@amodalai/amodal 0.3.69 → 0.3.71

package/CHANGELOG.md

@@ -1,5 +1,194 @@
 # @amodalai/amodal
 
+## 0.3.71
+
+### Patch Changes
+
+- bde01f0: Add config-driven auth on top of the `feat/auth-controller` Warden
+  primitive. Agent owners describe their auth in `amodal.json`; the
+  runtime parses, validates, and instantiates the right `AuthStrategy`
+  at boot.
+
+  ```json
+  {
+    "auth": {
+      "type": "oidc",
+      "issuer": "https://acme.okta.com",
+      "clientId": "abc123",
+      "clientSecret": "env:OKTA_CLIENT_SECRET",
+      "callbackUrl": "https://hr-helper.acme.com/auth/callback",
+      "sessionSecret": "env:SESSION_SIGNING_SECRET"
+    }
+  }
+  ```
+
+  ```ts
+  import {
+    parseAuthConfig,
+    createAuthStrategy,
+    JwksAuthStrategy,
+    authenticate,
+    authRouter,
+  } from "@amodalai/runtime";
+
+  const userAuth = await createAuthStrategy(parseAuthConfig(agentConfig.auth));
+  const studioJwt = new JwksAuthStrategy({ jwksUrl: process.env.JWKS_URL });
+
+  app.use("/api/files", authenticate(studioJwt)); // Studio only
+  app.use("/chat", authenticate(studioJwt, userAuth)); // either
+  app.use(authRouter(userAuth)); // OAuth callbacks
+  ```
+
+  **Five `auth.type` modes** covering the persona spectrum:
+  - `none` — synthesized anonymous identity (public chatbots / dev)
+  - `jwt_secret` — HMAC-verify JWTs minted by another server (ISV / server-mediated)
+  - `oidc` — full OAuth2.1/OIDC dance via `openid-client` (Okta, Azure AD, Google Workspace, Auth0 OIDC, Keycloak — anything OIDC-compliant). Handles login redirect, PKCE+state, callback exchange, signed-cookie sessions, JWKS verification.
+  - `header` — trusted upstream `X-Auth-User` (proxied auth)
+  - `custom` — `{module: './my-auth.ts'}` dynamically imports a user-supplied strategy class. The escape hatch for Auth0 SDK / Supabase `getUser` / any auth system that doesn't fit the four modes above.
+
+  **Validation**: `parseAuthConfig(raw)` (zod-backed) gives clear errors on
+  malformed configs at startup, not at first request.
+
+  **`OidcAuthStrategy`** is the meaty piece — ~270 LOC implementing the
+  OAuth dance via `openid-client` v6 (Web-standards), session signing via
+  HMAC, encrypted state cookie for the redirect round-trip. Self-contained;
+  no database needed; survives multi-instance fleets.
+
+  Adds `openid-client` as a runtime dependency.
+
+  This PR delivers the config-facing surface that makes the Warden
+  primitive useful to non-developers — agent owners edit JSON (or, in
+  follow-up PRs, a Studio UI / `amodal auth init` CLI), the runtime
+  wires up auth from there.
+
+- bde01f0: Add a Warden-shape pluggable auth primitive: `authenticate(...strategies)`
+  returns Express middleware that runs the strategies in order, picks the
+  first that applies and authenticates, and attaches a canonical
+  `AuthSession` to `res.locals.session` (or 401s the request). Single-winner
+  chain — no merging across strategies, no implicit identity overrides.
+
+  Each strategy implements two methods (modeled on Rails' Warden):
+  - `valid(req): boolean` — cheap synchronous check, "does this strategy
+    apply at all?". Strategies that return false are skipped without
+    paying the `authenticate` cost.
+  - `authenticate(req): Promise<AuthResult>` — slow path. Returns a
+    discriminated union `{kind: 'authenticated', session}` or
+    `{kind: 'rejected', reason}`. No exceptions for control flow — plugin
+    authors can't accidentally bypass auth by throwing the wrong sentinel.
+
+  Per-route mounting solves the route-bifurcation problem cleanly:
+
+  ```ts
+  const platformJwt = new JwksAuthStrategy({jwksUrl});
+  const endUser     = new OidcStrategy({...}); // user-supplied or built-in
+
+  // Studio routes — only platform JWT is in the chain
+  app.use('/api/files',  authenticate(platformJwt));
+
+  // Chat routes — accept platform JWT (Studio test chat) OR end-user auth
+  app.use('/chat',       authenticate(platformJwt, endUser));
+
+  // Login-flow routes registered by strategies that need them
+  app.use(authRouter(endUser));
+  ```
+
+  A request hitting `/api/files` with an end-user token can't be
+  authenticated by accident — `endUser` isn't in that chain.
+
+  Ships five built-in strategies covering the common amodal personas:
