@m1a0rz/agent-identity 0.1.4 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +11 -2
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +7 -1
- package/dist/src/hooks/before-agent-start.d.ts +5 -8
- package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
- package/dist/src/hooks/before-agent-start.js +37 -57
- package/dist/src/hooks/sessions-send-propagation.d.ts +7 -5
- package/dist/src/hooks/sessions-send-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-send-propagation.js +22 -27
- package/dist/src/hooks/sessions-spawn-propagation.d.ts +27 -0
- package/dist/src/hooks/sessions-spawn-propagation.d.ts.map +1 -0
- package/dist/src/hooks/sessions-spawn-propagation.js +45 -0
- package/dist/src/services/identity-service.d.ts.map +1 -1
- package/dist/src/services/identity-service.js +0 -1
- package/dist/src/services/tip-acquisition.d.ts +18 -0
- package/dist/src/services/tip-acquisition.d.ts.map +1 -0
- package/dist/src/services/tip-acquisition.js +28 -0
- package/dist/src/store/tip-store.d.ts +0 -1
- package/dist/src/store/tip-store.d.ts.map +1 -1
- package/package.json +1 -1
- package/dist/src/hooks/after-tool-call.d.ts +0 -22
- package/dist/src/hooks/after-tool-call.d.ts.map +0 -1
- package/dist/src/hooks/after-tool-call.js +0 -35
- package/dist/src/hooks/subagent-spawned.d.ts +0 -30
- package/dist/src/hooks/subagent-spawned.d.ts.map +0 -1
- package/dist/src/hooks/subagent-spawned.js +0 -30
package/dist/index.d.ts
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* - UserPool login via /identity login (OIDC URL returned directly, no HTTP start endpoint)
|
|
5
5
|
* - Credential hosting: list-credentials, fetch <provider>, set <provider> <envVar>
|
|
6
6
|
* - TIP token via AgentIdentity GetWorkloadAccessTokenForJWT in before_agent_start
|
|
7
|
-
* - TIP/session propagation
|
|
7
|
+
* - TIP/session propagation: before_tool_call (sessions_send params.sessionKey), subagent_spawned (sessions_spawn)
|
|
8
8
|
* - Optional AuthZ in before_tool_call
|
|
9
9
|
* - HTTP callback: /identity/oauth/callback (OIDC login). Credential OAuth uses Identity-provided callback.
|
|
10
10
|
* - Tools: identity_whoami, identity_logout
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAyD7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAkUtD"}
|
package/dist/index.js
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* - UserPool login via /identity login (OIDC URL returned directly, no HTTP start endpoint)
|
|
5
5
|
* - Credential hosting: list-credentials, fetch <provider>, set <provider> <envVar>
|
|
6
6
|
* - TIP token via AgentIdentity GetWorkloadAccessTokenForJWT in before_agent_start
|
|
7
|
-
* - TIP/session propagation
|
|
7
|
+
* - TIP/session propagation: before_tool_call (sessions_send params.sessionKey), subagent_spawned (sessions_spawn)
|
|
8
8
|
* - Optional AuthZ in before_tool_call
|
|
9
9
|
* - HTTP callback: /identity/oauth/callback (OIDC login). Credential OAuth uses Identity-provided callback.
|
|
10
10
|
* - Tools: identity_whoami, identity_logout
|
|
@@ -12,6 +12,7 @@
|
|
|
12
12
|
import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
|
|
13
13
|
import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
|
|
14
14
|
import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
|
|
15
|
+
import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
|
|
15
16
|
import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
|
|
16
17
|
import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
|
|
17
18
|
import { IdentityClient, resolveOIDCConfig, } from "./src/services/identity-client.js";
|
|
@@ -189,7 +190,7 @@ export default function register(api) {
|
|
|
189
190
|
}
|
|
190
191
|
if (target.channel === "feishu") {
|
|
191
192
|
try {
|
|
192
|
-
const cfg =
|
|
193
|
+
const cfg = api.runtime.config.loadConfig();
|
|
193
194
|
await sendNotificationFeishu(cfg, target.to, text, target.accountId);
|
|
194
195
|
}
|
|
195
196
|
catch (err) {
|
|
@@ -293,6 +294,14 @@ export default function register(api) {
|
|
|
293
294
|
}));
|
|
294
295
|
