@amodalai/runtime 0.3.62 → 0.3.64
- package/dist/src/index.d.ts +2 -0
- package/dist/src/index.js +1 -0
- package/dist/src/index.js.map +1 -1
- package/dist/src/secrets/crypto.d.ts +23 -0
- package/dist/src/secrets/crypto.js +89 -0
- package/dist/src/secrets/crypto.js.map +1 -0
- package/dist/src/secrets/crypto.test.d.ts +6 -0
- package/dist/src/secrets/crypto.test.js +74 -0
- package/dist/src/secrets/crypto.test.js.map +1 -0
- package/dist/src/secrets/db-scope-resolver.d.ts +36 -0
- package/dist/src/secrets/db-scope-resolver.js +31 -0
- package/dist/src/secrets/db-scope-resolver.js.map +1 -0
- package/dist/src/secrets/index.d.ts +10 -0
- package/dist/src/secrets/index.js +9 -0
- package/dist/src/secrets/index.js.map +1 -0
- package/dist/src/secrets/router.d.ts +35 -0
- package/dist/src/secrets/router.js +99 -0
- package/dist/src/secrets/router.js.map +1 -0
- package/dist/src/server.d.ts +10 -1
- package/dist/src/server.js +1 -0
- package/dist/src/server.js.map +1 -1
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +4 -4
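--- a/package/dist/src/index.d.ts
+++ b/package/dist/src/index.d.ts
@@ -33,6 +33,8 @@ export { resolveScope } from './scope.js';
 export type { ResolvedScope } from './scope.js';
 export { EnvCredentialResolver, ScopeSecretsResolver, ChainResolver } from './credentials.js';
 export type { CredentialResolver } from './credentials.js';
+export { DbScopeResolver, encryptSecret, decryptSecret, loadSecretsKey, SecretsCryptoError, SecretsKeyError, createSecretsRouter, } from './secrets/index.js';
+export type { DbScopeResolverOptions, CreateSecretsRouterOptions } from './secrets/index.js';
 export type { StreamHooks, TokenCounts, UsageReport } from './session/stream-hooks.js';
 export { routeOutput } from './output/output-router.js';
 export { errorHandler } from './middleware/error-handler.js';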
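--- a/package/dist/src/index.js
+++ b/package/dist/src/index.js
@@ -46,6 +46,7 @@ export { commitSetup, composeAmodalJson, SetupNotReadyError, } from './setup/com
 export { resolveScope } from './scope.js';
 // Credential resolution
 export { EnvCredentialResolver, ScopeSecretsResolver, ChainResolver } from './credentials.js';
+export { DbScopeResolver, encryptSecret, decryptSecret, loadSecretsKey, SecretsCryptoError, SecretsKeyError, createSecretsRouter, } from './secrets/index.js';
 // Output routing (for automation result delivery)
 export { routeOutput } from './output/output-router.js';
 // Error handler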
package/dist/src/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,YAAY,EAAuB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGpD,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,oBAAoB,EAA8B,MAAM,uBAAuB,CAAC;AAEzF,0DAA0D;AAC1D,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,OAAO,EACP,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAO5B,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAGlE,gFAAgF;AAChF,2EAA2E;AAC3E,8EAA8E;AAC9E,wCAAwC;AACxC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAEnE,kEAAkE;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,iEAAiE;AACjE,kEAAkE;AAClE,iEAAiE;AACjE,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AASjC,yEAAyE;AACzE,2EAA2E;AAC3E,qEAAqE;AACrE,0CAA0C;AAC1C,gEAAgE;AAEhE,mBAAmB;AACnB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,wBAAwB;AACxB,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,YAAY,EAAuB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGpD,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,oBAAoB,EAA8B,MAAM,uBAAuB,CAAC;AAEzF,0DAA0D;AAC1D,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,OAAO,EACP,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAO5B,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAGlE,gFAAgF;AAChF,2EAA2E;AAC3E,8EAA8E;AAC9E,wCAAwC;AACxC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAEnE,kEAAkE;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,iEAAiE;AACjE,kEAAkE;AAClE,iEAAiE;AACjE,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AASjC,yEAAyE;AACzE,2EAA2E;AAC3E,qEAAqE;AACrE,0CAA0C;AAC1C,gEAAgE;AAEhE,mBAAmB;AACnB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,wBAAwB;AACxB,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE9F,OAAO,EACL,eAAe,EACf,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAM5B,kDAAkD;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAExD,gBAAgB;AAChB,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,sBAAsB;AACtB,OAAO,EACL,WAAW,EACX,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,eAAe,EACf,WAAW,GACZ,MAAM,aAAa,CAAC;AAGrB,SAAS;AACT,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGlL,SAAS;AACT,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,2CAA2C;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAajE,6BAA6B;AAC7B,O
AAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAmBvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AASzD,mBAAmB;AACnB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAErC,8CAA8C;AAC9C,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAEhC,+BAA+B;AAC/B,OAAO,EAAC,kBAAkB,EAAC,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAGhF,0BAA0B;AAC1B,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAG/E,cAAc;AACd,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAGlK,6BAA6B;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AAiBjF,kBAAkB;AAClB,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAGnH,uBAAuB;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,qBAAqB;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE5D,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AAEnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,wCAAwC,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,qBAAqB;AACrB,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAO/E,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW,EAAE,YAAoB;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,YAAoB;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,YAAY,CAAC;IAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,KAAK,UAAU,IAAI;IACjB,iBAAiB;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,IAAI,GA
AG,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,SAAS,CAAC,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEjE,0BAA0B;IAC1B,IAAI,cAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC;QAE3D,cAAc,GAAG,YAAY,CAAC;YAC5B,MAAM,EAAE;gBACN,IAAI;gBACJ,IAAI;gBACJ,YAAY;gBACZ,WAAW,EAAE,EAAE;gBACf,UAAU;aACX;YACD,OAAO,EAAE,cAAc;SACxB,CAAC,CAAC;QAEH,MAAM,cAAc,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QACvD,GAAG,CAAC,IAAI,CAAC,YAAY,MAAM,oBAAoB,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,KAAK,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,+EAA+E;AAC/E,MAAM,YAAY,GAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACf,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAEnD,IAAI,YAAY,EAAE,CAAC;IACjB,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
export declare class SecretsKeyError extends Error {
|
|
7
|
+
}
|
|
8
|
+
export declare class SecretsCryptoError extends Error {
|
|
9
|
+
}
|
|
10
|
+
/**
|
|
11
|
+
* Decode a base64 key from env. Throws `SecretsKeyError` if missing or
|
|
12
|
+
* the wrong length. Callers should call this once at startup so missing
|
|
13
|
+
* keys fail fast instead of at first secret access.
|
|
14
|
+
*/
|
|
15
|
+
export declare function loadSecretsKey(envValue: string | undefined): Buffer;
|
|
16
|
+
/** Encrypt a plain-text value. Returns the storage-formatted ciphertext. */
|
|
17
|
+
export declare function encryptSecret(plain: string, key: Buffer): string;
|
|
18
|
+
/**
|
|
19
|
+
* Decrypt a storage-formatted ciphertext. Throws `SecretsCryptoError`
|
|
20
|
+
* if the format is malformed or the auth tag fails (key mismatch /
|
|
21
|
+
* tampering).
|
|
22
|
+
*/
|
|
23
|
+
export declare function decryptSecret(stored: string, key: Buffer): string;
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Symmetric encryption for the `secrets` table. AES-256-GCM with a
|
|
8
|
+
* 32-byte key (provided via the runtime's `SECRETS_ENCRYPTION_KEY`
|
|
9
|
+
* env var, base64-encoded) and a fresh 12-byte IV per encryption.
|
|
10
|
+
*
|
|
11
|
+
* Storage format: `base64(iv).base64(authTag).base64(ciphertext)`.
|
|
12
|
+
*/
|
|
13
|
+
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
|
|
14
|
+
const ALGORITHM = 'aes-256-gcm';
|
|
15
|
+
const KEY_BYTES = 32;
|
|
16
|
+
const IV_BYTES = 12;
|
|
17
|
+
export class SecretsKeyError extends Error {
|
|
18
|
+
}
|
|
19
|
+
export class SecretsCryptoError extends Error {
|
|
20
|
+
}
|
|
21
|
+
/**
|
|
22
|
+
* Decode a base64 key from env. Throws `SecretsKeyError` if missing or
|
|
23
|
+
* the wrong length. Callers should call this once at startup so missing
|
|
24
|
+
* keys fail fast instead of at first secret access.
|
|
25
|
+
*/
|
|
26
|
+
export function loadSecretsKey(envValue) {
|
|
27
|
+
if (!envValue) {
|
|
28
|
+
throw new SecretsKeyError('SECRETS_ENCRYPTION_KEY is not set. Generate a 32-byte key and base64-encode it: ' +
|
|
29
|
+
'`openssl rand -base64 32`.');
|
|
30
|
+
}
|
|
31
|
+
let key;
|
|
32
|
+
try {
|
|
33
|
+
key = Buffer.from(envValue, 'base64');
|
|
34
|
+
}
|
|
35
|
+
catch {
|
|
36
|
+
throw new SecretsKeyError('SECRETS_ENCRYPTION_KEY is not valid base64');
|
|
37
|
+
}
|
|
38
|
+
if (key.length !== KEY_BYTES) {
|
|
39
|
+
throw new SecretsKeyError(`SECRETS_ENCRYPTION_KEY must decode to ${String(KEY_BYTES)} bytes ` +
|
|
40
|
+
`(got ${String(key.length)}). Generate with: openssl rand -base64 32.`);
|
|
41
|
+
}
|
|
42
|
+
return key;
|
|
43
|
+
}
|
|
44
|
+
/** Encrypt a plain-text value. Returns the storage-formatted ciphertext. */
|
|
45
|
+
export function encryptSecret(plain, key) {
|
|
46
|
+
const iv = randomBytes(IV_BYTES);
|
|
47
|
+
const cipher = createCipheriv(ALGORITHM, key, iv);
|
|
48
|
+
const ciphertext = Buffer.concat([cipher.update(plain, 'utf-8'), cipher.final()]);
|
|
49
|
+
const authTag = cipher.getAuthTag();
|
|
50
|
+
return `${iv.toString('base64')}.${authTag.toString('base64')}.${ciphertext.toString('base64')}`;
|
|
51
|
+
}
|
|
52
|
+
/**
|
|
53
|
+
* Decrypt a storage-formatted ciphertext. Throws `SecretsCryptoError`
|
|
54
|
+
* if the format is malformed or the auth tag fails (key mismatch /
|
|
55
|
+
* tampering).
|
|
56
|
+
*/
|
|
57
|
+
export function decryptSecret(stored, key) {
|
|
58
|
+
const parts = stored.split('.');
|
|
59
|
+
if (parts.length !== 3) {
|
|
60
|
+
throw new SecretsCryptoError(`Malformed encrypted secret (expected 3 parts, got ${String(parts.length)})`);
|
|
61
|
+
}
|
|
62
|
+
// ciphertext segment may legitimately be empty (empty plaintext);
|
|
63
|
+
// iv and tag must always be present.
|
|
64
|
+
const [ivPart, tagPart, ctPart = ''] = parts;
|
|
65
|
+
if (!ivPart || !tagPart) {
|
|
66
|
+
throw new SecretsCryptoError('Malformed encrypted secret (empty iv or auth tag)');
|
|
67
|
+
}
|
|
68
|
+
let iv;
|
|
69
|
+
let authTag;
|
|
70
|
+
let ciphertext;
|
|
71
|
+
try {
|
|
72
|
+
iv = Buffer.from(ivPart, 'base64');
|
|
73
|
+
authTag = Buffer.from(tagPart, 'base64');
|
|
74
|
+
ciphertext = Buffer.from(ctPart, 'base64');
|
|
75
|
+
}
|
|
76
|
+
catch {
|
|
77
|
+
throw new SecretsCryptoError('Malformed encrypted secret (base64 decode failed)');
|
|
78
|
+
}
|
|
79
|
+
try {
|
|
80
|
+
const decipher = createDecipheriv(ALGORITHM, key, iv);
|
|
81
|
+
decipher.setAuthTag(authTag);
|
|
82
|
+
const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
|
|
83
|
+
return plain.toString('utf-8');
|
|
84
|
+
}
|
|
85
|
+
catch (err) {
|
|
86
|
+
throw new SecretsCryptoError(`Decryption failed (auth tag mismatch or wrong key): ${err instanceof Error ? err.message : String(err)}`);
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
//# sourceMappingURL=crypto.js.map
|
|
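Review bot: `decryptSecret` never checks the decoded lengths of `iv` and `authTag` before handing them to `createDecipheriv` / `setAuthTag`, and Node's GCM decipher accepts authentication tags shorter than 16 bytes unless `authTagLength` is given, so a stored value with a shortened tag segment is verified at reduced strength rather than rejected as malformed. I would pin both: `if (iv.length !== IV_BYTES || authTag.length !== 16) throw new SecretsCryptoError('Malformed encrypted secret (bad iv or auth tag length)');` and `createDecipheriv(ALGORITHM, key, iv, { authTagLength: 16 })`. Separately, `Buffer.from(x, 'base64')` does not throw on invalid input (unrecognised characters are skipped), so the `catch` branches in `decryptSecret` and in `loadSecretsKey` look unreachable. The "not valid base64" message can therefore never be produced, and only the length checks stand between a mistyped value and acceptance; a comment saying so, or an explicit format check before decoding, would make that visible.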
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/secrets/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AAEH,OAAO,EAAC,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAC,MAAM,aAAa,CAAC;AAE1E,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,QAAQ,GAAG,EAAE,CAAC;AAEpB,MAAM,OAAO,eAAgB,SAAQ,KAAK;CAAG;AAC7C,MAAM,OAAO,kBAAmB,SAAQ,KAAK;CAAG;AAEhD;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,QAA4B;IACzD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,eAAe,CACvB,kFAAkF;YAChF,4BAA4B,CAC/B,CAAC;IACJ,CAAC;IACD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,eAAe,CAAC,4CAA4C,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CACvB,yCAAyC,MAAM,CAAC,SAAS,CAAC,SAAS;YACjE,QAAQ,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,4CAA4C,CACzE,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,GAAW;IACtD,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AACnG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,GAAW;IACvD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,kBAAkB,CAC1B,qDAAqD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAC7E,CAAC;IACJ,CAAC;IACD,kEAAkE;IAClE,qCAAqC;IACrC,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,CAAC;IAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,kBAAkB,CAAC,mDAAmD,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,EAAU,CAAC;IACf,IAAI,OAAe,CAAC;IACpB,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACnC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QA
AQ,CAAC,CAAC;QACzC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,kBAAkB,CAAC,mDAAmD,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,kBAAkB,CAC1B,uDAAuD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC1G,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
import { randomBytes } from 'node:crypto';
|
|
7
|
+
import { describe, it, expect } from 'vitest';
|
|
8
|
+
import { encryptSecret, decryptSecret, loadSecretsKey, SecretsCryptoError, SecretsKeyError, } from './crypto.js';
|
|
9
|
+
describe('secrets crypto', () => {
|
|
10
|
+
const key = randomBytes(32);
|
|
11
|
+
describe('loadSecretsKey', () => {
|
|
12
|
+
it('rejects missing key', () => {
|
|
13
|
+
expect(() => loadSecretsKey(undefined)).toThrow(SecretsKeyError);
|
|
14
|
+
expect(() => loadSecretsKey('')).toThrow(SecretsKeyError);
|
|
15
|
+
});
|
|
16
|
+
it('rejects wrong-length key', () => {
|
|
17
|
+
expect(() => loadSecretsKey(Buffer.alloc(16).toString('base64'))).toThrow(SecretsKeyError);
|
|
18
|
+
expect(() => loadSecretsKey(Buffer.alloc(64).toString('base64'))).toThrow(SecretsKeyError);
|
|
19
|
+
});
|
|
20
|
+
it('accepts a valid 32-byte base64 key', () => {
|
|
21
|
+
const k = loadSecretsKey(randomBytes(32).toString('base64'));
|
|
22
|
+
expect(k.length).toBe(32);
|
|
23
|
+
});
|
|
24
|
+
});
|
|
25
|
+
describe('encrypt/decrypt roundtrip', () => {
|
|
26
|
+
it('roundtrips ASCII text', () => {
|
|
27
|
+
const enc = encryptSecret('hubspot-api-key-abc123', key);
|
|
28
|
+
expect(decryptSecret(enc, key)).toBe('hubspot-api-key-abc123');
|
|
29
|
+
});
|
|
30
|
+
it('roundtrips empty string', () => {
|
|
31
|
+
const enc = encryptSecret('', key);
|
|
32
|
+
expect(decryptSecret(enc, key)).toBe('');
|
|
33
|
+
});
|
|
34
|
+
it('roundtrips Unicode', () => {
|
|
35
|
+
const enc = encryptSecret('🔐 password: pässwörd', key);
|
|
36
|
+
expect(decryptSecret(enc, key)).toBe('🔐 password: pässwörd');
|
|
37
|
+
});
|
|
38
|
+
it('produces a different ciphertext each call (fresh IV)', () => {
|
|
39
|
+
const a = encryptSecret('same-plaintext', key);
|
|
40
|
+
const b = encryptSecret('same-plaintext', key);
|
|
41
|
+
expect(a).not.toBe(b);
|
|
42
|
+
expect(decryptSecret(a, key)).toBe(decryptSecret(b, key));
|
|
43
|
+
});
|
|
44
|
+
it('storage format is iv.tag.ciphertext (3 base64 segments)', () => {
|
|
45
|
+
const enc = encryptSecret('x', key);
|
|
46
|
+
expect(enc.split('.').length).toBe(3);
|
|
47
|
+
});
|
|
48
|
+
});
|
|
49
|
+
describe('decrypt failure modes', () => {
|
|
50
|
+
it('rejects malformed ciphertext (wrong segment count)', () => {
|
|
51
|
+
expect(() => decryptSecret('not.real', key)).toThrow(SecretsCryptoError);
|
|
52
|
+
expect(() => decryptSecret('a.b.c.d', key)).toThrow(SecretsCryptoError);
|
|
53
|
+
});
|
|
54
|
+
it('rejects empty iv or auth tag', () => {
|
|
55
|
+
expect(() => decryptSecret('.tag.ct', key)).toThrow(SecretsCryptoError);
|
|
56
|
+
expect(() => decryptSecret('iv..ct', key)).toThrow(SecretsCryptoError);
|
|
57
|
+
});
|
|
58
|
+
it('rejects auth-tag mismatch (wrong key)', () => {
|
|
59
|
+
const enc = encryptSecret('secret-value', key);
|
|
60
|
+
const wrongKey = randomBytes(32);
|
|
61
|
+
expect(() => decryptSecret(enc, wrongKey)).toThrow(SecretsCryptoError);
|
|
62
|
+
});
|
|
63
|
+
it('rejects tampered ciphertext', () => {
|
|
64
|
+
const enc = encryptSecret('secret-value', key);
|
|
65
|
+
const parts = enc.split('.');
|
|
66
|
+
// Flip one bit in the ciphertext
|
|
67
|
+
const ct = Buffer.from(parts[2], 'base64');
|
|
68
|
+
ct[0] = (ct[0] ^ 0x01);
|
|
69
|
+
const tampered = `${parts[0]}.${parts[1]}.${ct.toString('base64')}`;
|
|
70
|
+
expect(() => decryptSecret(tampered, key)).toThrow(SecretsCryptoError);
|
|
71
|
+
});
|
|
72
|
+
});
|
|
73
|
+
});
|
|
74
|
+
//# sourceMappingURL=crypto.test.js.map
|
|
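Review bot: The `decrypt failure modes` group covers a wrong key and a flipped ciphertext bit, but no case modifies the IV segment or modifies or shortens the auth-tag segment of an otherwise valid value. Those are the two inputs where `decryptSecret` relies entirely on the decipher's own checks, so a regression there would go unnoticed. I would add two cases built like `rejects tampered ciphertext`: one that flips a bit in `parts[0]` and one that re-encodes `parts[1]` truncated to fewer bytes, each expecting `SecretsCryptoError`.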
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"crypto.test.js","sourceRoot":"","sources":["../../../src/secrets/crypto.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAC,MAAM,QAAQ,CAAC;AAC5C,OAAO,EACL,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAE5B,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;YAC7B,MAAM,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YACjE,MAAM,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YAC3F,MAAM,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC7F,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,CAAC,GAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC7D,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,GAAG,GAAG,aAAa,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;YACzD,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,GAAG,GAAG,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,MAAM,GAAG,GAAG,aAAa,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;YACxD,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,MAAM,CAAC,GAAG,aAAa,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,CAAC,GAAG,aAAa,CAAC,gBAAg
B,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACpC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;YACzE,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;YACxE,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,GAAG,GAAG,aAAa,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;YACjC,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,GAAG,GAAG,aAAa,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,iCAAiC;YAEjC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;YAE3C,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YACvB,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpE,MAAM,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* `scope:KEY` credential resolver backed by the runtime's own per-agent
|
|
8
|
+
* Postgres `secrets` table. Replaces the platform-side resolver call
|
|
9
|
+
* that hosted runtimes used to make on every `scope:KEY` reference.
|
|
10
|
+
*
|
|
11
|
+
* Lookup order:
|
|
12
|
+
* 1. `(name, scope='user', scope_id)` — per-end-user OAuth tokens
|
|
13
|
+
* 2. `(name, scope='org', scope_id='')` — org-level fallback
|
|
14
|
+
*
|
|
15
|
+
* The org-level fallback lets agents reference shared connection
|
|
16
|
+
* credentials with the same `scope:` prefix as user-specific ones.
|
|
17
|
+
* If neither row exists, `resolve` returns `undefined`.
|
|
18
|
+
*/
|
|
19
|
+
import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
|
|
20
|
+
import type { CredentialResolver } from '../credentials.js';
|
|
21
|
+
type Db = NodePgDatabase<Record<string, unknown>>;
|
|
22
|
+
export interface DbScopeResolverOptions {
|
|
23
|
+
db: Db;
|
|
24
|
+
/** AES-256 key bytes (loaded once via `loadSecretsKey` at startup). */
|
|
25
|
+
encryptionKey: Buffer;
|
|
26
|
+
/** End-user ID this resolver is scoped to. */
|
|
27
|
+
scopeId: string;
|
|
28
|
+
}
|
|
29
|
+
export declare class DbScopeResolver implements CredentialResolver {
|
|
30
|
+
private readonly db;
|
|
31
|
+
private readonly encryptionKey;
|
|
32
|
+
private readonly scopeId;
|
|
33
|
+
constructor(opts: DbScopeResolverOptions);
|
|
34
|
+
resolve(ref: string): Promise<string | undefined>;
|
|
35
|
+
}
|
|
36
|
+
export {};
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
import { getSecret } from '@amodalai/db';
|
|
7
|
+
import { decryptSecret } from './crypto.js';
|
|
8
|
+
export class DbScopeResolver {
|
|
9
|
+
db;
|
|
10
|
+
encryptionKey;
|
|
11
|
+
scopeId;
|
|
12
|
+
constructor(opts) {
|
|
13
|
+
this.db = opts.db;
|
|
14
|
+
this.encryptionKey = opts.encryptionKey;
|
|
15
|
+
this.scopeId = opts.scopeId;
|
|
16
|
+
}
|
|
17
|
+
async resolve(ref) {
|
|
18
|
+
if (!ref.startsWith('scope:'))
|
|
19
|
+
return undefined;
|
|
20
|
+
const name = ref.slice(6);
|
|
21
|
+
// Try user-scoped first, then org-level fallback.
|
|
22
|
+
const userRow = this.scopeId
|
|
23
|
+
? await getSecret(this.db, name, 'user', this.scopeId)
|
|
24
|
+
: null;
|
|
25
|
+
const row = userRow ?? (await getSecret(this.db, name, 'org', ''));
|
|
26
|
+
if (!row)
|
|
27
|
+
return undefined;
|
|
28
|
+
return decryptSecret(row.valueEnc, this.encryptionKey);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
//# sourceMappingURL=db-scope-resolver.js.map
|
|
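Review bot: `resolve` decrypts `row.valueEnc` with only the key, and `encryptSecret(plain, key)` in `crypto.js` sets no associated data, so the ciphertext is not bound to the `(name, scope, scopeId)` row it was stored under. A value written for one row would still authenticate and decrypt if it appeared in a different row, which the auth tag (documented as covering "tampering") would not detect. If that matters for the deployment's threat model, the row identity could be passed as AAD on both sides, for example `cipher.setAAD(Buffer.from(`${scope}:${scopeId}:${name}`))` with the matching `decipher.setAAD(...)`. This needs an extra parameter on `encryptSecret` / `decryptSecret` and a migration for existing rows. A smaller point in the same method: a bare `scope:` reference yields `name === ''` and still reaches `getSecret`; an early `return undefined` for an empty name would keep the lookup well-formed.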
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"db-scope-resolver.js","sourceRoot":"","sources":["../../../src/secrets/db-scope-resolver.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAEvC,OAAO,EAAC,aAAa,EAAC,MAAM,aAAa,CAAC;AAY1C,MAAM,OAAO,eAAe;IACT,EAAE,CAAK;IACP,aAAa,CAAS;IACtB,OAAO,CAAS;IAEjC,YAAY,IAA4B;QACtC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACxC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,SAAS,CAAC;QAChD,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE1B,kDAAkD;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO;YAC1B,CAAC,CAAC,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC;YACtD,CAAC,CAAC,IAAI,CAAC;QACT,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAE3B,OAAO,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IACzD,CAAC;CACF"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
export { DbScopeResolver } from './db-scope-resolver.js';
|
|
7
|
+
export type { DbScopeResolverOptions } from './db-scope-resolver.js';
|
|
8
|
+
export { encryptSecret, decryptSecret, loadSecretsKey, SecretsCryptoError, SecretsKeyError, } from './crypto.js';
|
|
9
|
+
export { createSecretsRouter } from './router.js';
|
|
10
|
+
export type { CreateSecretsRouterOptions } from './router.js';
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @license
|
|
3
|
+
* Copyright 2026 Amodal Labs, Inc.
|
|
4
|
+
* SPDX-License-Identifier: MIT
|
|
5
|
+
*/
|
|
6
|
+
export { DbScopeResolver } from './db-scope-resolver.js';
|
|
7
|
+
export { encryptSecret, decryptSecret, loadSecretsKey, SecretsCryptoError, SecretsKeyError, } from './crypto.js';
|
|
8
|
+
export { createSecretsRouter } from './router.js';
|
|
9
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,eAAe,EAAC,MAAM,wBAAwB,CAAC;AAEvD,OAAO,EACL,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAC,mBAAmB,EAAC,MAAM,aAAa,CAAC"}
|
|
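--- a/package/dist/src/secrets/router.d.ts
+++ b/package/dist/src/secrets/router.d.ts
@@ -0,0 +1,35 @@
+/**
+* @license
+* Copyright 2026 Amodal Labs, Inc.
+* SPDX-License-Identifier: MIT
+*/
+/**
+* Express router exposing CRUD over the agent's `secrets` table.
+*
+* Hosting layers mount this behind admin auth — anyone reaching these
+* endpoints can write or delete secrets for the agent. Routes:
+*
+* POST /api/secrets — upsert a secret (encrypts on the way in)
+* GET /api/secrets — list secrets (metadata only, never the value)
+* DELETE /api/secrets — delete a secret by (name, scope, scopeId)
+*
+* The router never returns decrypted secret values over HTTP. Resolution
+* happens server-side at agent-loop time via `DbScopeResolver`.
+*/
+import { Router } from 'express';
+import type { RequestHandler } from 'express';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+type Db = NodePgDatabase<Record<string, unknown>>;
+export interface CreateSecretsRouterOptions {
+db: Db;
+/** AES-256 key bytes (loaded once via `loadSecretsKey` at startup). */
+encryptionKey: Buffer;
+/**
+* Auth middleware applied to every route. Hosting layers should pass
+* an admin-role-gated middleware — these routes can read/write/delete
+* any secret on the agent.
+*/
+authMiddleware?: RequestHandler;
+}
+export declare function createSecretsRouter(options: CreateSecretsRouterOptions): Router;
+export {};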
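Review bot: `authMiddleware` is declared optional at new line 32, and `createSecretsRouter` in router.js only mounts it under `if (authMiddleware)`, so a caller that omits the option gets POST, GET and DELETE on `/api/secrets` with no authentication at all. For a router that writes and deletes credentials the safer default is to fail closed: make the field required (`authMiddleware: RequestHandler;`) and have the factory throw when it is missing. If the optional form has to stay, the doc comment should say so explicitly, for example `When omitted, the routes are mounted without any authentication; the caller must gate the router itself.` The same comment says the routes can read any secret, while the module header says values are never returned over HTTP; one of the two should be reworded.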
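--- a/package/dist/src/secrets/router.js
+++ b/package/dist/src/secrets/router.js
@@ -0,0 +1,99 @@
+/**
+* @license
+* Copyright 2026 Amodal Labs, Inc.
+* SPDX-License-Identifier: MIT
+*/
+/**
+* Express router exposing CRUD over the agent's `secrets` table.
+*
+* Hosting layers mount this behind admin auth — anyone reaching these
+* endpoints can write or delete secrets for the agent. Routes:
+*
+* POST /api/secrets — upsert a secret (encrypts on the way in)
+* GET /api/secrets — list secrets (metadata only, never the value)
+* DELETE /api/secrets — delete a secret by (name, scope, scopeId)
+*
+* The router never returns decrypted secret values over HTTP. Resolution
+* happens server-side at agent-loop time via `DbScopeResolver`.
+*/
+import { Router } from 'express';
+import { z } from 'zod';
+import { deleteSecret, listSecrets, upsertSecret, } from '@amodalai/db';
+import { asyncHandler } from '../routes/route-helpers.js';
+import { encryptSecret } from './crypto.js';
+const ScopeSchema = z.enum(['org', 'user']);
+const UpsertBodySchema = z.object({
+name: z.string().min(1).max(255),
+value: z.string(),
+scope: ScopeSchema,
+scopeId: z.string().optional(),
+}).refine((b) => b.scope === 'org' || (b.scopeId !== undefined && b.scopeId.length > 0), { message: 'scopeId is required when scope is "user"' });
+const ScopeQuerySchema = z.object({
+scope: ScopeSchema.optional(),
+scopeId: z.string().optional(),
+});
+const DeleteQuerySchema = z.object({
+name: z.string().min(1),
+scope: ScopeSchema,
+scopeId: z.string().optional(),
+});
+function metadataResponse(m) {
+return {
+id: m.id,
+name: m.name,
+scope: m.scope,
+scopeId: m.scopeId,
+createdAt: m.createdAt.toISOString(),
+updatedAt: m.updatedAt.toISOString(),
+};
+}
+export function createSecretsRouter(options) {
+const router = Router();
+const { db, encryptionKey, authMiddleware } = options;
+if (authMiddleware) {
+router.use('/api/secrets', authMiddleware);
+}
+router.post('/api/secrets', asyncHandler(async (req, res) => {
+const parsed = UpsertBodySchema.safeParse(req.body);
+if (!parsed.success) {
+res.status(400).json({ error: { code: 'invalid_body', message: parsed.error.message } });
+return;
+}
+const { name, value, scope, scopeId } = parsed.data;
+const valueEnc = encryptSecret(value, encryptionKey);
+await upsertSecret(db, { name, valueEnc, scope, scopeId });
+const all = await listSecrets(db, { scope, scopeId });
+const created = all.find((m) => m.name === name);
+if (!created) {
+// Shouldn't happen — we just upserted — but keeps types honest.
+res.status(500).json({ error: { code: 'upsert_failed', message: 'Secret was not persisted' } });
+return;
+}
+res.status(200).json(metadataResponse(created));
+}));
+router.get('/api/secrets', asyncHandler(async (req, res) => {
+const parsed = ScopeQuerySchema.safeParse(req.query);
+if (!parsed.success) {
+res.status(400).json({ error: { code: 'invalid_query', message: parsed.error.message } });
+return;
+}
+const rows = await listSecrets(db, parsed.data);
+res.status(200).json(rows.map(metadataResponse));
+}));
+router.delete('/api/secrets', asyncHandler(async (req, res) => {
+const parsed = DeleteQuerySchema.safeParse(req.query);
+if (!parsed.success) {
+res.status(400).json({ error: { code: 'invalid_query', message: parsed.error.message } });
+return;
+}
+const { name, scope, scopeId } = parsed.data;
+const deleted = await deleteSecret(db, name, scope, scopeId ?? '');
+if (!deleted) {
+res.status(404).json({ error: { code: 'not_found', message: 'Secret not found' } });
+return;
+}
+res.status(200).json({ ok: true });
+}));
+return router;
+}
+//# sourceMappingURL=router.js.map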
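Review bot: `DeleteQuerySchema` (new lines 35–39) lacks the `scopeId` refinement that `UpsertBodySchema` carries, so a DELETE with `scope=user` and no `scopeId` passes validation and reaches `deleteSecret` with `scopeId ?? ''`. What an empty scope id matches depends on `@amodalai/db`, which is not visible here; at best the caller gets a 404 where a 400 would describe the mistake. Adding the same check keeps the write and delete paths consistent: `.refine((q) => q.scope === 'org' || (q.scopeId !== undefined && q.scopeId.length > 0), { message: 'scopeId is required when scope is "user"' })`. Separately, `value: z.string()` at new line 27 accepts an empty string and has no upper bound, so a length range on it (the maximum being a project decision) would reject both before `encryptSecret` runs.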
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../../src/secrets/router.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,SAAS,CAAC;AAE/B,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EACL,YAAY,EACZ,WAAW,EACX,YAAY,GAGb,MAAM,cAAc,CAAC;AACtB,OAAO,EAAC,YAAY,EAAC,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAC,aAAa,EAAC,MAAM,aAAa,CAAC;AAgB1C,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAE5C,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,KAAK,EAAE,WAAW;IAClB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC,MAAM,CACP,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,EAC7E,EAAC,OAAO,EAAE,0CAA0C,EAAC,CACtD,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;IAC7B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,WAAW;IAClB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,CAAiB;IAQzC,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;QACpC,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAmC;IACrE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,MAAM,EAAC,EAAE,EAAE,aAAa,EAAE,cAAc,EAAC,GAAG,OAAO,CAAC;IAEpD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,IAAI,CACT,cAAc,EACd,YAAY,CAAC,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO
,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAC,EAAC,CAAC,CAAC;YACrF,OAAO;QACT,CAAC;QACD,MAAM,EAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAC,GAAG,MAAM,CAAC,IAAI,CAAC;QAClD,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QACrD,MAAM,YAAY,CAAC,EAAE,EAAE,EAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAC,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,EAAC,KAAK,EAAE,OAAO,EAAC,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,gEAAgE;YAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,0BAA0B,EAAC,EAAC,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,cAAc,EACd,YAAY,CAAC,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAC,EAAC,CAAC,CAAC;YACtF,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,cAAc,EACd,YAAY,CAAC,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAC,EAAC,CAAC,CAAC;YACtF,OAAO;QACT,CAAC;QACD,MAAM,EAAC,IAAI,EAAE,KAAK,EAAE,OAAO,EAAC,GAAG,MAAM,CAAC,IAAI,CAAC;QAC3C,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAC,EAAC,CAAC,CAAC;YACh
F,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
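--- a/package/dist/src/server.d.ts
+++ b/package/dist/src/server.d.ts
@@ -12,7 +12,7 @@
 import express from 'express';
 import type { Express } from 'express';
 import type http from 'node:http';
-import type { AgentBundle, ChannelAdapter, ChannelSessionMapper, StoreBackend } from '@amodalai/types';
+import type { AgentBundle, ChannelAdapter, ChannelSessionMapper, CustomToolExecutor, StoreBackend } from '@amodalai/types';
 import type { StreamHooks } from './session/stream-hooks.js';
 import type { AuthContext } from './middleware/auth.js';
 import type { SessionComponents } from './session/session-builder.js';
@@ -93,6 +93,15 @@ export interface CreateServerOptions {
 sessionStore?: SessionStore;
 /** Optional store backend for document stores. Passed to agent tools. */
 storeBackend?: StoreBackend;
+/**
+* Custom tool executor for handling agent-defined custom tools. When
+* unset, custom tools in the bundle are silently not registered.
+* `createSnapshotServer` and `createLocalServer` auto-instantiate a
+* `LocalToolExecutor` if one isn't provided; `createServer` requires
+* the hosting layer to pass it explicitly because the hosting layer
+* may want a different implementation (remote sandbox, etc.).
+*/
+toolExecutor?: CustomToolExecutor;
 }
 /**
 * Create the Express server with all routes, session management, and graceful shutdown.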
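Review bot: The new `toolExecutor` doc (new lines 96–104) says an unset executor leaves custom tools "silently not registered", which makes a misconfigured hosting layer hard to tell apart from a bundle that has no custom tools. The implementation in server.js is not shown on this page, so this is a suggestion rather than a confirmed gap: a single startup warning when the bundle declares custom tools and no executor was passed would make the condition visible. Since the executor is what runs agent-defined tool code, the comment could also state what isolation `LocalToolExecutor` provides compared with a remote sandbox, so that hosting layers choose deliberately. `CreateServerOptions` begins outside this hunk.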
package/dist/src/server.js
CHANGED
package/dist/src/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;GAKG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAI9B,OAAO,EAAC,YAAY,EAAC,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAC,oBAAoB,EAAC,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAC,wBAAwB,EAAC,MAAM,sBAAsB,CAAC;AAK9D,OAAO,EAAC,eAAe,EAAC,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAC,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAC,iBAAiB,EAAC,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAC,GAAG,EAAE,YAAY,EAAC,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAC,mBAAmB,EAAoB,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAC,YAAY,EAAC,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAC,2BAA2B,EAAC,MAAM,8BAA8B,CAAC;
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;GAKG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAI9B,OAAO,EAAC,YAAY,EAAC,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAC,oBAAoB,EAAC,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAC,wBAAwB,EAAC,MAAM,sBAAsB,CAAC;AAK9D,OAAO,EAAC,eAAe,EAAC,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAC,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAC,iBAAiB,EAAC,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAC,GAAG,EAAE,YAAY,EAAC,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAC,mBAAmB,EAAoB,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAC,YAAY,EAAC,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAC,2BAA2B,EAAC,MAAM,8BAA8B,CAAC;AAyFzE;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAA4B;IACvD,MAAM,EAAC,MAAM,EAAC,GAAG,OAAO,CAAC;IACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,6BAA6B;IAC7B,MAAM,aAAa,GAAG,YAAY,CAAC,EAAC,SAAS,EAAE,gBAAgB,EAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC;QAClD,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,MAAM,CAAC,YAAY;QAC1B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,OAAO,CAAC,YAAY,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CAAC;IACH,cAAc,CAAC,KAAK,EAAE,CAAC;IAEvB,MAAM,MAAM,GAAG;QACb,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,IAAI;QAC1C,UAAU,EAAE,IAAI;QAChB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC;IAEF,yCAAyC;IACzC,MAAM,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;IAEvC,sBAAsB;IACtB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IAEtB,kBAAkB;IAClB,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC1B,GAAG,CAAC,MAAM,CAAC,6BAA6B,EAAE,UAAU,CAAC,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,+DAA+D,CAAC,CAAC;QAC5G,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,wCAAwC,CAAC,CAAC;QACrF,GAAG,CAAC,MAAM,CAAC,+BAA+B,EAAE,+BAA+B,CAAC,CAAC;QAC7E,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,iEAAiE;IACjE,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,GAAG,
CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YACjC,eAAe,EAAE,cAAc,CAAC,IAAI;SACrC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kFAAkF;IAClF,qEAAqE;IACrE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,mBAAmB,CAAC;IAEjE,iDAAiD;IACjD,8EAA8E;IAC9E,0DAA0D;IAC1D,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACjD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAC,CAAC,CAAC;YACrD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAC;aACrE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAC,CAAC,CAAC;QAClE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC,CAAC,CAAC,CAAC;IAEJ,wCAAwC;IACxC,wFAAwF;IACxF,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC5C,MAAM,uBAAuB,GAC3B,OAAO,CAAC,cAAc,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxD,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC5C,IAAI,MAAM,KAAK,UAAU,SAAS,EAAE,EAAE,CAAC;YACrC,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG;gBAC1B,KAAK,EAAE,SAAS;gBAChB,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,SAAS;gBACnD,UAAU,EAAE,OAAO;aACpB,CAAC;YACF,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,wBAAwB,EAAE,EAAE,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,IAAI,uBAAuB,EAAE,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,uBAAuB,CAAC,CAAC;QACjD,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,uBAAuB,CAAC,CAAC;IAChD,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC;QAC7B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO
,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IACJ,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAC3B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IAEJ,qBAAqB;IACrB,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;QAChG,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,eAAe,CAAC;YACrE,eAAe,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;gBAC9B,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE;oBAC3C,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;QAEH,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,oBAAoB,CAAC;YACxC,QAAQ,EAAE,OAAO,CAAC,eAAe;YACjC,aAAa,EAAE,OAAO,CAAC,oBAAoB;YAC3C,cAAc;YACd,UAAU,EAAE,IAAI,iBAAiB,EAAE;YACnC,QAAQ,EAAE,eAAe;YACzB,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC,CAAC;QAEJ,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAC,QAAQ,EAAE,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EAAC,CAAC,CAAC;IACvF,CAAC;IAED,2DAA2D;IAC3D,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC;YAClC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc;YACd,QAAQ;YACR,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,OAAO;SACjC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,sEAAsE;IACtE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC/C,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IAED,+BAA+B;IAC/B,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAEtB,IAAI,MAAM,GAAuB,IAAI,CAAC;IAEtC,OAAO;QACL,GAAG;QAEH,KAAK,CAAC,KAAK;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;oBAC3D,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAC,CAAC,CAAC;oBAC1E,OAAO,C
AAC,UAAU,CAAC,CAAC;gBACtB,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,IAAI;YACR,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,GAAG,MAAM,CAAC;gBACjB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBACd,IAAI,GAAG;4BAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;4BAChB,OAAO,EAAE,CAAC;oBACjB,CAAC,CAAC,CAAC;oBACH,CAAC,CAAC,mBAAmB,EAAE,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;YAC7B,CAAC;YAED,MAAM,cAAc,CAAC,QAAQ,EAAE,CAAC;YAEhC,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC"}
|