Fix: always load flat secret as primary regardless of labeled secrets
This commit is contained in:
daniel
@@ -98,8 +98,8 @@ def _load_all_creds(actor_id: str) -> dict[str, Credentials]:
|
||||
except Exception as e:
|
||||
print(f'[google] list_secrets failed: {e}')
|
||||
|
||||
# Backward compat: flat secret path
|
||||
if not result:
|
||||
# Always include flat secret as 'primary' if not already in result
|
||||
if 'primary' not in result:
|
||||
flat = f'agent-claw/google-credentials/{safe}'
|
||||
try:
|
||||
result['primary'] = _load_creds_from_secret(flat)
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -16,31 +16,31 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"4f645198a38249aec43db7c3d289ab4896fad437f79e8cfe1ff77fc2e788167c": {
|
||||
"647684a0ff5a7a3df590aa5532173310dace910d7081be6f3a642f7e81dabc06": {
|
||||
"displayName": "AgentRunner/Code",
|
||||
"source": {
|
||||
"path": "asset.4f645198a38249aec43db7c3d289ab4896fad437f79e8cfe1ff77fc2e788167c",
|
||||
"path": "asset.647684a0ff5a7a3df590aa5532173310dace910d7081be6f3a642f7e81dabc06",
|
||||
"packaging": "zip"
|
||||
},
|
||||
"destinations": {
|
||||
"495395224548-us-east-1-2618668f": {
|
||||
"495395224548-us-east-1-0a4f0d3c": {
|
||||
"bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
|
||||
"objectKey": "4f645198a38249aec43db7c3d289ab4896fad437f79e8cfe1ff77fc2e788167c.zip",
|
||||
"objectKey": "647684a0ff5a7a3df590aa5532173310dace910d7081be6f3a642f7e81dabc06.zip",
|
||||
"region": "us-east-1",
|
||||
"assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
|
||||
}
|
||||
}
|
||||
},
|
||||
"b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645": {
|
||||
"99aabce70089266e2352cb313d55ee18b849e39c418e8e9cd25dea8c4bf85fc4": {
|
||||
"displayName": "OAuthHandler/Code",
|
||||
"source": {
|
||||
"path": "asset.b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645",
|
||||
"path": "asset.99aabce70089266e2352cb313d55ee18b849e39c418e8e9cd25dea8c4bf85fc4",
|
||||
"packaging": "zip"
|
||||
},
|
||||
"destinations": {
|
||||
"495395224548-us-east-1-d4c72dd0": {
|
||||
"495395224548-us-east-1-793899ae": {
|
||||
"bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
|
||||
"objectKey": "b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645.zip",
|
||||
"objectKey": "99aabce70089266e2352cb313d55ee18b849e39c418e8e9cd25dea8c4bf85fc4.zip",
|
||||
"region": "us-east-1",
|
||||
"assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
|
||||
}
|
||||
@@ -76,16 +76,16 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"f5e50400defa8e717f9f7ae32453df078f55bafc76973f390e22e14616b1eea0": {
|
||||
"bf77d8fb57b225c495e242bd05bd7658713d3e0e810a6701955397f14f68d7e5": {
|
||||
"displayName": "AgentClawStack Template",
|
||||
"source": {
|
||||
"path": "AgentClawStack.template.json",
|
||||
"packaging": "file"
|
||||
},
|
||||
"destinations": {
|
||||
"495395224548-us-east-1-c8fd47dc": {
|
||||
"495395224548-us-east-1-755d45c4": {
|
||||
"bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
|
||||
"objectKey": "f5e50400defa8e717f9f7ae32453df078f55bafc76973f390e22e14616b1eea0.json",
|
||||
"objectKey": "bf77d8fb57b225c495e242bd05bd7658713d3e0e810a6701955397f14f68d7e5.json",
|
||||
"region": "us-east-1",
|
||||
"assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
|
||||
}
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:373:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:378:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -46,7 +46,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:377:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:382:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -60,7 +60,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:381:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:386:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -74,7 +74,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:386:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:391:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -88,7 +88,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:391:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:396:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -102,7 +102,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:396:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:401:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -116,7 +116,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:401:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:406:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -130,7 +130,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:406:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:411:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -144,7 +144,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:411:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:416:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -158,7 +158,7 @@
|
||||
{
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:416:5)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:421:5)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -304,7 +304,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:238:28)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:243:28)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -319,7 +319,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:309:31)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:314:31)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -334,7 +334,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Rule2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:325:27)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:330:27)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -349,7 +349,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:329:19)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:334:19)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -364,7 +364,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:332:25)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:337:25)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -379,7 +379,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...WrappedClass.addPermission in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:345:17)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:350:17)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -503,7 +503,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:274:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:279:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -520,7 +520,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:274:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:279:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -537,7 +537,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:281:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:286:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -554,7 +554,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:281:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:286:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -571,7 +571,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:290:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:295:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -588,7 +588,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:290:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:295:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -633,7 +633,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:238:28)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:243:28)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -648,7 +648,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:309:31)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:314:31)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -663,7 +663,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...new Function2 in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:332:25)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:337:25)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -727,7 +727,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:274:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:279:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -744,7 +744,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:281:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:286:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -761,7 +761,7 @@
|
||||
".../Users/daniel/agent-claw/cdk/node_modules/aws-cdk-lib/aws-apigatewayv2/lib/http/api.js:1:96 in aws-cdk-lib...",
|
||||
"Array.map (:)",
|
||||
"...WrappedClass.<anonymous> in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:290:13)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:295:13)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -776,7 +776,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...environmentFromArn.grantRead in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:253:29)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:258:29)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -791,7 +791,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...WrappedClass.grantSendMessages in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:321:18)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:326:18)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
@@ -806,7 +806,7 @@
|
||||
"type": "aws:cdk:creationStack",
|
||||
"data": [
|
||||
"...environmentFromArn.grantRead in aws-cdk-lib...",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:343:20)",
|
||||
"new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:348:20)",
|
||||
"<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
|
||||
"...node internals, ts-node, ts-node, ts-node..."