api.on("before_tool_call", createSessionsSendPropagationHandler({
|
|
295
296
|
storeDir,
|
|
297
|
+
identityService,
|
|
298
|
+
configWorkloadName: identityCfg?.workloadName,
|
|
299
|
+
logger: api.logger,
|
|
300
|
+
}));
|
|
301
|
+
api.on("subagent_spawned", createSessionsSpawnPropagationHandler({
|
|
302
|
+
storeDir,
|
|
303
|
+
identityService,
|
|
304
|
+
configWorkloadName: identityCfg?.workloadName,
|
|
296
305
|
logger: api.logger,
|
|
297
306
|
}));
|
|
298
307
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAY/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,
|
|
1
|
+
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAY/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AA+EhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAwDvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAmDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAWvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,GACf,OAAO,CAAC,qBAAqB,CAAC,CA2EhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CAyChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,GACA,OAAO,CAAC,WAAW,CAAC,CA4GtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
|
|
@@ -91,6 +91,12 @@ export async function runStatus(deps, sessionKey, config) {
|
|
|
91
91
|
}
|
|
92
92
|
const credentials = await loadCredentials(storeDir, sessionKey);
|
|
93
93
|
const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
|
|
94
|
+
const tipChain = tip
|
|
95
|
+
? (() => {
|
|
96
|
+
const c = extractDelegationChainFromJwt(tip.token);
|
|
97
|
+
return c ? [c.principalId, ...c.actors] : [];
|
|
98
|
+
})()
|
|
99
|
+
: undefined;
|
|
94
100
|
return {
|
|
95
101
|
loggedIn: !!(session && identityService.parseUserToken(session.userToken).valid),
|
|
96
102
|
sub: session?.sub ?? null,
|
|
@@ -99,7 +105,7 @@ export async function runStatus(deps, sessionKey, config) {
|
|
|
99
105
|
sessionExpiresAt: session?.expiresAt ?? null,
|
|
100
106
|
tipIssuedAt: tip?.issuedAt,
|
|
101
107
|
tipExpiresAt: tip?.expiresAt,
|
|
102
|
-
tipChain
|
|
108
|
+
tipChain,
|
|
103
109
|
credentials,
|
|
104
110
|
bindings,
|
|
105
111
|
};
|
|
@@ -1,19 +1,16 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* before_agent_start hook: fetch TIP token
|
|
3
|
-
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
|
-
* 2.
|
|
5
|
-
* 3.
|
|
6
|
-
* 4. On
|
|
7
|
-
* 5. Store TIP token in tip-store for use by before_tool_call (AuthZ) and downstream
|
|
2
|
+
* before_agent_start hook: fetch TIP token for main agent only.
|
|
3
|
+
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
|
+
* 2. Subagent: skip (TIP comes from sessions_send propagation)
|
|
5
|
+
* 3. Main: lookup session (userToken), call getWorkloadAccessToken, store TIP
|
|
6
|
+
* 4. On token expired: refresh userToken via refresh_token grant, retry
|
|
8
7
|
*/
|
|
9
8
|
import type { IdentityService } from "../services/identity-service.js";
|
|
10
9
|
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
11
10
|
export type BeforeAgentStartDeps = {
|
|
12
11
|
storeDir: string;
|
|
13
12
|
identityService: IdentityService;
|
|
14
|
-
/** From config.identity.workloadName; used as workload name for main sessions when no roleTrn. */
|
|
15
13
|
configWorkloadName?: string;
|
|
16
|
-
/** When set, used to refresh userToken on expiry before retrying TIP fetch. */
|
|
17
14
|
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
18
15
|
logger: {
|
|
19
16
|
info?: (msg: string) => void;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAS3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAOF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAIpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAgE/C"}
|
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* before_agent_start hook: fetch TIP token
|
|
3
|
-
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
|
-
* 2.
|
|
5
|
-
* 3.
|
|
6
|
-
* 4. On
|
|
7
|
-
* 5. Store TIP token in tip-store for use by before_tool_call (AuthZ) and downstream
|
|
2
|
+
* before_agent_start hook: fetch TIP token for main agent only.
