datagrout-conduit 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27d8af58b9252394051bb3c764f30bc19b5062664a3bac0295e5bd7aa4e8df94
-  data.tar.gz: 4f6c526fe03897d6666d2b0c76c61651dc9bc71e1eaa269f55f35e321a34671f
+  metadata.gz: d3a08c2cb30deefe712f0083b473838a1ec6b578c1b7decbcc53ac14aca4cffb
+  data.tar.gz: ea88b13e4a5998164c4dfaa1b71d448e5d498b694b8de312449a8c82d4daf555
 SHA512:
-  metadata.gz: bba7f383d85b62c05fff950f527047c830b82842536a31151988d87414c5da597a1b67160f507753a8c43c5cd41f0e9cf463a1bdd93ab0bb898165da7a1afc18
-  data.tar.gz: a8c3fec760966850b04ec6c5e9b0c4af46f967b87a9627130bb6bb18cf84157bd1fa0da90486cc64ff01e97c03d815e153e7e1bccd77579f6b93a5775b75df6f
+  metadata.gz: 70c40acb181dcc382395c454e769e26fede6798a32dc2dab7797ffaf66b1936dd0e89cf767f2f9f16a5e668ad1ceff9dfd3d2a22d03db34bcb146ab1eef78ba6
+  data.tar.gz: 3c2cf29896ae08b63876e60e8807ccb7ea85118fdb5d422aaf9b94e4ef3aa76345786b42bb0406f1c8df1b938d3755cf78a84fd3bf9728f5ecc4fd54a6c7b737

data/README.md

@@ -9,13 +9,13 @@ Connect to remote MCP and JSONRPC servers, invoke tools, discover capabilities w
 Add to your Gemfile:
 
 ```ruby
-gem "datagrout-conduit", "~> 0.4.0"
+gem "datagrout-conduit", "~> 0.5.0"
 ```
 
 Or install directly:
 
 ```sh
-gem install datagrout-conduit -v 0.4.0
+gem install datagrout-conduit -v 0.5.0
 ```
 
 ## Quick Start

data/lib/datagrout_conduit/client.rb

@@ -31,13 +31,15 @@ module DatagroutConduit
     end
 
     def initialize(url:, auth: {}, transport: :mcp, identity: nil, identity_dir: nil,
-                   use_intelligent_interface: nil, max_retries: 3, logger: nil, disable_mtls: false)
+                   use_intelligent_interface: nil, max_retries: 3, logger: nil,
+                   identity_auto: false, disable_mtls: false)
       @url = url
       @auth = auth
       @transport_mode = transport
       @identity = identity
       @identity_dir = identity_dir
-      @disable_mtls = disable_mtls
+      @identity_auto = identity_auto
+      @disable_mtls = disable_mtls  # deprecated, kept for backward compat
       @max_retries = max_retries
       @initialized = false
       @server_info = nil
@@ -104,6 +106,38 @@ module DatagroutConduit
       bootstrap_identity(url: url, auth_token: token, name: name, identity_dir: identity_dir)
     end
 
+    # Bootstrap by performing the autonomous DG onramp flow.
+    #
+    # The all-in-one flow: onramp (no prior credentials required) →
+    # OAuth token exchange → mTLS identity registration and persistence.
+    #
+    # On subsequent runs the saved mTLS identity is auto-discovered and
+    # no credentials are needed.
+    #
+    # @param opts [DatagroutConduit::Onramp::OnrampOptions]
+    # @param url [String, nil] MCP server URL; required when +opts.mcp_url+ is absent
+    # @param name [String] human-readable identity label
+    # @param identity_dir [String, nil] custom identity storage directory
+    # @return [Client] unconnected client; call +#connect+ before use
+    def self.bootstrap_onramp(opts:, url: nil, name: "conduit-client", identity_dir: nil)
+      dir = identity_dir || Registration.default_identity_dir || File.join(Dir.home, ".conduit")
+
+      # Fast path: existing valid identity.
+      identity = Identity.try_discover(override_dir: dir)
+      if identity && !identity.needs_rotation?
+        raise ArgumentError, "'url' must be provided when an existing identity is reused" if url.nil?
+        return new(url: url, identity: identity)
+      end
+
+      # Slow path: full onramp flow.
+      creds, token = Onramp.register_and_exchange(opts)
+
+      mcp_url = creds.mcp_url || url
+      raise ArgumentError, "'url' must be provided when mcp_url is absent from onramp response" if mcp_url.nil?
+
+      bootstrap_identity(url: mcp_url, auth_token: token, name: name, identity_dir: identity_dir)
+    end
+
     def connect
       @transport.connect
 