|
||||
]
|
||||
|
||||
@@ -387,7 +387,7 @@
|
||||
"Properties": {
|
||||
"Code": {
|
||||
"S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1",
|
||||
"S3Key": "4f645198a38249aec43db7c3d289ab4896fad437f79e8cfe1ff77fc2e788167c.zip"
|
||||
"S3Key": "647684a0ff5a7a3df590aa5532173310dace910d7081be6f3a642f7e81dabc06.zip"
|
||||
},
|
||||
"Environment": {
|
||||
"Variables": {
|
||||
@@ -423,7 +423,7 @@
|
||||
],
|
||||
"Metadata": {
|
||||
"aws:cdk:path": "AgentClawStack/AgentRunner/Resource",
|
||||
"aws:asset:path": "asset.4f645198a38249aec43db7c3d289ab4896fad437f79e8cfe1ff77fc2e788167c",
|
||||
"aws:asset:path": "asset.647684a0ff5a7a3df590aa5532173310dace910d7081be6f3a642f7e81dabc06",
|
||||
"aws:asset:is-bundled": false,
|
||||
"aws:asset:property": "Code"
|
||||
}
|
||||
@@ -949,6 +949,12 @@
|
||||
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*",
|
||||
"Sid": "PerUserGoogleCredentialsReadRuntime"
|
||||
},
|
||||
{
|
||||
"Action": "secretsmanager:ListSecrets",
|
||||
"Effect": "Allow",
|
||||
"Resource": "*",
|
||||
"Sid": "GoogleCredentialsListRuntime"
|
||||
},
|
||||
{
|
||||
"Action": [
|
||||
"events:PutRule",
|
||||
@@ -1149,7 +1155,7 @@
|
||||
"Properties": {
|
||||
"Code": {
|
||||
"S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1",
|
||||
"S3Key": "b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645.zip"
|
||||
"S3Key": "99aabce70089266e2352cb313d55ee18b849e39c418e8e9cd25dea8c4bf85fc4.zip"
|
||||
},
|
||||
"Environment": {
|
||||
"Variables": {
|
||||
@@ -1194,7 +1200,7 @@
|
||||
],
|
||||
"Metadata": {
|
||||
"aws:cdk:path": "AgentClawStack/OAuthHandler/Resource",
|
||||
"aws:asset:path": "asset.b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645",
|
||||
"aws:asset:path": "asset.99aabce70089266e2352cb313d55ee18b849e39c418e8e9cd25dea8c4bf85fc4",
|
||||
"aws:asset:is-bundled": false,
|
||||
"aws:asset:property": "Code"
|
||||
}
|
||||
|
||||
@@ -0,0 +1,272 @@
|
||||
import json
|
||||
import os
|
||||
import time
|
||||
import uuid
|
||||
import boto3
|
||||
import urllib.request
|
||||
from typing import Any
|
||||
|
||||
# AWS clients
|
||||
_ddb = None
|
||||
_agentcore = None
|
||||
|
||||
|
||||
def get_ddb():
|
||||
global _ddb
|
||||
if _ddb is None:
|
||||
_ddb = boto3.resource('dynamodb')
|
||||
return _ddb
|
||||
|
||||
|
||||
def get_agentcore():
|
||||
global _agentcore
|
||||
if _agentcore is None:
|
||||
from botocore.config import Config
|
||||
_agentcore = boto3.client(
|
||||
'bedrock-agentcore',
|
||||
region_name='us-east-1',
|
||||
config=Config(read_timeout=600, connect_timeout=10)
|
||||
)
|
||||
return _agentcore
|
||||
|
||||
|
||||
def get_or_create_user(actor_id: str, from_info: dict) -> dict:
|
||||
"""Look up user in registry, auto-registering on first contact."""
