@id-wispera/core 0.1.0

package/dist/provisioning/providers/google-cloud.js

@@ -0,0 +1,366 @@
+/**
+ * Google Cloud Provisioning Provider
+ * Creates API keys and service account keys via Google Cloud APIs.
+ * Supports OAuth2 client credentials and service account authentication.
+ */
+import { BaseProvisioningProvider } from '../provider.js';
+const GCP_IAM_URL = 'https://iam.googleapis.com/v1';
+const GCP_APIKEYS_URL = 'https://apikeys.googleapis.com/v2';
+const GCP_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+export class GoogleCloudProvider extends BaseProvisioningProvider {
+    provider = 'google-cloud';
+    capabilities = {
+        canCreate: true,
+        canConfigurePermissions: true,
+        canRotate: true,
+        canRevoke: true,
+        canList: true,
+        supportsExpiry: true,
+        supportsScopedKeys: true,
+    };
+    accessToken;
+    async provision(request) {
+        this.ensureInitialized();
+        const config = request.config;
+        if (config.provider !== 'google-cloud') {
+            return {
+                success: false,
+                error: {
+                    code: 'INVALID_CONFIG',
+                    message: `Expected google-cloud config, got ${config.provider}`,
+                },
+            };
+        }
+        try {
+            await this.ensureAccessToken();
+            if (config.keyType === 'api-key') {
+                return await this.createApiKey(request, config);
+            }
+            else {
+                return await this.createServiceAccountKey(request, config);
+            }
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+                success: false,
+                error: {
+                    code: 'PROVISIONING_FAILED',
+                    message: `Google Cloud provisioning failed: ${message}`,
+                },
+            };
+        }
+    }
+    async list() {
+        this.ensureInitialized();
+        await this.ensureAccessToken();
+        // List service account keys (most common use case)
+        // For a comprehensive list, callers should specify a service account
+        const response = await fetch(`${GCP_APIKEYS_URL}/projects/-/locations/global/keys`, {
+            headers: {
+                'Authorization': `Bearer ${this.accessToken}`,
+            },
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            throw new Error(`Failed to list Google Cloud keys: ${response.status} ${errorBody}`);
+        }
+        const data = await response.json();
+        return (data.keys ?? []).map((key) => ({
+            id: key.uid,
+            name: key.displayName ?? key.name,
+            createdAt: new Date(key.createTime),
+            status: 'active',
+        }));
+    }
+    async rotate(existingKeyId, request) {
+        const newCredential = await this.provision(request);
+        return {
+            newCredential,
+            oldKeyId: existingKeyId,
+            recommendedRevocationDelay: 120, // 2 minutes for GCP propagation
+        };
+    }
+    async revoke(keyId) {
+        this.ensureInitialized();
+        try {
+            await this.ensureAccessToken();
+            // Try API key deletion first, fall back to service account key
+            const response = await fetch(`${GCP_APIKEYS_URL}/projects/-/locations/global/keys/${keyId}`, {
+                method: 'DELETE',
+                headers: {
+                    'Authorization': `Bearer ${this.accessToken}`,
+                },
+            });
+            if (!response.ok) {
+                const errorBody = await response.text();
+                return { success: false, error: `Failed to revoke: ${response.status} ${errorBody}` };
+            }
+            return { success: true };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return { success: false, error: message };
+        }
+    }
+    async validateAuth() {
+        this.ensureInitialized();
+        try {
+            await this.ensureAccessToken();
+            return { valid: true };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return { valid: false, error: message };
+        }
+    }
+    async ensureAccessToken() {
+        if (this.accessToken)
+            return;
+        if (this.auth?.type === 'oauth2') {
+            this.accessToken = await this.getOAuth2Token();
+        }
+        else if (this.auth?.type === 'service-account') {
+            this.accessToken = await this.getServiceAccountToken();
+        }
+        else {
+            throw new Error('Google Cloud provider requires oauth2 or service-account authentication');
+        }
+    }
+    async getOAuth2Token() {
+        const auth = this.auth;
+        const response = await fetch(GCP_TOKEN_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: auth.clientId,
+                client_secret: auth.clientSecret,
+                scope: 'https://www.googleapis.com/auth/cloud-platform',
+            }).toString(),
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`Failed to obtain Google Cloud OAuth2 token: ${response.status} ${error}`);
+        }
+        const data = await response.json();
+        return data.access_token;
+    }
+    async getServiceAccountToken() {
+        const auth = this.auth;
+        const keyData = typeof auth.keyFile === 'string' ? JSON.parse(auth.keyFile) : auth.keyFile;
+        const now = Math.floor(Date.now() / 1000);
+        const header = btoa(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
+        const payload = btoa(JSON.stringify({
+            iss: keyData.client_email,
+            scope: 'https://www.googleapis.com/auth/cloud-platform',
+            aud: GCP_TOKEN_URL,
+            iat: now,
+            exp: now + 3600,
+        }));
+        // For service account JWT signing, we use the private key from the key file.