|
|
3
|
+
* 1. Inject credentials into process.env per credential-env-bindings
|
|
4
|
+
* 2. Subagent: skip (TIP comes from sessions_send propagation)
|
|
5
|
+
* 3. Main: lookup session (userToken), call getWorkloadAccessToken, store TIP
|
|
6
|
+
* 4. On token expired: refresh userToken via refresh_token grant, retry
|
|
8
7
|
*/
|
|
9
8
|
import { refreshSessionUserToken } from "../services/session-refresh.js";
|
|
10
9
|
import { loadCredentialEnvBindings } from "../store/credential-env-bindings.js";
|
|
11
10
|
import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
|
|
12
11
|
import { getSession } from "../store/session-store.js";
|
|
13
|
-
import { getTIPToken
|
|
14
|
-
import {
|
|
12
|
+
import { getTIPToken } from "../store/tip-store.js";
|
|
13
|
+
import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
|
|
14
|
+
import { isSubagentSessionKey } from "../utils/derive-session-key.js";
|
|
15
15
|
function isTokenExpiredError(err) {
|
|
16
16
|
const msg = err instanceof Error ? err.message : String(err);
|
|
17
17
|
return /token has expired|Invalid token/i.test(msg);
|
|
@@ -22,83 +22,63 @@ export function createBeforeAgentStartHandler(deps) {
|
|
|
22
22
|
const sessionKey = ctx.sessionKey;
|
|
23
23
|
if (!sessionKey)
|
|
24
24
|
return;
|
|
25
|
+
if (isSubagentSessionKey(sessionKey))
|
|
26
|
+
return;
|
|
25
27
|
try {
|
|
26
|
-
// 0. Inject credentials into process.env per bindings (clear if no cred to avoid cross-session leak)
|
|
27
28
|
const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
|
|
28
29
|
for (const [provider, envVar] of Object.entries(bindings)) {
|
|
29
30
|
const cred = await getCredential(storeDir, sessionKey, provider);
|
|
30
31
|
const value = cred ? resolveCredentialValue(cred) : undefined;
|
|
31
|
-
if (value)
|
|
32
|
+
if (value)
|
|
32
33
|
process.env[envVar] = value;
|
|
33
|
-
|
|
34
|
-
else {
|
|
34
|
+
else
|
|
35
35
|
delete process.env[envVar];
|
|
36
|
-
}
|
|
37
36
|
}
|
|
38
37
|
}
|
|
39
38
|
catch {
|
|
40
|
-
|
|
39
|
+
/* best-effort */
|
|
41
40
|
}
|
|
42
41
|
try {
|
|
43
|
-
// 1. Check if we already have a valid TIP token cached
|
|
44
42
|
const cached = await getTIPToken(storeDir, sessionKey);
|
|
45
43
|
if (cached)
|
|
46
44
|
return;
|
|
47
|
-
// 2. Look up userToken from session store
|
|
48
45
|
let session = await getSession(storeDir, sessionKey);
|
|
49
46
|
if (!session)
|
|
50
47
|
return;
|
|
51
|
-
let userToken = session.userToken;
|
|
52
48
|
try {
|
|
53
|
-
|
|
54
|
-
|
|
49
|
+
await fetchAndStoreTIP({
|
|
50
|
+
storeDir,
|
|
55
51
|
sessionKey,
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
sessionKey,
|
|
59
|
-
agentId: ctx.agentId,
|
|
60
|
-
configWorkloadName,
|
|
61
|
-
});
|
|
62
|
-
const tipEntry = await identityService.getWorkloadAccessToken({
|
|
63
|
-
agentId,
|
|
64
|
-
workloadName,
|
|
65
|
-
userToken,
|
|
52
|
+
identityService,
|
|
53
|
+
jwtForExchange: session.userToken,
|
|
66
54
|
sub: session.sub,
|
|
55
|
+
ctxAgentId: ctx.agentId,
|
|
56
|
+
configWorkloadName,
|
|
67
57
|
});
|
|
68
|
-
|
|
69
|
-
await setTIPToken(storeDir, sessionKey, tipEntry);
|
|
70
|
-
logger.info?.(`agent-identity: TIP token acquired for session ${sessionKey.slice(0, 24)}...`);
|
|
58
|
+
logger.info?.(`agent-identity: TIP acquired for ${sessionKey.slice(0, 24)}...`);
|
|
71
59
|
}
|
|
72
60
|
catch (err) {
|
|
73
|
-
if (isTokenExpiredError(err)
|
|
74
|
-
|
|
75
|
-
if (refreshed) {
|
|
76
|
-
session = (await getSession(storeDir, sessionKey)) ?? session;
|
|
77
|
-
const agentId = resolveAgentId({
