fix: kilobot findings from PR #14

  1. Plugin-managed authToken now falls through to file-based auto re-auth
     instead of dead-ending at a 'update your openclaw.json' message on
     401. Added isPluginManagedAuthToken() in token-store; Path 0 in
     runShellSecurityFlow now skips when the raw config's authToken is a
     SecretRef pointing at our own provider (the shape writeStoredToken()
     always writes). Covered by 5 new unit tests in token-store.test.ts.

  2. getPublicIp() now clears its 5s abort timer in a finally block so
     dangling timeouts don't accumulate across failed checkups.

  3. Device-auth poll requests now carry a per-request 10s AbortController
     so a hung HTTP call can't outlive the overall 30s POLL_TIMEOUT_MS.
     Cleared in finally so every loop iteration is interruptible.

  4. CHANGELOG regained its '## [Unreleased]' heading per the release
     workflow documented in AGENTS.md + RELEASING.md, and the three fixes
     above are logged under it.

Author: St0rmz1

CHANGELOG.md

@@ -6,6 +6,24 @@ All notable changes to `@kilocode/shell-security` (formerly
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+
+- `getPublicIp()` now clears its 5-second abort timer on error paths as
+  well as success, so repeated checkups on a flaky network don't leak
+  dangling timeouts.
+- Device-auth poll requests now carry a per-request `AbortController`
+  (10s) so a hung HTTP call can no longer outlive the overall 30s
+  `POLL_TIMEOUT_MS` budget.
+- Expired plugin-managed auth tokens now fall through to the file-based
+  auto re-auth path (Path B) instead of returning the "update your
+  openclaw.json" message. `runShellSecurityFlow` inspects the raw
+  config via `isPluginManagedAuthToken()` and skips Path 0 when the
+  `authToken` is a SecretRef pointing at our own provider — that shape
+  is only ever written by `writeStoredToken()` after device auth, so
+  the plugin (not the user) owns recovery.
+
 ## [0.2.0]
 
 First release under the new `@kilocode/shell-security` name. The plugin

index.ts

@@ -10,6 +10,7 @@ import {
   readPendingCode,
   writePendingCode,
   clearPendingCode,
+  isPluginManagedAuthToken,
   type PluginLogger,
   type PluginRuntimeConfig,
 } from "./src/auth/token-store.js";
@@ -166,8 +167,23 @@ async function runShellSecurityFlow(
   // going through device auth, and it respects the schema contract
   // documented in openclaw.plugin.json + README. Explicit user config
   // wins over everything else.
+  //
+  // Skip this path when the raw config shows a SecretRef aimed at our
+  // OWN provider — that shape is only written by writeStoredToken()
+  // after device auth, and the plugin's file-based auto re-auth path
+  // (Path B below) should own recovery in that case. Without this
+  // check, a plugin-managed token that expires would hit the
+  // "update your openclaw.json" message here instead of falling through
+  // to clear + redo device auth.
   const configToken = api.pluginConfig?.authToken;
-  if (typeof configToken === "string" && configToken.length > 0) {
+  const pluginManaged = isPluginManagedAuthToken(
+    api.runtime.config.loadConfig(),
+  );
+  if (
+    !pluginManaged &&
+    typeof configToken === "string" &&
+    configToken.length > 0
+  ) {
     try {
       return await doCheckup(api, apiBase, configToken, channel);
     } catch (err) {

src/audit.ts

@@ -107,17 +107,18 @@ export function isValidIp(candidate: string): boolean {
  */
 export async function getPublicIp(): Promise<string | undefined> {
   const fetchFn: typeof fetch = resolveFetch() ?? globalThis.fetch;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 5_000);
   try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 5_000);
     const resp = await fetchFn("https://ifconfig.me/ip", {
       signal: controller.signal,
     });
-    clearTimeout(timeout);
     if (!resp.ok) return undefined;
     const text = (await resp.text()).trim();
     return isValidIp(text) ? text : undefined;
   } catch {
     return undefined;
+  } finally {
+    clearTimeout(timeout);
   }
 }

src/auth/device-auth.ts

@@ -13,6 +13,13 @@ import type { PluginLogger } from "./token-store.js";
  */
 const POLL_TIMEOUT_MS = 30 * 1_000;
 const POLL_INTERVAL_MS = 3_000;
+/**
+ * Per-request deadline for a single poll HTTP call. Without this,
+ * a hung connection could outlive the overall POLL_TIMEOUT_MS budget,
+ * because the loop only re-checks the deadline between iterations.
+ * Capped below the overall budget so the loop stays interruptible.
+ */
+const POLL_REQUEST_TIMEOUT_MS = 10 * 1_000;
 
 type DeviceAuthInitResponse = {
   code: string;
@@ -110,8 +117,13 @@ export async function pollDeviceAuth(
 
