npm - @cowork-trust/trust - Versions diffs - 0.1.0 - Mend

@cowork-trust/trust 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/trust.js +344 -0
package/package.json +17 -0

package/bin/trust.js ADDED Viewed

@@ -0,0 +1,344 @@
+#!/usr/bin/env node
+import { spawn } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { dirname, join } from 'node:path';
+const command = process.argv[2];
+const args = parseArgs(process.argv.slice(3));
+let configCache;
+main().catch((error) => {
+  console.error(JSON.stringify({ error: error.message }));
+  process.exit(1);
+});
+async function main() {
+  if (!command || command === 'help' || command === '--help') {
+    printHelp();
+    return;
+  }
+  switch (command) {
+    case 'smoke':
+      await smoke();
+      return;
+    case 'evaluate':
+      await evaluate();
+      return;
+    case 'score':
+      await score();
+      return;
+    case 'feedback':
+      await feedback();
+      return;
+    case 'login':
+      await login();
+      return;
+    case 'logout':
+      await logout();
+      return;
+    case 'whoami':
+    case 'status':
+      await whoami();
+      return;
+    case 'config':
+      await configCommand();
+      return;
+    case 'keys':
+      await keysCommand();
+      return;
+    default:
+      throw new Error(`Unknown command: ${command}`);
+  }
+}
+async function login() {
+  const apiUrl = required('api-url').replace(/\/$/, '');
+  const started = await requestRaw(apiUrl, '/api/cli/auth/start', {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ apiUrl }),
+  });
+  print({ status: 'pending', browserUrl: started.browserUrl, userCode: started.userCode, expiresAt: started.expiresAt });
+  if (args.open !== 'false' && args['no-open'] !== 'true' && process.env.COWORK_TRUST_SKIP_BROWSER !== 'true') {
+    openBrowser(started.browserUrl);
+  }
+  const intervalMs = Number(args['poll-interval-ms'] || process.env.COWORK_TRUST_POLL_INTERVAL_MS || 2000);
+  const timeoutMs = Number(args['poll-timeout-ms'] || process.env.COWORK_TRUST_POLL_TIMEOUT_MS || 10 * 60 * 1000);
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    const result = await requestRaw(apiUrl, `/api/cli/auth/${encodeURIComponent(started.sessionId)}/poll`, {
+      method: 'GET',
+      headers: { authorization: `Bearer ${started.pollToken}` },
+    });
+    if (result.status === 'consumed' && result.apiKey) {
+      const config = {
+        apiUrl,
+        apiKey: result.apiKey,
+        workspaceId: result.workspaceId,
+        authMode: 'api_key',
+        lastLoginAt: new Date().toISOString(),
+      };
+      writeConfig(config);
+      print({ status: 'logged_in', apiUrl, workspaceId: result.workspaceId, configPath: configPath() });
+      return;
+    }
+    if (result.status === 'expired') throw new Error('CLI login expired. Run login again.');
+  }
+  throw new Error('CLI login timed out. Run login again.');
+}
+async function logout() {
+  if (existsSync(configPath())) rmSync(configPath());
+  configCache = {};
+  print({ status: 'logged_out' });
+}
+async function whoami() {
+  print(await get('/api/auth/whoami'));
+}
+async function configCommand() {
+  const subcommand = process.argv[3];
+  if (subcommand === 'get') {
+    const config = readConfig();
+    print({ ...config, apiKey: config.apiKey ? mask(config.apiKey) : undefined, configPath: configPath() });
+    return;
+  }
+  if (subcommand === 'set') {
+    const key = process.argv[4];
+    const value = process.argv[5];
+    if (key !== 'api-url') throw new Error('Only `cowork-trust config set api-url <url>` is supported');
+    if (!value) throw new Error('api-url value is required');
+    writeConfig({ ...readConfig(), apiUrl: value.replace(/\/$/, '') });
+    print({ status: 'updated', apiUrl: value.replace(/\/$/, ''), configPath: configPath() });
+    return;
+  }
+  throw new Error('Usage: cowork-trust config get | cowork-trust config set api-url <url>');
+}
+async function keysCommand() {
+  const subcommand = process.argv[3];
+  if (subcommand === 'list') {
+    print(await get('/api/workspace/api-keys'));
+    return;
+  }
+  if (subcommand === 'create') {
+    const name = required('name');
+    print(await post('/api/workspace/api-keys', {
+      name,
+      environment: args.environment || 'test',
+    }));
+    return;
+  }
+  if (subcommand === 'revoke' || subcommand === 'rotate') {
+    const id = process.argv[4] || args.id;
+    if (!id) throw new Error(`Usage: cowork-trust keys ${subcommand} <key-id>`);
+    print(await post(`/api/workspace/api-keys/${encodeURIComponent(id)}/${subcommand}`, {}));
+    return;
+  }
+  throw new Error('Usage: cowork-trust keys list | keys create --name <name> [--environment test|live] | keys revoke <key-id> | keys rotate <key-id>');
+}
+async function smoke() {
+  const now = Date.now();
+  const checks = [
+    {
+      name: 'read',
+      expected: 'allow',
+      payload: payload('resource.read', 'read', 'record:smoke-read', `smoke-read-${now}`),
+    },
+    {
+      name: 'write',
+      expected: 'require_approval',
+      payload: payload('resource.write', 'write', 'record:smoke-write', `smoke-write-${now}`),
+    },
+    {
+      name: 'delete',
+      expected: 'deny',
+      payload: payload('resource.delete', 'delete', 'record:smoke-delete', `smoke-delete-${now}`),
+    },
+  ];
+  const results = [];
+  for (const check of checks) {
+    const result = await post('/api/trust/evaluate', check.payload);