|
|
78
|
-
agentId: ctx.agentId,
|
|
79
|
-
sessionKey,
|
|
80
|
-
});
|
|
81
|
-
const workloadName = resolveWorkloadNameForSession({
|
|
82
|
-
sessionKey,
|
|
83
|
-
agentId: ctx.agentId,
|
|
84
|
-
configWorkloadName,
|
|
85
|
-
});
|
|
86
|
-
const tipEntry = await identityService.getWorkloadAccessToken({
|
|
87
|
-
agentId,
|
|
88
|
-
workloadName,
|
|
89
|
-
userToken: refreshed,
|
|
90
|
-
sub: session.sub,
|
|
91
|
-
});
|
|
92
|
-
await setTIPToken(storeDir, sessionKey, tipEntry);
|
|
93
|
-
logger.info?.(`agent-identity: TIP token acquired after user token refresh for ${sessionKey.slice(0, 24)}...`);
|
|
94
|
-
return;
|
|
95
|
-
}
|
|
61
|
+
if (!isTokenExpiredError(err) || !getOidcConfigForRefresh || !session.refreshToken) {
|
|
62
|
+
throw err;
|
|
96
63
|
}
|
|
97
|
-
|
|
64
|
+
const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
|
|
65
|
+
if (!refreshed)
|
|
66
|
+
throw err;
|
|
67
|
+
session = (await getSession(storeDir, sessionKey)) ?? session;
|
|
68
|
+
await fetchAndStoreTIP({
|
|
69
|
+
storeDir,
|
|
70
|
+
sessionKey,
|
|
71
|
+
identityService,
|
|
72
|
+
jwtForExchange: refreshed,
|
|
73
|
+
sub: session.sub,
|
|
74
|
+
ctxAgentId: ctx.agentId,
|
|
75
|
+
configWorkloadName,
|
|
76
|
+
});
|
|
77
|
+
logger.info?.(`agent-identity: TIP acquired after refresh for ${sessionKey.slice(0, 24)}...`);
|
|
98
78
|
}
|
|
99
79
|
}
|
|
100
80
|
catch (err) {
|
|
101
|
-
logger.warn?.(`agent-identity: failed to get TIP
|
|
81
|
+
logger.warn?.(`agent-identity: failed to get TIP for ${sessionKey}: ${String(err)}`);
|
|
102
82
|
}
|
|
103
83
|
};
|
|
104
84
|
}
|
|
@@ -1,13 +1,15 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* before_tool_call hook: propagate TIP
|
|
3
|
-
*
|
|
2
|
+
* before_tool_call hook: propagate TIP and session to target when sessions_send
|
|
3
|
+
* is invoked with params.sessionKey.
|
|
4
4
|
*
|
|
5
|
-
*
|
|
6
|
-
* Copies
|
|
7
|
-
* follows the same logic as main (cached TIP or session → TIP fetch).
|
|
5
|
+
* Uses caller's TIP token as JWT input for delegation (user → main → sub).
|
|
6
|
+
* Copies session (userToken) to target. Only supports params.sessionKey.
|
|
8
7
|
*/
|
|
8
|
+
import type { IdentityService } from "../services/identity-service.js";
|
|
9
9
|
export type SessionsSendPropagationDeps = {
|
|
10
10
|
storeDir: string;
|
|
11
|
+
identityService: IdentityService;
|
|
12
|
+
configWorkloadName?: string;
|
|
11
13
|
logger: {
|
|
12
14
|
info?: (msg: string) => void;
|
|
13
15
|
debug?: (msg: string) => void;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sessions-send-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-send-propagation.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"sessions-send-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-send-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAKvE,MAAM,MAAM,2BAA2B,GAAG;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,2BAA2B,IAIlF,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC,IAAI,CAAC,CA4CjB"}
|
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* before_tool_call hook: propagate TIP
|
|
3
|
-
*
|
|
2
|
+
* before_tool_call hook: propagate TIP and session to target when sessions_send
|
|
3
|
+
* is invoked with params.sessionKey.
|
|
4
4
|
*
|
|
5
|
-
*
|
|
6
|
-
* Copies
|
|
7
|
-
* follows the same logic as main (cached TIP or session → TIP fetch).
|
|
5
|
+
* Uses caller's TIP token as JWT input for delegation (user → main → sub).
|
|
6
|
+
* Copies session (userToken) to target. Only supports params.sessionKey.
