npm - @datacules/agent-identity-langchain - Versions diffs - 0.10.0 → 0.11.1 - Mend

@datacules/agent-identity-langchain 0.10.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+1. PERMISSION TO USE
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+2. ATTRIBUTION
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+3. COMMERCIAL USE
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+5. MODIFICATIONS
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+6. COMPATIBILITY
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/index.js ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+/**
+ * LangChain integration for @datacules/agent-identity.
+ *
+ * Provides:
+ *   createAgentIdentityModel()      — wraps ChatOpenAI/ChatAnthropic with credential resolution
+ *   AgentIdentityCallbackHandler    — LangChain callback handler for audit logging
+ *   createAgentIdentityNode()       — LangGraph StateGraph node for credential resolution
+ *
+ * Usage (LangChain):
+ *   const { getModel } = createAgentIdentityModel(ctx, credentials, rules, fetchSecret);
+ *   const model = await getModel();
+ *   const result = await model.invoke([{ role: 'user', content: 'Hello' }]);
+ *
+ * Usage (LangGraph):
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules, logger));
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentIdentityCallbackHandler = void 0;
+exports.createAgentIdentityModel = createAgentIdentityModel;
+exports.createAgentIdentityNode = createAgentIdentityNode;
+const agent_identity_1 = require("@datacules/agent-identity");
+const base_1 = require("@langchain/core/callbacks/base");
+/**
+ * Resolve a credential and return a factory that builds the correct
+ * LangChain chat model with the API key injected server-side.
+ *
+ * The raw secret is fetched via fetchSecret(ref) and passed directly to the
+ * model constructor. It never appears in a log, a response body, or the
+ * browser — the model is built on the server and used there.
+ */
+function createAgentIdentityModel(ctx, options) {
+    const router = (0, agent_identity_1.createRouter)(options.credentials, options.rules, options.logger);
+    const resolved = router.resolve(ctx);
+    if (!resolved)
+        throw new Error(`[agent-identity] No credential resolved for context: ${JSON.stringify(ctx)}`);
+    const getModel = async () => {
+        const apiKey = await options.fetchSecret(resolved.ref);
+        const meta = {
+            agentIdentityCredentialId: resolved.credentialId,
+            agentIdentityResolvedFor: resolved.resolvedFor,
+            traceId: ctx.traceId,
+        };
+        if (ctx.provider === 'openai') {
+            const { ChatOpenAI } = await Promise.resolve(`${'@langchain/openai'}`).then(s => __importStar(require(s)));
+            return new ChatOpenAI({ modelName: ctx.model, openAIApiKey: apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'anthropic') {
+            const { ChatAnthropic } = await Promise.resolve(`${'@langchain/anthropic'}`).then(s => __importStar(require(s)));
+            return new ChatAnthropic({ modelName: ctx.model, anthropicApiKey: apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'gemini') {
+            const { ChatGoogleGenerativeAI } = await Promise.resolve(`${'@langchain/google-genai'}`).then(s => __importStar(require(s)));
+            return new ChatGoogleGenerativeAI({ modelName: ctx.model, apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'mistral') {
+            const { ChatMistralAI } = await Promise.resolve(`${'@langchain/mistralai'}`).then(s => __importStar(require(s)));
+            return new ChatMistralAI({ modelName: ctx.model, apiKey, metadata: meta });
+        }
+        throw new Error(`[agent-identity/langchain] Provider "${ctx.provider}" not yet supported in LangChain adapter.`);
+    };
+    return { resolved, getModel };
+}
+// ─── AgentIdentityCallbackHandler ────────────────────────────────────────────────
+/**
+ * LangChain callback handler that records agent-identity resolution metadata
+ * into each LLM run's metadata. Drop this into any LangChain chain or agent
+ * to get automatic credential tracing without modifying the chain itself.
+ *
+ * Example:
+ *   const handler = new AgentIdentityCallbackHandler(resolved, logger);
+ *   await model.invoke(messages, { callbacks: [handler] });
+ */
+class AgentIdentityCallbackHandler extends base_1.BaseCallbackHandler {
+    constructor(resolved, logger) {
+        super();
+        this.resolved = resolved;
+        this.logger = logger;
+        this.name = 'AgentIdentityCallbackHandler';
+    }
+    async handleLLMStart(_llm, _prompts, runId, _parentRunId, extraParams) {
+        if (extraParams) {
+            extraParams['agentIdentityCredentialId'] = this.resolved.credentialId;
+            extraParams['agentIdentityResolvedFor'] = this.resolved.resolvedFor;
+        }
+        // logger.log() is called by the router at resolve time; no duplicate log here
+        void runId;
+    }
+    async handleLLMEnd(_output, _runId) {
+        // Extension point: log token usage, latency, etc.
