", { size: fileData.length, chunks: total, keyId });
     for (let i = 0; i < total; i++) {
       const start = i * FILE_DECRYPT_CHUNK_SIZE;
       const end = Math.min(start + FILE_DECRYPT_CHUNK_SIZE, fileData.length);
@@ -19110,7 +19021,7 @@ var CryptoEngine = class _CryptoEngine {
       sessionKey = result.sessionKey;
       fillKey = result.fillKey;
     }
-    log16.debug("DecryptFile done", { keyId, chunks: total });
+    log15.debug("DecryptFile done", { keyId, chunks: total });
     return Buffer.concat(chunks);
   }
   /**
@@ -19133,14 +19044,14 @@ var CryptoEngine = class _CryptoEngine {
 };
 // src/auth/oauth-client.ts
-var log17 = createLogger("auth/oauth-client");
-var ApiError = class extends Error {
+var log16 = createLogger("auth/oauth-client");
+var SealApiError = class extends Error {
   constructor(status, body, endpoint) {
-    super(`API error: ${status} on ${endpoint}`);
+    super(`Seal API error: ${status} on ${endpoint}`);
     this.status = status;
     this.body = body;
     this.endpoint = endpoint;
-    this.name = "ApiError";
+    this.name = "SealApiError";
   }
 };
 var TokenAcquireError = class extends Error {
@@ -19157,21 +19068,28 @@ function sleep(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 var DEFAULT_TIMEOUT_MS = 3e4;
-var GRANT_TYPE = "client_credentials";
-var SCOPE = "client_credentials refresh_token";
-var OAuthClient = class {
+var SealClient = class {
   baseUrl;
-  appId;
-  appSecret;
+  clientId;
+  clientSecret;
+  clientName;
+  scopes;
   constructor(config2) {
-    this.baseUrl = config2.baseUrl.replace(/\/+$/, "");
-    this.appId = config2.appId;
-    this.appSecret = config2.appSecret;
-    log17.info("OAuthClient initialized", { baseUrl: this.baseUrl, appId: sanitize(this.appId) });
+    this.baseUrl = config2.serverUrl.replace(/\/+$/, "");
+    this.clientId = config2.clientId;
+    this.clientSecret = config2.clientSecret;
+    this.clientName = config2.clientName;
+    this.scopes = config2.scopes;
+    log16.info("SealClient initialized", { serverUrl: this.baseUrl, clientName: config2.clientName });
   }
   // ── 通用 HTTP 请求 ──
   /**
    * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
+   * @param method - HTTP 方法
+   * @param path - 请求路径 (如 '/seal/client/register')
+   * @param options - 请求选项
+   * @returns 解析后的 JSON 响应
+   * @throws SealApiError — HTTP 非 2xx 响应
    */
   async request(method, path2, options = {}) {
     const url2 = `${this.baseUrl}${path2}`;
@@ -19187,7 +19105,7 @@ var OAuthClient = class {
         bodyStr = JSON.stringify(options.body);
       }
     }
-    log17.debug("HTTP request", { method, url: url2 });
+    log16.debug("HTTP request", { method, url: url2 });
     const response = await fetch(url2, {
       method,
       headers,
@@ -19202,39 +19120,110 @@ var OAuthClient = class {
       } catch {
         parsedBody = responseBody;
       }
-      log17.error("HTTP error", { method, url: url2, status: response.status });
-      throw new ApiError(response.status, parsedBody, path2);
+      log16.error("HTTP error", { method, url: url2, status: response.status });
+      throw new SealApiError(response.status, parsedBody, path2);
     }
-    log17.debug("HTTP response", { method, url: url2, status: response.status });
+    log16.debug("HTTP response", { method, url: url2, status: response.status });
     try {
       return JSON.parse(responseBody);
     } catch {
-      throw new ApiError(response.status, responseBody, path2);
+      throw new SealApiError(response.status, responseBody, path2);
     }
   }
   // ── 公共方法 ──
+  /** 判断是否已注册 (有 clientId + clientSecret) */
+  isRegistered() {
+    return !!(this.clientId && this.clientSecret);
+  }
+  /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
+  setCredentials(clientId, clientSecret) {
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    log16.info("Credentials updated", { clientId: sanitize(clientId) });
+  }
   /**
-   * 获取访问令牌 → POST /auth/token (client_credentials)
+   * 动态注册客户端 → POST /seal/client/register
    *
-   * 请求参数 (x-www-form-urlencoded):
-   *   - grant_type: client_credentials (写死)
-   *   - client_id: appId
-   *   - client_secret: appSecret
-   *   - scope: client_credentials refresh_token (写死)
+   * 首次运行时自动调用，获取 clientId 和 clientSecret。
+   * 注册成功后自动更新内部凭据。
+   */
+  async register(params) {
+    const body = {
+      client_name: params.clientName,
+      scopes: params.scopes,
+      authentication_methods: params.authMethods ?? ["client_secret_post"],
+      grant_types: params.grantTypes ?? ["authorization_code", "client_credentials", "refresh_token"],
+      redirect_uris: params.redirectUris ?? ["https://placeholder.local"],
+      logout_redirect_uris: [],
+      client_settings: {
+        "settings.client.require-authorization-consent": true
+      }
+    };
+    if (params.tokenSettings) {
+      const ts = {};
+      if (params.tokenSettings.accessTokenTtl) {
+        ts["settings.token.access-token-time-to-live"] = params.tokenSettings.accessTokenTtl;
+      }
+      if (params.tokenSettings.refreshTokenTtl) {
+        ts["settings.token.refresh-token-time-to-live"] = params.tokenSettings.refreshTokenTtl;
+      }
+      if (params.tokenSettings.accessTokenFormat) {
+        ts["settings.token.access-token-format"] = params.tokenSettings.accessTokenFormat;
