refactor: shrink sdk helper surfaces

2026-05-02 03:40:20 +00:00 · 2026-03-20 15:43:14 +00:00
parent ba1bb8505f
commit f6948ce405
39 changed files with 297 additions and 255 deletions
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -91,7 +91,6 @@ export {
  parseOptionalDelimitedEntries,
 } from "../channels/plugins/helpers.js";
 export { getChatChannelMeta } from "../channels/registry.js";
-export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
 export {
  channelTargetSchema,
  channelTargetsSchema,
--- a/src/plugin-sdk/device-bootstrap.ts
+++ b/src/plugin-sdk/device-bootstrap.ts
@@ -0,0 +1,4 @@
+// Shared bootstrap/pairing helpers for plugins that provision remote devices.
+
+export { approveDevicePairing, listDevicePairing } from "../infra/device-pairing.js";
+export { issueDeviceBootstrapToken } from "../infra/device-bootstrap.js";
--- a/src/plugin-sdk/minimax-portal-auth.ts
+++ b/src/plugin-sdk/minimax-portal-auth.ts
@@ -1,12 +0,0 @@
-// Narrow plugin-sdk surface for MiniMax OAuth helpers used by the bundled minimax plugin.
-// Keep this list additive and scoped to MiniMax OAuth support code.
-
-export { definePluginEntry } from "./core.js";
-export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
-export type {
-  OpenClawPluginApi,
-  ProviderAuthContext,
-  ProviderCatalogContext,
-  ProviderAuthResult,
-} from "../plugins/types.js";
-export { generatePkceVerifierChallenge, toFormUrlEncoded } from "./oauth-utils.js";
--- a/src/plugin-sdk/plugin-entry.ts
+++ b/src/plugin-sdk/plugin-entry.ts
@@ -11,6 +11,7 @@ export type {
  AnyAgentTool,
  MediaUnderstandingProviderPlugin,
  OpenClawPluginApi,
+  PluginCommandContext,
  OpenClawPluginConfigSchema,
  ProviderDiscoveryContext,
  ProviderCatalogContext,
--- a/src/plugin-sdk/provider-auth.ts
+++ b/src/plugin-sdk/provider-auth.ts
@@ -5,7 +5,6 @@ export type { SecretInput } from "../config/types.secrets.js";
 export type { ProviderAuthResult } from "../plugins/types.js";
 export type { ProviderAuthContext } from "../plugins/types.js";
 export type { AuthProfileStore, OAuthCredential } from "../agents/auth-profiles/types.js";
-export { buildOauthProviderAuthResult } from "./provider-auth-result.js";

 export {
  CLAUDE_CLI_PROFILE_ID,
--- a/src/plugin-sdk/provider-oauth.ts
+++ b/src/plugin-sdk/provider-oauth.ts
@@ -0,0 +1,4 @@
+// Focused OAuth helpers for provider plugins.
+
+export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
+export { generatePkceVerifierChallenge, toFormUrlEncoded } from "./oauth-utils.js";
--- a/src/plugin-sdk/qwen-portal-auth.ts
+++ b/src/plugin-sdk/qwen-portal-auth.ts
@@ -1,14 +0,0 @@
-// Narrow plugin-sdk surface for the bundled qwen-portal-auth plugin.
-// Keep this list additive and scoped to symbols used under extensions/qwen-portal-auth.
-
-export { definePluginEntry } from "./core.js";
-export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
-export type {
-  OpenClawPluginApi,
-  ProviderAuthContext,
-  ProviderCatalogContext,
-} from "../plugins/types.js";
-export { ensureAuthProfileStore, listProfilesForProvider } from "../agents/auth-profiles.js";
-export { QWEN_OAUTH_MARKER } from "../agents/model-auth-markers.js";
-export { refreshQwenPortalCredentials } from "../providers/qwen-portal-oauth.js";
-export { generatePkceVerifierChallenge, toFormUrlEncoded } from "./oauth-utils.js";
--- a/src/plugin-sdk/subpaths.test.ts
+++ b/src/plugin-sdk/subpaths.test.ts
@@ -16,7 +16,9 @@ import * as imessageSdk from "openclaw/plugin-sdk/imessage";
 import * as imessageCoreSdk from "openclaw/plugin-sdk/imessage-core";
 import * as lazyRuntimeSdk from "openclaw/plugin-sdk/lazy-runtime";
 import * as ollamaSetupSdk from "openclaw/plugin-sdk/ollama-setup";
+import * as providerAuthSdk from "openclaw/plugin-sdk/provider-auth";
 import * as providerModelsSdk from "openclaw/plugin-sdk/provider-models";
+import * as providerOauthSdk from "openclaw/plugin-sdk/provider-oauth";
 import * as providerSetupSdk from "openclaw/plugin-sdk/provider-setup";
 import * as replyPayloadSdk from "openclaw/plugin-sdk/reply-payload";
 import * as routingSdk from "openclaw/plugin-sdk/routing";
@@ -56,10 +58,17 @@ const allowlistEditSdk = await import("openclaw/plugin-sdk/allowlist-config-edit

