npm - liangzimixin - Versions diffs - 0.3.1 → 0.3.3 - Mend

liangzimixin 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.cjs CHANGED Viewed

@@ -2233,7 +2233,7 @@ var require_websocket = __commonJS({
     var http = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes: randomBytes2, createHash } = require("crypto");
+    var { randomBytes: randomBytes3, createHash } = require("crypto");
     var { Duplex, Readable } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -2763,7 +2763,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes2(16).toString("base64");
+      const key = randomBytes3(16).toString("base64");
       const request = isSecure ? https.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -17483,10 +17483,7 @@ var DEFAULT_INTERNAL_CONFIG = {
     }
   },
   auth: {
-    serverUrl: process.env.LZMX_AUTH_URL || "https://seal.example.com",
-    clientName: "liangzimixin",
-    scopes: ["openid", "im_sdk", "data_operate", "offline_access"],
-    autoRegister: true,
+    serverUrl: process.env.LZMX_AUTH_URL || "https://imtwo.zdxlz.com/open-apis/v1",
     refreshAheadMs: 3e5
   },
   crypto: {
@@ -18812,54 +18809,104 @@ var quantumImPlugin = {
   }
 };
-// src/crypto/quantun-plug-adapter.ts
-var import_node_module = require("module");
-var import_meta = {};
-var log14 = createLogger("crypto/quantun-plug-adapter");
-var SM4_MODE = {
-  ECB_NOPADDING: 1,
-  ECB_PKCS7PADDING: 2,
-  CBC_NOPADDING: 3,
-  CBC_PKCS7PADDING: 4
+// src/crypto/quantun-plug-mock.ts
+var import_node_crypto = require("crypto");
+var log14 = createLogger("crypto/quantun-plug-mock");
+var MOCK_KEY = Buffer.alloc(32, 0);
+MOCK_KEY.write("quantum-mock-key-2026", 0);
+var MOCK_KEY_ID = "mock-key-v1";
+var initialized = false;
+var quantunPlugMock = {
+  /**
+   * 初始化 Mock SDK
+   * 幂等操作 — 重复调用不会报错
+   */
+  async init() {
+    if (initialized) return;
+    initialized = true;
+    log14.warn("\u26A0\uFE0F MOCK MODE \u2014 \u4F7F\u7528 AES-256-GCM \u6A21\u62DF\u91CF\u5B50\u52A0\u5BC6");
+  },
+  /**
+   * 加密明文 → 密文 + 密钥标识
+   *
+   * 内部流程:
+   *   1. 生成 12 字节随机 IV (确保每次加密结果不同)
+   *   2. AES-256-GCM 加密明文
+   *   3. 获取 16 字节 AuthTag (认证标签,防篡改)
+   *   4. 拼接 [IV(12) | Tag(16) | Ciphertext] → Base64 编码
+   */
+  async encrypt(plaintext, mode) {
+    if (!initialized) {
+      throw new Error("quantunPlug not initialized \u2014 call init() first");
+    }
+    const iv = (0, import_node_crypto.randomBytes)(12);
+    const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", MOCK_KEY, iv);
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf-8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    const combined = Buffer.concat([iv, tag, encrypted]);
+    return {
+      ciphertext: combined.toString("base64"),
+      keyId: MOCK_KEY_ID
+    };
+  },
+  /**
+   * 解密密文 → 明文
+   *
+   * 内部流程:
+   *   1. Base64 解码
+   *   2. 拆分 IV(12) + Tag(16) + Ciphertext
+   *   3. AES-256-GCM 解密 + AuthTag 验证
+   *   4. 返回 UTF-8 明文
+   *
+   * @throws AuthTag 验证失败时抛出异常 (数据被篡改)
+   */
+  async decrypt(ciphertext, keyId, mode) {
+    if (!initialized) {
+      throw new Error("quantunPlug not initialized \u2014 call init() first");
+    }
+    const combined = Buffer.from(ciphertext, "base64");
+    const iv = combined.subarray(0, 12);
+    const tag = combined.subarray(12, 28);