@@ -418,8 +452,7 @@ module DatagroutConduit
 
     def resolve_identity!
       return if @identity
-      return if @disable_mtls
-      return unless @is_dg
+      return unless @identity_auto
 
       @identity = Identity.try_discover(override_dir: @identity_dir)
     end

data/lib/datagrout_conduit/identity.rb

@@ -67,31 +67,30 @@ module DatagroutConduit
     # Walk the auto-discovery chain and return the first identity found,
     # or nil if nothing is available.
     def self.try_discover(override_dir: nil)
-      # 1. Override directory
+      # When an explicit directory is given, scope search to that dir only.
       if override_dir
-        id = try_load_from_dir(override_dir)
-        return id if id
+        return try_load_from_dir(override_dir)
       end
 
-      # 2. Environment variables (individual cert/key PEMs)
+      # 1. Environment variables (individual cert/key PEMs)
       id = from_env
       return id if id
 
-      # 3. CONDUIT_IDENTITY_DIR env var
+      # 2. CONDUIT_IDENTITY_DIR env var
       identity_dir = ENV["CONDUIT_IDENTITY_DIR"]
       if identity_dir && !identity_dir.empty?
         id = try_load_from_dir(identity_dir)
         return id if id
       end
 
-      # 4. ~/.conduit/
+      # 3. ~/.conduit/
       home = ENV["HOME"] || ENV["USERPROFILE"]
       if home
         id = try_load_from_dir(File.join(home, ".conduit"))
         return id if id
       end
 
-      # 5. .conduit/ relative to cwd
+      # 4. .conduit/ relative to cwd
       id = try_load_from_dir(File.join(Dir.pwd, ".conduit"))
       return id if id
 

