@caracalai/admin 0.1.6-rc.3 → 0.2.0-rc.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/client.d.ts +66 -34
- package/dist/client.d.ts.map +1 -1
- package/dist/client.js +174 -72
- package/dist/client.js.map +1 -1
- package/dist/control.d.ts +36 -0
- package/dist/control.d.ts.map +1 -0
- package/dist/control.js +152 -0
- package/dist/control.js.map +1 -0
- package/dist/ensure.d.ts +74 -0
- package/dist/ensure.d.ts.map +1 -0
- package/dist/ensure.js +256 -0
- package/dist/ensure.js.map +1 -0
- package/dist/errors.d.ts +1 -1
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js.map +1 -1
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3 -1
- package/dist/index.js.map +1 -1
- package/dist/types.d.ts +152 -73
- package/dist/types.d.ts.map +1 -1
- package/package.json +4 -4
package/dist/client.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import type {
|
|
1
|
+
import type { AuthorityRecord, AuthorityRecordQuery, Application, ApplicationInput, ApplicationPatchInput, AdminAuditEvent, AdminAuditQuery, AuditDetail, AuditEvent, AuditQuery, DCRInput, DecisionTrace, Delegation, DelegationImpact, DelegationTraversal, EffectiveAuthority, Grant, GrantInput, GrantQuery, SubjectIssuer, SubjectIssuerInput, SubjectIssuerPatch, Policy, PolicyInput, PolicySet, PolicySetActivationStatus, PolicySetSimulation, PolicySetVersion, PolicyTemplate, PolicyValidation, PolicyVersion, Provider, ProviderConnection, ProviderConnectionAuthorize, ProviderConnectionAuthorizeInput, ProviderConnectionInput, ProviderConnectionRevokeInput, ProviderInput, ProviderPatchInput, Resource, ResourceInput, Session, SessionQuery, SubjectRevokeInput, SubjectRevokeResult, StepUpChallenge, StepUpDecision, Workload, WorkloadUpdateInput, Zone, ZoneDcrStatus, ZoneInput, ZonePatchInput } from './types.js';
|
|
2
2
|
export interface AdminClientOptions {
|
|
3
3
|
apiUrl: string;
|
|
4
4
|
coordinatorUrl?: string;
|
|
@@ -23,6 +23,7 @@ export declare class AdminClient {
|
|
|
23
23
|
constructor(opts: AdminClientOptions);
|
|
24
24
|
withDefaultHeaders(headers: Record<string, string>): AdminClient;
|
|
25
25
|
private request;
|
|
26
|
+
private listAll;
|
|
26
27
|
zones: {
|
|
27
28
|
list: () => Promise<Zone[]>;
|
|
28
29
|
get: (id: string) => Promise<Zone>;
|
|
@@ -37,6 +38,9 @@ export declare class AdminClient {
|
|
|
37
38
|
create: (zoneId: string, input: ApplicationInput) => Promise<Application>;
|
|
38
39
|
patch: (zoneId: string, id: string, input: ApplicationPatchInput) => Promise<Application>;
|
|
39
40
|
rotateSecret: (zoneId: string, id: string) => Promise<Application>;
|
|
41
|
+
getClientSecret: (zoneId: string, id: string) => Promise<{
|
|
42
|
+
client_secret: string;
|
|
43
|
+
}>;
|
|
40
44
|
delete: (zoneId: string, id: string) => Promise<void>;
|
|
41
45
|
dcr: (zoneId: string, input: DCRInput) => Promise<Application>;
|
|
42
46
|
};
|
|
@@ -63,8 +67,8 @@ export declare class AdminClient {
|
|
|
63
67
|
version_id: string;
|
|
64
68
|
version: PolicyVersion;
|
|
65
69
|
}>;
|
|
66
|
-
validate: (content: string
|
|
67
|
-
addVersion: (zoneId: string, id: string, content: string
|
|
70
|
+
validate: (content: string) => Promise<PolicyValidation>;
|
|
71
|
+
addVersion: (zoneId: string, id: string, content: string) => Promise<PolicyVersion & {
|
|
68
72
|
version_id: string;
|
|
69
73
|
}>;
|
|
70
74
|
delete: (zoneId: string, id: string) => Promise<void>;
|
|
@@ -79,15 +83,18 @@ export declare class AdminClient {
|
|
|
79
83
|
create: (zoneId: string, name: string, description?: string) => Promise<PolicySet>;
|
|
80
84
|
addVersion: (zoneId: string, id: string, manifest: {
|
|
81
85
|
policy_version_id: string;
|
|
82
|
-
}[]
|
|
86
|
+
}[]) => Promise<PolicySetVersion & {
|
|
83
87
|
version_id: string;
|
|
84
88
|
}>;
|
|
89
|
+
listVersions: (zoneId: string, id: string) => Promise<PolicySetVersion[]>;
|
|
85
90
|
simulate: (zoneId: string, id: string, versionId: string, input?: Record<string, unknown>) => Promise<PolicySetSimulation>;
|
|
86
|
-
activate: (zoneId: string, id: string, versionId: string
