phoneclaw-connector 1.0.0

package/dist/device-identity.js

@@ -0,0 +1,133 @@
+import { createHash, createPrivateKey, createPublicKey, generateKeyPairSync, sign as cryptoSign, } from 'crypto';
+import { promises as fs } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IDENTITY_FILE = 'device-identity.json';
+function base64UrlEncode(buf) {
+    return buf
+        .toString('base64')
+        .replaceAll('+', '-')
+        .replaceAll('/', '_')
+        .replace(/=+$/g, '');
+}
+function deriveDeviceIdFromPublicKeyPem(publicKeyPem) {
+    const publicKey = createPublicKey(publicKeyPem);
+    const spki = publicKey.export({ type: 'spki', format: 'der' });
+    // Ed25519 SPKI: 12-byte prefix + 32-byte raw key
+    const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+    let raw;
+    if (spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+        spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+        raw = spki.subarray(ED25519_SPKI_PREFIX.length);
+    }
+    else {
+        raw = spki;
+    }
+    // OpenClaw uses SHA-256 hex (64 lowercase hex chars) as the stable deviceId.
+    return createHash('sha256').update(raw).digest('hex');
+}
+function publicKeyRawBase64UrlFromPem(publicKeyPem) {
+    const publicKey = createPublicKey(publicKeyPem);
+    const spki = publicKey.export({ type: 'spki', format: 'der' });
+    const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+    let raw;
+    if (spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+        spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+        raw = spki.subarray(ED25519_SPKI_PREFIX.length);
+    }
+    else {
+        raw = spki;
+    }
+    return base64UrlEncode(raw);
+}
+function generateIdentity() {
+    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
+    const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
+    const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' });
+    const deviceId = deriveDeviceIdFromPublicKeyPem(publicKeyPem);
+    return {
+        deviceId,
+        publicKey: publicKeyRawBase64UrlFromPem(publicKeyPem),
+        privateKey: privateKeyPem,
+        publicKeyPem,
+        createdAt: new Date().toISOString(),
+    };
+}
+function isValidIdentity(value) {
+    if (!value || typeof value !== 'object')
+        return false;
+    const v = value;
+    return (typeof v.deviceId === 'string' &&
+        typeof v.publicKey === 'string' &&
+        typeof v.privateKey === 'string' &&
+        typeof v.publicKeyPem === 'string' &&
+        typeof v.createdAt === 'string');
+}
+/**
+ * Manages the skill's persistent Ed25519 device identity used for OpenClaw
+ * Gateway pairing. The identity is stored next to the skill source so that
+ * re-launches keep the same deviceId and can be auto-approved as a paired
+ * node.
+ */
+export class DeviceIdentityStore {
+    identityPath;
+    identity = null;
+    constructor(configDir) {
+        this.identityPath = configDir
+            ? join(configDir, IDENTITY_FILE)
+            : join(__dirname, '..', IDENTITY_FILE);
+    }
+    /**
+     * Load existing identity or generate a new one. Persists to disk on first
+     * creation. Subsequent calls return the in-memory cached identity.
+     */
+    async getOrCreate() {
+        if (this.identity)
+            return this.identity;
+        try {
+            const data = await fs.readFile(this.identityPath, 'utf-8');
+            const parsed = JSON.parse(data);
+            if (isValidIdentity(parsed) && this.matchesPublicKey(parsed)) {
+                this.identity = parsed;
+                return parsed;
+            }
+            console.warn('[DeviceIdentity] Existing identity file is invalid or mismatched; regenerating.');
+        }
+        catch {
+            // file does not exist or is unreadable — generate new
+        }
+        const generated = generateIdentity();
+        await this.persist(generated);
+        this.identity = generated;
+        return generated;
+    }
+    /** Verify the persisted publicKey (base64url raw) actually matches the PEM. */
+    matchesPublicKey(identity) {
+        try {
+            const derivedRaw = publicKeyRawBase64UrlFromPem(identity.publicKeyPem);
+            return derivedRaw === identity.publicKey;
+        }
+        catch {
+            return false;
+        }
+    }
+    async persist(identity) {
+        await fs.mkdir(dirname(this.identityPath), { recursive: true });
+        await fs.writeFile(this.identityPath, JSON.stringify(identity, null, 2), {
+            mode: 0o600,
+        });
+    }
+    /**
+     * Sign a payload string with the identity's Ed25519 private key. Returns
+     * base64url-encoded raw signature (no padding).
+     */
+    signPayload(payload, identity) {
+        const privateKey = createPrivateKey(identity.privateKey);
+        const signature = cryptoSign(null, Buffer.from(payload, 'utf8'), privateKey);
+        return base64UrlEncode(signature);
+    }
+}
+export { base64UrlEncode, publicKeyRawBase64UrlFromPem, deriveDeviceIdFromPublicKeyPem };
+//# sourceMappingURL=device-identity.js.map