+    }
+    async handleLLMError(error, _runId) {
+        console.warn('[agent-identity] LLM error with credential', this.resolved.ref, error.message);
+    }
+}
+exports.AgentIdentityCallbackHandler = AgentIdentityCallbackHandler;
+// ─── createAgentIdentityNode (LangGraph) ────────────────────────────────────────
+/**
+ * Drop-in LangGraph StateGraph node that resolves credentials before any
+ * LLM call in the graph. Attaches resolvedCredential to the state so
+ * downstream nodes can use it without repeating resolution.
+ *
+ * Example:
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules));
+ *   graph.addEdge('resolve-creds', 'llm-call');
+ */
+function createAgentIdentityNode(credentials, rules, logger) {
+    const router = (0, agent_identity_1.createRouter)(credentials, rules, logger);
+    return async (state) => {
+        const ctx = state['agentContext'];
+        if (!ctx)
+            throw new Error('[agent-identity/langchain] state.agentContext is required');
+        const resolved = router.resolve(ctx);
+        if (!resolved)
+            throw new Error(`[agent-identity/langchain] No credential resolved for context: ${JSON.stringify(ctx)}`);
+        return { ...state, resolvedCredential: resolved };
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8CH,4DAqCC;AA2DD,0DAgBC;AA5JD,8DAAyD;AAQzD,yDAAqE;AA4BrE;;;;;;;GAOG;AACH,SAAgB,wBAAwB,CACtC,GAAwB,EACxB,OAAkC;IAElC,MAAM,MAAM,GAAG,IAAA,6BAAY,EAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,wDAAwD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAE9G,MAAM,QAAQ,GAAG,KAAK,IAAsB,EAAE;QAC5C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvD,MAAM,IAAI,GAAG;YACX,yBAAyB,EAAE,QAAQ,CAAC,YAAY;YAChD,wBAAwB,EAAE,QAAQ,CAAC,WAAW;YAC9C,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;QAEF,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,EAAE,UAAU,EAAE,GAAG,yBAAa,mBAA6B,uCAAC,CAAC;YACnE,OAAO,IAAK,UAAkB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,MAAM,EAAE,aAAa,EAAE,GAAG,yBAAa,sBAAgC,uCAAC,CAAC;YACzE,OAAO,IAAK,aAAqB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACvG,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,EAAE,sBAAsB,EAAE,GAAG,yBAAa,yBAAmC,uCAAC,CAAC;YACrF,OAAO,IAAK,sBAA8B,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/F,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,EAAE,aAAa,EAAE,GAAG,yBAAa,sBAAgC,uCAAC,CAAC;YACzE,OAAO,IAAK,aAAqB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,QAAQ,2CAA2C,CAAC,CAAC;IACnH,CAAC,CAAC;IAEF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,oFAAoF;AAEpF;;;;;;;;GAQG;AACH,MAAa,4BAA6B,SAAQ,0BAAmB;IAGnE,YACmB,QAA4B,EAC5B,MAAoB;QAErC,KAAK,EAAE,CAAC;QAHS,aAAQ,GAAR,QAAQ,CAAoB;QAC5B,WAAM,GAAN,MAAM,CAAc;QAJ9B,SAAI,GAAG,8BAA8B,CAAC;IAO/C,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,IAAgB,EAChB,QAAkB,EAClB,KAAa,EACb,YAAqB,EACrB,WAAqC;QAErC,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,2BAA2B,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;YACtE,WAAW,CAAC,0BAA0B,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QACtE,CAAC;QACD,8EAA8E;QAC9E,KAAK,KAAK,CAAC;IACb,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAkB,EAAE,MAAc;QACnD,kDAAkD;IACpD,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,KAAY,EAAE,MAAc;QAC/C,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/F,CAAC;CACF;AAhCD,oEAgCC;AAED,mFAAmF;AAEnF;;;;;;;;;GASG;AACH,SAAgB,uBAAuB,CACrC,WAAyB,EACzB,KAAoB,EACpB,MAAoB;IAEpB,MAAM,MAAM,GAAG,IAAA,6BAAY,EAAC,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAExD,OAAO,KAAK,EAAE,KAA8B,EAAoC,EAAE;QAChF,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,CAAoC,CAAC;QACrE,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAEvF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,kEAAkE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAExH,OAAO,EAAE,GAAG,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC;IACpD,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/index.js ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * LangChain integration for @datacules/agent-identity.