|
|
91
|
+
activate: (zoneId: string, id: string, versionId: string) => Promise<{
|
|
87
92
|
activated: boolean;
|
|
88
93
|
version_id: string;
|
|
89
|
-
|
|
94
|
+
outbox_id: string;
|
|
95
|
+
status_url: string;
|
|
90
96
|
}>;
|
|
97
|
+
activationStatus: (zoneId: string, id: string, versionId?: string, outboxId?: string) => Promise<PolicySetActivationStatus>;
|
|
91
98
|
delete: (zoneId: string, id: string) => Promise<void>;
|
|
92
99
|
};
|
|
93
100
|
grants: {
|
|
@@ -96,16 +103,53 @@ export declare class AdminClient {
|
|
|
96
103
|
create: (zoneId: string, input: GrantInput) => Promise<Grant>;
|
|
97
104
|
revoke: (zoneId: string, id: string) => Promise<void>;
|
|
98
105
|
};
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
106
|
+
subjectIssuers: {
|
|
107
|
+
list: (zoneId: string) => Promise<SubjectIssuer[]>;
|
|
108
|
+
get: (zoneId: string, id: string) => Promise<SubjectIssuer>;
|
|
109
|
+
create: (zoneId: string, input: SubjectIssuerInput) => Promise<SubjectIssuer>;
|
|
110
|
+
patch: (zoneId: string, id: string, input: SubjectIssuerPatch) => Promise<SubjectIssuer>;
|
|
111
|
+
delete: (zoneId: string, id: string) => Promise<void>;
|
|
112
|
+
};
|
|
113
|
+
providerConnections: {
|
|
114
|
+
create: (zoneId: string, input: ProviderConnectionInput) => Promise<ProviderConnection>;
|
|
115
|
+
authorizeOAuth: (zoneId: string, input: ProviderConnectionAuthorizeInput) => Promise<ProviderConnectionAuthorize>;
|
|
116
|
+
revoke: (zoneId: string, input: ProviderConnectionRevokeInput) => Promise<ProviderConnection>;
|
|
117
|
+
};
|
|
118
|
+
workloads: {
|
|
119
|
+
list: (zoneId: string) => Promise<Workload[]>;
|
|
120
|
+
get: (zoneId: string, id: string) => Promise<Workload>;
|
|
121
|
+
create: (zoneId: string, input: {
|
|
122
|
+
name: string;
|
|
123
|
+
}) => Promise<Workload & {
|
|
124
|
+
secret: string;
|
|
125
|
+
}>;
|
|
126
|
+
update: (zoneId: string, id: string, input: WorkloadUpdateInput) => Promise<Workload>;
|
|
127
|
+
rotateSecret: (zoneId: string, id: string) => Promise<Workload & {
|
|
128
|
+
secret: string;
|
|
129
|
+
}>;
|
|
130
|
+
getSecret: (zoneId: string, id: string) => Promise<{
|
|
131
|
+
secret: string;
|
|
132
|
+
}>;
|
|
133
|
+
delete: (zoneId: string, id: string) => Promise<void>;
|
|
134
|
+
};
|
|
135
|
+
authorityRecords: {
|
|
136
|
+
list: (zoneId: string, query?: AuthorityRecordQuery) => Promise<AuthorityRecord[]>;
|
|
137
|
+
};
|
|
138
|
+
subjects: {
|
|
139
|
+
revoke: (zoneId: string, input: SubjectRevokeInput) => Promise<SubjectRevokeResult>;
|
|
103
140
|
};
|
|
104
141
|
sessions: {
|
|
105
142
|
list: (zoneId: string, query?: SessionQuery) => Promise<Session[]>;
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
143
|
+
get: (zoneId: string, sessionId: string) => Promise<Session>;
|
|
144
|
+
children: (zoneId: string, sessionId: string, query?: SessionQuery) => Promise<Session[]>;
|
|
145
|
+
suspend: (zoneId: string, sessionId: string) => Promise<{
|
|
146
|
+
suspended: true;
|
|
147
|
+
}>;
|
|
148
|
+
resume: (zoneId: string, sessionId: string) => Promise<{
|
|
149
|
+
resumed: true;
|
|
150
|
+
}>;
|
|
151
|
+
terminate: (zoneId: string, sessionId: string) => Promise<void>;
|
|
152
|
+
effectiveAuthority: (zoneId: string, sessionId: string) => Promise<EffectiveAuthority>;
|
|
109
153
|
};
|
|
110
154
|
audit: {
|
|
111
155
|
list: (zoneId: string, query?: AuditQuery) => Promise<AuditEvent[]>;
|
|
@@ -118,32 +162,20 @@ export declare class AdminClient {
|
|
|
118
162
|
stepUpChallenges: {
|
|
119
163
|
list: (zoneId: string) => Promise<StepUpChallenge[]>;
|
|
120
164
|
get: (zoneId: string, id: string) => Promise<StepUpChallenge>;
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
agents: {
|
|
124
|
-
list: (zoneId: string, query?: AgentListQuery) => Promise<AgentSession[]>;
|
|
125
|
-
get: (zoneId: string, id: string) => Promise<AgentSession>;
|
|
126
|
-
children: (zoneId: string, id: string, query?: AgentListQuery) => Promise<AgentSession[]>;
|
|
127
|
-