+    const encrypted = combined.subarray(28);
+    const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", MOCK_KEY, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final()
+      // 此处 Tag 验证失败会抛出异常
+    ]);
+    return {
+      plaintext: decrypted.toString("utf-8")
+    };
+  }
 };
-var DEFAULT_ENCRYPT_MODE = SM4_MODE.CBC_PKCS7PADDING;
-var require2 = (0, import_node_module.createRequire)(import_meta.url);
-var quantunPlug = null;
-try {
-  quantunPlug = require2("./sdk/index.min.cjs");
-  log14.info("Quantum SDK loaded from sdk/index.min.cjs");
-} catch (err) {
-  const msg = err instanceof Error ? err.message : String(err);
-  log14.warn("Quantum SDK missing, only passthrough mode will work:", msg);
-}
-var quantun_plug_adapter_default = quantunPlug;
+var quantun_plug_mock_default = quantunPlugMock;
 // src/crypto/crypto-engine.ts
 var log15 = createLogger("crypto/crypto-engine");
 var PASSTHROUGH_KEY_ID = "passthrough";
-var FILE_CHUNK_SIZE = 10 * 1024 * 1024;
-var FILE_DECRYPT_CHUNK_SIZE = FILE_CHUNK_SIZE + 16;
 var CryptoEngine = class _CryptoEngine {
-  /** 底层量子加密 SDK 实例, 透传模式下为 null */
+  /** 底层量子加密 SDK 实例 (Mock 或真实), 透传模式下为 null */
   plug;
   /** SDK 是否已完成初始化 */
-  initialized;
+  initialized = false;
   /** 是否为透传模式 (不加密, 明文直接透传) */
   passthrough;
   /**
-   * 构造加密引擎
+   * 构造加密引擎 (加密模式)
    *
-   * @param passthrough - true 为透传模式 (不加密); false 为加密模式 (默认)
+   * 当前默认使用 Mock SDK。
+   * 待真实 SDK 交付后，此处替换为 require('./quantunPlug.ejs')。
    *
-   * 请使用静态工厂方法:
-   *   - new CryptoEngine()          → 加密模式, 使用量子 SDK
-   *   - CryptoEngine.createPassthrough() → 透传模式, 无需 init()
+   * 如需透传模式，请使用静态方法 CryptoEngine.createPassthrough()。
    */
-  constructor(passthrough = false) {
-    this.passthrough = passthrough;
-    this.plug = passthrough ? null : quantun_plug_adapter_default;
-    this.initialized = passthrough;
-    log15.info(`CryptoEngine created (${passthrough ? "passthrough mode \u2014 crypto disabled" : "quantum SDK mode"})`);
+  constructor() {
+    this.plug = quantun_plug_mock_default;
+    this.passthrough = false;
+    log15.info("CryptoEngine created (mock mode)");
   }
   /**
    * 创建透传模式的加密引擎 (静态工厂方法)
@@ -18873,12 +18920,17 @@ var CryptoEngine = class _CryptoEngine {
    * 上层模块 (TokenStore, MessagePipe) 无需感知加密是否开启。
    */
   static createPassthrough() {
-    return new _CryptoEngine(true);
+    const instance = Object.create(_CryptoEngine.prototype);
+    instance.plug = null;
+    instance.passthrough = true;
+    instance.initialized = true;
+    log15.info("CryptoEngine created (passthrough mode \u2014 crypto disabled)");
+    return instance;
   }
   /**
    * 初始化加密引擎
    *
-   * 加密模式: 调用 SDK 的 init() 方法完成密服入网、密钥协商等初始化操作。
+   * 加密模式: 调用 SDK 的 init() 方法完成密钥协商等初始化操作。
    * 透传模式: 空操作 (already initialized)。
    * 幂等操作 — 重复调用安全。
    */
@@ -18888,9 +18940,6 @@ var CryptoEngine = class _CryptoEngine {
       this.initialized = true;
       return;
     }
-    if (!this.plug) {
-      throw new Error("Quantum encryption SDK is missing. Cannot initialize in encryption mode (check dist/index.min.cjs).");
-    }
     await this.plug.init();
     this.initialized = true;
     log15.info("CryptoEngine initialized \u2713");
@@ -18898,24 +18947,22 @@ var CryptoEngine = class _CryptoEngine {
   /**
