@clef-sh/agent 0.1.8 → 0.1.9-beta.57
- package/dist/agent.cjs +419 -187
- package/dist/agent.cjs.map +4 -4
- package/dist/config.js +2 -2
- package/dist/config.js.map +1 -1
- package/dist/health.d.ts +3 -2
- package/dist/health.d.ts.map +1 -1
- package/dist/health.js +39 -16
- package/dist/health.js.map +1 -1
- package/dist/lifecycle/daemon.d.ts +2 -0
- package/dist/lifecycle/daemon.d.ts.map +1 -1
- package/dist/lifecycle/daemon.js +12 -4
- package/dist/lifecycle/daemon.js.map +1 -1
- package/dist/lifecycle/lambda-extension.d.ts.map +1 -1
- package/dist/lifecycle/lambda-extension.js +23 -6
- package/dist/lifecycle/lambda-extension.js.map +1 -1
- package/dist/main.js +21 -2
- package/dist/main.js.map +1 -1
- package/dist/server.d.ts +5 -1
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +49 -28
- package/dist/server.js.map +1 -1
- package/package.json +1 -1
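--- a/package/dist/config.js
+++ b/package/dist/config.js
@@ -78,8 +78,8 @@ function resolveConfig(env = process.env) {
 }
 const cacheTtlStr = env.CLEF_AGENT_CACHE_TTL ?? "300";
 const cacheTtl = parseInt(cacheTtlStr, 10);
-if (isNaN(cacheTtl) || cacheTtl < 30) {
-throw new ConfigError(`Invalid CLEF_AGENT_CACHE_TTL '${cacheTtlStr}'. Must be an integer >= 30.`);
+if (isNaN(cacheTtl) || cacheTtl < 0 || (cacheTtl > 0 && cacheTtl < 30)) {
+throw new ConfigError(`Invalid CLEF_AGENT_CACHE_TTL '${cacheTtlStr}'. Must be 0 (just-in-time mode) or an integer >= 30.`);
 }
 const ageKey = env.CLEF_AGENT_AGE_KEY;
 const ageKeyFile = env.CLEF_AGENT_AGE_KEY_FILE;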
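Review bot: `parseInt(cacheTtlStr, 10)` accepts any numeric prefix, and now that `0` selects just-in-time mode, values such as `0.5`, `0x1E` or `0s` parse to 0 and pass the new check, silently switching the agent's operating mode instead of being rejected. Validating the raw string first closes that gap, e.g. `if (!/^\d+$/.test(cacheTtlStr) || (cacheTtl > 0 && cacheTtl < 30)) {`, which also makes the separate `isNaN` and `< 0` tests unnecessary. The body of `resolveConfig` starts and ends outside this hunk, so how `cacheTtl` is consumed afterwards is not visible here.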
package/dist/config.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";;;AA4EA,sCA2FC;AAvKD,mCAAiD;AA6CjD,0DAA0D;AAC1D,MAAa,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AALD,kCAKC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAgB,aAAa,CAAC,MAA0C,OAAO,CAAC,GAAG;IACjF,MAAM,MAAM,GAAG,GAAG,CAAC,iBAAiB,CAAC;IAErC,oBAAoB;IACpB,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAChD,MAAM,OAAO,GAAG,GAAG,CAAC,mBAAmB,CAAC;IACxC,MAAM,QAAQ,GAAG,GAAG,CAAC,oBAAoB,CAAC;IAC1C,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAChD,MAAM,cAAc,GAAG,GAAG,CAAC,0BAA0B,CAAC;IACtD,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACtC,MAAM,SAAS,GAAG,GAAG,CAAC,sBAAsB,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAG,CAAC,qBAAqB,CAAC;IAE5C,IAAI,GAA0B,CAAC;IAE/B,wDAAwD;IACxD,MAAM,SAAS,GAAG,WAAW,IAAI,OAAO,IAAI,QAAQ,IAAI,WAAW,IAAI,cAAc,CAAC;IACtF,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,IAAI,CAAC,WAAW,IAAI,CAAC,cAAc,EAAE,CAAC;YAC7E,MAAM,IAAI,WAAW,CACnB,uEAAuE;gBACrE,4FAA4F,CAC/F,CAAC;QACJ,CAAC;QACD,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;QACzD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,WAAW,CACnB,oCAAoC,WAAW,sBAAsB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAClG,CAAC;QACJ,CAAC;QACD,GAAG,GAAG;YACJ,QAAQ,EAAE,WAAoC;YAC9C,IAAI,EAAE,OAAO;YACb,KAAK,EAAE,QAAQ;YACf,QAAQ,EAAE,WAAW;YACrB,WAAW,EAAE,cAAc;YAC3B,GAAG,EAAE,MAAM;YACX,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QACpB,MAAM,IAAI,WAAW,CACnB,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QAC5C,MAAM,IAAI,WAAW,CACnB,4BAA4B,OAAO,0CAA0C,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,IAAI,KAAK,CAAC;IACtD,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3C,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,EAAE,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";;;AA4EA,sCA2FC;AAvKD,mCAAiD;AA6CjD,0DAA0D;AAC1D,MAAa,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AALD,kCAKC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAgB,aAAa,CAAC,MAA0C,OAAO,CAAC,GAAG;IACjF,MAAM,MAAM,GAAG,GAAG,CAAC,iBAAiB,CAAC;IAErC,oBAAoB;IACpB,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAChD,MAAM,OAAO,GAAG,GAAG,CAAC,mBAAmB,CAAC;IACxC,MAAM,QAAQ,GAAG,GAAG,CAAC,oBAAoB,CAAC;IAC1C,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAChD,MAAM,cAAc,GAAG,GAAG,CAAC,0BAA0B,CAAC;IACtD,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACtC,MAAM,SAAS,GAAG,GAAG,CAAC,sBAAsB,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAG,CAAC,qBAAqB,CAAC;IAE5C,IAAI,GAA0B,CAAC;IAE/B,wDAAwD;IACxD,MAAM,SAAS,GAAG,WAAW,IAAI,OAAO,IAAI,QAAQ,IAAI,WAAW,IAAI,cAAc,CAAC;IACtF,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,IAAI,CAAC,WAAW,IAAI,CAAC,cAAc,EAAE,CAAC;YAC7E,MAAM,IAAI,WAAW,CACnB,uEAAuE;gBACrE,4FAA4F,CAC/F,CAAC;QACJ,CAAC;QACD,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;QACzD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,WAAW,CACnB,oCAAoC,WAAW,sBAAsB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAClG,CAAC;QACJ,CAAC;QACD,GAAG,GAAG;YACJ,QAAQ,EAAE,WAAoC;YAC9C,IAAI,EAAE,OAAO;YACb,KAAK,EAAE,QAAQ;YACf,QAAQ,EAAE,WAAW;YACrB,WAAW,EAAE,cAAc;YAC3B,GAAG,EAAE,MAAM;YACX,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QACpB,MAAM,IAAI,WAAW,CACnB,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QAC5C,MAAM,IAAI,WAAW,CACnB,4BAA4B,OAAO,0CAA0C,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,IAAI,KAAK,CAAC;IACtD,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3C,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,IAAI,Q
AAQ,GAAG,EAAE,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,WAAW,CACnB,iCAAiC,WAAW,uDAAuD,CACpG,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAC/C,8DAA8D;IAE9D,MAAM,KAAK,GAAG,GAAG,CAAC,gBAAgB,IAAI,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEtE,MAAM,OAAO,GAAG,GAAG,CAAC,aAAa,IAAI,IAAA,mBAAU,GAAE,CAAC;IAElD,kGAAkG;IAClG,MAAM,YAAY,GAAG,GAAG,CAAC,wBAAwB,CAAC;IAClD,MAAM,SAAS,GAAgC,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhG,MAAM,SAAS,GAAG,GAAG,CAAC,qBAAqB,CAAC;IAE5C,OAAO;QACL,MAAM;QACN,GAAG;QACH,SAAS;QACT,IAAI;QACJ,QAAQ;QACR,MAAM;QACN,UAAU;QACV,KAAK;QACL,OAAO;QACP,SAAS;QACT,SAAS;KACV,CAAC;AACJ,CAAC"}
|
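--- a/package/dist/health.d.ts
+++ b/package/dist/health.d.ts
@@ -1,7 +1,8 @@
 import { Request, Response } from "express";
 import { SecretsCache } from "@clef-sh/runtime";
+import type { EncryptedArtifactStore } from "@clef-sh/runtime";
 /** Create health endpoint handler (unauthenticated). */
-export declare function healthHandler(cache: SecretsCache, cacheTtl?: number): (_req: Request, res: Response) => void;
+export declare function healthHandler(cache: SecretsCache, cacheTtl?: number, encryptedStore?: EncryptedArtifactStore): (_req: Request, res: Response) => void;
 /** Create readiness endpoint handler (unauthenticated). */
-export declare function readyHandler(cache: SecretsCache, cacheTtl?: number): (_req: Request, res: Response) => void;
+export declare function readyHandler(cache: SecretsCache, cacheTtl?: number, encryptedStore?: EncryptedArtifactStore): (_req: Request, res: Response) => void;
 //# sourceMappingURL=health.d.ts.map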
package/dist/health.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,wDAAwD;AACxD,wBAAgB,aAAa,CAC3B,KAAK,EAAE,YAAY,EACnB,QAAQ,CAAC,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,sBAAsB,IAE/B,MAAM,OAAO,EAAE,KAAK,QAAQ,KAAG,IAAI,CAqB5C;AAED,2DAA2D;AAC3D,wBAAgB,YAAY,CAC1B,KAAK,EAAE,YAAY,EACnB,QAAQ,CAAC,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,sBAAsB,IAE/B,MAAM,OAAO,EAAE,KAAK,QAAQ,KAAG,IAAI,CAoB5C"}
|
package/dist/health.js
CHANGED
|
@@ -3,29 +3,52 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.healthHandler = healthHandler;
|
|
4
4
|
exports.readyHandler = readyHandler;
|
|
5
5
|
/** Create health endpoint handler (unauthenticated). */
|
|
6
|
-
function healthHandler(cache, cacheTtl) {
|
|
6
|
+
function healthHandler(cache, cacheTtl, encryptedStore) {
|
|
7
7
|
return (_req, res) => {
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
8
|
+
if (encryptedStore) {
|
|
9
|
+
// JIT mode: freshness is proved by KMS on each request, no TTL to expire
|
|
10
|
+
res.json({
|
|
11
|
+
status: "ok",
|
|
12
|
+
mode: "jit",
|
|
13
|
+
revision: encryptedStore.getRevision(),
|
|
14
|
+
lastRefreshAt: encryptedStore.getStoredAt(),
|
|
15
|
+
expired: false,
|
|
16
|
+
});
|
|
17
|
+
}
|
|
18
|
+
else {
|
|
19
|
+
const expired = cacheTtl !== undefined && cache.isExpired(cacheTtl);
|
|
20
|
+
res.json({
|
|
21
|
+
status: "ok",
|
|
22
|
+
mode: "cached",
|
|
23
|
+
revision: cache.getRevision(),
|
|
24
|
+
lastRefreshAt: cache.getSwappedAt(),
|
|
25
|
+
expired,
|
|
26
|
+
});
|
|
27
|
+
}
|
|
15
28
|
};
|
|
16
29
|
}
|
|
17
30
|
/** Create readiness endpoint handler (unauthenticated). */
|
|
18
|
-
function readyHandler(cache, cacheTtl) {
|
|
31
|
+
function readyHandler(cache, cacheTtl, encryptedStore) {
|
|
19
32
|
return (_req, res) => {
|
|
20
|
-
if (
|
|
21
|
-
|
|
22
|
-
|
|
33
|
+
if (encryptedStore) {
|
|
34
|
+
// JIT mode: ready when encrypted artifact is loaded
|
|
35
|
+
if (!encryptedStore.isReady()) {
|
|
36
|
+
res.status(503).json({ ready: false, reason: "not_loaded" });
|
|
37
|
+
return;
|
|
38
|
+
}
|
|
39
|
+
res.status(200).json({ ready: true });
|
|
23
40
|
}
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
41
|
+
else {
|
|
42
|
+
if (!cache.isReady()) {
|
|
43
|
+
res.status(503).json({ ready: false, reason: "not_loaded" });
|
|
44
|
+
return;
|
|
45
|
+
}
|
|
46
|
+
if (cacheTtl !== undefined && cache.isExpired(cacheTtl)) {
|
|
47
|
+
res.status(503).json({ ready: false, reason: "cache_expired" });
|
|
48
|
+
return;
|
|
49
|
+
}
|
|
50
|
+
res.status(200).json({ ready: true });
|
|
27
51
|
}
|
|
28
|
-
res.status(200).json({ ready: true });
|
|
29
52
|
};
|
|
30
53
|
}
|
|
31
54
|
//# sourceMappingURL=health.js.map
|
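Review bot: The JIT branches of `healthHandler` and `readyHandler` have no staleness bound: health hard-codes `expired: false` and readiness checks only `encryptedStore.isReady()`, whereas the cached branch still returns 503 with `cache_expired`. The comment `freshness is proved by KMS on each request` describes key authorization, not artifact currency; if refreshes keep failing, the stored artifact can presumably still be decrypted and served at an old revision while both unauthenticated probes report healthy. The same gap shows in the lambda-extension.js INVOKE path, where a failed `fetchAndValidate()` is only logged. Consider a maximum artifact age derived from `encryptedStore.getStoredAt()` that flips readiness to 503, or at least reword the comment to `// JIT mode: KMS authorizes each decrypt; artifact age is not checked here`.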
package/dist/health.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"health.js","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"health.js","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":";;AAKA,sCA0BC;AAGD,oCAyBC;AAvDD,wDAAwD;AACxD,SAAgB,aAAa,CAC3B,KAAmB,EACnB,QAAiB,EACjB,cAAuC;IAEvC,OAAO,CAAC,IAAa,EAAE,GAAa,EAAQ,EAAE;QAC5C,IAAI,cAAc,EAAE,CAAC;YACnB,yEAAyE;YACzE,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,cAAc,CAAC,WAAW,EAAE;gBACtC,aAAa,EAAE,cAAc,CAAC,WAAW,EAAE;gBAC3C,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YACpE,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,KAAK,CAAC,WAAW,EAAE;gBAC7B,aAAa,EAAE,KAAK,CAAC,YAAY,EAAE;gBACnC,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,2DAA2D;AAC3D,SAAgB,YAAY,CAC1B,KAAmB,EACnB,QAAiB,EACjB,cAAuC;IAEvC,OAAO,CAAC,IAAa,EAAE,GAAa,EAAQ,EAAE;QAC5C,IAAI,cAAc,EAAE,CAAC;YACnB,oDAAoD;YACpD,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;gBAC7D,OAAO;YACT,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;gBAC7D,OAAO;YACT,CAAC;YACD,IAAI,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;gBAChE,OAAO;YACT,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
|
@@ -18,6 +18,8 @@ export declare class Daemon {
|
|
|
18
18
|
private shutdownResolve?;
|
|
19
19
|
private readonly shutdownPromise;
|
|
20
20
|
private readonly startedAt;
|
|
21
|
+
private sigTermHandler?;
|
|
22
|
+
private sigIntHandler?;
|
|
21
23
|
constructor(options: DaemonOptions);
|
|
22
24
|
/** Start the daemon and register signal handlers. */
|
|
23
25
|
start(): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/lifecycle/daemon.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAE9C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;;GAKG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgB;IACxC,OAAO,CAAC,eAAe,CAAC,CAAa;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgB;IAChD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,OAAO,EAAE,aAAa;IAQlC,qDAAqD;IAC/C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/lifecycle/daemon.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAE9C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;;GAKG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgB;IACxC,OAAO,CAAC,eAAe,CAAC,CAAa;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgB;IAChD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,cAAc,CAAC,CAAa;IACpC,OAAO,CAAC,aAAa,CAAC,CAAa;gBAEvB,OAAO,EAAE,aAAa;IAQlC,qDAAqD;IAC/C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA2C5B,2EAA2E;IAC3E,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;CAGjC"}
|
package/dist/lifecycle/daemon.js
CHANGED
|
@@ -13,6 +13,8 @@ class Daemon {
|
|
|
13
13
|
shutdownResolve;
|
|
14
14
|
shutdownPromise;
|
|
15
15
|
startedAt;
|
|
16
|
+
sigTermHandler;
|
|
17
|
+
sigIntHandler;
|
|
16
18
|
constructor(options) {
|
|
17
19
|
this.options = options;
|
|
18
20
|
this.startedAt = Date.now();
|
|
@@ -28,6 +30,10 @@ class Daemon {
|
|
|
28
30
|
return;
|
|
29
31
|
this.shutdownRequested = true;
|
|
30
32
|
onLog?.("Shutting down...");
|
|
33
|
+
if (this.sigTermHandler)
|
|
34
|
+
process.off("SIGTERM", this.sigTermHandler);
|
|
35
|
+
if (this.sigIntHandler)
|
|
36
|
+
process.off("SIGINT", this.sigIntHandler);
|
|
31
37
|
poller.stop();
|
|
32
38
|
telemetry?.agentStopped({
|
|
33
39
|
reason: "signal",
|
|
@@ -48,12 +54,14 @@ class Daemon {
|
|
|
48
54
|
onLog?.("Shutdown complete.");
|
|
49
55
|
this.shutdownResolve?.();
|
|
50
56
|
};
|
|
51
|
-
|
|
57
|
+
this.sigTermHandler = () => {
|
|
52
58
|
shutdown().catch(() => { });
|
|
53
|
-
}
|
|
54
|
-
|
|
59
|
+
};
|
|
60
|
+
this.sigIntHandler = () => {
|
|
55
61
|
shutdown().catch(() => { });
|
|
56
|
-
}
|
|
62
|
+
};
|
|
63
|
+
process.on("SIGTERM", this.sigTermHandler);
|
|
64
|
+
process.on("SIGINT", this.sigIntHandler);
|
|
57
65
|
onLog?.(`Agent server listening at ${server.url}`);
|
|
58
66
|
// main.ts already calls fetchAndDecrypt() — only start the polling schedule.
|
|
59
67
|
poller.startPolling();
|
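Review bot: Calling `process.off` for both handlers at the top of `shutdown` changes what a second signal does. Previously a repeated SIGTERM or SIGINT hit the `shutdownRequested` guard and was ignored; now no listener is registered while the rest of the cleanup runs, so Node's default action terminates the process before `Shutdown complete.` is reached. If that force-quit behaviour is intended, say so with a comment such as `// Handlers are removed first so a second signal forces an immediate exit`; otherwise move the two `process.off` calls to just before `this.shutdownResolve?.()`. The `shutdown` closure and `start()` begin and end outside these hunks.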
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"daemon.js","sourceRoot":"","sources":["../../src/lifecycle/daemon.ts"],"names":[],"mappings":";;;AAUA;;;;;GAKG;AACH,MAAa,MAAM;IACT,iBAAiB,GAAG,KAAK,CAAC;IACjB,OAAO,CAAgB;IAChC,eAAe,CAAc;IACpB,eAAe,CAAgB;IAC/B,SAAS,CAAS;IAEnC,YAAY,OAAsB;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YACnD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,KAAK;QACT,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAE1D,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,IAAI,IAAI,CAAC,iBAAiB;gBAAE,OAAO;YACnC,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC9B,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC;YAC5B,MAAM,CAAC,IAAI,EAAE,CAAC;YACd,SAAS,EAAE,YAAY,CAAC;gBACtB,MAAM,EAAE,QAAQ;gBAChB,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;aAChE,CAAC,CAAC;YACH,IAAI,CAAC;gBACH,MAAM,SAAS,EAAE,SAAS,EAAE,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,oBAAoB;YACtB,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,mBAAmB;YACrB,CAAC;YACD,KAAK,EAAE,CAAC,oBAAoB,CAAC,CAAC;YAC9B,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QAC3B,CAAC,CAAC;QAEF,
|
|
1
|
+
{"version":3,"file":"daemon.js","sourceRoot":"","sources":["../../src/lifecycle/daemon.ts"],"names":[],"mappings":";;;AAUA;;;;;GAKG;AACH,MAAa,MAAM;IACT,iBAAiB,GAAG,KAAK,CAAC;IACjB,OAAO,CAAgB;IAChC,eAAe,CAAc;IACpB,eAAe,CAAgB;IAC/B,SAAS,CAAS;IAC3B,cAAc,CAAc;IAC5B,aAAa,CAAc;IAEnC,YAAY,OAAsB;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YACnD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,KAAK;QACT,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAE1D,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,IAAI,IAAI,CAAC,iBAAiB;gBAAE,OAAO;YACnC,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC9B,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC;YAC5B,IAAI,IAAI,CAAC,cAAc;gBAAE,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;YACrE,IAAI,IAAI,CAAC,aAAa;gBAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YAClE,MAAM,CAAC,IAAI,EAAE,CAAC;YACd,SAAS,EAAE,YAAY,CAAC;gBACtB,MAAM,EAAE,QAAQ;gBAChB,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;aAChE,CAAC,CAAC;YACH,IAAI,CAAC;gBACH,MAAM,SAAS,EAAE,SAAS,EAAE,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,oBAAoB;YACtB,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,mBAAmB;YACrB,CAAC;YACD,KAAK,EAAE,CAAC,oBAAoB,CAAC,CAAC;YAC9B,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QAC3B,CAAC,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,GAAG,EAAE;YACzB,QAAQ,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC7B,CAAC,CAAC;QACF,IAAI,CAAC,aAAa,GAAG,GAAG,EAAE;YACxB,QAAQ,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC7B,CAAC,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAC3C,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAEzC,KAAK,EAAE,CAAC,6BAA6B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QACnD,6EAA6E;QAC7E,MAAM,CAAC,YAAY,EAAE,CAAC;QACtB,KAAK,EAAE,CAAC,mCAAmC,CAAC,CAAC;IAC/C,CAAC;IAED,2EAA2E;IAC3E,eAAe;QACb,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;CACF;AAjED,
wBAiEC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"lambda-extension.d.ts","sourceRoot":"","sources":["../../src/lifecycle/lambda-extension.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAS9C,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,OAAO,EAAE,sBAAsB;IAK3C,0CAA0C;IACpC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"lambda-extension.d.ts","sourceRoot":"","sources":["../../src/lifecycle/lambda-extension.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAS9C,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,OAAO,EAAE,sBAAsB;IAK3C,0CAA0C;IACpC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YA6Dd,QAAQ;YAmBR,SAAS;CAYxB"}
|
|
@@ -21,8 +21,13 @@ class LambdaExtension {
|
|
|
21
21
|
const extensionId = await this.register();
|
|
22
22
|
onLog?.(`Registered with Lambda Extensions API (id: ${extensionId})`);
|
|
23
23
|
onLog?.(`Agent server listening at ${server.url}`);
|
|
24
|
-
// Initial fetch
|
|
25
|
-
|
|
24
|
+
// Initial fetch — JIT mode fetches without decrypting
|
|
25
|
+
if (refreshTtl === 0) {
|
|
26
|
+
await poller.fetchAndValidate();
|
|
27
|
+
}
|
|
28
|
+
else {
|
|
29
|
+
await poller.fetchAndDecrypt();
|
|
30
|
+
}
|
|
26
31
|
this.lastRefresh = Date.now();
|
|
27
32
|
onLog?.("Initial secrets loaded.");
|
|
28
33
|
// Event loop
|
|
@@ -44,18 +49,30 @@ class LambdaExtension {
|
|
|
44
49
|
await server.stop();
|
|
45
50
|
break;
|
|
46
51
|
}
|
|
47
|
-
// INVOKE event — refresh
|
|
52
|
+
// INVOKE event — refresh artifact
|
|
48
53
|
if (event.eventType === "INVOKE") {
|
|
49
|
-
|
|
50
|
-
|
|
54
|
+
if (refreshTtl === 0) {
|
|
55
|
+
// JIT mode: always fetch fresh encrypted artifact on every invocation
|
|
51
56
|
try {
|
|
52
|
-
await poller.
|
|
57
|
+
await poller.fetchAndValidate();
|
|
53
58
|
this.lastRefresh = Date.now();
|
|
54
59
|
}
|
|
55
60
|
catch (err) {
|
|
56
61
|
onLog?.(`Refresh failed: ${err instanceof Error ? err.message : String(err)}`);
|
|
57
62
|
}
|
|
58
63
|
}
|
|
64
|
+
else {
|
|
65
|
+
const elapsed = (Date.now() - this.lastRefresh) / 1000;
|
|
66
|
+
if (elapsed >= refreshTtl) {
|
|
67
|
+
try {
|
|
68
|
+
await poller.fetchAndDecrypt();
|
|
69
|
+
this.lastRefresh = Date.now();
|
|
70
|
+
}
|
|
71
|
+
catch (err) {
|
|
72
|
+
onLog?.(`Refresh failed: ${err instanceof Error ? err.message : String(err)}`);
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
}
|
|
59
76
|
}
|
|
60
77
|
}
|
|
61
78
|
}
|
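Review bot: The comment `JIT mode: always fetch fresh encrypted artifact on every invocation` promises more than the INVOKE branch can deliver. Lambda hands the INVOKE event to extensions in parallel with the runtime, so a request the function makes to the agent early in the invocation can race `poller.fetchAndValidate()` and be answered from the previously stored artifact. If callers rely on per-invocation freshness for rotated or revoked secrets, that needs an explicit gate on the request path; otherwise the comment should say so, e.g. `// JIT mode: refresh on each invocation; requests may still see the previous artifact`. The file header for this section is missing on the page (presumably package/dist/lifecycle/lambda-extension.js), and the enclosing method starts and ends outside the hunks.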
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"lambda-extension.js","sourceRoot":"","sources":["../../src/lifecycle/lambda-extension.ts"],"names":[],"mappings":";;;AAmBA;;;;;GAKG;AACH,MAAa,eAAe;IAClB,WAAW,GAAG,CAAC,CAAC;IACP,OAAO,CAAyB;IAChC,SAAS,CAAS;IAEnC,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,KAAK;QACT,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEtE,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1C,KAAK,EAAE,CAAC,8CAA8C,WAAW,GAAG,CAAC,CAAC;QACtE,KAAK,EAAE,CAAC,6BAA6B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QAEnD,gBAAgB;
|
|
1
|
+
{"version":3,"file":"lambda-extension.js","sourceRoot":"","sources":["../../src/lifecycle/lambda-extension.ts"],"names":[],"mappings":";;;AAmBA;;;;;GAKG;AACH,MAAa,eAAe;IAClB,WAAW,GAAG,CAAC,CAAC;IACP,OAAO,CAAyB;IAChC,SAAS,CAAS;IAEnC,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,KAAK;QACT,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEtE,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1C,KAAK,EAAE,CAAC,8CAA8C,WAAW,GAAG,CAAC,CAAC;QACtE,KAAK,EAAE,CAAC,6BAA6B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QAEnD,sDAAsD;QACtD,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,KAAK,EAAE,CAAC,yBAAyB,CAAC,CAAC;QAEnC,aAAa;QACb,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAEhD,IAAI,KAAK,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;gBACnC,KAAK,EAAE,CAAC,0BAA0B,CAAC,CAAC;gBACpC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,EAAE,YAAY,CAAC;oBACtB,MAAM,EAAE,iBAAiB;oBACzB,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;iBAChE,CAAC,CAAC;gBACH,IAAI,CAAC;oBACH,MAAM,SAAS,EAAE,SAAS,EAAE,CAAC;gBAC/B,CAAC;gBAAC,MAAM,CAAC;oBACP,oBAAoB;gBACtB,CAAC;gBACD,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBACpB,MAAM;YACR,CAAC;YAED,kCAAkC;YAClC,IAAI,KAAK,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBACjC,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;oBACrB,sEAAsE;oBACtE,IAAI,CAAC;wBACH,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;wBAChC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAChC,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,KAAK,EAAE,CAAC,mBAAmB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBACjF,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;oBACvD,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;wBAC1B,IAAI,CAAC;4BACH,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;4BAC/
B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;wBAChC,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,KAAK,EAAE,CAAC,mBAAmB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;wBACjF,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qDAAqD,EAAE;YAC7E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,uBAAuB,EAAE,YAAY,EAAE;YAClD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;SACzD,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,WAAmB;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,uDAAuD,EAAE;YAC/E,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,6BAA6B,EAAE,WAAW,EAAE;SACxD,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4CAA4C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IAClD,CAAC;CACF;AAvGD,0CAuGC"}
|
package/dist/main.js
CHANGED
|
@@ -14,6 +14,7 @@ const daemon_1 = require("./lifecycle/daemon");
|
|
|
14
14
|
const package_json_1 = require("../package.json");
|
|
15
15
|
async function main() {
|
|
16
16
|
const config = (0, config_1.resolveConfig)();
|
|
17
|
+
const jitMode = config.cacheTtl === 0;
|
|
17
18
|
// Age key is optional — KMS envelope artifacts don't need one
|
|
18
19
|
let privateKey;
|
|
19
20
|
try {
|
|
@@ -48,6 +49,7 @@ async function main() {
|
|
|
48
49
|
? new runtime_1.DiskCache(config.cachePath, config.vcs.identity, config.vcs.environment)
|
|
49
50
|
: undefined;
|
|
50
51
|
const cache = new runtime_1.SecretsCache();
|
|
52
|
+
const encryptedStore = jitMode ? new runtime_1.EncryptedArtifactStore() : undefined;
|
|
51
53
|
const poller = new runtime_1.ArtifactPoller({
|
|
52
54
|
source,
|
|
53
55
|
privateKey,
|
|
@@ -55,9 +57,20 @@ async function main() {
|
|
|
55
57
|
diskCache,
|
|
56
58
|
cacheTtl: config.cacheTtl,
|
|
57
59
|
verifyKey: config.verifyKey,
|
|
60
|
+
encryptedStore,
|
|
58
61
|
onError: (err) => console.error(`[clef-agent] poll error: ${err.message}`),
|
|
59
62
|
});
|
|
60
|
-
|
|
63
|
+
if (jitMode) {
|
|
64
|
+
// JIT mode: fetch + validate (no decrypt) — stores encrypted artifact
|
|
65
|
+
await poller.fetchAndValidate();
|
|
66
|
+
// One-shot decrypt for telemetry bootstrap, then wipe the cache
|
|
67
|
+
const artifact = encryptedStore.get();
|
|
68
|
+
const { values } = await poller.getDecryptor().decrypt(artifact);
|
|
69
|
+
cache.swap(values, artifact.keys, artifact.revision);
|
|
70
|
+
}
|
|
71
|
+
else {
|
|
72
|
+
await poller.fetchAndDecrypt();
|
|
73
|
+
}
|
|
61
74
|
// Telemetry setup — after first fetch so the auth token can be read from packed secrets
|
|
62
75
|
let telemetry;
|
|
63
76
|
if (config.telemetry) {
|
|
@@ -88,11 +101,16 @@ async function main() {
|
|
|
88
101
|
});
|
|
89
102
|
poller.setTelemetry(telemetry);
|
|
90
103
|
}
|
|
104
|
+
// Wipe the cache after telemetry bootstrap in JIT mode — no plaintext in memory
|
|
105
|
+
if (jitMode) {
|
|
106
|
+
cache.wipe();
|
|
107
|
+
}
|
|
91
108
|
const server = await (0, server_1.startAgentServer)({
|
|
92
109
|
port: config.port,
|
|
93
110
|
token: config.token,
|
|
94
111
|
cache,
|
|
95
112
|
cacheTtl: config.cacheTtl,
|
|
113
|
+
...(jitMode ? { decryptor: poller.getDecryptor(), encryptedStore } : {}),
|
|
96
114
|
});
|
|
97
115
|
const daemon = new daemon_1.Daemon({
|
|
98
116
|
poller,
|
|
@@ -101,7 +119,8 @@ async function main() {
|
|
|
101
119
|
onLog: (msg) => console.log(`[clef-agent] ${msg}`),
|
|
102
120
|
});
|
|
103
121
|
telemetry?.agentStarted({ version: package_json_1.version });
|
|
104
|
-
console.log(`[clef-agent]
|
|
122
|
+
console.log(`[clef-agent] mode: ${jitMode ? "jit" : "cached"}`);
|
|
123
|
+
console.log(`[clef-agent] token: [set]`);
|
|
105
124
|
await daemon.start();
|
|
106
125
|
}
|
|
107
126
|
main().catch((err) => {
|
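Review bot: In JIT mode the startup block decrypts the whole artifact and calls `cache.swap` with the plaintext even when `config.telemetry` is unset, although the comments say the decrypt exists only for the telemetry bootstrap. Wrapping the three decrypt-and-swap lines in `if (config.telemetry) { … }` would save a KMS call and keep plaintext out of the process when nothing consumes it, unless the decrypt is also meant as a fail-fast check of KMS access, which the comment should then state. `cache.wipe()` is reached only on the success path, and `no plaintext in memory` overstates the result: the `values` object, and presumably any telemetry header built from the packed token, are ordinary JS strings that persist until garbage-collected or for the life of the telemetry client. `main` starts and ends outside these hunks.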
package/dist/main.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"main.js","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";;AAAA,iGAAiG;AACjG;;;;;GAKG;AACH,qCAAsD;AACtD,
|
|
1
|
+
{"version":3,"file":"main.js","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";;AAAA,iGAAiG;AACjG;;;;;GAKG;AACH,qCAAsD;AACtD,8CAW0B;AAE1B,qCAA4C;AAC5C,+CAA4C;AAE5C,kDAA0D;AAE1D,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,IAAA,sBAAa,GAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAC;IAEtC,8DAA8D;IAC9D,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,sBAAY,EAAE,CAAC;QACrC,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4BAA4B;IAC5B,IAAI,MAAsB,CAAC;IAC3B,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,IAAA,2BAAiB,EAAC;YACjC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ;YAC7B,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI;YACrB,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK;YACvB,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG;YACnB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,MAAM,GAAG,IAAI,2BAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACxF,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM;YACJ,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBACzE,CAAC,CAAC,IAAI,4BAAkB,CAAC,MAAM,CAAC,MAAM,CAAC;gBACvC,CAAC,CAAC,IAAI,4BAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,oBAAW,CAAC,gCAAgC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,SAAS,GACb,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG;QAC5B,CAAC,CAAC,IAAI,mBAAS,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC;QAC9E,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,KAAK,GAAG,IAAI,sBAAY,EAAE,CAAC;IACjC,MAAM,cAAc,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,gCAAsB,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAE1E,MAAM,MAAM,GAAG,IAAI,wBAAc,CAAC;QAChC,MAAM;QACN,UAAU;QACV,KAAK;QACL,SAAS;QACT,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,cAAc;QACd,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,4BAA4B,GAAG,CAAC,OAAO,EAAE,CAAC;KAC3E,CAAC,CAAC;IAEH,IAAI,OAAO,EAAE,CAAC;QACZ,sEAAsE;QACtE,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAEhC,gEAAgE;QAChE,MAAM,QAAQ,GAAG,cAAe,CAAC,GAAG,EAA
G,CAAC;QACxC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;IACjC,CAAC;IAED,wFAAwF;IACxF,IAAI,SAAuC,CAAC;IAE5C,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,2CAA2C;QAC3C,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACnD,IAAI,UAAU,EAAE,CAAC;YACf,oDAAoD;YACpD,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzC,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC7B,IAAI,EAAE,GAAG,CAAC;oBAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5E,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,QAAQ,EAAE,CAAC;QAClD,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5F,SAAS,GAAG,IAAI,0BAAgB,CAAC;YAC/B,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,GAAG;YACzB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YAC9D,OAAO,EAAE,sBAAY;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,QAAQ,IAAI,SAAS;YAC3C,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE,WAAW,IAAI,SAAS;YACjD,UAAU;SACX,CAAC,CAAC;QACH,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IAED,gFAAgF;IAChF,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,EAAE,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,yBAAgB,EAAC;QACpC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACzE,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,eAAM,CAAC;QACxB,MAAM;QACN,MAAM;QACN,SAAS;QACT,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,EAAE,CAAC;KACnD,CAAC,CAAC;IAEH,SAAS,
EAAE,YAAY,CAAC,EAAE,OAAO,EAAE,sBAAY,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,IAAI,GAAG,YAAY,oBAAW,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,8BAA8B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,uBAAuB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
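--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -1,5 +1,6 @@
 import type { AddressInfo } from "net";
 import { SecretsCache } from "@clef-sh/runtime";
+import type { ArtifactDecryptor, EncryptedArtifactStore } from "@clef-sh/runtime";
 export interface AgentServerHandle {
 url: string;
 stop: () => Promise<void>;
@@ -10,13 +11,16 @@ export interface AgentServerOptions {
 token: string;
 cache: SecretsCache;
 cacheTtl?: number;
+/** JIT mode: decrypt on every request instead of serving from cache. */
+decryptor?: ArtifactDecryptor;
+/** JIT mode: encrypted artifact store (required when decryptor is set). */
+encryptedStore?: EncryptedArtifactStore;
 }
 /**
 * Start the agent HTTP API server on 127.0.0.1.
 *
 * Routes:
 * GET /v1/secrets → all secrets (authenticated)
-* GET /v1/secrets/:key → single secret (authenticated)
 * GET /v1/keys → key names (authenticated)
 * GET /v1/health → health check (unauthenticated)
 * GET /v1/ready → readiness probe (unauthenticated)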
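Review bot: `decryptor` and `encryptedStore` are declared as independently optional in `AgentServerOptions`, so the "required when decryptor is set" rule exists only in the comment. In `server.js` the mode is derived as `!!decryptor && !!encryptedStore`, which means a caller that passes only one of them silently gets cached mode instead of per-request decryption. I would state that on the field, e.g. `/** JIT mode: decrypt on every request; ignored unless encryptedStore is also set. */`, or better model the pair as a union in the source `.ts` so the mismatch fails at compile time. The interface starts above this hunk.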
package/dist/server.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,KAAK,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,KAAK,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,KAAK,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAGlF,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,OAAO,EAAE,MAAM,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC;CAC5C;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,YAAY,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,SAAS,CAAC,EAAE,iBAAiB,CAAC;IAC9B,2EAA2E;IAC3E,cAAc,CAAC,EAAE,sBAAsB,CAAC;CACzC;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA8GxF"}
|
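--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -12,21 +12,20 @@ const health_1 = require("./health");
 *
 * Routes:
 * GET /v1/secrets → all secrets (authenticated)
-* GET /v1/secrets/:key → single secret (authenticated)
 * GET /v1/keys → key names (authenticated)
 * GET /v1/health → health check (unauthenticated)
 * GET /v1/ready → readiness probe (unauthenticated)
 */
 function startAgentServer(options) {
-const { port, token, cache, cacheTtl } = options;
+const { port, token, cache, cacheTtl, decryptor, encryptedStore } = options;
+const jitMode = !!decryptor && !!encryptedStore;
 const app = (0, express_1.default)();
-
-//
+// Host header validation — block DNS rebinding attacks.
+// Allowed hosts are static after startup; compute once.
+const allowedHosts = new Set([`127.0.0.1:${port}`, "127.0.0.1"]);
 app.use("/v1", (req, res, next) => {
 const host = req.headers.host ?? "";
-
-const allowedHosts = [`127.0.0.1:${actualPort}`, `127.0.0.1:${port}`];
-if (!allowedHosts.includes(host)) {
+if (!allowedHosts.has(host)) {
 res.status(403).json({ error: "Forbidden: invalid Host header" });
 return;
 }
@@ -38,14 +37,21 @@ function startAgentServer(options) {
 next();
 });
 // Unauthenticated endpoints — must be mounted before the auth middleware
-app.get("/v1/health", (0, health_1.healthHandler)(cache, cacheTtl));
-app.get("/v1/ready", (0, health_1.readyHandler)(cache, cacheTtl));
+app.get("/v1/health", (0, health_1.healthHandler)(cache, cacheTtl, encryptedStore));
+app.get("/v1/ready", (0, health_1.readyHandler)(cache, cacheTtl, encryptedStore));
 // Bearer token authentication for secrets endpoints
 app.use("/v1/secrets", authMiddleware(token));
 app.use("/v1/keys", authMiddleware(token));
-// TTL guard — reject requests when cache has expired
+// TTL guard — reject requests when cache has expired (cached mode only)
+// In JIT mode, freshness is proved by KMS success on each request.
 const ttlGuard = (_req, res, next) => {
-if (
+if (jitMode) {
+if (!encryptedStore.isReady()) {
+res.status(503).json({ error: "Secrets not yet loaded" });
+return;
+}
+}
+else if (cacheTtl !== undefined && cache.isExpired(cacheTtl)) {
 res.status(503).json({ error: "Secrets expired" });
 return;
 }
@@ -54,26 +60,41 @@ function startAgentServer(options) {
 app.use("/v1/secrets", ttlGuard);
 app.use("/v1/keys", ttlGuard);
 // GET /v1/secrets — all secrets
-app.get("/v1/secrets", (_req, res) => {
-
-
-
-
+app.get("/v1/secrets", async (_req, res) => {
+if (jitMode) {
+// JIT mode: decrypt on every request — KMS is the live authorization gate
+const artifact = encryptedStore.get();
+if (!artifact) {
+res.status(503).json({ error: "Secrets not yet loaded" });
+return;
+}
+try {
+const { values } = await decryptor.decrypt(artifact);
+res.json(values);
+}
+catch (err) {
+const message = err instanceof Error ? err.message : String(err);
+res.status(503).json({ error: "Decryption failed", detail: message });
+}
 }
-
-
-
-
-
-
-
-
+else {
+// Cached mode: serve from in-memory cache
+const all = cache.getAll();
+if (!all) {
+res.status(503).json({ error: "Secrets not yet loaded" });
+return;
+}
+res.json(all);
 }
-res.json({ value });
 });
-// GET /v1/keys — list key names
+// GET /v1/keys — list key names (no decryption needed)
 app.get("/v1/keys", (_req, res) => {
-
+if (jitMode) {
+res.json(encryptedStore.getKeys());
+}
+else {
+res.json(cache.getKeys());
+}
 });
 const url = `http://127.0.0.1:${port}`;
 return new Promise((resolve, reject) => {
@@ -101,11 +122,11 @@ function startAgentServer(options) {
 });
 }
 function authMiddleware(token) {
+const expectedBuf = Buffer.from(token);
 return (req, res, next) => {
 const authHeader = req.headers.authorization ?? "";
 const provided = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : "";
 const providedBuf = Buffer.from(provided);
-const expectedBuf = Buffer.from(token);
 if (!provided ||
 providedBuf.length !== expectedBuf.length ||
 !(0, crypto_1.timingSafeEqual)(providedBuf, expectedBuf)) {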
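Review bot: The JIT branch of the `/v1/secrets` handler sends the raw decryptor error back to the client in `detail: message`, and a KMS or provider error string can carry key identifiers, principal names or request ids that a secrets consumer does not need. Keep the text on the server side (log it through whatever logger the agent already uses) and answer with `res.status(503).json({ error: "Decryption failed" });`. Also note that `encryptedStore.get()` sits outside the `try`, so if it can throw, the async handler rejects without sending a response; moving it inside the `try` covers that. The handler is complete in this hunk, while the enclosing `startAgentServer` continues outside it.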
package/dist/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";;;;;
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";;;;;AAkCA,4CA8GC;AAhJD,mCAAyC;AACzC,sDAAmE;AAKnE,qCAAuD;AAmBvD;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAAC,OAA2B;IAC1D,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC;IAC5E,MAAM,OAAO,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,cAAc,CAAC;IAChD,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;IAEtB,wDAAwD;IACxD,wDAAwD;IACxD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;IACjE,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACjE,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC1E,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAC3C,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,yEAAyE;IACzE,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,IAAA,sBAAa,EAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IACtE,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,IAAA,qBAAY,EAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEpE,oDAAoD;IACpD,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC;IAE3C,wEAAwE;IACxE,mEAAmE;IACnE,MAAM,QAAQ,GAAG,CAAC,IAAa,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC1E,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IACF,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IACjC,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAE9B,gCAAgC;IAChC,GAAG,CAAC,GAA
G,CAAC,aAAa,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;QAC5D,IAAI,OAAO,EAAE,CAAC;YACZ,0EAA0E;YAC1E,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACrD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uDAAuD;IACvD,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QACnD,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,oBAAoB,IAAI,EAAE,CAAC;IAEvC,OAAO,IAAI,OAAO,CAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxD,IAAI,MAAc,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;gBAC1C,OAAO,CAAC;oBACN,GAAG;oBACH,IAAI,EAAE,GAAG,EAAE,CACT,IAAI,OAAO,CAAO,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE;wBAC5C,4EAA4E;wBAC5E,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;wBAC/D,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,EAAE;4BACjC,MAAM,CAAC,mBAAmB,EAAE,CAAC;wBAC/B,CAAC,EAAE,IAAI,CAAC,CAAC;wBACT,UAAU,CAAC,KAAK,EAAE,CAAC;oBACrB,CAAC,CAAC;oBACJ,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CA
AC,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvC,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACnD,MAAM,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7E,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,IACE,CAAC,QAAQ;YACT,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;YACzC,CAAC,IAAA,wBAAe,EAAC,WAAW,EAAE,WAAW,CAAC,EAC1C,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}
|