@aexhq/sdk 0.35.0 → 0.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59)
  1. package/README.md +16 -15
  2. package/dist/_contracts/index.d.ts +3 -4
  3. package/dist/_contracts/index.js +1 -4
  4. package/dist/_contracts/operations.d.ts +2 -1
  5. package/dist/_contracts/operations.js +10 -0
  6. package/dist/_contracts/run-config.d.ts +1 -3
  7. package/dist/_contracts/run-config.js +2 -7
  8. package/dist/_contracts/run-trace.d.ts +0 -86
  9. package/dist/_contracts/run-trace.js +1 -184
  10. package/dist/_contracts/run-unit.d.ts +2 -25
  11. package/dist/_contracts/run-unit.js +1 -2
  12. package/dist/_contracts/runtime-manifest.d.ts +1 -1
  13. package/dist/_contracts/runtime-security-profile.d.ts +0 -2
  14. package/dist/_contracts/runtime-security-profile.js +0 -9
  15. package/dist/_contracts/runtime-types.d.ts +25 -4
  16. package/dist/_contracts/stable.d.ts +1 -1
  17. package/dist/_contracts/stable.js +1 -1
  18. package/dist/_contracts/submission.d.ts +4 -72
  19. package/dist/_contracts/submission.js +5 -472
  20. package/dist/cli.mjs +20 -442
  21. package/dist/cli.mjs.sha256 +1 -1
  22. package/dist/client.d.ts +30 -25
  23. package/dist/client.js +251 -66
  24. package/dist/client.js.map +1 -1
  25. package/dist/index.d.ts +7 -15
  26. package/dist/index.js +5 -17
  27. package/dist/index.js.map +1 -1
  28. package/dist/secret.d.ts +2 -2
  29. package/dist/secret.js +1 -1
  30. package/dist/version.d.ts +1 -1
  31. package/dist/version.js +1 -1
  32. package/docs/concepts/composition.md +8 -14
  33. package/docs/credentials.md +59 -101
  34. package/docs/defaults.md +0 -8
  35. package/docs/events.md +8 -9
  36. package/docs/limits-and-quotas.md +1 -4
  37. package/docs/limits.md +2 -6
  38. package/docs/mcp.md +4 -5
  39. package/docs/networking.md +6 -16
  40. package/docs/outputs.md +0 -4
  41. package/docs/public-surface.json +3 -3
  42. package/docs/quickstart.md +3 -7
  43. package/docs/run-config.md +6 -3
  44. package/docs/secrets.md +1 -1
  45. package/docs/skills.md +3 -3
  46. package/docs/vision-skills.md +52 -101
  47. package/examples/feature-tour.ts +4 -21
  48. package/package.json +1 -1
  49. package/dist/_contracts/proxy-protocol.d.ts +0 -305
  50. package/dist/_contracts/proxy-protocol.js +0 -297
  51. package/dist/_contracts/proxy-validation.d.ts +0 -19
  52. package/dist/_contracts/proxy-validation.js +0 -51
  53. package/dist/data-tools.d.ts +0 -82
  54. package/dist/data-tools.js +0 -251
  55. package/dist/data-tools.js.map +0 -1
  56. package/dist/proxy-endpoint.d.ts +0 -131
  57. package/dist/proxy-endpoint.js +0 -144
  58. package/dist/proxy-endpoint.js.map +0 -1
  59. package/examples/chat-corpus.ts +0 -84
@@ -1,73 +1,57 @@
1
1
  ---
2
- title: Call a vision (or any model) API from a skill
2
+ title: Call a vision API from a skill
3
3
  ---
4
4
 
5
- # Call a vision (or any model) API from a skill
5
+ # Call a vision API from a skill
6
6
 
7
- aex has no built-in vision tool. The agent's `provider`/`model` selects the
8
- *reasoning* model it is not an endpoint a skill can POST an image to mid-run.
9
- To give a run image understanding (or to call any other model/HTTP API), ship a
10
- **skill** that POSTs to the provider's OpenAI-compatible endpoint **through the
11
- managed proxy**, with the key supplied on a `ProxyEndpoint.bearer(...)` instance.
12
- The raw key never enters the container.
7
+ aex has no built-in vision tool. The agent's `provider` / `model` selects the
8
+ reasoning model for the run; if a skill needs image understanding mid-run, ship a
9
+ skill that calls the vision provider with normal HTTP and pass that provider key
10
+ as a runtime secret.
13
11
 