+        // Import the PEM key and sign the JWT.
+        const pemKey = keyData.private_key;
+        const binaryDer = pemToArrayBuffer(pemKey);
+        const cryptoKey = await crypto.subtle.importKey('pkcs8', binaryDer, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['sign']);
+        const signInput = new TextEncoder().encode(`${header}.${payload}`);
+        const signature = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', cryptoKey, signInput);
+        const sig = arrayBufferToBase64Url(signature);
+        const jwt = `${header}.${payload}.${sig}`;
+        const response = await fetch(GCP_TOKEN_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+                assertion: jwt,
+            }).toString(),
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`Failed to obtain Google Cloud service account token: ${response.status} ${error}`);
+        }
+        const data = await response.json();
+        return data.access_token;
+    }
+    async createApiKey(request, config) {
+        const body = {
+            displayName: request.name,
+        };
+        // Add API restrictions if specified
+        if (config.apiTargets || config.allowedIps) {
+            const restrictions = {};
+            if (config.apiTargets) {
+                restrictions.apiTargets = config.apiTargets.map((service) => ({
+                    service,
+                }));
+            }
+            if (config.allowedIps) {
+                restrictions.serverKeyRestrictions = {
+                    allowedIps: config.allowedIps,
+                };
+            }
+            body.restrictions = restrictions;
+        }
+        const url = `${GCP_APIKEYS_URL}/projects/${config.projectId}/locations/global/keys`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${this.accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(body),
+        });
+        if (!response.ok) {
+            const errorBody = await response.json().catch(() => ({}));
+            return {
+                success: false,
+                error: {
+                    code: `GCP_${errorBody.error?.code ?? response.status}`,
+                    message: errorBody.error?.message ?? `HTTP ${response.status}`,
+                    details: errorBody,
+                },
+            };
+        }
+        const data = await response.json();
+        const now = new Date().toISOString();
+        return {
+            success: true,
+            credentialValue: data.keyString,
+            providerKeyId: data.uid,
+            metadata: {
+                resourceName: data.name,
+                projectId: config.projectId,
+                keyType: 'api-key',
+                apiTargets: config.apiTargets,
+                allowedIps: config.allowedIps,
+            },
+            passportInput: {
+                name: request.name,
+                credentialType: 'api-key',
+                credentialValue: data.keyString,
+                visaType: this.mapToVisaType('google-cloud', false),
+                issuingAuthority: 'Google Cloud',
+                platforms: [this.mapToPlatform('google-cloud')],
+                scope: config.apiTargets ?? ['unrestricted'],
+                validFrom: now,
+                humanOwner: request.humanOwner,
+                agentId: request.agentId,
+                delegationChain: request.delegationChain ?? [
+                    {
+                        from: request.humanOwner,
+                        to: request.agentId ?? request.name,
+                        grantedAt: now,
+                        scope: config.apiTargets ?? ['unrestricted'],
+                        notes: `Provisioned via Google Cloud API Keys API (project: ${config.projectId})`,
+                    },
+                ],
+                tags: [...(request.tags ?? []), 'provisioned', 'google-cloud', 'api-key'],
+                notes: request.notes ?? `Google Cloud API key for project ${config.projectId}`,
+            },
+        };
+    }
+    async createServiceAccountKey(request, config) {
+        if (!config.serviceAccountEmail) {
+            return {
+                success: false,
+                error: {
+                    code: 'MISSING_SERVICE_ACCOUNT',
+                    message: 'serviceAccountEmail is required for service-account-key type',
+                },
+            };
+        }
+        const url = `${GCP_IAM_URL}/projects/-/serviceAccounts/${config.serviceAccountEmail}/keys`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${this.accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                privateKeyType: 'TYPE_GOOGLE_CREDENTIALS_FILE',