data/lib/datagrout_conduit/onramp.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+
+module DatagroutConduit
+  # Autonomous agent self-registration (onramp) for DataGrout.
+  #
+  # The onramp flow lets a machine intelligence register itself with DG
+  # without a human in the loop, using only plain HTTP JSON — no MCP client
+  # required.
+  #
+  # == Flow
+  #
+  # 1. POST to +/onramp+ with agent identity metadata (no auth).
+  # 2. DG returns a short-lived +session_token+ (5 minutes).
+  # 3. POST to +/onramp/complete+ with +Authorization: Bearer <session_token>+.
+  # 4. DG issues provisional +client_id+ + +client_secret+ (restricted scopes).
+  #
+  # == Example
+  #
+  #   opts = DatagroutConduit::Onramp::OnrampOptions.new(
+  #     gateway: "https://app.datagrout.ai",
+  #     agent_name: "my-research-agent",
+  #     agent_type: "claude-sonnet-4-6"
+  #   )
+  #   client = DatagroutConduit::Client.bootstrap_onramp(opts: opts, url: nil)
+  module Onramp
+    # Options for the autonomous agent onramp flow.
+    OnrampOptions = Struct.new(
+      :gateway,
+      :agent_name,
+      :agent_type,
+      :intended_use,
+      :access_code,
+      keyword_init: true
+    )
+
+    # Provisional credentials returned by the DG onramp complete endpoint.
+    #
+    # Store +client_id+ and +client_secret+ securely — the secret is shown
+    # exactly once and cannot be recovered after this point.
+    OnrampCredentials = Struct.new(
+      :client_id,
+      :client_secret,
+      :token_url,
+      :scopes,
+      :expires_in,
+      :rpc_url,
+      :mcp_url,
+      keyword_init: true
+    )
+
+    class OnrampError < StandardError; end
+
+    # Perform the onramp handshake and return provisional OAuth credentials.
+    #
+    # Low-level entry point. Most callers should use
+    # {DatagroutConduit::Client.bootstrap_onramp} instead.
+    #
+    # @param opts [OnrampOptions]
+    # @return [OnrampCredentials]
+    def self.register_only(opts)
+      register(opts)
+    end
+
+    # Perform the full onramp handshake and OAuth token exchange.
+    #
+    # @param opts [OnrampOptions]
+    # @return [Array(OnrampCredentials, String)] credentials and access token
+    def self.register_and_exchange(opts)
+      creds = register(opts)
+      token = exchange_token(creds)
+      [creds, token]
+    end
+
+    # @api private
+    def self.register(opts)
+      base = opts.gateway.chomp("/")
+
+      body = { agent_name: opts.agent_name }
+      body[:agent_type] = opts.agent_type if opts.agent_type
+      body[:intended_use] = opts.intended_use if opts.intended_use
+      body[:access_code] = opts.access_code if opts.access_code
+
+      conn = build_conn
+
+      init_resp = conn.post("#{base}/onramp") do |req|
+        req.headers["Content-Type"] = "application/json"
+        req.body = JSON.generate(body)
+      end
+
+      raise OnrampError, "onramp init rejected (HTTP #{init_resp.status}): #{init_resp.body}" \
+        unless init_resp.success?
+
+      init_data = parse_body(init_resp.body)
+      session_token = init_data["session_token"]
+
+      complete_resp = conn.post("#{base}/onramp/complete") do |req|
+        req.headers["Authorization"] = "Bearer #{session_token}"
+      end
+
+      raise OnrampError, "onramp complete rejected (HTTP #{complete_resp.status}): #{complete_resp.body}" \
+        unless complete_resp.success?
+
+      data = parse_body(complete_resp.body)
+
+      OnrampCredentials.new(
+        client_id: data["client_id"],
+        client_secret: data["client_secret"],
+        token_url: data["token_url"],
+        scopes: data["scopes"] || [],
+        expires_in: data["expires_in"] || 0,
+        rpc_url: data["rpc_url"],
+        mcp_url: data["mcp_url"]
+      )
+    end
+    private_class_method :register
+
+    # @api private
+    def self.exchange_token(creds)
+      conn = Faraday.new do |f|
+        f.request :url_encoded
+        f.response :json, content_type: /\bjson$/
+        f.adapter Faraday.default_adapter
+      end
+
+      resp = conn.post(creds.token_url, {
+        grant_type: "client_credentials",
+        client_id: creds.client_id,
+        client_secret: creds.client_secret
+      })
+
+      raise OnrampError, "token exchange failed (HTTP #{resp.status}): #{resp.body}" \
+        unless resp.success?
+
+      data = parse_body(resp.body)
+      data["access_token"]
+    end
+    private_class_method :exchange_token
+
+    def self.build_conn
+      Faraday.new do |f|
+        f.response :json, content_type: /\bjson$/
+        f.adapter Faraday.default_adapter
+      end
+    end
+    private_class_method :build_conn
+
+    def self.parse_body(body)
+      body.is_a?(String) ? JSON.parse(body) : body
+    end
+    private_class_method :parse_body
+  end
+end

data/lib/datagrout_conduit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DatagroutConduit
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/datagrout_conduit.rb

@@ -8,6 +8,7 @@ require_relative "datagrout_conduit/types"
 require_relative "datagrout_conduit/identity"
 require_relative "datagrout_conduit/oauth"
 require_relative "datagrout_conduit/registration"
+require_relative "datagrout_conduit/onramp"
 require_relative "datagrout_conduit/transport/base"
 require_relative "datagrout_conduit/transport/mcp"
 require_relative "datagrout_conduit/transport/jsonrpc"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: datagrout-conduit
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - DataGrout
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-02 00:00:00.000000000 Z
+date: 2026-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -129,6 +129,7 @@ files:
 - lib/datagrout_conduit/namespaces/prism.rb
 - lib/datagrout_conduit/namespaces/warden.rb
 - lib/datagrout_conduit/oauth.rb
+- lib/datagrout_conduit/onramp.rb
 - lib/datagrout_conduit/registration.rb
 - lib/datagrout_conduit/transport/base.rb
 - lib/datagrout_conduit/transport/jsonrpc.rb