npm - @clef-sh/agent - Versions diffs - 0.1.10 → 0.1.11-beta.66 - Mend

@clef-sh/agent 0.1.10 → 0.1.11-beta.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +118 -34
package/dist/agent.cjs +193 -143
package/dist/agent.cjs.map +4 -4
package/dist/initial-fetch.d.ts +12 -0
package/dist/initial-fetch.d.ts.map +1 -0
package/dist/initial-fetch.js +46 -0
package/dist/initial-fetch.js.map +1 -0
package/dist/main.js +8 -11
package/dist/main.js.map +1 -1
package/dist/server.d.ts.map +1 -1
package/dist/server.js +15 -3
package/dist/server.js.map +1 -1
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -1,36 +1,40 @@
 # @clef-sh/agent
-Sidecar secrets agent for [Clef](https://clef.sh). Wraps `@clef-sh/runtime` in an HTTP API that serves decrypted secrets on `127.0.0.1:7779`. Deploy as a sidecar container, a daemon process, or an AWS Lambda extension.
+Sidecar secrets agent for [Clef](https://clef.sh). Serves decrypted secrets over a localhost HTTP API (`127.0.0.1:7779`). Deploy as a container sidecar, a standalone daemon, or an AWS Lambda extension.
-## Install
+## Quick Start
+### Docker
 ```bash
-npm install @clef-sh/agent
+docker run --rm \
+  -e CLEF_AGENT_SOURCE=https://my-bucket.s3.amazonaws.com/clef/api-gateway/production.age.json \
+  -e CLEF_AGENT_AGE_KEY=AGE-SECRET-KEY-1... \
+  ghcr.io/clef-sh/agent:latest
 ```
-Or use the standalone binary (no Node.js required):
+In KMS envelope mode, no age key is needed — the container's IAM role provides `kms:Decrypt` permission:
 ```bash
-# Download from GitHub releases
-curl -Lo clef-agent https://github.com/clef-sh/clef/releases/latest/download/clef-agent-linux-x64
-chmod +x clef-agent
+docker run --rm \
+  -e CLEF_AGENT_SOURCE=https://my-bucket.s3.amazonaws.com/clef/api-gateway/production.age.json \
+  ghcr.io/clef-sh/agent:latest
 ```
-## Usage
+### Standalone Binary
 ```bash
-# Point at an HTTP artifact source (S3, CDN, broker URL)
+curl -Lo clef-agent https://github.com/clef-sh/clef/releases/latest/download/clef-agent-linux-x64
+chmod +x clef-agent
 export CLEF_AGENT_SOURCE=https://my-bucket.s3.amazonaws.com/clef/api-gateway/production.age.json
-export CLEF_AGENT_TOKEN=$(openssl rand -hex 32)
-clef-agent
-# Listening on http://127.0.0.1:7779
+./clef-agent
 ```
-Your application reads secrets via HTTP:
+### npm
 ```bash
-curl -H "Authorization: Bearer $CLEF_AGENT_TOKEN" http://127.0.0.1:7779/v1/secrets
+npm install @clef-sh/agent
+npx clef-agent
 ```
 ## API
@@ -43,36 +47,116 @@ curl -H "Authorization: Bearer $CLEF_AGENT_TOKEN" http://127.0.0.1:7779/v1/secre
 | `GET /v1/secrets/:key` | Bearer | Single secret by key                               |
 | `GET /v1/keys`         | Bearer | List available key names                           |
+```bash
+curl -H "Authorization: Bearer $CLEF_AGENT_TOKEN" http://127.0.0.1:7779/v1/secrets
+```
+## Configuration
+All configuration is via environment variables. Provide either `SOURCE` (HTTP URL or file path) or the `VCS_*` fields to tell the agent where to fetch the packed artifact.
+### Artifact Source
+| Variable                     | Default | Description                                    |
+| ---------------------------- | ------- | ---------------------------------------------- |
+| `CLEF_AGENT_SOURCE`          | —       | HTTP URL or file path to a packed artifact     |
+| `CLEF_AGENT_VCS_PROVIDER`    | —       | VCS provider (`github`, `gitlab`, `bitbucket`) |
+| `CLEF_AGENT_VCS_REPO`        | —       | Repository (`org/repo`)                        |
+| `CLEF_AGENT_VCS_TOKEN`       | —       | VCS authentication token                       |
+| `CLEF_AGENT_VCS_IDENTITY`    | —       | Service identity name                          |
+| `CLEF_AGENT_VCS_ENVIRONMENT` | —       | Target environment                             |
+| `CLEF_AGENT_VCS_REF`         | —       | Git ref (branch/tag/sha)                       |
+| `CLEF_AGENT_VCS_API_URL`     | —       | Custom VCS API base URL                        |
+### Decryption
+| Variable                  | Default | Description            |
+| ------------------------- | ------- | ---------------------- |
+| `CLEF_AGENT_AGE_KEY`      | —       | Inline age private key |
+| `CLEF_AGENT_AGE_KEY_FILE` | —       | Path to age key file   |
+Not needed for KMS envelope artifacts — the container's IAM role provides `kms:Decrypt` permission on the envelope key.