+    results.push({ name: check.name, expected: check.expected, decision: result.decision, evaluationId: result.evaluationId });
+    if (result.decision !== check.expected) {
+      throw new Error(`Smoke check ${check.name} expected ${check.expected} but received ${result.decision}`);
+    }
+  }
+  print(results);
+}
+async function evaluate() {
+  const category = required('category');
+  const action = required('action');
+  const resource = required('resource');
+  print(await post('/api/trust/evaluate', payload(action, category, resource, args['idempotency-key'])));
+}
+async function score() {
+  const actor = encodeURIComponent(required('actor'));
+  print(await get(`/api/trust/actors/${actor}/score`));
+}
+async function feedback() {
+  const evaluation = encodeURIComponent(required('evaluation'));
+  const signalType = required('signal');
+  print(await post(`/api/trust/evaluations/${evaluation}/feedback`, {
+    signalType,
+    reason: args.reason,
+    idempotencyKey: args['idempotency-key'],
+  }));
+}
+function payload(actionType, category, resourceValue, idempotencyKey) {
+  const [resourceType, resourceId] = String(resourceValue).split(':');
+  return {
+    workspaceId: option('workspace') || option('workspace-id') || 'cli-workspace',
+    actor: {
+      externalId: option('actor') || 'cli-agent',
+      type: 'agent',
+      platform: 'cli',
+    },
+    action: {
+      type: actionType,
+      category,
+    },
+    resource: {
+      type: resourceType,
+      id: resourceId,
+    },
+    idempotencyKey,
+  };
+}
+async function get(path) {
+  return request(path, { method: 'GET' });
+}
+async function post(path, body) {
+  return request(path, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+}
+async function request(path, init) {
+  const apiUrl = required('api-url').replace(/\/$/, '');
+  const apiKey = required('api-key');
+  return requestRaw(apiUrl, path, {
+    ...init,
+    headers: {
+      ...(init.headers || {}),
+      authorization: `Bearer ${apiKey}`,
+    },
+  });
+}
+async function requestRaw(apiUrl, path, init) {
+  const response = await fetch(`${apiUrl}${path}`, init);
+  const text = await response.text();
+  const body = text ? JSON.parse(text) : {};
+  if (!response.ok) {
+    throw new Error(body.message || `Request failed with status ${response.status}`);
+  }
+  return body;
+}
+function parseArgs(values) {
+  const parsed = {};
+  for (let index = 0; index < values.length; index += 1) {
+    const value = values[index];
+    if (!value.startsWith('--')) continue;
+    const key = value.slice(2);
+    const next = values[index + 1];
+    if (!next || next.startsWith('--')) {
+      parsed[key] = 'true';
+    } else {
+      parsed[key] = next;
+      index += 1;
+    }
+  }
+  return parsed;
+}
+function required(name) {
+  const value = option(name);
+  if (!value) {
+    if (name === 'api-key') throw new Error('Missing API key. Run `cowork-trust login --api-url <url>` or pass --api-key.');
+    if (name === 'api-url') throw new Error('Missing API URL. Run `cowork-trust login --api-url <url>` or pass --api-url.');
+    throw new Error(`Missing required option --${name}`);
+  }
+  return value;
+}
+function option(name) {
+  const envName = `COWORK_${name.replaceAll('-', '_').toUpperCase()}`;
+  const configKey = name.replace(/-([a-z])/g, (_, char) => char.toUpperCase());
+  return args[name] || process.env[envName] || readConfig()[configKey];
+}
+function readConfig() {
+  if (configCache) return configCache;
+  const path = configPath();
+  if (!existsSync(path)) {
+    configCache = {};
+    return configCache;
+  }
+  configCache = JSON.parse(readFileSync(path, 'utf8'));
+  return configCache;
+}
+function writeConfig(config) {
+  const path = configPath();
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
+  configCache = config;
+}
+function configPath() {
+  return process.env.COWORK_TRUST_CONFIG || join(homedir(), '.cowork', 'trust', 'config.json');
+}
+function openBrowser(url) {
+  const command = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'cmd' : 'xdg-open';
+  const commandArgs = process.platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  const child = spawn(command, commandArgs, { detached: true, stdio: 'ignore' });
+  child.unref();
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function mask(value) {
+  return `${value.slice(0, 8)}...${value.slice(-4)}`;
+}
+function print(value) {
+  console.log(JSON.stringify(value));
+}
+function printHelp() {
+  console.log(`Usage:
+  cowork-trust login --api-url <url>
+  cowork-trust logout
+  cowork-trust whoami
+  cowork-trust status
+  cowork-trust config get
+  cowork-trust config set api-url <url>
+  cowork-trust keys list
+  cowork-trust keys create --name connector-prod [--environment test|live]
+  cowork-trust keys revoke <key-id>
+  cowork-trust keys rotate <key-id>
+  cowork-trust smoke [--api-url <url>] [--api-key <key>]
+  cowork-trust evaluate --category read --action resource.read --resource record:123
+  cowork-trust score --actor agent-1
+  cowork-trust feedback --evaluation <id> --signal approved`);
+}

package/package.json ADDED Viewed

@@ -0,0 +1,17 @@
+{
+  "name": "@cowork-trust/trust",
+  "version": "0.1.0",
+  "private": false,
+  "type": "module",
+  "bin": {
+    "cowork-trust": "bin/trust.js"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "build": "tsc --noEmit"
+  },
+  "files": [
+    "bin"
+  ]
+}