    * 加密明文
    *
-   * 加密模式: 调用底层 SDK 加密 (SM4_CBC_PKCS7PADDING), 返回密文 + keyId
+   * 加密模式: 调用底层 SDK 加密, 返回 Base64 密文 + keyId
    * 透传模式: 直接返回明文作为 "密文", keyId = 'passthrough'
    *
-   * 注意: SDK 返回驼峰 cipherText, 此方法对外统一为小写 ciphertext
-   *
    * @param plaintext - 要加密的明文字符串
    * @returns { ciphertext: 密文字符串, keyId: 密钥标识 }
    * @throws 加密模式下未初始化时抛出错误
    */
   async encrypt(plaintext) {
+    this.ensureInitialized();
     if (this.passthrough) {
       log15.debug("Encrypt (passthrough)", { length: plaintext.length });
       return { ciphertext: plaintext, keyId: PASSTHROUGH_KEY_ID };
     }
-    const plug = this.requirePlug();
-    const result = await plug.encrypt(plaintext, DEFAULT_ENCRYPT_MODE);
+    const result = await this.plug.encrypt(plaintext, 1);
     log15.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
-    return { ciphertext: result.cipherText, keyId: result.keyId };
+    return result;
   }
   /**
    * 解密密文
@@ -18929,100 +18976,14 @@ var CryptoEngine = class _CryptoEngine {
    * @throws 加密模式下未初始化、密文损坏或 keyId 不匹配时抛出错误
    */
   async decrypt(ciphertext, keyId) {
+    this.ensureInitialized();
     if (this.passthrough) {
       log15.debug("Decrypt (passthrough)", { keyId });
       return ciphertext;
     }
-    const plug = this.requirePlug();
-    const result = await plug.decrypt(ciphertext, keyId, DEFAULT_ENCRYPT_MODE);
+    const result = await this.plug.decrypt(ciphertext, keyId, 1);
     log15.debug("Decrypted", { keyId });
-    return result.plainText;
-  }
-  /**
-   * 加密文件数据
-   *
-   * 自动处理 10MB 分片编排:
-   *   - ≤10MB: 单次调用 SDK encryptFile
-   *   - >10MB: 按 10MB 分片, 首片无需传密钥参数, 后续片传入前一片返回的 { keyId, sessionKey, fillKey }
-   *
-   * 透传模式: 直接返回原数据
-   *
-   * @param fileData - 文件数据 Buffer
-   * @returns { fileBuffer: 加密后的文件 Buffer, keyId: 密钥标识 }
-   */
-  async encryptFile(fileData) {
-    if (this.passthrough) {
-      log15.debug("EncryptFile (passthrough)", { size: fileData.length });
-      return { fileBuffer: fileData, keyId: PASSTHROUGH_KEY_ID };
-    }
-    if (fileData.length === 0) {
-      return { fileBuffer: Buffer.alloc(0), keyId: PASSTHROUGH_KEY_ID };
-    }
-    const chunks = [];
-    const total = Math.ceil(fileData.length / FILE_CHUNK_SIZE);
-    let keyId;
-    let sessionKey;
-    let fillKey;
-    const plug = this.requirePlug();
-    log15.debug("EncryptFile", { size: fileData.length, chunks: total });
-    for (let i = 0; i < total; i++) {
-      const start = i * FILE_CHUNK_SIZE;
-      const end = Math.min(start + FILE_CHUNK_SIZE, fileData.length);
-      const chunk = fileData.subarray(start, end);
-      const result = await plug.encryptFile(chunk, DEFAULT_ENCRYPT_MODE, {
-        keyId,
-        sessionKey,
-        fillKey
-      });
-      chunks.push(result.fileBuffer);
-      keyId = result.keyId;
-      sessionKey = result.sessionKey;
-      fillKey = result.fillKey;
-    }
-    log15.debug("EncryptFile done", { keyId, chunks: total });
-    return { fileBuffer: Buffer.concat(chunks), keyId: keyId ?? "" };
-  }
-  /**
-   * 解密文件数据
-   *
-   * 自动处理 (10MB + 16) 分片编排:
-   *   - ≤(10MB+16): 单次调用 SDK decryptFile
-   *   - >(10MB+16): 按 (10MB+16) 分片, 首片传 keyId, 后续片传入前一片返回的 { sessionKey, fillKey }
-   *
-   * 透传模式: 直接返回原数据
-   *
-   * @param fileData - 加密后的文件 Buffer
