RubyGems - legate - Versions diffs - 0.1.0 - Mend

legate 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +7 -0
data/LICENSE +21 -0
data/README.md +345 -0
data/bin/legate +13 -0
data/examples/00_quickstart.rb +51 -0
data/examples/01_simple_agent.rb +105 -0
data/examples/02_multi_tool_agent.rb +140 -0
data/examples/03_custom_tool.rb +93 -0
data/examples/04_agent_instructions.rb +84 -0
data/examples/05_state_and_sessions.rb +91 -0
data/examples/06_callbacks.rb +186 -0
data/examples/07_async_jobs.rb +112 -0
data/examples/08_loop_agent.rb +197 -0
data/examples/09_sequential_workflow.rb +40 -0
data/examples/10_parallel_workflow.rb +34 -0
data/examples/11_agent_delegation.rb +24 -0
data/examples/12_http_client_tool.rb +156 -0
data/examples/13_authentication.rb +220 -0
data/examples/14_mcp_client.rb +154 -0
data/examples/15_mcp_server.rb +79 -0
data/examples/16_webhooks.rb +91 -0
data/examples/README_sequential_agents.md +164 -0
data/examples/advanced/auth/cookie_auth_tool.rb +146 -0
data/examples/advanced/auth/custom_auth_flows_example.rb +626 -0
data/examples/advanced/auth/excon_middleware.rb +317 -0
data/examples/advanced/auth/excon_middleware_auth.rb +399 -0
data/examples/advanced/auth/fiber_auth_example.rb +281 -0
data/examples/advanced/auth/fiber_oidc_example.rb +403 -0
data/examples/advanced/auth/httpbin_bearer_tool.rb +159 -0
data/examples/advanced/auth/oauth2_auth.rb +419 -0
data/examples/advanced/auth/oidc_auth.rb +514 -0
data/examples/advanced/auth/openweather_api.rb +251 -0
data/examples/advanced/auth/openweather_tool.rb +153 -0
data/examples/advanced/auth/query_param_middleware_test.rb +138 -0
data/examples/advanced/auth/service_account.rb +135 -0
data/examples/advanced/auth/test_with_httpbin.rb +202 -0
data/examples/advanced/auth/token_lifecycle_example.rb +428 -0
data/examples/advanced/callback_monitoring.rb +679 -0
data/examples/advanced/mas/fixed_delegation_example.rb +191 -0
data/examples/advanced/mas/loop_workflow.rb +28 -0
data/examples/advanced/mas/mock_planner.rb +77 -0
data/examples/advanced/mas/proper_delegation_example.rb +276 -0
data/examples/advanced/mcp/legate_mcp_server_resource_example.rb +182 -0
data/examples/advanced/mcp/mcp_resource_server_example.rb +309 -0
data/examples/advanced/mcp/mcp_server_async.rb +76 -0
data/examples/advanced/mcp/mcp_server_async_tools.rb +122 -0
data/examples/advanced/mcp/mcp_server_legate_agent.rb +95 -0
data/examples/advanced/mcp/mcp_server_rack.rb +89 -0
data/examples/advanced/random_calculator.rb +104 -0
data/examples/advanced/sleep_agent.rb +153 -0
data/examples/advanced/webhooks/webhook_e2e_runner.rb +110 -0
data/examples/advanced/webhooks/webhook_receiver_agent.rb +58 -0
data/examples/advanced/workflows/task_refinement_loop_agent.rb +278 -0
data/examples/advanced/workflows/travel_planner_auto_sequential.rb +444 -0
data/examples/advanced/workflows/travel_planner_parallel.rb +656 -0
data/examples/advanced/workflows/travel_planner_sequential.rb +512 -0
data/examples/tools/oauth2_example.rb +136 -0
data/examples/tools/sleepy_tool.rb +42 -0
data/lib/legate/activity_log.rb +71 -0
data/lib/legate/agent.rb +959 -0
data/lib/legate/agent_code_generator.rb +185 -0