|
||||
table_name = os.environ.get('USERS_TABLE_NAME', '')
|
||||
if not table_name:
|
||||
return {'actor_id': actor_id, 'display_name': from_info.get('from_name', actor_id)}
|
||||
table = get_ddb().Table(table_name)
|
||||
response = table.get_item(Key={'actor_id': actor_id})
|
||||
item = response.get('Item')
|
||||
if item:
|
||||
return item
|
||||
now = int(time.time())
|
||||
item = {
|
||||
'actor_id': actor_id,
|
||||
'display_name': from_info.get('from_name') or actor_id,
|
||||
'telegram_username': from_info.get('from_username', ''),
|
||||
'created_at': str(now),
|
||||
'status': 'pending',
|
||||
'services': {},
|
||||
}
|
||||
table.put_item(Item=item)
|
||||
print(f'[agent-runner] Registered new user (pending): {actor_id}')
|
||||
return item
|
||||
|
||||
|
||||
def update_user_status(actor_id: str, name: str, status: str) -> None:
|
||||
table_name = os.environ.get('USERS_TABLE_NAME', '')
|
||||
if not table_name:
|
||||
return
|
||||
table = get_ddb().Table(table_name)
|
||||
table.update_item(
|
||||
Key={'actor_id': actor_id},
|
||||
UpdateExpression='SET display_name = :n, #s = :s',
|
||||
ExpressionAttributeNames={'#s': 'status'},
|
||||
ExpressionAttributeValues={':n': name, ':s': status},
|
||||
)
|
||||
|
||||
|
||||
# Per-invocation dedup: track sent message hashes to prevent AgentCore retry duplicates
|
||||
_sent_hashes: set = set()
|
||||
|
||||
|
||||
def send_telegram_direct(chat_id: str, token: str, text: str) -> None:
|
||||
import hashlib
|
||||
h = hashlib.md5(f'{chat_id}:{text}'.encode()).hexdigest()[:12]
|
||||
if h in _sent_hashes:
|
||||
print(f'[agent-runner] dedup: skipping duplicate message (hash={h})')
|
||||
return
|
||||
_sent_hashes.add(h)
|
||||
url = f'https://api.telegram.org/bot{token}/sendMessage'
|
||||
data = json.dumps({'chat_id': chat_id, 'text': text}).encode()
|
||||
req = urllib.request.Request(url, data=data, headers={'Content-Type': 'application/json'})
|
||||
try:
|
||||
resp = urllib.request.urlopen(req, timeout=10)
|
||||
resp_body = resp.read()
|
||||
import re
|
||||
msg_id = re.search(r'"message_id":(\d+)', resp_body.decode('utf-8', errors='replace'))
|
||||
print(f'[agent-runner] Telegram sendMessage -> msg_id={msg_id.group(1) if msg_id else "?"} hash={h}')
|
||||
except Exception as e:
|
||||
print(f'[agent-runner] Telegram sendMessage FAILED: {type(e).__name__}: {e} hash={h}')
|
||||
raise
|
||||
|
||||
|
||||
def get_or_create_session(actor_id: str) -> str:
|
||||
"""Look up active session for actor, or create a new one."""
|
||||
table = get_ddb().Table(os.environ['SESSION_TABLE_NAME'])
|
||||
|
||||
response = table.get_item(Key={'actor_id': actor_id})
|
||||
item = response.get('Item')
|
||||
|
||||
now = int(time.time())
|
||||
ttl_8hr = now + (8 * 3600)
|
||||
|
||||
if item and item.get('ttl', 0) > now:
|
||||
# Active session exists — extend TTL
|
||||
table.update_item(
|
||||
Key={'actor_id': actor_id},
|
||||
UpdateExpression='SET #ttl = :ttl',
|
||||
ExpressionAttributeNames={'#ttl': 'ttl'},
|
||||
ExpressionAttributeValues={':ttl': ttl_8hr},
|
||||
)
|
||||
return item['session_id']
|
||||
|
||||
# Create new session
|
||||
session_id = str(uuid.uuid4())
|
||||
table.put_item(Item={
|
||||
'actor_id': actor_id,
|
||||
'session_id': session_id,
|
||||
'created_at': str(now),
|
||||
'ttl': ttl_8hr,
|
||||
})
|
||||
return session_id
|
||||
|
||||
|
||||
def handler(event, context):
|
||||
# ── Parse SQS records (FIFO — all from same actor) ───────────────────
|
||||
records = []
|
||||
for record in event.get('Records', []):
|
||||
try:
|
||||
records.append(json.loads(record['body']))
|
||||
except (json.JSONDecodeError, KeyError):
|
||||
continue
|
||||
|
||||
if not records:
|
||||
return
|
||||
|
||||
first = records[0]
|
||||
channel = first.get('channel', 'telegram')
|
||||
chat_id = first.get('chat_id', '')
|
||||
actor_id = f"{channel}:{chat_id}"
|
||||
|
||||
# ── User registry ─────────────────────────────────────────────────────
|
||||
from_info = first.get('messages', [{}])[0]
|
||||
user_profile = get_or_create_user(actor_id, from_info)
|
||||
|
||||
# ── Onboarding gate ─────────────────────────────────────────────────────
|
||||
table_name = os.environ.get('USERS_TABLE_NAME', '')
|
||||
if table_name and user_profile.get('status', 'active') == 'pending':
|
||||
raw_prompt = records[0]['messages'][0]['text'] if records else ''
|
||||
is_name_msg = bool(raw_prompt and len(raw_prompt.strip()) < 50 and '?' not in raw_prompt)
|
||||
if is_name_msg:
|
||||
name = raw_prompt.strip()
|
||||
update_user_status(actor_id, name=name, status='active')
|
||||
user_profile['display_name'] = name
|
||||
user_profile['status'] = 'active'
|
||||
prompt = f"[System: User just registered with name '{name}'. Welcome them warmly and ask how you can help.]"
|
||||
else:
|
||||
bot_token_secret_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
|
||||
bot_token = ''
|
||||
if bot_token_secret_arn:
|
||||
sm = boto3.client('secretsmanager', region_name='us-east-1')
|
||||
bot_token = sm.get_secret_value(SecretId=bot_token_secret_arn)['SecretString']
|
||||
send_telegram_direct(chat_id, bot_token, "Hi! I don't recognize you yet. What's your name?")