package/dist/device-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-identity.js","sourceRoot":"","sources":["../src/device-identity.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,IAAI,IAAI,UAAU,GACnB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AAetC,MAAM,aAAa,GAAG,sBAAsB,CAAC;AAE7C,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC;SACpB,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,8BAA8B,CAAC,YAAoB;IAC1D,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACzE,iDAAiD;IACjD,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;IAC3E,IAAI,GAAW,CAAC;IAChB,IACE,IAAI,CAAC,MAAM,KAAK,mBAAmB,CAAC,MAAM,GAAG,EAAE;QAC/C,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,mBAAmB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC,EACxE,CAAC;QACD,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,CAAC;IACb,CAAC;IACD,6EAA6E;IAC7E,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,4BAA4B,CAAC,YAAoB;IACxD,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACzE,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;IAC3E,IAAI,GAAW,CAAC;IAChB,IACE,IAAI,CAAC,MAAM,KAAK,mBAAmB,CAAC,MAAM,GAAG,EAAE;QAC/C,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,mBAAmB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC,EACxE,CAAC;QACD,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,CAAC;IACb,CAAC;IACD,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACjF,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACpF,MAAM,QAAQ,GAAG,8BAA8B,CAAC,YAAY,CAAC,CAAC;IAC9D,OAAO;QACL,QAAQ;QACR,SAAS,EAAE,4BAA4B,CAAC,YAAY,CAAC;QACrD,UAAU,EAAE,aAAa;QACzB,YAAY;QACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,CAAC,GAAG,KAAgC,CAAC;IAC3C,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ;QAClC,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,mBAAmB;IACtB,YAAY,CAAS;IACrB,QAAQ,GAA0B,IAAI,CAAC;IAE/C,YAAY,SAAkB;QAC5B,IAAI,CAAC,YAAY,GAAG,SAAS;YAC3B,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC;YAChC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;IAC3C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,eAAe,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7D,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC;gBACvB,OAAO,MAAM,CAAC;YAChB,CAAC;YACD,OAAO,CAAC,IAAI,CACV,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QAED,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;QACrC,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC;QAC1B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,+EAA+E;IACvE,gBAAgB,CAAC,QAAwB;QAC/C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,4BAA4B,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACvE,OAAO,UAAU,KAAK,QAAQ,CAAC,SAAS,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,QAAwB;QAC5C,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YACvE,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,OAAe,EAAE,QAAwB;QACnD,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,UAAU,CAAC,CAAC;QAC7E,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;CACF;AAED,OAAO,EAAE,eAAe,EAAE,4BAA4B,EAAE,8BAA8B,EAAE,CAAC"}

package/dist/device.d.ts

@@ -0,0 +1,21 @@
+import { DeviceInfo } from './types.js';
+import { DeviceIdentity } from './device-identity.js';
+export declare class DeviceManager {
+    private configPath;
+    private configDir;
+    private deviceInfo;
+    private identityStore;
+    private cachedIdentity;
+    constructor(configDir?: string);
+    getDeviceInfo(): Promise<DeviceInfo>;
+    /**
+     * Returns the persistent Ed25519 device identity used for OpenClaw Gateway
+     * pairing. Lazily creates one on first call and caches it in memory.
+     */
+    getDeviceIdentity(): Promise<DeviceIdentity>;
+    private generateDeviceInfo;
+    private getMachineId;
+    private saveDeviceInfo;
+    resetDevice(): Promise<void>;
+}
+//# sourceMappingURL=device.d.ts.map