   while (Date.now() < deadline) {
     await sleep(POLL_INTERVAL_MS);
+    const controller = new AbortController();
+    const requestTimeout = setTimeout(
+      () => controller.abort(),
+      POLL_REQUEST_TIMEOUT_MS,
+    );
     try {
-      const resp = await fetchFn(pollUrl);
+      const resp = await fetchFn(pollUrl, { signal: controller.signal });
       if (resp.status === 202) continue; // pending
       if (resp.status === 403) return { kind: "denied" };
       if (resp.status === 410) return { kind: "expired" };
@@ -123,10 +135,13 @@ export async function pollDeviceAuth(
         if (data.status === "expired") return { kind: "expired" };
       }
     } catch (err) {
-      // Transient network error. Log at debug level so it's visible
-      // when investigating real failures but not noisy on the happy path.
+      // Transient network error (including per-request abort due to a
+      // hung connection). Log at debug level so it's visible when
+      // investigating real failures but not noisy on the happy path.
       const message = err instanceof Error ? err.message : String(err);
       logger?.debug?.(`shell-security: poll transient error: ${message}`);
+    } finally {
+      clearTimeout(requestTimeout);
     }
   }
 

src/auth/token-store.ts

@@ -39,6 +39,53 @@ export function secretFilePath(): string {
   return join(homedir(), ".openclaw", "secrets", `${PLUGIN_ID}-auth-token`);
 }
 
+/**
+ * True when the raw openclaw.json has a SecretRef at
+ * `plugins.entries.shell-security.config.authToken` that points at
+ * OUR provider (`kilocode_shell_security`). That shape is only ever
+ * written by writeStoredToken() — a user configuring the plugin by
+ * hand would use a plain string or a SecretRef aimed at a different
+ * provider.
+ *
+ * The plugin can't tell from `api.pluginConfig.authToken` alone
+ * whether the resolved string came from a user-typed value or from
+ * OpenClaw resolving our own SecretRef. Callers use this helper to
+ * treat those cases differently (see `runShellSecurityFlow` in
+ * index.ts): plugin-managed tokens should auto re-auth on 401, but
+ * user-managed ones should surface an "update your openclaw.json"
+ * message.
+ */
+export function isPluginManagedAuthToken(config: unknown): boolean {
+  const root = (config && typeof config === "object" ? config : {}) as Record<
+    string,
+    unknown
+  >;
+  const plugins = (
+    root.plugins && typeof root.plugins === "object" ? root.plugins : {}
+  ) as Record<string, unknown>;
+  const entries = (
+    plugins.entries && typeof plugins.entries === "object"
+      ? plugins.entries
+      : {}
+  ) as Record<string, unknown>;
+  const entry = (
+    entries[PLUGIN_ID] && typeof entries[PLUGIN_ID] === "object"
+      ? entries[PLUGIN_ID]
+      : {}
+  ) as Record<string, unknown>;
+  const entryConfig = (
+    entry.config && typeof entry.config === "object" ? entry.config : {}
+  ) as Record<string, unknown>;
+  const authToken = entryConfig.authToken;
+  if (!authToken || typeof authToken !== "object") return false;
+  const ref = authToken as Record<string, unknown>;
+  return (
+    ref.source === "file" &&
+    ref.provider === PROVIDER_ID &&
+    typeof ref.id === "string"
+  );
+}
+
 function pendingCodeFilePath(): string {
   return join(homedir(), ".openclaw", "secrets", `${PLUGIN_ID}-pending-code`);
 }

test/token-store.test.ts

@@ -1,5 +1,5 @@
 import { describe, test, expect } from "bun:test";
-import { patchConfig } from "../src/auth/token-store";
+import { patchConfig, isPluginManagedAuthToken } from "../src/auth/token-store";
 
 const TEST_PATH = "/home/node/.openclaw/secrets/shell-security-auth-token";
 
@@ -124,3 +124,57 @@ describe("patchConfig", () => {
     expect(getAuthToken(next)).toBeDefined();
   });
 });
+
+describe("isPluginManagedAuthToken", () => {
+  test("true for a SecretRef pointing at our own provider", () => {
+    const cfg = patchConfig({}, TEST_PATH);
+    expect(isPluginManagedAuthToken(cfg)).toBe(true);
+  });
+
+  test("false for a plain-string authToken (user-set)", () => {
+    const cfg = {
+      plugins: {
+        entries: {
+          "shell-security": { config: { authToken: "user-typed-string" } },
+        },
+      },
+    };
+    expect(isPluginManagedAuthToken(cfg)).toBe(false);
+  });
+
+  test("false for a SecretRef pointing at a different provider", () => {
+    const cfg = {
+      plugins: {
+        entries: {
+          "shell-security": {
+            config: {
+              authToken: {
+                source: "file",
+                provider: "some_other_provider",
+                id: "value",
+              },
+            },
+          },
+        },
+      },
+    };
+    expect(isPluginManagedAuthToken(cfg)).toBe(false);
+  });
+
+  test("false when authToken is unset", () => {
+    expect(isPluginManagedAuthToken({})).toBe(false);
+    expect(isPluginManagedAuthToken({ plugins: {} })).toBe(false);
+    expect(
+      isPluginManagedAuthToken({
+        plugins: { entries: { "shell-security": { config: {} } } },
+      }),
+    ).toBe(false);
+  });
+
+  test("tolerates null/undefined/non-object config", () => {
+    expect(isPluginManagedAuthToken(null)).toBe(false);
+    expect(isPluginManagedAuthToken(undefined)).toBe(false);
+    expect(isPluginManagedAuthToken("string")).toBe(false);
+    expect(isPluginManagedAuthToken({ plugins: "not-an-object" })).toBe(false);
+  });
+});