-   * @param keyId    - 加密时返回的密钥标识
-   * @returns 解密后的文件 Buffer
-   */
-  async decryptFile(fileData, keyId) {
-    if (this.passthrough) {
-      log15.debug("DecryptFile (passthrough)", { keyId });
-      return fileData;
-    }
-    if (fileData.length === 0) {
-      return Buffer.alloc(0);
-    }
-    const plug = this.requirePlug();
-    const chunks = [];
-    const total = Math.ceil(fileData.length / FILE_DECRYPT_CHUNK_SIZE);
-    let sessionKey;
-    let fillKey;
-    log15.debug("DecryptFile", { size: fileData.length, chunks: total, keyId });
-    for (let i = 0; i < total; i++) {
-      const start = i * FILE_DECRYPT_CHUNK_SIZE;
-      const end = Math.min(start + FILE_DECRYPT_CHUNK_SIZE, fileData.length);
-      const chunk = fileData.subarray(start, end);
-      const result = await plug.decryptFile(chunk, keyId, DEFAULT_ENCRYPT_MODE, {
-        sessionKey,
-        fillKey
-      });
-      chunks.push(result.fileBuffer);
-      sessionKey = result.sessionKey;
-      fillKey = result.fillKey;
-    }
-    log15.debug("DecryptFile done", { keyId, chunks: total });
-    return Buffer.concat(chunks);
+    return result.plaintext;
   }
   /**
    * 查询当前是否为透传模式
@@ -19032,26 +18993,25 @@ var CryptoEngine = class _CryptoEngine {
     return this.passthrough;
   }
   /**
-   * 确保引擎已初始化，同时返回非空 plug 实例
-   * （通过 init() 守卫保证：加密模式下 init() 成功后 plug 一定非 null）
+   * 确保引擎已初始化
+   * 未初始化时抛出明确错误，避免难以排查的 SDK 内部异常
    */
-  requirePlug() {
+  ensureInitialized() {
     if (!this.initialized) {
       throw new Error("CryptoEngine not initialized \u2014 call init() first");
     }
-    return this.plug;
   }
 };
 // src/auth/oauth-client.ts
 var log16 = createLogger("auth/oauth-client");
-var SealApiError = class extends Error {
+var ApiError = class extends Error {
   constructor(status, body, endpoint) {
-    super(`Seal API error: ${status} on ${endpoint}`);
+    super(`API error: ${status} on ${endpoint}`);
     this.status = status;
     this.body = body;
     this.endpoint = endpoint;
-    this.name = "SealApiError";
+    this.name = "ApiError";
   }
 };
 var TokenAcquireError = class extends Error {
@@ -19068,28 +19028,21 @@ function sleep(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 var DEFAULT_TIMEOUT_MS = 3e4;
-var SealClient = class {
+var GRANT_TYPE = "client_credentials";
+var SCOPE = "client_credentials refresh_token";
+var OAuthClient = class {
   baseUrl;
-  clientId;
-  clientSecret;
-  clientName;
-  scopes;
+  appId;
+  appSecret;
   constructor(config2) {
-    this.baseUrl = config2.serverUrl.replace(/\/+$/, "");
-    this.clientId = config2.clientId;
-    this.clientSecret = config2.clientSecret;
-    this.clientName = config2.clientName;
-    this.scopes = config2.scopes;
-    log16.info("SealClient initialized", { serverUrl: this.baseUrl, clientName: config2.clientName });
+    this.baseUrl = config2.baseUrl.replace(/\/+$/, "");
+    this.appId = config2.appId;
+    this.appSecret = config2.appSecret;
+    log16.info("OAuthClient initialized", { baseUrl: this.baseUrl, appId: sanitize(this.appId) });
   }
   // ── 通用 HTTP 请求 ──
   /**
    * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
-   * @param method - HTTP 方法
-   * @param path - 请求路径 (如 '/seal/client/register')
-   * @param options - 请求选项