|
|
8
7
|
*/
|
|
9
8
|
import { getSession, setSession } from "../store/session-store.js";
|
|
10
|
-
import { getTIPToken
|
|
9
|
+
import { getTIPToken } from "../store/tip-store.js";
|
|
10
|
+
import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
|
|
11
11
|
export function createSessionsSendPropagationHandler(deps) {
|
|
12
|
-
const { storeDir, logger } = deps;
|
|
12
|
+
const { storeDir, identityService, configWorkloadName, logger } = deps;
|
|
13
13
|
return async (event, ctx) => {
|
|
14
14
|
if (event.toolName !== "sessions_send")
|
|
15
15
|
return;
|
|
@@ -17,34 +17,29 @@ export function createSessionsSendPropagationHandler(deps) {
|
|
|
17
17
|
const targetSessionKey = typeof event.params?.sessionKey === "string"
|
|
18
18
|
? event.params.sessionKey.trim()
|
|
19
19
|
: undefined;
|
|
20
|
-
if (!callerSessionKey || !targetSessionKey) {
|
|
21
|
-
logger.debug?.("agent-identity: sessions_send propagation skip (caller or target sessionKey missing)");
|
|
22
|
-
return;
|
|
23
|
-
}
|
|
24
|
-
if (callerSessionKey === targetSessionKey) {
|
|
25
|
-
logger.debug?.("agent-identity: sessions_send propagation skip (self-send)");
|
|
20
|
+
if (!callerSessionKey || !targetSessionKey || callerSessionKey === targetSessionKey) {
|
|
26
21
|
return;
|
|
27
22
|
}
|
|
28
23
|
try {
|
|
29
24
|
const callerTIP = await getTIPToken(storeDir, callerSessionKey);
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
logger.debug?.(`agent-identity: sessions_send propagation skip (caller ${callerSessionKey.slice(0, 24)}... has no TIP or session)`);
|
|
25
|
+
if (!callerTIP) {
|
|
26
|
+
logger.debug?.(`agent-identity: sessions_send skip (caller ${callerSessionKey.slice(0, 24)}... has no TIP)`);
|
|
33
27
|
return;
|
|
34
28
|
}
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
}
|
|
29
|
+
await fetchAndStoreTIP({
|
|
30
|
+
storeDir,
|
|
31
|
+
sessionKey: targetSessionKey,
|
|
32
|
+
identityService,
|
|
33
|
+
jwtForExchange: callerTIP.token,
|
|
34
|
+
sub: callerTIP.sub,
|
|
35
|
+
ctxAgentId: ctx.agentId,
|
|
36
|
+
configWorkloadName,
|
|
37
|
+
parentSessionKey: callerSessionKey,
|
|
38
|
+
});
|
|
39
|
+
logger.info?.(`agent-identity: TIP propagated to ${targetSessionKey.slice(0, 24)}... via sessions_send`);
|
|
40
|
+
const callerSession = await getSession(storeDir, callerSessionKey);
|
|
45
41
|
if (callerSession) {
|
|
46
42
|
await setSession(storeDir, targetSessionKey, callerSession);
|
|
47
|
-
logger.info?.(`agent-identity: session (userToken) propagated from ${callerSessionKey.slice(0, 24)}... to ${targetSessionKey.slice(0, 24)}... via sessions_send`);
|
|
48
43
|
}
|
|
49
44
|
}
|
|
50
45
|
catch (err) {
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* subagent_spawned hook: propagate TIP and session to child when sessions_spawn
|
|
3
|
+
* creates a subagent.
|
|
4
|
+
*
|
|
5
|
+
* First-time spawn does not go through sessions_send, so we handle it here.
|
|
6
|
+
* Uses requester's TIP token as JWT input for delegation (user → main → sub).
|
|
7
|
+
* Copies session (userToken) to child.
|
|
8
|
+
*/
|
|
9
|
+
import type { IdentityService } from "../services/identity-service.js";
|
|
10
|
+
export type SessionsSpawnPropagationDeps = {
|
|
11
|
+
storeDir: string;
|
|
12
|
+
identityService: IdentityService;
|
|
13
|
+
configWorkloadName?: string;
|
|
14
|
+
logger: {
|
|
15
|
+
info?: (msg: string) => void;
|
|
16
|
+
debug?: (msg: string) => void;
|
|
17
|
+
};
|
|
18
|
+
};
|
|
19
|
+
export declare function createSessionsSpawnPropagationHandler(deps: SessionsSpawnPropagationDeps): (_event: {
|
|
20
|
+
childSessionKey: string;
|
|
21
|
+
runId: string;
|
|
22
|
+
agentId: string;
|
|
23
|
+
}, ctx: {
|
|
24
|
+
requesterSessionKey?: string;
|
|
25
|
+
childSessionKey?: string;
|
|
26
|
+
}) => Promise<void>;
|
|
27
|
+
//# sourceMappingURL=sessions-spawn-propagation.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sessions-spawn-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-spawn-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAKvE,MAAM,MAAM,4BAA4B,GAAG;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF,wBAAgB,qCAAqC,CAAC,IAAI,EAAE,4BAA4B,IAIpF,QAAQ;IAAE,eAAe,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EACnE,KAAK;IAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,KAC9D,OAAO,CAAC,IAAI,CAAC,CAsCjB"}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* subagent_spawned hook: propagate TIP and session to child when sessions_spawn
|
|
3
|
+
* creates a subagent.
|
|
4
|
+
*
|
|
5
|
+
* First-time spawn does not go through sessions_send, so we handle it here.
