@agent-vm/gateway-interface 0.0.58 → 0.0.60
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +59 -54
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +35 -11
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/index.d.ts
CHANGED
|
@@ -1,49 +1,23 @@
|
|
|
1
|
+
import { SecretResolver, SecretSpec, VfsMountSpec } from "@agent-vm/gondolin-adapter";
|
|
2
|
+
|
|
1
3
|
//#region src/gateway-runtime-contract.d.ts
|
|
2
4
|
declare const gatewayTypeValues: readonly ["openclaw", "worker"];
|
|
3
5
|
type GatewayType = (typeof gatewayTypeValues)[number];
|
|
4
6
|
declare function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string;
|
|
5
7
|
declare function buildToolSessionLabel(projectNamespace: string, zoneId: string, tcpSlot: number): string;
|
|
6
8
|
//#endregion
|
|
7
|
-
//#region
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
interface
|
|
12
|
-
readonly
|
|
13
|
-
readonly
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
//#region src/types.d.ts
|
|
20
|
-
interface SecretSpec {
|
|
21
|
-
readonly hosts: readonly string[];
|
|
22
|
-
readonly value: string;
|
|
23
|
-
}
|
|
24
|
-
type SecretRef = {
|
|
25
|
-
readonly source: '1password';
|
|
26
|
-
readonly ref: string;
|
|
27
|
-
} | {
|
|
28
|
-
readonly source: 'environment';
|
|
29
|
-
readonly ref: string;
|
|
30
|
-
};
|
|
31
|
-
//#endregion
|
|
32
|
-
//#region src/secret-resolver.d.ts
|
|
33
|
-
|
|
34
|
-
interface SecretResolver {
|
|
35
|
-
resolve(ref: SecretRef): Promise<string>;
|
|
36
|
-
resolveAll(refs: Record<string, SecretRef>): Promise<Record<string, string>>;
|
|
37
|
-
}
|
|
38
|
-
interface VfsMountSpec {
|
|
39
|
-
readonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';
|
|
40
|
-
readonly hostPath?: string;
|
|
41
|
-
readonly pinnedHostRoot?: PinnedRealFsRoot;
|
|
42
|
-
readonly shadowConfig?: {
|
|
43
|
-
readonly deny: readonly string[];
|
|
44
|
-
readonly tmpfs: readonly string[];
|
|
45
|
-
};
|
|
46
|
-
}
|
|
9
|
+
//#region src/audience.d.ts
|
|
10
|
+
declare const vmAudienceValues: readonly ["gateway", "tool-vm", "both"];
|
|
11
|
+
type VmAudience = (typeof vmAudienceValues)[number];
|
|
12
|
+
type RuntimeVmAudience = Exclude<VmAudience, 'both'>;
|
|
13
|
+
interface EgressHostConfig {
|
|
14
|
+
readonly host: string;
|
|
15
|
+
readonly audience: VmAudience;
|
|
16
|
+
}
|
|
17
|
+
declare const controllerVmHost = "controller.vm.host";
|
|
18
|
+
declare function targetsAudience(configAudience: VmAudience, runtimeAudience: RuntimeVmAudience): boolean;
|
|
19
|
+
declare function egressHostsForAudience(egressHosts: readonly EgressHostConfig[], runtimeAudience: RuntimeVmAudience): readonly string[];
|
|
20
|
+
declare function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[];
|
|
47
21
|
//#endregion
|
|
48
22
|
//#region src/gateway-process-spec.d.ts
|
|
49
23
|
type GatewayHealthCheck = {
|
|
@@ -135,30 +109,54 @@ interface WorkerGatewayZoneGatewayConfig extends GatewayZoneBaseGatewayConfig {
|
|
|
135
109
|
readonly type: 'worker';
|
|
136
110
|
}
|
|
137
111
|
type GatewayZoneGatewayConfig = OpenClawGatewayZoneGatewayConfig | WorkerGatewayZoneGatewayConfig;
|
|
112
|
+
interface OnePasswordSecretSourceConfig {
|
|
113
|
+
readonly source: '1password';
|
|
114
|
+
readonly ref: string;
|
|
115
|
+
}
|
|
116
|
+
interface EnvironmentSecretSourceConfig {
|
|
117
|
+
readonly source: 'environment';
|
|
118
|
+
readonly envVar: string;
|
|
119
|
+
}
|
|
120
|
+
type SecretSourceConfig = OnePasswordSecretSourceConfig | EnvironmentSecretSourceConfig;
|
|
121
|
+
type EnvInjectedGatewaySecretConfig = SecretSourceConfig & {
|
|
122
|
+
readonly audience: 'gateway';
|
|
123
|
+
readonly injection: 'env';
|
|
124
|
+
};
|
|
125
|
+
type HttpMediatedGatewaySecretConfig = SecretSourceConfig & {
|
|
126
|
+
readonly audience: VmAudience;
|
|
127
|
+
readonly injection: 'http-mediation';
|
|
128
|
+
readonly hosts: readonly string[];
|
|
129
|
+
};
|
|
130
|
+
type GatewaySecretConfig = EnvInjectedGatewaySecretConfig | HttpMediatedGatewaySecretConfig;
|
|
138
131
|
/**
|
|
139
132
|
* Zone config as the lifecycle sees it.
|
|
140
133
|
* Decoupled from SystemConfig — the controller maps into this shape.
