arkclaw-webchat-cli 0.5.3__tar.gz → 0.6.0__tar.gz

{arkclaw_webchat_cli-0.5.3 → arkclaw_webchat_cli-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arkclaw-webchat-cli
-Version: 0.5.3
+Version: 0.6.0
 Summary: CLI to chat with an ArkClaw EE space's Claw over enterprise SSO — zero permanent AK/SK.
 Author: ArkClaw Team
 Keywords: arkclaw,cli,ee,openclaw,sso,sts

{arkclaw_webchat_cli-0.5.3 → arkclaw_webchat_cli-0.6.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "arkclaw-webchat-cli"
-version = "0.5.3"
+version = "0.6.0"
 description = "CLI to chat with an ArkClaw EE space's Claw over enterprise SSO — zero permanent AK/SK."
 readme = "README.md"
 requires-python = ">=3.10"

{arkclaw_webchat_cli-0.5.3 → arkclaw_webchat_cli-0.6.0}/src/ee_claw/flows.py

@@ -53,7 +53,7 @@ from ee_claw.identity import (
 from ee_claw.oauth import OAuthClient
 from ee_claw.output import Emitter
 from ee_claw.providers import ProviderContext, resolve_token_source
-from ee_claw.sts import assume_role_with_oidc
+from ee_claw.sts import assume_role_with_oidc, get_chat_token
 from ee_claw.transport.a2a import A2ATransport, agent_card
 from ee_claw.transport.base import Approver, Attachment, Transport, TurnEvent, TurnResult
 from ee_claw.transport.openclaw import OpenClawTransport, session_key_for
@@ -116,6 +116,37 @@ def _user_identity(id_token: str | None) -> dict[str, str]:
     return ident
 
 
+def _probe_claw_access(
+    cfg: SessionConfig, id_token: str, claw_ids: list[str]
+) -> tuple[set[str], set[str]]:
+    """Which of ``claw_ids`` the current user can ACTUALLY chat — checked live by
+    minting a (throwaway) ChatToken for each, the only per-user check the CLI's
+    role can do. Returns (accessible, denied). A transient/non-permission error
+    keeps the claw (don't hide it on a network blip). Raises ArkclawError if
+    creds can't be obtained at all (caller falls back to the unchecked list)."""
+    from concurrent.futures import ThreadPoolExecutor
+
+    creds = _openclaw_creds(cfg, id_token)  # may raise (offline / expired / no creds)
+    identity = _user_identity(id_token)
+    region = str(cfg.region)
+
+    def check(cid: str) -> tuple[str, bool]:
+        try:
+            get_chat_token(cid, region, creds, identity=identity)
+            return cid, True
+        except ClawAccessDeniedError:
+            return cid, False
+        except ArkclawError:
+            return cid, True  # transient/other — keep, don't silently drop
+
+    accessible: set[str] = set()
+    denied: set[str] = set()
+    with ThreadPoolExecutor(max_workers=min(8, max(1, len(claw_ids)))) as ex:
+        for cid, ok in ex.map(check, claw_ids):
+            (accessible if ok else denied).add(cid)
+    return accessible, denied
+
+
 def _normalize(url: str) -> tuple[str, str]:
     base = (url if "//" in url else "https://" + url).rstrip("/")
     host = urllib.parse.urlparse(base).hostname or ""
@@ -131,55 +162,72 @@ def _is_userpool_address(host: str) -> bool:
 
 
 def do_init(emitter: Emitter, address: str | None = None) -> dict[str, Any]:
-    """``arkclaw init``: one-time interactive setup. Captures the login address
-    plus the bits not yet auto-discoverable (the CLI's OAuth client, the STS
-    role) so that afterwards ``arkclaw login`` needs no env vars or flags.
-    Anything the space already self-describes (issuer, region, and — once the
-    platform publishes it — client_id/role) is auto-filled and not asked."""
-    if emitter.json or not sys.stdin.isatty():
-        raise ValidationError(
-            "arkclaw init 是交互式的,需要终端。",
-            hint="在终端直接运行 `arkclaw init`;脚本里改用 env(ARKCLAW_CLIENT_ID/ROLE_TRN)+ flags。",
-        )
+    """``arkclaw init``: one-time setup. The GOAL is **address-only** — when the
+    space publishes its CLI config (issuer/region/client_id/role…) via
+    ``/.well-known/arkclaw-cli`` or GetAuthConfig, the user gives ONLY the
+    address and nothing is asked (works non-interactively too). Until then, it
+    prompts for the few bits discovery can't provide (the CLI's OAuth client,
+    the STS role)."""
+    interactive = not emitter.json and sys.stdin.isatty()
 