-   * @returns 解析后的 JSON 响应
-   * @throws SealApiError — HTTP 非 2xx 响应
    */
   async request(method, path2, options = {}) {
     const url2 = `${this.baseUrl}${path2}`;
@@ -19121,109 +19074,38 @@ var SealClient = class {
         parsedBody = responseBody;
       }
       log16.error("HTTP error", { method, url: url2, status: response.status });
-      throw new SealApiError(response.status, parsedBody, path2);
+      throw new ApiError(response.status, parsedBody, path2);
     }
     log16.debug("HTTP response", { method, url: url2, status: response.status });
     try {
       return JSON.parse(responseBody);
     } catch {
-      throw new SealApiError(response.status, responseBody, path2);
+      throw new ApiError(response.status, responseBody, path2);
     }
   }
   // ── 公共方法 ──
-  /** 判断是否已注册 (有 clientId + clientSecret) */
-  isRegistered() {
-    return !!(this.clientId && this.clientSecret);
-  }
-  /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
-  setCredentials(clientId, clientSecret) {
-    this.clientId = clientId;
-    this.clientSecret = clientSecret;
-    log16.info("Credentials updated", { clientId: sanitize(clientId) });
-  }
-  /**
-   * 动态注册客户端 → POST /seal/client/register
-   *
-   * 首次运行时自动调用，获取 clientId 和 clientSecret。
-   * 注册成功后自动更新内部凭据。
-   */
-  async register(params) {
-    const body = {
-      client_name: params.clientName,
-      scopes: params.scopes,
-      authentication_methods: params.authMethods ?? ["client_secret_post"],
-      grant_types: params.grantTypes ?? ["authorization_code", "client_credentials", "refresh_token"],
-      redirect_uris: params.redirectUris ?? ["https://placeholder.local"],
-      logout_redirect_uris: [],
-      client_settings: {
-        "settings.client.require-authorization-consent": true
-      }
-    };
-    if (params.tokenSettings) {
-      const ts = {};
-      if (params.tokenSettings.accessTokenTtl) {
-        ts["settings.token.access-token-time-to-live"] = params.tokenSettings.accessTokenTtl;
-      }
-      if (params.tokenSettings.refreshTokenTtl) {
-        ts["settings.token.refresh-token-time-to-live"] = params.tokenSettings.refreshTokenTtl;
-      }
-      if (params.tokenSettings.accessTokenFormat) {
-        ts["settings.token.access-token-format"] = params.tokenSettings.accessTokenFormat;
-      }
-      if (params.tokenSettings.reuseRefreshTokens !== void 0) {
-        ts["settings.token.reuse-refresh-tokens"] = params.tokenSettings.reuseRefreshTokens;
-      }
-      ts["settings.token.authorization-code-time-to-live"] = "300";
-      body.token_settings = ts;
-    }
-    log16.info("Registering OAuth client", { clientName: params.clientName });
-    const response = await this.request(
-      "POST",
-      "/seal/client/register",
-      { body, contentType: "json" }
-    );
-    const registration = {
-      clientId: response.client_id,
-      clientSecret: response.client_secret,
-      clientSecretExpiresAt: response.client_secret_expires_at ?? "",
-      clientIdIssuedAt: response.client_id_issued_at ?? "",
-      scopes: response.scopes ?? params.scopes
-    };
-    this.setCredentials(registration.clientId, registration.clientSecret);
-    log16.info("OAuth client registered", {
-      clientId: sanitize(registration.clientId),