+ *
+ * Provides:
+ *   createAgentIdentityModel()      — wraps ChatOpenAI/ChatAnthropic with credential resolution
+ *   AgentIdentityCallbackHandler    — LangChain callback handler for audit logging
+ *   createAgentIdentityNode()       — LangGraph StateGraph node for credential resolution
+ *
+ * Usage (LangChain):
+ *   const { getModel } = createAgentIdentityModel(ctx, credentials, rules, fetchSecret);
+ *   const model = await getModel();
+ *   const result = await model.invoke([{ role: 'user', content: 'Hello' }]);
+ *
+ * Usage (LangGraph):
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules, logger));
+ */
+import { createRouter } from '@datacules/agent-identity';
+import { BaseCallbackHandler } from '@langchain/core/callbacks/base';
+/**
+ * Resolve a credential and return a factory that builds the correct
+ * LangChain chat model with the API key injected server-side.
+ *
+ * The raw secret is fetched via fetchSecret(ref) and passed directly to the
+ * model constructor. It never appears in a log, a response body, or the
+ * browser — the model is built on the server and used there.
+ */
+export function createAgentIdentityModel(ctx, options) {
+    const router = createRouter(options.credentials, options.rules, options.logger);
+    const resolved = router.resolve(ctx);
+    if (!resolved)
+        throw new Error(`[agent-identity] No credential resolved for context: ${JSON.stringify(ctx)}`);
+    const getModel = async () => {
+        const apiKey = await options.fetchSecret(resolved.ref);
+        const meta = {
+            agentIdentityCredentialId: resolved.credentialId,
+            agentIdentityResolvedFor: resolved.resolvedFor,
+            traceId: ctx.traceId,
+        };
+        if (ctx.provider === 'openai') {
+            const { ChatOpenAI } = await import('@langchain/openai');
+            return new ChatOpenAI({ modelName: ctx.model, openAIApiKey: apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'anthropic') {
+            const { ChatAnthropic } = await import('@langchain/anthropic');
+            return new ChatAnthropic({ modelName: ctx.model, anthropicApiKey: apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'gemini') {
+            const { ChatGoogleGenerativeAI } = await import('@langchain/google-genai');
+            return new ChatGoogleGenerativeAI({ modelName: ctx.model, apiKey, metadata: meta });
+        }
+        if (ctx.provider === 'mistral') {
+            const { ChatMistralAI } = await import('@langchain/mistralai');
+            return new ChatMistralAI({ modelName: ctx.model, apiKey, metadata: meta });
+        }
+        throw new Error(`[agent-identity/langchain] Provider "${ctx.provider}" not yet supported in LangChain adapter.`);
+    };
+    return { resolved, getModel };
+}
+// ─── AgentIdentityCallbackHandler ────────────────────────────────────────────────
+/**
+ * LangChain callback handler that records agent-identity resolution metadata
+ * into each LLM run's metadata. Drop this into any LangChain chain or agent
+ * to get automatic credential tracing without modifying the chain itself.
+ *
+ * Example:
+ *   const handler = new AgentIdentityCallbackHandler(resolved, logger);
+ *   await model.invoke(messages, { callbacks: [handler] });
+ */
+export class AgentIdentityCallbackHandler extends BaseCallbackHandler {
+    constructor(resolved, logger) {
+        super();
+        this.resolved = resolved;
+        this.logger = logger;
+        this.name = 'AgentIdentityCallbackHandler';
+    }
+    async handleLLMStart(_llm, _prompts, runId, _parentRunId, extraParams) {
+        if (extraParams) {
+            extraParams['agentIdentityCredentialId'] = this.resolved.credentialId;
+            extraParams['agentIdentityResolvedFor'] = this.resolved.resolvedFor;
+        }
+        // logger.log() is called by the router at resolve time; no duplicate log here
+        void runId;
+    }
+    async handleLLMEnd(_output, _runId) {
+        // Extension point: log token usage, latency, etc.
+    }
+    async handleLLMError(error, _runId) {
+        console.warn('[agent-identity] LLM error with credential', this.resolved.ref, error.message);
+    }
+}
+// ─── createAgentIdentityNode (LangGraph) ────────────────────────────────────────
+/**
+ * Drop-in LangGraph StateGraph node that resolves credentials before any
+ * LLM call in the graph. Attaches resolvedCredential to the state so
+ * downstream nodes can use it without repeating resolution.
