@aexhq/sdk 0.25.0 → 0.25.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/_contracts/event-stream-client.js +4 -2
- package/dist/_contracts/index.d.ts +0 -1
- package/dist/_contracts/index.js +0 -1
- package/dist/_contracts/operations.d.ts +11 -3
- package/dist/_contracts/operations.js +216 -6
- package/dist/_contracts/provider-support.d.ts +2 -13
- package/dist/_contracts/provider-support.js +2 -14
- package/dist/_contracts/proxy-protocol.d.ts +4 -2
- package/dist/_contracts/proxy-protocol.js +10 -3
- package/dist/_contracts/run-config.d.ts +7 -5
- package/dist/_contracts/run-config.js +10 -7
- package/dist/_contracts/run-cost.d.ts +3 -11
- package/dist/_contracts/run-cost.js +2 -57
- package/dist/_contracts/run-custody.d.ts +1 -52
- package/dist/_contracts/run-custody.js +3 -87
- package/dist/_contracts/run-retention.d.ts +1 -5
- package/dist/_contracts/run-retention.js +2 -14
- package/dist/_contracts/run-unit.d.ts +2 -2
- package/dist/_contracts/runtime-security-profile.js +1 -1
- package/dist/_contracts/runtime-types.d.ts +36 -10
- package/dist/_contracts/side-effect-audit.d.ts +4 -5
- package/dist/_contracts/side-effect-audit.js +1 -4
- package/dist/_contracts/status.d.ts +3 -4
- package/dist/_contracts/status.js +3 -8
- package/dist/_contracts/submission.d.ts +97 -42
- package/dist/_contracts/submission.js +109 -29
- package/dist/cli.mjs +256 -48
- package/dist/cli.mjs.sha256 +1 -1
- package/dist/client.d.ts +25 -17
- package/dist/client.js +29 -10
- package/dist/client.js.map +1 -1
- package/dist/index.d.ts +5 -5
- package/dist/index.js +4 -4
- package/dist/index.js.map +1 -1
- package/dist/version.d.ts +1 -1
- package/dist/version.js +1 -1
- package/docs/concepts/agent-tools.md +30 -23
- package/docs/concepts/runs.md +6 -0
- package/docs/credentials.md +5 -3
- package/docs/events.md +18 -0
- package/docs/limits.md +10 -1
- package/docs/outputs.md +58 -0
- package/docs/provider-runtime-capabilities.md +1 -1
- package/docs/public-surface.json +1 -1
- package/docs/release.md +1 -1
- package/docs/run-config.md +7 -2
- package/docs/skills.md +9 -8
- package/docs/vision-skills.md +11 -13
- package/package.json +2 -2
- package/dist/_contracts/managed-key.d.ts +0 -101
- package/dist/_contracts/managed-key.js +0 -181
|
@@ -1,101 +0,0 @@
|
|
|
1
|
-
import type { RunProvider, RuntimeKind } from "./submission.js";
|
|
2
|
-
import type { RunModel } from "./models.js";
|
|
3
|
-
export declare const CREDENTIAL_MODES: readonly ["byok", "managed"];
|
|
4
|
-
export type CredentialMode = (typeof CREDENTIAL_MODES)[number];
|
|
5
|
-
export declare const DEFAULT_CREDENTIAL_MODE: CredentialMode;
|
|
6
|
-
export declare const MANAGED_KEY_POLICY_SCHEMA_VERSION = 1;
|
|
7
|
-
export declare const MANAGED_KEY_RESERVATION_SCHEMA_VERSION = 1;
|
|
8
|
-
export declare const MANAGED_KEY_LAUNCH_STAGES: readonly ["blocked", "pilot", "ga"];
|
|
9
|
-
export type ManagedKeyLaunchStage = (typeof MANAGED_KEY_LAUNCH_STAGES)[number];
|
|
10
|
-
export declare const MANAGED_KEY_FEATURE_DECISIONS: readonly ["disabled", "allowed"];
|
|
11
|
-
export type ManagedKeyFeatureDecision = (typeof MANAGED_KEY_FEATURE_DECISIONS)[number];
|
|
12
|
-
export declare const MANAGED_KEY_RESERVATION_STATUSES: readonly ["open", "settled", "released"];
|
|
13
|
-
export type ManagedKeyReservationStatus = (typeof MANAGED_KEY_RESERVATION_STATUSES)[number];
|
|
14
|
-
export interface ManagedKeyFeaturePolicyV1 {
|
|
15
|
-
readonly files: ManagedKeyFeatureDecision;
|
|
16
|
-
readonly packages: ManagedKeyFeatureDecision;
|
|
17
|
-
readonly builtins: ManagedKeyFeatureDecision;
|
|
18
|
-
readonly mcpServers: ManagedKeyFeatureDecision;
|
|
19
|
-
readonly proxyEndpoints: ManagedKeyFeatureDecision;
|
|
20
|
-
readonly openNetworking: ManagedKeyFeatureDecision;
|
|
21
|
-
}
|
|
22
|
-
/**
|
|
23
|
-
* Public managed-key policy contract. Concrete policy values, account
|
|
24
|
-
* selection, financial calculation, and deployment wiring live outside this
|
|
25
|
-
* public module.