14
- This is the same proxy described in `credentials.md` — this page is the worked
15
- recipe for the model-API case, which has two wrinkles a plain JSON call does not:
16
- the image rides as a **base64 data URL** in the request body, and that body is
17
- large enough to need a raised `maxRequestBytes`.
12
+ The runnable example lives at [`examples/vision-skill/`](../../../examples/vision-skill).
13
+ It captions a frame with ByteDance Doubao Seed Vision (Ark) and returns a
14
+ per-noun "does the frame depict X?" verdict.
18
15
 
19
- The canonical, runnable example lives in the repo at
20
- [`examples/vision-skill/`](../../../examples/vision-skill) (`SKILL.md`,
21
- `caption_frame.py`, `verify_frame.py`, `run_with_vision_skill.mjs`). It
22
- captions a frame with ByteDance Doubao Seed Vision (Ark) and returns a per-noun
23
- "does the frame depict X?" verdict. Everything below is taken from it.
24
-
25
- ## 1. Declare the model endpoint as a proxy endpoint
26
-
27
- The vision provider's API is just an HTTPS host. Declare it with
28
- `ProxyEndpoint.bearer(...)`, which carries the key on the instance. The two
29
- model-specific settings are `responseMode: "full"` (so the skill gets the upstream
30
- JSON back) and a raised `maxRequestBytes` (so the base64 image fits):
16
+ ## Submit the run
31
17
 
32
18
  ```ts
33
- import { Aex, Models, Tools, ProxyEndpoint } from "@aexhq/sdk";
19
+ import { Aex, Models, Secret, Tools } from "@aexhq/sdk";
34
20
 
35
21
  const aex = new Aex({ apiToken: process.env.AEX_API_TOKEN! });
36
22
 
37
- const doubaoArk = ProxyEndpoint.bearer({
38
- name: "doubao-ark",
39
- baseUrl: "https://ark.ap-southeast.bytepluses.com", // intl BytePlus gateway
40
- token: process.env.DOUBAO_API_KEY!,
41
- allowMethods: ["POST"],
42
- allowPathPrefixes: ["/api/v3/chat/completions"],
43
- maxRequestBytes: 2_000_000, // base64 image POSTs — see note below
44
- responseMode: "full",
45
- timeoutMs: 60_000
46
- });
47
-
48
- await aex.run({
23
+ const result = await aex.run({
49
24
  model: Models.CLAUDE_HAIKU_4_5,
50
- message: "…read skills/frame-vision-gate/SKILL.md, then caption + verify the frame",
25
+ message: "Read skills/frame-vision-gate/SKILL.md, then caption and verify the frame.",
51
26
  tools: [await Tools.fromSkillDir("./vision-skill", { name: "frame-vision-gate" })],
52
- proxyEndpoints: [doubaoArk],
27
+ environment: {
28
+ secrets: {
29
+ DOUBAO_API_KEY: Secret.value(process.env.DOUBAO_API_KEY!)
30
+ },
31
+ networking: {
32
+ mode: "limited",
33
+ allowedHosts: ["ark.ap-southeast.bytepluses.com"]
34
+ }
35
+ },
53
36
  apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! }
54
37
  });
38
+
39
+ console.log(result.runId, result.text);
55
40
  ```
56
41
 
57
- `Tools.fromSkillDir("./vision-skill", )` is resolved relative to the process CWD, so
58
- run the script from the directory that *contains* `vision-skill/` (in the
59
- repo, that is `examples/`). The same pattern works for OpenAI, Gemini's
60
- OpenAI-compatible endpoint, or any other OpenAI-chat-shaped vision API — only
61
- `baseUrl` and the path prefix change.
42
+ `Tools.fromSkillDir("./vision-skill", ...)` is resolved relative to the process
43
+ CWD. Run the script from the directory that contains `vision-skill/` (in this
44
+ repo, `examples/`).
62
45
 
63
- ## 2. POST the image as a base64 data URL through the proxy
46
+ ## Call the provider from the skill
64
47
 