+                keyAlgorithm: 'KEY_ALG_RSA_2048',
+            }),
+        });
+        if (!response.ok) {
+            const errorBody = await response.json().catch(() => ({}));
+            return {
+                success: false,
+                error: {
+                    code: `GCP_${errorBody.error?.code ?? response.status}`,
+                    message: errorBody.error?.message ?? `HTTP ${response.status}`,
+                    details: errorBody,
+                },
+            };
+        }
+        const data = await response.json();
+        const now = new Date().toISOString();
+        const permissions = request.permissions;
+        const hasElevated = permissions?.roles?.some((r) => r.includes('admin') || r.includes('owner') || r.includes('editor')) ?? false;
+        // The key ID is the last segment of the resource name
+        const keyId = data.name.split('/').pop() ?? data.name;
+        return {
+            success: true,
+            credentialValue: data.privateKeyData,
+            providerKeyId: keyId,
+            metadata: {
+                resourceName: data.name,
+                serviceAccountEmail: config.serviceAccountEmail,
+                projectId: config.projectId,
+                keyType: 'service-account-key',
+                keyAlgorithm: data.keyAlgorithm,
+                validAfterTime: data.validAfterTime,
+                validBeforeTime: data.validBeforeTime,
+            },
+            expiresAt: data.validBeforeTime ? new Date(data.validBeforeTime) : undefined,
+            passportInput: {
+                name: request.name,
+                credentialType: 'secret',
+                credentialValue: data.privateKeyData,
+                visaType: this.mapToVisaType('google-cloud', hasElevated),
+                issuingAuthority: 'Google Cloud',
+                platforms: [this.mapToPlatform('google-cloud')],
+                scope: permissions?.roles ?? ['roles/viewer'],
+                validFrom: data.validAfterTime ?? now,
+                validUntil: data.validBeforeTime,
+                humanOwner: request.humanOwner,
+                agentId: request.agentId,
+                delegationChain: request.delegationChain ?? [
+                    {
+                        from: request.humanOwner,
+                        to: request.agentId ?? request.name,
+                        grantedAt: now,
+                        scope: permissions?.roles ?? ['roles/viewer'],
+                        notes: `Provisioned via Google Cloud IAM API (SA: ${config.serviceAccountEmail})`,
+                    },
+                ],
+                tags: [...(request.tags ?? []), 'provisioned', 'google-cloud', 'service-account-key'],
+                notes: request.notes ?? `Google Cloud service account key for ${config.serviceAccountEmail}`,
+            },
+        };
+    }
+}
+/**
+ * Convert a PEM-encoded key to an ArrayBuffer
+ */
+function pemToArrayBuffer(pem) {
+    const lines = pem.split('\n').filter((line) => !line.startsWith('-----'));
+    const base64 = lines.join('');
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}
+/**
+ * Convert an ArrayBuffer to base64url encoding
+ */
+function arrayBufferToBase64Url(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+//# sourceMappingURL=google-cloud.js.map

package/dist/provisioning/providers/google-cloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google-cloud.js","sourceRoot":"","sources":["../../../src/provisioning/providers/google-cloud.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AA6C1D,MAAM,WAAW,GAAG,+BAA+B,CAAC;AACpD,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAC5D,MAAM,aAAa,GAAG,qCAAqC,CAAC;AAE5D,MAAM,OAAO,mBAAoB,SAAQ,wBAAwB;IACtD,QAAQ,GAAyB,cAAc,CAAC;IAEhD,YAAY,GAAyB;QAC5C,SAAS,EAAE,IAAI;QACf,uBAAuB,EAAE,IAAI;QAC7B,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,IAAI;QACpB,kBAAkB,EAAE,IAAI;KACzB,CAAC;IAEM,WAAW,CAAU;IAE7B,KAAK,CAAC,SAAS,CAAC,OAA4B;QAC1C,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,MAAM,MAAM,GAAG,OAAO,CAAC,MAA2B,CAAC;QACnD,IAAI,MAAM,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;YACvC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,gBAAgB;oBACtB,OAAO,EAAE,qCAAqC,MAAM,CAAC,QAAQ,EAAE;iBAChE;aACF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAE/B,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;gBACjC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAClD,CAAC;iBAAM,CAAC;gBACN,OAAO,