|
|
26
|
-
*/
|
|
27
|
-
export interface ManagedKeyPolicyV1 {
|
|
28
|
-
readonly schemaVersion: typeof MANAGED_KEY_POLICY_SCHEMA_VERSION;
|
|
29
|
-
readonly credentialMode: "managed";
|
|
30
|
-
readonly launchStage: ManagedKeyLaunchStage;
|
|
31
|
-
readonly privateImplementationAvailable: boolean;
|
|
32
|
-
readonly billingRequired: true;
|
|
33
|
-
readonly providers: readonly RunProvider[];
|
|
34
|
-
readonly runtimes: readonly RuntimeKind[];
|
|
35
|
-
readonly models?: readonly RunModel[];
|
|
36
|
-
readonly features: ManagedKeyFeaturePolicyV1;
|
|
37
|
-
}
|
|
38
|
-
/**
|
|
39
|
-
* Public-safe reservation lifecycle summary. It intentionally carries only
|
|
40
|
-
* credit-unit invariants and public row identifiers; private key handles,
|
|
41
|
-
* account selection, rate cards, margins, and payment-provider references
|
|
42
|
-
* remain outside this contract.
|
|
43
|
-
*/
|
|
44
|
-
export interface ManagedKeyReservationLifecycleV1 {
|
|
45
|
-
readonly schemaVersion: typeof MANAGED_KEY_RESERVATION_SCHEMA_VERSION;
|
|
46
|
-
readonly reservationId: string;
|
|
47
|
-
readonly workspaceId: string;
|
|
48
|
-
readonly runId: string;
|
|
49
|
-
readonly credentialMode: "managed";
|
|
50
|
-
readonly status: ManagedKeyReservationStatus;
|
|
51
|
-
readonly reservedCreditUnits: number;
|
|
52
|
-
readonly chargedCreditUnits: number;
|
|
53
|
-
readonly releasedCreditUnits: number;
|
|
54
|
-
readonly createdAt?: string;
|
|
55
|
-
readonly closedAt?: string;
|
|
56
|
-
}
|
|
57
|
-
export type ManagedKeyReservationLifecycleInput = Omit<ManagedKeyReservationLifecycleV1, "schemaVersion" | "credentialMode"> & {
|
|
58
|
-
readonly credentialMode?: "managed";
|
|
59
|
-
};
|
|
60
|
-
export declare const BLOCKED_MANAGED_KEY_FEATURE_POLICY_V1: ManagedKeyFeaturePolicyV1;
|
|
61
|
-
export declare const BLOCKED_MANAGED_KEY_POLICY_V1: ManagedKeyPolicyV1;
|
|
62
|
-
export declare class ManagedKeyUnavailableError extends Error {
|
|
63
|
-
readonly code = "managed_key_unavailable";
|
|
64
|
-
constructor(message?: string);
|
|
65
|
-
}
|
|
66
|
-
export declare function parseCredentialMode(input: unknown): CredentialMode;
|
|
67
|
-
export declare function credentialModeOrDefault(input: CredentialMode | undefined): CredentialMode;
|
|
68
|
-
export declare function isCredentialMode(input: unknown): input is CredentialMode;
|
|
69
|
-
export declare function buildManagedKeyReservationLifecycle(input: ManagedKeyReservationLifecycleInput): ManagedKeyReservationLifecycleV1;
|
|
70
|
-
export declare function isManagedKeyGenerallyAvailable(policy: ManagedKeyPolicyV1): boolean;
|
|
71
|
-
export declare function isManagedKeyAdmissionAllowed(policy: ManagedKeyPolicyV1): boolean;
|
|
72
|
-
export declare function assertManagedKeyModeAvailable(policy?: ManagedKeyPolicyV1): void;
|
|
73
|
-
export declare function assertManagedKeyAdmissionAllowed(policy?: ManagedKeyPolicyV1): void;
|
|
74
|
-
export interface ManagedCredentialResolutionInput {
|
|
75
|
-
readonly workspaceId: string;
|
|
76
|
-
readonly runId: string;
|
|
77
|
-
readonly provider: RunProvider;
|
|
78
|
-
readonly runtime: RuntimeKind;
|
|
79
