@m1a0rz/agent-identity 0.1.8 → 0.2.0
- package/README-cn.md +1 -1
- package/README.md +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +31 -5
- package/dist/src/actions/identity-actions.d.ts +3 -0
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +53 -57
- package/dist/src/commands/identity-commands.d.ts.map +1 -1
- package/dist/src/commands/identity-commands.js +2 -1
- package/dist/src/hooks/before-agent-start.d.ts +1 -2
- package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
- package/dist/src/hooks/before-agent-start.js +16 -47
- package/dist/src/hooks/before-tool-call.d.ts +7 -1
- package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
- package/dist/src/hooks/before-tool-call.js +63 -19
- package/dist/src/hooks/llm-input.d.ts +19 -0
- package/dist/src/hooks/llm-input.d.ts.map +1 -0
- package/dist/src/hooks/llm-input.js +20 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts +4 -0
- package/dist/src/hooks/sessions-send-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-send-propagation.js +18 -21
- package/dist/src/hooks/sessions-spawn-propagation.d.ts +5 -1
- package/dist/src/hooks/sessions-spawn-propagation.d.ts.map +1 -1
- package/dist/src/hooks/sessions-spawn-propagation.js +20 -22
- package/dist/src/hooks/subagent-ended-cleanup.d.ts +1 -0
- package/dist/src/hooks/subagent-ended-cleanup.d.ts.map +1 -1
- package/dist/src/hooks/subagent-ended-cleanup.js +3 -2
- package/dist/src/risk/classify-risk.d.ts.map +1 -1
- package/dist/src/risk/classify-risk.js +3 -1
- package/dist/src/risk/llm-risk-check.d.ts.map +1 -1
- package/dist/src/risk/llm-risk-check.js +5 -4
- package/dist/src/services/tip-propagation.d.ts +25 -0
- package/dist/src/services/tip-propagation.d.ts.map +1 -0
- package/dist/src/services/tip-propagation.js +43 -0
- package/dist/src/services/tip-with-refresh.d.ts +24 -0
- package/dist/src/services/tip-with-refresh.d.ts.map +1 -0
- package/dist/src/services/tip-with-refresh.js +68 -0
- package/dist/src/store/skill-path-store.d.ts +10 -0
- package/dist/src/store/skill-path-store.d.ts.map +1 -0
- package/dist/src/store/skill-path-store.js +90 -0
- package/dist/src/tools/identity-approve-tool.d.ts.map +1 -1
- package/dist/src/tools/identity-approve-tool.js +3 -2
- package/dist/src/types.d.ts +13 -6
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/logger.d.ts +17 -0
- package/dist/src/utils/logger.d.ts.map +1 -0
- package/dist/src/utils/logger.js +21 -0
- package/dist/src/utils/parse-available-skills.d.ts +6 -0
- package/dist/src/utils/parse-available-skills.d.ts.map +1 -0
- package/dist/src/utils/parse-available-skills.js +19 -0
- package/dist/src/utils/token-errors.d.ts +5 -0
- package/dist/src/utils/token-errors.d.ts.map +1 -0
- package/dist/src/utils/token-errors.js +7 -0
- package/openclaw.plugin.json +18 -7
- package/package.json +1 -1
- package/skills/SKILL.md +3 -3
|
@@ -8,10 +8,20 @@
|
|
|
8
8
|
*/
|
|
9
9
|
import { diagnoseRisk } from "../risk/diagnose-risk.js";
|
|
10
10
|
import { isLowRiskTool } from "../risk/low-risk-tools.js";
|
|
11
|
-
import
|
|
11
|
+
import * as skillPathStore from "../store/skill-path-store.js";
|
|
12
12
|
import * as toolApprovalStore from "../store/tool-approval-store.js";
|
|
13
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
13
14
|
import { supportsSyncApproval } from "../utils/approval-channel.js";
|
|
14
15
|
import { extractDelegationChainFromJwt } from "../utils/auth.js";
|
|
16
|
+
import { logDebug } from "../utils/logger.js";
|
|
17
|
+
function resolveAuthzFlags(authz) {
|
|
18
|
+
return {
|
|
19
|
+
toolCheck: authz?.toolCheck ?? false,
|
|
20
|
+
skillReadCheck: authz?.skillReadCheck ?? false,
|
|
21
|
+
requireRiskApproval: authz?.requireRiskApproval ?? false,
|
|
22
|
+
enableLlmRiskCheck: authz?.enableLlmRiskCheck ?? false,
|
|
23
|
+
};
|
|
24
|
+
}
|
|
15
25
|
function buildApprovalMessage(toolName, params, approvalId, ttlSeconds, riskReason) {
|
|
16
26
|
const preview = toolName === "exec" || toolName === "process"
|
|
17
27
|
? String(params.command ?? params.cmd ?? params.script ?? "").slice(0, 80)
|
|
@@ -21,29 +31,56 @@ function buildApprovalMessage(toolName, params, approvalId, ttlSeconds, riskReas
|
|
|
21
31
|
: "";
|
|
22
32
|
return `Tool "${toolName}"${preview ? ` (${preview}...)` : ""} requires your approval.${reasonLine}\nReply "approve" or /identity approve ${approvalId}. Expires in ${ttlSeconds}s.`;
|
|
23
33
|
}
|
|
34
|
+
function isSkillReadPath(pathStr) {
|
|
35
|
+
if (typeof pathStr !== "string")
|
|
36
|
+
return false;
|
|
37
|
+
const p = pathStr.trim().replace(/\\/g, "/");
|
|
38
|
+
return p.endsWith("SKILL.md") || p.endsWith("/SKILL.md");
|
|
39
|
+
}
|
|
24
40
|
export function createBeforeToolCallHandler(deps) {
|
|
25
|
-
const { storeDir, identityClient, namespaceName = "default", logger, sendToSession, authz, approvalTtlMs, } = deps;
|
|
41
|
+
const { storeDir, identityClient, namespaceName = "default", logger, sendToSession, authz, approvalTtlMs, identityService, getOidcConfigForRefresh, configWorkloadName, } = deps;
|
|
42
|
+
const flags = resolveAuthzFlags(authz);
|
|
43
|
+
const tipRefreshOptions = identityService && getOidcConfigForRefresh
|
|
44
|
+
? {
|
|
45
|
+
identityService,
|
|
46
|
+
getOidcConfigForRefresh,
|
|
47
|
+
configWorkloadName,
|
|
48
|
+
logger,
|
|
49
|
+
}
|
|
50
|
+
: undefined;
|
|
26
51
|
const lowRiskBypass = authz?.lowRiskBypass !== false;
|
|
27
|
-
const requireRiskApproval = authz?.requireRiskApproval !== false;
|
|
28
52
|
const extraLowRisk = authz?.lowRiskTools;
|
|
29
53
|
return async (event, ctx) => {
|
|
30
54
|
const { toolName, params } = event;
|
|
31
55
|
const sessionKey = ctx.sessionKey;
|
|
32
|
-
logger
|
|
56
|
+
logDebug(logger, `before_tool_call toolName=${toolName}`);
|
|
33
57
|
if (!sessionKey)
|
|
34
58
|
return;
|
|
35
|
-
|
|
36
|
-
|
|
59
|
+
const pathStr = params?.path ?? params?.file_path;
|
|
60
|
+
const isSkillRead = flags.skillReadCheck &&
|
|
61
|
+
toolName.toLowerCase() === "read" &&
|
|
62
|
+
isSkillReadPath(pathStr);
|
|
63
|
+
const skillName = isSkillRead
|
|
64
|
+
? skillPathStore.getSkillNameForPath(sessionKey, String(pathStr ?? ""))
|
|
65
|
+
: undefined;
|
|
66
|
+
const shouldRunCheckPermission = (flags.toolCheck && !isSkillRead) || (flags.skillReadCheck && isSkillRead && skillName != null);
|
|
67
|
+
const shouldBypassLowRisk = lowRiskBypass &&
|
|
68
|
+
isLowRiskTool(toolName, extraLowRisk) &&
|
|
69
|
+
!(isSkillRead && skillName);
|
|
70
|
+
if (shouldBypassLowRisk) {
|
|
71
|
+
logDebug(logger, `low-risk bypass for ${toolName}`);
|
|
37
72
|
return;
|
|
38
73
|
}
|
|
39
|
-
const tip = await
|
|
74
|
+
const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions
|
|
75
|
+
? { ...tipRefreshOptions, ctxAgentId: ctx.agentId }
|
|
76
|
+
: undefined);
|
|
40
77
|
if (!tip) {
|
|
41
78
|
return {
|
|
42
79
|
block: true,
|
|
43
80
|
blockReason: "AuthZ: session has no valid identity (TIP token required)",
|
|
44
81
|
};
|
|
45
82
|
}
|
|
46
|
-
if (identityClient) {
|
|
83
|
+
if (shouldRunCheckPermission && identityClient) {
|
|
47
84
|
const chain = extractDelegationChainFromJwt(tip.token);
|
|
48
85
|
if (!chain) {
|
|
49
86
|
return {
|
|
@@ -53,12 +90,14 @@ export function createBeforeToolCallHandler(deps) {
|
|
|
53
90
|
}
|
|
54
91
|
const principal = { Type: "user", Id: chain.principalId };
|
|
55
92
|
const action = { Type: "Action", Id: "invoke" };
|
|
56
|
-
const resource =
|
|
57
|
-
|
|
93
|
+
const resource = skillName != null
|
|
94
|
+
? { Type: "skill", Id: skillName }
|
|
95
|
+
: { Type: "tool", Id: toolName };
|
|
96
|
+
const originalCallers = chain.actors.slice().reverse().map((id) => ({
|
|
58
97
|
Type: "agent",
|
|
59
98
|
Id: id,
|
|
60
99
|
}));
|
|
61
|
-
logger
|
|
100
|
+
logDebug(logger, `before_tool_call checking permission for ${resource.Type}:${resource.Id} (sub: ${tip.sub}), originalCallers: ${originalCallers.map((c) => c.Id).join(", ")}`);
|
|
62
101
|
try {
|
|
63
102
|
const result = await identityClient.checkPermission({
|
|
64
103
|
namespaceName,
|
|
@@ -70,32 +109,37 @@ export function createBeforeToolCallHandler(deps) {
|
|
|
70
109
|
if (!result.allowed) {
|
|
71
110
|
return {
|
|
72
111
|
block: true,
|
|
73
|
-
blockReason: result.message ||
|
|
112
|
+
blockReason: result.message ||
|
|
113
|
+
`AuthZ: CheckPermission denied for ${resource.Type} ${resource.Id}`,
|
|
74
114
|
};
|
|
75
115
|
}
|
|
76
116
|
}
|
|
77
117
|
catch (err) {
|
|
78
|
-
logger
|
|
118
|
+
logDebug(logger, `CheckPermission error: ${String(err)}`);
|
|
79
119
|
return {
|
|
80
120
|
block: true,
|
|
81
121
|
blockReason: `AuthZ: Failed to verify permission: ${String(err)}`,
|
|
82
122
|
};
|
|
83
123
|
}
|
|
124
|
+
if (skillName != null) {
|
|
125
|
+
logDebug(logger, `skill read allowed for ${skillName}`);
|
|
126
|
+
return;
|
|
127
|
+
}
|
|
84
128
|
}
|
|
85
|
-
if (!requireRiskApproval) {
|
|
86
|
-
logger
|
|
129
|
+
if (!flags.requireRiskApproval) {
|
|
130
|
+
logDebug(logger, `AuthZ ok for ${toolName} (sub: ${tip.sub})`);
|
|
87
131
|
return;
|
|
88
132
|
}
|
|
89
133
|
const paramsRecord = params && typeof params === "object" ? params : {};
|
|
90
|
-
const llmConfig =
|
|
134
|
+
const llmConfig = flags.enableLlmRiskCheck && authz?.llmRiskCheck ? authz.llmRiskCheck : undefined;
|
|
91
135
|
const { risk, reason: riskReason } = await diagnoseRisk(toolName, paramsRecord, llmConfig, logger);
|
|
92
136
|
if (risk !== "high") {
|
|
93
|
-
logger
|
|
137
|
+
logDebug(logger, `AuthZ ok for ${toolName} (risk=${risk})`);
|
|
94
138
|
return;
|
|
95
139
|
}
|
|
96
140
|
if (toolApprovalStore.hasRecentApproval(sessionKey, toolName, paramsRecord)) {
|
|
97
141
|
toolApprovalStore.consumeApproval(sessionKey, toolName, paramsRecord);
|
|
98
|
-
logger
|
|
142
|
+
logDebug(logger, `AuthZ ok for ${toolName} (recent approval)`);
|
|
99
143
|
return;
|
|
100
144
|
}
|
|
101
145
|
const fullHash = toolApprovalStore.hashToolParams(toolName, paramsRecord);
|
|
@@ -112,7 +156,7 @@ export function createBeforeToolCallHandler(deps) {
|
|
|
112
156
|
await sendToSession(sessionKey, buildApprovalMessage(toolName, paramsRecord, approvalId, ttlSeconds, riskReason));
|
|
113
157
|
const approved = await toolApprovalStore.pollForApproval(approvalId, approvalTtlMs);
|
|
114
158
|
if (approved) {
|
|
115
|
-
logger
|
|
159
|
+
logDebug(logger, `AuthZ ok for ${toolName} (approved via poll)`);
|
|
116
160
|
return;
|
|
117
161
|
}
|
|
118
162
|
return {
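Review bot: A `read` of a `SKILL.md` path that has no entry in the skill-path store gets no permission check: with `isSkillRead` true and `skillName` null, `shouldRunCheckPermission` is false even when `toolCheck` is on, and `shouldBypassLowRisk` can return before the TIP lookup if `read` is on the low-risk list (that list is not shown here). The lookup is given the raw `pathStr` while `isSkillReadPath` trims and normalises backslashes first, so a differently spelled path to the same file may miss the mapping, depending on `getSkillNameForPath`, which is outside this view. Falling back to the tool check for unmapped skill reads would narrow the gap, e.g. `const shouldRunCheckPermission = isSkillRead && skillName != null ? true : flags.toolCheck;`, or block outright when `isSkillRead && skillName == null`. Separately, `resolveAuthzFlags` defaults `toolCheck` and `requireRiskApproval` to false, whereas 0.1.8 used `authz?.requireRiskApproval !== false` and called CheckPermission whenever `identityClient` was set, so a config that omits those keys silently loses both checks on upgrade; a startup warning when they are unset would surface that.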
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* llm_input hook: parse <available_skills> from system prompt and store
|
|
3
|
+
* path -> skill name mapping for skill read permission checks in before_tool_call.
|
|
4
|
+
* Only runs when authz.skillReadCheck is enabled.
|
|
5
|
+
*/
|
|
6
|
+
export type LlmInputHandlerDeps = {
|
|
7
|
+
enabled: boolean;
|
|
8
|
+
logger?: {
|
|
9
|
+
debug?: (msg: string) => void;
|
|
10
|
+
};
|
|
11
|
+
};
|
|
12
|
+
export declare function createLlmInputHandler(deps: LlmInputHandlerDeps): (event: {
|
|
13
|
+
systemPrompt?: string;
|
|
14
|
+
}, ctx: {
|
|
15
|
+
sessionKey?: string;
|
|
16
|
+
sessionId?: string;
|
|
17
|
+
workspaceDir?: string;
|
|
18
|
+
}) => void;
|
|
19
|
+
//# sourceMappingURL=llm-input.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"llm-input.d.ts","sourceRoot":"","sources":["../../../src/hooks/llm-input.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC5C,CAAC;AAEF,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,mBAAmB,IAI3D,OAAO;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,EAChC,KAAK;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,KACtE,IAAI,CAcR"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* llm_input hook: parse <available_skills> from system prompt and store
|
|
3
|
+
* path -> skill name mapping for skill read permission checks in before_tool_call.
|
|
4
|
+
* Only runs when authz.skillReadCheck is enabled.
|
|
5
|
+
*/
|
|
6
|
+
import { parseAvailableSkills } from "../utils/parse-available-skills.js";
|
|
7
|
+
import * as skillPathStore from "../store/skill-path-store.js";
|
|
8
|
+
import { logDebug } from "../utils/logger.js";
|
|
9
|
+
export function createLlmInputHandler(deps) {
|
|
10
|
+
const { enabled, logger } = deps;
|
|
11
|
+
return (event, ctx) => {
|
|
12
|
+
if (!enabled || !ctx.sessionKey)
|
|
13
|
+
return;
|
|
14
|
+
const pathToName = parseAvailableSkills(event.systemPrompt);
|
|
15
|
+
if (pathToName.size === 0)
|
|
16
|
+
return;
|
|
17
|
+
skillPathStore.setSkillPathsForSession(ctx.sessionKey, pathToName, ctx.workspaceDir, ctx.sessionId);
|
|
18
|
+
logDebug(logger, `llm_input parsed ${pathToName.size} skill paths for session`);
|
|
19
|
+
};
|
|
20
|
+
}
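Review bot: The skill names stored here become the `Id` of the `skill` resource that before_tool_call sends to CheckPermission, and they are parsed out of `event.systemPrompt`, so the authorisation decision is only as trustworthy as that prompt text. If any part of the `<available_skills>` block can carry text from a skill's own metadata or from the workspace (not determinable from this diff), a path could be recorded under another skill's name. The early return on `pathToName.size === 0` also leaves whatever mapping was stored earlier for the session in place, which may be stale once a skill is removed; whether that matters depends on `setSkillPathsForSession`, which is not shown. I would add a comment above the parse call stating the assumption, e.g. `// Trust boundary: names parsed here become CheckPermission resource Ids; systemPrompt must be host-built, not model- or user-supplied.`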
|
|
@@ -6,10 +6,14 @@
|
|
|
6
6
|
* Copies session (userToken) to target. Only supports params.sessionKey.
|
|
7
7
|
*/
|
|
8
8
|
import type { IdentityService } from "../services/identity-service.js";
|
|
9
|
+
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
9
10
|
export type SessionsSendPropagationDeps = {
|
|
10
11
|
storeDir: string;
|
|
11
12
|
identityService: IdentityService;
|
|
12
13
|
configWorkloadName?: string;
|
|
14
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
15
|
+
/** When false, skip TIP/session propagation to subagents. Default: false. */
|
|
16
|
+
subagentTipPropagation?: boolean;
|
|
13
17
|
logger: {
|
|
14
18
|
info?: (msg: string) => void;
|
|
15
19
|
debug?: (msg: string) => void;
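Review bot: The doc comment on `subagentTipPropagation` says that `false` skips TIP/session propagation, but `propagateTIPToTarget` (tip-propagation.js in this same diff) does not skip anything in that case: it stores the caller's TIP for the target with `setTIPToken` and still copies the session. Anyone reading the type would expect a subagent to receive no credentials by default, which is the opposite of what happens. Suggested wording: `/** When true, exchange the caller's TIP for a delegated TIP for the target; otherwise the caller's TIP is stored for the target unchanged. The session is copied either way. Default: false. */`. The same comment appears on `SessionsSpawnPropagationDeps` in sessions-spawn-propagation.d.ts. The type body continues outside the hunk.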
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sessions-send-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-send-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"sessions-send-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-send-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAK3E,MAAM,MAAM,2BAA2B,GAAG;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,6EAA6E;IAC7E,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF,wBAAgB,oCAAoC,CAAC,IAAI,EAAE,2BAA2B,IAWlF,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC,IAAI,CAAC,CAoCjB"}
|
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
* Uses caller's TIP token as JWT input for delegation (user → main → sub).
|
|
6
6
|
* Copies session (userToken) to target. Only supports params.sessionKey.
|
|
7
7
|
*/
|
|
8
|
-
import {
|
|
9
|
-
import {
|
|
10
|
-
import {
|
|
8
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
9
|
+
import { propagateTIPToTarget } from "../services/tip-propagation.js";
|
|
10
|
+
import { logWarn } from "../utils/logger.js";
|
|
11
11
|
export function createSessionsSendPropagationHandler(deps) {
|
|
12
|
-
const { storeDir, identityService, configWorkloadName, logger } = deps;
|
|
12
|
+
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, subagentTipPropagation, logger, } = deps;
|
|
13
13
|
return async (event, ctx) => {
|
|
14
14
|
if (event.toolName !== "sessions_send")
|
|
15
15
|
return;
|
|
@@ -21,29 +21,26 @@ export function createSessionsSendPropagationHandler(deps) {
|
|
|
21
21
|
return;
|
|
22
22
|
}
|
|
23
23
|
try {
|
|
24
|
-
|
|
25
|
-
if (!callerTIP) {
|
|
26
|
-
logger.debug?.(`agent-identity: sessions_send skip (caller ${callerSessionKey.slice(0, 24)}... has no TIP)`);
|
|
27
|
-
return;
|
|
28
|
-
}
|
|
29
|
-
await fetchAndStoreTIP({
|
|
24
|
+
await propagateTIPToTarget({
|
|
30
25
|
storeDir,
|
|
31
|
-
|
|
26
|
+
callerSessionKey,
|
|
27
|
+
targetSessionKey,
|
|
32
28
|
identityService,
|
|
33
|
-
jwtForExchange: callerTIP.token,
|
|
34
|
-
sub: callerTIP.sub,
|
|
35
|
-
ctxAgentId: ctx.agentId,
|
|
36
29
|
configWorkloadName,
|
|
37
|
-
|
|
30
|
+
subagentTipPropagation,
|
|
31
|
+
ctxAgentId: ctx.agentId,
|
|
32
|
+
getCallerTIP: () => getOrRefreshTIPToken(storeDir, callerSessionKey, {
|
|
33
|
+
identityService,
|
|
34
|
+
getOidcConfigForRefresh,
|
|
35
|
+
configWorkloadName,
|
|
36
|
+
ctxAgentId: ctx.agentId,
|
|
37
|
+
logger,
|
|
38
|
+
}),
|
|
39
|
+
logger,
|
|
38
40
|
});
|
|
39
|
-
logger.info?.(`agent-identity: TIP propagated to ${targetSessionKey.slice(0, 24)}... via sessions_send`);
|
|
40
|
-
const callerSession = await getSession(storeDir, callerSessionKey);
|
|
41
|
-
if (callerSession) {
|
|
42
|
-
await setSession(storeDir, targetSessionKey, callerSession);
|
|
43
|
-
}
|
|
44
41
|
}
|
|
45
42
|
catch (err) {
|
|
46
|
-
logger
|
|
43
|
+
logWarn(logger, `sessions_send propagation failed: ${String(err)}`);
|
|
47
44
|
}
|
|
48
45
|
};
|
|
49
46
|
}
|
|
@@ -7,16 +7,20 @@
|
|
|
7
7
|
* Copies session (userToken) to child.
|
|
8
8
|
*/
|
|
9
9
|
import type { IdentityService } from "../services/identity-service.js";
|
|
10
|
+
import type { OIDCConfigForRefresh } from "../services/session-refresh.js";
|
|
10
11
|
export type SessionsSpawnPropagationDeps = {
|
|
11
12
|
storeDir: string;
|
|
12
13
|
identityService: IdentityService;
|
|
13
14
|
configWorkloadName?: string;
|
|
15
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
16
|
+
/** When false, skip TIP/session propagation to subagents. Default: false. */
|
|
17
|
+
subagentTipPropagation?: boolean;
|
|
14
18
|
logger: {
|
|
15
19
|
info?: (msg: string) => void;
|
|
16
20
|
debug?: (msg: string) => void;
|
|
17
21
|
};
|
|
18
22
|
};
|
|
19
|
-
export declare function createSessionsSpawnPropagationHandler(deps: SessionsSpawnPropagationDeps): (
|
|
23
|
+
export declare function createSessionsSpawnPropagationHandler(deps: SessionsSpawnPropagationDeps): (event: {
|
|
20
24
|
childSessionKey: string;
|
|
21
25
|
runId: string;
|
|
22
26
|
agentId: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sessions-spawn-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-spawn-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"sessions-spawn-propagation.d.ts","sourceRoot":"","sources":["../../../src/hooks/sessions-spawn-propagation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAK3E,MAAM,MAAM,4BAA4B,GAAG;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,6EAA6E;IAC7E,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF,wBAAgB,qCAAqC,CAAC,IAAI,EAAE,4BAA4B,IAWpF,OAAO;IAAE,eAAe,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAClE,KAAK;IAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,KAC9D,OAAO,CAAC,IAAI,CAAC,CA+BjB"}
|
|
@@ -6,40 +6,38 @@
|
|
|
6
6
|
* Uses requester's TIP token as JWT input for delegation (user → main → sub).
|
|
7
7
|
* Copies session (userToken) to child.
|
|
8
8
|
*/
|
|
9
|
-
import {
|
|
10
|
-
import {
|
|
11
|
-
import {
|
|
9
|
+
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
10
|
+
import { propagateTIPToTarget } from "../services/tip-propagation.js";
|
|
11
|
+
import { logWarn } from "../utils/logger.js";
|
|
12
12
|
export function createSessionsSpawnPropagationHandler(deps) {
|
|
13
|
-
const { storeDir, identityService, configWorkloadName, logger } = deps;
|
|
14
|
-
return async (
|
|
13
|
+
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, subagentTipPropagation, logger, } = deps;
|
|
14
|
+
return async (event, ctx) => {
|
|
15
15
|
const callerSessionKey = ctx.requesterSessionKey;
|
|
16
|
-
const targetSessionKey = ctx.childSessionKey ??
|
|
16
|
+
const targetSessionKey = ctx.childSessionKey ?? event.childSessionKey;
|
|
17
17
|
if (!callerSessionKey || !targetSessionKey || callerSessionKey === targetSessionKey) {
|
|
18
18
|
return;
|
|
19
19
|
}
|
|
20
20
|
try {
|
|
21
|
-
|
|
22
|
-
if (!callerTIP) {
|
|
23
|
-
logger.debug?.(`agent-identity: sessions_spawn skip (requester ${callerSessionKey.slice(0, 24)}... has no TIP)`);
|
|
24
|
-
return;
|
|
25
|
-
}
|
|
26
|
-
await fetchAndStoreTIP({
|
|
21
|
+
await propagateTIPToTarget({
|
|
27
22
|
storeDir,
|
|
28
|
-
|
|
23
|
+
callerSessionKey,
|
|
24
|
+
targetSessionKey,
|
|
29
25
|
identityService,
|
|
30
|
-
jwtForExchange: callerTIP.token,
|
|
31
|
-
sub: callerTIP.sub,
|
|
32
26
|
configWorkloadName,
|
|
33
|
-
|
|
27
|
+
subagentTipPropagation,
|
|
28
|
+
ctxAgentId: event.agentId,
|
|
29
|
+
getCallerTIP: () => getOrRefreshTIPToken(storeDir, callerSessionKey, {
|
|
30
|
+
identityService,
|
|
31
|
+
getOidcConfigForRefresh,
|
|
32
|
+
configWorkloadName,
|
|
33
|
+
ctxAgentId: event.agentId,
|
|
34
|
+
logger,
|
|
35
|
+
}),
|
|
36
|
+
logger,
|
|
34
37
|
});
|
|
35
|
-
logger.info?.(`agent-identity: TIP propagated to ${targetSessionKey.slice(0, 24)}... via sessions_spawn`);
|
|
36
|
-
const callerSession = await getSession(storeDir, callerSessionKey);
|
|
37
|
-
if (callerSession) {
|
|
38
|
-
await setSession(storeDir, targetSessionKey, callerSession);
|
|
39
|
-
}
|
|
40
38
|
}
|
|
41
39
|
catch (err) {
|
|
42
|
-
logger
|
|
40
|
+
logWarn(logger, `sessions_spawn propagation failed: ${String(err)}`);
|
|
43
41
|
}
|
|
44
42
|
};
|
|
45
43
|
}
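Review bot: `getCallerTIP` refreshes the TIP for `callerSessionKey` (the requester) but passes `ctxAgentId: event.agentId`, and the event type in sessions-spawn-propagation.d.ts groups `agentId` with `childSessionKey` and `runId`, which suggests it identifies the spawned agent rather than the requester. If so, a refresh of the parent's token would be requested under the child's agent id; how `getOrRefreshTIPToken` uses the field is not visible here, so this needs confirming. The sessions_send handler passes `ctx.agentId` to both calls, which is presumably the calling session's own agent. Unless the requester's agent id is available, I would drop `ctxAgentId` from the options passed to `getOrRefreshTIPToken` and keep it only on the `propagateTIPToTarget` argument.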
|
|
@@ -9,6 +9,7 @@ export type SubagentEndedCleanupDeps = {
|
|
|
9
9
|
logger: {
|
|
10
10
|
info?: (msg: string) => void;
|
|
11
11
|
debug?: (msg: string) => void;
|
|
12
|
+
warn?: (msg: string) => void;
|
|
12
13
|
};
|
|
13
14
|
};
|
|
14
15
|
export declare function createSubagentEndedCleanupHandler(deps: SubagentEndedCleanupDeps): (event: {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"subagent-ended-cleanup.d.ts","sourceRoot":"","sources":["../../../src/hooks/subagent-ended-cleanup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;
|
|
1
|
+
{"version":3,"file":"subagent-ended-cleanup.d.ts","sourceRoot":"","sources":["../../../src/hooks/subagent-ended-cleanup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,wBAAwB,GAAG;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACvG,CAAC;AAEF,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,wBAAwB,IAI5E,OAAO;IAAE,gBAAgB,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,KACtD,OAAO,CAAC,IAAI,CAAC,CAcjB"}
|
|
@@ -6,6 +6,7 @@
|
|
|
6
6
|
*/
|
|
7
7
|
import { deleteSession } from "../store/session-store.js";
|
|
8
8
|
import { deleteTIPToken } from "../store/tip-store.js";
|
|
9
|
+
import { logDebug, logWarn } from "../utils/logger.js";
|
|
9
10
|
export function createSubagentEndedCleanupHandler(deps) {
|
|
10
11
|
const { storeDir, logger } = deps;
|
|
11
12
|
return async (event) => {
|
|
@@ -17,10 +18,10 @@ export function createSubagentEndedCleanupHandler(deps) {
|
|
|
17
18
|
try {
|
|
18
19
|
await deleteTIPToken(storeDir, targetSessionKey);
|
|
19
20
|
await deleteSession(storeDir, targetSessionKey);
|
|
20
|
-
logger
|
|
21
|
+
logDebug(logger, `cleaned up TIP and session for ${targetSessionKey.slice(0, 24)}... on subagent_ended`);
|
|
21
22
|
}
|
|
22
23
|
catch (err) {
|
|
23
|
-
logger
|
|
24
|
+
logWarn(logger, `subagent_ended cleanup failed for ${targetSessionKey.slice(0, 24)}...: ${String(err)}`);
|
|
24
25
|
}
|
|
25
26
|
};
|
|
26
27
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classify-risk.d.ts","sourceRoot":"","sources":["../../../src/risk/classify-risk.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AA+BlE;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,cAAc,
|
|
1
|
+
{"version":3,"file":"classify-risk.d.ts","sourceRoot":"","sources":["../../../src/risk/classify-risk.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AA+BlE;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,cAAc,CAoBhB;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,eAAe,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5D,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B,CAQA"}
|
|
@@ -38,14 +38,16 @@ export function classifyRiskRules(toolName, params) {
|
|
|
38
38
|
if (isDangerousCommand(cmd)) {
|
|
39
39
|
return { risk: "high", reason: getDangerousCommandReason(cmd) };
|
|
40
40
|
}
|
|
41
|
+
return { risk: "low" };
|
|
41
42
|
}
|
|
42
43
|
if (normalized === "write" || normalized === "edit" || normalized === "apply_patch") {
|
|
43
44
|
const path = params.path ?? params.target ?? params.filePath ?? "";
|
|
44
45
|
if (containsSensitivePath(path)) {
|
|
45
46
|
return { risk: "high", reason: "Writes to system or sensitive path" };
|
|
46
47
|
}
|
|
48
|
+
return { risk: "low" };
|
|
47
49
|
}
|
|
48
|
-
return { risk: "
|
|
50
|
+
return { risk: "low" };
|
|
49
51
|
}
|
|
50
52
|
/**
|
|
51
53
|
* Return built-in risk patterns for display (e.g. identity_list_risk_patterns).
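Review bot: The write/edit branch reads the target from `params.path ?? params.target ?? params.filePath`, while before_tool_call in this same release reads `params?.path ?? params?.file_path`; a write whose path arrives as `file_path` is compared as an empty string by `containsSensitivePath` and now falls to the new explicit `return { risk: "low" };`. Which key the host's tools use is not visible here, so this is worth confirming against the tool schemas. Adding the key keeps the two hooks consistent: `const path = params.path ?? params.file_path ?? params.target ?? params.filePath ?? "";`. The function body starts outside the hunk.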
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"llm-risk-check.d.ts","sourceRoot":"","sources":["../../../src/risk/llm-risk-check.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"llm-risk-check.d.ts","sourceRoot":"","sources":["../../../src/risk/llm-risk-check.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAmDpD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AA0CF,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAyJjE;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,kBAAkB,EAC1B,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAiE/B"}
|
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
* Reference: GuardSpine plugin (ollamaGenerate, runCouncilReview).
|
|
5
5
|
*/
|
|
6
6
|
import { hashToolParams } from "../store/tool-approval-store.js";
|
|
7
|
+
import { logDebug, logWarn } from "../utils/logger.js";
|
|
7
8
|
/** Max chars for params JSON; critical fields (command, path) get smarter truncation. */
|
|
8
9
|
const PARAMS_MAX_CHARS = 800;
|
|
9
10
|
const CACHE_TTL_MS_DEFAULT = 300_000; // 5 min
|
|
@@ -224,7 +225,7 @@ async function callOpenAiCompletions(endpoint, model, messages, apiKey, timeoutM
|
|
|
224
225
|
export async function evaluateRiskLlm(toolName, params, config, logger) {
|
|
225
226
|
const { endpoint, api = "ollama", model, apiKey, timeoutMs = 10_000, } = config;
|
|
226
227
|
if (!endpoint?.trim() || !model?.trim()) {
|
|
227
|
-
logger
|
|
228
|
+
logWarn(logger, "llmRiskCheck requires endpoint and model");
|
|
228
229
|
return null;
|
|
229
230
|
}
|
|
230
231
|
const paramsRecord = params && typeof params === "object" ? params : {};
|
|
@@ -234,7 +235,7 @@ export async function evaluateRiskLlm(toolName, params, config, logger) {
|
|
|
234
235
|
const cacheKey = hashToolParams(toolName, paramsRecord);
|
|
235
236
|
const cached = riskCache.get(cacheKey);
|
|
236
237
|
if (cached && now < cached.expiresAt) {
|
|
237
|
-
logger
|
|
238
|
+
logDebug(logger, `LLM risk check cache hit for ${toolName}`);
|
|
238
239
|
return cached.result;
|
|
239
240
|
}
|
|
240
241
|
}
|
|
@@ -264,11 +265,11 @@ export async function evaluateRiskLlm(toolName, params, config, logger) {
|
|
|
264
265
|
}
|
|
265
266
|
}
|
|
266
267
|
}
|
|
267
|
-
logger
|
|
268
|
+
logDebug(logger, `LLM risk check for ${toolName} -> ${result?.risk ?? "parse_fail"}`);
|
|
268
269
|
return result;
|
|
269
270
|
}
|
|
270
271
|
catch (err) {
|
|
271
|
-
logger
|
|
272
|
+
logWarn(logger, `LLM risk check failed: ${String(err)}`);
|
|
272
273
|
return null;
|
|
273
274
|
}
|
|
274
275
|
}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared TIP propagation logic for sessions_send and sessions_spawn.
|
|
3
|
+
*/
|
|
4
|
+
import type { IdentityService } from "./identity-service.js";
|
|
5
|
+
import type { TIPTokenEntry } from "../store/tip-store.js";
|
|
6
|
+
export type PropagateTIPParams = {
|
|
7
|
+
storeDir: string;
|
|
8
|
+
callerSessionKey: string;
|
|
9
|
+
targetSessionKey: string;
|
|
10
|
+
identityService: IdentityService;
|
|
11
|
+
configWorkloadName?: string;
|
|
12
|
+
subagentTipPropagation?: boolean;
|
|
13
|
+
ctxAgentId?: string;
|
|
14
|
+
getCallerTIP: () => Promise<TIPTokenEntry | null>;
|
|
15
|
+
logger: {
|
|
16
|
+
info?: (msg: string) => void;
|
|
17
|
+
debug?: (msg: string) => void;
|
|
18
|
+
};
|
|
19
|
+
};
|
|
20
|
+
/**
|
|
21
|
+
* Propagate TIP and session from caller to target.
|
|
22
|
+
* Uses getCallerTIP() to obtain caller's TIP (supports refresh).
|
|
23
|
+
*/
|
|
24
|
+
export declare function propagateTIPToTarget(params: PropagateTIPParams): Promise<void>;
|
|
25
|
+
//# sourceMappingURL=tip-propagation.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tip-propagation.d.ts","sourceRoot":"","sources":["../../../src/services/tip-propagation.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAM3D,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAClD,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CA2CpF"}
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared TIP propagation logic for sessions_send and sessions_spawn.
|
|
3
|
+
*/
|
|
4
|
+
import { getSession, setSession } from "../store/session-store.js";
|
|
5
|
+
import { setTIPToken } from "../store/tip-store.js";
|
|
6
|
+
import { logDebug, logInfo } from "../utils/logger.js";
|
|
7
|
+
import { fetchAndStoreTIP } from "./tip-acquisition.js";
|
|
8
|
+
/**
|
|
9
|
+
* Propagate TIP and session from caller to target.
|
|
10
|
+
* Uses getCallerTIP() to obtain caller's TIP (supports refresh).
|
|
11
|
+
*/
|
|
12
|
+
export async function propagateTIPToTarget(params) {
|
|
13
|
+
const { storeDir, callerSessionKey, targetSessionKey, identityService, configWorkloadName, subagentTipPropagation, ctxAgentId, getCallerTIP, logger, } = params;
|
|
14
|
+
const callerTIP = await getCallerTIP();
|
|
15
|
+
if (!callerTIP) {
|
|
16
|
+
logDebug(logger, `propagation skip (caller ${callerSessionKey.slice(0, 24)}... has no TIP)`);
|
|
17
|
+
return;
|
|
18
|
+
}
|
|
19
|
+
if (subagentTipPropagation === true) {
|
|
20
|
+
await fetchAndStoreTIP({
|
|
21
|
+
storeDir,
|
|
22
|
+
sessionKey: targetSessionKey,
|
|
23
|
+
identityService,
|
|
24
|
+
jwtForExchange: callerTIP.token,
|
|
25
|
+
sub: callerTIP.sub,
|
|
26
|
+
ctxAgentId,
|
|
27
|
+
configWorkloadName,
|
|
28
|
+
parentSessionKey: callerSessionKey,
|
|
29
|
+
});
|
|
30
|
+
logInfo(logger, `TIP propagated to ${targetSessionKey.slice(0, 24)}...`);
|
|
31
|
+
}
|
|
32
|
+
else {
|
|
33
|
+
await setTIPToken(storeDir, targetSessionKey, {
|
|
34
|
+
...callerTIP,
|
|
35
|
+
...(callerSessionKey && { parentSessionKey: callerSessionKey }),
|
|
36
|
+
});
|
|
37
|
+
logDebug(logger, `TIP passed through to ${targetSessionKey.slice(0, 24)}...`);
|
|
38
|
+
}
|
|
39
|
+
const callerSession = await getSession(storeDir, callerSessionKey);
|
|
40
|
+
if (callerSession) {
|
|
41
|
+
await setSession(storeDir, targetSessionKey, callerSession);
|
|
42
|
+
}
|
|
43
|
+
}
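Review bot: In the default branch (`subagentTipPropagation` not `true`) the target session is given the caller's TIP entry unchanged via `setTIPToken`, so the child holds the same token as its parent and no delegation hop is recorded for it. before_tool_call builds `originalCallers` from `extractDelegationChainFromJwt(tip.token)`, so a permission check made for the subagent would, as far as this diff shows, be indistinguishable from one made for the parent. That may be the intended trade-off, but it is logged only at debug level while the exchange branch logs at info. I would state it in a comment on the `else` branch, `// Pass-through: target reuses the caller's TIP as-is; the subagent does not appear in the delegation chain.`, and raise the log call to `logInfo` so operators can see which mode ran.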
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Get TIP token with optional refresh when expired.
|
|
3
|
+
* When refresh options are provided and TIP is missing/expired, attempts to
|
|
4
|
+
* fetch TIP from session userToken (and refresh userToken if expired).
|
|
5
|
+
*/
|
|
6
|
+
import type { IdentityService } from "./identity-service.js";
|
|
7
|
+
import type { OIDCConfigForRefresh } from "./session-refresh.js";
|
|
8
|
+
import { getTIPToken } from "../store/tip-store.js";
|
|
9
|
+
export type GetOrRefreshTIPOptions = {
|
|
10
|
+
identityService: IdentityService;
|
|
11
|
+
getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
|
|
12
|
+
configWorkloadName?: string;
|
|
13
|
+
ctxAgentId?: string;
|
|
14
|
+
logger?: {
|
|
15
|
+
debug?: (msg: string) => void;
|
|
16
|
+
info?: (msg: string) => void;
|
|
17
|
+
};
|
|
18
|
+
};
|
|
19
|
+
/**
|
|
20
|
+
* Get TIP token for session. If missing or expired and refresh options provided,
|
|
21
|
+
* attempts to fetch TIP (refreshing userToken if needed).
|
|
22
|
+
*/
|
|
23
|
+
export declare function getOrRefreshTIPToken(storeDir: string, sessionKey: string, options?: GetOrRefreshTIPOptions): Promise<Awaited<ReturnType<typeof getTIPToken>>>;
|
|
24
|
+
//# sourceMappingURL=tip-with-refresh.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC,CA6DlD"}
|