data/lib/legate/agent_definition.rb +812 -0
data/lib/legate/agentic/decision.rb +49 -0
data/lib/legate/agentic/loop.rb +134 -0
data/lib/legate/agentic.rb +5 -0
data/lib/legate/agents/loop_agent.rb +248 -0
data/lib/legate/agents/parallel_agent.rb +163 -0
data/lib/legate/agents/sequential_agent.rb +190 -0
data/lib/legate/agents.rb +14 -0
data/lib/legate/auth/config.rb +148 -0
data/lib/legate/auth/coordinator.rb +218 -0
data/lib/legate/auth/coordinators/oauth2_coordinator.rb +99 -0
data/lib/legate/auth/coordinators/oidc_coordinator.rb +68 -0
data/lib/legate/auth/coordinators/service_account_coordinator.rb +122 -0
data/lib/legate/auth/credential.rb +157 -0
data/lib/legate/auth/encryption.rb +108 -0
data/lib/legate/auth/error.rb +94 -0
data/lib/legate/auth/exchanged_credential.rb +180 -0
data/lib/legate/auth/excon_middleware.rb +285 -0
data/lib/legate/auth/http_client_utils.rb +364 -0
data/lib/legate/auth/manager.rb +531 -0
data/lib/legate/auth/manager_store.rb +394 -0
data/lib/legate/auth/middleware_factory.rb +290 -0
data/lib/legate/auth/runner.rb +279 -0
data/lib/legate/auth/scheme.rb +125 -0
data/lib/legate/auth/schemes/api_key.rb +212 -0
data/lib/legate/auth/schemes/google_service_account.rb +108 -0
data/lib/legate/auth/schemes/http_bearer.rb +98 -0
data/lib/legate/auth/schemes/oauth2.rb +396 -0
data/lib/legate/auth/schemes/openid_connect.rb +346 -0
data/lib/legate/auth/schemes/service_account.rb +388 -0
data/lib/legate/auth/schemes.rb +40 -0
data/lib/legate/auth/token_manager.rb +362 -0
data/lib/legate/auth/token_store.rb +86 -0
data/lib/legate/auth/tool_context_extension.rb +97 -0
data/lib/legate/auth/tool_integration.rb +188 -0
data/lib/legate/auth/url_guard.rb +81 -0
data/lib/legate/auth.rb +453 -0
data/lib/legate/callbacks/callback_context.rb +71 -0
data/lib/legate/cli/agent_commands.rb +950 -0
data/lib/legate/cli/auth_commands.rb +520 -0
data/lib/legate/cli/base_command.rb +24 -0
data/lib/legate/cli/deployment_commands.rb +934 -0
data/lib/legate/cli/output_helper.rb +108 -0
data/lib/legate/cli/session_commands.rb +138 -0
data/lib/legate/cli/skaffold_commands.rb +223 -0
data/lib/legate/cli/tool_commands.rb +261 -0
data/lib/legate/cli/web_commands.rb +182 -0
data/lib/legate/cli.rb +40 -0
data/lib/legate/configuration/webhooks.rb +113 -0
data/lib/legate/configuration.rb +39 -0
data/lib/legate/definition_store.rb +23 -0
data/lib/legate/errors.rb +118 -0
data/lib/legate/event.rb +161 -0
data/lib/legate/gemini_ai_beta_patch.rb +39 -0
data/lib/legate/generators/agent_generator.rb +412 -0
data/lib/legate/generators/code_validator.rb +48 -0
data/lib/legate/generators/legate/install_generator.rb +35 -0
data/lib/legate/generators/legate/templates/create_legate_tables.rb.tt +36 -0
data/lib/legate/generators/legate/templates/initializer.rb +18 -0
data/lib/legate/generators/runtime_tool_loader.rb +76 -0
data/lib/legate/generators/tool_generator.rb +408 -0
data/lib/legate/generators.rb +11 -0
data/lib/legate/global_definition_registry.rb +506 -0
data/lib/legate/global_tool_manager.rb +135 -0
data/lib/legate/llm/adapter.rb +69 -0
data/lib/legate/llm/gemini.rb +172 -0
data/lib/legate/llm/ollama.rb +80 -0
data/lib/legate/llm.rb +34 -0