suspend: (zoneId: string, id: string) => Promise<{
|
|
128
|
-
suspended: true;
|
|
129
|
-
}>;
|
|
130
|
-
resume: (zoneId: string, id: string) => Promise<{
|
|
131
|
-
resumed: true;
|
|
132
|
-
}>;
|
|
133
|
-
terminate: (zoneId: string, id: string) => Promise<void>;
|
|
134
|
-
effectiveAuthority: (zoneId: string, id: string) => Promise<EffectiveAuthority>;
|
|
165
|
+
approve: (zoneId: string, id: string, reason?: string) => Promise<StepUpDecision>;
|
|
166
|
+
reject: (zoneId: string, id: string, reason?: string) => Promise<StepUpDecision>;
|
|
135
167
|
};
|
|
136
168
|
delegations: {
|
|
137
169
|
active: (zoneId: string) => Promise<{
|
|
138
|
-
items:
|
|
170
|
+
items: Delegation[];
|
|
139
171
|
next_cursor: string | null;
|
|
140
172
|
}>;
|
|
141
|
-
inbound: (zoneId: string, sessionId: string) => Promise<
|
|
142
|
-
outbound: (zoneId: string, sessionId: string) => Promise<
|
|
143
|
-
traverse: (zoneId: string,
|
|
144
|
-
impact: (zoneId: string,
|
|
145
|
-
revoke: (zoneId: string,
|
|
146
|
-
|
|
173
|
+
inbound: (zoneId: string, sessionId: string) => Promise<Delegation[]>;
|
|
174
|
+
outbound: (zoneId: string, sessionId: string) => Promise<Delegation[]>;
|
|
175
|
+
traverse: (zoneId: string, delegationId: string) => Promise<DelegationTraversal[]>;
|
|
176
|
+
impact: (zoneId: string, delegationId: string) => Promise<DelegationImpact>;
|
|
177
|
+
revoke: (zoneId: string, delegationId: string) => Promise<{
|
|
178
|
+
revoked_delegations: number;
|
|
147
179
|
affected_sessions: number;
|
|
148
180
|
}>;
|
|
149
181
|
};
|
package/dist/client.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,eAAe,EACf,oBAAoB,EACpB,WAAW,EACX,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,EACf,eAAe,EACf,WAAW,EACX,UAAU,EACV,UAAU,EACV,QAAQ,EACR,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,KAAK,EACL,UAAU,EACV,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,kBAAkB,EAClB,MAAM,EACN,WAAW,EACX,SAAS,EACT,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,QAAQ,EACR,kBAAkB,EAClB,2BAA2B,EAC3B,gCAAgC,EAChC,uBAAuB,EACvB,6BAA6B,EAC7B,aAAa,EACb,kBAAkB,EAClB,QAAQ,EACR,aAAa,EACb,OAAO,EACP,YAAY,EACZ,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EACf,cAAc,EACd,QAAQ,EACR,mBAAmB,EACnB,IAAI,EACJ,aAAa,EACb,SAAS,EACT,cAAc,EACf,MAAM,YAAY,CAAA;AAEnB,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,EAAE,MAAM,CAAA;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACxB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,WAAW,CAAA;IAGpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACjC;AAkGD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAQ;IACnC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAoB;IACrD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAQ;IAChC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAyB;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoC;gBAEvD,IAAI,EAAE,kBAAkB;IAepC,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,WAAW;YAclD,OAAO;YAyEP,OAAO;IAcrB,KAAK;;kBAEO,MAAM;wBACA,MAAM;wBACN,SAAS;oBACb,MAAM,SAAS,cAAc;qBAC5B,MAAM;MACpB;IAGD,YAAY;uBACK,MAAM;sBACP,MAAM,MAAM,MAAM;yBACf,MAAM,SAAS,gBAAgB;wBAEhC,MAAM,MAAM,MAAM,SAAS,qBAAqB;+BAIzC,MAAM,MAAM,MAAM;kCAIf,MAAM,MAAM,MAAM;2BACZ,MAAM;;yBACrB,MAAM,MAAM,MAAM;sBAOrB,MAAM,SAAS,QAAQ;MAEtC;IAGD,SAAS;uBACQ,MAAM;sBACP,MAAM,MAAM,MAAM;yBACf,MAAM,SAAS,aAAa;wBAK7B,MAAM,MAAM,MAAM,SAAS,OAAO,CAAC,aAAa,CAAC;yBAKhD,MAAM,MAAM,MAAM;MAEpC;IAGD,SAAS;uBACQ,MAAM;sBACP,MAAM,MAAM,MAAM;yBACf,MAAM,SAAS,aAAa;wBAE7B,MAAM,MAAM,MAAM,SAAS,kBAAkB;yBAE5C,MAAM,MAAM,MAAM;MAEpC;IAGD,QAAQ;uBACS,MAAM;sBACP,MAAM,MAAM,MAAM;sBAAuC,aAAa,EAAE;;yBACrE,MAAM,SAAS,WAAW;wBACL,MAAM;qBAAW,aAAa;;4BAIhD,MAAM;6BAKL,MAAM,MAAM,MAAM,WAAW,MAAM;wBACX,MAAM;;yBAIlC,MAAM,MAAM,MAAM;MAEpC;IAED,eAAe;;kBAEG,MAAM;MAMvB;IAGD,UAAU;uBACO,MAAM;sBACP,MAAM,MAAM,MAAM;yBACf,MAAM,QAAQ,MAAM,gBAAgB,MAAM;6BAKtC,MAAM,MAAM,MAAM,YAAY;YAAE,iBAAiB,EAAE,MAAM,CAAA;SAAE,EAAE;wBAClC,MAAM;;+BAI/B,MAAM,MAAM,MAAM;2BAEtB,MAAM,MAAM,MAAM,aAAa,MAAM,UAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;2BAKtE,MAAM,MAAM,MAAM,aAAa,MAAM;uBAC5B,OAAO;wBAAc,MAAM;uBAAa,MAAM;wBAAc,MAAM;;mCAInE,MAAM,MAAM,MAAM,cAAc,MAAM,aAAa,MAAM;yBAOnE,MAAM,MAAM,MAAM;MAEpC;IAGD,MAAM;uBACW,MAAM,UAAU,UAAU;sBAC3B,MAAM,MAAM,MAAM;yBACf,MAAM,SAAS,UAAU;yBACzB,MAAM,MAAM,MAAM;MACpC;IAED,cAAc;uBACG,MAAM;sBACP,MAAM,MAAM,MAAM;yBACf,MAAM,SAAS,kBAAkB;wBAElC,MAAM,MAAM,MAAM,SAAS,kBAAkB;yBAE5C,MAAM,MAAM,MAAM;MAEpC;IAED,mBAAmB;yBACA,MAAM,SAAS,uBAAuB;iCAE9B,MAAM,SAAS,gCAAgC;yBAKvD,MAAM,SAAS,6BAA6B;MAE9D;IAGD,SAAS;uBACQ,MAAM;sBACP,MAAM,MAAM,MAAM;yBAGf,MAAM,SAAS;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE;oBACZ,MAAM;;yBACzB,MAAM,MAAM,MAAM,SAAS,mBAAmB;+BAIxC,MAAM,MAAM,MAAM;oBACL,MAAM;;4BAGtB,MAAM,MAAM,MAAM;oBAA4B,MAAM;;yBACvD,MAAM,MAAM,MAAM;MAEpC;IAGD,gBAAgB;uBACO,MAAM,UAAU,oBAAoB;MAK1D;IAMD,QAAQ;yBACW,MAAM,SAAS,kBAAkB;MAEnD;IAGD,QAAQ;uBACe,MAAM,UAAU,YAAY;sBAK7B,MAAM,aAAa,MAAM;2BAEpB,MAAM,aAAa,MAAM,UAAU,YAAY;0BAQtD,MAAM,aAAa,MAAM;uBACf,IAAI;;yBACf,MAAM,aAAa,MAAM;qBAChB,IAAI;;4BACV,MAAM,aAAa,MAAM;qCAEV,MAAM,aAAa,MAAM;MAI7D;IAGD,KAAK;uBACkB,MAAM,UAAU,UAAU;4BAK3B,MAAM,aAAa,MAAM;0BAC3B,MAAM,aAAa,MAAM;MAE5C;IAED,UAAU;uBACa,MAAM,UAAU,eAAe;MAKrD;IAED,gBAAgB;uBACC,MAAM;sBACP,MAAM,MAAM,MAAM;0BACd,MAAM,MAAM,MAAM,WAAW,MAAM;yBAKpC,MAAM,MAAM,MAAM,WAAW,MAAM;MAKrD;IAGD,WAAW;yBACc,MAAM;;yBAnelB,MAAM,GAAG,IAAI;;0BAyeA,MAAM,aAAa,MAAM;2BAIxB,MAAM,aAAa,MAAM;2BAIzB,MAAM,gBAAgB,MAAM;yBAI9B,MAAM,gBAAgB,MAAM;yBAI5B,MAAM,gBAAgB,MAAM;;;;MAOpD;CACF"}
|
package/dist/client.js
CHANGED
|
@@ -1,11 +1,50 @@
|
|
|
1
1
|
// Copyright (C) 2026 Garudex Labs. All Rights Reserved.
|
|
2
2
|
// Caracal, a product of Garudex Labs
|
|
3
3
|
//
|
|
4
|
-
// AdminClient: typed wrapper over the Caracal
|
|
4
|
+
// AdminClient: typed wrapper over the Caracal Admin API and Coordinator.
|
|
5
5
|
import { AdminApiError } from './errors.js';
|
|
6
6
|
const DEFAULT_TIMEOUT_MS = 30_000;
|
|
7
7
|
const DEFAULT_RETRIES = 3;
|
|
8
8
|
const MAX_RETRY_AFTER_MS = 30_000;
|
|
9
|
+
const MAX_LIST_PAGES = 50;
|
|
10
|
+
function mapSession(row) {
|
|
11
|
+
const { agent_session_id, parent_id, subject_authority_record_id, ...rest } = row;
|
|
12
|
+
return {
|
|
13
|
+
...rest,
|
|
14
|
+
session_id: String(agent_session_id),
|
|
15
|
+
parent_session_id: parent_id === null ? null : String(parent_id),
|
|
16
|
+
authority_record_id: String(subject_authority_record_id),
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
function mapEffectiveAuthority(row) {
|
|
20
|
+
const { agent_session_id, inbound_edges, ...rest } = row;
|
|
21
|
+
return {
|
|
22
|
+
...rest,
|
|
23
|
+
session_id: String(agent_session_id),
|
|
24
|
+
inbound_delegations: Array.isArray(inbound_edges) ? inbound_edges : [],
|
|
25
|
+
};
|
|
26
|
+
}
|
|
27
|
+
function mapDelegationImpact(row) {
|
|
28
|
+
const { edge_id, affected_edges, affected_agents, ...rest } = row;
|
|
29
|
+
return {
|
|
30
|
+
...rest,
|
|
31
|
+
delegation_id: String(edge_id),
|
|
32
|
+
affected_delegations: Array.isArray(affected_edges) ? affected_edges.map(mapDelegationTraversal) : [],
|
|
33
|
+
affected_sessions: Array.isArray(affected_agents) ? affected_agents : [],
|
|
34
|
+
};
|
|
35
|
+
}
|
|
36
|
+
function mapDelegation(row) {
|
|
37
|
+
const { id, parent_edge_id, ...rest } = row;
|
|
38
|
+
return {
|
|
39
|
+
...rest,
|
|
40
|
+
delegation_id: String(id),
|
|
41
|
+
parent_delegation_id: parent_edge_id === null ? null : String(parent_edge_id),
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
function mapDelegationTraversal(row) {
|
|
45
|
+
const { id, ...rest } = row;
|
|
46
|
+
return { ...rest, delegation_id: String(id) };
|
|
47
|
+
}
|
|
9
48
|
function grantListQuery(query) {
|
|
10
49
|
if (!query)
|
|
11
50
|
return undefined;
|
|
@@ -150,9 +189,26 @@ export class AdminClient {
|
|
|
150
189
|
}
|
|
151
190
|
throw lastErr ?? new Error('admin_request_exhausted');
|
|
152
191
|
}
|
|
192
|
+
// Drains a keyset-paginated collection by following next_cursor until exhausted, so a
|
|
193
|
+
// list is the complete collection rather than a silently truncated first page. The page
|
|
194
|
+
// cap bounds the walk against a server bug that never terminates the cursor chain.