+### Server
+| Variable           | Default        | Description               |
+| ------------------ | -------------- | ------------------------- |
+| `CLEF_AGENT_PORT`  | `7779`         | HTTP listen port          |
+| `CLEF_AGENT_TOKEN` | auto-generated | Bearer token for API auth |
+| `CLEF_AGENT_ID`    | auto-generated | Unique agent instance ID  |
+### Cache and Reliability
+| Variable                | Default | Description                                                                                            |
+| ----------------------- | ------- | ------------------------------------------------------------------------------------------------------ |
+| `CLEF_AGENT_CACHE_TTL`  | `300`   | Max seconds to serve without a successful refresh. Set to `0` for JIT mode (decrypt on every request). |
+| `CLEF_AGENT_CACHE_PATH` | —       | Disk cache directory for fallback during source outages                                                |
+### Security
+| Variable                | Default | Description                                                                                                                             |
+| ----------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `CLEF_AGENT_VERIFY_KEY` | —       | Public key for artifact signature verification (base64 DER SPKI). When set, unsigned or incorrectly signed artifacts are hard-rejected. |
+### Telemetry
+| Variable                   | Default | Description                     |
+| -------------------------- | ------- | ------------------------------- |
+| `CLEF_AGENT_TELEMETRY_URL` | —       | OTLP endpoint URL for telemetry |
+## Deployment Models
+### Container Sidecar (Kubernetes / ECS)
+Run the agent as a sidecar container in the same pod or task as your application. Your app reads secrets from `http://127.0.0.1:7779/v1/secrets`.
+```yaml
+# Kubernetes sidecar example
+containers:
+  - name: app
+    image: my-app:latest
+    env:
+      - name: CLEF_AGENT_TOKEN
+        value: "my-token"
+  - name: clef-agent
+    image: ghcr.io/clef-sh/agent:latest
+    env:
+      - name: CLEF_AGENT_SOURCE
+        value: "https://my-bucket.s3.amazonaws.com/clef/api-gateway/production.age.json"
+      - name: CLEF_AGENT_TOKEN
+        value: "my-token"
+    livenessProbe:
+      httpGet:
+        path: /v1/health
+        port: 7779
+    readinessProbe:
+      httpGet:
+        path: /v1/ready
+        port: 7779
+```
+### Lambda Extension
+The SEA binary auto-detects the Lambda environment and runs as an extension. Pre-built layer zips are attached to each [GitHub Release](https://github.com/clef-sh/clef/releases). See the [Lambda Extension docs](https://docs.clef.sh/guide/agent#lambda-extension) for setup instructions.
+### Standalone Daemon
+Run directly as a system service or background process. The agent handles SIGTERM/SIGINT for graceful shutdown.
 ## Security
 - Binds exclusively to `127.0.0.1` — never `0.0.0.0`
 - Timing-safe bearer token authentication
 - DNS rebinding protection via Host header validation
 - `Cache-Control: no-store` on all secrets endpoints
-- KMS envelope mode requires no static age key — IAM role is the authentication
-## Configuration
-| Variable                     | Required | Default | Description                                   |
-| ---------------------------- | -------- | ------- | --------------------------------------------- |
-| `CLEF_AGENT_SOURCE`          | Yes\*    | —       | HTTP URL or file path to a packed artifact    |
-| `CLEF_AGENT_VCS_PROVIDER`    | Yes\*    | —       | VCS provider (github, gitlab, bitbucket)      |
-| `CLEF_AGENT_VCS_REPO`        | Yes\*    | —       | Repository (org/repo)                         |
-| `CLEF_AGENT_VCS_TOKEN`       | Yes\*    | —       | VCS authentication token                      |
-| `CLEF_AGENT_VCS_IDENTITY`    | Yes\*    | —       | Service identity name                         |
-| `CLEF_AGENT_VCS_ENVIRONMENT` | Yes\*    | —       | Target environment                            |
-| `CLEF_AGENT_PORT`            | No       | 7779    | HTTP listen port                              |
-| `CLEF_AGENT_TOKEN`           | No       | auto    | Bearer token (auto-generated if not set)      |
-| `CLEF_AGENT_AGE_KEY`         | No       | —       | Age private key (not needed for KMS envelope) |
-| `CLEF_AGENT_CACHE_TTL`       | No       | 300     | Max seconds to serve without refresh          |
-\_Provide either `SOURCE` or the `VCS\__` fields.
+- No plaintext on disk — decrypted values exist only in process memory
+- KMS envelope mode requires no static key — IAM role is the authentication
 ## Documentation
 - [Runtime Agent guide](https://docs.clef.sh/guide/agent)
 - [Service Identities guide](https://docs.clef.sh/guide/service-identities)
-- [Dynamic Secrets guide](https://docs.clef.sh/guide/dynamic-secrets)
+- [CLI pack reference](https://docs.clef.sh/cli/pack)
 ## License