-    def ask(label: str, default: str | None = None, *, required: bool = False) -> str | None:
+    def need_tty() -> None:
+        if not interactive:
+            raise ValidationError(
+                "该空间尚未发布 CLI 配置,需要补充 client_id/role,而当前非交互终端。",
+                hint="在终端运行 `arkclaw init <地址>`;或脚本里用 env(ARKCLAW_CLIENT_ID/ROLE_TRN)+ flags。",
+            )
+
+    def ask(label: str, default: str | None = None, *, required: bool = False) -> str:
         suffix = f" [{default}]" if default else ""
         while True:
             ans = input(f"  {label}{suffix}: ").strip() or (default or "")
             if ans or not required:
-                return ans or None
+                return ans
             emitter.line("    (必填)")
 
-    emitter.line("arkclaw init —— 一次性配置(能自动发现的不会问你)\n")
-    address = address or ask("空间登录地址 (https://…)", required=True)
+    if not address:
+        need_tty()
+        emitter.line("arkclaw init —— 配置一次(能自动发现的不问你)\n")
+        address = ask("空间登录地址 (https://…)", required=True)
     base, host = _normalize(str(address))
     disc = discover_cli_config(base) or {}
     issuer = disc.get("issuer") or (f"https://{host}" if _is_userpool_address(host) else None)
     region = disc.get("region") or derive_region(base)
-    if issuer:
-        emitter.line("  ✓ 自动发现身份池 issuer")
-    if region:
-        emitter.line(f"  ✓ 区域: {region}")
-
-    # User-facing name is "webchat" (the ChatToken/wss path); internally it's
-    # the "openclaw" transport. "a2a" is unchanged.
-    disc_t = str(disc.get("transport") or "")
-    transport_in = ask("传输方式 (webchat/a2a)", default=("a2a" if disc_t == "a2a" else "webchat")) or "webchat"
-    transport = "a2a" if transport_in.lower() == "a2a" else "openclaw"
-    client_id = disc.get("client_id") or ask(
-        "CLI client_id(public OAuth 客户端,问管理员;平台发布发现后免此项)", required=True
-    )
-    role_trn: object = None
-    endpoint: object = None
-    if transport == "openclaw":
-        role_trn = disc.get("role_trn") or ask("STS role TRN (trn:iam::<账号>:role/<名字>)", required=True)
+    transport = "a2a" if str(disc.get("transport") or "").lower() == "a2a" else "openclaw"
+    client_id = disc.get("client_id")
+    role_trn = disc.get("role_trn")
+    provider_trn = disc.get("provider_trn")
+    endpoint = disc.get("endpoint")
+    clawid = disc.get("clawid")
+
+    # Fully discovered = the space published this CLI's client + target plane →
+    # nothing to ask (address-only). Otherwise prompt ONLY for what's missing.
+    complete = bool(client_id) and (bool(role_trn) if transport == "openclaw" else bool(endpoint))
+    if complete:
+        emitter.line("✓ 该空间已发布 CLI 配置 —— 全部自动解析,无需手动输入。")
     else:
-        endpoint = disc.get("endpoint") or ask("A2A endpoint (https://…)", required=True)
-    clawid = disc.get("clawid") or ask("默认 claw id (ci-…,可留空,登录后用 arkclaw agents 选)")
+        need_tty()
+        if issuer:
+            emitter.line("  ✓ 自动发现身份池 issuer")
+        if region:
+            emitter.line(f"  ✓ 区域: {region}")
+        # "webchat" = the ChatToken/wss path (internal name "openclaw"); "a2a" unchanged.
+        t_in = ask("传输方式 (webchat/a2a)", default=("a2a" if transport == "a2a" else "webchat"))
+        transport = "a2a" if t_in.lower() == "a2a" else "openclaw"
+        if not client_id:
+            client_id = ask(
+                "CLI client_id(public OAuth 客户端,问管理员;平台发布发现后免此项)", required=True
+            )
+        if transport == "openclaw" and not role_trn:
+            role_trn = ask("STS role TRN (trn:iam::<账号>:role/<名字>)", required=True)
+        elif transport == "a2a" and not endpoint:
+            endpoint = ask("A2A endpoint (https://…)", required=True)
+        if not clawid:
+            clawid = ask("默认 claw id (ci-…,可留空,登录后用 arkclaw agents 选)") or None
 