|
|
195
|
+
async listAll(path, label, query) {
|
|
196
|
+
const items = [];
|
|
197
|
+
let cursor;
|
|
198
|
+
for (let page = 0; page < MAX_LIST_PAGES; page++) {
|
|
199
|
+
const response = await this.request(path, { query: { ...query, cursor } });
|
|
200
|
+
if (!Array.isArray(response.items))
|
|
201
|
+
throw new Error(`${label} response missing items`);
|
|
202
|
+
items.push(...response.items);
|
|
203
|
+
if (!response.next_cursor)
|
|
204
|
+
return items;
|
|
205
|
+
cursor = response.next_cursor;
|
|
206
|
+
}
|
|
207
|
+
throw new Error(`${label} pagination did not terminate`);
|
|
208
|
+
}
|
|
153
209
|
// Zones
|
|
154
210
|
zones = {
|
|
155
|
-
list: () => this.
|
|
211
|
+
list: () => this.listAll('/v1/zones', 'zones'),
|
|
156
212
|
get: (id) => this.request(`/v1/zones/${id}`),
|
|
157
213
|
dcrStatus: (id) => this.request(`/v1/zones/${id}/dcr-status`),
|
|
158
214
|
create: (input) => this.request('/v1/zones', { method: 'POST', body: input }),
|
|
@@ -161,12 +217,16 @@ export class AdminClient {
|
|
|
161
217
|
};
|
|
162
218
|
// Applications
|
|
163
219
|
applications = {
|
|
164
|
-
list: (zoneId) => this.
|
|
220
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/applications`, 'applications'),
|
|
165
221
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/applications/${id}`),
|
|
166
222
|
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/applications`, { method: 'POST', body: input }),
|
|
167
223
|
patch: (zoneId, id, input) => this.request(`/v1/zones/${zoneId}/applications/${id}`, { method: 'PATCH', body: input }),
|
|
168
|
-
// Rotates the credential server-side; the response carries the
|
|
224
|
+
// Rotates the credential server-side; the response carries the plaintext secret and
|
|
225
|
+
// the sealed custody copy in the Secret Store is replaced with it.
|
|
169
226
|
rotateSecret: (zoneId, id) => this.request(`/v1/zones/${zoneId}/applications/${id}/rotate-secret`, { method: 'POST' }),
|
|
227
|
+
// Retrieves the client secret from Secret Store custody. Every call is recorded
|
|
228
|
+
// in the zone audit timeline as a credential reveal.
|
|
229
|
+
getClientSecret: (zoneId, id) => this.request(`/v1/zones/${zoneId}/applications/${id}/client-secret`),
|
|
170
230
|
delete: (zoneId, id) => this.request(`/v1/zones/${zoneId}/applications/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
171
231
|
// DCR (Dynamic Client Registration) is the sole programmatic path for minting
|
|
172
232
|
// short-lived self-registering client identities. Caracal does not create DCR
|
|
@@ -177,7 +237,7 @@ export class AdminClient {
|
|
|
177
237
|
};
|
|
178
238
|
// Resources
|
|
179
239
|
resources = {
|
|
180
|
-
list: (zoneId) => this.
|
|
240
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/resources`, 'resources'),
|
|
181
241
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/resources/${id}`),
|
|
182
242
|
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/resources`, {
|
|
183
243
|
method: 'POST',
|
|
@@ -191,7 +251,7 @@ export class AdminClient {
|
|
|
191
251
|
};
|
|
192
252
|
// Providers
|
|
193
253
|
providers = {
|
|
194
|
-
list: (zoneId) => this.
|
|
254
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/providers`, 'providers'),
|
|
195
255
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/providers/${id}`),
|
|
196
256
|
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/providers`, { method: 'POST', body: input }),
|
|
197
257
|
patch: (zoneId, id, input) => this.request(`/v1/zones/${zoneId}/providers/${id}`, { method: 'PATCH', body: input }),
|
|
@@ -199,19 +259,19 @@ export class AdminClient {
|
|
|
199
259
|
};
|
|
200
260
|
// Policies (immutable Rego versions)
|
|
201
261
|
policies = {
|
|
202
|
-
list: (zoneId) => this.