|
|
6
|
+
* Uses requester's TIP token as JWT input for delegation (user → main → sub).
|
|
7
|
+
* Copies session (userToken) to child.
|
|
8
|
+
*/
|
|
9
|
+
import { getSession, setSession } from "../store/session-store.js";
|
|
10
|
+
import { getTIPToken } from "../store/tip-store.js";
|
|
11
|
+
import { fetchAndStoreTIP } from "../services/tip-acquisition.js";
|
|
12
|
+
export function createSessionsSpawnPropagationHandler(deps) {
|
|
13
|
+
const { storeDir, identityService, configWorkloadName, logger } = deps;
|
|
14
|
+
return async (_event, ctx) => {
|
|
15
|
+
const callerSessionKey = ctx.requesterSessionKey;
|
|
16
|
+
const targetSessionKey = ctx.childSessionKey ?? _event.childSessionKey;
|
|
17
|
+
if (!callerSessionKey || !targetSessionKey || callerSessionKey === targetSessionKey) {
|
|
18
|
+
return;
|
|
19
|
+
}
|
|
20
|
+
try {
|
|
21
|
+
const callerTIP = await getTIPToken(storeDir, callerSessionKey);
|
|
22
|
+
if (!callerTIP) {
|
|
23
|
+
logger.debug?.(`agent-identity: sessions_spawn skip (requester ${callerSessionKey.slice(0, 24)}... has no TIP)`);
|
|
24
|
+
return;
|
|
25
|
+
}
|
|
26
|
+
await fetchAndStoreTIP({
|
|
27
|
+
storeDir,
|
|
28
|
+
sessionKey: targetSessionKey,
|
|
29
|
+
identityService,
|
|
30
|
+
jwtForExchange: callerTIP.token,
|
|
31
|
+
sub: callerTIP.sub,
|
|
32
|
+
configWorkloadName,
|
|
33
|
+
parentSessionKey: callerSessionKey,
|
|
34
|
+
});
|
|
35
|
+
logger.info?.(`agent-identity: TIP propagated to ${targetSessionKey.slice(0, 24)}... via sessions_spawn`);
|
|
36
|
+
const callerSession = await getSession(storeDir, callerSessionKey);
|
|
37
|
+
if (callerSession) {
|
|
38
|
+
await setSession(storeDir, targetSessionKey, callerSession);
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
catch (err) {
|
|
42
|
+
logger.info?.(`agent-identity: sessions_spawn propagation failed: ${String(err)}`);
|
|
43
|
+
}
|
|
44
|
+
};
|
|
45
|
+
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-service.d.ts","sourceRoot":"","sources":["../../../src/services/identity-service.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEpE,MAAM,MAAM,qBAAqB,GAAG;IAClC,cAAc,EAAE,uBAAuB,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,qBAAqB;IAEpD,sBAAsB,CAAC,MAAM,EAAE;QACnC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,sFAAsF;QACtF,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-service.d.ts","sourceRoot":"","sources":["../../../src/services/identity-service.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEpE,MAAM,MAAM,qBAAqB,GAAG;IAClC,cAAc,EAAE,uBAAuB,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,qBAAqB;IAEpD,sBAAsB,CAAC,MAAM,EAAE;QACnC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,sFAAsF;QACtF,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GAAG,OAAO,CAAC,aAAa,CAAC;IA0B1B;;;OAGG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE;CAiBpE"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared TIP acquisition and store logic.
|
|
3
|
+
* Used by before_agent_start (main) and sessions_send_propagation (subagent).
|
|
4
|
+
*/
|
|
5
|
+
import type { IdentityService } from "./identity-service.js";
|
|
6
|
+
export type FetchAndStoreTIPParams = {
|
|
7
|
+
storeDir: string;
|
|
8
|
+
sessionKey: string;
|
|
9
|
+
identityService: IdentityService;
|
|
10
|
+
jwtForExchange: string;
|
|
11
|
+
sub: string;
|
|
12
|
+
ctxAgentId?: string;
|
|
13
|
+
configWorkloadName?: string;
|
|
14
|
+
targetWorkloadSessionKey?: string;
|
|
15
|
+
parentSessionKey?: string;
|
|
16
|
+
};
|
|
17
|
+
export declare function fetchAndStoreTIP(params: FetchAndStoreTIPParams): Promise<void>;
|
|
18
|
+
//# sourceMappingURL=tip-acquisition.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tip-acquisition.d.ts","sourceRoot":"","sources":["../../../src/services/tip-acquisition.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAO7D,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,eAAe,CAAC;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BpF"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared TIP acquisition and store logic.