65
- Inside the run, the skill builds the OpenAI-compatible chat-completions body. The
66
- image is **base64-inlined as a data URL** in an `image_url` content part — it is
67
- not uploaded:
48
+ Inside the run, the skill reads `DOUBAO_API_KEY` and makes an
49
+ OpenAI-compatible chat-completions request with Python's standard HTTP client.
50
+ The image is base64-inlined as a data URL in the request body:
68
51
 
69
52
  ```python
70
- import base64, json
53
+ import base64, json, os, urllib.request
54
+
71
55
  b64 = base64.b64encode(open("/workspace/files/frame.jpg", "rb").read()).decode()
72
56
  request_body = {
73
57
  "model": "doubao-seed-1-6-vision-250815",
@@ -81,63 +65,30 @@ request_body = {
81
65
  ]}
82
66
  ]
83
67
  }
84
- ```
85
-
86
- Write the body to a file and hand it to the mounted CLI with `--data @<file>`
87
- (the mount has no execute bit, so invoke through `bun`; see `credentials.md`):
88
68
 
89
- ```python
90
- import subprocess
91
- body_path = "/workspace/.aex/_ark_request.json"
92
- open(body_path, "w").write(json.dumps(request_body))
93
-
94
- result = subprocess.run(
95
- ["bun", "/mnt/session/uploads/aex/aex", "proxy", "doubao-ark",
96
- "--method", "POST",
97
- "--path", "/api/v3/chat/completions",
98
- "--header", "content-type=application/json",
99
- "--data", f"@{body_path}",
100
- "--response-mode", "full"],
101
- capture_output=True, text=True, timeout=90,
69
+ req = urllib.request.Request(
70
+ "https://ark.ap-southeast.bytepluses.com/api/v3/chat/completions",
71
+ data=json.dumps(request_body).encode("utf-8"),
72
+ headers={
73
+ "Authorization": f"Bearer {os.environ['DOUBAO_API_KEY']}",
74
+ "Content-Type": "application/json"
75
+ },
76
+ method="POST",
102
77
  )
103
78
  ```
104
79
 
105
- In `--response-mode full` the CLI prints a `ProxyResponseEnvelope` on stdout. The
106
- upstream JSON is **base64-encoded** in `upstreamBodyBase64`; an error instead
107
- carries an `error` field. Unwrap it:
108
-
109
- ```python
110
- envelope = json.loads(result.stdout)
111
- if "error" in envelope:
112
- raise RuntimeError(f"proxy error: {envelope['error']}: {envelope['message']}")
113
- upstream = json.loads(base64.b64decode(envelope["upstreamBodyBase64"]).decode())
114
- content = upstream["choices"][0]["message"]["content"] # the model's JSON answer
115
- ```
116
-
117
- The key is injected by the hosted proxy on the outbound call; it never appears on disk in
118
- the container or in the model's context.
119
-
120
- ## `maxRequestBytes` and timeout defaults
80
+ The same pattern works for OpenAI, Gemini's OpenAI-compatible endpoint, or any
81
+ other HTTPS model API. Put the key in `environment.secrets`, allow-list the host
82
+ when using limited networking, and use the provider's normal SDK or HTTP API.
121
83
 
122
- The per-endpoint `maxRequestBytes` default is **10 MiB** and the default timeout
123
- is **5 minutes**. That fits typical base64 image/model POSTs without extra
124
- configuration. If a body does exceed the cap, the proxy rejects it before any
125
- upstream call with an explicit error naming the observed size, the configured
126
- cap, and how to raise it:
84
+ ## Payload size
127
85
 
128
- > request body is 2400000 bytes, which exceeds this endpoint's maxRequestBytes
129
- > (10485760). Raise the per-endpoint maxRequestBytes in the proxy endpoint policy …
86
+ Base64 images are larger than their source files. Scale frames before captioning
87
+ when possible, for example:
130
88
 
131
- Two ways to stay under the cap: raise `maxRequestBytes`, and/or scale frames
132
- before captioning (`ffmpeg -i source.mp4 -vf fps=1,scale=960:-1 frame_%03d.jpg`)
133
- so full-res frames do not add payload and model cost without useful signal.
134
-
135
- ## Notes
89
+ ```bash
90
+ ffmpeg -i source.mp4 -vf fps=1,scale=960:-1 frame_%03d.jpg
91
+ ```
136
92
 