|
|
141
134
|
*/
|
|
142
135
|
interface GatewayZoneConfig {
|
|
143
136
|
readonly id: string;
|
|
137
|
+
readonly agents?: readonly GatewayZoneAgentConfig[];
|
|
144
138
|
readonly gateway: GatewayZoneGatewayConfig;
|
|
139
|
+
readonly mcp?: GatewayZoneMcpPortalConfig;
|
|
140
|
+
readonly runtimeMcpServers?: Readonly<Record<string, GatewayZoneMcpServerConfig>>;
|
|
145
141
|
readonly runtimeEnvironment?: Readonly<Record<string, string>>;
|
|
146
142
|
readonly runtimePluginConfigs?: Readonly<Record<string, Readonly<Record<string, unknown>>>>;
|
|
147
|
-
readonly secrets: Record<string,
|
|
148
|
-
|
|
149
|
-
readonly ref: string;
|
|
150
|
-
readonly injection: 'env' | 'http-mediation';
|
|
151
|
-
readonly hosts?: readonly string[] | undefined;
|
|
152
|
-
} | {
|
|
153
|
-
readonly source: 'environment';
|
|
154
|
-
readonly envVar: string;
|
|
155
|
-
readonly injection: 'env' | 'http-mediation';
|
|
156
|
-
readonly hosts?: readonly string[] | undefined;
|
|
157
|
-
}>;
|
|
158
|
-
readonly allowedHosts: readonly string[];
|
|
143
|
+
readonly secrets: Readonly<Record<string, GatewaySecretConfig>>;
|
|
144
|
+
readonly egressHosts: readonly EgressHostConfig[];
|
|
159
145
|
readonly websocketBypass: readonly string[];
|
|
160
146
|
readonly defaultToolVmProfile?: string;
|
|
161
147
|
}
|
|
148
|
+
interface GatewayZoneAgentConfig {
|
|
149
|
+
readonly id: string;
|
|
150
|
+
readonly toolVmProfile?: string | undefined;
|
|
151
|
+
}
|
|
152
|
+
interface GatewayZoneMcpPortalConfig {
|
|
153
|
+
readonly configDir: string;
|
|
154
|
+
}
|
|
155
|
+
interface GatewayZoneMcpServerConfig {
|
|
156
|
+
readonly headers?: Readonly<Record<string, string>>;
|
|
157
|
+
readonly transport: 'streamable-http';
|
|
158
|
+
readonly url: string;
|
|
159
|
+
}
|
|
162
160
|
interface BuildGatewayVmSpecOptions {
|
|
163
161
|
readonly controllerPort: number;
|
|
164
162
|
readonly gatewayCacheDir: string;
|
|
@@ -195,11 +193,18 @@ interface GatewayLifecycle {
|
|
|
195
193
|
}
|
|
196
194
|
//#endregion
|
|
197
195
|
//#region src/split-resolved-gateway-secrets.d.ts
|
|
198
|
-
interface
|
|
196
|
+
interface SplitResolvedSecretsResult {
|
|
199
197
|
readonly environmentSecrets: Record<string, string>;
|
|
200
198
|
readonly mediatedSecrets: Record<string, SecretSpec>;
|
|
201
199
|
}
|
|
200
|
+
type SecretInjectionConfig = GatewaySecretConfig;
|
|
201
|
+
interface SplitResolvedSecretsOptions {
|
|
202
|
+
readonly audience: RuntimeVmAudience;
|
|
203
|
+
readonly logPrefix?: string;
|
|
204
|
+
}
|
|
205
|
+
declare function splitResolvedSecretsByInjection(secretConfigs: Readonly<Record<string, SecretInjectionConfig>>, resolvedSecrets: Record<string, string>, options: SplitResolvedSecretsOptions): SplitResolvedSecretsResult;
|
|
206
|
+
type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;
|
|
202
207
|
declare function splitResolvedGatewaySecrets(zone: GatewayZoneConfig, resolvedSecrets: Record<string, string>): SplitResolvedGatewaySecretsResult;
|
|
203
208
|
//#endregion
|
|
204
|
-
export { type BuildGatewayVmSpecOptions, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayLifecycle, type GatewayProcessSpec, type GatewayType, type GatewayVmSpec, type GatewayZoneConfig, type SplitResolvedGatewaySecretsResult, buildGatewaySessionLabel, buildToolSessionLabel, gatewayTypeValues, splitResolvedGatewaySecrets };
|
|
209
|
+
export { type BuildGatewayVmSpecOptions, type EgressHostConfig, type EnvInjectedGatewaySecretConfig, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayLifecycle, type GatewayProcessSpec, type GatewaySecretConfig, type GatewayType, type GatewayVmSpec, type GatewayZoneAgentConfig, type GatewayZoneConfig, type GatewayZoneMcpPortalConfig, type HttpMediatedGatewaySecretConfig, type RuntimeVmAudience, type SecretInjectionConfig, type SplitResolvedGatewaySecretsResult, type SplitResolvedSecretsResult, type VmAudience, buildGatewaySessionLabel, buildToolSessionLabel, controllerVmHost, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, vmAudienceValues };
|
|
205
210