data/lib/legate/mcp/client.rb +320 -0
data/lib/legate/mcp/connection/sse.rb +292 -0
data/lib/legate/mcp/connection/stdio.rb +273 -0
data/lib/legate/mcp/connection_manager.rb +103 -0
data/lib/legate/mcp/server/legate_agent_adapter.rb +170 -0
data/lib/legate/mcp/server/legate_direct_agent_adapter.rb +140 -0
data/lib/legate/mcp/server/legate_tool_adapter.rb +119 -0
data/lib/legate/mcp/tool_wrapper.rb +138 -0
data/lib/legate/mcp/util/schema_converter.rb +134 -0
data/lib/legate/mcp.rb +23 -0
data/lib/legate/plan_executor.rb +375 -0
data/lib/legate/planner.rb +839 -0
data/lib/legate/rails/railtie.rb +43 -0
data/lib/legate/rails.rb +9 -0
data/lib/legate/redaction.rb +32 -0
data/lib/legate/session.rb +299 -0
data/lib/legate/session_service/active_record.rb +300 -0
data/lib/legate/session_service/base.rb +68 -0
data/lib/legate/session_service/event_broadcast.rb +74 -0
data/lib/legate/session_service/in_memory.rb +188 -0
data/lib/legate/tool/metadata_dsl.rb +122 -0
data/lib/legate/tool.rb +276 -0
data/lib/legate/tool_code_generator.rb +103 -0
data/lib/legate/tool_context.rb +350 -0
data/lib/legate/tool_loader.rb +39 -0
data/lib/legate/tool_registry.rb +73 -0
data/lib/legate/tool_result.rb +61 -0
data/lib/legate/tools/agent_tool.rb +187 -0
data/lib/legate/tools/base/http_client.rb +319 -0
data/lib/legate/tools/base/safe_url.rb +56 -0
data/lib/legate/tools/base_async_job_tool.rb +91 -0
data/lib/legate/tools/calculator.rb +89 -0
data/lib/legate/tools/cat_facts.rb +81 -0
data/lib/legate/tools/check_job_status_tool.rb +48 -0
data/lib/legate/tools/current_time_tool.rb +64 -0
data/lib/legate/tools/echo.rb +43 -0
data/lib/legate/tools/http_request_tool.rb +105 -0
data/lib/legate/tools/random_number_tool.rb +64 -0
data/lib/legate/tools/read_webpage_tool.rb +92 -0
data/lib/legate/tools/sleepy_tool.rb +74 -0
data/lib/legate/tools/webhook_tool.rb +146 -0
data/lib/legate/version.rb +5 -0
data/lib/legate/web/app.rb +984 -0
data/lib/legate/web/public/css/main.css +4980 -0
data/lib/legate/web/public/images/favicon-256.png +0 -0
data/lib/legate/web/public/images/favicon-32.png +0 -0
data/lib/legate/web/public/images/legate-logo-dark.png +0 -0
data/lib/legate/web/public/images/legate-logo-light.png +0 -0
data/lib/legate/web/public/js/legate.js +616 -0
data/lib/legate/web/public/styles/main.scss +4402 -0
data/lib/legate/web/routes/agent_authentication_routes.rb +530 -0
data/lib/legate/web/routes/agent_definition_routes.rb +803 -0
data/lib/legate/web/routes/agent_generator_routes.rb +80 -0
data/lib/legate/web/routes/agent_interaction_routes.rb +734 -0
data/lib/legate/web/routes/agent_runtime_routes.rb +323 -0
data/lib/legate/web/routes/api_routes.rb +56 -0
data/lib/legate/web/routes/authentication_routes.rb +1541 -0
data/lib/legate/web/routes/core_routes.rb +111 -0
data/lib/legate/web/routes/documentation_routes.rb +220 -0
data/lib/legate/web/routes/tool_generator_routes.rb +81 -0
data/lib/legate/web/routes/tools_ui_routes.rb +207 -0
data/lib/legate/web/sass_compiler.rb +73 -0
data/lib/legate/web/views/_active_session_info.slim +25 -0
data/lib/legate/web/views/_activity_list.slim +55 -0
data/lib/legate/web/views/_agent_card.slim +56 -0