137
- - **Host selection.** Use the provider endpoint that matches your account and
138
- declare it as the proxy endpoint `baseUrl`.
139
- - **Keyless model hosts.** If the upstream takes no credential, declare the
140
- endpoint with `ProxyEndpoint.none(...)` (see `credentials.md`).
141
- - **Response size.** `responseMode: "full"` is required to read the model's reply
142
- back. Leave `maxResponseBytes` at its default (`0` = unlimited, streamed) unless
143
- you want a truncation cap.
93
+ This keeps upload size and model cost bounded without losing the signal most
94
+ vision models need.
@@ -2,7 +2,7 @@
2
2
  * SDK feature tour: one managed session that uses typed model/runtime constants,
3
3
  * inline AGENTS.md guidance, uploaded files, a custom tool bundle, selected
4
4
  * built-in tools, runtime env vars/secrets, streamed events, output reads, and
5
- * corpus-scoped data tools.
5
+ * a follow-up session turn.
6
6
  *
7
7
  * Run from the repository root after building the workspace package:
8
8
  *
@@ -20,13 +20,11 @@ import {
20
20
  AgentsMd,
21
21
  Aex,
22
22
  BuiltinTools,
23
- createCorpusTools,
24
23
  File,
25
24
  isRateLimited,
26
25
  isTextMessage,
27
26
  McpServer,
28
27
  Models,
29
- ProxyEndpoint,
30
28
  Providers,
31
29
  Secret,
32
30
  Sizes,
@@ -132,17 +130,6 @@ const environmentSecrets = demoRuntimeSecret
132
130
  ? { DEMO_RUNTIME_SECRET: Secret.value(demoRuntimeSecret) }
133
131
  : undefined;
134
132
 
135
- const proxyEndpoints = [
136
- ProxyEndpoint.none({
137
- name: "httpbin",
138
- baseUrl: "https://httpbin.org",
139
- allowMethods: ["GET"],
140
- allowPathPrefixes: ["/json"],
141
- responseMode: "full",
142
- timeoutMs: 10_000
143
- })
144
- ];
145
-
146
133
  console.log("creating feature-tour session...");
147
134
  console.log(`optional mcp: ${mcpServers.length > 0 ? "enabled" : "disabled"}`);
148
135
  console.log(`optional runtime secret: ${environmentSecrets ? "enabled" : "disabled"}`);
@@ -165,7 +152,6 @@ const session = await aex.openSession({
165
152
  BuiltinTools.code_execution,
166
153
  metricLookup
167
154
  ],
168
- proxyEndpoints,
169
155
  mcpServers,
170
156
  environment: {
171
157
  networking: { mode: "open" },
@@ -201,8 +187,7 @@ const prompt = [
201
187
  "Analyze the attached quarterly metrics.",
202
188
  "Call metric_lookup for atlas, beacon, and cinder.",
203
189
  "Create /workspace/outputs/feature-tour-report.md with a short table, a ranking by q2_revenue_usd, and two risks.",
204
- "Create /workspace/outputs/summary.json with keys topProduct, totalQ2RevenueUsd, highestActivationProduct, and riskCount.",
205
- "Mention whether the httpbin proxy endpoint is declared, but do not call it unless you need to."
190
+ "Create /workspace/outputs/summary.json with keys topProduct, totalQ2RevenueUsd, highestActivationProduct, and riskCount."
206
191
  ].join(" ");
207
192
 
208
193
  const firstTurn = session.send(prompt);
@@ -272,10 +257,8 @@ if (report) {
272
257
  console.log(reportPreview.text || "(no risk lines found)");
273
258
  }
274
259
 
275
- const corpusTools = createCorpusTools(aex, { sessionIds: [session.id] }, { defaultReadBytes: 4_000 });
276
- const corpusOutputs = await corpusTools.execute("list_outputs", { session_id: session.id });
277
- console.log("corpus-scoped list_outputs result:");
278
- console.log(JSON.stringify(corpusOutputs, null, 2));
260
+ const reopenedOutputs = await aex.sessions.outputs(session.id).list();
261
+ console.log(`outputs via aex.sessions.outputs(...): ${reopenedOutputs.length}`);
279
262
 