|
||||
return
|
||||
# ── Get or create AgentCore session ──────────────────────────────────
|
||||
session_id = get_or_create_session(actor_id)
|
||||
print(f"[agent-runner] actor={actor_id} session={session_id} user={user_profile.get('display_name', '')}")
|
||||
|
||||
# ── Bundle messages ───────────────────────────────────────────────────
|
||||
if len(records) == 1:
|
||||
prompt = records[0]['messages'][0]['text']
|
||||
else:
|
||||
lines = [
|
||||
f"[{i+1}] {r['messages'][0]['text']}"
|
||||
for i, r in enumerate(records)
|
||||
]
|
||||
prompt = f"You have {len(records)} queued messages:\n" + "\n".join(lines)
|
||||
|
||||
# ── Build payload for AgentCore Runtime 1 ────────────────────────────
|
||||
payload: dict[str, Any] = {
|
||||
'prompt': prompt,
|
||||
'actor_id': actor_id,
|
||||
'session_id': session_id,
|
||||
'user_profile': {
|
||||
'display_name': user_profile.get('display_name', actor_id),
|
||||
'telegram_username': user_profile.get('telegram_username', ''),
|
||||
'google_accounts': user_profile.get('google_accounts', {'primary': user_profile['google_email']} if user_profile.get('google_email') else {}),
|
||||
'allowed': user_profile.get('allowed', True),
|
||||
'services': user_profile.get('enrolled_services', user_profile.get('services', {})),
|
||||
},
|
||||
'channel_adapter': {
|
||||
'type': channel,
|
||||
'target_id': str(chat_id),
|
||||
'bot_token_secret_arn': os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', ''),
|
||||
},
|
||||
}
|
||||
|
||||
# ── Invoke AgentCore Runtime 1 ────────────────────────────────────────
|
||||
runtime_arn = os.environ.get('RUNTIME_1_ARN', '')
|
||||
if not runtime_arn or runtime_arn == 'PLACEHOLDER_SET_AFTER_RUNTIME_DEPLOY':
|
||||
print(f"[agent-runner] RUNTIME_1_ARN not set — skipping AgentCore invoke")
|
||||
print(f"[agent-runner] Would have sent: {json.dumps(payload)[:200]}")
|
||||
return
|
||||
|
||||
client = get_agentcore()
|
||||
response = client.invoke_agent_runtime(
|
||||
agentRuntimeArn=runtime_arn,
|
||||
runtimeSessionId=session_id,
|
||||
payload=json.dumps(payload).encode(),
|
||||
)
|
||||
|
||||
# Process streaming response: buffer text chunks and send to Telegram as paragraphs arrive
|
||||
bot_token = ''
|
||||
bot_token_secret_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
|
||||
if bot_token_secret_arn:
|
||||
sm = boto3.client('secretsmanager', region_name='us-east-1')
|
||||
try:
|
||||
bot_token = sm.get_secret_value(SecretId=bot_token_secret_arn)['SecretString']
|
||||
except Exception as e:
|
||||
print(f'[agent-runner] Failed to get bot token: {e}')
|
||||
|
||||
body = response.get('response')
|
||||
text_buffer = ''
|
||||
leftover = ''
|
||||
if body is not None:
|
||||
for raw_chunk in body.iter_chunks():
|
||||
if not raw_chunk:
|
||||
continue
|
||||
# AgentCore streams SSE format: "data: {...}\n\n"
|
||||
text = leftover + raw_chunk.decode('utf-8', errors='replace')
|
||||
parts = text.split('\n\n')
|
||||
leftover = parts[-1]
|
||||
for part in parts[:-1]:
|
||||
for line in part.splitlines():
|
||||
if not line.startswith('data: '):
|
||||
continue
|
||||
data = line[6:].strip()
|
||||
if not data or data == '[DONE]':
|
||||
continue
|
||||
try:
|
||||
event = json.loads(data)
|
||||
except (json.JSONDecodeError, ValueError):
|
||||
continue
|
||||
if not isinstance(event, dict):
|
||||
continue
|
||||
# Extract text delta from contentBlockDelta ONLY
|
||||
# Do NOT use event.get('data') — that's the full formatted summary,
|
||||
# causing duplicate delivery alongside the token stream.
|
||||
delta = event.get('event', {}).get('contentBlockDelta', {}).get('delta', {})
|
||||
if not isinstance(delta, dict):
|
||||
continue
|
||||
token = delta.get('text', '')
|
||||
if token:
|
||||
text_buffer += token
|
||||
# Only flush if buffer is very large — prevents splitting multi-turn responses
|
||||
if len(text_buffer) > 1200:
|
||||
print(f'[agent-runner] send chunk {len(text_buffer)}c to {chat_id}')
|
||||
send_telegram_direct(str(chat_id), bot_token, text_buffer.strip())
|
||||
text_buffer = ''
|
||||
|
||||
# Flush any remaining text
|
||||
print(f'[agent-runner] stream done buffer={len(text_buffer)} bot_token_set={bool(bot_token)}')
|
||||
if text_buffer.strip() and bot_token:
|
||||
# Suppress heartbeat OK responses
|
||||
if text_buffer.strip().upper().startswith('HEARTBEAT_OK'):
|
||||
print(f'[agent-runner] heartbeat suppressed for {actor_id}')
|
||||
return
|
||||
print(f'[agent-runner] flushing {len(text_buffer)}c to {chat_id}')
|
||||
send_telegram_direct(str(chat_id), bot_token, text_buffer.strip())
|
||||
|
||||
print(f"[agent-runner] Completed session={session_id} actor={actor_id}")
|
||||
@@ -0,0 +1 @@
|
||||
boto3>=1.34.0
|
||||
@@ -0,0 +1,244 @@
|
||||
"""
|
||||
Google OAuth handler Lambda.