+ *
+ * Example:
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules));
+ *   graph.addEdge('resolve-creds', 'llm-call');
+ */
+export function createAgentIdentityNode(credentials, rules, logger) {
+    const router = createRouter(credentials, rules, logger);
+    return async (state) => {
+        const ctx = state['agentContext'];
+        if (!ctx)
+            throw new Error('[agent-identity/langchain] state.agentContext is required');
+        const resolved = router.resolve(ctx);
+        if (!resolved)
+            throw new Error(`[agent-identity/langchain] No credential resolved for context: ${JSON.stringify(ctx)}`);
+        return { ...state, resolvedCredential: resolved };
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAQzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AA4BrE;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,GAAwB,EACxB,OAAkC;IAElC,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,wDAAwD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAE9G,MAAM,QAAQ,GAAG,KAAK,IAAsB,EAAE;QAC5C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvD,MAAM,IAAI,GAAG;YACX,yBAAyB,EAAE,QAAQ,CAAC,YAAY;YAChD,wBAAwB,EAAE,QAAQ,CAAC,WAAW;YAC9C,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;QAEF,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,mBAA6B,CAAC,CAAC;YACnE,OAAO,IAAK,UAAkB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAgC,CAAC,CAAC;YACzE,OAAO,IAAK,aAAqB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACvG,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAmC,CAAC,CAAC;YACrF,OAAO,IAAK,sBAA8B,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/F,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAgC,CAAC,CAAC;YACzE,OAAO,IAAK,aAAqB,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,QAAQ,2CAA2C,CAAC,CAAC;IACnH,CAAC,CAAC;IAEF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,oFAAoF;AAEpF;;;;;;;;GAQG;AACH,MAAM,OAAO,4BAA6B,SAAQ,mBAAmB;IAGnE,YACmB,QAA4B,EAC5B,MAAoB;QAErC,KAAK,EAAE,CAAC;QAHS,aAAQ,GAAR,QAAQ,CAAoB;QAC5B,WAAM,GAAN,MAAM,CAAc;QAJ9B,SAAI,GAAG,8BAA8B,CAAC;IAO/C,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,IAAgB,EAChB,QAAkB,EAClB,KAAa,EACb,YAAqB,EACrB,WAAqC;QAErC,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,2BAA2B,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;YACtE,WAAW,CAAC,0BAA0B,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QACtE,CAAC;QACD,8EAA8E;QAC9E,KAAK,KAAK,CAAC;IACb,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAkB,EAAE,MAAc;QACnD,kDAAkD;IACpD,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,KAAY,EAAE,MAAc;QAC/C,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/F,CAAC;CACF;AAED,mFAAmF;AAEnF;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CACrC,WAAyB,EACzB,KAAoB,EACpB,MAAoB;IAEpB,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAExD,OAAO,KAAK,EAAE,KAA8B,EAAoC,EAAE;QAChF,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,CAAoC,CAAC;QACrE,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAEvF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,kEAAkE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAExH,OAAO,EAAE,GAAG,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC;IACpD,CAAC,CAAC;AACJ,CAAC"}

package/dist/types/index.d.ts ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * LangChain integration for @datacules/agent-identity.
+ *
+ * Provides:
+ *   createAgentIdentityModel()      — wraps ChatOpenAI/ChatAnthropic with credential resolution
+ *   AgentIdentityCallbackHandler    — LangChain callback handler for audit logging
+ *   createAgentIdentityNode()       — LangGraph StateGraph node for credential resolution
+ *
+ * Usage (LangChain):
+ *   const { getModel } = createAgentIdentityModel(ctx, credentials, rules, fetchSecret);
+ *   const model = await getModel();
+ *   const result = await model.invoke([{ role: 'user', content: 'Hello' }]);
+ *
+ * Usage (LangGraph):
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules, logger));
+ */
+import type { AgentRequestContext, AuditLogger, Credential, ResolvedCredential, RoutingRule } from '@datacules/agent-identity';
+import { BaseCallbackHandler } from '@langchain/core/callbacks/base';
+import type { Serialized } from '@langchain/core/load/serializable';
+import type { LLMResult } from '@langchain/core/outputs';
+export interface AgentIdentityModelOptions {
+    credentials: Credential[];
+    rules: RoutingRule[];
+    /**
+     * Server-side secret fetcher. Receives the credential ref and returns
+     * the raw API key. NEVER call this client-side — use in a server route only.
+     */
+    fetchSecret: (ref: string) => Promise<string>;
+    logger?: AuditLogger;
+}
+export interface AgentIdentityModelResult {
+    /** Resolved credential metadata (safe to log, never contains raw secret) */
+    resolved: ResolvedCredential;
+    /**
+     * Returns the LangChain model instance with the API key injected.
+     * Dynamic import keeps @langchain/openai and @langchain/anthropic as
+     * optional peer deps — only the provider actually used is imported.
