squad-openclaw 2026.2.192 → 2026.2.193

package/dist/index.js

@@ -879,6 +879,7 @@ function registerVersionMethods(api) {
 
 // src/relay-client.ts
 import { WebSocket as NodeWebSocket } from "ws";
+import crypto2 from "crypto";
 import fs5 from "fs";
 import path5 from "path";
 import os from "os";
@@ -997,6 +998,51 @@ function deleteClaimToken() {
   } catch {
   }
 }
+function toBase64Url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function loadOrCreateDeviceKeys() {
+  const keysPath = path5.join(os.homedir(), ".squad", "relay-device-keys.json");
+  try {
+    const raw = fs5.readFileSync(keysPath, "utf-8");
+    const keys2 = JSON.parse(raw);
+    if (keys2.deviceId && keys2.publicKey && keys2.privateKey) {
+      return keys2;
+    }
+  } catch {
+  }
+  const { publicKey, privateKey } = crypto2.generateKeyPairSync("ed25519");
+  const pubDer = publicKey.export({ type: "spki", format: "der" });
+  const privDer = privateKey.export({ type: "pkcs8", format: "der" });
+  const rawPub = pubDer.subarray(pubDer.length - 32);
+  const deviceId = crypto2.createHash("sha256").update(rawPub).digest("hex");
+  const pubB64 = toBase64Url(rawPub);
+  const privB64 = toBase64Url(privDer);
+  const keys = { deviceId, publicKey: pubB64, privateKey: privB64 };
+  const dir = path5.dirname(keysPath);
+  if (!fs5.existsSync(dir)) {
+    fs5.mkdirSync(dir, { recursive: true });
+  }
+  fs5.writeFileSync(keysPath, JSON.stringify(keys, null, 2), { mode: 384 });
+  console.log(`[relay-client] Generated new device keys: ${deviceId.substring(0, 12)}...`);
+  return keys;
+}
+function signDeviceIdentity(keys, clientId, clientMode, role, scopes, token) {
+  const signedAtMs = Date.now();
+  const nonce = crypto2.randomBytes(16).toString("hex");
+  const scopeStr = scopes.join(",");
+  const payload = `v2|${keys.deviceId}|${clientId}|${clientMode}|${role}|${scopeStr}|${signedAtMs}|${token ?? ""}|${nonce}`;
+  const privDer = Buffer.from(keys.privateKey.replace(/-/g, "+").replace(/_/g, "/") + "==", "base64");
+  const privateKey = crypto2.createPrivateKey({ key: privDer, format: "der", type: "pkcs8" });
+  const signature = crypto2.sign(null, Buffer.from(payload), privateKey);
+  return {
+    id: keys.deviceId,
+    publicKey: keys.publicKey,
+    signature: toBase64Url(signature),
+    signedAt: signedAtMs,
+    nonce
+  };
+}
 var RelayClient = class {
   config;
   relayWs = null;
@@ -1008,6 +1054,8 @@ var RelayClient = class {
   destroyed = false;
   /** Pending claim token — sent on first successful connect, then cleared */
   pendingClaimToken = null;
+  /** Device keys for authenticating local WS connections to the gateway */
+  deviceKeys;
   constructor(config) {
     this.config = {
       relayUrl: config.relayUrl,
@@ -1017,6 +1065,7 @@ var RelayClient = class {
       claimToken: config.claimToken ?? null
     };
     this.pendingClaimToken = this.config.claimToken ?? readClaimToken();
+    this.deviceKeys = loadOrCreateDeviceKeys();
   }
   /** Start connecting to the relay */
   start() {
@@ -1155,8 +1204,19 @@ var RelayClient = class {
       const params = msg.params ?? {};
       if (this.config.operatorToken) {
         params.auth = { token: this.config.operatorToken };
-        msg.params = params;
       }
+      const client = params.client ?? {};
+      const role = params.role ?? "operator";
+      const scopes = params.scopes ?? [];
+      params.device = signDeviceIdentity(
+        this.deviceKeys,
+        client.id ?? "cli",
+        client.mode ?? "ui",
+        role,
+        scopes,
+        this.config.operatorToken
+      );
+      msg.params = params;
       conn.connectHandshakeComplete = false;
     }
     conn.localWs.send(JSON.stringify(msg));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "squad-openclaw",
-  "version": "2026.2.192",
+  "version": "2026.2.193",
   "description": "Entity registry, filesystem tools, and version management plugin for OpenClaw gateway",
   "type": "module",
   "main": "./dist/index.js",