data/lib/legate/web/views/_agent_generator_modal.slim +382 -0
data/lib/legate/web/views/_agent_status_controls.slim +71 -0
data/lib/legate/web/views/_agent_tool_table.slim +74 -0
data/lib/legate/web/views/_chat_message.slim +95 -0
data/lib/legate/web/views/_display_agent_configuration.slim +26 -0
data/lib/legate/web/views/_display_agent_description.slim +11 -0
data/lib/legate/web/views/_display_agent_fallback.slim +15 -0
data/lib/legate/web/views/_display_agent_hierarchy.slim +93 -0
data/lib/legate/web/views/_display_agent_instruction.slim +17 -0
data/lib/legate/web/views/_display_agent_mcp.slim +13 -0
data/lib/legate/web/views/_display_agent_model.slim +17 -0
data/lib/legate/web/views/_display_agent_name.slim +42 -0
data/lib/legate/web/views/_display_agent_output_key.slim +26 -0
data/lib/legate/web/views/_display_agent_type.slim +65 -0
data/lib/legate/web/views/_edit_agent_configuration.slim +74 -0
data/lib/legate/web/views/_edit_agent_description.slim +16 -0
data/lib/legate/web/views/_edit_agent_fallback.slim +25 -0
data/lib/legate/web/views/_edit_agent_hierarchy.slim +98 -0
data/lib/legate/web/views/_edit_agent_instruction.slim +49 -0
data/lib/legate/web/views/_edit_agent_mcp.slim +33 -0
data/lib/legate/web/views/_edit_agent_model.slim +23 -0
data/lib/legate/web/views/_edit_agent_output_key.slim +36 -0
data/lib/legate/web/views/_edit_agent_tools.slim +40 -0
data/lib/legate/web/views/_edit_agent_type.slim +67 -0
data/lib/legate/web/views/_session_error.slim +4 -0
data/lib/legate/web/views/_skeleton.slim +69 -0
data/lib/legate/web/views/_tool_card.slim +9 -0
data/lib/legate/web/views/_tool_generator_modal.slim +311 -0
data/lib/legate/web/views/agent.slim +436 -0
data/lib/legate/web/views/agent_auth.slim +562 -0
data/lib/legate/web/views/agents.slim +369 -0
data/lib/legate/web/views/auth.slim +112 -0
data/lib/legate/web/views/auth_credential_detail.slim +327 -0
data/lib/legate/web/views/auth_credentials.slim +261 -0
data/lib/legate/web/views/auth_debug.slim +94 -0
data/lib/legate/web/views/auth_mapping_detail.slim +151 -0
data/lib/legate/web/views/auth_mapping_new.slim +123 -0
data/lib/legate/web/views/auth_mappings.slim +120 -0
data/lib/legate/web/views/auth_scheme_detail.slim +274 -0
data/lib/legate/web/views/auth_schemes.slim +259 -0
data/lib/legate/web/views/auth_test.slim +418 -0
data/lib/legate/web/views/chat.slim +192 -0
data/lib/legate/web/views/docs_index.slim +105 -0
data/lib/legate/web/views/docs_show.slim +105 -0
data/lib/legate/web/views/error_404.slim +5 -0
data/lib/legate/web/views/index.slim +148 -0
data/lib/legate/web/views/layout.slim +144 -0
data/lib/legate/web/views/tool_detail.slim +87 -0
data/lib/legate/web/views/tools.slim +50 -0
data/lib/legate/web/webhook_listener.rb +367 -0
data/lib/legate/web.rb +9 -0
data/lib/legate.rb +220 -0
data/public/docs/advanced/callbacks.md +828 -0
data/public/docs/advanced/mcp_schema_conversion.md +59 -0
data/public/docs/authentication/api_reference/config.md +210 -0
data/public/docs/authentication/api_reference/credential.md +246 -0
data/public/docs/authentication/api_reference/encryption.md +218 -0
data/public/docs/authentication/api_reference/exchanged_credential.md +271 -0