-      clientSecret: sanitize(registration.clientSecret),
-      scopes: registration.scopes,
-      expiresAt: registration.clientSecretExpiresAt
-    });
-    return registration;
-  }
   /**
-   * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
+   * 获取访问令牌 → POST /auth/token (client_credentials)
    *
-   * 使用客户端凭证模式获取 Access Token。
-   * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
+   * 请求参数 (x-www-form-urlencoded):
+   *   - grant_type: client_credentials (写死)
+   *   - client_id: appId
+   *   - client_secret: appSecret
+   *   - scope: client_credentials refresh_token (写死)
    *
-   * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
    * @returns TokenData 包含 access_token、过期时间等
-   * @throws Error — clientId/clientSecret 未设置
-   * @throws SealApiError — HTTP 错误
+   * @throws ApiError — HTTP 错误
    */
-  async getToken(scope) {
-    if (!this.clientId || !this.clientSecret) {
-      throw new Error("Cannot get token: clientId and clientSecret are required. Call register() or setCredentials() first.");
-    }
+  async getToken() {
     const params = new URLSearchParams();
-    params.set("grant_type", "client_credentials");
-    params.set("client_id", this.clientId);
-    params.set("client_secret", this.clientSecret);
-    if (scope) {
-      params.set("scope", scope);
-    }
-    log16.info("Requesting access token", { clientId: sanitize(this.clientId) });
+    params.set("grant_type", GRANT_TYPE);
+    params.set("client_id", this.appId);
+    params.set("client_secret", this.appSecret);
+    params.set("scope", SCOPE);
+    log16.info("Requesting access token", { appId: sanitize(this.appId) });
     const response = await this.request(
       "POST",
-      "/seal/oauth2/token",
+      "/auth/token",
       { body: params, contentType: "form" }
     );
     const now = Date.now();
@@ -19234,7 +19116,6 @@ var SealClient = class {
       expiresIn,
       scope: response.scope ?? "",
       refreshToken: void 0,
-      // Seal 不返回 refresh_token
       grantedAt: now,
       expiresAt: now + expiresIn * 1e3
     };
@@ -19245,12 +19126,9 @@ var SealClient = class {
     });
     return tokenData;
   }
-  /**
-   * 令牌校验 → GET /seal/oauth2/introspect
-   * 暂不实现 — 保留接口签名，后续需要时再补充
-   */
-  async introspect(_token) {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
+  /** 获取 baseUrl (供其他模块复用) */
+  getBaseUrl() {
+    return this.baseUrl;
   }
 };
@@ -19258,7 +19136,7 @@ var SealClient = class {
 var import_promises = require("fs/promises");
 var import_node_fs = require("fs");
 var import_node_path = require("path");
-var import_node_crypto = require("crypto");
+var import_node_crypto2 = require("crypto");
 var log17 = createLogger("auth/token-store");
 var TokenStore = class {
   /** 存储目录路径 */
@@ -19314,7 +19192,7 @@ var TokenStore = class {
     const storage = { ciphertext, keyId };
     const storageJson = JSON.stringify(storage);
     const targetPath = this.filePath(key);
-    const tmpSuffix = (0, import_node_crypto.randomBytes)(4).toString("hex");
+    const tmpSuffix = (0, import_node_crypto2.randomBytes)(4).toString("hex");
     const tmpPath = `${targetPath}.${tmpSuffix}.tmp`;
     try {
       await (0, import_promises.writeFile)(tmpPath, storageJson, { mode: 384 });