|
-
readonly model: RunModel;
|
|
80
|
-
readonly policy: ManagedKeyPolicyV1;
|
|
81
|
-
}
|
|
82
|
-
export interface ManagedCredentialLease {
|
|
83
|
-
readonly credentialMode: "managed";
|
|
84
|
-
readonly provider: RunProvider;
|
|
85
|
-
readonly runtime: RuntimeKind;
|
|
86
|
-
readonly custodyClass: "managed-provider-credential";
|
|
87
|
-
}
|
|
88
|
-
export type ManagedCredentialResolution = {
|
|
89
|
-
readonly ok: true;
|
|
90
|
-
readonly lease: ManagedCredentialLease;
|
|
91
|
-
} | {
|
|
92
|
-
readonly ok: false;
|
|
93
|
-
readonly code: "managed_key_unavailable" | "provider_not_allowed" | "runtime_not_allowed" | "model_not_allowed";
|
|
94
|
-
readonly message: string;
|
|
95
|
-
};
|
|
96
|
-
export interface ManagedCredentialResolver {
|
|
97
|
-
resolveManagedCredential(input: ManagedCredentialResolutionInput): Promise<ManagedCredentialResolution>;
|
|
98
|
-
}
|
|
99
|
-
export declare class FakeManagedCredentialResolver implements ManagedCredentialResolver {
|
|
100
|
-
resolveManagedCredential(input: ManagedCredentialResolutionInput): Promise<ManagedCredentialResolution>;
|
|
101
|
-
}
|
|
@@ -1,181 +0,0 @@
|
|
|
1
|
-
export const CREDENTIAL_MODES = ["byok", "managed"];
|
|
2
|
-
export const DEFAULT_CREDENTIAL_MODE = "byok";
|
|
3
|
-
export const MANAGED_KEY_POLICY_SCHEMA_VERSION = 1;
|
|
4
|
-
export const MANAGED_KEY_RESERVATION_SCHEMA_VERSION = 1;
|
|
5
|
-
export const MANAGED_KEY_LAUNCH_STAGES = ["blocked", "pilot", "ga"];
|
|
6
|
-
export const MANAGED_KEY_FEATURE_DECISIONS = ["disabled", "allowed"];
|
|
7
|
-
export const MANAGED_KEY_RESERVATION_STATUSES = ["open", "settled", "released"];
|
|
8
|
-
export const BLOCKED_MANAGED_KEY_FEATURE_POLICY_V1 = Object.freeze({
|
|
9
|
-
files: "disabled",
|
|
10
|
-
packages: "disabled",
|
|
11
|
-
builtins: "disabled",
|
|
12
|
-
mcpServers: "disabled",
|
|
13
|
-
proxyEndpoints: "disabled",
|
|
14
|
-
openNetworking: "disabled"
|
|
15
|
-
});
|
|
16
|
-
export const BLOCKED_MANAGED_KEY_POLICY_V1 = Object.freeze({
|
|
17
|
-
schemaVersion: MANAGED_KEY_POLICY_SCHEMA_VERSION,
|
|
18
|
-
credentialMode: "managed",
|
|
19
|
-
launchStage: "blocked",
|
|
20
|
-
privateImplementationAvailable: false,
|
|
21
|
-
billingRequired: true,
|
|
22
|
-
providers: Object.freeze([]),
|
|
23
|
-
runtimes: Object.freeze([]),
|
|
24
|
-
features: BLOCKED_MANAGED_KEY_FEATURE_POLICY_V1
|
|
25
|
-
});
|
|
26
|
-
export class ManagedKeyUnavailableError extends Error {
|
|
27
|
-
code = "managed_key_unavailable";
|
|
28
|
-
constructor(message = "credentialMode: \"managed\" is not available without a private managed-key implementation") {
|
|
29
|
-
super(message);
|
|
30
|
-
this.name = "ManagedKeyUnavailableError";
|
|
31
|
-
}
|
|
32
|
-
}
|
|
33
|
-
export function parseCredentialMode(input) {
|
|
34
|
-
if (input === undefined) {
|
|
35
|
-
return DEFAULT_CREDENTIAL_MODE;
|
|
36
|
-
}
|
|
37
|
-
if (!isCredentialMode(input)) {
|
|
38
|
-
throw new Error(`credentialMode must be one of: ${CREDENTIAL_MODES.join(", ")} (got ${JSON.stringify(input)})`);
|
|
39
|
-
}
|
|
40
|
-
return input;
|
|
41
|
-
}
|
|
42
|
-
export function credentialModeOrDefault(input) {