280
263
  if (downloadPath) {
281
264
  const bytes = await session.download({ to: downloadPath });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aexhq/sdk",
3
- "version": "0.35.0",
3
+ "version": "0.36.0",
4
4
  "description": "TypeScript SDK for running autonomous agent sessions across providers (Anthropic, OpenAI, DeepSeek, Gemini, Mistral) behind one interface.",
5
5
  "license": "Apache-2.0",
6
6
  "repository": {
@@ -1,305 +0,0 @@
1
- /**
2
- * Wire-protocol version. Bumped on any breaking change to the request or
3
- * response shape. The CLI sends this in the `X-Aex-Proxy-Protocol`
4
- * header on every request; the BFF rejects mismatches with HTTP 426
5
- * `unsupported_protocol`.
6
- *
7
- * Bumps are coordinated: CLI and BFF release together, the hosted API
8
- * bundles the matching CLI artifact, and the e2e suite runs both with
9
- * the new version.
10
- */
11
- export declare const PROXY_PROTOCOL_VERSION: "1";
12
- /**
13
- * Streaming named-proxy protocol. A client that sends `"2"` in
14
- * {@link PROXY_PROTOCOL_HEADER} opts into the streamed response path: the
15
- * hosted API pipes the upstream body back unbuffered (no base64, no
16
- * full-body JSON envelope) and carries the envelope metadata
17
- * in the `x-aex-proxy-*` response headers below instead of a JSON envelope.
18
- *
19
- * Additive: `"1"` stays valid and keeps the buffered
20
- * {@link ProxyResponseEnvelope}. Old runners keep working; new runners
21
- * stream. The version is on the request header so the hosted API can serve
22
- * both shapes without a coordinated CLI/BFF release.
23
- */
24
- export declare const PROXY_PROTOCOL_VERSION_V2: "2";
25
- export declare const PROXY_PROTOCOL_HEADER = "x-aex-proxy-protocol";
26
- /**
27
- * Response headers for the streamed (v2) named-proxy path. The hosted API sets
28
- * these BEFORE it starts streaming the upstream body, so the client can
29
- * reconstruct the same fields the v1 {@link ProxyResponseEnvelope} carried
30
- * without buffering. All values are plain strings; numeric fields are
31
- * decimal, booleans are `"true"`/`"false"`.
32
- */
33
- export declare const PROXY_RESP_STATUS_HEADER = "x-aex-proxy-status";
34
- export declare const PROXY_RESP_MODE_HEADER = "x-aex-proxy-effective-mode";
35
- /**
36
- * `"true"` when the cap forced truncation, `"false"` when the full body
37
- * fit, `"unknown"` when the upstream omitted `content-length` and the body
38
- * happened to reach the cap (can't distinguish exact-fit from over-cap
39
- * without buffering). See the streaming byte-cap note in proxy-routes.ts.
40
- */
41
- export declare const PROXY_RESP_TRUNCATED_HEADER = "x-aex-proxy-truncated";
42
- /** JSON object of lowercase upstream header names → values (mode-filtered). */
43
- export declare const PROXY_RESP_UPSTREAM_HEADERS_HEADER = "x-aex-proxy-upstream-headers";
44
- /**
45
- * Default `User-Agent` the proxy attaches to every outbound request when
46
- * the caller did not supply one via `allowHeaders`. Some upstreams reject
47
- * requests that arrive without a meaningful UA — notably the Wikimedia
48
- * family (Wikidata, Wikipedia, Wikimedia Commons), whose policy requires
49
- * a contactable identifier and otherwise returns HTTP 403 with a
50
- * `Please identify your user agent` body.
51
- *
52
- * Callers can override per request by listing `user-agent` in their
53
- * endpoint's `allowHeaders` and setting it on the proxy call; the
54
- * default only fires when nothing was forwarded.
55
- *
56
- * See <https://meta.wikimedia.org/wiki/User-Agent_policy>.
57
- */
58
- export declare const PROXY_DEFAULT_USER_AGENT = "aex-proxy/1.0 (+https://aex.dev/contact)";
59
- export declare const PROXY_METHOD_HEADER = "x-aex-method";
60
- export declare const PROXY_PATH_HEADER = "x-aex-path";
61
- export declare const PROXY_QUERY_HEADER = "x-aex-query";
62
- export declare const PROXY_HEADERS_HEADER = "x-aex-headers";
63
- export declare const PROXY_RESPONSE_MODE_HEADER = "x-aex-response-mode";
64
