Implement local agent JWT authentication for adapters

Add HS256 JWT-based authentication for local adapters (claude_local, codex_local) so agents authenticate automatically without manual API key configuration. The server mints short-lived JWTs per heartbeat run and injects them as PAPERCLIP_API_KEY. The auth middleware verifies JWTs alongside existing static API keys. Includes: CLI onboard/doctor JWT secret management, env command for deployment, config path resolution from ancestor directories, dotenv loading on server startup, event payload secret redaction, multi-status issue filtering, and adapter transcript parsing for thinking/user message kinds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 16:46:45 -06:00
parent 406f13220d
commit fe6a8687c1
28 changed files with 921 additions and 49 deletions
--- a/doc/plans/agent-authentication.md
+++ b/doc/plans/agent-authentication.md
@@ -205,6 +205,10 @@ On approval, the approver sets:
 | **P2**   | OpenClaw integration              | First real external agent onboarding via invite link.                                            |
 | **P3**   | CLI auth flow                     | `paperclip auth login` for developer-managed remote agents.                                      |

+## P0 Implementation Plan
+
+See [`doc/plans/agent-authentication-implementation.md`](./agent-authentication-implementation.md) for the P0 local JWT execution plan.
+
 ---

 ## Open Questions