package/dist/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../src/device.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAOxC,OAAO,EAAE,cAAc,EAAuB,MAAM,sBAAsB,CAAC;AAM3E,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,cAAc,CAA+B;gBAEzC,SAAS,CAAC,EAAE,MAAM;IAMxB,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;IAoB1C;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,cAAc,CAAC;YAMpC,kBAAkB;YAsBlB,YAAY;YAmBZ,cAAc;IAQtB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;CASnC"}

package/dist/device.js

@@ -0,0 +1,104 @@
+import { createHash } from 'crypto';
+import { v4 as uuidv4 } from 'uuid';
+import { promises as fs } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import os from 'os';
+import { DeviceIdentityStore } from './device-identity.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const execAsync = promisify(exec);
+export class DeviceManager {
+    configPath;
+    configDir;
+    deviceInfo = null;
+    identityStore;
+    cachedIdentity = null;
+    constructor(configDir) {
+        this.configDir = configDir || join(__dirname, '..');
+        this.configPath = join(this.configDir, 'device.json');
+        this.identityStore = new DeviceIdentityStore(this.configDir);
+    }
+    async getDeviceInfo() {
+        if (this.deviceInfo) {
+            return this.deviceInfo;
+        }
+        // Try to load existing device info
+        try {
+            const data = await fs.readFile(this.configPath, 'utf-8');
+            const parsed = JSON.parse(data);
+            this.deviceInfo = parsed;
+            return parsed;
+        }
+        catch {
+            // Generate new device info
+            const generated = await this.generateDeviceInfo();
+            this.deviceInfo = generated;
+            await this.saveDeviceInfo();
+            return generated;
+        }
+    }
+    /**
+     * Returns the persistent Ed25519 device identity used for OpenClaw Gateway
+     * pairing. Lazily creates one on first call and caches it in memory.
+     */
+    async getDeviceIdentity() {
+        if (this.cachedIdentity)
+            return this.cachedIdentity;
+        this.cachedIdentity = await this.identityStore.getOrCreate();
+        return this.cachedIdentity;
+    }
+    async generateDeviceInfo() {
+        // Generate device ID based on machine fingerprint
+        const machineId = await this.getMachineId();
+        const hostname = os.hostname();
+        // 使用 "主机名-机器指纹前8位" 作为 deviceId，既唯一又易读
+        const fingerprint = createHash('sha256')
+            .update(`phoneclaw-${machineId}`)
+            .digest('hex')
+            .slice(0, 8);
+        const deviceId = `${hostname}-${fingerprint}`;
+        // Generate device key for authentication
+        const deviceKey = uuidv4();
+        return {
+            deviceId,
+            deviceKey,
+            platform: process.platform,
+            version: '1.0.0'
+        };
+    }
+    async getMachineId() {
+        try {
+            if (process.platform === 'darwin') {
+                const { stdout } = await execAsync('ioreg -rd1 -c IOPlatformExpertDevice');
+                const match = stdout.match(/"IOPlatformUUID" = "([^"]+)"/);
+                if (match)
+                    return match[1];
+            }
+            if (process.platform === 'linux') {
+                const machineId = await fs.readFile('/etc/machine-id', 'utf-8');
+                return machineId.trim();
+            }
+        }
+        catch {
+            // Fallback to hostname
+        }
+        return os.hostname();
+    }
+    async saveDeviceInfo() {
+        await fs.writeFile(this.configPath, JSON.stringify(this.deviceInfo, null, 2), 'utf-8');
+    }
+    async resetDevice() {
+        this.deviceInfo = null;
+        this.cachedIdentity = null;
+        try {
+            await fs.unlink(this.configPath);
+        }
+        catch {
+            // File doesn't exist, ignore
+        }
+    }
+}
+//# sourceMappingURL=device.js.map