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,qCAAqC,OAAO,EAAE;iBACxD;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,mDAAmD;QACnD,qEAAqE;QACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,eAAe,mCAAmC,EAAE;YAClF,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;aAC9C;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA+F,CAAC;QAChI,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,GAAG,CAAC,GAAG;YACX,IAAI,EAAE,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,IAAI;YACjC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YACnC,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,aAAqB,EAAE,OAA4B;QAC9D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAEpD,OAAO;YACL,aAAa;YACb,QAAQ,EAAE,aAAa;YACvB,0BAA0B,EAAE,GAAG,EAAE,gCAAgC;SAClE,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAE/B,+DAA+D;YAC/D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,eAAe,qCAAqC,KAAK,EAAE,EAAE;gBAC3F,MAAM,EAAE,QAAQ;gBAChB,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;iBAC9C;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,EAAE,CAAC;YACxF,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC/B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QACjD,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,iBAAiB,EAAE,CAAC;YACjD,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,sBAAsB,EAAE,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAkE,CAAC;QAErF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,aAAa,EAAE,IAAI,CAAC,YAAY;gBAChC,KAAK,EAAE,gDAAgD;aACxD,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,+CAA+C,QAAQ,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;QAC7F,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA8B,CAAC;QAC/D,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,sBAAsB;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,IAA6D,CAAC;QAChF,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;QAE3F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAClE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YAClC,GAAG,EAAE,OAAO,CAAC,YAAY;YACzB,KAAK,EAAE,gDAAgD;YACvD,GAAG,EAAE,aAAa;YAClB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,IAAI;SAChB,CAAC,CAAC,CAAC;QAEJ,6EAA6E;QAC7E,uCAAuC;QACvC,MAAM,MAAM,GAAG,OAAO,CAAC,WAAqB,CAAC;QAC7C,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,OAAO,EACP,SAAS,EACT,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,MAAM,GAAG,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAE9C,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;QAE1C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,6CAA6C;gBACzD,SAAS,EAAE,GAAG;aACf,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,wDAAwD,QAAQ,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;QACtG,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA8B,CAAC;QAC/D,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,OAA4B,EAC5B,MAAyB;QAEzB,MAAM,IAAI,GAA4B;YACpC,WAAW,EAAE,OAAO,CAAC,IAAI;SAC1B,CAAC;QAEF,oCAAoC;QACpC,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,YAAY,GAA4B,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,YAAY,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAC5D,OAAO;iBACR,CAAC,CAAC,CAAC;YACN,CAAC;YACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,YAAY,CAAC,qBAAqB,GAAG;oBACnC,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACnC,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,eAAe,aAAa,MAAM,CAAC,SAAS,wBAAwB,CAAC;QACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC7C,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAqB,CAAC;YAC9E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,IAAI,QAAQ,CAAC,MAAM,EAAE;oBACvD,OAAO,EAAE,SAAS,CAAC,KAAK,EAAE,OAAO,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE;oBAC9D,OAAO,EAAE,SAAS;iBACnB;aACF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuB,CAAC;QACxD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,OAAO;YACL,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,IAAI,CAAC,SAAS;YAC/B,aAAa,EAAE,IAAI,CAAC,GAAG;YACvB,QAAQ,EAAE;gBACR,YAAY,EAAE,IAAI,CAAC,IAAI;gBACvB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,OAAO,EAAE,SAAS;gBAClB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B;YACD,aAAa,EAAE;gBACb,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,cAAc,EAAE,SAAS;gBACzB,eAAe,EAAE,IAAI,CAAC,SAAS;gBAC/B,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,KAAK,CAAC;gBACnD,gBAAgB,EAAE,cAAc;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;gBAC/C,KAAK,EAAE,MAAM,CAAC,UAAU,IAAI,CAAC,cAAc,CAAC;gBAC5C,SAAS,EAAE,GAAG;gBACd,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI;oBAC1C;wBACE,IAAI,EAAE,OAAO,CAAC,UAAU;wBACxB,EAAE,