@meshagent/meshagent 0.5.18 → 0.6.0

package/dist/esm/participant-token.d.ts

@@ -1,9 +1,171 @@
+export type StringList = string[];
+export declare class AgentsGrant {
+    registerAgent: boolean;
+    registerPublicToolkit: boolean;
+    registerPrivateToolkit: boolean;
+    call: boolean;
+    useAgents: boolean;
+    useTools: boolean;
+    constructor({ registerAgent, registerPublicToolkit, registerPrivateToolkit, call, useAgents, useTools, }?: {
+        registerAgent?: boolean;
+        registerPublicToolkit?: boolean;
+        registerPrivateToolkit?: boolean;
+        call?: boolean;
+        useAgents?: boolean;
+        useTools?: boolean;
+    });
+}
+export declare class LivekitGrant {
+    breakoutRooms?: StringList;
+    constructor({ breakoutRooms }?: {
+        breakoutRooms?: StringList;
+    });
+    canJoinBreakoutRoom(name: string): boolean;
+}
+export declare class QueuesGrant {
+    send?: StringList;
+    receive?: StringList;
+    list: boolean;
+    constructor({ send, receive, list }?: {
+        send?: StringList;
+        receive?: StringList;
+        list?: boolean;
+    });
+    canSend(q: string): boolean;
+    canReceive(q: string): boolean;
+}
+export declare class MessagingGrant {
+    broadcast: boolean;
+    list: boolean;
+    send: boolean;
+    constructor({ broadcast, list, send }?: {
+        broadcast?: boolean;
+        list?: boolean;
+        send?: boolean;
+    });
+}
+export declare class TableGrant {
+    name: string;
+    write: boolean;
+    read: boolean;
+    alter: boolean;
+    constructor({ name, write, read, alter }: {
+        name: string;
+        write?: boolean;
+        read?: boolean;
+        alter?: boolean;
+    });
+}
+export declare class DatabaseGrant {
+    tables?: TableGrant[];
+    listTables: boolean;
+    constructor({ tables, listTables }?: {
+        tables?: TableGrant[];
+        listTables?: boolean;
+    });
+    private _match;
+    canWrite(table: string): boolean;
+    canRead(table: string): boolean;
+    canAlter(table: string): boolean;
+}
+export declare class SyncPathGrant {
+    path: string;
+    readOnly: boolean;
+    constructor({ path, readOnly }: {
+        path: string;
+        readOnly?: boolean;
+    });
+}
+export declare class SyncGrant {
+    paths?: SyncPathGrant[];
+    constructor({ paths }?: {
+        paths?: SyncPathGrant[];
+    });
+    private matches;
+    canRead(path: string): boolean;
+    canWrite(path: string): boolean;
+}
+export declare class StoragePathGrant {
+    path: string;
+    readOnly: boolean;
+    constructor({ path, readOnly }: {
+        path: string;
+        readOnly?: boolean;
+    });
+}
+export declare class StorageGrant {
+    paths?: StoragePathGrant[];
+    constructor({ paths }?: {
+        paths?: StoragePathGrant[];
+    });
+    private matches;
+    canRead(path: string): boolean;
+    canWrite(path: string): boolean;
+}
+export declare class ContainersGrant {
+    logs: boolean;
+    pull?: StringList;
+    run?: StringList;
+    useContainers: boolean;
+    constructor({ logs, pull, run, useContainers }?: {
+        logs?: boolean;
+        pull?: StringList;
+        run?: StringList;
+        useContainers?: boolean;
+    });
+    private match;
+    canPull(tag: string): boolean;
+    canRun(tag: string): boolean;
+}
+export declare class DeveloperGrant {
+    logs: boolean;
+    constructor({ logs }?: {
+        logs?: boolean;
+    });
+}
+export declare class AdminGrant {
+}
+export declare class SecretsGrant {
+    requestOauthToken?: StringList;
+    canRequestOauthToken(authorizationEndpoint: string): boolean;
+}
+export declare class ApiScope {
+    livekit?: LivekitGrant;
+    queues?: QueuesGrant;
+    messaging?: MessagingGrant;
+    database?: DatabaseGrant;
+    sync?: SyncGrant;
+    storage?: StorageGrant;
+    containers?: ContainersGrant;
+    developer?: DeveloperGrant;
+    agents?: AgentsGrant;
+    admin?: AdminGrant;
+    secrets?: SecretsGrant;
+    constructor({ livekit, queues, messaging, database, sync, storage, containers, developer, agents, admin, secrets, }?: {
+        livekit?: LivekitGrant;
+        queues?: QueuesGrant;
+        messaging?: MessagingGrant;
+        database?: DatabaseGrant;
+        sync?: SyncGrant;
+        storage?: StorageGrant;
+        containers?: ContainersGrant;
+        developer?: DeveloperGrant;
+        agents?: AgentsGrant;
+        admin?: AdminGrant;
+        secrets?: SecretsGrant;
+    });
+    static agentDefault(): ApiScope;
+    static userDefault(): ApiScope;
+    static full(): ApiScope;
+    toJSON(): Record<string, any>;
+    static fromJSON(obj: any): ApiScope;
+}