|
|
3
|
+
* Used by before_agent_start (main) and sessions_send_propagation (subagent).
|
|
4
|
+
*/
|
|
5
|
+
import { setTIPToken } from "../store/tip-store.js";
|
|
6
|
+
import { resolveAgentId, resolveWorkloadNameForSession, } from "../utils/derive-session-key.js";
|
|
7
|
+
export async function fetchAndStoreTIP(params) {
|
|
8
|
+
const { storeDir, sessionKey, identityService, jwtForExchange, sub, ctxAgentId, configWorkloadName, targetWorkloadSessionKey, parentSessionKey, } = params;
|
|
9
|
+
const workloadKey = targetWorkloadSessionKey ?? sessionKey;
|
|
10
|
+
const agentId = resolveAgentId({ agentId: ctxAgentId, sessionKey: workloadKey });
|
|
11
|
+
const workloadName = resolveWorkloadNameForSession({
|
|
12
|
+
sessionKey: workloadKey,
|
|
13
|
+
agentId: ctxAgentId,
|
|
14
|
+
configWorkloadName,
|
|
15
|
+
});
|
|
16
|
+
const tipEntry = await identityService.getWorkloadAccessToken({
|
|
17
|
+
agentId,
|
|
18
|
+
workloadName,
|
|
19
|
+
userToken: jwtForExchange,
|
|
20
|
+
sub,
|
|
21
|
+
});
|
|
22
|
+
const entry = {
|
|
23
|
+
...tipEntry,
|
|
24
|
+
...(parentSessionKey && { parentSessionKey }),
|
|
25
|
+
issuedAt: Date.now(),
|
|
26
|
+
};
|
|
27
|
+
await setTIPToken(storeDir, sessionKey, entry);
|
|
28
|
+
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tip-store.d.ts","sourceRoot":"","sources":["../../../src/store/tip-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,
|
|
1
|
+
{"version":3,"file":"tip-store.d.ts","sourceRoot":"","sources":["../../../src/store/tip-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAIF,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE;AAaD,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAc5F;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GACpC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAU/B;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@m1a0rz/agent-identity",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.6",
|
|
4
4
|
"description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* after_tool_call hook: propagate TIP token to child session on sessions_spawn.
|
|
3
|
-
* When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
|
|
4
|
-
*/
|
|
5
|
-
export type AfterToolCallDeps = {
|
|
6
|
-
storeDir: string;
|
|
7
|
-
logger: {
|
|
8
|
-
info?: (msg: string) => void;
|
|
9
|
-
};
|
|
10
|
-
};
|
|
11
|
-
export declare function createAfterToolCallHandler(deps: AfterToolCallDeps): (event: {
|
|
12
|
-
toolName: string;
|
|
13
|
-
params: Record<string, unknown>;
|
|
14
|
-
result?: unknown;
|
|
15
|
-
error?: string;
|
|
16
|
-
durationMs?: number;
|
|
17
|
-
}, ctx: {
|
|
18
|
-
agentId?: string;
|
|
19
|
-
sessionKey?: string;
|
|
20
|
-
toolName: string;
|
|
21
|
-
}) => Promise<void>;
|
|
22
|
-
//# sourceMappingURL=after-tool-call.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"after-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/after-tool-call.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEF,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,iBAAiB,IAI9D,OAAO;IACL,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,EACD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC,IAAI,CAAC,CA4BjB"}
|
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* after_tool_call hook: propagate TIP token to child session on sessions_spawn.
|
|
3
|
-
* When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
|
|
4
|
-
*/
|
|
5
|
-
import { getTIPToken, setTIPToken } from "../store/tip-store.js";
|
|
6
|
-
export function createAfterToolCallHandler(deps) {
|
|
7
|
-
const { storeDir, logger } = deps;
|
|
8
|
-
return async (event, ctx) => {
|
|
9
|
-
if (event.toolName !== "sessions_spawn")
|
|
10
|
-
return;
|
|
11
|
-
const result = event.result;
|
|
12
|
-
const childSessionKey = result?.childSessionKey;
|
|
13
|
-
if (!childSessionKey || typeof childSessionKey !== "string")
|
|
14
|
-
return;
|
|
15
|
-
const parentSessionKey = ctx.sessionKey;
|
|
16
|
-
if (!parentSessionKey)
|
|
17
|
-
return;
|
|
18
|
-
try {
|
|
19
|
-
const parentTIP = await getTIPToken(storeDir, parentSessionKey);
|
|
20
|
-
if (!parentTIP)
|
|
21
|
-
return;
|
|
22
|
-
const childTIP = {
|
|
23
|
-
...parentTIP,
|
|
24
|
-
chain: [...(parentTIP.chain ?? []), ctx.agentId ?? "unknown"],
|
|
25
|
-
parentSessionKey,
|
|
26
|
-
issuedAt: Date.now(),
|
|
27
|
-
};
|
|
28
|
-
await setTIPToken(storeDir, childSessionKey, childTIP);
|
|
29
|
-
logger.info?.(`agent-identity: TIP propagated to child ${childSessionKey.slice(0, 32)}...`);
|
|
30
|
-
}
|
|
31
|
-
catch (err) {
|
|
32
|
-
logger.info?.(`agent-identity: failed to propagate TIP to child: ${String(err)}`);
|
|
33
|
-
}
|
|
34
|
-
};
|
|
35
|
-
}
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* subagent_spawned hook: propagate TIP token to child session.