package/dist/device.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.js","sourceRoot":"","sources":["../src/device.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAkB,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3E,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACtC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAElC,MAAM,OAAO,aAAa;IAChB,UAAU,CAAS;IACnB,SAAS,CAAS;IAClB,UAAU,GAAsB,IAAI,CAAC;IACrC,aAAa,CAAsB;IACnC,cAAc,GAA0B,IAAI,CAAC;IAErD,YAAY,SAAkB;QAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa,GAAG,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;QAED,mCAAmC;QACnC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACzD,MAAM,MAAM,GAAe,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;YACzB,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,2BAA2B;YAC3B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAClD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,IAAI,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC,cAAc,CAAC;QACpD,IAAI,CAAC,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,CAAC;QAC7D,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,kBAAkB;QAC9B,kDAAkD;QAClD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;QAC/B,sCAAsC;QACtC,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC;aACrC,MAAM,CAAC,aAAa,SAAS,EAAE,CAAC;aAChC,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACf,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,WAAW,EAAE,CAAC;QAE9C,yCAAyC;QACzC,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC;QAE3B,OAAO;YACL,QAAQ;YACR,SAAS;YACT,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,OAAO;SACjB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAClC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,sCAAsC,CAAC,CAAC;gBAC3E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBAC3D,IAAI,KAAK;oBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;gBAChE,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;QAED,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,EAAE,CAAC,SAAS,CAChB,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EACxC,OAAO,CACR,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,6BAA6B;QAC/B,CAAC;IACH,CAAC;CACF"}

package/dist/gateway.d.ts

@@ -0,0 +1,58 @@
+import { SkillConfig } from './types.js';
+import { DeviceIdentity } from './device-identity.js';
+import { DeviceAuthStore } from './device-auth-store.js';
+export interface GatewayClientOptions {
+    config: SkillConfig;
+    deviceIdentity: DeviceIdentity;
+    deviceAuthStore: DeviceAuthStore;
+}
+/**
+ * OpenClaw Gateway WebSocket client. Performs the device identity pairing
+ * flow (connect.challenge -> signed connect -> hello-ok with persisted
+ * deviceToken) so that operator.write / operator.read scopes are granted.
+ */
+export declare class GatewayClient {
+    private ws;
+    private config;
+    private deviceIdentity;
+    private deviceAuthStore;
+    private isConnected;
+    private requestHandlers;
+    private requestIdCounter;
+    private eventHandlers;
+    constructor(options: GatewayClientOptions);
+    connect(): Promise<void>;
+    /**
+     * 1. Load any previously-persisted deviceToken for this identity.
+     * 2. Wait for `connect.challenge` from gateway (gives us a nonce).
+     * 3. Build a v3 device-auth payload, sign with our Ed25519 private key.
+     * 4. Send `connect` request with the signed device block + token/deviceToken.
+     * 5. On hello-ok, persist any newly issued deviceToken.
+     */
+    private runHandshake;
+    /** Wait for the gateway to emit a connect.challenge event with a nonce. */
+    private waitForConnectChallenge;
+    /**
+     * Build the v3 device-auth payload and sign it with the device's Ed25519
+     * private key. Mirrors openclaw's `buildDeviceAuthPayloadV3` exactly so
+     * the gateway can verify the signature.
+     */
+    private buildDeviceConnectParams;
+    private signDevicePayload;
+    /** Persist newly issued deviceToken from hello-ok response. */
+    private persistHelloOk;
+    private handleMessage;
+    private handleEvent;
+    /** Subscribe to gateway events. Pass '*' to receive all events. */
+    onEvent(eventName: string, handler: (event: any) => void): void;
+    offEvent(eventName: string): void;
+    private sendRequest;
+    agent(message: string, sessionId?: string): Promise<any>;
+    health(): Promise<any>;
+    status(): Promise<any>;
+    nodeList(): Promise<any>;
+    send(message: string): Promise<any>;
+    get connected(): boolean;
+    disconnect(): void;
+}
+//# sourceMappingURL=gateway.d.ts.map

