let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: wire role-scoped device creds

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-20 11:35:08 +00:00
parent dfbf6ac263
commit d8cc7db5e6
17 changed files with 633 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/gateway/client.ts
View File

@@ -8,7 +8,11 @@ import {
publicKeyRawBase64UrlFromPem,
signDevicePayload,
} from "../infra/device-identity.js";
import { loadDeviceAuthToken, storeDeviceAuthToken } from "../infra/device-auth-store.js";
import {
clearDeviceAuthToken,
loadDeviceAuthToken,
storeDeviceAuthToken,
} from "../infra/device-auth-store.js";
import {
GATEWAY_CLIENT_MODES,
GATEWAY_CLIENT_NAMES,
@@ -160,7 +164,8 @@ export class GatewayClient {
const storedToken = this.opts.deviceIdentity
? loadDeviceAuthToken({ deviceId: this.opts.deviceIdentity.deviceId, role })?.token
: null;
const authToken = this.opts.token ?? storedToken ?? undefined;
const authToken = storedToken ?? this.opts.token ?? undefined;
const canFallbackToShared = Boolean(storedToken && this.opts.token);
const auth =
authToken || this.opts.password
? {
@@ -236,6 +241,12 @@ export class GatewayClient {
this.opts.onHelloOk?.(helloOk);
})
.catch((err) => {
if (canFallbackToShared && this.opts.deviceIdentity) {
clearDeviceAuthToken({
deviceId: this.opts.deviceIdentity.deviceId,
role,
});
}
this.opts.onConnectError?.(err instanceof Error ? err : new Error(String(err)));
const msg = `gateway connect failed: ${String(err)}`;
if (this.opts.mode === GATEWAY_CLIENT_MODES.PROBE) logDebug(msg);

17
src/gateway/server-methods/devices.ts
View File

@@ -19,7 +19,9 @@ import {
} from "../protocol/index.js";
import type { GatewayRequestHandlers } from "./types.js";
function redactPairedDevice(device: { tokens?: Record<string, DeviceAuthToken> } & Record<string, unknown>) {
function redactPairedDevice(
device: { tokens?: Record<string, DeviceAuthToken> } & Record<string, unknown>,
) {
const { tokens, ...rest } = device;
return {
...rest,
@@ -72,6 +74,9 @@ export const deviceHandlers: GatewayRequestHandlers = {
respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown requestId"));
return;
}
context.logGateway.info(
`device pairing approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`,
);
context.broadcast(
"device.pair.resolved",
{
@@ -79,7 +84,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
deviceId: approved.device.deviceId,
decision: "approved",
ts: Date.now(),
},
},
{ dropIfSlow: true },
);
respond(true, { requestId, device: redactPairedDevice(approved.device) }, undefined);
@@ -116,7 +121,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
);
respond(true, rejected, undefined);
},
"device.token.rotate": async ({ params, respond }) => {
"device.token.rotate": async ({ params, respond, context }) => {
if (!validateDeviceTokenRotateParams(params)) {
respond(
false,
@@ -140,6 +145,9 @@ export const deviceHandlers: GatewayRequestHandlers = {
respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown deviceId/role"));
return;
}
context.logGateway.info(
`device token rotated device=${deviceId} role=${entry.role} scopes=${entry.scopes.join(",")}`,
);
respond(
true,
{
@@ -152,7 +160,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
undefined,
);
},
"device.token.revoke": async ({ params, respond }) => {
"device.token.revoke": async ({ params, respond, context }) => {
if (!validateDeviceTokenRevokeParams(params)) {
respond(
false,
@@ -172,6 +180,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown deviceId/role"));
return;
}
context.logGateway.info(`device token revoked device=${deviceId} role=${entry.role}`);
respond(
true,
{ deviceId, role: entry.role, revokedAtMs: entry.revokedAtMs ?? Date.now() },

5
src/gateway/server-methods/types.ts
View File

@@ -8,6 +8,9 @@ import type { NodeRegistry } from "../node-registry.js";
import type { ConnectParams, ErrorShape, RequestFrame } from "../protocol/index.js";
import type { ChannelRuntimeSnapshot } from "../server-channels.js";
import type { DedupeEntry } from "../server-shared.js";
import type { createSubsystemLogger } from "../../logging/subsystem.js";
type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;
export type GatewayClient = {
connect: ConnectParams;
@@ -28,7 +31,7 @@ export type GatewayRequestContext = {
getHealthCache: () => HealthSummary | null;
refreshHealthSnapshot: (opts?: { probe?: boolean }) => Promise<HealthSummary>;
logHealth: { error: (message: string) => void };
logGateway: { warn: (message: string) => void };
logGateway: SubsystemLogger;
incrementPresenceVersion: () => number;
getHealthVersion: () => number;
broadcast: (

3
src/gateway/server/ws-connection/message-handler.ts
View File

@@ -487,6 +487,9 @@ export function attachGatewayWsMessageHandler(params: {
if (pairing.request.silent === true) {
const approved = await approveDevicePairing(pairing.request.requestId);
if (approved) {
logGateway.info(
`device pairing auto-approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`,
);
context.broadcast(
"device.pair.resolved",
{

19
src/infra/device-auth-store.ts
View File

@@ -102,3 +102,22 @@ export function storeDeviceAuthToken(params: {
writeStore(filePath, next);
return entry;
}
export function clearDeviceAuthToken(params: {
deviceId: string;
role: string;
env?: NodeJS.ProcessEnv;
}): void {
const filePath = resolveDeviceAuthPath(params.env);
const store = readStore(filePath);
if (!store || store.deviceId !== params.deviceId) return;
const role = normalizeRole(params.role);
if (!store.tokens[role]) return;
const next: DeviceAuthStore = {
version: 1,
deviceId: store.deviceId,
tokens: { ...store.tokens },
};
delete next.tokens[role];
writeStore(filePath, next);
}