+      }
+      if (params.tokenSettings.reuseRefreshTokens !== void 0) {
+        ts["settings.token.reuse-refresh-tokens"] = params.tokenSettings.reuseRefreshTokens;
+      }
+      ts["settings.token.authorization-code-time-to-live"] = "300";
+      body.token_settings = ts;
+    }
+    log16.info("Registering OAuth client", { clientName: params.clientName });
+    const response = await this.request(
+      "POST",
+      "/seal/client/register",
+      { body, contentType: "json" }
+    );
+    const registration = {
+      clientId: response.client_id,
+      clientSecret: response.client_secret,
+      clientSecretExpiresAt: response.client_secret_expires_at ?? "",
+      clientIdIssuedAt: response.client_id_issued_at ?? "",
+      scopes: response.scopes ?? params.scopes
+    };
+    this.setCredentials(registration.clientId, registration.clientSecret);
+    log16.info("OAuth client registered", {
+      clientId: sanitize(registration.clientId),
+      clientSecret: sanitize(registration.clientSecret),
+      scopes: registration.scopes,
+      expiresAt: registration.clientSecretExpiresAt
+    });
+    return registration;
+  }
+  /**
+   * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
    *
+   * 使用客户端凭证模式获取 Access Token。
+   * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
+   *
+   * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
    * @returns TokenData 包含 access_token、过期时间等
-   * @throws ApiError — HTTP 错误
+   * @throws Error — clientId/clientSecret 未设置
+   * @throws SealApiError — HTTP 错误
    */
-  async getToken() {
+  async getToken(scope) {
+    if (!this.clientId || !this.clientSecret) {
+      throw new Error("Cannot get token: clientId and clientSecret are required. Call register() or setCredentials() first.");
+    }
     const params = new URLSearchParams();
-    params.set("grant_type", GRANT_TYPE);
-    params.set("client_id", this.appId);
-    params.set("client_secret", this.appSecret);
-    params.set("scope", SCOPE);
-    log17.info("Requesting access token", { appId: sanitize(this.appId) });
+    params.set("grant_type", "client_credentials");
+    params.set("client_id", this.clientId);
+    params.set("client_secret", this.clientSecret);
+    if (scope) {
+      params.set("scope", scope);
+    }
+    log16.info("Requesting access token", { clientId: sanitize(this.clientId) });
     const response = await this.request(
       "POST",
-      "/auth/token",
+      "/seal/oauth2/token",
       { body: params, contentType: "form" }
     );
     const now = Date.now();
@@ -19245,28 +19234,32 @@ var OAuthClient = class {
       expiresIn,
       scope: response.scope ?? "",
       refreshToken: void 0,
+      // Seal 不返回 refresh_token
       grantedAt: now,
       expiresAt: now + expiresIn * 1e3
     };
-    log17.info("Access token acquired", {
+    log16.info("Access token acquired", {
       accessToken: sanitize(tokenData.accessToken),
       expiresIn: tokenData.expiresIn,
       scope: tokenData.scope
     });
     return tokenData;
   }
-  /** 获取 baseUrl (供其他模块复用) */
-  getBaseUrl() {
-    return this.baseUrl;
+  /**
+   * 令牌校验 → GET /seal/oauth2/introspect
+   * 暂不实现 — 保留接口签名，后续需要时再补充
+   */
+  async introspect(_token) {
+    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
   }
 };
 // src/auth/token-store.ts
 var import_promises = require("fs/promises");
-var import_node_fs2 = require("fs");
-var import_node_path2 = require("path");
+var import_node_fs = require("fs");
+var import_node_path = require("path");
 var import_node_crypto = require("crypto");
-var log18 = createLogger("auth/token-store");
+var log17 = createLogger("auth/token-store");
 var TokenStore = class {
   /** 存储目录路径 */
   storageDir;
@@ -19281,7 +19274,7 @@ var TokenStore = class {
   constructor(storageDir, crypto) {
     this.storageDir = storageDir;
     this.crypto = crypto;
-    log18.info("TokenStore initialized", { storageDir });
+    log17.info("TokenStore initialized", { storageDir });
   }
   /**
    * 确保存储目录存在并设置正确的权限。
@@ -19289,9 +19282,9 @@ var TokenStore = class {
    */
   async ensureDir() {
     if (this.dirEnsured) return;
-    if (!(0, import_node_fs2.existsSync)(this.storageDir)) {
+    if (!(0, import_node_fs.existsSync)(this.storageDir)) {
       await (0, import_promises.mkdir)(this.storageDir, { recursive: true, mode: 448 });
-      log18.debug("Storage directory created", { dir: this.storageDir });
+      log17.debug("Storage directory created", { dir: this.storageDir });
     }
     this.dirEnsured = true;
   }
@@ -19300,7 +19293,7 @@ var TokenStore = class {
    * @param key - 存储键名 (如 'token', 'credentials')
    */
   filePath(key) {
-    return (0, import_node_path2.join)(this.storageDir, `${key}.enc`);
+    return (0, import_node_path.join)(this.storageDir, `${key}.enc`);
   }
   /**
    * 保存 Token — 加密写入文件
@@ -19326,7 +19319,7 @@ var TokenStore = class {
     try {
       await (0, import_promises.writeFile)(tmpPath, storageJson, { mode: 384 });
       await (0, import_promises.rename)(tmpPath, targetPath);
-      log18.debug("Token saved", { key, path: targetPath });
+      log17.debug("Token saved", { key, path: targetPath });
     } catch (err) {
       try {
         await (0, import_promises.unlink)(tmpPath);
@@ -19348,8 +19341,8 @@ var TokenStore = class {
    */
   async load(key) {