     saved = {
         "address": base, "issuer": issuer, "client_id": client_id, "transport": transport,
-        "region": region, "role_trn": role_trn, "provider_trn": disc.get("provider_trn"),
+        "region": region, "role_trn": role_trn, "provider_trn": provider_trn,
         "endpoint": endpoint, "space_id": disc.get("space_id"), "clawid": clawid,
     }
     config_mod.save_defaults(saved)
@@ -982,12 +1030,11 @@ def do_agents(emitter: Emitter) -> dict[str, Any]:
             )
     elif cfg.transport == "openclaw":
         emitter.line(f"★ 当前登录(openclaw)· 空间 {cfg.space}")
-        # The claws you can chat = the ones YOU have used from this machine,
-        # remembered locally — NOT a server enumeration of the space. The
-        # space-wide ListClawInstances returns every member's claws to anyone
-        # (no per-user scoping reachable by the CLI's role), so we don't call it.
-        # New claws enter via `arkclaw chat ci-...`; each chat is recorded
-        # (record_session) and shows up here next time.
+        # Candidates = the claws YOU have used from this machine (local history) +
+        # your default — NOT a server enumeration (the space-wide list isn't
+        # per-user scoped for the CLI's role). We then VERIFY access to each by
+        # minting a throwaway ChatToken, so only claws you can actually chat are
+        # shown; denied ones are pruned from history (and cleared as default).
         seen: dict[str, float] = {}
         for s in config_mod.list_sessions():
             cid = s.get("claw")
@@ -996,12 +1043,29 @@ def do_agents(emitter: Emitter) -> dict[str, Any]:
                 seen[str(cid)] = max(seen.get(str(cid), 0.0), float(ts) if isinstance(ts, (int, float)) else 0.0)
         if cfg.claw and str(cfg.claw) not in seen:
             seen[str(cfg.claw)] = 0.0  # the default claw, even if not chatted yet
-        claws = [
-            {"ClawInstanceId": cid, "last_used": ts}
-            for cid, ts in sorted(seen.items(), key=lambda kv: kv[1], reverse=True)
-        ]
+
+        claw_ids = sorted(seen, key=lambda c: seen[c], reverse=True)
+        checked = False
+        if claw_ids:
+            if not emitter.json:
+                emitter.line("  核对访问权限中…")
+            try:
+                _, id_token = _load_session(cfg)
+                accessible, denied = _probe_claw_access(cfg, id_token, claw_ids)
+                checked = True
+                for cid in denied:
+                    config_mod.forget_claw(str(cfg.space), cid)  # stop listing it
+                    if cfg.claw == cid:
+                        config_mod.save_config(dataclasses.replace(cfg, claw=None))
+                        cfg = config_mod.load_config() or cfg
+                        current["default_claw"] = cfg.claw
+                claw_ids = [c for c in claw_ids if c in accessible]
+            except ArkclawError:
+                checked = False  # offline / expired / no creds → show unchecked
+
+        claws = [{"ClawInstanceId": cid, "last_used": seen[cid]} for cid in claw_ids]
         current["claws"] = claws
-        current["source"] = "local-history"
+        current["source"] = "verified" if checked else "local-history-unchecked"
         if claws:
             emitter.table(
                 ["Claw(可 chat)", "上次使用", "默认"],
@@ -1014,6 +1078,10 @@ def do_agents(emitter: Emitter) -> dict[str, Any]:
                     for c in claws
                 ],
             )
+            if not checked:
+                emitter.line("  ⚠ 未能核对权限(离线/会话过期),以上为本地历史,可能含你无权访问的。")
+        elif checked:
+            emitter.line("  你在本空间没有可访问的 claw(历史里的都已无权或不存在)。")
         else:
             emitter.line("  还没用过任何 claw。用 `arkclaw chat ci-xxxx` 开始,之后这里会记住它。")
 

{arkclaw_webchat_cli-0.5.3 → arkclaw_webchat_cli-0.6.0}/src/ee_claw/identity.py

@@ -118,6 +118,20 @@ def discover_cli_config(url: str) -> dict[str, object] | None:
         if result.get(k):
             out["client_id"] = result[k]
             break
+    # The remaining CLI-plane fields (platform-added). Once the BFF surfaces
+    # these on GetAuthConfig, the user types ONLY the address — login/init
+    # resolve everything. (camelCase from the BFF → snake_case the CLI uses.)
+    for src, dst in (
+        ("roleTrn", "role_trn"),
+        ("providerTrn", "provider_trn"),
+        ("region", "region"),
+        ("spaceId", "space_id"),
+        ("transport", "transport"),
+        ("endpoint", "endpoint"),
+        ("defaultClawId", "clawid"),
+    ):
+        if result.get(src):
+            out[dst] = result[src]
     return out or None