@inkbox/sdk 0.1.4 → 0.2.1
- package/README.md +31 -35
- package/dist/_http.d.ts +7 -1
- package/dist/_http.d.ts.map +1 -1
- package/dist/_http.js +13 -1
- package/dist/_http.js.map +1 -1
- package/dist/agent_identity.d.ts +89 -71
- package/dist/agent_identity.d.ts.map +1 -1
- package/dist/agent_identity.js +145 -113
- package/dist/agent_identity.js.map +1 -1
- package/dist/credentials.d.ts +97 -0
- package/dist/credentials.d.ts.map +1 -0
- package/dist/credentials.js +147 -0
- package/dist/credentials.js.map +1 -0
- package/dist/identities/resources/identities.d.ts +1 -16
- package/dist/identities/resources/identities.d.ts.map +1 -1
- package/dist/identities/resources/identities.js +1 -19
- package/dist/identities/resources/identities.js.map +1 -1
- package/dist/identities/types.d.ts +0 -21
- package/dist/identities/types.d.ts.map +1 -1
- package/dist/identities/types.js +0 -11
- package/dist/identities/types.js.map +1 -1
- package/dist/index.d.ts +11 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +7 -1
- package/dist/index.js.map +1 -1
- package/dist/inkbox.d.ts +42 -6
- package/dist/inkbox.d.ts.map +1 -1
- package/dist/inkbox.js +59 -10
- package/dist/inkbox.js.map +1 -1
- package/dist/mail/resources/messages.d.ts +2 -2
- package/dist/mail/resources/messages.d.ts.map +1 -1
- package/dist/mail/resources/messages.js.map +1 -1
- package/dist/mail/types.d.ts +8 -1
- package/dist/mail/types.d.ts.map +1 -1
- package/dist/mail/types.js +8 -0
- package/dist/mail/types.js.map +1 -1
- package/dist/vault/crypto.d.ts +138 -0
- package/dist/vault/crypto.d.ts.map +1 -0
- package/dist/vault/crypto.js +273 -0
- package/dist/vault/crypto.js.map +1 -0
- package/dist/vault/resources/vault.d.ts +183 -0
- package/dist/vault/resources/vault.d.ts.map +1 -0
- package/dist/vault/resources/vault.js +396 -0
- package/dist/vault/resources/vault.js.map +1 -0
- package/dist/vault/totp.d.ts +73 -0
- package/dist/vault/totp.d.ts.map +1 -0
- package/dist/vault/totp.js +230 -0
- package/dist/vault/totp.js.map +1 -0
- package/dist/vault/types.d.ts +239 -0
- package/dist/vault/types.d.ts.map +1 -0
- package/dist/vault/types.js +229 -0
- package/dist/vault/types.js.map +1 -0
- package/package.json +5 -1
- package/dist/authenticator/resources/accounts.d.ts +0 -70
- package/dist/authenticator/resources/accounts.d.ts.map +0 -1
- package/dist/authenticator/resources/accounts.js +0 -91
- package/dist/authenticator/resources/accounts.js.map +0 -1
- package/dist/authenticator/resources/apps.d.ts +0 -38
- package/dist/authenticator/resources/apps.d.ts.map +0 -1
- package/dist/authenticator/resources/apps.js +0 -52
- package/dist/authenticator/resources/apps.js.map +0 -1
- package/dist/authenticator/types.d.ts +0 -83
- package/dist/authenticator/types.d.ts.map +0 -1
- package/dist/authenticator/types.js +0 -43
- package/dist/authenticator/types.js.map +0 -1
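--- a/package/dist/agent_identity.js
+++ b/package/dist/agent_identity.js
@@ -8,19 +8,20 @@
 * identity's assigned channels so callers never need to pass an email
 * address or phone number ID explicitly.
 */
-import {
+import { InkboxError } from "./_http.js";
+import { Credentials } from "./credentials.js";
 export class AgentIdentity {
 _data;
 _inkbox;
 _mailbox;
 _phoneNumber;
-
+_credentials = null;
+_credentialsVaultRef = null; // tracks which _unlocked built the cache
 constructor(data, inkbox) {
 this._data = data;
 this._inkbox = inkbox;
 this._mailbox = data.mailbox;
 this._phoneNumber = data.phoneNumber;
-this._authenticatorApp = data.authenticatorApp;
 }
 // ------------------------------------------------------------------
 // Identity properties
@@ -32,8 +33,134 @@ export class AgentIdentity {
 get mailbox() { return this._mailbox; }
 /** The phone number currently assigned to this identity, or `null` if none. */
 get phoneNumber() { return this._phoneNumber; }
-/**
-
+/**
+* Identity-scoped credential access.
+*
+* Returns a {@link Credentials} object filtered to the secrets this
+* identity has been granted access to. The vault must be unlocked
+* first via `inkbox.vault.unlock(vaultKey)`.
+*
+* The result is cached and automatically invalidated when the
+* vault is re-unlocked. Call {@link refresh} to manually clear
+* the cache (e.g. after access-rule changes).
+*
+* @throws Error if the vault has not been unlocked.
+*/
+async getCredentials() {
+// If the vault was unlocked via constructor vaultKey, wait for it.
+if (this._inkbox._vaultUnlockPromise !== null) {
+await this._inkbox._vaultUnlockPromise;
+}
+const vault = this._inkbox._vaultResource;
+// Invalidate cache if the vault was re-unlocked since we last built it.
+if (this._credentials !== null && vault._unlocked === this._credentialsVaultRef) {
+return this._credentials;
+}
+this._requireVaultUnlocked();
+const unlocked = vault._unlocked;
+// Filter secrets by identity access rules (same logic as
+// VaultResource.unlock with identityId).
+const idStr = this.id;
+const filtered = [];
+for (const secret of unlocked.secrets) {
+const rules = await vault.http.get(`/secrets/${secret.id}/access`);
+if (rules.some((r) => r.identity_id === idStr)) {
+filtered.push(secret);
+}
+}
+this._credentials = new Credentials(filtered);
+this._credentialsVaultRef = unlocked;
+return this._credentials;
+}
+/**
+* Revoke this identity's access to a vault secret.
+*
+* Also clears the credentials cache so the next call to
+* {@link getCredentials} reflects the change.
+*
+* @param secretId - UUID of the secret to revoke access from.
+*/
+async revokeCredentialAccess(secretId) {
+await this._inkbox._vaultResource.revokeAccess(secretId, this.id);
+this._credentials = null;
+}
+// ------------------------------------------------------------------
+// Vault secret management
+// ------------------------------------------------------------------
+/**
+* Create a vault secret and grant this identity access to it.
+*
+* The vault must be unlocked first.
+*
+* @param options.name - Display name (max 255 characters).
+* @param options.payload - The secret payload.
+* @param options.description - Optional description.
+* @returns {@link VaultSecret} metadata.
+*/
+async createSecret(options) {
+this._requireVaultUnlocked();
+const unlocked = this._inkbox._vaultResource._unlocked;
+const secret = await unlocked.createSecret(options);
+await this._inkbox._vaultResource.grantAccess(secret.id, this.id);
+this._credentials = null;
+return secret;
+}
+/**
+* Fetch and decrypt a vault secret this identity has access to.
+*
+* @param secretId - UUID of the secret.
+*/
+async getSecret(secretId) {
+this._requireVaultUnlocked();
+return this._inkbox._vaultResource._unlocked.getSecret(secretId);
+}
+/**
+* Add or replace TOTP on a login secret this identity has access to.
+*
+* @param secretId - UUID of the login secret.
+* @param totp - A {@link TOTPConfig} or an `otpauth://totp/...` URI string.
+* @returns Updated {@link VaultSecret} metadata.
+*/
+async setTotp(secretId, totp) {
+this._requireVaultUnlocked();
+const result = await this._inkbox._vaultResource._unlocked.setTotp(secretId, totp);
+this._credentials = null;
+return result;
+}
+/**
+* Remove TOTP from a login secret this identity has access to.
+*
+* @param secretId - UUID of the login secret.
+* @returns Updated {@link VaultSecret} metadata.
+*/
+async removeTotp(secretId) {
+this._requireVaultUnlocked();
+const result = await this._inkbox._vaultResource._unlocked.removeTotp(secretId);
+this._credentials = null;
+return result;
+}
+/**
+* Generate the current TOTP code for a login secret.
+*
+* Uses cached credentials if available, otherwise fetches fresh.
+*
+* @param secretId - UUID of the login secret.
+* @returns A {@link TOTPCode}.
+*/
+async getTotpCode(secretId) {
+this._requireVaultUnlocked();
+return this._inkbox._vaultResource._unlocked.getTotpCode(secretId);
+}
+/**
+* Delete a vault secret.
+*
+* @param secretId - UUID of the secret to delete.
+*/
+async deleteSecret(secretId) {
+this._requireVaultUnlocked();
+await this._inkbox._vaultResource._unlocked.deleteSecret(secretId);
+this._credentials = null;
+}
 // ------------------------------------------------------------------
 // Channel management
 // ------------------------------------------------------------------
@@ -119,46 +246,6 @@ export class AgentIdentity {
 await this._inkbox._idsResource.unlinkPhoneNumber(this.agentHandle);
 this._phoneNumber = null;
 }
-/**
-* Create a new authenticator app and link it to this identity.
-*
-* @returns The newly created {@link AuthenticatorApp}.
-*/
-async createAuthenticatorApp() {
-const app = await this._inkbox._authApps.create({ agentHandle: this.agentHandle });
-this._authenticatorApp = {
-id: app.id,
-organizationId: app.organizationId,
-identityId: app.identityId,
-status: app.status,
-createdAt: app.createdAt,
-updatedAt: app.updatedAt,
-};
-return app;
-}
-/**
-* Link an existing authenticator app to this identity.
-*
-* @param authenticatorAppId - UUID of the authenticator app to link. Obtain via
-* `inkbox.authenticatorApps.list()` or `inkbox.authenticatorApps.get()`.
-* @returns The linked {@link IdentityAuthenticatorApp}.
-*/
-async assignAuthenticatorApp(authenticatorAppId) {
-const data = await this._inkbox._idsResource.assignAuthenticatorApp(this.agentHandle, {
-authenticatorAppId,
-});
-this._authenticatorApp = data.authenticatorApp;
-this._data = data;
-return this._authenticatorApp;
-}
-/**
-* Unlink this identity's authenticator app (does not delete the app).
-*/
-async unlinkAuthenticatorApp() {
-this._requireAuthenticatorApp();
-await this._inkbox._idsResource.unlinkAuthenticatorApp(this.agentHandle);
-this._authenticatorApp = null;
-}
 // ------------------------------------------------------------------
 // Mail helpers
 // ------------------------------------------------------------------
@@ -272,64 +359,6 @@ export class AgentIdentity {
 return this._inkbox._transcripts.list(this._phoneNumber.id, callId);
 }
 // ------------------------------------------------------------------
-// Authenticator helpers
-// ------------------------------------------------------------------
-/**
-* Create a new authenticator account from an `otpauth://` URI.
-*
-* @param options.otpauthUri - `otpauth://totp/...` or `otpauth://hotp/...` URI.
-* @param options.displayName - Optional user-managed label (max 255 characters).
-* @param options.description - Optional free-form notes.
-*/
-async createAuthenticatorAccount(options) {
-this._requireAuthenticatorApp();
-return this._inkbox._authAccounts.create(this._authenticatorApp.id, options);
-}
-/** List all authenticator accounts in this identity's app. */
-async listAuthenticatorAccounts() {
-this._requireAuthenticatorApp();
-return this._inkbox._authAccounts.list(this._authenticatorApp.id);
-}
-/**
-* Get a single authenticator account by ID.
-*
-* @param accountId - UUID of the authenticator account.
-*/
-async getAuthenticatorAccount(accountId) {
-this._requireAuthenticatorApp();
-return this._inkbox._authAccounts.get(this._authenticatorApp.id, accountId);
-}
-/**
-* Update user-managed metadata on an authenticator account.
-*
-* @param accountId - UUID of the authenticator account to update.
-* @param options.displayName - New label (max 255 characters).
-* @param options.description - New notes.
-*/
-async updateAuthenticatorAccount(accountId, options) {
-this._requireAuthenticatorApp();
-return this._inkbox._authAccounts.update(this._authenticatorApp.id, accountId, options);
-}
-/**
-* Soft-delete an authenticator account.
-*
-* @param accountId - UUID of the authenticator account to delete.
-*/
-async deleteAuthenticatorAccount(accountId) {
-this._requireAuthenticatorApp();
-await this._inkbox._authAccounts.delete(this._authenticatorApp.id, accountId);
-}
-/**
-* Generate the current OTP code for an authenticator account.
-*
-* @param accountId - UUID of the authenticator account.
-* @returns The generated OTP code with metadata.
-*/
-async generateOtp(accountId) {
-this._requireAuthenticatorApp();
-return this._inkbox._authAccounts.generateOtp(this._authenticatorApp.id, accountId);
-}
-// ------------------------------------------------------------------
 // Identity management
 // ------------------------------------------------------------------
 /**
@@ -344,12 +373,15 @@ export class AgentIdentity {
 ...result,
 mailbox: this._mailbox,
 phoneNumber: this._phoneNumber,
-authenticatorApp: this._authenticatorApp,
 };
 }
 /**
 * Re-fetch this identity from the API and update cached channels.
 *
+* Also clears the credentials filter cache so the next call to
+* {@link getCredentials} re-evaluates access rules. (The cache is
+* also automatically invalidated when the vault is re-unlocked.)
+*
 * @returns `this` for chaining.
 */
 async refresh() {
@@ -357,29 +389,29 @@ export class AgentIdentity {
 this._data = data;
 this._mailbox = data.mailbox;
 this._phoneNumber = data.phoneNumber;
-this.
+this._credentials = null;
 return this;
 }
-/**
+/** Delete this identity (unlinks channels without deleting them). */
 async delete() {
 await this._inkbox._idsResource.delete(this.agentHandle);
 }
 // ------------------------------------------------------------------
 // Internal guards
 // ------------------------------------------------------------------
+_requireVaultUnlocked() {
+if (this._inkbox._vaultResource._unlocked === null) {
+throw new InkboxError("Vault must be unlocked before accessing credentials. Call inkbox.vault.unlock(vaultKey) first.");
+}
+}
 _requireMailbox() {
 if (!this._mailbox) {
-throw new
+throw new InkboxError(`Identity '${this.agentHandle}' has no mailbox assigned. Call identity.createMailbox() or identity.assignMailbox() first.`);
 }
 }
 _requirePhone() {
 if (!this._phoneNumber) {
-throw new
-}
-}
-_requireAuthenticatorApp() {
-if (!this._authenticatorApp) {
-throw new InkboxAPIError(0, `Identity '${this.agentHandle}' has no authenticator app assigned. Call identity.createAuthenticatorApp() or identity.assignAuthenticatorApp() first.`);
+throw new InkboxError(`Identity '${this.agentHandle}' has no phone number assigned. Call identity.provisionPhoneNumber() or identity.assignPhoneNumber() first.`);
 }
 }
 }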
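Review bot: The identity-level `getSecret`, `setTotp`, `removeTotp`, `getTotpCode` and `deleteSecret` added in the second hunk pass `secretId` straight to `this._inkbox._vaultResource._unlocked` and never consult this identity's access rules, although their doc comments say "a secret this identity has access to"; only `getCredentials` applies the `/secrets/${secret.id}/access` filter. Unless the unlocked vault object or the server enforces that scope (neither is visible on this page), any secret in the unlocked vault can be read or modified through any `AgentIdentity` instance. Routing the read paths through the filtered set would match the documentation, e.g. `return (await this.getCredentials()).get(secretId);` in `getSecret` and `return (await this.getCredentials()).getTotpCode(secretId);` in `getTotpCode`, which would also make the "Uses cached credentials if available" comment true. The mutating methods need an equivalent membership check before they delegate, and the doc comment on `deleteSecret` should say whether access is required at all.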
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent_identity.js","sourceRoot":"","sources":["../src/agent_identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,
|
|
1
|
+
{"version":3,"file":"agent_identity.js","sourceRoot":"","sources":["../src/agent_identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAkB,WAAW,EAAE,MAAM,YAAY,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAc/C,MAAM,OAAO,aAAa;IAChB,KAAK,CAAqB;IACjB,OAAO,CAAS;IACzB,QAAQ,CAAyB;IACjC,YAAY,CAA6B;IACzC,YAAY,GAAuB,IAAI,CAAC;IACxC,oBAAoB,GAAkB,IAAI,CAAC,CAAC,yCAAyC;IAE7F,YAAY,IAAwB,EAAE,MAAc;QAClD,IAAI,CAAC,KAAK,GAAgB,IAAI,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAc,MAAM,CAAC;QACjC,IAAI,CAAC,QAAQ,GAAa,IAAI,CAAC,OAAO,CAAC;QACvC,IAAI,CAAC,YAAY,GAAS,IAAI,CAAC,WAAW,CAAC;IAC7C,CAAC;IAED,qEAAqE;IACrE,sBAAsB;IACtB,qEAAqE;IAErE,IAAI,WAAW,KAAa,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5D,IAAI,EAAE,KAAuB,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IACpD,IAAI,MAAM,KAAmB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAExD,0EAA0E;IAC1E,IAAI,OAAO,KAA6B,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE/D,+EAA+E;IAC/E,IAAI,WAAW,KAAiC,OAAO,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IAE3E;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,cAAc;QAClB,mEAAmE;QACnE,IAAI,IAAI,CAAC,OAAO,CAAC,mBAAmB,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC;QACzC,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC1C,wEAAwE;QACxE,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,IAAI,KAAK,CAAC,SAAS,KAAK,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAChF,OAAO,IAAI,CAAC,YAAY,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAU,CAAC;QAClC,yDAAyD;QACzD,yCAAyC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAEhC,YAAY,MAAM,CAAC,EAAE,SAAS,CAAC,CAAC;YAClC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,KAAK,CAAC,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,oBAAoB,GAAG,QAAQ,CAAC;QACrC,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,sBAAsB,CAAC,QAAgB;QAC3C,MAAM,IAAI,CAAC,OAAO,
CAAC,cAAc,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IAC3B,CAAC;IAED,qEAAqE;IACrE,0BAA0B;IAC1B,qEAAqE;IAErE;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAAC,OAIlB;QACC,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,IAAyB;QACvD,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACpF,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB;QAC/B,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACjF,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACtE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAU,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IAC3B,CAAC;IAED,qEAAqE;IACrE,qBAAqB;IACrB,qEAAqE;IAErE;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,UAAoC,EAAE;QACxD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,GAAG,OAAO;SACX,CAAC,CAAC;QACH,MAAM,MAAM,GAAoB;YAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,M
AAM,CAAC;QACvB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,GAAM,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,EAAE;YAC9E,SAAS;SACV,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,GAAI,IAAI,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,KAAK,GAAO,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC,QAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,oBAAoB,CACxB,UAA6C,EAAE;QAE/C,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC;QACrC,IAAI,CAAC,KAAK,GAAU,IAAI,CAAC;QACzB,OAAO,IAAI,CAAC,YAAa,CAAC;IAC5B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CAAC,aAAqB;QAC3C,MAAM,IAAI,GAAK,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,iBAAiB,CAAC,IAAI,CAAC,WAAW,EAAE;YACjF,aAAa;SACd,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC;QACrC,IAAI,CAAC,KAAK,GAAU,IAAI,CAAC;QACzB,OAAO,IAAI,CAAC,YAAa,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,iBAAiB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;IAC3B,CAAC;IAED,qEAAqE;IACrE,eAAe;IACf,qEAAqE;IAErE;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,SAAS,CAAC,OASf;QACC,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC;IAED;;;;;;;OAOG;IACH,UAAU,CAAC,UAA+D,EAAE;QAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,CAAC,gBAAgB,CAAC,UAA+D,EAAE;QACvF,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;QAC7B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,
cAAc,CAAC,UAAoB;QACvC,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAS,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC1E,CAAC;IAED,qEAAqE;IACrE,gBAAgB;IAChB,qEAAqE;IAErE;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,OAGf;QACC,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;YAC/B,UAAU,EAAW,IAAI,CAAC,YAAa,CAAC,MAAM;YAC9C,QAAQ,EAAa,OAAO,CAAC,QAAQ;YACrC,kBAAkB,EAAG,OAAO,CAAC,kBAAkB;SAChD,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,UAA+C,EAAE;QAC/D,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAa,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAClE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,YAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACvE,CAAC;IAED,qEAAqE;IACrE,sBAAsB;IACtB,qEAAqE;IAErE;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,OAAgD;QAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACjF,IAAI,CAAC,KAAK,GAAG;YACX,GAAG,MAAM;YACT,OAAO,EAAW,IAAI,CAAC,QAAQ;YAC/B,WAAW,EAAO,IAAI,CAAC,YAAY;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,GAAe,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/E,IAAI,CAAC,KAAK,GAAe,IAAI,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAY,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,YAAY,GAAQ,IAAI,CAAC,WAAW,CAAC;QAC1C,IAAI,CAAC,YAAY,GAAQ,IAAI,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC3D,CAAC;IAED,qEAAqE;IA
CrE,kBAAkB;IAClB,qEAAqE;IAE7D,qBAAqB;QAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YACnD,MAAM,IAAI,WAAW,CACnB,gGAAgG,CACjG,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,eAAe;QACrB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,WAAW,CACnB,aAAa,IAAI,CAAC,WAAW,6FAA6F,CAC3H,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,aAAa;QACnB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,WAAW,CACnB,aAAa,IAAI,CAAC,WAAW,6GAA6G,CAC3I,CAAC;QACJ,CAAC;IACH,CAAC;CAEF"}
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* inkbox/src/credentials.ts
|
|
3
|
+
*
|
|
4
|
+
* Credentials — agent-facing credential access, typed and identity-scoped.
|
|
5
|
+
*
|
|
6
|
+
* This is the *runtime* surface for agents that need their credentials.
|
|
7
|
+
* The vault remains the *admin* surface for creating secrets, managing
|
|
8
|
+
* keys, and configuring access rules.
|
|
9
|
+
*/
|
|
10
|
+
import type { TOTPCode } from "./vault/totp.js";
|
|
11
|
+
import type { APIKeyPayload, DecryptedVaultSecret, KeyPairPayload, LoginPayload, SSHKeyPayload } from "./vault/types.js";
|
|
12
|
+
/**
|
|
13
|
+
* Agent-facing credential access — typed, identity-scoped.
|
|
14
|
+
*
|
|
15
|
+
* Wraps a pre-filtered list of {@link DecryptedVaultSecret} objects and
|
|
16
|
+
* provides typed accessors so agents can retrieve credentials without
|
|
17
|
+
* dealing with vault internals.
|
|
18
|
+
*
|
|
19
|
+
* Obtain via {@link AgentIdentity.getCredentials} after unlocking the vault:
|
|
20
|
+
*
|
|
21
|
+
* ```ts
|
|
22
|
+
* await inkbox.vault.unlock("my-Vault-key-01!");
|
|
23
|
+
* const identity = await inkbox.getIdentity("support-bot");
|
|
24
|
+
*
|
|
25
|
+
* const creds = await identity.getCredentials();
|
|
26
|
+
* const logins = creds.listLogins();
|
|
27
|
+
* const apiKey = creds.getApiKey("cccc3333-...");
|
|
28
|
+
* ```
|
|
29
|
+
*/
|
|
30
|
+
export declare class Credentials {
|
|
31
|
+
private readonly _secrets;
|
|
32
|
+
private readonly _byId;
|
|
33
|
+
constructor(secrets: DecryptedVaultSecret[]);
|
|
34
|
+
/** List all credentials this identity has access to. */
|
|
35
|
+
list(): DecryptedVaultSecret[];
|
|
36
|
+
/** List login credentials (username/password). */
|
|
37
|
+
listLogins(): DecryptedVaultSecret[];
|
|
38
|
+
/** List API key credentials. */
|
|
39
|
+
listApiKeys(): DecryptedVaultSecret[];
|
|
40
|
+
/** List key pair credentials (access key + secret key). */
|
|
41
|
+
listKeyPairs(): DecryptedVaultSecret[];
|
|
42
|
+
/** List SSH key credentials. */
|
|
43
|
+
listSshKeys(): DecryptedVaultSecret[];
|
|
44
|
+
/**
|
|
45
|
+
* Get any credential by UUID.
|
|
46
|
+
*
|
|
47
|
+
* @param secretId - UUID of the secret.
|
|
48
|
+
* @throws Error if no credential with this UUID is accessible.
|
|
49
|
+
*/
|
|
50
|
+
get(secretId: string): DecryptedVaultSecret;
|
|
51
|
+
/**
|
|
52
|
+
* Get a login credential's payload by UUID.
|
|
53
|
+
*
|
|
54
|
+
* @param secretId - UUID of the secret.
|
|
55
|
+
* @throws Error if not found.
|
|
56
|
+
* @throws TypeError if the credential is not a login type.
|
|
57
|
+
*/
|
|
58
|
+
getLogin(secretId: string): LoginPayload;
|
|
59
|
+
/**
|
|
60
|
+
* Get an API key credential's payload by UUID.
|
|
61
|
+
*
|
|
62
|
+
* @param secretId - UUID of the secret.
|
|
63
|
+
* @throws Error if not found.
|
|
64
|
+
* @throws TypeError if the credential is not an api_key type.
|
|
65
|
+
*/
|
|
66
|
+
getApiKey(secretId: string): APIKeyPayload;
|
|
67
|
+
/**
|
|
68
|
+
* Get a key pair credential's payload by UUID.
|
|
69
|
+
*
|
|
70
|
+
* @param secretId - UUID of the secret.
|
|
71
|
+
* @throws Error if not found.
|
|
72
|
+
* @throws TypeError if the credential is not a key_pair type.
|
|
73
|
+
*/
|
|
74
|
+
getKeyPair(secretId: string): KeyPairPayload;
|
|
75
|
+
/**
|
|
76
|
+
* Get an SSH key credential's payload by UUID.
|
|
77
|
+
*
|
|
78
|
+
* @param secretId - UUID of the secret.
|
|
79
|
+
* @throws Error if not found.
|
|
80
|
+
* @throws TypeError if the credential is not an ssh_key type.
|
|
81
|
+
*/
|
|
82
|
+
getSshKey(secretId: string): SSHKeyPayload;
|
|
83
|
+
private _getTyped;
|
|
84
|
+
/**
|
|
85
|
+
* Generate the current TOTP code for a login credential.
|
|
86
|
+
*
|
|
87
|
+
* @param secretId - UUID of the login secret.
|
|
88
|
+
* @returns A {@link TOTPCode}.
|
|
89
|
+
* @throws Error if not found.
|
|
90
|
+
* @throws TypeError if the credential is not a login type.
|
|
91
|
+
* @throws Error if the login has no TOTP configured.
|
|
92
|
+
*/
|
|
93
|
+
getTotpCode(secretId: string): TOTPCode;
|
|
94
|
+
/** Number of credentials accessible to this identity. */
|
|
95
|
+
get length(): number;
|
|
96
|
+
}
|
|
97
|
+
//# sourceMappingURL=credentials.d.ts.map
|
|
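Review bot: The class doc example unlocks the vault with an inline string literal, `await inkbox.vault.unlock("my-Vault-key-01!")`, and examples like this tend to be copied into agent code with the key left in source. I would show the key arriving from configuration instead, e.g. `await inkbox.vault.unlock(process.env.VAULT_KEY_PLACEHOLDER);` (placeholder variable name), and add one sentence to the class comment stating that the accessors return decrypted payloads held by the `Credentials` object for as long as it is referenced. The same comment block is repeated at the top of the credentials.js section that follows.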
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAEhD,OAAO,KAAK,EACV,aAAa,EACb,oBAAoB,EACpB,cAAc,EACd,YAAY,EACZ,aAAa,EACd,MAAM,kBAAkB,CAAC;AAG1B;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAyB;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoC;gBAE9C,OAAO,EAAE,oBAAoB,EAAE;IAS3C,wDAAwD;IACxD,IAAI,IAAI,oBAAoB,EAAE;IAI9B,kDAAkD;IAClD,UAAU,IAAI,oBAAoB,EAAE;IAIpC,gCAAgC;IAChC,WAAW,IAAI,oBAAoB,EAAE;IAIrC,2DAA2D;IAC3D,YAAY,IAAI,oBAAoB,EAAE;IAItC,gCAAgC;IAChC,WAAW,IAAI,oBAAoB,EAAE;IAQrC;;;;;OAKG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,oBAAoB;IAU3C;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAIxC;;;;;;OAMG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IAI1C;;;;;;OAMG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc;IAI5C;;;;;;OAMG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IAQ1C,OAAO,CAAC,SAAS;IAUjB;;;;;;;;OAQG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ;IAQvC,yDAAyD;IACzD,IAAI,MAAM,IAAI,MAAM,CAEnB;CACF"}
|
|
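--- a/package/dist/credentials.js
+++ b/package/dist/credentials.js
@@ -0,0 +1,147 @@
+/**
+* inkbox/src/credentials.ts
+*
+* Credentials — agent-facing credential access, typed and identity-scoped.
+*
+* This is the *runtime* surface for agents that need their credentials.
+* The vault remains the *admin* surface for creating secrets, managing
+* keys, and configuring access rules.
+*/
+import { generateTotp } from "./vault/totp.js";
+import { VaultSecretType } from "./vault/types.js";
+/**
+* Agent-facing credential access — typed, identity-scoped.
+*
+* Wraps a pre-filtered list of {@link DecryptedVaultSecret} objects and
+* provides typed accessors so agents can retrieve credentials without
+* dealing with vault internals.
+*
+* Obtain via {@link AgentIdentity.getCredentials} after unlocking the vault:
+*
+* ```ts
+* await inkbox.vault.unlock("my-Vault-key-01!");
+* const identity = await inkbox.getIdentity("support-bot");
+*
+* const creds = await identity.getCredentials();
+* const logins = creds.listLogins();
+* const apiKey = creds.getApiKey("cccc3333-...");
+* ```
+*/
+export class Credentials {
+_secrets;
+_byId;
+constructor(secrets) {
+this._secrets = secrets;
+this._byId = new Map(secrets.map((s) => [s.id, s]));
+}
+// ------------------------------------------------------------------
+// Discovery — return full DecryptedVaultSecret for name/metadata
+// ------------------------------------------------------------------
+/** List all credentials this identity has access to. */
+list() {
+return [...this._secrets];
+}
+/** List login credentials (username/password). */
+listLogins() {
+return this._secrets.filter((s) => s.secretType === VaultSecretType.LOGIN);
+}
+/** List API key credentials. */
+listApiKeys() {
+return this._secrets.filter((s) => s.secretType === VaultSecretType.API_KEY);
+}
+/** List key pair credentials (access key + secret key). */
+listKeyPairs() {
+return this._secrets.filter((s) => s.secretType === VaultSecretType.KEY_PAIR);
+}
+/** List SSH key credentials. */
+listSshKeys() {
+return this._secrets.filter((s) => s.secretType === VaultSecretType.SSH_KEY);
+}
+// ------------------------------------------------------------------
+// Access by UUID — return typed payload directly
+// ------------------------------------------------------------------
+/**
+* Get any credential by UUID.
+*
+* @param secretId - UUID of the secret.
+* @throws Error if no credential with this UUID is accessible.
+*/
+get(secretId) {
+const secret = this._byId.get(secretId);
+if (!secret) {
+throw new Error(`No credential with id '${secretId}' is accessible to this identity`);
+}
+return secret;
+}
+/**
+* Get a login credential's payload by UUID.
+*
+* @param secretId - UUID of the secret.
+* @throws Error if not found.
+* @throws TypeError if the credential is not a login type.
+*/
+getLogin(secretId) {
+return this._getTyped(secretId, VaultSecretType.LOGIN);
+}
+/**
+* Get an API key credential's payload by UUID.
+*
+* @param secretId - UUID of the secret.
+* @throws Error if not found.
+* @throws TypeError if the credential is not an api_key type.
+*/
+getApiKey(secretId) {
+return this._getTyped(secretId, VaultSecretType.API_KEY);
+}
+/**
+* Get a key pair credential's payload by UUID.
+*
+* @param secretId - UUID of the secret.
+* @throws Error if not found.
+* @throws TypeError if the credential is not a key_pair type.
+*/
+getKeyPair(secretId) {
+return this._getTyped(secretId, VaultSecretType.KEY_PAIR);
+}
+/**
+* Get an SSH key credential's payload by UUID.
+*
+* @param secretId - UUID of the secret.
+* @throws Error if not found.
+* @throws TypeError if the credential is not an ssh_key type.
+*/
+getSshKey(secretId) {
+return this._getTyped(secretId, VaultSecretType.SSH_KEY);
+}
+// ------------------------------------------------------------------
+// Internal
+// ------------------------------------------------------------------
+_getTyped(secretId, expectedType) {
+const secret = this.get(secretId);
+if (secret.secretType !== expectedType) {
+throw new TypeError(`Credential '${secretId}' is a '${secret.secretType}' secret, not '${expectedType}'`);
+}
+return secret.payload;
+}
+/**
+* Generate the current TOTP code for a login credential.
+*
+* @param secretId - UUID of the login secret.
+* @returns A {@link TOTPCode}.
+* @throws Error if not found.
+* @throws TypeError if the credential is not a login type.
+* @throws Error if the login has no TOTP configured.
+*/
+getTotpCode(secretId) {
+const payload = this.getLogin(secretId);
+if (!payload.totp) {
+throw new Error(`Login '${secretId}' has no TOTP configured`);
+}
+return generateTotp(payload.totp);
+}
+/** Number of credentials accessible to this identity. */
+get length() {
+return this._secrets.length;
+}
+}
+//# sourceMappingURL=credentials.js.map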
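Review bot: The decrypted secrets sit in ordinary enumerable instance fields (`_secrets;` and `_byId;`, assigned in the constructor at lines 33–36 of the new file), so `JSON.stringify(creds)` or any logger or error reporter that serializes a `Credentials` object will write every plaintext payload into its output. If these are declared `private` in `src/credentials.ts`, that modifier is erased at compile time and gives no runtime protection, as the emitted class here shows. Declaring them as `#secrets` and `#byId` in the source would keep them out of `JSON.stringify` and property enumeration, and a `toJSON() { return { length: this.length }; }` method would make accidental serialization harmless. The class doc comment should also state that the object holds plaintext credentials for its whole lifetime and should not be cached, logged or passed across trust boundaries.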
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAQ/C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,WAAW;IACL,QAAQ,CAAyB;IACjC,KAAK,CAAoC;IAE1D,YAAY,OAA+B;QACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,qEAAqE;IAErE,wDAAwD;IACxD,IAAI;QACF,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,kDAAkD;IAClD,UAAU;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,eAAe,CAAC,KAAK,CAAC,CAAC;IAC7E,CAAC;IAED,gCAAgC;IAChC,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,eAAe,CAAC,OAAO,CAAC,CAAC;IAC/E,CAAC;IAED,2DAA2D;IAC3D,YAAY;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,eAAe,CAAC,QAAQ,CAAC,CAAC;IAChF,CAAC;IAED,gCAAgC;IAChC,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,eAAe,CAAC,OAAO,CAAC,CAAC;IAC/E,CAAC;IAED,qEAAqE;IACrE,iDAAiD;IACjD,qEAAqE;IAErE;;;;;OAKG;IACH,GAAG,CAAC,QAAgB;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,0BAA0B,QAAQ,kCAAkC,CACrE,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,QAAQ,CAAC,QAAgB;QACvB,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAiB,CAAC;IACzE,CAAC;IAED;;;;;;OAMG;IACH,SAAS,CAAC,QAAgB;QACxB,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,OAAO,CAAkB,CAAC;IAC5E,CAAC;IAED;;;;;;OAMG;IACH,UAAU,CAAC,QAAgB;QACzB,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,QAAQ,CAAmB,CAAC;IAC9E,CAAC;IAED;;;;;;OAMG;IACH,SAAS,CAAC,QAAgB;QACxB,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,OAAO,CAAkB,CAAC;IAC5E,CAAC;IAED,qEAAqE;IACrE,WAAW;IACX,qEAAqE;IAE7D,SAAS,CAAC,QAAgB,EAAE,YAA6B;QAC/D,MAAM,MAAM,GAAG
,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,MAAM,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;YACvC,MAAM,IAAI,SAAS,CACjB,eAAe,QAAQ,WAAW,MAAM,CAAC,UAAU,kBAAkB,YAAY,GAAG,CACrF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED;;;;;;;;OAQG;IACH,WAAW,CAAC,QAAgB;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,UAAU,QAAQ,0BAA0B,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,yDAAyD;IACzD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;IAC9B,CAAC;CACF"}
|
|
@@ -39,7 +39,7 @@ export declare class IdentitiesResource {
|
|
|
39
39
|
status?: string;
|
|
40
40
|
}): Promise<AgentIdentitySummary>;
|
|
41
41
|
/**
|
|
42
|
-
*
|
|
42
|
+
* Delete an identity.
|
|
43
43
|
*
|
|
44
44
|
* Unlinks any assigned channels without deleting them.
|
|
45
45
|
*
|
|
@@ -76,20 +76,5 @@ export declare class IdentitiesResource {
|
|
|
76
76
|
* @param agentHandle - Handle of the identity.
|
|
77
77
|
*/
|
|
78
78
|
unlinkPhoneNumber(agentHandle: string): Promise<void>;
|
|
79
|
-
/**
|
|
80
|
-
* Assign an authenticator app to an identity.
|
|
81
|
-
*
|
|
82
|
-
* @param agentHandle - Handle of the identity.
|
|
83
|
-
* @param options.authenticatorAppId - UUID of the authenticator app to assign.
|
|
84
|
-
*/
|
|
85
|
-
assignAuthenticatorApp(agentHandle: string, options: {
|
|
86
|
-
authenticatorAppId: string;
|
|
87
|
-
}): Promise<_AgentIdentityData>;
|
|
88
|
-
/**
|
|
89
|
-
* Unlink the authenticator app from an identity (does not delete the app).
|
|
90
|
-
*
|
|
91
|
-
* @param agentHandle - Handle of the identity.
|
|
92
|
-
*/
|
|
93
|
-
unlinkAuthenticatorApp(agentHandle: string): Promise<void>;
|
|
94
79
|
}
|
|
95
80
|
//# sourceMappingURL=identities.d.ts.map
|