     const filePath = this.filePath(key);
-    if (!(0, import_node_fs2.existsSync)(filePath)) {
-      log18.debug("Token file not found", { key, path: filePath });
+    if (!(0, import_node_fs.existsSync)(filePath)) {
+      log17.debug("Token file not found", { key, path: filePath });
       return null;
     }
     try {
@@ -19357,10 +19350,10 @@ var TokenStore = class {
       const storage = JSON.parse(raw);
       const json2 = await this.crypto.decrypt(storage.ciphertext, storage.keyId);
       const data = JSON.parse(json2);
-      log18.debug("Token loaded", { key, path: filePath });
+      log17.debug("Token loaded", { key, path: filePath });
       return data;
     } catch (err) {
-      log18.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
+      log17.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
         key,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -19376,7 +19369,7 @@ var TokenStore = class {
     const filePath = this.filePath(key);
     try {
       await (0, import_promises.unlink)(filePath);
-      log18.debug("Token file cleared", { key, path: filePath });
+      log17.debug("Token file cleared", { key, path: filePath });
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -19386,15 +19379,17 @@ var TokenStore = class {
 };
 // src/auth/token-manager.ts
-var log19 = createLogger("auth/token-manager");
+var log18 = createLogger("auth/token-manager");
 var DEFAULT_REFRESH_AHEAD_MS = 5 * 60 * 1e3;
 var MAX_RETRIES = 3;
 var RETRY_BASE_MS = 1e3;
 var TokenManager = class {
-  oauthClient;
+  sealClient;
   tokenStore;
   /** Token 过期前提前刷新的时间 (ms) */
   refreshAheadMs;
+  /** 自动注册的参数 */
+  autoRegisterParams;
   // ── 内存缓存 ──
   /** 内存中缓存的 access_token */
   cachedToken = null;
@@ -19408,10 +19403,11 @@ var TokenManager = class {
   /** 定时刷新器句柄 */
   refreshTimer = null;
   constructor(deps) {
-    this.oauthClient = deps.oauthClient;
+    this.sealClient = deps.sealClient;
     this.tokenStore = deps.tokenStore;
     this.refreshAheadMs = deps.refreshAheadMs ?? DEFAULT_REFRESH_AHEAD_MS;
-    log19.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
+    this.autoRegisterParams = deps.autoRegisterParams;
+    log18.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
   }
   // ── 核心方法 ──
   /**
@@ -19429,7 +19425,7 @@ var TokenManager = class {
       return this.cachedToken;
     }
     if (this.refreshLock) {
-      log19.debug("Waiting for concurrent token acquisition");
+      log18.debug("Waiting for concurrent token acquisition");
       return this.refreshLock;
     }
     this.refreshLock = this._acquireTokenWithRetry();
@@ -19439,6 +19435,13 @@ var TokenManager = class {
       this.refreshLock = null;
     }
   }
+  /**
+   * 令牌自省 — 暂不实现，后续补充。
+   * 返回的 identity_id 用于 gate.ts 的 anti-loop 检查 (bot 自己的 ID)。
+   */
+  async introspect() {
+    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
+  }
   /** 检查当前令牌是否包含指定的 scope */
   hasScope(scope) {
     if (!this.cachedScope) return false;
@@ -19455,13 +19458,13 @@ var TokenManager = class {
     this.cachedToken = null;
     this.cachedScope = null;
     this.currentTokenData = null;
-    log19.info("Token revoked and cleared");
+    log18.info("Token revoked and cleared");
   }
   /** 清理定时器和并发锁 — 优雅关闭时调用 */
   shutdown() {
     this.clearRefreshTimer();
     this.refreshLock = null;
-    log19.info("TokenManager shutdown");
+    log18.info("TokenManager shutdown");
   }
   // ── 内部方法 ──
   /**
@@ -19469,26 +19472,26 @@ var TokenManager = class {
    *
    * 重试策略:
    *   - 网络错误 / 5xx → 重试 (最多 3 次)
-   *   - 401/403 → 不重试 (凭证可能无效)
+   *   - 401/403 → 不重试 (client_secret 可能无效)
    */
   async _acquireTokenWithRetry() {
     for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
       try {
         return await this._acquireToken();
       } catch (err) {
-        if (err instanceof ApiError && (err.status === 401 || err.status === 403)) {
-          log19.error("Token acquire failed with auth error, not retrying", { status: err.status });
+        if (err instanceof SealApiError && (err.status === 401 || err.status === 403)) {
+          log18.error("Token acquire failed with auth error, not retrying", { status: err.status });
           throw err;
         }
         if (attempt === MAX_RETRIES) {
-          log19.error("Token acquire failed after all retries", { attempts: attempt + 1 });
+          log18.error("Token acquire failed after all retries", { attempts: attempt + 1 });
           throw new TokenAcquireError(
             `Token acquire failed after ${attempt + 1} attempts`,
             { cause: err instanceof Error ? err : void 0 }
           );
         }
         const delay = RETRY_BASE_MS * Math.pow(2, attempt);
-        log19.warn("Token acquire failed, retrying", {
+        log18.warn("Token acquire failed, retrying", {
           attempt: attempt + 1,
           maxRetries: MAX_RETRIES,
           retryInMs: delay,
@@ -19504,27 +19507,63 @@ var TokenManager = class {
    *
    * 流程:
    *   1. 尝试从 TokenStore 加载缓存
-   *   2. 调用 OAuthClient.getToken() 获取新 Token
-   *   3. 保存到内存缓存 + TokenStore
-   *   4. 设置定时刷新器
+   *   2. 检查是否需要注册客户端
+   *   3. 调用 SealClient.getToken() 获取新 Token
+   *   4. 保存到内存缓存 + TokenStore
+   *   5. 设置定时刷新器
    */
   async _acquireToken() {
     try {
       const stored = await this.tokenStore.load("token");