|
||||
|
||||
Routes:
|
||||
GET /oauth/start?actor_id=telegram:123&label=work → redirect to Google OAuth consent
|
||||
GET /oauth/callback?code=...&state=... → exchange code, store tokens, update DynamoDB
|
||||
"""
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import time
|
||||
import urllib.parse
|
||||
import urllib.request
|
||||
|
||||
import boto3
|
||||
|
||||
_sm = None
|
||||
_ddb = None
|
||||
|
||||
SCOPES = ' '.join([
|
||||
'https://www.googleapis.com/auth/gmail.modify',
|
||||
'https://www.googleapis.com/auth/calendar',
|
||||
'https://www.googleapis.com/auth/drive',
|
||||
'https://www.googleapis.com/auth/spreadsheets',
|
||||
'https://www.googleapis.com/auth/documents',
|
||||
'openid',
|
||||
'email',
|
||||
'profile',
|
||||
])
|
||||
|
||||
|
||||
def get_sm():
|
||||
global _sm
|
||||
if _sm is None:
|
||||
_sm = boto3.client('secretsmanager', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
|
||||
return _sm
|
||||
|
||||
|
||||
def get_ddb():
|
||||
global _ddb
|
||||
if _ddb is None:
|
||||
_ddb = boto3.resource('dynamodb')
|
||||
return _ddb
|
||||
|
||||
|
||||
def get_oauth_client() -> tuple[str, str]:
|
||||
"""Return (client_id, client_secret) from Secrets Manager."""
|
||||
arn = os.environ['GOOGLE_OAUTH_CLIENT_SECRET_ARN']
|
||||
secret = json.loads(get_sm().get_secret_value(SecretId=arn)['SecretString'])
|
||||
return secret['client_id'], secret['client_secret']
|
||||
|
||||
|
||||
def actor_id_to_secret_name(actor_id: str, label: str = 'primary') -> str:
|
||||
safe = actor_id.replace(':', '-').replace('/', '-')
|
||||
return f'agent-claw/google-credentials/{safe}/{label}'
|
||||
|
||||
|
||||
def _redirect(url: str) -> dict:
|
||||
return {'statusCode': 302, 'headers': {'Location': url}, 'body': ''}
|
||||
|
||||
|
||||
def _html(body: str, status: int = 200) -> dict:
|
||||
return {'statusCode': status, 'headers': {'Content-Type': 'text/html'}, 'body': body}
|
||||
|
||||
|
||||
def handler(event, context):
|
||||
path = event.get('rawPath') or event.get('path', '')
|
||||
params = event.get('queryStringParameters') or {}
|
||||
|
||||
if path.endswith('/oauth/start'):
|
||||
return handle_start(params)
|
||||
elif path.endswith('/oauth/callback'):
|
||||
return handle_callback(params)
|
||||
else:
|
||||
return {'statusCode': 404, 'body': 'Not found'}
|
||||
|
||||
|
||||
def handle_start(params: dict) -> dict:
|
||||
actor_id = params.get('actor_id', '')
|
||||
if not actor_id:
|
||||
return _html('<h1>Missing actor_id</h1>', 400)
|
||||
|
||||
label = params.get('label', 'primary')
|
||||
|
||||
client_id, _ = get_oauth_client()
|
||||
redirect_uri = os.environ['OAUTH_REDIRECT_URI']
|
||||
|
||||
# Encode actor_id + label in state (JSON → base64)
|
||||
state_data = json.dumps({'a': actor_id, 'l': label})
|
||||
state = base64.urlsafe_b64encode(state_data.encode()).decode().rstrip('=')
|
||||
|
||||
auth_url = (
|
||||
'https://accounts.google.com/o/oauth2/v2/auth?'
|
||||
+ urllib.parse.urlencode({
|
||||
'client_id': client_id,
|
||||
'redirect_uri': redirect_uri,
|
||||
'response_type': 'code',
|
||||
'scope': SCOPES,
|
||||
'access_type': 'offline',
|
||||
'prompt': 'consent',
|
||||
'state': state,
|
||||
})
|
||||
)
|
||||
return _redirect(auth_url)
|
||||
|
||||
|
||||
def handle_callback(params: dict) -> dict:
|
||||
code = params.get('code', '')
|
||||
state = params.get('state', '')
|
||||
error = params.get('error', '')
|
||||
|
||||
if error:
|
||||
return _html(f'<h1>OAuth error: {error}</h1>', 400)
|
||||
if not code or not state:
|
||||
return _html('<h1>Missing code or state</h1>', 400)
|
||||
|
||||
# Decode actor_id + label from state
|
||||
try:
|
||||
padding = 4 - len(state) % 4
|
||||
state_data = json.loads(base64.urlsafe_b64decode(state + '=' * padding).decode())
|
||||
actor_id = state_data['a']
|
||||
label = state_data.get('l', 'primary')
|
||||
except Exception:
|
||||
# Backward compat: old state was just base64(actor_id)
|
||||
try:
|
||||
padding = 4 - len(state) % 4
|
||||
actor_id = base64.urlsafe_b64decode(state + '=' * padding).decode()
|
||||
label = 'primary'
|
||||
except Exception:
|
||||
return _html('<h1>Invalid state</h1>', 400)
|
||||
|
||||
client_id, client_secret = get_oauth_client()
|
||||
redirect_uri = os.environ['OAUTH_REDIRECT_URI']
|
||||
|
||||
# Exchange code for tokens
|
||||
token_data = urllib.parse.urlencode({
|
||||
'code': code,
|
||||
'client_id': client_id,
|
||||
'client_secret': client_secret,
|
||||
'redirect_uri': redirect_uri,
|
||||
'grant_type': 'authorization_code',
|
||||
}).encode()
|
||||
|
||||
req = urllib.request.Request(
|
||||
'https://oauth2.googleapis.com/token',
|
||||
data=token_data,
|
||||
headers={'Content-Type': 'application/x-www-form-urlencoded'},
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(req, timeout=15) as resp:
|
||||
tokens = json.loads(resp.read())
|
||||
except Exception as e:
|
||||
print(f'[oauth] Token exchange failed: {e}')
|
||||
return _html(f'<h1>Token exchange failed: {e}</h1>', 500)