data/public/docs/authentication/api_reference/excon_middleware.md +175 -0
data/public/docs/authentication/api_reference/index.md +30 -0
data/public/docs/authentication/api_reference/scheme.md +250 -0
data/public/docs/authentication/api_reference/schemes/api_key.md +175 -0
data/public/docs/authentication/api_reference/schemes/google_service_account.md +221 -0
data/public/docs/authentication/api_reference/schemes/http_bearer.md +169 -0
data/public/docs/authentication/api_reference/schemes/oauth2.md +343 -0
data/public/docs/authentication/api_reference/schemes/oidc.md +73 -0
data/public/docs/authentication/api_reference/schemes/openid_connect.md +311 -0
data/public/docs/authentication/api_reference/schemes/service_account.md +287 -0
data/public/docs/authentication/api_reference/token_manager.md +221 -0
data/public/docs/authentication/api_reference/token_store.md +146 -0
data/public/docs/authentication/api_reference/tool_context_extension.md +166 -0
data/public/docs/authentication/guides/api_key.md +190 -0
data/public/docs/authentication/guides/bearer.md +172 -0
data/public/docs/authentication/guides/configuration.md +255 -0
data/public/docs/authentication/guides/custom_flow.md +523 -0
data/public/docs/authentication/guides/index.md +24 -0
data/public/docs/authentication/guides/migration.md +435 -0
data/public/docs/authentication/guides/oauth2.md +252 -0
data/public/docs/authentication/guides/oidc.md +241 -0
data/public/docs/authentication/guides/overview.md +155 -0
data/public/docs/authentication/guides/secure_storage.md +301 -0
data/public/docs/authentication/guides/service_account.md +228 -0
data/public/docs/authentication/guides/token_lifecycle.md +295 -0
data/public/docs/authentication/guides/web_ui_integration.md +504 -0
data/public/docs/authentication/index.md +58 -0
data/public/docs/authentication/troubleshooting/credential_storage.md +550 -0
data/public/docs/authentication/troubleshooting/environment_variables.md +540 -0
data/public/docs/authentication/troubleshooting/index.md +11 -0
data/public/docs/authentication/troubleshooting/oauth2_issues.md +220 -0
data/public/docs/authentication/troubleshooting/oidc_issues.md +412 -0
data/public/docs/authentication/troubleshooting/token_refresh.md +338 -0
data/public/docs/cli/legate_cli_usage.md +363 -0
data/public/docs/core_concepts/legate_agent_lifecycle.md +124 -0
data/public/docs/core_concepts/legate_architecture_overview.md +110 -0
data/public/docs/core_concepts/legate_configuration.md +116 -0
data/public/docs/core_concepts/legate_definition_store.md +102 -0
data/public/docs/core_concepts/legate_planner.md +94 -0
data/public/docs/core_concepts/legate_session_service.md +104 -0
data/public/docs/error_handling/legate_error_handling.md +122 -0
data/public/docs/examples.md +199 -0
data/public/docs/getting_started.md +111 -0
data/public/docs/guides/agentic_agents.md +137 -0
data/public/docs/guides/ai_code_generators.md +437 -0
data/public/docs/guides/auto_loading.md +326 -0
data/public/docs/guides/configuring_agent_webhooks.md +219 -0
data/public/docs/guides/http_client_usage.md +264 -0
data/public/docs/guides/llm_providers.md +137 -0
data/public/docs/guides/mcp_client_integration.md +232 -0