+     */
+    getModel: () => Promise<unknown>;
+}
+/**
+ * Resolve a credential and return a factory that builds the correct
+ * LangChain chat model with the API key injected server-side.
+ *
+ * The raw secret is fetched via fetchSecret(ref) and passed directly to the
+ * model constructor. It never appears in a log, a response body, or the
+ * browser — the model is built on the server and used there.
+ */
+export declare function createAgentIdentityModel(ctx: AgentRequestContext, options: AgentIdentityModelOptions): AgentIdentityModelResult;
+/**
+ * LangChain callback handler that records agent-identity resolution metadata
+ * into each LLM run's metadata. Drop this into any LangChain chain or agent
+ * to get automatic credential tracing without modifying the chain itself.
+ *
+ * Example:
+ *   const handler = new AgentIdentityCallbackHandler(resolved, logger);
+ *   await model.invoke(messages, { callbacks: [handler] });
+ */
+export declare class AgentIdentityCallbackHandler extends BaseCallbackHandler {
+    private readonly resolved;
+    private readonly logger?;
+    readonly name = "AgentIdentityCallbackHandler";
+    constructor(resolved: ResolvedCredential, logger?: AuditLogger | undefined);
+    handleLLMStart(_llm: Serialized, _prompts: string[], runId: string, _parentRunId?: string, extraParams?: Record<string, unknown>): Promise<void>;
+    handleLLMEnd(_output: LLMResult, _runId: string): Promise<void>;
+    handleLLMError(error: Error, _runId: string): Promise<void>;
+}
+/**
+ * Drop-in LangGraph StateGraph node that resolves credentials before any
+ * LLM call in the graph. Attaches resolvedCredential to the state so
+ * downstream nodes can use it without repeating resolution.
+ *
+ * Example:
+ *   const graph = new StateGraph(...);
+ *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules));
+ *   graph.addEdge('resolve-creds', 'llm-call');
+ */
+export declare function createAgentIdentityNode(credentials: Credential[], rules: RoutingRule[], logger?: AuditLogger): (state: Record<string, unknown>) => Promise<Record<string, unknown>>;
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,KAAK,EACV,mBAAmB,EACnB,WAAW,EACX,UAAU,EACV,kBAAkB,EAClB,WAAW,EACZ,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAIzD,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB;;;OAGG;IACH,WAAW,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,wBAAwB;IACvC,4EAA4E;IAC5E,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CAClC;AAED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,yBAAyB,GACjC,wBAAwB,CAkC1B;AAID;;;;;;;;GAQG;AACH,qBAAa,4BAA6B,SAAQ,mBAAmB;IAIjE,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAJ1B,QAAQ,CAAC,IAAI,kCAAkC;gBAG5B,QAAQ,EAAE,kBAAkB,EAC5B,MAAM,CAAC,EAAE,WAAW,YAAA;IAKjC,cAAc,CAClB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,EAAE,EAClB,KAAK,EAAE,MAAM,EACb,YAAY,CAAC,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACpC,OAAO,CAAC,IAAI,CAAC;IASV,YAAY,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/D,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGlE;AAID;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,UAAU,EAAE,EACzB,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,CAAC,EAAE,WAAW,IAIN,OAAO,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAShF"}

package/package.json CHANGED Viewed

@@ -1,17 +1,44 @@
 {
   "name": "@datacules/agent-identity-langchain",
-  "version": "0.10.0",
+  "version": "0.11.1",
   "private": false,
   "description": "LangChain and LangGraph integration for @datacules/agent-identity",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/integrations/langchain"
+  },
+  "keywords": [
+    "agent-identity",
+    "langchain",
+    "langgraph",
+    "ai-agents",
+    "credential-routing",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0",
+    "@datacules/agent-identity": "^0.11.1",
     "@langchain/core": ">=0.2.0"
   },
   "peerDependenciesMeta": {

package/src/index.ts DELETED Viewed

@@ -1,175 +0,0 @@
-/**
- * LangChain integration for @datacules/agent-identity.
