trifle-auth

使用以太坊登录 (SIWE) 通过 Trifle API 进行身份验证。管理 Trifle 生态系统基于钱包的身份验证、JWT 令牌存储和会话管理。

# Trifle Auth Skill

Authenticate with the Trifle API (`bot.trifle.life`) using SIWE (Sign-In with Ethereum) for wallet-based authentication. Stores JWT tokens for use by other skills (snake-game, etc.).

## Setup

### 1. Install dependencies

```bash
cd ~/.openclaw/workspace/skills/trifle-auth
npm install
```

### 2. Generate a wallet

```bash
node trifle-auth.mjs generate
```

This generates a new Ethereum address and **automatically saves the private key to 1Password** (vault: Gigi, item: "EVM Wallet - Trifle Agent"). The key is never printed to stdout. If 1Password is unavailable, it falls back to a restricted file (`~/.trifle-wallet.key`, mode 600).

### 3. Set environment (or use 1Password)

The skill reads the private key from:
1. `TRIFLE_PRIVATE_KEY` environment variable (first priority)
2. 1Password: `op://Gigi/EVM Wallet - Gigi/private_key` <!-- nocheck -->

### 4. Login

```bash
node trifle-auth.mjs login
```

This authenticates via SIWE and stores the JWT token in `~/.local/state/trifle-auth/auth-state.json`.

## Commands

```bash
# Authenticate and store JWT token
node trifle-auth.mjs login

# Check auth status and user info
node trifle-auth.mjs status

# Get JWT token path (written to a secure temp file, not stdout)
TOKEN=$(cat $(node trifle-auth.mjs token))
node trifle-auth.mjs token

# Generate a new wallet keypair
node trifle-auth.mjs generate

# Check ball balance
node trifle-auth.mjs balance
```

## Authentication Flow

1. Gets nonce from `/auth/wallet/nonce`
2. Creates SIWE message with domain `trifle.life`
3. Signs message with private key (no gas cost)
4. Verifies signature at `/auth/wallet/verify`
5. Receives JWT token (valid 30 days)
6. Stores token in state file

## State File

Location: `~/.local/state/trifle-auth/auth-state.json` (XDG-compliant, override with `TRIFLE_AUTH_STATE` env var)

```json
{
  "token": "jwt-token-here",
  "address": "0x...",
  "userId": 123,
  "username": "gigi",
  "totalBalls": 50,
  "lastLogin": "2026-02-05T15:00:00Z"
}
```

## CORS Notes

API requests include `Origin: https://trifle.life` header to satisfy CORS requirements. The backend validates the origin against its allowed list.

## Ball Economy

- **Earning balls**: GM game (1/day), auth bonuses (10 per platform), reactions, etc.
- **Spending balls**: Snake game votes (min 1 per vote)
- **Auth bonuses**: Each platform auth earns 10 balls (wallet, discord, telegram, etc.)

---

## 中文说明

# Trifle Auth 技能

使用 SIWE（使用以太坊登录）对 Trifle API (`bot.trifle.life`) 进行身份验证，实现基于钱包的认证。存储 JWT 令牌供其他技能（snake-game 等）使用。

## 设置

### 1. 安装依赖

```bash
cd ~/.openclaw/workspace/skills/trifle-auth
npm install
```

### 2. 生成钱包

```bash
node trifle-auth.mjs generate
```

这会生成一个新的以太坊地址，并**自动将私钥保存到 1Password**（保险库：Gigi，条目："EVM Wallet - Trifle Agent"）。私钥绝不会打印到 stdout。如果 1Password 不可用，它会回退到一个受限文件 (`~/.trifle-wallet.key`，权限 600)。

### 3. 设置环境（或使用 1Password）

该技能从以下位置读取私钥：
1. `TRIFLE_PRIVATE_KEY` 环境变量（最高优先级）
2. 1Password: `op://Gigi/EVM Wallet - Gigi/private_key` <!-- nocheck -->

### 4. 登录

```bash
node trifle-auth.mjs login
```

这会通过 SIWE 进行身份验证，并将 JWT 令牌存储在 `~/.local/state/trifle-auth/auth-state.json` 中。

## 命令

```bash
# Authenticate and store JWT token
node trifle-auth.mjs login

# Check auth status and user info
node trifle-auth.mjs status

# Get JWT token path (written to a secure temp file, not stdout)
TOKEN=$(cat $(node trifle-auth.mjs token))
node trifle-auth.mjs token

# Generate a new wallet keypair
node trifle-auth.mjs generate

# Check ball balance
node trifle-auth.mjs balance
```

## 身份验证流程

1. 从 `/auth/wallet/nonce` 获取 nonce
2. 使用域名 `trifle.life` 创建 SIWE 消息
3. 使用私钥对消息签名（无 gas 成本）
4. 在 `/auth/wallet/verify` 验证签名
5. 接收 JWT 令牌（有效期 30 天）
6. 将令牌存储到状态文件

## 状态文件

位置：`~/.local/state/trifle-auth/auth-state.json`（符合 XDG 规范，可用 `TRIFLE_AUTH_STATE` 环境变量覆盖）

```json
{
  "token": "jwt-token-here",
  "address": "0x...",
  "userId": 123,
  "username": "gigi",
  "totalBalls": 50,
  "lastLogin": "2026-02-05T15:00:00Z"
}
```

## CORS 说明

API 请求包含 `Origin: https://trifle.life` 头以满足 CORS 要求。后端会根据其允许列表验证来源。

## 小球经济

- **赚取小球**：GM 游戏（每天 1 个）、认证奖励（每个平台 10 个）、互动反应等。
- **消费小球**：贪吃蛇游戏投票（每票至少 1 个）
- **认证奖励**：每个平台认证可获得 10 个小球（钱包、discord、telegram 等）