@@ -19384,12 +19262,10 @@ var DEFAULT_REFRESH_AHEAD_MS = 5 * 60 * 1e3;
 var MAX_RETRIES = 3;
 var RETRY_BASE_MS = 1e3;
 var TokenManager = class {
-  sealClient;
+  oauthClient;
   tokenStore;
   /** Token 过期前提前刷新的时间 (ms) */
   refreshAheadMs;
-  /** 自动注册的参数 */
-  autoRegisterParams;
   // ── 内存缓存 ──
   /** 内存中缓存的 access_token */
   cachedToken = null;
@@ -19403,10 +19279,9 @@ var TokenManager = class {
   /** 定时刷新器句柄 */
   refreshTimer = null;
   constructor(deps) {
-    this.sealClient = deps.sealClient;
+    this.oauthClient = deps.oauthClient;
     this.tokenStore = deps.tokenStore;
     this.refreshAheadMs = deps.refreshAheadMs ?? DEFAULT_REFRESH_AHEAD_MS;
-    this.autoRegisterParams = deps.autoRegisterParams;
     log18.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
   }
   // ── 核心方法 ──
@@ -19435,13 +19310,6 @@ var TokenManager = class {
       this.refreshLock = null;
     }
   }
-  /**
-   * 令牌自省 — 暂不实现，后续补充。
-   * 返回的 identity_id 用于 gate.ts 的 anti-loop 检查 (bot 自己的 ID)。
-   */
-  async introspect() {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
-  }
   /** 检查当前令牌是否包含指定的 scope */
   hasScope(scope) {
     if (!this.cachedScope) return false;
@@ -19472,14 +19340,14 @@ var TokenManager = class {
    *
    * 重试策略:
    *   - 网络错误 / 5xx → 重试 (最多 3 次)
-   *   - 401/403 → 不重试 (client_secret 可能无效)
+   *   - 401/403 → 不重试 (凭证可能无效)
    */
   async _acquireTokenWithRetry() {
     for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
       try {
         return await this._acquireToken();
       } catch (err) {
-        if (err instanceof SealApiError && (err.status === 401 || err.status === 403)) {
+        if (err instanceof ApiError && (err.status === 401 || err.status === 403)) {
           log18.error("Token acquire failed with auth error, not retrying", { status: err.status });
           throw err;
         }
@@ -19507,10 +19375,9 @@ var TokenManager = class {
    *
    * 流程:
    *   1. 尝试从 TokenStore 加载缓存
-   *   2. 检查是否需要注册客户端
-   *   3. 调用 SealClient.getToken() 获取新 Token
-   *   4. 保存到内存缓存 + TokenStore
-   *   5. 设置定时刷新器
+   *   2. 调用 OAuthClient.getToken() 获取新 Token
+   *   3. 保存到内存缓存 + TokenStore
+   *   4. 设置定时刷新器
    */
   async _acquireToken() {
     try {
@@ -19527,43 +19394,8 @@ var TokenManager = class {
     } catch {
       log18.warn("Failed to load token from store, acquiring new one");
     }
-    if (!this.sealClient.isRegistered()) {
-      try {
-        const savedCreds = await this.tokenStore.load("credentials");
-        if (savedCreds?.clientId && savedCreds?.clientSecret) {
-          this.sealClient.setCredentials(
-            savedCreds.clientId,
-            savedCreds.clientSecret
-          );
-          log18.info("Credentials loaded from store");
-        }
-      } catch {
-        log18.debug("No saved credentials found");
-      }
-    }
-    if (!this.sealClient.isRegistered()) {
-      if (!this.autoRegisterParams) {
-        throw new Error("SealClient not registered and autoRegisterParams not provided. Call setCredentials() or enable autoRegister.");
-      }
-      log18.info("Auto-registering OAuth client");
-      const registration = await this.sealClient.register({
-        clientName: this.autoRegisterParams.clientName,
-        scopes: this.autoRegisterParams.scopes,