       if (stored && !this.isTokenHardExpired(stored)) {
-        log19.info("Token loaded from store (still valid)");
+        log18.info("Token loaded from store (still valid)");
         this.updateCache(stored);
         this.scheduleRefresh(stored);
         return stored.accessToken;
       }
       if (stored) {
-        log19.info("Stored token has expired, acquiring new one");
+        log18.info("Stored token has expired, acquiring new one");
       }
     } catch {
-      log19.warn("Failed to load token from store, acquiring new one");
+      log18.warn("Failed to load token from store, acquiring new one");
+    }
+    if (!this.sealClient.isRegistered()) {
+      try {
+        const savedCreds = await this.tokenStore.load("credentials");
+        if (savedCreds?.clientId && savedCreds?.clientSecret) {
+          this.sealClient.setCredentials(
+            savedCreds.clientId,
+            savedCreds.clientSecret
+          );
+          log18.info("Credentials loaded from store");
+        }
+      } catch {
+        log18.debug("No saved credentials found");
+      }
+    }
+    if (!this.sealClient.isRegistered()) {
+      if (!this.autoRegisterParams) {
+        throw new Error("SealClient not registered and autoRegisterParams not provided. Call setCredentials() or enable autoRegister.");
+      }
+      log18.info("Auto-registering OAuth client");
+      const registration = await this.sealClient.register({
+        clientName: this.autoRegisterParams.clientName,
+        scopes: this.autoRegisterParams.scopes,
+        tokenSettings: this.autoRegisterParams.tokenSettings ? {
+          accessTokenTtl: this.autoRegisterParams.tokenSettings.accessTokenTtl,
+          refreshTokenTtl: this.autoRegisterParams.tokenSettings.refreshTokenTtl,
+          accessTokenFormat: this.autoRegisterParams.tokenSettings.accessTokenFormat
+        } : void 0
+      });
+      await this.tokenStore.save("credentials", {
+        clientId: registration.clientId,
+        clientSecret: registration.clientSecret,
+        clientSecretExpiresAt: registration.clientSecretExpiresAt
+      });
+      log18.info("OAuth client registered and credentials saved");
     }
-    log19.info("Acquiring new access token via POST /auth/token");
-    const tokenData = await this.oauthClient.getToken();
+    log18.info("Acquiring new access token");
+    const tokenData = await this.sealClient.getToken();
     this.updateCache(tokenData);
     await this.tokenStore.save("token", tokenData);
     this.scheduleRefresh(tokenData);
@@ -19554,22 +19593,22 @@ var TokenManager = class {
     this.clearRefreshTimer();
     const refreshInMs = tokenData.expiresAt - this.refreshAheadMs - Date.now();
     if (refreshInMs <= 0) {
-      log19.debug("Token already within refresh window, not scheduling timer");
+      log18.debug("Token already within refresh window, not scheduling timer");
       return;
     }
-    log19.debug("Scheduling token refresh", {
+    log18.debug("Scheduling token refresh", {
       refreshInMs,
       refreshAt: new Date(Date.now() + refreshInMs).toISOString()
     });
     this.refreshTimer = setTimeout(async () => {
       try {
-        log19.info("Scheduled token refresh triggered");
+        log18.info("Scheduled token refresh triggered");
         this.cachedToken = null;
         this.currentTokenData = null;
         await this.getValidToken();
-        log19.info("Scheduled token refresh completed");
+        log18.info("Scheduled token refresh completed");
       } catch (err) {
-        log19.error("Scheduled token refresh failed", {
+        log18.error("Scheduled token refresh failed", {
           error: err instanceof Error ? err.message : String(err)
         });
       }
@@ -19597,13 +19636,13 @@ var wrapper_default = import_websocket.default;
 // src/transport/ws-client.ts
 var import_node_events = require("events");
-var log20 = createLogger("transport/ws-client");
+var log19 = createLogger("transport/ws-client");
 var WSClient = class extends import_node_events.EventEmitter {
   /** 底层 WebSocket 实例 */
   ws = null;
   constructor() {
     super();
-    log20.info("WSClient initialized");
+    log19.info("WSClient initialized");
   }
   /**
    * 连接到 WebSocket 服务器并绑定事件。
@@ -19619,11 +19658,11 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws = null;
     }
     const { url: url2, protocols, headers } = options;
-    log20.info("ws:connecting", { url: url2 });
+    log19.info("ws:connecting", { url: url2 });
     return new Promise((resolve2, reject) => {
       const ws = new wrapper_default(url2, protocols, { headers });
       ws.on("open", () => {
-        log20.info("ws:connected", { url: url2 });
+        log19.info("ws:connected", { url: url2 });
         this.emit("open");
         resolve2();
       });
@@ -19631,11 +19670,11 @@ var WSClient = class extends import_node_events.EventEmitter {
         this.emit("message", data);
       });
       ws.on("close", (code, reason) => {
-        log20.info("ws:closed", { code, reason: reason.toString() });
+        log19.info("ws:closed", { code, reason: reason.toString() });
         this.emit("close", code, reason.toString());
       });
       ws.on("error", (err) => {
-        log20.error("ws:error", { error: err.message });