- *
- * Provides:
- *   createAgentIdentityModel()      — wraps ChatOpenAI/ChatAnthropic with credential resolution
- *   AgentIdentityCallbackHandler    — LangChain callback handler for audit logging
- *   createAgentIdentityNode()       — LangGraph StateGraph node for credential resolution
- *
- * Usage (LangChain):
- *   const { getModel } = createAgentIdentityModel(ctx, credentials, rules, fetchSecret);
- *   const model = await getModel();
- *   const result = await model.invoke([{ role: 'user', content: 'Hello' }]);
- *
- * Usage (LangGraph):
- *   const graph = new StateGraph(...);
- *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules, logger));
- */
-import { createRouter } from '@datacules/agent-identity';
-import type {
-  AgentRequestContext,
-  AuditLogger,
-  Credential,
-  ResolvedCredential,
-  RoutingRule,
-} from '@datacules/agent-identity';
-import { BaseCallbackHandler } from '@langchain/core/callbacks/base';
-import type { Serialized } from '@langchain/core/load/serializable';
-import type { LLMResult } from '@langchain/core/outputs';
-// ─── createAgentIdentityModel ──────────────────────────────────────────────────────
-export interface AgentIdentityModelOptions {
-  credentials: Credential[];
-  rules: RoutingRule[];
-  /**
-   * Server-side secret fetcher. Receives the credential ref and returns
-   * the raw API key. NEVER call this client-side — use in a server route only.
-   */
-  fetchSecret: (ref: string) => Promise<string>;
-  logger?: AuditLogger;
-}
-export interface AgentIdentityModelResult {
-  /** Resolved credential metadata (safe to log, never contains raw secret) */
-  resolved: ResolvedCredential;
-  /**
-   * Returns the LangChain model instance with the API key injected.
-   * Dynamic import keeps @langchain/openai and @langchain/anthropic as
-   * optional peer deps — only the provider actually used is imported.
-   */
-  getModel: () => Promise<unknown>;
-}
-/**
- * Resolve a credential and return a factory that builds the correct
- * LangChain chat model with the API key injected server-side.
- *
- * The raw secret is fetched via fetchSecret(ref) and passed directly to the
- * model constructor. It never appears in a log, a response body, or the
- * browser — the model is built on the server and used there.
- */
-export function createAgentIdentityModel(
-  ctx: AgentRequestContext,
-  options: AgentIdentityModelOptions
-): AgentIdentityModelResult {
-  const router = createRouter(options.credentials, options.rules, options.logger);
-  const resolved = router.resolve(ctx);
-  if (!resolved) throw new Error(`[agent-identity] No credential resolved for context: ${JSON.stringify(ctx)}`);
-  const getModel = async (): Promise<unknown> => {
-    const apiKey = await options.fetchSecret(resolved.ref);
-    const meta = {
-      agentIdentityCredentialId: resolved.credentialId,
-      agentIdentityResolvedFor: resolved.resolvedFor,
-      traceId: ctx.traceId,
-    };
-    if (ctx.provider === 'openai') {
-      const { ChatOpenAI } = await import('@langchain/openai' as string);
-      return new (ChatOpenAI as any)({ modelName: ctx.model, openAIApiKey: apiKey, metadata: meta });
-    }
-    if (ctx.provider === 'anthropic') {
-      const { ChatAnthropic } = await import('@langchain/anthropic' as string);
-      return new (ChatAnthropic as any)({ modelName: ctx.model, anthropicApiKey: apiKey, metadata: meta });
-    }
-    if (ctx.provider === 'gemini') {
-      const { ChatGoogleGenerativeAI } = await import('@langchain/google-genai' as string);
-      return new (ChatGoogleGenerativeAI as any)({ modelName: ctx.model, apiKey, metadata: meta });
-    }
-    if (ctx.provider === 'mistral') {
-      const { ChatMistralAI } = await import('@langchain/mistralai' as string);
-      return new (ChatMistralAI as any)({ modelName: ctx.model, apiKey, metadata: meta });
-    }
-    throw new Error(`[agent-identity/langchain] Provider "${ctx.provider}" not yet supported in LangChain adapter.`);
-  };
-  return { resolved, getModel };
-}
-// ─── AgentIdentityCallbackHandler ────────────────────────────────────────────────
-/**
- * LangChain callback handler that records agent-identity resolution metadata
- * into each LLM run's metadata. Drop this into any LangChain chain or agent
- * to get automatic credential tracing without modifying the chain itself.
- *
- * Example:
- *   const handler = new AgentIdentityCallbackHandler(resolved, logger);
- *   await model.invoke(messages, { callbacks: [handler] });
- */
-export class AgentIdentityCallbackHandler extends BaseCallbackHandler {
-  readonly name = 'AgentIdentityCallbackHandler';
-  constructor(
-    private readonly resolved: ResolvedCredential,
-    private readonly logger?: AuditLogger
-  ) {
-    super();
-  }
-  async handleLLMStart(
-    _llm: Serialized,
-    _prompts: string[],
-    runId: string,
-    _parentRunId?: string,
-    extraParams?: Record<string, unknown>
-  ): Promise<void> {
-    if (extraParams) {
-      extraParams['agentIdentityCredentialId'] = this.resolved.credentialId;
-      extraParams['agentIdentityResolvedFor'] = this.resolved.resolvedFor;
-    }
-    // logger.log() is called by the router at resolve time; no duplicate log here
-    void runId;
-  }
-  async handleLLMEnd(_output: LLMResult, _runId: string): Promise<void> {
-    // Extension point: log token usage, latency, etc.