|
|
262
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/policies`, 'policies'),
|
|
203
263
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/policies/${id}`),
|
|
204
264
|
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/policies`, {
|
|
205
265
|
method: 'POST',
|
|
206
266
|
body: input,
|
|
207
267
|
}),
|
|
208
|
-
validate: (content
|
|
268
|
+
validate: (content) => this.request('/v1/policies/validate', {
|
|
209
269
|
method: 'POST',
|
|
210
|
-
body: { content
|
|
270
|
+
body: { content },
|
|
211
271
|
}),
|
|
212
|
-
addVersion: (zoneId, id, content
|
|
272
|
+
addVersion: (zoneId, id, content) => this.request(`/v1/zones/${zoneId}/policies/${id}/versions`, {
|
|
213
273
|
method: 'POST',
|
|
214
|
-
body: { content
|
|
274
|
+
body: { content },
|
|
215
275
|
}),
|
|
216
276
|
delete: (zoneId, id) => this.request(`/v1/zones/${zoneId}/policies/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
217
277
|
};
|
|
@@ -227,61 +287,114 @@ export class AdminClient {
|
|
|
227
287
|
};
|
|
228
288
|
// Policy sets
|
|
229
289
|
policySets = {
|
|
230
|
-
list: (zoneId) => this.
|
|
290
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/policy-sets`, 'policy sets'),
|
|
231
291
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}`),
|
|
232
292
|
create: (zoneId, name, description) => this.request(`/v1/zones/${zoneId}/policy-sets`, {
|
|
233
293
|
method: 'POST',
|
|
234
294
|
body: { name, description },
|
|
235
295
|
}),
|
|
236
|
-
addVersion: (zoneId, id, manifest
|
|
296
|
+
addVersion: (zoneId, id, manifest) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}/versions`, {
|
|
237
297
|
method: 'POST',
|
|
238
|
-
body: { manifest
|
|
298
|
+
body: { manifest },
|
|
239
299
|
}),
|
|
300
|
+
listVersions: (zoneId, id) => this.listAll(`/v1/zones/${zoneId}/policy-sets/${id}/versions`, 'policy set versions'),
|
|
240
301
|
simulate: (zoneId, id, versionId, input) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}/simulate`, {
|
|
241
302
|
method: 'POST',
|
|
242
303
|
body: { version_id: versionId, input },
|
|
243
304
|
}),
|
|
244
|
-
activate: (zoneId, id, versionId
|
|
305
|
+
activate: (zoneId, id, versionId) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}/activate`, { method: 'POST', body: { version_id: versionId } }),
|
|
306
|
+
activationStatus: (zoneId, id, versionId, outboxId) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}/activation-status`, {
|
|
307
|
+
query: {
|
|
308
|
+
...(versionId ? { version_id: versionId } : {}),
|
|
309
|
+
...(outboxId ? { outbox_id: outboxId } : {}),
|
|
310
|
+
},
|
|
311
|
+
}),
|
|
245
312
|
delete: (zoneId, id) => this.request(`/v1/zones/${zoneId}/policy-sets/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
246
313
|
};
|
|
247
314
|
// Grants
|
|
248
315
|
grants = {
|
|
249
|
-
list: (zoneId, query) => this.
|
|
316
|
+
list: (zoneId, query) => this.listAll(`/v1/zones/${zoneId}/grants`, 'grants', grantListQuery(query)),
|
|
250
317
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/grants/${id}`),
|
|
251
318
|
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/grants`, { method: 'POST', body: input }),
|
|
252
319
|
revoke: (zoneId, id) => this.request(`/v1/zones/${zoneId}/grants/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
253
320
|
};
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
321
|
+
subjectIssuers = {
|
|
322
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/subject-issuers`, 'subject issuers'),
|
|
323
|
+
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/subject-issuers/${id}`),
|
|
324
|
+
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/subject-issuers`, { method: 'POST', body: input }),
|
|
325
|
+
patch: (zoneId, id, input) => this.request(`/v1/zones/${zoneId}/subject-issuers/${id}`, { method: 'PATCH', body: input }),
|
|
326
|
+
delete: (zoneId, id) => this.request(`/v1/zones/${zoneId}/subject-issuers/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
258
327
|
};
|
|
259
|
-
|
|
260
|
-
|
|
328
|
+
providerConnections = {
|
|
329
|
+
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/provider-connections`, { method: 'POST', body: input }),
|
|
330
|
+
authorizeOAuth: (zoneId, input) => this.request(`/v1/zones/${zoneId}/provider-connections/oauth/authorize`, {
|
|
331
|
+
method: 'POST',
|
|
332
|
+
body: input,
|
|
333
|
+
}),
|
|
334
|
+
revoke: (zoneId, input) => this.request(`/v1/zones/${zoneId}/provider-connections/revoke`, { method: 'POST', body: input }),
|
|
335
|
+
};
|
|
336
|
+
// Workloads (launcher identities and their credential bindings for caracal run)
|
|
337
|
+
workloads = {
|
|
338
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/workloads`, 'workloads'),
|
|
339
|
+
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/workloads/${id}`),
|
|
340
|
+
// The response carries the plaintext workload secret; a sealed custody copy stays
|
|
341
|
+
// retrievable through getSecret.
|
|
342
|
+
create: (zoneId, input) => this.request(`/v1/zones/${zoneId}/workloads`, { method: 'POST', body: input }),
|
|
343
|
+
update: (zoneId, id, input) => this.request(`/v1/zones/${zoneId}/workloads/${id}`, { method: 'PUT', body: input }),
|
|
344
|
+
// Rotates the credential server-side; the response carries the plaintext secret and
|
|
345
|
+
// the sealed custody copy in the Secret Store is replaced with it.
|
|
346
|
+
rotateSecret: (zoneId, id) => this.request(`/v1/zones/${zoneId}/workloads/${id}/rotate-secret`, { method: 'POST' }),
|
|
347
|
+
// Retrieves the workload secret from Secret Store custody. Every call is recorded
|
|
348
|
+
// in the zone audit timeline as a credential reveal.