+  - **`JwksAuthStrategy`** — Bearer JWT verified against a remote JWKS.
+    Pass-through to `jose.createRemoteJWKSet` options for ops visibility
+    into key rotation.
+  - **`ApiKeyAuthStrategy`** — `ak_*` Bearer tokens validated via a
+    caller-supplied callback. LRU-cached (configurable cap, default 10k
+    entries) so repeated requests skip the round-trip.
+  - **`HeaderAuthStrategy`** — trusted upstream header (default
+    `X-Auth-User`) for service-to-service / proxied auth.
+  - **`NoneAuthStrategy`** — synthesizes an anonymous session. Place last
+    in the chain for public agents / dev environments.
+  - **`CookieSessionStrategy`** — session JWT in a cookie (default
+    `amodal_session`), verified against JWKS. For SPA + runtime stacks
+    that don't sit behind a Bearer-injecting edge proxy.
+
+  Adds `jose` and `lru-cache` as runtime dependencies.
+
+  The `AuthSession` shape is canonical across all strategies: `{user: {id,
+email?, name?}, method, agentId?, scopeId?, claims?}`. No `token` field
+  on the surface (avoids credential leaks via accidental log serialization);
+  strategies expose raw provider claims under `claims` for callers that
+  need them.
+
+  Per-mount `logger` option emits a structured `AuthLogEvent` per request
+  (`{strategy, outcome, durationMs, reason?}`) for observability.
+
+  External identity providers (Auth0, Supabase, custom OIDC, SAML) are
+  expected to ship as separate strategy classes — either inside an
+  agent's runtime code or as third-party packages — implementing the
+  `AuthStrategy` interface. No first-party provider packages in this PR;
+  the primitive layer is the contract.
+
+- bde01f0: Add a Studio "Authentication" tab for editing the agent's `auth` block
+  in `amodal.json` form-style. Builds on the config-driven layer from the
+  `feat/auth-config` PR.
+
+  Agent owners pick the auth type from a card grid (Sign in with Amodal /
+  Public / Shared JWT secret / OIDC / Trusted header / Custom) and fill
+  in type-specific fields. Saves a draft through the existing
+  workspace-edit pipeline; the user commits via "Publish changes" to land
+  it on disk.
+
+  "Sign in with Amodal" is the zero-config option: visitors sign in with
+  their existing Amodal account, the runtime verifies the platform JWT
+  against Amodal's JWKS, no client setup or secrets required. Backed by a
+  new `AmodalAuthStrategy` (a thin `JwksAuthStrategy` wrapper preconfigured
+  with the Amodal cloud JWKS URL + issuer; both overridable for self-hosted
+  Amodal-equivalent platforms).
+
+  Implementation mirrors the `embed-config` pattern:
+  - `lib/auth-config.ts` — Studio-side editable draft shape +
+    read/write helpers for the `auth` block in `amodal.json`. Serializes
+    the draft back to the runtime's strict `AuthConfig` discriminated
+    union shape on save.
+  - `server/routes/auth-config.ts` — `GET/PUT /api/auth-config`,
+    same shape as `embed-config` (drafts, capability check, etc.).
+    Server-side validation rejects obvious problems before the file
+    lands on disk.
+  - `hooks/useAuthConfig.ts` — fetch + save hook for the page.
+  - `pages/AuthPage.tsx` — the form. Includes a `SecretField` atom that
+    highlights `env:` references and masks plain secret values, so
+    agent owners are nudged toward the right pattern.
+  - Wired into `router.tsx` + `StudioShell` config nav.
+
+  Secret fields default to `env:` reference values so secrets land in
+  the agent's secrets table (encrypted), not in `amodal.json` (in git).
+
+  The form covers every persona walked through in the auth design:
+  Public chatbots → `none`. ISV server-mediated → `jwt_secret`.
+  Internal ops SSO → `oidc` (login dance handled by the runtime).
+  Proxied auth → `header`. Anything else → `custom` module path.
+
+- Updated dependencies [bde01f0]
+- Updated dependencies [bde01f0]
+- Updated dependencies [bde01f0]
+  - @amodalai/runtime@0.3.71
+  - @amodalai/core@0.3.71
+  - @amodalai/studio@0.3.71
+  - @amodalai/runtime-app@0.3.71
+  - @amodalai/types@0.3.71
+  - @amodalai/db@0.3.71
+
+## 0.3.70
+
+### Patch Changes
+
+- Updated dependencies [3b33c27]
+  - @amodalai/studio@0.3.70
+  - @amodalai/runtime@0.3.70
+  - @amodalai/db@0.3.70
+  - @amodalai/types@0.3.70
+  - @amodalai/core@0.3.70
+  - @amodalai/runtime-app@0.3.70
+
 ## 0.3.69
 
 ### Patch Changes