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI;wBACnC,SAAS,EAAE,GAAG;wBACd,KAAK,EAAE,MAAM,CAAC,UAAU,IAAI,CAAC,cAAc,CAAC;wBAC5C,KAAK,EAAE,uDAAuD,MAAM,CAAC,SAAS,GAAG;qBAClF;iBACF;gBACD,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC;gBACzE,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,oCAAoC,MAAM,CAAC,SAAS,EAAE;aAC/E;SACF,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,uBAAuB,CACnC,OAA4B,EAC5B,MAAyB;QAEzB,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EAAE,8DAA8D;iBACxE;aACF,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,WAAW,+BAA+B,MAAM,CAAC,mBAAmB,OAAO,CAAC;QAC3F,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC7C,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,8BAA8B;gBAC9C,YAAY,EAAE,kBAAkB;aACjC,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAqB,CAAC;YAC9E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,IAAI,QAAQ,CAAC,MAAM,EAAE;oBACvD,OAAO,EAAE,SAAS,CAAC,KAAK,EAAE,OAAO,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE;oBAC9D,OAAO,EAAE,SAAS;iBACnB;aACF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAkC,CAAC;QACnE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAiD,CAAC;QAC9E,MAAM,WAAW,GAAG,WAAW,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACjD,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACnE,IAAI,KAAK,CAAC;QAEX,sDAAsD;QACtD,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC;QAEtD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,IAAI,CAAC,cAAc;YACpC,aAAa,EAAE,KAAK;YACpB,QAAQ,EAAE;gBACR,YAAY,EAAE,IAAI,CAAC,IAAI;gBACvB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,OAAO,EAAE,qBAAqB;gBAC9B,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC;YACD,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS;YAC5E,aAAa,EAAE;gBACb,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,cAAc,EAAE,QAAQ;gBACxB,eAAe,EAAE,IAAI,CAAC,cAAc;gBACpC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,WAAW,CAAC;gBACzD,gBAAgB,EAAE,cAAc;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;gBAC/C,KAAK,EAAE,WAAW,EAAE,KAAK,IAAI,CAAC,cAAc,CAAC;gBAC7C,SAAS,EAAE,IAAI,CAAC,cAAc,IAAI,GAAG;gBACrC,UAAU,EAAE,IAAI,CAAC,eAAe;gBAChC,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI;oBAC1C;wBACE,IAAI,EAAE,OAAO,CAAC,UAAU;wBACxB,EAAE,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI;wBACnC,SAAS,EAAE,GAAG;wBACd,KAAK,EAAE,WAAW,EAAE,KAAK,IAAI,CAAC,cAAc,CAAC;wBAC7C,KAAK,EAAE,6CAA6C,MAAM,CAAC,mBAAmB,GAAG;qBAClF;iBACF;gBACD,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,aAAa,EAAE,cAAc,EAAE,qBAAqB,CAAC;gBACrF,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,wCAAwC,MAAM,CAAC,mBAAmB,EAAE;aAC7F;SACF,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC,MAAqB,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,MAAmB;IACjD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC"}

package/dist/provisioning/providers/openai.d.ts

@@ -0,0 +1,29 @@
+/**
+ * OpenAI Provisioning Provider
+ * Creates API keys via OpenAI's admin API
+ */
+import { BaseProvisioningProvider } from '../provider.js';
+import { ProvisioningProvider, ProviderCapabilities, ProvisioningRequest, ProvisioningResult, RotationResult } from '../types.js';
+export declare class OpenAIProvider extends BaseProvisioningProvider {
+    readonly provider: ProvisioningProvider;
+    readonly capabilities: ProviderCapabilities;
+    provision(request: ProvisioningRequest): Promise<ProvisioningResult>;
+    list(): Promise<Array<{
+        id: string;
+        name: string;
+        createdAt: Date;
+        status: string;
+    }>>;
+    rotate(existingKeyId: string, request: ProvisioningRequest): Promise<RotationResult>;
+    revoke(keyId: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    validateAuth(): Promise<{
+        valid: boolean;
+        error?: string;
+    }>;
+    private createServiceAccountKey;
+    private createAdminKey;
+}
+//# sourceMappingURL=openai.d.ts.map

package/dist/provisioning/providers/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../src/provisioning/providers/openai.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EAEf,MAAM,aAAa,CAAC;AAkDrB,qBAAa,cAAe,SAAQ,wBAAwB;IAC1D,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAY;IAEnD,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAQzC;IAEI,SAAS,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA0CpE,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IA4BrF,MAAM,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC;IAWpF,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IA4BpE,YAAY,IAAI,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;YAyBnD,uBAAuB;YA8EvB,cAAc;CAiE7B"}