- export declare const PROXY_ALLOWED_METHODS: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"];
65
- export type ProxyMethod = (typeof PROXY_ALLOWED_METHODS)[number];
66
- export declare const PROXY_RESPONSE_MODES: readonly ["status_only", "headers_only", "full"];
67
- export type ProxyResponseMode = (typeof PROXY_RESPONSE_MODES)[number];
68
- export declare const PROXY_RETRY_JITTERS: readonly ["full", "none"];
69
- export type ProxyRetryJitter = (typeof PROXY_RETRY_JITTERS)[number];
70
- export interface ProxyRetryPolicy {
71
- /** Total attempts, including the initial request. */
72
- readonly maxAttempts?: number;
73
- readonly initialDelayMs?: number;
74
- readonly maxDelayMs?: number;
75
- readonly jitter?: ProxyRetryJitter;
76
- readonly retryOnStatuses?: readonly number[];
77
- readonly retryOnMethods?: readonly ProxyMethod[];
78
- readonly respectRetryAfter?: boolean;
79
- }
80
- export type ResolvedProxyRetryPolicy = Required<ProxyRetryPolicy>;
81
- export declare const PROXY_RETRY_POLICY_DEFAULTS: ResolvedProxyRetryPolicy;
82
- export declare function resolveProxyRetryPolicy(policy: ProxyRetryPolicy): ResolvedProxyRetryPolicy;
83
- /**
84
- * Returns the narrower of the two response modes (lower width wins).
85
- * Pure function so the CLI and BFF can both call it without import cycles.
86
- */
87
- export declare function narrowResponseMode(policy: ProxyResponseMode, requested: ProxyResponseMode): ProxyResponseMode;
88
- /**
89
- * Error codes returned by the proxy route. Stable strings — the CLI
90
- * matches against them in scripts. Adding a new code is non-breaking;
91
- * removing or renaming an existing code requires a protocol bump.
92
- */
93
- export declare const PROXY_ERROR_CODES: readonly ["unsupported_protocol", "unauthorized", "endpoint_not_found", "policy_denied", "rate_limited", "ssrf_denied", "upstream_timeout", "upstream_error", "exceeded_cap", "bad_request", "internal_error"];
94
- export type ProxyErrorCode = (typeof PROXY_ERROR_CODES)[number];
95
- /**
96
- * Shape of the JSON written to the per-run manifest mounted inside
97
- * the container (`/mnt/session/uploads/aex/index.json`).
98
- *
99
- * Always present (every run), regardless of whether any proxy endpoints
100
- * were declared. With zero endpoints, `endpoints` is `[]` and
101
- * `proxyBaseUrl` is `null` — this keeps `aex --help` working
102
- * uniformly and makes the always-on surface observable in tests.
103
- *
104
- * Auth values NEVER appear in this file. The file is mounted into the
105
- * container; treat it as world-readable from the agent's perspective.
106
- */
107
- export interface ProxyIndexFile {
108
- readonly protocolVersion: typeof PROXY_PROTOCOL_VERSION;
109
- readonly runId: string;
110
- readonly proxyBaseUrl: string | null;
111
- readonly endpoints: readonly ProxyIndexEntry[];
112
- }
113
- export interface ProxyIndexEntry {
114
- readonly name: string;
115
- readonly baseUrl: string;
116
- readonly authShape: ProxyAuthShape;
117
- readonly allowMethods: readonly ProxyMethod[];
118
- readonly allowPathPrefixes: readonly string[];
119
- readonly allowHeaders: readonly string[];
120
- readonly responseMode: ProxyResponseMode;
121
- readonly maxRequestBytes: number;
122
- readonly maxResponseBytes: number;
123
- readonly timeoutMs: number;
124
- readonly retry?: ResolvedProxyRetryPolicy;
125
- }
126
- /**
127
- * Default caps for a proxy endpoint when the submission doesn't specify one.
128
- * Lives in the protocol module (next to the index-file shape) so
129
- * {@link buildProxyIndexFile} can fill every optional cap with a concrete
130
- * value; the submission parser re-exports it.
131
- *
132
- * `maxResponseBytes: 0` means UNLIMITED — the v2 path streams the upstream body
133
- * unbuffered (O(1) memory regardless of size), so there is no cap to apply by
134
- * default. A customer can opt into a per-response truncation cap by setting a
135
- * positive value. There is no cumulative per-run call/byte budget: it needed a
136