package/dist/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EACL,cAAc,EAGf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAqB,MAAM,wBAAwB,CAAC;AAwD5E,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,WAAW,CAAC;IACpB,cAAc,EAAE,cAAc,CAAC;IAC/B,eAAe,EAAE,eAAe,CAAC;CAClC;AAED;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,eAAe,CAA8D;IACrF,OAAO,CAAC,gBAAgB,CAAK;IAC7B,OAAO,CAAC,aAAa,CAA2C;gBAEpD,OAAO,EAAE,oBAAoB;IAMnC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAoD9B;;;;;;OAMG;YACW,YAAY;IAgD1B,2EAA2E;IAC3E,OAAO,CAAC,uBAAuB;IA+B/B;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAiChC,OAAO,CAAC,iBAAiB;IAOzB,+DAA+D;YACjD,cAAc;IAqB5B,OAAO,CAAC,aAAa;IAyBrB,OAAO,CAAC,WAAW;IAqBnB,mEAAmE;IACnE,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,GAAG,IAAI;IAI/D,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIjC,OAAO,CAAC,WAAW;IAuBb,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAkBxD,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC;IAItB,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC;IAItB,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC;IAIxB,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAIzC,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED,UAAU,IAAI,IAAI;CAOnB"}

package/dist/gateway.js

@@ -0,0 +1,314 @@
+import WebSocket from 'ws';
+import { randomUUID } from 'crypto';
+import { DeviceIdentityStore, publicKeyRawBase64UrlFromPem, } from './device-identity.js';
+const ROLE = 'operator';
+const SCOPES = ['operator.read', 'operator.write'];
+const CAPS = ['agent', 'tools', 'sessions'];
+const CLIENT_ID = 'node-host';
+const CLIENT_DISPLAY = 'PhoneClaw Skill';
+const CLIENT_VERSION = '1.0.0';
+const PROTOCOL = 4;
+const CONNECT_CHALLENGE_TIMEOUT_MS = 10_000;
+/**
+ * OpenClaw Gateway WebSocket client. Performs the device identity pairing
+ * flow (connect.challenge -> signed connect -> hello-ok with persisted
+ * deviceToken) so that operator.write / operator.read scopes are granted.
+ */
+export class GatewayClient {
+    ws = null;
+    config;
+    deviceIdentity;
+    deviceAuthStore;
+    isConnected = false;
+    requestHandlers = new Map();
+    requestIdCounter = 0;
+    eventHandlers = new Map();
+    constructor(options) {
+        this.config = options.config;
+        this.deviceIdentity = options.deviceIdentity;
+        this.deviceAuthStore = options.deviceAuthStore;
+    }
+    async connect() {
+        return new Promise((resolve, reject) => {
+            try {
+                const url = this.config.gatewayToken
+                    ? `${this.config.gatewayUrl}?token=${this.config.gatewayToken}`
+                    : this.config.gatewayUrl;
+                this.ws = new WebSocket(url);
+                this.ws.on('open', () => {
+                    console.log('[GatewayClient] Connected to OpenClaw Gateway');
+                    this.isConnected = true;
+                });
+                this.ws.on('message', (data) => {
+                    try {
+                        const message = JSON.parse(data.toString());
+                        this.handleMessage(message);
+                    }
+                    catch (error) {
+                        console.error('[GatewayClient] Failed to parse message:', error);
+                    }
+                });
+                this.ws.on('close', () => {
+                    console.log('[GatewayClient] Gateway connection closed');
+                    this.isConnected = false;
+                });
+                this.ws.on('error', (error) => {
+                    console.error('[GatewayClient] Gateway connection error:', error);
+                    if (this.ws) {
+                        try {
+                            this.ws.removeAllListeners();
+                        }
+                        catch {
+                            // Ignore
+                        }
+                        this.ws = null;
+                    }
+                    reject(error);
+                });
+                // Kick off the handshake asynchronously; the 'open' resolve is
+                // intentionally omitted because handshake is what defines success.
+                this.runHandshake()
+                    .then(() => resolve())
+                    .catch((err) => reject(err));
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    }
+    /**
+     * 1. Load any previously-persisted deviceToken for this identity.
