@clef-sh/agent 0.1.20-beta.142 → 0.1.20-beta.143

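--- a/package/dist/agent.cjs
+++ b/package/dist/agent.cjs
@@ -193923,21 +193923,48 @@ var VcsArtifactSource = class {
  // ../runtime/src/sources/s3.ts
  var crypto17 = __toESM(require("crypto"));
  function isS3Url(url) {
- return parseS3UrlSafe(url) !== null;
+ let u;
+ try {
+ u = new URL(url);
+ } catch {
+ return false;
+ }
+ if (u.protocol === "s3:") {
+ return !!u.hostname && u.pathname.length > 1;
+ }
+ if (u.protocol === "https:") {
+ return parseHttpsS3Url(u) !== null;
+ }
+ return false;
  }
  function parseS3Url(url) {
- const loc = parseS3UrlSafe(url);
- if (!loc) throw new Error(`Not a valid S3 URL: ${url}`);
- return loc;
- }
- function parseS3UrlSafe(url) {
  let u;
  try {
  u = new URL(url);
  } catch {
- return null;
+ throw new Error(`Not a valid URL: ${url}`);
+ }
+ if (u.protocol === "s3:") {
+ const bucket = u.hostname;
+ const key = u.pathname.slice(1);
+ if (!bucket || !key) {
+ throw new Error(`Invalid s3:// URL (missing bucket or key): ${url}`);
+ }
+ const region = process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION;
+ if (!region) {
+ throw new Error(
+ `s3:// URLs require AWS_REGION or AWS_DEFAULT_REGION to be set. Lambda and ECS set AWS_REGION automatically; set it explicitly for other environments, or use the https://bucket.s3.region.amazonaws.com/key form instead. URL: ${url}`
+ );
+ }
+ return { bucket, key, region };
+ }
+ if (u.protocol === "https:") {
+ const loc = parseHttpsS3Url(u);
+ if (loc) return loc;
  }
- if (u.protocol !== "https:") return null;
+ throw new Error(`Not a valid S3 URL: ${url}`);
+ }
+ function parseHttpsS3Url(u) {
  const host = u.hostname;
  const key = u.pathname.slice(1);
  if (!key) return null;
@@ -194141,9 +194168,19 @@ function readyHandler(cache5, cacheTtl, encryptedStore) {
 
  // src/server.ts
  function startAgentServer(options) {
- const { port, token, cache: cache5, cacheTtl, decryptor, encryptedStore } = options;
+ const { port, token, cache: cache5, cacheTtl, refresh, decryptor, encryptedStore } = options;
  const jitMode = !!decryptor && !!encryptedStore;
  const app = (0, import_express.default)();
+ let inflightRefresh = null;
+ const refreshOnce = () => {
+ if (!refresh) return Promise.resolve();
+ if (!inflightRefresh) {
+ inflightRefresh = refresh().finally(() => {
+ inflightRefresh = null;
+ });
+ }
+ return inflightRefresh;
+ };
  const allowedHosts = /* @__PURE__ */ new Set([`127.0.0.1:${port}`, "127.0.0.1"]);
  app.use("/v1", (req, res, next) => {
  const host = req.headers.host ?? "";
@@ -194161,13 +194198,31 @@ function startAgentServer(options) {
  app.get("/v1/ready", readyHandler(cache5, cacheTtl, encryptedStore));
  app.use("/v1/secrets", authMiddleware(token));
  app.use("/v1/keys", authMiddleware(token));
- const ttlGuard = (_req, res, next) => {
+ const ttlGuard = async (_req, res, next) => {
  if (jitMode) {
  if (!encryptedStore.isReady()) {
  res.status(503).json({ error: "Secrets not yet loaded" });
  return;
  }
- } else if (cacheTtl !== void 0 && cache5.isExpired(cacheTtl)) {
+ next();
+ return;
+ }
+ if (cacheTtl === void 0 || !cache5.isExpired(cacheTtl)) {
+ next();
+ return;
+ }
+ if (!refresh) {
+ res.status(503).json({ error: "Secrets expired" });
+ return;
+ }
+ try {
+ await refreshOnce();
+ } catch (err) {
+ const message = err instanceof Error ? err.message : String(err);
+ res.status(503).json({ error: "Refresh failed", detail: message });
+ return;
+ }
+ if (cache5.isExpired(cacheTtl)) {
  res.status(503).json({ error: "Secrets expired" });
  return;
  }
@@ -194446,7 +194501,7 @@ async function initialFetch(poller, jitMode, encryptedStore, cache5, sourceDesc)
  }
 
  // package.json
- var version5 = "0.1.20-beta.142";
+ var version5 = "0.1.20-beta.143";
 
  // src/main.ts
  var isLambda = !!process.env.AWS_LAMBDA_RUNTIME_API;
@@ -194530,7 +194585,7 @@ async function main() {
  token: config.token,
  cache: cache5,
  cacheTtl: config.cacheTtl,
- ...jitMode ? { decryptor: poller.getDecryptor(), encryptedStore } : {}
+ ...jitMode ? { decryptor: poller.getDecryptor(), encryptedStore } : { refresh: () => poller.fetchAndDecrypt() }
  });
  const onLog = (msg) => console.log(`[clef-agent] ${msg}`);
  telemetry?.agentStarted({ version: version5 });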
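Review bot: In the `ttlGuard` hunk of `startAgentServer`, the new catch branch returns the raw `err.message` from `refresh()` to the HTTP caller as `detail`, and that text comes from the fetch/decrypt path, where messages can carry source URLs or other deployment detail (the S3 parser in this same file interpolates the full `url` into its errors). I would respond with `res.status(503).json({ error: "Refresh failed" });` and write `message` to the agent's own log instead. Where `ttlGuard` is mounted lies outside the hunk, so whether this response is reachable only after `authMiddleware` cannot be confirmed from here, and the rest of `ttlGuard`'s body also continues past the hunk. Separately, `refreshOnce` coalesces concurrent callers, but once a refresh fails every later request starts a new one with no backoff or timeout, so a short negative-cache window after a failure would keep an upstream outage from turning each request into a fresh fetch-and-decrypt attempt.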