data/public/docs/guides/mcp_server_exposure.md +206 -0
data/public/docs/guides/rails_integration.md +128 -0
data/public/docs/guides/sending_outbound_webhooks.md +227 -0
data/public/docs/guides/streaming.md +112 -0
data/public/docs/guides/webhooks.md +288 -0
data/public/docs/introduction.md +51 -0
data/public/docs/multi_agent_systems/advanced_features.md +57 -0
data/public/docs/multi_agent_systems/agent_delegation.md +190 -0
data/public/docs/multi_agent_systems/agent_hierarchy.md +49 -0
data/public/docs/multi_agent_systems/state_management.md +47 -0
data/public/docs/multi_agent_systems/workflow_agents.md +72 -0
data/public/docs/tools/legate_built_in_tools.md +332 -0
data/public/docs/tools/legate_tools_and_registry.md +263 -0
data/public/docs/web_ui/legate_web_ui.md +137 -0
metadata +823 -0

data/lib/legate/auth/tool_integration.rb ADDED Viewed

@@ -0,0 +1,188 @@
+# File: lib/legate/auth/tool_integration.rb
+# frozen_string_literal: true
+require_relative 'credential'
+require_relative 'exchanged_credential'
+require_relative 'schemes/api_key'
+require_relative 'schemes/http_bearer'
+require_relative 'token_manager'
+module Legate
+  module Auth
+    # Utility module for integrating authentication with tools.
+    # Provides methods for applying authentication to requests and
+    # detecting authentication errors in responses.
+    module ToolIntegration
+      module_function
+      # Apply authentication to a request based on scheme and credential
+      # @param request [Hash] The request to modify
+      # @param scheme [Legate::Auth::Scheme] The authentication scheme to use
+      # @param credential [Legate::Auth::Credential, Legate::Auth::ExchangedCredential] The credential to use
+      # @param token_store [Legate::Auth::TokenStore, nil] Optional token store for retrieving cached tokens
+      # @param token_manager [Legate::Auth::TokenManager, nil] Optional token manager for token lifecycle management
+      # @return [Hash] The modified request with authentication applied
+      # @raise [Legate::Auth::Error] If authentication cannot be applied
+      def apply_authentication(request, scheme, credential, token_store = nil, token_manager = nil)
+        raise ArgumentError, 'Request must be a Hash' unless request.is_a?(Hash)
+        raise ArgumentError, 'Scheme must be an Legate::Auth::Scheme' unless scheme.is_a?(Legate::Auth::Scheme)
+        # If we have a token manager, use it for getting tokens
+        if token_manager && token_manager.is_a?(Legate::Auth::TokenManager)
+          # Get a token using the token manager
+          token = token_manager.get_token(scheme, credential)
+          # Use the token if available
+          credential = token if token
+        # Fall back to the old mechanism if token_manager not available
+        elsif token_store && credential.is_a?(Legate::Auth::Credential)
+          cache_key = generate_cache_key(scheme, credential)
+          exchanged_credential = token_store.get(cache_key)
+          if exchanged_credential
+            # Check if token is expired and needs refresh
+            if exchanged_credential.expired? && scheme.supports_refresh?