|
||||
|
||||
# Fetch user email from Google
|
||||
user_email = ''
|
||||
try:
|
||||
id_token_payload = tokens.get('id_token', '').split('.')[1]
|
||||
padding = 4 - len(id_token_payload) % 4
|
||||
claims = json.loads(base64.urlsafe_b64decode(id_token_payload + '=' * padding))
|
||||
user_email = claims.get('email', '')
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if not user_email:
|
||||
try:
|
||||
access_token = tokens.get('access_token', '')
|
||||
req2 = urllib.request.Request(
|
||||
'https://www.googleapis.com/oauth2/v3/userinfo',
|
||||
headers={'Authorization': f'Bearer {access_token}'},
|
||||
)
|
||||
with urllib.request.urlopen(req2, timeout=10) as resp2:
|
||||
user_email = json.loads(resp2.read()).get('email', '')
|
||||
except Exception as e:
|
||||
print(f'[oauth] userinfo fetch failed: {e}')
|
||||
|
||||
# Build credentials dict (google-auth format)
|
||||
creds = {
|
||||
'token': tokens.get('access_token'),
|
||||
'refresh_token': tokens.get('refresh_token'),
|
||||
'token_uri': 'https://oauth2.googleapis.com/token',
|
||||
'client_id': client_id,
|
||||
'client_secret': client_secret,
|
||||
'scopes': [s for s in SCOPES.split() if s.startswith('https://')],
|
||||
'email': user_email,
|
||||
'user_email': user_email,
|
||||
}
|
||||
if tokens.get('expires_in'):
|
||||
creds['expiry'] = time.strftime(
|
||||
'%Y-%m-%dT%H:%M:%SZ',
|
||||
time.gmtime(time.time() + int(tokens['expires_in']))
|
||||
)
|
||||
|
||||
# Store in Secrets Manager at labeled path
|
||||
secret_name = actor_id_to_secret_name(actor_id, label)
|
||||
sm = get_sm()
|
||||
try:
|
||||
sm.create_secret(Name=secret_name, SecretString=json.dumps(creds))
|
||||
except sm.exceptions.ResourceExistsException:
|
||||
sm.put_secret_value(SecretId=secret_name, SecretString=json.dumps(creds))
|
||||
print(f'[oauth] Stored credentials for actor={actor_id} label={label} email={user_email}')
|
||||
|
||||
# Update DynamoDB: merge into google_accounts map
|
||||
table_name = os.environ.get('USERS_TABLE_NAME', '')
|
||||
if table_name and actor_id:
|
||||
try:
|
||||
table = get_ddb().Table(table_name)
|
||||
table.update_item(
|
||||
Key={'actor_id': actor_id},
|
||||
UpdateExpression='SET google_accounts = if_not_exists(google_accounts, :empty)',
|
||||
ExpressionAttributeValues={':empty': {}},
|
||||
)
|
||||
table.update_item(
|
||||
Key={'actor_id': actor_id},
|
||||
UpdateExpression='SET google_accounts.#label = :email',
|
||||
ExpressionAttributeNames={'#label': label},
|
||||
ExpressionAttributeValues={':email': user_email},
|
||||
)
|
||||
except Exception as e:
|
||||
print(f'[oauth] DynamoDB update failed: {e}')
|
||||
|
||||
# Best-effort Telegram confirmation
|
||||
try:
|
||||
bot_token_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
|
||||
if bot_token_arn and actor_id.startswith('telegram:'):
|
||||
chat_id = actor_id.split(':', 1)[1]
|
||||
bot_token = get_sm().get_secret_value(SecretId=bot_token_arn)['SecretString']
|
||||
tg_text = f'✅ Connected {user_email} as "{label}"'
|
||||
tg_payload = json.dumps({'chat_id': chat_id, 'text': tg_text}).encode()
|
||||
tg_req = urllib.request.Request(
|
||||
f'https://api.telegram.org/bot{bot_token}/sendMessage',
|
||||
data=tg_payload,
|
||||
headers={'Content-Type': 'application/json'},
|
||||
)
|
||||
urllib.request.urlopen(tg_req, timeout=5)
|
||||
except Exception as e:
|
||||
print(f'[oauth] Telegram notification failed: {e}')
|
||||
|
||||
return _html(
|
||||
f'<h1>✅ Google account connected!</h1>'
|
||||
f'<p>Connected <b>{user_email}</b> as "<b>{label}</b>".</p>'
|
||||
f'<p>You can close this window and return to Telegram.</p>'
|
||||
)
|
||||
@@ -0,0 +1 @@
|
||||
boto3>=1.34.0
|
||||
@@ -0,0 +1,238 @@
|
||||
"""
|
||||
Google OAuth handler Lambda.
|
||||
|
||||
Routes:
|
||||
GET /oauth/start?actor_id=telegram:123&label=work → redirect to Google OAuth consent
|
||||
GET /oauth/callback?code=...&state=... → exchange code, store tokens, update DynamoDB
|
||||
"""
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import time
|
||||
import urllib.parse
|
||||
import urllib.request
|
||||
|
||||
import boto3
|
||||
|
||||
_sm = None
|
||||
_ddb = None
|
||||
|
||||
SCOPES = ' '.join([
|
||||
'https://www.googleapis.com/auth/gmail.modify',
|
||||
'https://www.googleapis.com/auth/calendar',
|
||||
'https://www.googleapis.com/auth/drive',
|
||||
'https://www.googleapis.com/auth/spreadsheets',
|
||||
'https://www.googleapis.com/auth/documents',
|
||||
'openid',
|
||||
'email',
|
||||
'profile',
|
||||
])
|
||||
|
||||
|
||||
def get_sm():
|
||||
global _sm
|
||||
if _sm is None:
|
||||
_sm = boto3.client('secretsmanager', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
|
||||
return _sm
|
||||
|
||||
|
||||
def get_ddb():
|
||||
global _ddb
|
||||
if _ddb is None:
|
||||
_ddb = boto3.resource('dynamodb')
|
||||
return _ddb
|
||||
|
||||
|
||||
def get_oauth_client() -> tuple[str, str]:
|
||||
"""Return (client_id, client_secret) from Secrets Manager."""