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","names":["BuildConfig","BuildConfig$1","CreateHttpHooksResult","EnableIngressOptions","EnableSshOptions","IngressRoute","IngressRoute$1","ShadowPredicate","ShadowProviderOptions","VMOptions","VirtualProvider","getDefaultBuildConfig","BuildImageOptions","BuildOutput","Uint8Array","BuildImageResult","buildImageAssetFileNames","BuildPipelineDependencies","Promise","hasBuiltImageAssets","computeBuildFingerprint","computeEffectiveBuildFingerprint","buildImage","parseMinimumZigVersion","resolveGondolinPackageJsonPath","resolveGondolinPackageSpec","ResolveGondolinMinimumZigVersionOptions","resolveGondolinMinimumZigVersion","WritableMountPolicy","RuntimeMountPolicyConfig","Record","Readonly","resolveGuestMountPath","validateWritableMount","validateRuntimeMountPolicy","PinnedRealFsRoot","CreatePinnedRealFsProviderOptions","pinRealFsRoot","closePinnedRealFsRoot","assertPinnedRealFsRoot","createPinnedRealFsProvider","PolicySources","normalizeHostname","dedupeStable","compilePolicy","SecretSpec","SecretRef","SecretResolverClient","SecretResolver","TokenSource","ExecFileOptions","ExecFileResult","resolveServiceAccountToken","CreateSecretResolverDependencies","createSecretResolver","createOpCliSecretResolver","Pick","SYNTHETIC_DNS_IPV4_BENCHMARK","SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK","ExecResult","SshAccess","IngressAccess","ManagedVmInstance","ManagedVmDependencies","Request","Response","VfsMountSpec","CreateVmOptions","ManagedVm","createManagedVm","VolumeConfigEntry","ResolvedVolume","ensureVolumeDir","resolveVolumeDirs","writeFileAtomically"],"sources":["../src/gateway-runtime-contract.ts","../../gondolin-adapter/dist/index.d.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts"],"sourcesContent":["import { BuildConfig, BuildConfig as BuildConfig$1, CreateHttpHooksResult, EnableIngressOptions, EnableSshOptions, IngressRoute as IngressRoute$1, ShadowPredicate, ShadowProviderOptions, VMOptions, VirtualProvider, getDefaultBuildConfig } from \"@earendil-works/gondolin\";\n\n//#region src/build-pipeline.d.ts\ninterface BuildImageOptions {\n readonly buildConfig: BuildConfig$1;\n readonly cacheDir: string;\n /** Directory to resolve relative paths in buildConfig (e.g. postBuild.copy.src).\n * Defaults to process.cwd() if not provided. */\n readonly configDir?: string;\n readonly fullReset?: boolean;\n readonly fingerprintInput?: unknown;\n readonly output?: BuildOutput;\n}\ninterface BuildOutput {\n write(chunk: string | Uint8Array): boolean;\n}\ninterface BuildImageResult {\n readonly built: boolean;\n readonly fingerprint: string;\n readonly imagePath: string;\n}\ndeclare const buildImageAssetFileNames: readonly [\"manifest.json\", \"rootfs.ext4\", \"initramfs.cpio.lz4\", \"vmlinuz-virt\"];\ninterface BuildPipelineDependencies {\n readonly buildAssets?: (buildConfig: BuildConfig$1, outputDirectory: string, configDir?: string) => Promise<unknown>;\n readonly gondolinVersion?: string;\n}\ndeclare function hasBuiltImageAssets(outputDirectoryPath: string): Promise<boolean>;\ndeclare function computeBuildFingerprint(buildConfig: BuildConfig$1, gondolinVersion?: string, fingerprintInput?: unknown): string;\ndeclare function computeEffectiveBuildFingerprint(options: {\n readonly buildConfig: BuildConfig$1;\n readonly configDir?: string;\n readonly fingerprintInput?: unknown;\n readonly gondolinVersion?: string;\n}): Promise<{\n readonly fingerprint: string;\n readonly rootfsInitExtraContent: string;\n}>;\ndeclare function buildImage(options: BuildImageOptions, dependencies?: BuildPipelineDependencies): Promise<BuildImageResult>;\n//#endregion\n//#region src/gondolin-package.d.ts\ndeclare function parseMinimumZigVersion(rawContents: string): string;\ndeclare function resolveGondolinPackageJsonPath(): string;\ndeclare function resolveGondolinPackageSpec(): Promise<string>;\ninterface ResolveGondolinMinimumZigVersionOptions {\n readonly buildZigZonPath?: string;\n}\ndeclare function resolveGondolinMinimumZigVersion(options?: ResolveGondolinMinimumZigVersionOptions): Promise<string>;\n//#endregion\n//#region src/mount-policy.d.ts\ninterface WritableMountPolicy {\n readonly allowAuthWrite: boolean;\n readonly writableAllowedGuestPrefixes: readonly string[];\n}\ninterface RuntimeMountPolicyConfig {\n readonly extraMounts: Readonly<Record<string, string>>;\n readonly mountControls: WritableMountPolicy;\n}\ndeclare function resolveGuestMountPath(guestPath: string, workDir: string): string;\ndeclare function validateWritableMount(guestPath: string, policy: WritableMountPolicy, options: {\n readonly workDir: string;\n}): void;\ndeclare function validateRuntimeMountPolicy(config: RuntimeMountPolicyConfig, options: {\n readonly hostHome: string;\n readonly workDir: string;\n}): Promise<void>;\n//#endregion\n//#region src/pinned-realfs.d.ts\ninterface PinnedRealFsRoot {\n readonly hostPath: string;\n readonly realPath: string;\n readonly fd: number;\n readonly device: number;\n readonly inode: number;\n}\ninterface CreatePinnedRealFsProviderOptions {\n readonly root: PinnedRealFsRoot;\n readonly createRealFsProvider: (hostPath: string) => VirtualProvider;\n}\ndeclare function pinRealFsRoot(hostPath: string): PinnedRealFsRoot;\ndeclare function closePinnedRealFsRoot(root: PinnedRealFsRoot): void;\ndeclare function assertPinnedRealFsRoot(root: PinnedRealFsRoot): void;\ndeclare function createPinnedRealFsProvider(options: CreatePinnedRealFsProviderOptions): VirtualProvider;\n//#endregion\n//#region src/policy-compiler.d.ts\ninterface PolicySources {\n readonly base: readonly string[];\n readonly profile: readonly string[];\n readonly extra: readonly string[];\n}\ndeclare function normalizeHostname(rawHostname: string): string;\ndeclare function dedupeStable(values: readonly string[]): string[];\ndeclare function compilePolicy(sources: PolicySources): string[];\n//#endregion\n//#region src/types.d.ts\ninterface SecretSpec {\n readonly hosts: readonly string[];\n readonly value: string;\n}\ntype SecretRef = {\n readonly source: '1password';\n readonly ref: string;\n} | {\n readonly source: 'environment';\n readonly ref: string;\n};\n//#endregion\n//#region src/secret-resolver.d.ts\ninterface SecretResolverClient {\n readonly secrets: {\n resolve(secretReference: string): Promise<string>;\n resolveAll(secretReferences: readonly string[]): Promise<unknown>;\n };\n}\ninterface SecretResolver {\n resolve(ref: SecretRef): Promise<string>;\n resolveAll(refs: Record<string, SecretRef>): Promise<Record<string, string>>;\n}\ntype TokenSource = {\n readonly type: 'op-cli';\n readonly ref: string;\n} | {\n readonly type: 'env';\n readonly envVar?: string | undefined;\n} | {\n readonly type: 'keychain';\n readonly service: string;\n readonly account: string;\n};\ninterface ExecFileOptions {\n readonly env?: Readonly<Record<string, string | undefined>>;\n}\ninterface ExecFileResult {\n readonly stdout: string;\n readonly stderr: string;\n}\ndeclare function resolveServiceAccountToken(source: TokenSource, dependencies?: {\n readonly execFileAsync?: (command: string, args: readonly string[], options?: ExecFileOptions) => Promise<ExecFileResult>;\n}): Promise<string>;\ninterface CreateSecretResolverDependencies {\n readonly createClient?: (config: {\n auth: string;\n integrationName: string;\n integrationVersion: string;\n }) => Promise<SecretResolverClient>;\n readonly execFileAsync?: (command: string, args: readonly string[], options?: ExecFileOptions) => Promise<ExecFileResult>;\n readonly integrationName?: string;\n readonly integrationVersion?: string;\n}\ndeclare function createSecretResolver(options: {\n readonly serviceAccountToken: string;\n}, dependencies?: CreateSecretResolverDependencies): Promise<SecretResolver>;\ndeclare function createOpCliSecretResolver(options: {\n readonly serviceAccountToken: string;\n}, dependencies?: Pick<CreateSecretResolverDependencies, 'execFileAsync'>): Promise<SecretResolver>;\n//#endregion\n//#region src/vm-adapter.d.ts\ndeclare const SYNTHETIC_DNS_IPV4_BENCHMARK = \"198.18.0.1\";\ndeclare const SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK = \"::ffff:198.18.0.1\";\ninterface ExecResult {\n readonly exitCode: number;\n readonly stdout: string;\n readonly stderr: string;\n}\ntype IngressRoute = IngressRoute$1;\ninterface SshAccess {\n readonly host: string;\n readonly command?: string;\n readonly identityFile?: string;\n readonly port: number;\n readonly user?: string;\n}\ninterface IngressAccess {\n readonly host: string;\n readonly port: number;\n}\ninterface ManagedVmInstance {\n readonly id: string;\n exec(command: string): Promise<{\n readonly exitCode: number;\n readonly stdout?: string;\n readonly stderr?: string;\n }>;\n enableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n enableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n setIngressRoutes(routes: readonly IngressRoute[]): void;\n close(): Promise<void>;\n}\ninterface ManagedVmDependencies {\n createVm(vmOptions: VMOptions): Promise<ManagedVmInstance>;\n createHttpHooks(options: {\n readonly allowedHosts: readonly string[];\n readonly secrets: Record<string, SecretSpec>;\n readonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n readonly onResponse?: (response: Response) => Promise<Response | void>;\n }): Pick<CreateHttpHooksResult, 'env' | 'httpHooks'>;\n closePinnedRealFsRoot(root: PinnedRealFsRoot): void;\n createPinnedRealFsProvider(root: PinnedRealFsRoot): VirtualProvider;\n createRealFsProvider(hostPath: string): VirtualProvider;\n createReadonlyProvider(provider: VirtualProvider): VirtualProvider;\n createMemoryProvider(): VirtualProvider;\n createShadowProvider(provider: VirtualProvider, options: ShadowProviderOptions): VirtualProvider;\n createShadowPathPredicate(paths: readonly string[]): ShadowPredicate;\n}\ninterface VfsMountSpec {\n readonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';\n readonly hostPath?: string;\n readonly pinnedHostRoot?: PinnedRealFsRoot;\n readonly shadowConfig?: {\n readonly deny: readonly string[];\n readonly tmpfs: readonly string[];\n };\n}\ninterface CreateVmOptions {\n readonly imagePath: string;\n readonly memory: string;\n readonly cpus: number;\n readonly rootfsMode: 'readonly' | 'memory' | 'cow';\n readonly allowedHosts: readonly string[];\n readonly secrets: Record<string, SecretSpec>;\n readonly vfsMounts: Record<string, VfsMountSpec>;\n readonly tcpHosts?: Record<string, string>;\n readonly env?: Record<string, string>;\n readonly sessionLabel?: string;\n readonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n readonly onResponse?: (response: Response) => Promise<Response | void>;\n}\ninterface ManagedVm {\n readonly id: string;\n exec(command: string): Promise<ExecResult>;\n enableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n enableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n getVmInstance(): ManagedVmInstance;\n setIngressRoutes(routes: readonly IngressRoute[]): void;\n close(): Promise<void>;\n}\ndeclare function createManagedVm(options: CreateVmOptions, dependencies?: ManagedVmDependencies): Promise<ManagedVm>;\n//#endregion\n//#region src/volume-manager.d.ts\ninterface VolumeConfigEntry {\n readonly guestPath: string;\n}\ninterface ResolvedVolume {\n readonly hostDir: string;\n readonly guestPath: string;\n}\ndeclare function ensureVolumeDir(cacheBase: string, workspaceHash: string, volumeName: string): Promise<string>;\ndeclare function resolveVolumeDirs(cacheBase: string, workspaceHash: string, volumes: Readonly<Record<string, VolumeConfigEntry>>): Promise<Record<string, ResolvedVolume>>;\n//#endregion\n//#region src/write-file-atomically.d.ts\ndeclare function writeFileAtomically(filePath: string, content: string, options?: {\n readonly mode?: number;\n}): Promise<void>;\n//#endregion\nexport { type BuildConfig, BuildImageOptions, BuildImageResult, BuildOutput, CreatePinnedRealFsProviderOptions, CreateSecretResolverDependencies, CreateVmOptions, ExecFileOptions, ExecFileResult, ExecResult, IngressAccess, IngressRoute, ManagedVm, ManagedVmDependencies, ManagedVmInstance, PinnedRealFsRoot, PolicySources, ResolveGondolinMinimumZigVersionOptions, ResolvedVolume, RuntimeMountPolicyConfig, SYNTHETIC_DNS_IPV4_BENCHMARK, SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK, SecretRef, SecretResolver, SecretResolverClient, SecretSpec, SshAccess, TokenSource, VfsMountSpec, VolumeConfigEntry, WritableMountPolicy, assertPinnedRealFsRoot, buildImage, buildImageAssetFileNames, closePinnedRealFsRoot, compilePolicy, computeBuildFingerprint, computeEffectiveBuildFingerprint, createManagedVm, createOpCliSecretResolver, createPinnedRealFsProvider, createSecretResolver, dedupeStable, ensureVolumeDir, getDefaultBuildConfig, hasBuiltImageAssets, normalizeHostname, parseMinimumZigVersion, pinRealFsRoot, resolveGondolinMinimumZigVersion, resolveGondolinPackageJsonPath, resolveGondolinPackageSpec, resolveGuestMountPath, resolveServiceAccountToken, resolveVolumeDirs, validateRuntimeMountPolicy, validateWritableMount, writeFileAtomically };\n//# sourceMappingURL=index.d.ts.map"],"mappings":";cAAa;AAAA,KAED,WAAA,GAFoD,CAAA,OAE9B,iBAF8B,CAAA,CAAA,MAAA,CAAA;AAEpD,iBAEI,wBAAA,CAFmC,gBAAA,EAAA,MAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA;AAEnC,iBAIA,qBAAA,CAJwB,gBAAA,EAAA,MAAA,EAAA,MAAA,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,MAAA;;;;;;UC+D9BmC,gBAAAA,CGmBuB;EACd,SAAA,QAAA,EAAA,MAAA;EAAM,SAAA,QAAA,EAAA,MAAA;EAoBzB,SAAiB,EAAA,EAAA,MAAA;EAajB,SAAiB,MAAA,EAAA,MAAgB;EAKV,SAAA,KAAA,EAAA,MAAA;;;;UH/BbU,UAAAA,CIlF0B;;;;KJsF/BC,SAAAA;;;;;;;;;;UAeKE,cAAAA;eACKF,YAAY5B;mBACRY,eAAegB,aAAa5B,QAAQY;;UAwF7CoC,YAAAA;;;4BAGkB/B;;;;;;;;KC9MhB,kBAAA;EFAC,SAAA,IAAA,EAAA,MAAmD;EAEpD,SAAA,IAAA,EAAW,MAAA;EAEP,SAAA,IAAA,EAAA,MAAA;AAIhB,CAAA,GAAgB;;;;ACwDL;AA2B0C;AAGjC;AAgBwC;AAI7CW,UC1GE,kBAAA,CD0GFA;EAAY5B,SAAAA,gBAAAA,EAAAA,MAAAA;EACO4B,SAAAA,YAAAA,EAAAA,MAAAA;EAAfhB,SAAAA,WAAAA,ECxGI,kBDwGJA;EAAoCA,SAAAA,eAAAA,EAAAA,MAAAA;EAARZ,SAAAA,OAAAA,EAAAA,MAAAA;;;;ADnH/C;AAEA;AAEA;AAIA;UGFiB,aAAA;wBACM;sBACF,eAAe;EF2D1BiB,SAAAA,eAAgB,EE1DC,MF0DD,CAAA,MAAA,EE1DgB,UF0DhB,CAAA;EA2BhBU,SAAAA,QAAU,EEpFA,MFoFA,CAAA,MAAA,EAAA,MAAA,CAAA;EAIfC,SAAAA,YAAS,EAAA,SAAA,MAAA,EAAA;EAeJE,SAAAA,UAAc,EAAA,UAAA,GAAA,QAAA,GAAA,KAAA;EACTF,SAAAA,YAAAA,EAAAA,MAAAA;;;;AD1Gf;;;;AC2DUX,UGzDO,iBAAA,CHyDS;EA2BhBU;AAAU;AAgBwC;;EAIjC3B,SAAAA,oBAAAA,EAAAA,MAAAA;EACO4B;;;;EAAoB,SAAA,iBAAA,EAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,EAAA;IAwF5CoB,SAAAA,UAAY,CAAA,EAAA,OAGM/B;;;;AC9M5B,UE8BU,sBAAA,CF9BoB;EAQb,SAAA,MAAA,EAAA,WAAkB,GAAA,aAGZ;;UEuBb,iCAAA,SAA0C;;ED5BnC,SAAA,GAAA,EAAA,MAAa;;UCiCpB,iCAAA,SAA0C,sBD/BhB,CAAA;EAAf,SAAA,MAAA,EAAA,aAAA;EACqB,SAAA,MAAA,EAAA,MAAA;;AACtB,KCkCR,uBAAA,GDlCQ,QAAA,GAAA,UAAA,GAAA,OAAA;AAAM,UCoCT,gBAAA,CDpCS;sBCqCL;;UAGX,4BAAA;EAxCO,SAAA,IAAA,EAyCD,WAzCkB;EAoBxB,SAAA,MAAA,EAAA,MAAA;EAIA,SAAA,IAAA,EAAA,MAAA;EAKA,SAAA,IAAA,EAAA,MAAA;EAKE,SAAA,MAAA,EAAA,MAAA;EAEK,SAAA,QAAA,EAAgB,MAAA;EAIvB,SAAA,GAAA,EAOK,gBAPL;EACM,SAAA,eAAA,CAAA,EAQZ,iCARY,GASZ,iCATY,GAAA,SAAA;;UAaN,gCAAA,SAAyC,4BAL/C,CAAA;EACA,SAAA,IAAA,EAAA,UAAA;EAAiC,SAAA,YAAA,EAAA,MAAA;EAI3B,SAAA,mBAAA,CAAA,EAGsB,QAHW,CAIzC,MAJyC,CAAA,MAAA,EAI1B,iCAJ0B,GAIU,iCAJV,CAAA,CAAA;;UAQjC,8BAAA,SAAuC,4BAJI,CAAA;EAAnD,SAAA,IAAA,EAAA,QAAA;;KAQG,wBAAA,GAA2B,gCAZmB,GAYgB,8BAZhB;;AAA4B;AAQF;AAU7E;AAEmB,UAFF,iBAAA,CAEE;EACqB,SAAA,EAAA,EAAA,MAAA;EAAT,SAAA,OAAA,EADZ,wBACY;EACmC,SAAA,kBAAA,CAAA,EADnC,QACmC,CAD1B,MAC0B,CAAA,MAAA,EAAA,MAAA,CAAA,CAAA;EAAT,SAAA,oBAAA,CAAA,EAAxB,QAAwB,CAAf,MAAe,CAAA,MAAA,EAAA,QAAA,CAAS,MAAT,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA,CAAA,CAAA;EAAf,SAAA,OAAA,EACvB,MADuB,CAAA,MAAA,EAAA;IAAT,SAAA,MAAA,EAAA,WAAA;IACd,SAAA,GAAA,EAAA,MAAA;IAAM,SAAA,SAAA,EAAA,KAAA,GAAA,gBAAA;IAoBR,SAAA,KAAA,CAAA,EAAA,SAAyB,MAAA,EAAA,GAIf,SAMX;EAGC,CAAA,GAAA;IAKM,SAAA,MAAA,EAAA,aAAA;IAMD,SAAA,MAAA,EAAA,MAAA;IAA4B,SAAA,SAAA,EAAA,KAAA,GAAA,gBAAA;IAO1C,SAAA,KAAA,CAAA,EAAA,SAAA,MAAA,EAAA,GAAA,SAAA;EACW,CAAA,CAAA;EACf,SAAA,YAAA,EAAA,SAAA,MAAA,EAAA;EAMqB,SAAA,eAAA,EAAA,SAAA,MAAA,EAAA;EAAmC,SAAA,oBAAA,CAAA,EAAA,MAAA;;AAAwB,UAvCnE,yBAAA,CAuCmE;;;;EC9InE,SAAA,eAAA,ED2GU,MC3GV,CAAA,MAAiC,EAAA,MAAA,CAAA;EACpB,SAAA,UAAA,EAAA,MAAA;EACY,SAAA,OAAA,EAAA;IAAf,SAAA,QAAA,EAAA,MAAA;IAAM,SAAA,IAAA,EAAA,MAAA;EAGjB,CAAA;EACT,SAAA,IAAA,ED2GS,iBC3GT;;AAEJ,UD4Gc,gBAAA,CC5Gd;EAAiC;;;;wBDiHb;;;;;uBAMD,4BAA4B;;;;;yBAO1C,oCACW,yBACf;;;;;0BAMqB,mCAAmC,iBAAiB;;;;AJhJjE,UKEK,iCAAA,CLFkC;EAEnC,SAAA,kBAAwB,EKCV,MLDU,CAAA,MAAA,EAAA,MAAA,CAAA;EAIxB,SAAA,eAAqB,EKFV,MLEU,CAAA,MAAA,EKFK,ULEL,CAAA;;iBKCrB,2BAAA,OACT,oCACW,yBACf"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts"],"mappings":";;;cAAa,iBAAA;AAAA,KAED,WAAA,WAAsB,iBAAA;AAAA,iBAElB,wBAAA,CAAyB,gBAAA,UAA0B,MAAA;AAAA,iBAInD,qBAAA,CACf,gBAAA,UACA,MAAA,UACA,OAAA;;;cCXY,gBAAA;AAAA,KAED,UAAA,WAAqB,gBAAA;AAAA,KACrB,iBAAA,GAAoB,OAAA,CAAQ,UAAA;AAAA,UAEvB,gBAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA,EAAU,UAAA;AAAA;AAAA,cAGP,gBAAA;AAAA,iBAEG,eAAA,CACf,cAAA,EAAgB,UAAA,EAChB,eAAA,EAAiB,iBAAA;AAAA,iBAKF,sBAAA,CACf,WAAA,WAAsB,gBAAA,IACtB,eAAA,EAAiB,iBAAA;AAAA,iBAOF,qBAAA,CAAsB,WAAA,WAAsB,gBAAA;;;KC5BhD,kBAAA;EAAA,SACE,IAAA;EAAA,SAAuB,IAAA;EAAA,SAAuB,IAAA;AAAA;EAAA,SAC9C,IAAA;EAAA,SAA0B,OAAA;AAAA;AFAxC;;;;AAAA,UEMiB,kBAAA;EAAA,SACP,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,WAAA,EAAa,kBAAA;EAAA,SACb,eAAA;EAAA,SACA,OAAA;AAAA;;;;;AFbV;;UGMiB,aAAA;EAAA,SACP,WAAA,EAAa,MAAA;EAAA,SACb,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,eAAA,EAAiB,MAAA,SAAe,UAAA;EAAA,SAChC,QAAA,EAAU,MAAA;EAAA,SACV,YAAA;EAAA,SACA,UAAA;EAAA,SACA,YAAA;AAAA;;;;;;AHXV;UISiB,iBAAA;;;;AJPjB;WIYU,oBAAA;;;;AJRV;WIcU,iBAAA,GACR,QAAA,UACA,OAAA;IAAA,SACU,UAAA;IAAA,SACA,UAAA;EAAA;AAAA;AAAA,UAKF,sBAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,UAEK,gBAAA;EAAA,SACP,SAAA,EAAW,uBAAA;AAAA;AAAA,UAGX,4BAAA;EAAA,SACA,IAAA,EAAM,WAAA;EAAA,SACN,MAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,MAAA;EAAA,SACA,QAAA;EAAA,SACA,GAAA,EAAK,gBAAA;EAAA,SACL,eAAA,GACN,iCAAA,GACA,iCAAA;AAAA;AAAA,UAIM,gCAAA,SAAyC,4BAAA;EAAA,SACzC,IAAA;EAAA,SACA,YAAA;EAAA,SACA,mBAAA,GAAsB,QAAA,CAC9B,MAAA,SAAe,iCAAA,GAAoC,iCAAA;AAAA;AAAA,UAI3C,8BAAA,SAAuC,4BAAA;EAAA,SACvC,IAAA;AAAA;AAAA,KAGL,wBAAA,GAA2B,gCAAA,GAAmC,8BAAA;AAAA,UAEzD,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,KAGL,kBAAA,GAAqB,6BAAA,GAAgC,6BAAA;AAAA,KAE9C,8BAAA,GAAiC,kBAAA;EAAA,SACnC,QAAA;EAAA,SACA,SAAA;AAAA;AAAA,KAGE,+BAAA,GAAkC,kBAAA;EAAA,SACpC,QAAA,EAAU,UAAA;EAAA,SACV,SAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,mBAAA,GAAsB,8BAAA,GAAiC,+BAAA;;;AH1EnE;;UGgFiB,iBAAA;EAAA,SACP,EAAA;EAAA,SACA,MAAA,YAAkB,sBAAA;EAAA,SAClB,OAAA,EAAS,wBAAA;EAAA,SACT,GAAA,GAAM,0BAAA;EAAA,SACN,iBAAA,GAAoB,QAAA,CAAS,MAAA,SAAe,0BAAA;EAAA,SAC5C,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,oBAAA,GAAuB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA,SACxD,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,mBAAA;EAAA,SACjC,WAAA,WAAsB,gBAAA;EAAA,SACtB,eAAA;EAAA,SACA,oBAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,EAAA;EAAA,SACA,aAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,OAAA,GAAU,QAAA,CAAS,MAAA;EAAA,SACnB,SAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,cAAA;EAAA,SACA,eAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA,EAAiB,MAAA;EAAA,SACjB,UAAA;EAAA,SACA,OAAA;IAAA,SACC,QAAA;IAAA,SACA,IAAA;EAAA;EAAA,SAED,IAAA,EAAM,iBAAA;AAAA;AAAA,UAGC,gBAAA;ED7IyB;;;;EAAA,SCkJhC,UAAA,GAAa,iBAAA;EDpJb;;;;EC0JT,WAAA,CAAY,OAAA,EAAS,yBAAA,GAA4B,aAAA;EDxJxC;;;;EC8JT,gBAAA,CACC,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,kBAAA;ED/JM;;;;ECqKT,gBAAA,EAAkB,IAAA,EAAM,iBAAA,EAAmB,cAAA,EAAgB,cAAA,GAAiB,OAAA;AAAA;;;UC3K5D,0BAAA;EAAA,SACP,kBAAA,EAAoB,MAAA;EAAA,SACpB,eAAA,EAAiB,MAAA,SAAe,UAAA;AAAA;AAAA,KAG9B,qBAAA,GAAwB,mBAAA;AAAA,UAEnB,2BAAA;EAAA,SACP,QAAA,EAAU,iBAAA;EAAA,SACV,SAAA;AAAA;AAAA,iBAGM,+BAAA,CACf,aAAA,EAAe,QAAA,CAAS,MAAA,SAAe,qBAAA,IACvC,eAAA,EAAiB,MAAA,kBACjB,OAAA,EAAS,2BAAA,GACP,0BAAA;AAAA,KA2CS,iCAAA,GAAoC,0BAAA;AAAA,iBAEhC,2BAAA,CACf,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,iCAAA"}