|
|
43
|
-
return input ?? DEFAULT_CREDENTIAL_MODE;
|
|
44
|
-
}
|
|
45
|
-
export function isCredentialMode(input) {
|
|
46
|
-
return typeof input === "string" && CREDENTIAL_MODES.includes(input);
|
|
47
|
-
}
|
|
48
|
-
export function buildManagedKeyReservationLifecycle(input) {
|
|
49
|
-
const status = normalizeManagedKeyReservationStatus(input.status);
|
|
50
|
-
const reservedCreditUnits = nonNegativeFinite(input.reservedCreditUnits, "reservedCreditUnits");
|
|
51
|
-
const chargedCreditUnits = nonNegativeFinite(input.chargedCreditUnits, "chargedCreditUnits");
|
|
52
|
-
const releasedCreditUnits = nonNegativeFinite(input.releasedCreditUnits, "releasedCreditUnits");
|
|
53
|
-
if (input.credentialMode !== undefined && input.credentialMode !== "managed") {
|
|
54
|
-
throw new Error("managed-key reservation credentialMode must be managed");
|
|
55
|
-
}
|
|
56
|
-
if (status === "open") {
|
|
57
|
-
if (input.closedAt !== undefined) {
|
|
58
|
-
throw new Error("managed-key open reservation must not have closedAt");
|
|
59
|
-
}
|
|
60
|
-
if (chargedCreditUnits !== 0 || releasedCreditUnits !== 0) {
|
|
61
|
-
throw new Error("managed-key open reservation cannot have charged or released credit units");
|
|
62
|
-
}
|
|
63
|
-
}
|
|
64
|
-
if (status === "settled") {
|
|
65
|
-
if (!input.closedAt) {
|
|
66
|
-
throw new Error("managed-key settled reservation requires closedAt");
|
|
67
|
-
}
|
|
68
|
-
const expectedReleased = Math.max(0, reservedCreditUnits - chargedCreditUnits);
|
|
69
|
-
if (!nearlyEqual(releasedCreditUnits, expectedReleased)) {
|
|
70
|
-
throw new Error("managed-key settlement releasedCreditUnits must equal max(reserved - charged, 0)");
|
|
71
|
-
}
|
|
72
|
-
}
|
|
73
|
-
if (status === "released") {
|
|
74
|
-
if (!input.closedAt) {
|
|
75
|
-
throw new Error("managed-key released reservation requires closedAt");
|
|
76
|
-
}
|
|
77
|
-
if (chargedCreditUnits !== 0 || !nearlyEqual(releasedCreditUnits, reservedCreditUnits)) {
|
|
78
|
-
throw new Error("managed-key released reservation must release all reserved credit units without charge");
|
|
79
|
-
}
|
|
80
|
-
}
|
|
81
|
-
return Object.freeze({
|
|
82
|
-
schemaVersion: MANAGED_KEY_RESERVATION_SCHEMA_VERSION,
|
|
83
|
-
reservationId: nonEmptyString(input.reservationId, "reservationId"),
|
|
84
|
-
workspaceId: nonEmptyString(input.workspaceId, "workspaceId"),
|
|
85
|
-
runId: nonEmptyString(input.runId, "runId"),
|
|
86
|
-
credentialMode: "managed",
|
|
87
|
-
status,
|
|
88
|
-
reservedCreditUnits,
|
|
89
|
-
chargedCreditUnits,
|
|
90
|
-
releasedCreditUnits,
|
|
91
|
-
...(input.createdAt ? { createdAt: input.createdAt } : {}),
|
|
92
|
-
...(input.closedAt ? { closedAt: input.closedAt } : {})
|
|
93
|
-
});
|
|
94
|
-
}
|
|
95
|
-
export function isManagedKeyGenerallyAvailable(policy) {
|
|
96
|
-
return policy.launchStage === "ga" && policy.privateImplementationAvailable;
|
|
97
|
-
}
|
|
98
|
-
export function isManagedKeyAdmissionAllowed(policy) {
|
|
99
|
-
return policy.launchStage !== "blocked" && policy.privateImplementationAvailable;
|
|
100
|
-
}
|
|
101
|
-