|
||||
arn = os.environ['GOOGLE_OAUTH_CLIENT_SECRET_ARN']
|
||||
secret = json.loads(get_sm().get_secret_value(SecretId=arn)['SecretString'])
|
||||
return secret['client_id'], secret['client_secret']
|
||||
|
||||
|
||||
def actor_id_to_secret_name(actor_id: str, label: str = 'primary') -> str:
|
||||
safe = actor_id.replace(':', '-').replace('/', '-')
|
||||
return f'agent-claw/google-credentials/{safe}/{label}'
|
||||
|
||||
|
||||
def _redirect(url: str) -> dict:
|
||||
return {'statusCode': 302, 'headers': {'Location': url}, 'body': ''}
|
||||
|
||||
|
||||
def _html(body: str, status: int = 200) -> dict:
|
||||
return {'statusCode': status, 'headers': {'Content-Type': 'text/html'}, 'body': body}
|
||||
|
||||
|
||||
def handler(event, context):
|
||||
path = event.get('rawPath') or event.get('path', '')
|
||||
params = event.get('queryStringParameters') or {}
|
||||
|
||||
if path.endswith('/oauth/start'):
|
||||
return handle_start(params)
|
||||
elif path.endswith('/oauth/callback'):
|
||||
return handle_callback(params)
|
||||
else:
|
||||
return {'statusCode': 404, 'body': 'Not found'}
|
||||
|
||||
|
||||
def handle_start(params: dict) -> dict:
|
||||
actor_id = params.get('actor_id', '')
|
||||
if not actor_id:
|
||||
return _html('<h1>Missing actor_id</h1>', 400)
|
||||
|
||||
label = params.get('label', 'primary')
|
||||
|
||||
client_id, _ = get_oauth_client()
|
||||
redirect_uri = os.environ['OAUTH_REDIRECT_URI']
|
||||
|
||||
# Encode actor_id + label in state (JSON → base64)
|
||||
state_data = json.dumps({'a': actor_id, 'l': label})
|
||||
state = base64.urlsafe_b64encode(state_data.encode()).decode().rstrip('=')
|
||||
|
||||
auth_url = (
|
||||
'https://accounts.google.com/o/oauth2/v2/auth?'
|
||||
+ urllib.parse.urlencode({
|
||||
'client_id': client_id,
|
||||
'redirect_uri': redirect_uri,
|
||||
'response_type': 'code',
|
||||
'scope': SCOPES,
|
||||
'access_type': 'offline',
|
||||
'prompt': 'consent',
|
||||
'state': state,
|
||||
})
|
||||
)
|
||||
return _redirect(auth_url)
|
||||
|
||||
|
||||
def handle_callback(params: dict) -> dict:
|
||||
code = params.get('code', '')
|
||||
state = params.get('state', '')
|
||||
error = params.get('error', '')
|
||||
|
||||
if error:
|
||||
return _html(f'<h1>OAuth error: {error}</h1>', 400)
|
||||
if not code or not state:
|
||||
return _html('<h1>Missing code or state</h1>', 400)
|
||||
|
||||
# Decode actor_id + label from state
|
||||
try:
|
||||
padding = 4 - len(state) % 4
|
||||
state_data = json.loads(base64.urlsafe_b64decode(state + '=' * padding).decode())
|
||||
actor_id = state_data['a']
|
||||
label = state_data.get('l', 'primary')
|
||||
except Exception:
|
||||
# Backward compat: old state was just base64(actor_id)
|
||||
try:
|
||||
padding = 4 - len(state) % 4
|
||||
actor_id = base64.urlsafe_b64decode(state + '=' * padding).decode()
|
||||
label = 'primary'
|
||||
except Exception:
|
||||
return _html('<h1>Invalid state</h1>', 400)
|
||||
|
||||
client_id, client_secret = get_oauth_client()
|
||||
redirect_uri = os.environ['OAUTH_REDIRECT_URI']
|
||||
|
||||
# Exchange code for tokens
|
||||
token_data = urllib.parse.urlencode({
|
||||
'code': code,
|
||||
'client_id': client_id,
|
||||
'client_secret': client_secret,
|
||||
'redirect_uri': redirect_uri,
|
||||
'grant_type': 'authorization_code',
|
||||
}).encode()
|
||||
|
||||
req = urllib.request.Request(
|
||||
'https://oauth2.googleapis.com/token',
|
||||
data=token_data,
|
||||
headers={'Content-Type': 'application/x-www-form-urlencoded'},
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(req, timeout=15) as resp:
|
||||
tokens = json.loads(resp.read())
|
||||
except Exception as e:
|
||||
print(f'[oauth] Token exchange failed: {e}')
|
||||
return _html(f'<h1>Token exchange failed: {e}</h1>', 500)
|
||||
|
||||
# Fetch user email from Google
|
||||
user_email = ''
|
||||
try:
|
||||
id_token_payload = tokens.get('id_token', '').split('.')[1]
|
||||
padding = 4 - len(id_token_payload) % 4
|
||||
claims = json.loads(base64.urlsafe_b64decode(id_token_payload + '=' * padding))
|
||||
user_email = claims.get('email', '')
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if not user_email:
|
||||
try:
|
||||
access_token = tokens.get('access_token', '')
|
||||
req2 = urllib.request.Request(
|
||||
'https://www.googleapis.com/oauth2/v3/userinfo',
|
||||