+        log19.error("ws:error", { error: err.message });
         this.emit("error", err);
         if (this.ws !== ws) {
           reject(err);
@@ -19647,7 +19686,7 @@ var WSClient = class extends import_node_events.EventEmitter {
   /** 发送数据到服务器 — 前置检查连接状态 */
   send(data) {
     if (!this.ws || this.ws.readyState !== wrapper_default.OPEN) {
-      log20.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
+      log19.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
       return;
     }
     this.ws.send(data);
@@ -19658,7 +19697,7 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws.removeAllListeners();
       this.ws.close(code, reason);
       this.ws = null;
-      log20.info("ws:close requested", { code, reason });
+      log19.info("ws:close requested", { code, reason });
     }
   }
   /** 当前连接状态 (0=CONNECTING, 1=OPEN, 2=CLOSING, 3=CLOSED) */
@@ -19668,7 +19707,7 @@ var WSClient = class extends import_node_events.EventEmitter {
 };
 // src/transport/dedup.ts
-var log21 = createLogger("transport/dedup");
+var log20 = createLogger("transport/dedup");
 var MessageDedup = class {
   /** 去重缓存生存时间 (ms) */
   ttlMs;
@@ -19679,7 +19718,7 @@ var MessageDedup = class {
   constructor(config2) {
     this.ttlMs = config2?.ttlMs ?? 3e5;
     this.maxEntries = config2?.maxEntries ?? 5e3;
-    log21.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
+    log20.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
   }
   /**
    * 检查消息是否重复。
@@ -19715,7 +19754,7 @@ var MessageDedup = class {
 // src/transport/message-pipe.ts
 var import_node_crypto2 = require("crypto");
-var log22 = createLogger("transport/message-pipe");
+var log21 = createLogger("transport/message-pipe");
 var MessagePipe = class {
   wsClient;
   dedup;
@@ -19734,15 +19773,15 @@ var MessagePipe = class {
     this.messageServiceBaseUrl = deps.messageServiceBaseUrl;
     this.wsClient.on("message", (rawData) => {
       this.handleInbound(rawData).catch((err) => {
-        log22.error("inbound:error", { step: "handleInbound", error: err.message });
+        log21.error("inbound:error", { step: "handleInbound", error: err.message });
       });
     });
-    log22.info("MessagePipe initialized");
+    log21.info("MessagePipe initialized");
   }
   /** 注册入站消息回调 — 解密后的消息会通过此回调传给 L4 层 */
   onMessage(callback) {
     this.messageCallback = callback;
-    log22.info("Inbound message callback registered");
+    log21.info("Inbound message callback registered");
   }
   /**
    * 出站发送 — 通过 HTTP API 发送消息到 IM 服务器。
@@ -19762,7 +19801,7 @@ var MessagePipe = class {
     }
     const result = await this.callMessageApi("/messages/v1/send", body, "outbound");
     if (!result) return;
-    log22.info("outbound:sent", {
+    log21.info("outbound:sent", {
       chatId: msg.chatId,
       senderId: msg.senderId,
       msgType: msg.msgType,
@@ -19786,7 +19825,7 @@ var MessagePipe = class {
     };
     const result = await this.callMessageApi("/messages/v1/recall", body, "recall");
     if (!result) return;
-    log22.info("recall:sent", {
+    log21.info("recall:sent", {
       messageId: params.messageId,
       requestId: result.request_id
     });
@@ -19813,7 +19852,7 @@ var MessagePipe = class {
         body: JSON.stringify(body)
       });
       if (!resp.ok) {
-        log22.error(`${logTag}:http-error`, {
+        log21.error(`${logTag}:http-error`, {
           status: resp.status,
           statusText: resp.statusText,
           url: url2
@@ -19822,7 +19861,7 @@ var MessagePipe = class {
       }
       const result = await resp.json();
       if (result.code !== 0) {
-        log22.error(`${logTag}:api-error`, {
+        log21.error(`${logTag}:api-error`, {
           code: result.code,
           msg: result.msg,
           requestId: result.request_id
@@ -19831,7 +19870,7 @@ var MessagePipe = class {
       }
       return result;
     } catch (err) {
-      log22.error(`${logTag}:network-error`, {
+      log21.error(`${logTag}:network-error`, {
         url: url2,
         error: err.message
       });
@@ -19853,7 +19892,7 @@ var MessagePipe = class {
     try {
       frame = JSON.parse(String(rawData));
     } catch (err) {
-      log22.warn("inbound:json-parse-error", { error: err.message });
+      log21.warn("inbound:json-parse-error", { error: err.message });
       return;
     }
     const timestamp = frame["X-CTQ-Timestamp"];
@@ -19864,7 +19903,7 @@ var MessagePipe = class {
       const signatureInput = timestamp + nonce + frame.data;
       const expected = (0, import_node_crypto2.createHmac)("sha256", token).update(signatureInput).digest("hex");
       if (expected !== signature) {
-        log22.warn("inbound:signature-fail", { timestamp, nonce });
+        log21.warn("inbound:signature-fail", { timestamp, nonce });
         return;
       }
     }
@@ -19878,37 +19917,30 @@ var MessagePipe = class {
     try {
       callbackData = JSON.parse(dataStr);
     } catch (err) {
-      log22.warn("inbound:data-parse-error", { error: err.message });
+      log21.warn("inbound:data-parse-error", { error: err.message });
       return;
     }
-    if (callbackData.eventType !== "callback:direct") {
-      log22.debug("inbound:event-ignored", { eventType: callbackData.eventType });
+    if (callbackData.eventType !== "MessageReceived") {
+      log21.debug("inbound:event-ignored", { eventType: callbackData.eventType });