+              begin
+                # Try to refresh the token
+                refreshed = scheme.refresh_token(exchanged_credential, credential)
+                # Store refreshed token
+                token_store.store(cache_key, refreshed)
+                # Use the refreshed credential
+                credential = refreshed
+              rescue Legate::Auth::TokenRefreshError => e
+                Legate.logger.warn("Failed to refresh token: #{e.message}. Using original credential.") if defined?(Legate.logger)
+                # Fall back to original credential if refresh fails
+              end
+            else
+              # Use cached credential
+              credential = exchanged_credential
+            end
+          end
+        end
+        # Apply the credential to the request using the scheme
+        begin
+          scheme.apply_to_request(request, credential)
+        rescue StandardError => e
+          # Log the error but return the original request to allow the request to continue
+          Legate.logger.error("Error applying authentication: #{e.message}") if defined?(Legate.logger)
+          request
+        end
+      end
+      # Check if a response indicates an authentication error
+      # @param response [Hash] The HTTP response to check
+      # @return [Boolean] True if the response indicates an authentication error
+      def authentication_error?(response)
+        return false unless response.is_a?(Hash)
+        # Check for common authentication error status codes
+        return true if [401, 403].include?(response[:status])
+        # Check for common error messages in response body
+        if response[:body] && response[:body].is_a?(String)
+          body_lower = response[:body].downcase
+          auth_error_indicators = [
+            'unauthorized', 'not authorized', 'invalid token',
+            'invalid api key', 'access denied', 'forbidden',
+            'authentication failed'
+          ]
+          return true if auth_error_indicators.any? { |indicator| body_lower.include?(indicator) }
+        end
+        # Check for error responses with auth error messages in JSON
+        if response[:body] && (response[:body].is_a?(Hash) ||
+            (response[:body].is_a?(String) && response[:body].start_with?('{')))
+          begin
+            body = response[:body].is_a?(Hash) ? response[:body] : JSON.parse(response[:body])
+            # Look for common error fields
+            %w[error errors message].each do |field|
+              next unless body[field]
+              error_text = body[field].is_a?(String) ? body[field].downcase : body[field].to_s.downcase
+              auth_error_indicators = [
+                'unauthorized', 'not authorized', 'invalid token',
+                'invalid api key', 'access denied', 'forbidden',
+                'authentication failed'
+              ]
+              return true if auth_error_indicators.any? { |indicator| error_text.include?(indicator) }
+            end
+          rescue JSON::ParserError
+            # Ignore parsing errors
+          end
+        end
+        false
+      end
+      # Generate a cache key for storing/retrieving tokens
+      # @param scheme [Legate::Auth::Scheme] The authentication scheme
+      # @param credential [Legate::Auth::Credential] The credential
+      # @return [String] A unique cache key
+      def generate_cache_key(scheme, credential)
+        # Create a hash based on scheme type and relevant credential properties
+        parts = [
+          scheme.scheme_type.to_s,
+          credential.auth_type.to_s
+        ]
+        # Add scheme-specific information
+        case scheme.scheme_type
+        when :api_key
+          parts << credential[:api_key, resolve_env: false].to_s
+        when :http_bearer
+          parts << credential[:bearer_token, resolve_env: false].to_s
+        when :oauth2, :oidc
+          parts << credential[:client_id, resolve_env: false].to_s
+          parts << credential[:scope, resolve_env: false].to_s
+        when :service_account
+          parts << credential[:client_email, resolve_env: false].to_s
+        end
+        # Create a unique key using a digest
+        require 'digest/sha2'
+        "auth_#{Digest::SHA256.hexdigest(parts.join(':'))}"
+      end
+      # Determine if a request requires authentication based on URL or headers
+      # @param request [Hash] The request to check
+      # @return [Boolean] True if the request likely requires authentication
+      def requires_authentication?(request)
+        return false unless request.is_a?(Hash)
+        # In test environments, always require authentication
+        return true if request[:test_auth] == true
+        # Check common indicators that a request requires authentication
+        # 1. Check if path or URL contains auth-protected paths
+        protected_paths = %w[
+          /api/ /v1/ /v2/ /v3/ /private/ /user/ /admin/
+          /account/ /secure/ /protected/ /internal/ /test/
+        ]
+        return true if request[:url] && protected_paths.any? { |path| request[:url].to_s.include?(path) }
+        return true if request[:path] && protected_paths.any? { |path| request[:path].to_s.include?(path) }
+        # 2. Check for Content-Type that often requires auth
+        if request[:headers] && request[:headers]['Content-Type']
+          auth_content_types = [
+            'application/json', 'application/xml',
+            'application/vnd.api+json'
+          ]
+          return true if auth_content_types.any? { |type| request[:headers]['Content-Type'].to_s.include?(type) }
+        end
+        # 3. Check for non-GET methods that typically require auth
+        return true if request[:method] && !%w[GET HEAD OPTIONS].include?(request[:method].to_s.upcase)
+        false
+      end
+    end
+  end
+end

data/lib/legate/auth/url_guard.rb ADDED Viewed

@@ -0,0 +1,81 @@
+# File: lib/legate/auth/url_guard.rb
+# frozen_string_literal: true
+require 'resolv'
+require 'ipaddr'
+require 'uri'
+require_relative 'error'
+module Legate
+  module Auth
+    # Canonical SSRF guard for outbound auth and credential-test URLs.