-  }
-  async handleLLMError(error: Error, _runId: string): Promise<void> {
-    console.warn('[agent-identity] LLM error with credential', this.resolved.ref, error.message);
-  }
-}
-// ─── createAgentIdentityNode (LangGraph) ────────────────────────────────────────
-/**
- * Drop-in LangGraph StateGraph node that resolves credentials before any
- * LLM call in the graph. Attaches resolvedCredential to the state so
- * downstream nodes can use it without repeating resolution.
- *
- * Example:
- *   const graph = new StateGraph(...);
- *   graph.addNode('resolve-creds', createAgentIdentityNode(credentials, rules));
- *   graph.addEdge('resolve-creds', 'llm-call');
- */
-export function createAgentIdentityNode(
-  credentials: Credential[],
-  rules: RoutingRule[],
-  logger?: AuditLogger
-) {
-  const router = createRouter(credentials, rules, logger);
-  return async (state: Record<string, unknown>): Promise<Record<string, unknown>> => {
-    const ctx = state['agentContext'] as AgentRequestContext | undefined;
-    if (!ctx) throw new Error('[agent-identity/langchain] state.agentContext is required');
-    const resolved = router.resolve(ctx);
-    if (!resolved) throw new Error(`[agent-identity/langchain] No credential resolved for context: ${JSON.stringify(ctx)}`);
-    return { ...state, resolvedCredential: resolved };
-  };
-}

package/src/langchain.test.ts DELETED Viewed

@@ -1,179 +0,0 @@
-/**
- * langchain.test.ts
- *
- * Vitest unit tests for @datacules/agent-identity-langchain.
- *
- * Covers createAgentIdentityModel, AgentIdentityCallbackHandler,
- * and createAgentIdentityNode.
- *
- * @langchain/core/callbacks/base is mocked via vi.mock() factory.
- * vi.mock() calls are hoisted to the top of the module by vitest so
- * the mock is in place before the source file is imported. This means
- * the tests work whether or not @langchain/core is installed in the
- * root node_modules.
- */
-import { describe, it, expect, vi } from 'vitest';
-// ─── Mock @langchain/core ─────────────────────────────────────────────────────
-// Must be declared before the import of ./index because vi.mock() is hoisted.
-vi.mock('@langchain/core/callbacks/base', () => ({
-  BaseCallbackHandler: class MockBaseCallbackHandler {
-    name: string = '';
-  },
-}));
-import {
-  createAgentIdentityModel,
-  AgentIdentityCallbackHandler,
-  createAgentIdentityNode,
-} from './index';
-import type { AgentRequestContext, Credential, RoutingRule } from '@datacules/agent-identity';
-// ─── Fixtures ─────────────────────────────────────────────────────────────────
-const credentials: Credential[] = [
-  {
-    id:       'cred-openai',
-    kind:     'fixed',
-    name:     'OpenAI prod',
-    scope:    'openai:all',
-    status:   'active',
-    provider: 'openai',
-    ref:      'openai-prod-slot',
-  },
-];
-const rules: RoutingRule[] = [
-  {
-    id:             'rule-openai',
-    description:    'Route all OpenAI requests',
-    credentialRef:  'openai-prod-slot',
-    credentialKind: 'fixed',
-    priority:       10,
-    matchProvider:  'openai',
-  },
-];
-// Empty rules — no credential will resolve for any context
-const rulesNoMatch: RoutingRule[] = [];
-function makeCtx(overrides: Partial<AgentRequestContext> = {}): AgentRequestContext {
-  return {
-    userId:       'user-alice',
-    resourceId:   'res-001',
-    resourceKind: 'personal',
-    provider:     'openai',
-    model:        'gpt-4o',
-    action:       'read',
-    traceId:      'trace-abc',
-    requestedAt:  new Date().toISOString(),
-    ...overrides,
-  };
-}
-// ─── createAgentIdentityModel ─────────────────────────────────────────────────
-describe('createAgentIdentityModel', () => {
-  it('returns resolved credential metadata', () => {
-    const fetchSecret = vi.fn(async () => 'sk-secret');
-    const result = createAgentIdentityModel(makeCtx(), { credentials, rules, fetchSecret });
-    expect(result.resolved).toBeDefined();
-    expect(result.resolved.ref).toBe('openai-prod-slot');
-  });
-  it('resolved has correct credentialId and resolvedFor', () => {
-    const fetchSecret = vi.fn(async () => 'sk-secret');
-    const { resolved } = createAgentIdentityModel(makeCtx(), { credentials, rules, fetchSecret });