-        tokenSettings: this.autoRegisterParams.tokenSettings ? {
-          accessTokenTtl: this.autoRegisterParams.tokenSettings.accessTokenTtl,
-          refreshTokenTtl: this.autoRegisterParams.tokenSettings.refreshTokenTtl,
-          accessTokenFormat: this.autoRegisterParams.tokenSettings.accessTokenFormat
-        } : void 0
-      });
-      await this.tokenStore.save("credentials", {
-        clientId: registration.clientId,
-        clientSecret: registration.clientSecret,
-        clientSecretExpiresAt: registration.clientSecretExpiresAt
-      });
-      log18.info("OAuth client registered and credentials saved");
-    }
-    log18.info("Acquiring new access token");
-    const tokenData = await this.sealClient.getToken();
+    log18.info("Acquiring new access token via POST /auth/token");
+    const tokenData = await this.oauthClient.getToken();
     this.updateCache(tokenData);
     await this.tokenStore.save("token", tokenData);
     this.scheduleRefresh(tokenData);
@@ -19753,7 +19585,7 @@ var MessageDedup = class {
 };
 // src/transport/message-pipe.ts
-var import_node_crypto2 = require("crypto");
+var import_node_crypto3 = require("crypto");
 var log21 = createLogger("transport/message-pipe");
 var MessagePipe = class {
   wsClient;
@@ -19901,7 +19733,7 @@ var MessagePipe = class {
     if (timestamp && nonce && signature) {
       const token = await this.tokenFn();
       const signatureInput = timestamp + nonce + frame.data;
-      const expected = (0, import_node_crypto2.createHmac)("sha256", token).update(signatureInput).digest("hex");
+      const expected = (0, import_node_crypto3.createHmac)("sha256", token).update(signatureInput).digest("hex");
       if (expected !== signature) {
         log21.warn("inbound:signature-fail", { timestamp, nonce });
         return;
@@ -20469,28 +20301,17 @@ async function startPlugin(accountConfig, internalOverrides) {
     cryptoEngine = CryptoEngine.createPassthrough();
     log25.info("Crypto passthrough mode \u2713 (disabled by config)");
   }
-  const sealClient = new SealClient({
-    serverUrl: config2.auth.serverUrl,
-    clientName: config2.auth.clientName,
-    clientId: config2.auth.clientId,
-    clientSecret: config2.auth.clientSecret,
-    scopes: config2.auth.scopes
+  const oauthClient = new OAuthClient({
+    baseUrl: config2.auth.serverUrl,
+    appId: accountConfig.appId,
+    appSecret: accountConfig.appSecret
   });
   const tokenStorePath = (0, import_node_path2.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
   const tokenStore = new TokenStore(tokenStorePath, cryptoEngine);
   const tokenManager = new TokenManager({
-    sealClient,
+    oauthClient,
     tokenStore,
-    refreshAheadMs: config2.auth.refreshAheadMs,
-    autoRegisterParams: config2.auth.autoRegister ? {
-      clientName: config2.auth.clientName,
-      scopes: config2.auth.scopes,
-      tokenSettings: config2.auth.tokenSettings ? {
-        accessTokenTtl: config2.auth.tokenSettings.accessTokenTtl,
-        refreshTokenTtl: config2.auth.tokenSettings.refreshTokenTtl,
-        accessTokenFormat: config2.auth.tokenSettings.accessTokenFormat
-      } : void 0
-    } : void 0
+    refreshAheadMs: config2.auth.refreshAheadMs
   });
   log25.info("Auth initialized \u2713");
   let pushQueue = null;