 export declare class ParticipantGrant {
     name: string;
-    scope?: string;
+    scope?: string | ApiScope;
     constructor({ name, scope }: {
         name: string;
-        scope?: string;
+        scope?: string | ApiScope;
     });
     toJson(): Record<string, any>;
     static fromJson(json: Record<string, any>): ParticipantGrant;
@@ -12,25 +174,35 @@ export declare class ParticipantToken {
     name: string;
     projectId?: string;
     apiKeyId?: string;
+    version?: string;
     grants: ParticipantGrant[];
     extra?: Record<string, any>;
-    constructor({ name, projectId, apiKeyId, extra, grants, }: {
+    constructor({ name, projectId, apiKeyId, version, extra, grants, }: {
         name: string;
         projectId?: string;
         apiKeyId?: string;
+        version?: string;
         extra?: Record<string, any>;
         grants?: ParticipantGrant[];
     });
+    get role(): string;
     get isAgent(): boolean;
+    get isUser(): boolean;
+    addTunnelGrant(ports: number[]): void;
     addRoleGrant(role: string): void;
     addRoomGrant(roomName: string): void;
+    addApiGrant(grant: ApiScope): void;
+    grantScope(name: string): string | ApiScope | undefined;
+    getApiGrant(): string | ApiScope | undefined;
     toJson(): Record<string, any>;
-    toJwt({ token }: {
-        token: string;
+    toJwt({ token, expiration, apiKey }?: {
+        token?: string;
+        expiration?: Date;
+        apiKey?: string;
     }): Promise<string>;
     static fromJson(json: Record<string, any>): ParticipantToken;
-    static fromJwt(jwtStr: string, options: {
-        token: string;
+    static fromJwt(jwtStr: string, options?: {
+        token?: string;
         verify?: boolean;
     }): Promise<ParticipantToken>;
 }

package/dist/esm/participant-token.js

@@ -1,30 +1,275 @@
 import { decodeJwt, jwtVerify, SignJWT } from "jose";
+import { parseApiKey } from "./api_keys";
+export class AgentsGrant {
+    constructor({ registerAgent, registerPublicToolkit, registerPrivateToolkit, call, useAgents, useTools, } = {}) {
+        this.registerAgent = registerAgent ?? true;
+        this.registerPublicToolkit = registerPublicToolkit ?? true;
+        this.registerPrivateToolkit = registerPrivateToolkit ?? true;
+        this.call = call ?? true;
+        this.useAgents = useAgents ?? true;
+        this.useTools = useTools ?? true;
+    }
+}
+export class LivekitGrant {
+    constructor({ breakoutRooms } = {}) {
+        this.breakoutRooms = breakoutRooms;
+    }
+    canJoinBreakoutRoom(name) {
+        return !this.breakoutRooms || this.breakoutRooms.includes(name);
+    }
+}
+export class QueuesGrant {
+    constructor({ send, receive, list } = {}) {
+        this.list = true;
+        this.send = send;
+        this.receive = receive;
+        this.list = list ?? true;
+    }
+    canSend(q) {
+        return !this.send || this.send.includes(q);
+    }
+    canReceive(q) {
+        return !this.receive || this.receive.includes(q);
+    }
+}
+export class MessagingGrant {
+    constructor({ broadcast, list, send } = {}) {
+        this.broadcast = broadcast ?? true;
+        this.list = list ?? true;
+        this.send = send ?? true;
+    }
+}
+export class TableGrant {
+    constructor({ name, write, read, alter }) {
+        this.write = false;
+        this.read = true;
+        this.alter = false;
+        this.name = name;
+        this.write = write ?? false;
+        this.read = read ?? true;
+        this.alter = alter ?? false;
+    }
+}
+export class DatabaseGrant {
+    constructor({ tables, listTables } = {}) {
+        this.listTables = true;
+        this.tables = tables;
+        this.listTables = listTables ?? true;
+    }
+    _match(table) {
+        if (!this.tables)
+            return undefined;
+        return this.tables.find(t => t.name === table);
+    }
+    canWrite(table) {
+        const t = this._match(table);
+        return t ? t.write : this.tables === undefined;
+    }
+    canRead(table) {
+        const t = this._match(table);
+        return t ? t.read : this.tables === undefined;
+    }
+    canAlter(table) {
+        const t = this._match(table);
+        return t ? t.alter : this.tables === undefined;
+    }
+}
+export class SyncPathGrant {
+    constructor({ path, readOnly }) {
+        this.path = path;
+        this.readOnly = readOnly ?? false;
+    }
+}
+export class SyncGrant {
+    constructor({ paths } = {}) {
+        this.paths = paths;
+    }
+    matches(p, path) {
+        return p.path === path || (p.path.endsWith("*") && path.startsWith(p.path.slice(0, -1)));
+    }
+    canRead(path) {
+        if (this.paths) {