-    expect(resolved.credentialId).toBe('cred-openai');
-    // kind=fixed → resolvedFor is 'service'
-    expect(resolved.resolvedFor).toBe('service');
-  });
-  it('returns a getModel function', () => {
-    const fetchSecret = vi.fn(async () => 'sk-secret');
-    const { getModel } = createAgentIdentityModel(makeCtx(), { credentials, rules, fetchSecret });
-    expect(typeof getModel).toBe('function');
-  });
-  it('throws when no routing rule matches the context', () => {
-    const fetchSecret = vi.fn(async () => 'sk-secret');
-    expect(() =>
-      createAgentIdentityModel(makeCtx(), { credentials, rules: rulesNoMatch, fetchSecret })
-    ).toThrow('[agent-identity] No credential resolved');
-  });
-  it('getModel() calls fetchSecret with the resolved ref then throws for unsupported provider', async () => {
-    const fetchSecret = vi.fn(async () => 'sk-secret');
-    // Use 'local' provider — it matches a rule but has no provider adapter in getModel()
-    const localCredential: Credential = { ...credentials[0], provider: 'local', ref: 'local-slot' };
-    const localRule: RoutingRule = { ...rules[0], credentialRef: 'local-slot', matchProvider: 'local' };
-    const { getModel } = createAgentIdentityModel(
-      makeCtx({ provider: 'local' }),
-      { credentials: [localCredential], rules: [localRule], fetchSecret }
-    );
-    // getModel() calls fetchSecret first, then throws because 'local' is unsupported
-    await expect(getModel()).rejects.toThrow('not yet supported');
-    expect(fetchSecret).toHaveBeenCalledWith('local-slot');
-  });
-});
-// ─── AgentIdentityCallbackHandler ────────────────────────────────────────────
-describe('AgentIdentityCallbackHandler', () => {
-  const resolved = {
-    credentialId: 'cred-openai',
-    kind:         'fixed' as const,
-    ref:          'openai-prod-slot',
-    resolvedFor:  'service',
-  };
-  it('instantiates without errors', () => {
-    expect(() => new AgentIdentityCallbackHandler(resolved)).not.toThrow();
-  });
-  it('handleLLMStart attaches agentIdentity metadata to extraParams', async () => {
-    const handler     = new AgentIdentityCallbackHandler(resolved);
-    const extraParams: Record<string, unknown> = {};
-    // Pass extraParams as the 5th argument; _llm and _prompts are unused
-    await handler.handleLLMStart({} as never, [], 'run-001', undefined, extraParams);
-    expect(extraParams['agentIdentityCredentialId']).toBe('cred-openai');
-    expect(extraParams['agentIdentityResolvedFor']).toBe('service');
-  });
-  it('handleLLMEnd resolves without throwing', async () => {
-    const handler = new AgentIdentityCallbackHandler(resolved);
-    await expect(handler.handleLLMEnd({} as never, 'run-001')).resolves.toBeUndefined();
-  });
-});
-// ─── createAgentIdentityNode ──────────────────────────────────────────────────
-describe('createAgentIdentityNode', () => {
-  it('injects resolvedCredential into state', async () => {
-    const node   = createAgentIdentityNode(credentials, rules);
-    const state  = { agentContext: makeCtx() };
-    const result = await node(state);
-    expect(result.resolvedCredential).toBeDefined();
-    expect((result.resolvedCredential as { ref: string }).ref).toBe('openai-prod-slot');
-  });
-  it('preserves all existing state properties alongside resolvedCredential', async () => {
-    const node   = createAgentIdentityNode(credentials, rules);
-    const state  = { agentContext: makeCtx(), sessionId: 'sess-xyz', count: 42 };
-    const result = await node(state);
-    expect(result.sessionId).toBe('sess-xyz');
-    expect(result.count).toBe(42);
-    expect(result.agentContext).toStrictEqual(state.agentContext);
-  });
-  it('throws when state.agentContext is missing', async () => {
-    const node = createAgentIdentityNode(credentials, rules);
-    await expect(node({ otherField: true })).rejects.toThrow('state.agentContext is required');
-  });
-  it('throws when no credential resolves for the context', async () => {
-    const node  = createAgentIdentityNode(credentials, rulesNoMatch);
-    const state = { agentContext: makeCtx() };
-    await expect(node(state)).rejects.toThrow('No credential resolved');
-  });
-});