
feat(openclaw-plugin): align auth, namespace, and role id handling #1606

Merged
qin-ctx merged 12 commits into volcengine:main from jcp0578:openclaw-plugin-auth-namespace-roleid
Apr 21, 2026

jcp0578 (Contributor) commented Apr 20, 2026

Description

This PR updates the OpenClaw OpenViking plugin to align authentication behavior, canonical namespace expansion, and session role_id propagation with the current multi-tenant integration flow. It also adds test coverage and a Chinese test report for the validated matrix.

Related Issue

#1479
#1351

Related PR

#1356
#1507

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test update

Changes Made

  • Align plugin auth handling with serverAuthMode and canonical namespace policy configuration.
  • Propagate role_id from sender context in both afterTurn and memory_store session writes.
  • Add/update unit tests and a Chinese multi-tenant test report covering the validated matrix.

Testing

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested this on the following platforms:
    • Linux
    • macOS
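    • Windows

| Dimension | Case | Result | Notes |
|---|---|---|---|
| api_key | api_key_without_key_dev | Pass | default/default dev fallback takes effect |
| api_key | personal_token_default | Pass | Hits DEFAULT_USER_TOKEN_19950 |
| api_key | agentid_prefix_worker | Pass | Actual agent value is worker_main |
| Compatibility | deprecated_agent_alias | Pass | agentScopeMode=agent compatibility works |
| Override precedence | new_policy_overrides_deprecated | Pass | New policy overrides the old alias |
| namespace | ff_user_token | Pass | user shared space resolved correctly |
| namespace | ff_agent_token | Pass | agent shared space resolved correctly |
| namespace | tf_user_token | Pass | user isolated per agent resolved correctly |
| namespace | tf_agent_token | Pass | agent shared space resolved correctly |
| namespace | tt_user_token | Pass | user/agent dual isolation resolved correctly |
| namespace | tt_agent_token | Pass | agent/user dual isolation resolved correctly |
| trusted | trusted_without_key | Pass | trusted path without a key works |
| trusted | trusted_with_key | Pass | trusted path with a key works |
| trusted | trusted_root_key_required | Pass | Rejected by the server when no key is sent |
| trusted | trusted_root_key_optional_ok | Pass | Works with the root key |
| senderId -> role_id | senderid_trusted_user_msg | Pass | telegram:12345 -> telegram_12345 |
| senderId -> role_id | senderid_trusted_blank | Pass | role_id:null |
| senderId -> role_id | senderid_sanitize_symbols | Pass | wx/user-01@abc -> wx_user-01_abc |
| Real bot | Direct-message sender mapping | Pass | sender maps stably to the real role_id |
| Real bot | Group chat, multi-member role_id | Pass | Different members get different role_id values |
| memory_store | requesterSenderId -> role_id | Pass | memory_store now uses requesterSenderId to write the real role_id |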

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes

CLAassistant commented Apr 20, 2026

CLA assistant check
All committers have signed the CLA.

jcp0578 changed the title from "[WIP]feat(openclaw-plugin): align auth, namespace, and role id handling" to "feat(openclaw-plugin): align auth, namespace, and role id handling" Apr 20, 2026

github-actions commented

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅

1479 - Fully compliant

Compliant requirements:

  • Added extractRuntimeSenderId function to extract senderId from runtimeContext
  • Added serverAuthMode, isolateUserScopeByAgent, isolateAgentScopeByUser configs
  • Passed role_id (derived from senderId) in afterTurn and memory_store

1351 - Fully compliant

Compliant requirements:

  • Plugin now uses canonical URIs based on isolateUserScopeByAgent and isolateAgentScopeByUser configs
  • Added role_id support in session messages
  • Aligned auth handling with serverAuthMode

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🏅 Score: 85
🧪 PR contains tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Default Namespace Policy Mismatch

The plugin's default for isolateAgentScopeByUser is true when agentScopeMode is "user_agent", but the server-side default from #1351 is false. This may cause mismatches if users don't explicitly configure the policy to match the server.

const isolateUserScopeByAgent =
  explicitIsolateUserScopeByAgent ??
  envIsolateUserScopeByAgent ??
  (agentScopeMode === "agent" ? false : false);
const isolateAgentScopeByUser =
  explicitIsolateAgentScopeByUser ??
  envIsolateAgentScopeByUser ??
  (agentScopeMode === "agent" ? false : true);

Duplicate Code

The toRoleId function is duplicated in both context-engine.ts and index.ts. This could lead to inconsistency if the sanitization logic changes in one place but not the other.

function toRoleId(senderId: string | undefined): string | undefined {
  if (!senderId) {
    return undefined;
  }
  const normalized = senderId
    .trim()
    .replace(/[^a-zA-Z0-9_-]+/g, "_")
    .replace(/^_+|_+$/g, "")
    .replace(/_+/g, "_");
  return normalized || undefined;
}
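
Added example (not part of the PR or of the bot's review): the toRoleId sanitizer quoted above rewrites every run of characters outside [a-zA-Z0-9_-] to one underscore, so it is many-to-one. The check below copies that function and lists which sender ids in a constructed sample end up sharing a role_id or yielding none; findRoleIdCollisions, NO_ROLE_ID and the sample ids are hypothetical names and values introduced here.

```typescript
// toRoleId exactly as quoted in the review above, copied so this block runs alone.
function toRoleId(senderId: string | undefined): string | undefined {
  if (!senderId) {
    return undefined;
  }
  const normalized = senderId
    .trim()
    .replace(/[^a-zA-Z0-9_-]+/g, "_")
    .replace(/^_+|_+$/g, "")
    .replace(/_+/g, "_");
  return normalized || undefined;
}

// Hypothetical bucket label for sender ids that sanitize to no role_id at all.
// It contains characters a real role_id can never contain, so it cannot clash.
const NO_ROLE_ID = "(no role_id)";

// Hypothetical helper: group raw sender ids by the role_id they produce and
// return only the groups in which two or more distinct senders share one value.
function findRoleIdCollisions(senderIds: string[]): Record<string, string[]> {
  // Null-prototype object so a role_id such as "constructor" is just a key.
  const groups: Record<string, string[]> = Object.create(null);
  for (const raw of senderIds) {
    const key = toRoleId(raw) ?? NO_ROLE_ID;
    const bucket = groups[key] ?? [];
    if (bucket.indexOf(raw) === -1) bucket.push(raw);
    groups[key] = bucket;
  }
  const collisions: Record<string, string[]> = Object.create(null);
  for (const key of Object.keys(groups)) {
    const senders = groups[key] ?? [];
    if (senders.length > 1) collisions[key] = senders.slice().sort();
  }
  return collisions;
}

// Constructed sample: the two inputs from the PR's test matrix plus made-up
// neighbours that differ only in characters the sanitizer rewrites or drops.
const SAMPLE_SENDERS: string[] = [
  "telegram:12345", "telegram_12345", "telegram/12345",
  "wx/user-01@abc", "wx:user-01:abc",
  "slack:U999", "用户", "@@@",
];

const found = findRoleIdCollisions(SAMPLE_SENDERS);
for (const roleId of Object.keys(found)) {
  console.log(`${roleId} <- ${JSON.stringify(found[roleId])}`);
}
```

Running the same grouping over the sender ids a deployment actually sees shows whether the "different members get different role_id values" row of the test matrix holds for that channel's id format.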

github-actions commented

PR Code Suggestions ✨

No code suggestions found for the PR.

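Mijamind719 (Collaborator) commented

The AI says the tests are off target? Please check whether that is the case: the remaining issue is that the helper in tests/server/test_auth.py (line 38) still uses UserIdentifier(...).agent_space_name() to generate the old hashed agent URI. What this PR wants to verify is canonical namespace behavior, but this set of tests does not actually use the canonical agent path the plugin now emits, so it gives the false impression that "everything has been tested". In other words, this PR is not "completely fine"; rather, "I did not see any further obvious bug in the main logic, but there is one substantive gap in test coverage".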

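jcp0578 (Contributor, Author) commented Apr 21, 2026

> The AI says the tests are off target? Please check whether that is the case: the remaining issue is that the helper in tests/server/test_auth.py (line 38) still uses UserIdentifier(...).agent_space_name() to generate the old hashed agent URI. What this PR wants to verify is canonical namespace behavior, but this set of tests does not actually use the canonical agent path the plugin now emits, so it gives the false impression that "everything has been tested". In other words, this PR is not "completely fine"; rather, "I did not see any further obvious bug in the main logic, but there is one substantive gap in test coverage".

They were indeed off target; it was a leftover from the original namespace. Since this PR modifies plugin code and does not touch the server side, the related test code has been removed.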

qin-ctx (Collaborator) left a comment

This review only includes blocking issues. The current implementation conflicts with the server's existing api_key auth/session contracts in two places, so the plugin would regress common root-key and user-key deployments.

Comment thread examples/openclaw-plugin/client.ts Outdated
Comment thread examples/openclaw-plugin/context-engine.ts
@jcp0578 jcp0578 requested a review from qin-ctx April 21, 2026 06:11
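jcp0578 (Contributor, Author) commented Apr 21, 2026

> This review only includes blocking issues. The current implementation conflicts with the server's existing api_key auth/session protocol in two places, so the plugin would reduce compatibility for common root-key and user-key deployments.

Issue 1: fixed.
Issue 2: after discussion, role_id passthrough is kept for now.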

@qin-ctx qin-ctx merged commit ef2513c into volcengine:main Apr 21, 2026
6 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenViking project Apr 21, 2026