- * per-call counter on the hot path and only existed to bound memory, which
137
- * streaming already does. The platform records named-proxy request bytes,
138
- * response bytes, attempts, and retries as run-log usage telemetry only; no
139
- * pricing/charging model is derived here.
140
- */
141
- export declare const PROXY_ENDPOINT_DEFAULTS: {
142
- readonly allowHeaders: readonly string[];
143
- readonly responseMode: ProxyResponseMode;
144
- readonly maxRequestBytes: number;
145
- readonly maxResponseBytes: 0;
146
- readonly timeoutMs: number;
147
- };
148
- /**
149
- * Non-secret endpoint policy the index builder consumes. Structurally a
150
- * subset of `PlatformProxyEndpoint` (submission.ts) — declared here so the
151
- * protocol module stays free of an import cycle with the submission parser.
152
- */
153
- export interface ProxyEndpointPolicy {
154
- readonly name: string;
155
- readonly baseUrl: string;
156
- readonly authShape: ProxyAuthShape;
157
- readonly allowMethods: readonly ProxyMethod[];
158
- readonly allowPathPrefixes: readonly string[];
159
- readonly allowHeaders?: readonly string[];
160
- readonly responseMode?: ProxyResponseMode;
161
- readonly maxRequestBytes?: number;
162
- readonly maxResponseBytes?: number;
163
- readonly timeoutMs?: number;
164
- readonly retry?: ProxyRetryPolicy;
165
- }
166
- export interface BuildProxyIndexFileInput {
167
- readonly runId: string;
168
- /**
169
- * Hosted API origin that serves `/api/runs/:runId/proxy/:endpointName`.
170
- * When unset
171
- * (or empty) the run has no reachable proxy plane and `proxyBaseUrl`
172
- * resolves to `null`.
173
- */
174
- readonly proxyPublicBaseUrl?: string;
175
- readonly endpoints?: readonly ProxyEndpointPolicy[];
176
- }
177
- /**
178
- * Build the per-run {@link ProxyIndexFile} mounted into the container at
179
- * `/mnt/session/uploads/aex/index.json`. Pure: applies
180
- * {@link PROXY_ENDPOINT_DEFAULTS} so every optional cap is concrete, and
181
- * carries ONLY the non-secret endpoint policy — auth values never appear.
182
- *
183
- * ALWAYS emits a file (the always-on surface). With zero endpoints OR no
184
- * `proxyPublicBaseUrl`, `proxyBaseUrl` is `null` and `endpoints` is `[]`.
185
- * Otherwise `proxyBaseUrl` is `<trimmed base>/api/runs/<runId>/proxy`, the
186
- * prefix the in-container runtime bridge appends `/<endpointName>` to (proxy.ts).
187
- */
188
- export declare function buildProxyIndexFile(input: BuildProxyIndexFileInput): ProxyIndexFile;
189
- /**
190
- * Structural description of how the upstream endpoint expects auth.
191
- * The actual auth value lives in the run's Vault bundle under
192
- * `secrets.proxyEndpointAuth[i].value` and is never reflected back
193
- * into the container or index file.
194
- *
195
- * The `none` variant declares an upstream that takes no auth (public
196
- * APIs like Wikimedia Commons or NASA Images). It still routes through
197
- * the proxy for unified egress and audit, but
198
- * carries no `proxyEndpointAuth[]` entry and the BFF injects no
199
- * header or query value.
200
- */
201
- export type ProxyAuthShape = {
202
- readonly type: "none";
203
- } | {
204
- readonly type: "bearer";
205
- } | {
206
- readonly type: "basic";
207
- } | {
208
- readonly type: "header";
209
- readonly name: string;
210
- } | {
211
- readonly type: "query";
212
- readonly name: string;
213
- };
214
- export type ProxyAuthType = ProxyAuthShape["type"];
215
- /**
216
- * Header name (lowercase) that an upstream auth shape uses as its
217
- * carrier. Returns `undefined` for query-based and keyless auth.
218
- *
219
- * Used by the submission parser to forbid `allowHeaders` from listing
220
- * the auth header (avoids leaks via caller-supplied headers), and by
221
- * the proxy route to strip any caller header that would collide with
222
- * the auth carrier at request time.
223
- */
224
- export declare function authShapeHeaderName(shape: ProxyAuthShape): string | undefined;
225
- /**
226