       return;
     }
-    const msg = {
-      messageId: callbackData.msgUid,
-      chatId: callbackData.groupId || callbackData.userId,
-      senderId: callbackData.userId,
-      msgType: callbackData.type,
-      content: JSON.stringify(callbackData.content),
-      timestamp: Date.now()
-    };
-    log22.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
+    const msg = callbackData.content;
+    log21.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
-      log22.debug("inbound:dedup-hit", { messageId: msg.messageId });
+      log21.debug("inbound:dedup-hit", { messageId: msg.messageId });
       return;
     }
-    log22.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
+    log21.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
     if (this.messageCallback) {
       this.messageCallback(msg);
     } else {
-      log22.warn("inbound:no-callback", { messageId: msg.messageId });
+      log21.warn("inbound:no-callback", { messageId: msg.messageId });
     }
   }
 };
 // src/transport/connection-manager.ts
-var log23 = createLogger("transport/connection-manager");
+var log22 = createLogger("transport/connection-manager");
 function sleep2(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
@@ -19938,7 +19970,7 @@ var ConnectionManager = class {
       reconnectMaxMs: options?.reconnectMaxMs ?? 6e4,
       maxReconnectAttempts: options?.maxReconnectAttempts ?? 10
     };
-    log23.info("ConnectionManager initialized", this.options);
+    log22.info("ConnectionManager initialized", this.options);
   }
   /**
    * 启动连接 — 连接 WS + 开始心跳 + 注册重连逻辑
@@ -19953,33 +19985,29 @@ var ConnectionManager = class {
     this.running = true;
     this.reconnectAttempts = 0;
     const token = await tokenFn();
-    const wsUrl = url2.replace(/\/+$/, "") + "/events/stream";
     await this.client.connect({
-      url: wsUrl,
+      url: url2,
       token,
-      headers: {
-        "Authorization": token,
-        ...this.appId ? { "X-App-ID": this.appId } : {}
-      }
+      headers: this.appId ? { "X-App-ID": this.appId } : void 0
     });
     this.client.on("close", () => {
       if (this.running) {
-        log23.warn("ws:disconnected, scheduling reconnect");
+        log22.warn("ws:disconnected, scheduling reconnect");
         this.scheduleReconnect();
       }
     });
     this.client.on("error", (err) => {
-      log23.error("ws:connection-error", { error: err.message });
+      log22.error("ws:connection-error", { error: err.message });
     });
     this.startHeartbeat();
-    log23.info("ConnectionManager started \u2713", { url: url2 });
+    log22.info("ConnectionManager started \u2713", { url: url2 });
   }
   /** 启动心跳保活 — 定时检查连接状态 */
   startHeartbeat() {
     this.stopHeartbeat();
     this.heartbeatTimer = setInterval(() => {
       if (this.client.readyState !== wrapper_default.OPEN) {
-        log23.warn("heartbeat: connection not open, scheduling reconnect");
+        log22.warn("heartbeat: connection not open, scheduling reconnect");
         this.scheduleReconnect();
       }
     }, this.options.heartbeatIntervalMs);
@@ -20007,34 +20035,30 @@ var ConnectionManager = class {
         this.options.reconnectBaseMs * 2 ** this.reconnectAttempts,
         this.options.reconnectMaxMs
       );
-      log23.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
+      log22.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
       await sleep2(delay);
       if (!this.running) return;
       this.reconnectAttempts++;
       try {
         const token = await this.tokenFn();
-        const wsUrl = this.url.replace(/\/+$/, "") + "/events/stream";
         await this.client.connect({
-          url: wsUrl,
+          url: this.url,
           token,
-          headers: {
-            "Authorization": token,
-            ...this.appId ? { "X-App-ID": this.appId } : {}
-          }
+          headers: this.appId ? { "X-App-ID": this.appId } : void 0
         });
         this.reconnectAttempts = 0;
         this.startHeartbeat();
-        log23.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
+        log22.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
         return;
       } catch (err) {
-        log23.warn("ws:reconnect-failed", {
+        log22.warn("ws:reconnect-failed", {
           attempt: this.reconnectAttempts,
           error: err.message
         });
       }
     }
     if (this.running) {
-      log23.error("ws:max-reconnect-reached", {
+      log22.error("ws:max-reconnect-reached", {
         maxAttempts: this.options.maxReconnectAttempts
       });
     }
@@ -20044,7 +20068,7 @@ var ConnectionManager = class {
     this.running = false;
     this.stopHeartbeat();
     this.client.close(1e3, "shutdown");
-    log23.info("ConnectionManager stopped");
+    log22.info("ConnectionManager stopped");
   }
   /** 当前是否已连接 (WebSocket readyState === OPEN) */
   get isConnected() {
@@ -20053,7 +20077,7 @@ var ConnectionManager = class {
 };
 // src/push/cockatoo-client.ts
-var log24 = createLogger("push/cockatoo-client");
+var log23 = createLogger("push/cockatoo-client");
 var DEFAULT_TIMEOUT_MS2 = 3e4;
 var CockatooPushError = class extends Error {
   constructor(status, body, endpoint) {
@@ -20087,7 +20111,7 @@ var CockatooClient = class {
     const base = config2.endpoint.replace(/\/+$/, "");