 describe("plugin-sdk subpath exports", () => {
  it("keeps the curated public list free of internal implementation subpaths", () => {
+    expect(pluginSdkSubpaths).not.toContain("acpx");
    expect(pluginSdkSubpaths).not.toContain("compat");
+    expect(pluginSdkSubpaths).not.toContain("device-pair");
+    expect(pluginSdkSubpaths).not.toContain("google");
+    expect(pluginSdkSubpaths).not.toContain("lobster");
    expect(pluginSdkSubpaths).not.toContain("pairing-access");
+    expect(pluginSdkSubpaths).not.toContain("qwen-portal-auth");
    expect(pluginSdkSubpaths).not.toContain("reply-prefix");
+    expect(pluginSdkSubpaths).not.toContain("synology-chat");
    expect(pluginSdkSubpaths).not.toContain("typing");
+    expect(pluginSdkSubpaths).not.toContain("zai");
    expect(pluginSdkSubpaths).not.toContain("provider-model-definitions");
  });

@@ -91,6 +100,13 @@ describe("plugin-sdk subpath exports", () => {
    expect(typeof accountHelpersSdk.createAccountListHelpers).toBe("function");
  });

+  it("exports device bootstrap helpers from the dedicated subpath", async () => {
+    const deviceBootstrapSdk = await import("openclaw/plugin-sdk/device-bootstrap");
+    expect(typeof deviceBootstrapSdk.approveDevicePairing).toBe("function");
+    expect(typeof deviceBootstrapSdk.issueDeviceBootstrapToken).toBe("function");
+    expect(typeof deviceBootstrapSdk.listDevicePairing).toBe("function");
+  });
+
  it("exports allowlist edit helpers from the dedicated subpath", () => {
    expect(typeof allowlistEditSdk.buildDmGroupAccountAllowlistAdapter).toBe("function");
    expect(typeof allowlistEditSdk.createNestedAllowlistOverrideResolver).toBe("function");
@@ -139,6 +155,14 @@ describe("plugin-sdk subpath exports", () => {
    expect(typeof providerSetupSdk.discoverOpenAICompatibleSelfHostedProvider).toBe("function");
  });

+  it("exports oauth helpers from the dedicated provider oauth subpath", () => {
+    expect(typeof providerOauthSdk.buildOauthProviderAuthResult).toBe("function");
+    expect(typeof providerOauthSdk.generatePkceVerifierChallenge).toBe("function");
+    expect(typeof providerOauthSdk.toFormUrlEncoded).toBe("function");
+    expect("buildOauthProviderAuthResult" in asExports(coreSdk)).toBe(false);
+    expect("buildOauthProviderAuthResult" in asExports(providerAuthSdk)).toBe(false);
+  });
+
  it("keeps provider models focused on shared provider primitives", () => {
    expect(typeof providerModelsSdk.applyOpenAIConfig).toBe("function");
    expect(typeof providerModelsSdk.buildKilocodeModelDefinition).toBe("function");
@@ -187,8 +211,11 @@ describe("plugin-sdk subpath exports", () => {
  });

  it("exports webhook ingress helpers from the dedicated subpath", () => {
+    expect(typeof webhookIngressSdk.registerPluginHttpRoute).toBe("function");
    expect(typeof webhookIngressSdk.resolveWebhookPath).toBe("function");
+    expect(typeof webhookIngressSdk.readRequestBodyWithLimit).toBe("function");
    expect(typeof webhookIngressSdk.readJsonWebhookBodyOrReject).toBe("function");
+    expect(typeof webhookIngressSdk.requestBodyErrorToText).toBe("function");
    expect(typeof webhookIngressSdk.withResolvedWebhookRequestPipeline).toBe("function");
  });