|
package/dist/index.js
CHANGED
|
@@ -6,33 +6,57 @@ function buildGatewaySessionLabel(projectNamespace, zoneId) {
|
|
|
6
6
|
function buildToolSessionLabel(projectNamespace, zoneId, tcpSlot) {
|
|
7
7
|
return `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;
|
|
8
8
|
}
|
|
9
|
-
|
|
9
|
+
//#endregion
|
|
10
|
+
//#region src/audience.ts
|
|
11
|
+
const vmAudienceValues = [
|
|
12
|
+
"gateway",
|
|
13
|
+
"tool-vm",
|
|
14
|
+
"both"
|
|
15
|
+
];
|
|
16
|
+
const controllerVmHost = "controller.vm.host";
|
|
17
|
+
function targetsAudience(configAudience, runtimeAudience) {
|
|
18
|
+
return configAudience === runtimeAudience || configAudience === "both";
|
|
19
|
+
}
|
|
20
|
+
function egressHostsForAudience(egressHosts, runtimeAudience) {
|
|
21
|
+
return egressHosts.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience)).map((egressHost) => egressHost.host);
|
|
22
|
+
}
|
|
23
|
+
function gatewayVmAllowedHosts(egressHosts) {
|
|
24
|
+
return Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, "gateway")]));
|
|
25
|
+
}
|
|
10
26
|
//#endregion
|
|
11
27
|
//#region src/split-resolved-gateway-secrets.ts
|
|
12
|
-
function
|
|
28
|
+
function splitResolvedSecretsByInjection(secretConfigs, resolvedSecrets, options) {
|
|
13
29
|
const environmentSecrets = {};
|
|
14
30
|
const mediatedSecrets = {};
|
|
31
|
+
const logPrefix = options.logPrefix ?? "split-resolved-secrets";
|
|
15
32
|
for (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {
|
|
16
|
-
const secretConfig =
|
|
17
|
-
if (!secretConfig) {
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
if (secretConfig.injection === "http-mediation" && secretConfig.hosts) {
|
|
33
|
+
const secretConfig = secretConfigs[secretName];
|
|
34
|
+
if (!secretConfig) throw new Error(`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`);
|
|
35
|
+
if (!targetsAudience(secretConfig.audience, options.audience)) continue;
|
|
36
|
+
if (secretConfig.injection === "http-mediation") {
|
|
37
|
+
if (secretConfig.hosts.length === 0) throw new Error(`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`);
|
|
22
38
|
mediatedSecrets[secretName] = {
|
|
23
39
|
hosts: [...secretConfig.hosts],
|
|
24
40
|
value: secretValue
|
|
25
41
|
};
|
|
26
42
|
continue;
|
|
27
43
|
}
|
|
28
|
-
|
|
44
|
+
const envSecretAudience = secretConfig.audience;
|
|
45
|
+
if (envSecretAudience !== "gateway") throw new Error(`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`);
|
|
46
|
+
if (options.audience === "gateway") environmentSecrets[secretName] = secretValue;
|
|
29
47
|
}
|
|
30
48
|
return {
|
|
31
49
|
environmentSecrets,
|
|
32
50
|
mediatedSecrets
|
|
33
51
|
};
|
|
34
52
|
}
|
|
35
|
-
|
|
53
|
+
function splitResolvedGatewaySecrets(zone, resolvedSecrets) {
|
|
54
|
+
return splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {
|
|
55
|
+
audience: "gateway",
|
|
56
|
+
logPrefix: "split-resolved-gateway-secrets"
|
|
57
|
+
});
|
|
58
|
+
}
|
|
36
59
|
//#endregion
|
|
37
|
-
export { buildGatewaySessionLabel, buildToolSessionLabel, gatewayTypeValues, splitResolvedGatewaySecrets };
|
|
60
|
+
export { buildGatewaySessionLabel, buildToolSessionLabel, controllerVmHost, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, vmAudienceValues };
|
|
61
|
+
|
|
38
62
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","names":[
|
|
1
|
+
{"version":3,"file":"index.js","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/split-resolved-gateway-secrets.ts"],"sourcesContent":["export const gatewayTypeValues = ['openclaw', 'worker'] as const;\n\nexport type GatewayType = (typeof gatewayTypeValues)[number];\n\nexport function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string {\n\treturn `${projectNamespace}:${zoneId}:gateway`;\n}\n\nexport function buildToolSessionLabel(\n\tprojectNamespace: string,\n\tzoneId: string,\n\ttcpSlot: number,\n): string {\n\treturn `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;\n}\n","export const vmAudienceValues = ['gateway', 'tool-vm', 'both'] as const;\n\nexport type VmAudience = (typeof vmAudienceValues)[number];\nexport type RuntimeVmAudience = Exclude<VmAudience, 'both'>;\n\nexport interface EgressHostConfig {\n\treadonly host: string;\n\treadonly audience: VmAudience;\n}\n\nexport const controllerVmHost = 'controller.vm.host';\n\nexport function targetsAudience(\n\tconfigAudience: VmAudience,\n\truntimeAudience: RuntimeVmAudience,\n): boolean {\n\treturn configAudience === runtimeAudience || configAudience === 'both';\n}\n\nexport function egressHostsForAudience(\n\tegressHosts: readonly EgressHostConfig[],\n\truntimeAudience: RuntimeVmAudience,\n): readonly string[] {\n\treturn egressHosts\n\t\t.