Files
openclaw/src/shared/device-auth.ts
Peter Steinberger 85beee613c docs: clarify inline code comments
Comment-only follow-up documenting reusable gateway, auth, proxy, device, Talk, session, and agent helper contracts.\n\nVerification: git diff --check plus targeted tests recorded in PR body.
2026-05-31 14:37:41 +01:00

45 lines
1.2 KiB
TypeScript

/** Stored bearer token metadata for one authorized device role. */
export type DeviceAuthEntry = {
token: string;
role: string;
scopes: string[];
updatedAtMs: number;
};
/** Versioned on-disk device-auth cache for a gateway device identity. */
export type DeviceAuthStore = {
version: 1;
deviceId: string;
tokens: Record<string, DeviceAuthEntry>;
};
/** Normalize a device-auth role id without changing its case or namespace. */
export function normalizeDeviceAuthRole(role: string): string {
return role.trim();
}
/** Normalize device-auth scopes, dedupe/sort them, and include implied operator scopes. */
export function normalizeDeviceAuthScopes(scopes: readonly unknown[] | undefined): string[] {
if (!Array.isArray(scopes)) {
return [];
}
const out = new Set<string>();
for (const scope of scopes) {
if (typeof scope !== "string") {
continue;
}
const trimmed = scope.trim();
if (trimmed) {
out.add(trimmed);
}
}
// Operator scope implication keeps older approval checks working with broader grants.
if (out.has("operator.admin")) {
out.add("operator.read");
out.add("operator.write");
} else if (out.has("operator.write")) {
out.add("operator.read");
}
return [...out].toSorted();
}