--- a/src/plugin-sdk/webhook-ingress.ts
+++ b/src/plugin-sdk/webhook-ingress.ts
@@ -14,14 +14,18 @@ export {
  beginWebhookRequestPipelineOrReject,
  createWebhookInFlightLimiter,
  isJsonContentType,
+  isRequestBodyLimitError,
+  readRequestBodyWithLimit,
  readJsonWebhookBodyOrReject,
  readWebhookBodyOrReject,
+  requestBodyErrorToText,
  WEBHOOK_BODY_READ_DEFAULTS,
  WEBHOOK_IN_FLIGHT_DEFAULTS,
  type WebhookBodyReadProfile,
  type WebhookInFlightLimiter,
 } from "./webhook-request-guards.js";
 export {
+  registerPluginHttpRoute,
  registerWebhookTarget,
  registerWebhookTargetWithPluginRoute,
  resolveSingleWebhookTarget,
--- a/src/plugin-sdk/webhook-request-guards.ts
+++ b/src/plugin-sdk/webhook-request-guards.ts
@@ -10,6 +10,12 @@ import type { FixedWindowRateLimiter } from "./webhook-memory-guards.js";

 export type WebhookBodyReadProfile = "pre-auth" | "post-auth";

+export {
+  isRequestBodyLimitError,
+  readRequestBodyWithLimit,
+  requestBodyErrorToText,
+} from "../infra/http-body.js";
+
 export const WEBHOOK_BODY_READ_DEFAULTS = Object.freeze({
  preAuth: {
    maxBytes: 64 * 1024,
--- a/src/plugin-sdk/webhook-targets.ts
+++ b/src/plugin-sdk/webhook-targets.ts
@@ -19,6 +19,8 @@ export type RegisterWebhookTargetOptions<T extends { path: string }> = {

 type RegisterPluginHttpRouteParams = Parameters<typeof registerPluginHttpRoute>[0];

+export { registerPluginHttpRoute };
+
 export type RegisterWebhookPluginRouteOptions = Omit<
  RegisterPluginHttpRouteParams,
  "path" | "fallbackPath"
--- a/src/plugins/contracts/runtime.contract.test.ts
+++ b/src/plugins/contracts/runtime.contract.test.ts
@@ -23,8 +23,8 @@ vi.mock("@mariozechner/pi-ai/oauth", async () => {
  };
 });

