Tianyi Account AST Direct Authentication Skill v7.1
Overview
Use this skill to complete Tianyi account AST login and direct authentication. The public version is tianyi-ast-direct-auth-v7.1; the machine skill name is tianyi-ast-direct-auth-v7-1.
This skill handles one path only: direct authentication through /ast/verify. It does not use gateway mode or /ast/introspect.
Core Workflow
- Load runtime config from direct_auth_init.json or explicit caller parameters.
- Check local agent_session.json with the bundled Python helper.
- Resolve business appId from explicit caller input, runtime parameters, or direct_auth_init.json.
- If the session is valid and appId is available, call /ast/verify.
- If the session is missing, expired, malformed, or near expiry, start AST login.
- Call /ast/login/start, then /ast/login/qrcode.
- Show the user the QR image and login link.
- When the user says "已登录" ("logged in") or "查登录状态" ("check login status"), call /ast/login/status/{ticket}.
- On success, persist local session and identity material with the helper.
- After local persistence succeeds, call /ast/verify to get idToken + expiresAt.
For code plugins, use scripts/get_id_token.py as the stable CLI wrapper around the same flow.
Read references/login-flow.md for login and pending-state details.
Read references/verify-flow.md for /ast/verify details.
Read references/caller-contract.md when another skill or business flow asks for an idToken.
Read references/auth-result-contract.md when returning auth results to a caller.
Read references/pending-handoff-contract.md when a caller must resume business work after QR login.
Read references/plugin-api-contract.md when a pure code plugin needs a CLI entrypoint.
Read references/partner-skill-template.md when writing a partner business skill.
Read references/local-session-contract.md before handling local files.
Read references/error-handling.md for failure handling.
Trigger Cases
Use this skill when the user or caller asks to:
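- Log in to a Tianyi account
- Perform Tianyi account authentication
- Obtain AST direct authentication credentials
- Obtain an idToken
- Another business skill needs a Tianyi account idToken
- A partner plugin needs to use a business appId to obtain a Tianyi account idToken
- Invoke the Tianyi account authentication skill with business appId=xxx
- Obtain a Tianyi account idToken with appId=xxx
- Check or reuse agent_session.json
- Re-authenticate after a business 401
- Use /ast/verify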
Pending Context
After login starts, preserve:
- pending_skill = "tianyi-ast-direct-auth-v7-1"
- pending_action = "wait_user_confirm_login"
- pending_ticket
- pending_login_url
- pending_ticket_expires_at
- pending_last_status
- pending_business_app_id when provided by a caller
- pending_caller_skill when invoked by another skill
- pending_business_intent when the caller must resume business work
- pending_return_target = "idToken" when the caller expects an idToken
Only treat "已登录" ("logged in"), "查登录状态" ("check login status"), or equivalent replies as this skill's continuation when pending_skill, pending_action, and pending_ticket all match.
User Replies
Keep user-facing replies short. Show only the QR image, login link, and next action. Do not expose service URLs, local file paths, private key paths, signing plaintext, appId, or trusted-network details.
Success Rule
Login is complete only after:
- /ast/login/status/{ticket} returns status=success
- agent_session.json is saved successfully
- identity material is saved when privateKeyPem is returned
Direct authentication is complete only after /ast/verify returns idToken + expiresAt.
Caller Contract
When another skill invokes this skill as an authentication dependency, this skill owns the full AST login and /ast/verify flow. The caller receives only the resulting idToken + expiresAt for business API use.
The caller must not receive agentSessionToken, private key material, signing plaintext, or local file paths. See references/caller-contract.md.
For pure code plugins:
python scripts/get_id_token.py --app-id <partner-app-id> --json
python scripts/get_id_token.py --app-id <partner-app-id> --allow-login --json
python scripts/get_id_token.py --app-id <partner-app-id> --ticket <ticket> --json
The CLI output follows references/auth-result-contract.md.
Boundaries
- Do not call /ast/introspect.
- Do not implement gateway fallback.
- Do not expose refresh/logout as user actions in v7.1.
- Do not write appId, ticket, loginUrl, or idToken into agent_session.json.
- Do not write old login_success.json.
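The Caller Contract and the agent_session.json boundary above can both be enforced in code as an allowlist on what leaves the skill and a denylist on what is persisted. The following is an added example, not the skill's bundled helper; the function names, the sample response and the sample session record are hypothetical, and only the field names come from this page.

```python
import json

# Fields this page says a caller may receive.
CALLER_ALLOWED = ("idToken", "expiresAt")
# Fields this page says must never be written into agent_session.json.
SESSION_FORBIDDEN = {"appId", "ticket", "loginUrl", "idToken"}


def to_caller_result(verify_response: dict) -> dict:
    """Project a /ast/verify response onto the caller allowlist."""
    missing = [k for k in CALLER_ALLOWED if not verify_response.get(k)]
    if missing:
        # Direct authentication is not complete without both fields.
        raise ValueError(f"verify response incomplete: {missing}")
    # Anything not allowlisted (session token, key material, paths) is dropped.
    return {k: verify_response[k] for k in CALLER_ALLOWED}


def forbidden_session_keys(record, path=""):
    """Return the paths of forbidden keys anywhere in a session record."""
    found = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else key
            if key in SESSION_FORBIDDEN:
                found.append(here)
            found.extend(forbidden_session_keys(value, here))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            found.extend(forbidden_session_keys(item, f"{path}[{i}]"))
    return found


def serialize_session(record: dict) -> str:
    """Serialize a session record, refusing any forbidden field."""
    bad = forbidden_session_keys(record)
    if bad:
        raise ValueError(f"refusing to persist forbidden fields: {bad}")
    return json.dumps(record, ensure_ascii=False, sort_keys=True)


# Constructed sample data; values and record layout are hypothetical.
SAMPLE_VERIFY = {"idToken": "sample-id-token", "expiresAt": 1893456000,
                 "agentSessionToken": "sample-ast", "debugPath": "/tmp/x"}
SAMPLE_SESSION = {"agentSessionToken": "sample-ast", "expiresAt": 1893456000}
```

Calling serialize_session before every write makes a regression that adds idToken or ticket to the session record fail at persistence time instead of leaking into the local file.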