headers={'Authorization': f'Bearer {access_token}'},
|
||||
)
|
||||
with urllib.request.urlopen(req2, timeout=10) as resp2:
|
||||
user_email = json.loads(resp2.read()).get('email', '')
|
||||
except Exception as e:
|
||||
print(f'[oauth] userinfo fetch failed: {e}')
|
||||
|
||||
# Build credentials dict (google-auth format)
|
||||
creds = {
|
||||
'token': tokens.get('access_token'),
|
||||
'refresh_token': tokens.get('refresh_token'),
|
||||
'token_uri': 'https://oauth2.googleapis.com/token',
|
||||
'client_id': client_id,
|
||||
'client_secret': client_secret,
|
||||
'scopes': [s for s in SCOPES.split() if s.startswith('https://')],
|
||||
'email': user_email,
|
||||
'user_email': user_email,
|
||||
}
|
||||
if tokens.get('expires_in'):
|
||||
creds['expiry'] = time.strftime(
|
||||
'%Y-%m-%dT%H:%M:%SZ',
|
||||
time.gmtime(time.time() + int(tokens['expires_in']))
|
||||
)
|
||||
|
||||
# Store in Secrets Manager at labeled path
|
||||
secret_name = actor_id_to_secret_name(actor_id, label)
|
||||
sm = get_sm()
|
||||
try:
|
||||
sm.create_secret(Name=secret_name, SecretString=json.dumps(creds))
|
||||
except sm.exceptions.ResourceExistsException:
|
||||
sm.put_secret_value(SecretId=secret_name, SecretString=json.dumps(creds))
|
||||
print(f'[oauth] Stored credentials for actor={actor_id} label={label} email={user_email}')
|
||||
|
||||
# Update DynamoDB: merge into google_accounts map
|
||||
table_name = os.environ.get('USERS_TABLE_NAME', '')
|
||||
if table_name and actor_id:
|
||||
try:
|
||||
get_ddb().Table(table_name).update_item(
|
||||
Key={'actor_id': actor_id},
|
||||
UpdateExpression='SET google_accounts = if_not_exists(google_accounts, :empty), google_accounts.#label = :email',
|
||||
ExpressionAttributeNames={'#label': label},
|
||||
ExpressionAttributeValues={':email': user_email, ':empty': {}},
|
||||
)
|
||||
except Exception as e:
|
||||
print(f'[oauth] DynamoDB update failed: {e}')
|
||||
|
||||
# Best-effort Telegram confirmation
|
||||
try:
|
||||
bot_token_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
|
||||
if bot_token_arn and actor_id.startswith('telegram:'):
|
||||
chat_id = actor_id.split(':', 1)[1]
|
||||
bot_token = get_sm().get_secret_value(SecretId=bot_token_arn)['SecretString']
|
||||
tg_text = f'✅ Connected {user_email} as "{label}"'
|
||||
tg_payload = json.dumps({'chat_id': chat_id, 'text': tg_text}).encode()
|
||||
tg_req = urllib.request.Request(
|
||||
f'https://api.telegram.org/bot{bot_token}/sendMessage',
|
||||
data=tg_payload,
|
||||
headers={'Content-Type': 'application/json'},
|
||||
)
|
||||
urllib.request.urlopen(tg_req, timeout=5)
|
||||
except Exception as e:
|
||||
print(f'[oauth] Telegram notification failed: {e}')
|
||||
|
||||
return _html(
|
||||
f'<h1>✅ Google account connected!</h1>'
|
||||
f'<p>Connected <b>{user_email}</b> as "<b>{label}</b>".</p>'
|
||||
f'<p>You can close this window and return to Telegram.</p>'
|
||||
)
|
||||
@@ -0,0 +1 @@
|
||||
boto3>=1.34.0
|
||||
@@ -18,7 +18,7 @@
|
||||
"validateOnSynth": false,
|
||||
"assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-deploy-role-495395224548-us-east-1",
|
||||
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-cfn-exec-role-495395224548-us-east-1",
|
||||
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-495395224548-us-east-1/f5e50400defa8e717f9f7ae32453df078f55bafc76973f390e22e14616b1eea0.json",
|
||||
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-495395224548-us-east-1/bf77d8fb57b225c495e242bd05bd7658713d3e0e810a6701955397f14f68d7e5.json",
|
||||
"requiresBootstrapStackVersion": 6,
|
||||
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
|
||||
"additionalDependencies": [
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -230,6 +230,11 @@ export class AgentClawStack extends cdk.Stack {
|
||||
actions: ['secretsmanager:GetSecretValue'],
|
||||
resources: [`arn:aws:secretsmanager:${this.region}:${this.account}:secret:agent-claw/google-credentials/*`],
|
||||
}));
|
||||
runtime1Role.addToPolicy(new iam.PolicyStatement({
|
||||
sid: 'GoogleCredentialsListRuntime',
|
||||
actions: ['secretsmanager:ListSecrets'],
|
||||
resources: ['*'],
|
||||
}));
|
||||
|
||||
// Pass workspace_mcp MCP URL to agent-runner (informational)
|
||||
agentRunnerFn.addEnvironment('WORKSPACE_MCP_URL', workspaceMcpMcpUrl);
|
||||
|
||||
Reference in New Issue
Block a user