+     * 2. Wait for `connect.challenge` from gateway (gives us a nonce).
+     * 3. Build a v3 device-auth payload, sign with our Ed25519 private key.
+     * 4. Send `connect` request with the signed device block + token/deviceToken.
+     * 5. On hello-ok, persist any newly issued deviceToken.
+     */
+    async runHandshake() {
+        const stored = await this.deviceAuthStore.loadToken(ROLE, this.deviceIdentity.deviceId);
+        const challenge = await this.waitForConnectChallenge();
+        const signedAt = Date.now();
+        const device = this.buildDeviceConnectParams({
+            nonce: challenge.nonce,
+            signedAt,
+        });
+        const params = {
+            minProtocol: PROTOCOL,
+            maxProtocol: PROTOCOL,
+            client: {
+                id: CLIENT_ID,
+                displayName: CLIENT_DISPLAY,
+                version: CLIENT_VERSION,
+                platform: process.platform,
+                mode: 'node',
+            },
+            role: ROLE,
+            scopes: SCOPES,
+            caps: CAPS,
+            auth: {
+                token: this.config.gatewayToken || undefined,
+                deviceToken: stored?.token,
+            },
+            device,
+        };
+        const response = await this.sendRequest('connect', params);
+        if (response?.type !== 'hello-ok') {
+            throw new Error(`Gateway handshake failed: unexpected payload ${JSON.stringify(response)}`);
+        }
+        await this.persistHelloOk(response);
+        console.log(`[GatewayClient] Gateway handshake successful, protocol=${response.protocol} ` +
+            `(device=${this.deviceIdentity.deviceId.slice(0, 12)}...)`);
+    }
+    /** Wait for the gateway to emit a connect.challenge event with a nonce. */
+    waitForConnectChallenge() {
+        return new Promise((resolve, reject) => {
+            const handler = (event) => {
+                if (event?.event === 'connect.challenge') {
+                    const nonce = event?.payload?.nonce;
+                    if (typeof nonce !== 'string' || nonce.length === 0) {
+                        reject(new Error('Gateway connect.challenge missing nonce'));
+                        return;
+                    }
+                    clearTimeout(timer);
+                    resolve({ nonce });
+                }
+            };
+            // Reuse the existing request handler map by keying on event name.
+            this.requestHandlers.set('event:connect.challenge', {
+                resolve: (event) => handler(event),
+                reject,
+            });
+            const timer = setTimeout(() => {
+                this.requestHandlers.delete('event:connect.challenge');
+                reject(new Error(`Gateway connect.challenge timeout after ${CONNECT_CHALLENGE_TIMEOUT_MS}ms`));
+            }, CONNECT_CHALLENGE_TIMEOUT_MS);
+        });
+    }
+    /**
+     * Build the v3 device-auth payload and sign it with the device's Ed25519
+     * private key. Mirrors openclaw's `buildDeviceAuthPayloadV3` exactly so
+     * the gateway can verify the signature.
+     */
+    buildDeviceConnectParams(params) {
+        const scopesCsv = SCOPES.join(',');
+        const signatureToken = this.config.gatewayToken ?? '';
+        const platform = (process.platform ?? '').toLowerCase();
+        const payload = [
+            'v3',
+            this.deviceIdentity.deviceId,
+            CLIENT_ID,
+            'node',
+            ROLE,
+            scopesCsv,
+            String(params.signedAt),
+            signatureToken,
+            params.nonce,
+            platform,
+            '', // deviceFamily — not used by node-host
+        ].join('|');
+        const signature = this.deviceIdentity ? this.signDevicePayload(payload) : '';
+        return {
+            id: this.deviceIdentity.deviceId,
+            publicKey: publicKeyRawBase64UrlFromPem(this.deviceIdentity.publicKeyPem),
+            signature,
+            signedAt: params.signedAt,
+            nonce: params.nonce,
+        };
+    }
+    signDevicePayload(payload) {
+        // We delegate to the DeviceIdentityStore's helper for testability and to
+        // keep all Ed25519 primitives in one place.
+        const store = new DeviceIdentityStore();
+        return store.signPayload(payload, this.deviceIdentity);
+    }
+    /** Persist newly issued deviceToken from hello-ok response. */
+    async persistHelloOk(payload) {
+        const auth = payload.auth;