|
|
349
|
+
getSecret: (zoneId, id) => this.request(`/v1/zones/${zoneId}/workloads/${id}/secret`),
|
|
350
|
+
delete: (zoneId, id) => this.request(`/v1/zones/${zoneId}/workloads/${id}`, { method: 'DELETE', expectEmpty: true }),
|
|
351
|
+
};
|
|
352
|
+
// Authority records issued by STS. Revocation is performed through the owning authority operation.
|
|
353
|
+
authorityRecords = {
|
|
261
354
|
list: async (zoneId, query) => {
|
|
262
|
-
const response = await this.request(`/v1/zones/${zoneId}/
|
|
263
|
-
if (!Array.isArray(response.
|
|
264
|
-
throw new Error('
|
|
265
|
-
return response.
|
|
355
|
+
const response = await this.request(`/v1/zones/${zoneId}/authority-records`, { query: { ...query } });
|
|
356
|
+
if (!Array.isArray(response.items))
|
|
357
|
+
throw new Error('authority-records response missing items');
|
|
358
|
+
return response.items;
|
|
266
359
|
},
|
|
267
360
|
};
|
|
268
|
-
//
|
|
269
|
-
//
|
|
270
|
-
|
|
361
|
+
// Subjects: the kill switch. One call cuts every authority path a subject
|
|
362
|
+
// holds - session records, governed sessions riding them, delegations, and
|
|
363
|
+
// provider connections - and feeds the revocation stream so in-flight
|
|
364
|
+
// mandates die before their exp. Idempotent.
|
|
365
|
+
subjects = {
|
|
366
|
+
revoke: (zoneId, input) => this.request(`/v1/zones/${zoneId}/subjects/revoke`, { method: 'POST', body: input }),
|
|
367
|
+
};
|
|
368
|
+
// Governed sessions. Reads use the Admin API; lifecycle operations map to Coordinator wire routes.
|
|
369
|
+
sessions = {
|
|
271
370
|
list: async (zoneId, query) => {
|
|
272
|
-
const response = await this.request(`/v1/zones/${zoneId}/
|
|
273
|
-
if (!Array.isArray(response.
|
|
274
|
-
throw new Error('
|
|
275
|
-
return response.
|
|
371
|
+
const response = await this.request(`/v1/zones/${zoneId}/sessions`, { query: { ...query } });
|
|
372
|
+
if (!Array.isArray(response.items))
|
|
373
|
+
throw new Error('sessions response missing items');
|
|
374
|
+
return response.items;
|
|
375
|
+
},
|
|
376
|
+
get: async (zoneId, sessionId) => mapSession(await this.request(`/zones/${zoneId}/agents/${sessionId}`, { base: 'coordinator' })),
|
|
377
|
+
children: async (zoneId, sessionId, query) => {
|
|
378
|
+
const response = await this.request(`/zones/${zoneId}/agents/${sessionId}/children`, {
|
|
379
|
+
base: 'coordinator',
|
|
380
|
+
query: { ...query },
|
|
381
|
+
});
|
|
382
|
+
if (!Array.isArray(response.items))
|
|
383
|
+
throw new Error('session children response missing items');
|
|
384
|
+
return response.items.map(mapSession);
|
|
276
385
|
},
|
|
386
|
+
suspend: (zoneId, sessionId) => this.request(`/zones/${zoneId}/agents/${sessionId}/suspend`, { method: 'PATCH', base: 'coordinator' }),
|
|
387
|
+
resume: (zoneId, sessionId) => this.request(`/zones/${zoneId}/agents/${sessionId}/resume`, { method: 'PATCH', base: 'coordinator' }),
|
|
388
|
+
terminate: (zoneId, sessionId) => this.request(`/zones/${zoneId}/agents/${sessionId}`, { method: 'DELETE', base: 'coordinator', expectEmpty: true }),
|
|
389
|
+
effectiveAuthority: async (zoneId, sessionId) => mapEffectiveAuthority(await this.request(`/zones/${zoneId}/agents/${sessionId}/effective-authority`, { base: 'coordinator' })),
|
|
277
390
|
};
|
|
278
391
|
// Audit
|
|
279
392
|
audit = {
|
|
280
393
|
list: async (zoneId, query) => {
|
|
281
394
|
const response = await this.request(`/v1/zones/${zoneId}/audit`, { query: { ...query } });
|
|
282
|
-
if (!Array.isArray(response.
|
|
283
|
-
throw new Error('audit response missing
|
|
284
|
-
return response.
|
|
395
|
+
if (!Array.isArray(response.items))
|
|
396
|
+
throw new Error('audit response missing items');
|
|
397
|
+
return response.items;
|
|
285
398
|
},
|
|
286
399
|
byRequest: (zoneId, requestId) => this.request(`/v1/zones/${zoneId}/audit/by-request/${requestId}`),
|
|
287
400
|
explain: (zoneId, requestId) => this.request(`/v1/zones/${zoneId}/audit/by-request/${requestId}/explain`),
|
|
@@ -289,50 +402,39 @@ export class AdminClient {
|
|
|
289
402
|
adminAudit = {
|
|
290
403
|
list: async (zoneId, query) => {
|
|
291
404
|
const response = await this.request(`/v1/zones/${zoneId}/admin-audit`, { query: { ...query } });
|
|
292
|
-
if (!Array.isArray(response.
|
|
293
|
-
throw new Error('admin audit response missing
|
|
294
|
-
return response.