- * Query-string key that an upstream query-based auth shape uses as its
227
- * carrier. Returns `undefined` for non-query shapes (including "none").
228
- */
229
- export declare function authShapeQueryName(shape: ProxyAuthShape): string | undefined;
230
- /**
231
- * Inbound request headers every Aex proxy plane STRIPS before
232
- * forwarding a runtime/runner request upstream. Three categories:
233
- *
234
- * - Credential carriers (`authorization`, `x-api-key`, `cookie`,
235
- * `proxy-authorization`) — these belong to Aex's own auth gate
236
- * (the per-run bearer) or to the caller, never the upstream. The
237
- * legitimate upstream credential is injected server-side from the
238
- * run's Vault bundle / endpoint auth shape AFTER this strip, so it is
239
- * never sourced from an inbound header.
240
- * - Hop-by-hop fields (RFC 7230 §6.1: `connection`, `keep-alive`,
241
- * `transfer-encoding`, `te`, `trailer`, `upgrade`, `expect`,
242
- * `proxy-authenticate`, `proxy-connection`) — must not survive a
243
- * proxy hop.
244
- * - Routing primitives a compromised runner could spoof to bypass an
245
- * upstream's IP allowlist / rate-limit (`host`, `content-length`,
246
- * `x-forwarded-*`, `x-real-ip`, `forwarded`).
247
- *
248
- * The platform API provider-proxy and the dashboard MCP proxy strip exactly
249
- * this set (both inject upstream auth separately — the provider key, or the
250
- * Vault MCP-bundle headers, applied AFTER the strip). The dashboard
251
- * customer HTTP proxy hard-denies this set MINUS `x-api-key`, because a
252
- * customer endpoint may legitimately declare `x-api-key` as its auth
253
- * carrier; it derives from this constant so the hop-by-hop + routing
254
- * entries never drift. Keeping the membership here is the single source of
255
- * truth that stops those surfaces diverging.
256
- */
257
- export declare const PROXY_STRIPPED_INBOUND_HEADERS: ReadonlySet<string>;
258
- /**
259
- * JSON body returned on a successful proxy call. The actual HTTP
260
- * response from the BFF to the CLI is always 200 once the BFF accepts
261
- * the request; the upstream's status/headers/body are reflected inside
262
- * this envelope so the CLI can decide what to write to stdout/stderr.
263
- */
264
- export interface ProxyResponseEnvelope {
265
- readonly endpointName: string;
266
- readonly upstreamStatus: number;
267
- /** Lowercase header names → values. Allowlist-filtered by the BFF. */
268
- readonly upstreamHeaders: Readonly<Record<string, string>>;
269
- /**
270
- * Base64-encoded upstream body. Present only when the effective
271
- * response mode is `full`. Truncated to `maxResponseBytes`; if the
272
- * upstream exceeded the cap, `truncated` is `true`.
273
- */
274
- readonly upstreamBodyBase64?: string;
275
- readonly truncated?: boolean;
276
- /**
277
- * Echoed back so the CLI can warn the agent when its requested mode
278
- * was clamped against the policy ceiling.
279
- */
280
- readonly effectiveResponseMode: ProxyResponseMode;
281
- readonly modeClamped: boolean;
282
- }
283
- /**
284
- * JSON body returned on any error. The CLI emits this verbatim on
285
- * stderr and exits non-zero. Audit row carries the same `code`.
286
- */
287
- export interface ProxyErrorBody {
288
- readonly error: ProxyErrorCode;
289
- /** Human-readable message. Never includes auth values. */
290
- readonly message: string;
291
- /**
292
- * Optional diagnostic fields. Always safe to surface — auth values
293
- * and full URLs are stripped at the BFF.
294
- */
295
- readonly endpointName?: string;
296
- readonly upstreamStatus?: number;
297
- /** Server-supplied protocol version on `unsupported_protocol`. */
298
- readonly serverProtocolVersion?: string;
299
- }
300
- /**
301
- * Status code → error code mapping used by the BFF to ensure the audit
302
- * row's error code and the HTTP response line up. Kept here so callers
303
- * can do a sanity check in tests.
304
- */
305
- export declare const PROXY_ERROR_HTTP_STATUS: Record<ProxyErrorCode, number>;