+    #
+    # Resolves the host and refuses loopback, link-local, private,
+    # 0.0.0.0/8 and CGNAT (100.64.0.0/10) targets so a misconfigured or
+    # attacker-supplied URL cannot reach internal services or cloud metadata.
+    # Set LEGATE_ALLOW_PRIVATE_AUTH_URLS=1 to bypass in development.
+    module UrlGuard
+      BLOCKED_RANGES = [
+        IPAddr.new('0.0.0.0/8'),
+        IPAddr.new('100.64.0.0/10')
+      ].freeze
+      module_function
+      # @param url [String] The URL to validate
+      # @param label [String] A label used in error messages
+      # @raise [Legate::Auth::Error] If the URL resolves to a restricted address
+      def validate!(url, label: 'Auth URL')
+        return if ENV['LEGATE_ALLOW_PRIVATE_AUTH_URLS']
+        hostname = parse_http_uri!(url, label).host
+        ips = resolved_ips(hostname)
+        # Fail closed: if we can't resolve the host, refuse rather than letting
+        # the request through (an unresolvable host can't be checked, and a
+        # resolver discrepancy could otherwise be used to slip past the guard).
+        if ips.empty?
+          raise Legate::Auth::Error,
+                "#{label}: could not resolve host '#{hostname}' for SSRF validation."
+        end
+        ips.each do |ip_str|
+          ip = IPAddr.new(ip_str)
+          next unless restricted?(ip)
+          raise Legate::Auth::Error,
+                "#{label} resolves to restricted network address (#{hostname} -> #{ip_str}). " \
+                'Set LEGATE_ALLOW_PRIVATE_AUTH_URLS=1 for development.'
+        rescue IPAddr::InvalidAddressError
+          next # skip unparseable IPs from the resolver
+        end
+      end
+      # @raise [Legate::Auth::Error] unless the URL uses an http/https scheme
+      def parse_http_uri!(url, label)
+        uri = URI.parse(url.to_s)
+        return uri if uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+        raise Legate::Auth::Error, "#{label} must use http or https scheme"
+      end
+      # @return [Array<String>] resolved IP strings ([] when resolution fails —
+      #   the caller treats empty as a hard failure / fail-closed).
+      def resolved_ips(hostname)
+        [IPAddr.new(hostname).to_s]
+      rescue IPAddr::InvalidAddressError
+        begin
+          Resolv.getaddresses(hostname)
+        rescue Resolv::ResolvError
+          []
+        end
+      end
+      def restricted?(ip)
+        # Normalize IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) to its IPv4 form so
+        # the loopback/private/link-local checks aren't bypassed by the mapping.
+        ip = ip.native if ip.ipv4_mapped?
+        ip.loopback? || ip.link_local? || ip.private? || BLOCKED_RANGES.any? { |r| r.include?(ip) }
+      end
+    end
+  end
+end