|
|
405
|
+
if (!Array.isArray(response.items))
|
|
406
|
+
throw new Error('admin audit response missing items');
|
|
407
|
+
return response.items;
|
|
295
408
|
},
|
|
296
409
|
};
|
|
297
410
|
stepUpChallenges = {
|
|
298
|
-
list: (zoneId) => this.
|
|
411
|
+
list: (zoneId) => this.listAll(`/v1/zones/${zoneId}/step-up-challenges`, 'step-up challenges'),
|
|
299
412
|
get: (zoneId, id) => this.request(`/v1/zones/${zoneId}/step-up-challenges/${id}`),
|
|
300
|
-
|
|
413
|
+
approve: (zoneId, id, reason) => this.request(`/v1/zones/${zoneId}/step-up-challenges/${id}/approve`, {
|
|
414
|
+
method: 'POST',
|
|
415
|
+
body: reason ? { reason } : {},
|
|
416
|
+
}),
|
|
417
|
+
reject: (zoneId, id, reason) => this.request(`/v1/zones/${zoneId}/step-up-challenges/${id}/reject`, {
|
|
418
|
+
method: 'POST',
|
|
419
|
+
body: reason ? { reason } : {},
|
|
420
|
+
}),
|
|
301
421
|
};
|
|
302
|
-
//
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
const response = await this.request(`/zones/${zoneId}/
|
|
306
|
-
if (!Array.isArray(response.items))
|
|
307
|
-
throw new Error('agents response missing items');
|
|
308
|
-
return response.items;
|
|
309
|
-
},
|
|
310
|
-
get: (zoneId, id) => this.request(`/zones/${zoneId}/agents/${id}`, { base: 'coordinator' }),
|
|
311
|
-
children: async (zoneId, id, query) => {
|
|
312
|
-
const response = await this.request(`/zones/${zoneId}/agents/${id}/children`, {
|
|
422
|
+
// Delegations (coordinator)
|
|
423
|
+
delegations = {
|
|
424
|
+
active: async (zoneId) => {
|
|
425
|
+
const response = await this.request(`/zones/${zoneId}/delegations/active`, {
|
|
313
426
|
base: 'coordinator',
|
|
314
|
-
query: { ...query },
|
|
315
427
|
});
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
428
|
+
return { ...response, items: response.items.map(mapDelegation) };
|
|
429
|
+
},
|
|
430
|
+
inbound: async (zoneId, sessionId) => (await this.request(`/zones/${zoneId}/delegations/inbound/${sessionId}`, { base: 'coordinator' })).map(mapDelegation),
|
|
431
|
+
outbound: async (zoneId, sessionId) => (await this.request(`/zones/${zoneId}/delegations/outbound/${sessionId}`, { base: 'coordinator' })).map(mapDelegation),
|
|
432
|
+
traverse: async (zoneId, delegationId) => (await this.request(`/zones/${zoneId}/delegations/${delegationId}/traverse`, { base: 'coordinator' })).map(mapDelegationTraversal),
|
|
433
|
+
impact: async (zoneId, delegationId) => mapDelegationImpact(await this.request(`/zones/${zoneId}/delegations/${delegationId}/impact`, { base: 'coordinator' })),
|
|
434
|
+
revoke: async (zoneId, delegationId) => {
|
|
435
|
+
const response = await this.request(`/zones/${zoneId}/delegations/${delegationId}/revoke`, { method: 'PATCH', base: 'coordinator' });
|
|
436
|
+
return { revoked_delegations: response.revoked_edges, affected_sessions: response.affected_sessions };
|
|
319
437
|
},
|
|
320
|
-
suspend: (zoneId, id) => this.request(`/zones/${zoneId}/agents/${id}/suspend`, { method: 'PATCH', base: 'coordinator' }),
|
|
321
|
-
resume: (zoneId, id) => this.request(`/zones/${zoneId}/agents/${id}/resume`, { method: 'PATCH', base: 'coordinator' }),
|
|
322
|
-
terminate: (zoneId, id) => this.request(`/zones/${zoneId}/agents/${id}`, { method: 'DELETE', base: 'coordinator', expectEmpty: true }),
|
|
323
|
-
effectiveAuthority: (zoneId, id) => this.request(`/zones/${zoneId}/agents/${id}/effective-authority`, { base: 'coordinator' }),
|
|
324
|
-
};
|
|
325
|
-
// Delegations (coordinator)
|
|
326
|
-
delegations = {
|
|
327
|
-
active: (zoneId) => this.request(`/zones/${zoneId}/delegations/active`, { base: 'coordinator' }),
|
|
328
|
-
inbound: (zoneId, sessionId) => this.request(`/zones/${zoneId}/delegations/inbound/${sessionId}`, { base: 'coordinator' }),
|
|
329
|
-
outbound: (zoneId, sessionId) => this.request(`/zones/${zoneId}/delegations/outbound/${sessionId}`, { base: 'coordinator' }),
|
|
330
|
-
traverse: (zoneId, id) => this.request(`/zones/${zoneId}/delegations/${id}/traverse`, { base: 'coordinator' }),
|
|
331
|
-
impact: (zoneId, id) => this.request(`/zones/${zoneId}/delegations/${id}/impact`, { base: 'coordinator' }),
|
|
332
|
-
revoke: (zoneId, id) => this.request(`/zones/${zoneId}/delegations/${id}/revoke`, {
|
|
333
|
-
method: 'PATCH',
|
|
334
|
-
base: 'coordinator',
|
|
335
|
-
}),
|
|
336
438
|
};
|
|
337
439
|
}
|
|
338
440
|
//# sourceMappingURL=client.js.map
|