     this.pushUrl = `${base}/api/v1/push`;
     this.healthUrl = `${base}/health`;
-    log24.info("CockatooClient initialized", { endpoint: config2.endpoint });
+    log23.info("CockatooClient initialized", { endpoint: config2.endpoint });
   }
   /**
    * 推送消息到 Cockatoo 服务。
@@ -20118,7 +20142,7 @@ var CockatooClient = class {
       }
       throw new CockatooPushError(resp.status, body, this.pushUrl);
     }
-    log24.debug("push:sent", { type: payload.type });
+    log23.debug("push:sent", { type: payload.type });
   }
   /**
    * 执行一次健康检查。
@@ -20136,11 +20160,11 @@ var CockatooClient = class {
       });
       const isHealthy = resp.ok;
       if (!isHealthy) {
-        log24.warn("health-check:unhealthy", { status: resp.status });
+        log23.warn("health-check:unhealthy", { status: resp.status });
       }
       return isHealthy;
     } catch (err) {
-      log24.warn("health-check:error", { error: err.message });
+      log23.warn("health-check:error", { error: err.message });
       return false;
     }
   }
@@ -20152,7 +20176,7 @@ var CockatooClient = class {
         this.healthy = await this.healthCheck();
       } catch {
         this.healthy = false;
-        log24.warn("Cockatoo health check failed");
+        log23.warn("Cockatoo health check failed");
       }
     }, this.config.healthCheckIntervalMs ?? 6e4);
     if (typeof this.healthCheckTimer === "object" && "unref" in this.healthCheckTimer) {
@@ -20173,7 +20197,7 @@ var CockatooClient = class {
 };
 // src/push/push-queue.ts
-var log25 = createLogger("push/push-queue");
+var log24 = createLogger("push/push-queue");
 var RETRY_BASE_MS2 = 1e3;
 var PushQueue = class {
   client;
@@ -20215,7 +20239,7 @@ var PushQueue = class {
     this.unhealthyRetryMs = config2?.unhealthyRetryMs ?? 5e3;
     this.drainOnStop = config2?.drainOnStop ?? false;
     this.drainTimeoutMs = config2?.drainTimeoutMs ?? 5e3;
-    log25.info("PushQueue initialized", {
+    log24.info("PushQueue initialized", {
       maxSize: this.maxSize,
       retryAttempts: this.retryAttempts,
       processIntervalMs: this.processIntervalMs
@@ -20226,7 +20250,7 @@ var PushQueue = class {
   start() {
     if (this.running) return;
     this.running = true;
-    log25.info("PushQueue started");
+    log24.info("PushQueue started");
     this.scheduleNext(0);
   }
   /**
@@ -20240,10 +20264,10 @@ var PushQueue = class {
     this.running = false;
     this.clearTimer();
     if (this.drainOnStop && this.queue.length > 0) {
-      log25.info("PushQueue draining", { remaining: this.queue.length });
+      log24.info("PushQueue draining", { remaining: this.queue.length });
       await this.drain();
     }
-    log25.info("PushQueue stopped", {
+    log24.info("PushQueue stopped", {
       remaining: this.queue.length,
       sent: this.sentCount,
       dropped: this.droppedCount,
@@ -20258,13 +20282,13 @@ var PushQueue = class {
     if (this.queue.length >= this.maxSize) {
       const dropped = this.queue.shift();
       this.droppedCount++;
-      log25.warn("queue:full, dropping oldest", {
+      log24.warn("queue:full, dropping oldest", {
         droppedType: dropped?.payload.type,
         queueSize: this.queue.length
       });
     }
     this.queue.push({ payload, retries: 0, eligibleAt: 0 });
-    log25.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
+    log24.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
   }
   /** 当前队列长度 */
   get size() {
@@ -20289,7 +20313,7 @@ var PushQueue = class {
     this.clearTimer();
     this.processTimer = setTimeout(() => {
       this.tick().catch((err) => {
-        log25.error("tick:unexpected-error", { error: err.message });
+        log24.error("tick:unexpected-error", { error: err.message });
         if (this.running) {
           this.scheduleNext(this.idleIntervalMs);
         }
@@ -20311,7 +20335,7 @@ var PushQueue = class {
   async tick() {
     if (!this.running) return;
     if (!this.client.isHealthy) {
-      log25.debug("tick:service-unhealthy, pausing");
+      log24.debug("tick:service-unhealthy, pausing");
       this.scheduleNext(this.unhealthyRetryMs);
       return;
     }
@@ -20331,7 +20355,7 @@ var PushQueue = class {
     try {
       await this.processItem(item);
     } catch (err) {
-      log25.error("tick:process-unexpected", { error: err.message });
+      log24.error("tick:process-unexpected", { error: err.message });
     } finally {
       this.processing = false;
     }
@@ -20350,14 +20374,14 @@ var PushQueue = class {
     try {
       await this.client.push(item.payload);
       this.sentCount++;
-      log25.debug("push:success", {
+      log24.debug("push:success", {
         type: item.payload.type,
         retries: item.retries
       });
     } catch (err) {
       if (err instanceof CockatooPushError && err.isClientError) {
         this.droppedCount++;
-        log25.warn("push:4xx-dropped", {
+        log24.warn("push:4xx-dropped", {
           type: item.payload.type,
           status: err.status,
           retries: item.retries
@@ -20366,7 +20390,7 @@ var PushQueue = class {
       }
       if (item.retries >= this.retryAttempts) {
         this.droppedCount++;
-        log25.error("push:max-retries-dropped", {
+        log24.error("push:max-retries-dropped", {
