CLI to chat with an ArkClaw EE space's Claw over enterprise SSO — zero permanent AK/SK.
Project description
ee-claw
A tiny CLI to chat with a Claw in an ArkClaw EE space from your terminal — authenticated by your existing enterprise SSO session, with zero permanent AK/SK ever stored.
pip install ee-claw
arkclaw login https://<space>.arkclaw-enterprise-bj.volceapi.com/
arkclaw chat
That's it. login reuses the SSO session your browser already holds for the
space; chat talks to the Claw you last had open there.
How it works
Chrome login (id_token) → STS AssumeRoleWithOIDC → temporary creds
→ GetClawInstanceChatToken → ChatToken
→ OpenClaw WebSocket → chat
login <space-url>reads theid_tokenChrome already holds for the space (you must be logged in there), validates it by exchanging it for temporary credentials via Volcengine STS, and caches the session in~/.arkclaw/ee_login.json(mode0600). No browser is opened, nothing is pasted, no permanent AK/SK is ever written.chatuses the cached login to mint a one-timeChatToken(GetClawInstanceChatToken) and opens an OpenClaw WebSocket. Without--clawidit uses the claw you most recently opened in the browser (read from Chrome history); pass--clawid ci-...to target a specific one.
Admin setup (once per space)
The CLI needs one piece of space-level configuration: the STS role whose
trust policy accepts the space's enterprise-SSO identity pool and whose
permission policy allows arkclaw:GetClawInstanceChatToken. Provide it via
(highest precedence first):
--role-trn trn:iam::<account>:role/<name>ARKCLAW_ROLE_TRNenvironment variable- the space serving
GET <space-url>/.well-known/arkclaw-cli→{"region": ..., "role_trn": ..., "provider_trn": ...}(then the user types only the URL)
Nothing is hardcoded per space. Region is derived from the URL (override with
--region); the OIDC provider is inferred from the token issuer (override with
--provider-trn). If no role can be resolved, login fails with
ARKCLAW_E_UNCONFIGURED.
Security
The role is a least-privilege bridge: enterprise SSO identity → 1-hour
temporary credentials that can do exactly one thing
(GetClawInstanceChatToken) and nothing else in the account. See the error
codes (ARKCLAW_E_NOLOGIN, ARKCLAW_E_STS, ARKCLAW_E_UNCONFIGURED, …) for
clear diagnostics.
Scope
- Platform: Chrome on macOS/Linux (reads Chrome's Local Storage + history).
- This is the ArkClaw EE companion CLI; the general-purpose public SDK is
arkclaw-sdk(standard OIDC login + a2a chat) and lives separately.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file arkclaw_webchat_cli-0.1.0.tar.gz.
File metadata
- Download URL: arkclaw_webchat_cli-0.1.0.tar.gz
- Upload date:
- Size: 10.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5dc59bf30be8706b0ce42c09203a05430c369fac1a1dc65eaa932a0545f4ad56
|
|
| MD5 |
de5b4fefa73f6b041b32ee64707104fb
|
|
| BLAKE2b-256 |
ef28ca1fde3be74b3235d57cc9b7b68c1b70f81ee61dd7c559561e65b489636c
|
File details
Details for the file arkclaw_webchat_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: arkclaw_webchat_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
66494ccf56dae4f03ec12e9ef4c872c441a3b4f03151bc10a9a893509674e02e
|
|
| MD5 |
9938afc76506c3d296cebe63ab775fcf
|
|
| BLAKE2b-256 |
d9ac9d0f6f3a6d12c0eac2f8e084eabb9906f8e96b998a07a4c42699b63de8c0
|