+        if (!auth?.deviceToken) {
+            console.log('[GatewayClient] No deviceToken in hello-ok; using existing token (if any)');
+            return;
+        }
+        const stored = {
+            token: auth.deviceToken,
+            role: auth.role ?? ROLE,
+            scopes: Array.isArray(auth.scopes) && auth.scopes.length > 0
+                ? auth.scopes
+                : SCOPES,
+            deviceId: this.deviceIdentity.deviceId,
+            updatedAt: new Date().toISOString(),
+        };
+        await this.deviceAuthStore.saveToken(stored);
+    }
+    handleMessage(message) {
+        if (message.type === 'res' && message.id) {
+            const handler = this.requestHandlers.get(message.id);
+            if (handler) {
+                if (message.ok) {
+                    handler.resolve(message.payload);
+                }
+                else {
+                    handler.reject(new Error(JSON.stringify(message.error)));
+                }
+                this.requestHandlers.delete(message.id);
+            }
+        }
+        else if (message.type === 'event') {
+            console.log(`[GatewayClient] ← event: ${message.event} payload=${JSON.stringify(message.payload).slice(0, 500)}`);
+            const handler = this.requestHandlers.get(`event:${message.event}`);
+            if (handler) {
+                handler.resolve(message);
+                // One-shot for connect.challenge: remove after dispatch.
+                if (message.event === 'connect.challenge') {
+                    this.requestHandlers.delete(`event:${message.event}`);
+                }
+            }
+            this.handleEvent(message);
+        }
+    }
+    handleEvent(event) {
+        // 触发通用 '*' 订阅者
+        const wildcard = this.eventHandlers.get('*');
+        if (wildcard) {
+            try {
+                wildcard(event);
+            }
+            catch (err) {
+                console.error('[GatewayClient] event handler * threw:', err);
+            }
+        }
+        // 触发按 event 名订阅者
+        const named = this.eventHandlers.get(event?.event ?? '');
+        if (named) {
+            try {
+                named(event);
+            }
+            catch (err) {
+                console.error(`[GatewayClient] event handler ${event?.event} threw:`, err);
+            }
+        }
+    }
+    /** Subscribe to gateway events. Pass '*' to receive all events. */
+    onEvent(eventName, handler) {
+        this.eventHandlers.set(eventName, handler);
+    }
+    offEvent(eventName) {
+        this.eventHandlers.delete(eventName);
+    }
+    sendRequest(method, params) {
+        return new Promise((resolve, reject) => {
+            const id = String(++this.requestIdCounter);
+            this.requestHandlers.set(id, { resolve, reject });
+            this.ws?.send(JSON.stringify({
+                type: 'req',
+                id,
+                method,
+                params,
+            }));
+            setTimeout(() => {
+                if (this.requestHandlers.has(id)) {
+                    this.requestHandlers.delete(id);
+                    reject(new Error(`Request timeout: ${method}`));
+                }
+            }, 30_000);
+        });
+    }
+    async agent(message, sessionId) {
+        // OpenClaw Gateway `agent` 协议要求：
+        //   - 必传 idempotencyKey（用于去重，避免重复触发同一个 run）
+        //   - 不允许 stream 字段（流式响应通过 event 通道单独推，不再走 req/res）
+        //   - sessionKey 用于把 run 归类到同一个 session，会话续接时同一个 sessionId
+        //     必须使用同一个 sessionKey，否则会开新 session
+        const params = {
+            message,
+            idempotencyKey: randomUUID(),
+            timeout: 300,
+        };
+        if (sessionId) {
+            params.sessionId = sessionId;
+            params.sessionKey = `phoneclaw:${sessionId}`;
+        }
+        return this.sendRequest('agent', params);
+    }
+    async health() {
+        return this.sendRequest('health', {});
+    }
+    async status() {
+        return this.sendRequest('status', {});
+    }
+    async nodeList() {
+        return this.sendRequest('node.list', {});
+    }
+    async send(message) {
+        return this.sendRequest('send', { message });
+    }
+    get connected() {
+        return this.isConnected;
+    }
+    disconnect() {
+        if (this.ws) {
+            this.ws.close();
+            this.ws = null;
+        }
+        this.isConnected = false;
+    }
+}
+//# sourceMappingURL=gateway.js.map