|
|
3
|
-
* Replaces after_tool_call (sessions_spawn) with dedicated lifecycle hook.
|
|
4
|
-
* When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
|
|
5
|
-
*/
|
|
6
|
-
export type SubagentSpawnedDeps = {
|
|
7
|
-
storeDir: string;
|
|
8
|
-
logger: {
|
|
9
|
-
info?: (msg: string) => void;
|
|
10
|
-
};
|
|
11
|
-
};
|
|
12
|
-
export declare function createSubagentSpawnedHandler(deps: SubagentSpawnedDeps): (event: {
|
|
13
|
-
runId: string;
|
|
14
|
-
childSessionKey: string;
|
|
15
|
-
agentId: string;
|
|
16
|
-
label?: string;
|
|
17
|
-
mode: "run" | "session";
|
|
18
|
-
requester?: {
|
|
19
|
-
channel?: string;
|
|
20
|
-
accountId?: string;
|
|
21
|
-
to?: string;
|
|
22
|
-
threadId?: string | number;
|
|
23
|
-
};
|
|
24
|
-
threadRequested: boolean;
|
|
25
|
-
}, ctx: {
|
|
26
|
-
runId?: string;
|
|
27
|
-
childSessionKey?: string;
|
|
28
|
-
requesterSessionKey?: string;
|
|
29
|
-
}) => Promise<void>;
|
|
30
|
-
//# sourceMappingURL=subagent-spawned.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"subagent-spawned.d.ts","sourceRoot":"","sources":["../../../src/hooks/subagent-spawned.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEF,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,mBAAmB,IAIlE,OAAO;IACL,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,KAAK,GAAG,SAAS,CAAC;IACxB,SAAS,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IAC9F,eAAe,EAAE,OAAO,CAAC;CAC1B,EACD,KAAK;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAE,KAC9E,OAAO,CAAC,IAAI,CAAC,CAsBjB"}
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* subagent_spawned hook: propagate TIP token to child session.
|
|
3
|
-
* Replaces after_tool_call (sessions_spawn) with dedicated lifecycle hook.
|
|
4
|
-
* When parent spawns a sub-agent, inherit TIP with extended chain-of-custody.
|
|
5
|
-
*/
|
|
6
|
-
import { getTIPToken, setTIPToken } from "../store/tip-store.js";
|
|
7
|
-
export function createSubagentSpawnedHandler(deps) {
|
|
8
|
-
const { storeDir, logger } = deps;
|
|
9
|
-
return async (event, ctx) => {
|
|
10
|
-
const parentSessionKey = ctx.requesterSessionKey;
|
|
11
|
-
if (!parentSessionKey)
|
|
12
|
-
return;
|
|
13
|
-
try {
|
|
14
|
-
const parentTIP = await getTIPToken(storeDir, parentSessionKey);
|
|
15
|
-
if (!parentTIP)
|
|
16
|
-
return;
|
|
17
|
-
const childTIP = {
|
|
18
|
-
...parentTIP,
|
|
19
|
-
chain: [...(parentTIP.chain ?? []), event.agentId ?? "unknown"],
|
|
20
|
-
parentSessionKey,
|
|
21
|
-
issuedAt: Date.now(),
|
|
22
|
-
};
|
|
23
|
-
await setTIPToken(storeDir, event.childSessionKey, childTIP);
|
|
24
|
-
logger.info?.(`agent-identity: TIP propagated to child ${event.childSessionKey.slice(0, 32)}...`);
|
|
25
|
-
}
|
|
26
|
-
catch (err) {
|
|
27
|
-
logger.info?.(`agent-identity: failed to propagate TIP to child: ${String(err)}`);
|
|
28
|
-
}
|
|
29
|
-
};
|
|
30
|
-
}
|