           type: item.payload.type,
           retries: item.retries,
           error: err.message
@@ -20379,7 +20403,7 @@ var PushQueue = class {
       item.eligibleAt = Date.now() + backoffMs;
       this.queue.push(item);
       const errorDetail = err instanceof CockatooPushError ? `HTTP ${err.status}` : err.message;
-      log25.warn("push:retry-enqueued", {
+      log24.warn("push:retry-enqueued", {
         type: item.payload.type,
         retries: item.retries,
         backoffMs,
@@ -20403,22 +20427,22 @@ var PushQueue = class {
       try {
         await this.client.push(item.payload);
         this.sentCount++;
-        log25.debug("drain:sent", { type: item.payload.type });
+        log24.debug("drain:sent", { type: item.payload.type });
       } catch (err) {
         this.droppedCount++;
-        log25.warn("drain:dropped", {
+        log24.warn("drain:dropped", {
           type: item.payload.type,
           error: err.message
         });
       }
     }
     if (this.queue.length > 0) {
-      log25.warn("drain:timeout", {
+      log24.warn("drain:timeout", {
         remaining: this.queue.length,
         timeoutMs: this.drainTimeoutMs
       });
     } else {
-      log25.info("drain:complete");
+      log24.info("drain:complete");
     }
   }
   // ── 内部工具 ──
@@ -20432,32 +20456,43 @@ var PushQueue = class {
 };
 // src/index.ts
-var log26 = createLogger("plugin");
+var log25 = createLogger("plugin");
 async function startPlugin(accountConfig, internalOverrides) {
   const config2 = buildPluginConfig(accountConfig, internalOverrides);
-  log26.info("Config built \u2713", { pluginId: config2.pluginId });
+  log25.info("Config built \u2713", { pluginId: config2.pluginId });
   let cryptoEngine;
   if (config2.crypto.enabled) {
-    cryptoEngine = new CryptoEngine({ credentials: accountConfig });
+    cryptoEngine = new CryptoEngine();
     await cryptoEngine.init();
-    log26.info("Crypto initialized \u2713");
+    log25.info("Crypto initialized \u2713");
   } else {
     cryptoEngine = CryptoEngine.createPassthrough();
-    log26.info("Crypto passthrough mode \u2713 (disabled by config)");
-  }
-  const oauthClient = new OAuthClient({
-    baseUrl: config2.auth.serverUrl,
-    appId: accountConfig.appId,
-    appSecret: accountConfig.appSecret
+    log25.info("Crypto passthrough mode \u2713 (disabled by config)");
+  }
+  const sealClient = new SealClient({
+    serverUrl: config2.auth.serverUrl,
+    clientName: config2.auth.clientName,
+    clientId: config2.auth.clientId,
+    clientSecret: config2.auth.clientSecret,
+    scopes: config2.auth.scopes
   });
-  const tokenStorePath = (0, import_node_path3.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
+  const tokenStorePath = (0, import_node_path2.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
   const tokenStore = new TokenStore(tokenStorePath, cryptoEngine);
   const tokenManager = new TokenManager({
-    oauthClient,
+    sealClient,
     tokenStore,
-    refreshAheadMs: config2.auth.refreshAheadMs
+    refreshAheadMs: config2.auth.refreshAheadMs,
+    autoRegisterParams: config2.auth.autoRegister ? {
+      clientName: config2.auth.clientName,
+      scopes: config2.auth.scopes,
+      tokenSettings: config2.auth.tokenSettings ? {
+        accessTokenTtl: config2.auth.tokenSettings.accessTokenTtl,
+        refreshTokenTtl: config2.auth.tokenSettings.refreshTokenTtl,
+        accessTokenFormat: config2.auth.tokenSettings.accessTokenFormat
+      } : void 0
+    } : void 0
   });
-  log26.info("Auth initialized \u2713");
+  log25.info("Auth initialized \u2713");
   let pushQueue = null;
   let cockatooClient = null;
   if (config2.push?.enabled) {
@@ -20472,7 +20507,7 @@ async function startPlugin(accountConfig, internalOverrides) {
     });
     cockatooClient.startHealthCheck();
     pushQueue.start();
-    log26.info("Push initialized \u2713");
+    log25.info("Push initialized \u2713");
   }
   const wsClient = new WSClient();
   const dedup = new MessageDedup(config2.transport.dedup);
@@ -20490,8 +20525,8 @@ async function startPlugin(accountConfig, internalOverrides) {
     reconnectMaxMs: config2.transport.reconnectMaxMs,
     maxReconnectAttempts: config2.transport.maxReconnectAttempts
   });
-  log26.info("Transport initialized \u2713");
-  log26.info("Plugin started \u2713");
+  log25.info("Transport initialized \u2713");
+  log25.info("Plugin started \u2713");
   return {
     config: config2,
     messagePipe,
@@ -20499,22 +20534,22 @@ async function startPlugin(accountConfig, internalOverrides) {
     tokenManager,
     pushQueue,
     shutdown: async () => {
-      log26.info("Shutting down...");
+      log25.info("Shutting down...");
       await connectionManager.stop();
       if (pushQueue) await pushQueue.stop();
       if (cockatooClient) cockatooClient.stopHealthCheck();
       tokenManager.shutdown();
-      log26.info("Shutdown complete \u2713");
+      log25.info("Shutdown complete \u2713");
     }
   };
 }
 var plugin = {
-  id: CHANNEL_ID,
+  id: PLUGIN_ID,
   name: "\u91CF\u5B50\u5BC6\u4FE1",
   description: "Quantum-encrypted IM channel plugin",
   register(api) {
     api.registerChannel({ plugin: quantumImPlugin });
-    log26.info("plugin registered \u2713");
+    log25.info("plugin registered \u2713");
   }
 };
 var index_default = plugin;