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience))\n\t\t.map((egressHost) => egressHost.host);\n}\n\nexport function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[] {\n\treturn Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, 'gateway')]));\n}\n","import type { SecretSpec } from '@agent-vm/gondolin-adapter';\n\nimport { targetsAudience, type RuntimeVmAudience } from './audience.js';\nimport type { GatewaySecretConfig, GatewayZoneConfig } from './gateway-lifecycle.js';\n\nexport interface SplitResolvedSecretsResult {\n\treadonly environmentSecrets: Record<string, string>;\n\treadonly mediatedSecrets: Record<string, SecretSpec>;\n}\n\nexport type SecretInjectionConfig = GatewaySecretConfig;\n\nexport interface SplitResolvedSecretsOptions {\n\treadonly audience: RuntimeVmAudience;\n\treadonly logPrefix?: string;\n}\n\nexport function splitResolvedSecretsByInjection(\n\tsecretConfigs: Readonly<Record<string, SecretInjectionConfig>>,\n\tresolvedSecrets: Record<string, string>,\n\toptions: SplitResolvedSecretsOptions,\n): SplitResolvedSecretsResult {\n\tconst environmentSecrets: Record<string, string> = {};\n\tconst mediatedSecrets: Record<string, SecretSpec> = {};\n\tconst logPrefix = options.logPrefix ?? 'split-resolved-secrets';\n\n\tfor (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {\n\t\tconst secretConfig = secretConfigs[secretName];\n\t\tif (!secretConfig) {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`,\n\t\t\t);\n\t\t}\n\t\tif (!targetsAudience(secretConfig.audience, options.audience)) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (secretConfig.injection === 'http-mediation') {\n\t\t\tif (secretConfig.hosts.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tmediatedSecrets[secretName] = {\n\t\t\t\thosts: [...secretConfig.hosts],\n\t\t\t\tvalue: secretValue,\n\t\t\t};\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst envSecretAudience = (secretConfig as { readonly audience: string }).audience;\n\t\tif (envSecretAudience !== 'gateway') {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`,\n\t\t\t);\n\t\t}\n\t\tif (options.audience === 'gateway') {\n\t\t\tenvironmentSecrets[secretName] = secretValue;\n\t\t}\n\t}\n\n\treturn { environmentSecrets, mediatedSecrets };\n}\n\nexport type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;\n\nexport function splitResolvedGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): SplitResolvedGatewaySecretsResult {\n\treturn splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {\n\t\taudience: 'gateway',\n\t\tlogPrefix: 'split-resolved-gateway-secrets',\n\t});\n}\n"],"mappings":";AAAA,MAAa,oBAAoB,CAAC,YAAY,SAAS;AAIvD,SAAgB,yBAAyB,kBAA0B,QAAwB;CAC1F,OAAO,GAAG,iBAAiB,GAAG,OAAO;;AAGtC,SAAgB,sBACf,kBACA,QACA,SACS;CACT,OAAO,GAAG,iBAAiB,GAAG,OAAO,QAAQ;;;;ACb9C,MAAa,mBAAmB;CAAC;CAAW;CAAW;CAAO;AAU9D,MAAa,mBAAmB;AAEhC,SAAgB,gBACf,gBACA,iBACU;CACV,OAAO,mBAAmB,mBAAmB,mBAAmB;;AAGjE,SAAgB,uBACf,aACA,iBACoB;CACpB,OAAO,YACL,QAAQ,eAAe,gBAAgB,WAAW,UAAU,gBAAgB,CAAC,CAC7E,KAAK,eAAe,WAAW,KAAK;;AAGvC,SAAgB,sBAAsB,aAA6D;CAClG,OAAO,MAAM,KAAK,IAAI,IAAI,CAAC,kBAAkB,GAAG,uBAAuB,aAAa,UAAU,CAAC,CAAC,CAAC;;;;ACZlG,SAAgB,gCACf,eACA,iBACA,SAC6B;CAC7B,MAAM,qBAA6C,EAAE;CACrD,MAAM,kBAA8C,EAAE;CACtD,MAAM,YAAY,QAAQ,aAAa;CAEvC,KAAK,MAAM,CAAC,YAAY,gBAAgB,OAAO,QAAQ,gBAAgB,EAAE;EACxE,MAAM,eAAe,cAAc;EACnC,IAAI,CAAC,cACJ,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,mDACrC;EAEF,IAAI,CAAC,gBAAgB,aAAa,UAAU,QAAQ,SAAS,EAC5D;EAGD,IAAI,aAAa,cAAc,kBAAkB;GAChD,IAAI,aAAa,MAAM,WAAW,GACjC,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,8CACrC;GAEF,gBAAgB,cAAc;IAC7B,OAAO,CAAC,GAAG,aAAa,MAAM;IAC9B,OAAO;IACP;GACD;;EAGD,MAAM,oBAAqB,aAA+C;EAC1E,IAAI,sBAAsB,WACzB,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,kDAAkD,kBAAkB,IACzG;EAEF,IAAI,QAAQ,aAAa,WACxB,mBAAmB,cAAc;;CAInC,OAAO;EAAE;EAAoB;EAAiB;;AAK/C,SAAgB,4BACf,MACA,iBACoC;CACpC,OAAO,gCAAgC,KAAK,SAAS,iBAAiB;EACrE,UAAU;EACV,WAAW;EACX,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@agent-vm/gateway-interface",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.60",
|
|
4
4
|
"description": "Shared TypeScript interfaces for VM gateway lifecycles, VmSpec, and ProcessSpec.",
|
|
5
5
|
"homepage": "https://github.com/ShravanSunder/agent-vm#readme",
|
|
6
6
|
"bugs": {
|
|
@@ -29,7 +29,7 @@
|
|
|
29
29
|
"access": "public"
|
|
30
30
|
},
|
|
31
31
|
"dependencies": {
|
|
32
|
-
"@agent-vm/gondolin-adapter": "0.0.
|
|
32
|
+
"@agent-vm/gondolin-adapter": "0.0.60"
|
|
33
33
|
},
|
|
34
34
|
"scripts": {
|
|
35
35
|
"build": "tsdown",
|