export function assertManagedKeyModeAvailable(policy = BLOCKED_MANAGED_KEY_POLICY_V1) {
|
|
102
|
-
if (!isManagedKeyGenerallyAvailable(policy)) {
|
|
103
|
-
throw new ManagedKeyUnavailableError();
|
|
104
|
-
}
|
|
105
|
-
}
|
|
106
|
-
export function assertManagedKeyAdmissionAllowed(policy = BLOCKED_MANAGED_KEY_POLICY_V1) {
|
|
107
|
-
if (!isManagedKeyAdmissionAllowed(policy)) {
|
|
108
|
-
throw new ManagedKeyUnavailableError();
|
|
109
|
-
}
|
|
110
|
-
}
|
|
111
|
-
export class FakeManagedCredentialResolver {
|
|
112
|
-
async resolveManagedCredential(input) {
|
|
113
|
-
const denial = resolvePolicyDenial(input);
|
|
114
|
-
if (denial) {
|
|
115
|
-
return denial;
|
|
116
|
-
}
|
|
117
|
-
return {
|
|
118
|
-
ok: true,
|
|
119
|
-
lease: Object.freeze({
|
|
120
|
-
credentialMode: "managed",
|
|
121
|
-
provider: input.provider,
|
|
122
|
-
runtime: input.runtime,
|
|
123
|
-
custodyClass: "managed-provider-credential"
|
|
124
|
-
})
|
|
125
|
-
};
|
|
126
|
-
}
|
|
127
|
-
}
|
|
128
|
-
function resolvePolicyDenial(input) {
|
|
129
|
-
if (!isManagedKeyGenerallyAvailable(input.policy)) {
|
|
130
|
-
return {
|
|
131
|
-
ok: false,
|
|
132
|
-
code: "managed_key_unavailable",
|
|
133
|
-
message: "managed-key mode is not generally available for this public policy"
|
|
134
|
-
};
|
|
135
|
-
}
|
|
136
|
-
if (!input.policy.providers.includes(input.provider)) {
|
|
137
|
-
return {
|
|
138
|
-
ok: false,
|
|
139
|
-
code: "provider_not_allowed",
|
|
140
|
-
message: `provider ${input.provider} is not allowed by managed-key policy`
|
|
141
|
-
};
|
|
142
|
-
}
|
|
143
|
-
if (!input.policy.runtimes.includes(input.runtime)) {
|
|
144
|
-
return {
|
|
145
|
-
ok: false,
|
|
146
|
-
code: "runtime_not_allowed",
|
|
147
|
-
message: `runtime ${input.runtime} is not allowed by managed-key policy`
|
|
148
|
-
};
|
|
149
|
-
}
|
|
150
|
-
if (input.policy.models && !input.policy.models.includes(input.model)) {
|
|
151
|
-
return {
|
|
152
|
-
ok: false,
|
|
153
|
-
code: "model_not_allowed",
|
|
154
|
-
message: "model is not allowed by managed-key policy"
|
|
155
|
-
};
|
|
156
|
-
}
|
|
157
|
-
return null;
|
|
158
|
-
}
|
|
159
|
-
function normalizeManagedKeyReservationStatus(input) {
|
|
160
|
-
if (typeof input !== "string" ||
|
|
161
|
-
!MANAGED_KEY_RESERVATION_STATUSES.includes(input)) {
|
|
162
|
-
throw new Error(`managed-key reservation status ${String(input)} is not supported`);
|
|
163
|
-
}
|
|
164
|
-
return input;
|
|
165
|
-
}
|
|
166
|
-
function nonEmptyString(value, field) {
|
|
167
|
-
if (typeof value !== "string" || value.trim().length === 0) {
|
|
168
|
-
throw new Error(`managed-key reservation ${field} must be a non-empty string`);
|
|
169
|
-
}
|
|
170
|
-
return value;
|
|
171
|
-
}
|
|
172
|
-
function nonNegativeFinite(value, field) {
|
|
173
|
-
if (!Number.isFinite(value) || value < 0) {
|
|
174
|
-
throw new Error(`managed-key reservation ${field} must be a non-negative finite number`);
|
|
175
|
-
}
|
|
176
|
-
return value;
|
|
177
|
-
}
|
|
178
|
-
function nearlyEqual(left, right) {
|
|
179
|
-
return Math.abs(left - right) <= 1e-9;
|
|
180
|
-
}
|
|
181
|
-
//# sourceMappingURL=managed-key.js.map
|