-vi.mock("../../plugin-sdk/qwen-portal-auth.js", async () => {
-  const actual = await vi.importActual<object>("../../plugin-sdk/qwen-portal-auth.js");
+vi.mock("../../../extensions/qwen-portal-auth/refresh.js", async () => {
+  const actual = await vi.importActual<object>("../../../extensions/qwen-portal-auth/refresh.js");
  return {
    ...actual,
    refreshQwenPortalCredentials: refreshQwenPortalCredentialsMock,
--- a/src/providers/qwen-portal-oauth.test.ts
+++ b/src/providers/qwen-portal-oauth.test.ts
@@ -1,140 +0,0 @@
-import { describe, expect, it, vi, afterEach } from "vitest";
-import { refreshQwenPortalCredentials } from "./qwen-portal-oauth.js";
-
-const originalFetch = globalThis.fetch;
-
-afterEach(() => {
-  vi.unstubAllGlobals();
-  globalThis.fetch = originalFetch;
-});
-
-describe("refreshQwenPortalCredentials", () => {
-  const expiredCredentials = () => ({
-    access: "old-access",
-    refresh: "old-refresh",
-    expires: Date.now() - 1000,
-  });
-
-  const runRefresh = async () => await refreshQwenPortalCredentials(expiredCredentials());
-
-  const stubFetchResponse = (response: unknown) => {
-    const fetchSpy = vi.fn().mockResolvedValue(response);
-    vi.stubGlobal("fetch", fetchSpy);
-    return fetchSpy;
-  };
-
-  it("refreshes tokens with a new access token", async () => {
-    const fetchSpy = stubFetchResponse({
-      ok: true,
-      status: 200,
-      json: async () => ({
-        access_token: "new-access",
-        refresh_token: "new-refresh",
-        expires_in: 3600,
-      }),
-    });
-
-    const result = await runRefresh();
-
-    expect(fetchSpy).toHaveBeenCalledWith(
-      "https://chat.qwen.ai/api/v1/oauth2/token",
-      expect.objectContaining({
-        method: "POST",
-      }),
-    );
-    expect(result.access).toBe("new-access");
-    expect(result.refresh).toBe("new-refresh");
-    expect(result.expires).toBeGreaterThan(Date.now());
-  });
-
-  it("keeps refresh token when refresh response omits it", async () => {
-    stubFetchResponse({
-      ok: true,
-      status: 200,
-      json: async () => ({
-        access_token: "new-access",
-        expires_in: 1800,
-      }),
-    });
-
-    const result = await runRefresh();
-
-    expect(result.refresh).toBe("old-refresh");
-  });
-
-  it("keeps refresh token when response sends an empty refresh token", async () => {
-    stubFetchResponse({
-      ok: true,
-      status: 200,
-      json: async () => ({
-        access_token: "new-access",
-        refresh_token: "",
-        expires_in: 1800,
-      }),
-    });
-
-    const result = await runRefresh();
-
-    expect(result.refresh).toBe("old-refresh");
-  });
-
-  it("errors when refresh response has invalid expires_in", async () => {
-    stubFetchResponse({
-      ok: true,
-      status: 200,
-      json: async () => ({
-        access_token: "new-access",
-        refresh_token: "new-refresh",
-        expires_in: 0,
-      }),
-    });
-
-    await expect(runRefresh()).rejects.toThrow(
-      "Qwen OAuth refresh response missing or invalid expires_in",
-    );
-  });
-
-  it("errors when refresh token is invalid", async () => {
-    stubFetchResponse({
-      ok: false,
-      status: 400,
-      text: async () => "invalid_grant",
-    });
-
-    await expect(runRefresh()).rejects.toThrow("Qwen OAuth refresh token expired or invalid");
-  });
-
-  it("errors when refresh token is missing before any request", async () => {
-    await expect(
-      refreshQwenPortalCredentials({
-        access: "old-access",
-        refresh: "   ",
-        expires: Date.now() - 1000,
-      }),
-    ).rejects.toThrow("Qwen OAuth refresh token missing");
-  });
-
-  it("errors when refresh response omits access token", async () => {
-    stubFetchResponse({
-      ok: true,
-      status: 200,
-      json: async () => ({
-        refresh_token: "new-refresh",
-        expires_in: 1800,
-      }),
-    });
-
-    await expect(runRefresh()).rejects.toThrow("Qwen OAuth refresh response missing access token");
-  });
-
-  it("errors with server payload text for non-400 status", async () => {
-    stubFetchResponse({
-      ok: false,
-      status: 500,
-      statusText: "Server Error",
-      text: async () => "gateway down",
-    });
-
-    await expect(runRefresh()).rejects.toThrow("Qwen OAuth refresh failed: gateway down");
-  });
-});
--- a/src/providers/qwen-portal-oauth.ts
+++ b/src/providers/qwen-portal-oauth.ts
@@ -1,62 +0,0 @@
-import type { OAuthCredentials } from "@mariozechner/pi-ai";
-import { formatCliCommand } from "../cli/command-format.js";
-
-const QWEN_OAUTH_BASE_URL = "https://chat.qwen.ai";
-const QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
-const QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
-
-export async function refreshQwenPortalCredentials(
-  credentials: OAuthCredentials,
-): Promise<OAuthCredentials> {
-  const refreshToken = credentials.refresh?.trim();
-  if (!refreshToken) {
-    throw new Error("Qwen OAuth refresh token missing; re-authenticate.");
-  }
-
-  const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json",
-    },
-    body: new URLSearchParams({
-      grant_type: "refresh_token",
-      refresh_token: refreshToken,
-      client_id: QWEN_OAUTH_CLIENT_ID,
-    }),
-  });
-
-  if (!response.ok) {
-    const text = await response.text();
-    if (response.status === 400) {
-      throw new Error(
-        `Qwen OAuth refresh token expired or invalid. Re-authenticate with \`${formatCliCommand("openclaw models auth login --provider qwen-portal")}\`.`,
-      );
-    }
-    throw new Error(`Qwen OAuth refresh failed: ${text || response.statusText}`);
-  }
-
-  const payload = (await response.json()) as {
-    access_token?: string;
-    refresh_token?: string;
-    expires_in?: number;
-  };
-  const accessToken = payload.access_token?.trim();
-  const newRefreshToken = payload.refresh_token?.trim();
-  const expiresIn = payload.expires_in;
-
-  if (!accessToken) {
-    throw new Error("Qwen OAuth refresh response missing access token.");
-  }
-  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
-    throw new Error("Qwen OAuth refresh response missing or invalid expires_in.");
-  }
-
-  return {
-    ...credentials,
-    access: accessToken,
-    // RFC 6749 section 6: new refresh token is optional; if present, replace old.
-    refresh: newRefreshToken || refreshToken,
-    expires: Date.now() + expiresIn * 1000,
-  };
-}