+            return this.paths.some(p => this.matches(p, path));
+        }
+        return true;
+    }
+    canWrite(path) {
+        if (this.paths) {
+            const p = this.paths.find(pp => this.matches(pp, path));
+            return p ? !p.readOnly : false;
+        }
+        return true;
+    }
+}
+export class StoragePathGrant {
+    constructor({ path, readOnly }) {
+        this.path = path;
+        this.readOnly = readOnly ?? false;
+    }
+}
+export class StorageGrant {
+    constructor({ paths } = {}) {
+        this.paths = paths;
+    }
+    matches(p, path) {
+        return path.startsWith(p.path);
+    }
+    canRead(path) {
+        if (!this.paths)
+            return true;
+        return this.paths.some(p => this.matches(p, path));
+    }
+    canWrite(path) {
+        if (!this.paths)
+            return true;
+        const p = this.paths.find(pp => this.matches(pp, path));
+        return p ? !p.readOnly : false;
+    }
+}
+export class ContainersGrant {
+    constructor({ logs, pull, run, useContainers } = {}) {
+        this.logs = logs ?? true;
+        this.pull = pull;
+        this.run = run;
+        this.useContainers = useContainers ?? true;
+    }
+    match(list, tag) {
+        if (!list) {
+            return true;
+        }
+        return list.some(t => tag === t || tag.startsWith(t.endsWith("*") ? t.slice(0, -1) : t));
+    }
+    canPull(tag) {
+        return this.match(this.pull, tag);
+    }
+    canRun(tag) {
+        return this.match(this.run, tag);
+    }
+}
+export class DeveloperGrant {
+    constructor({ logs } = {}) {
+        this.logs = logs ?? true;
+    }
+}
+export class AdminGrant {
+}
+export class SecretsGrant {
+    canRequestOauthToken(authorizationEndpoint) {
+        if (!this.requestOauthToken) {
+            return true;
+        }
+        return this.requestOauthToken.some(t => t === authorizationEndpoint || ((t.endsWith("*") && authorizationEndpoint.startsWith(t.slice(0, -1)))));
+    }
+}
+export class ApiScope {
+    constructor({ livekit, queues, messaging, database, sync, storage, containers, developer, agents, admin, secrets, } = {}) {
+        this.livekit = livekit;
+        this.queues = queues;
+        this.messaging = messaging;
+        this.database = database;
+        this.sync = sync;
+        this.storage = storage;
+        this.containers = containers;
+        this.developer = developer;
+        this.agents = agents;
+        this.admin = admin;
+        this.secrets = secrets;
+    }
+    static agentDefault() {
+        const s = new ApiScope();
+        s.livekit = new LivekitGrant();
+        s.queues = new QueuesGrant();
+        s.messaging = new MessagingGrant();
+        s.database = new DatabaseGrant();
+        s.sync = new SyncGrant();
+        s.storage = new StorageGrant();
+        s.containers = new ContainersGrant();
+        s.developer = new DeveloperGrant();
+        s.agents = new AgentsGrant();
+        return s;
+    }
+    static userDefault() {
+        const s = new ApiScope();
+        s.livekit = new LivekitGrant();
+        s.queues = new QueuesGrant();
+        s.messaging = new MessagingGrant();
+        s.database = new DatabaseGrant();
+        s.sync = new SyncGrant();
+        s.storage = new StorageGrant();
+        s.containers = new ContainersGrant();
+        s.developer = new DeveloperGrant();
+        s.agents = new AgentsGrant();
+        s.secrets = new SecretsGrant();
+        return s;
+    }
+    static full() {
+        const s = ApiScope.agentDefault();
+        s.admin = new AdminGrant();
+        return s;
+    }
+    toJSON() {
+        return { ...this };
+    }
+    static fromJSON(obj) {
+        return Object.assign(new ApiScope(), obj);
+    }
+}
 export class ParticipantGrant {
     constructor({ name, scope }) {
         this.name = name;
         this.scope = scope;
     }
     toJson() {
+        if (this.name === "api" && this.scope && typeof this.scope !== "string") {
+            return {
+                name: this.name,
+                scope: this.scope.toJSON(),
+            };
+        }
         return {
             name: this.name,
             scope: this.scope,
         };
     }
     static fromJson(json) {
+        const name = json["name"];
+        let scope = json["scope"];
+        if (name === "api" && scope && typeof scope === "object") {
+            scope = ApiScope.fromJSON(scope);
+        }
         return new ParticipantGrant({
-            name: json["name"],
-            scope: json["scope"],
+            name,
+            scope,
         });
     }
 }
+function compareSemver(a, b) {
+    const pa = a.split(".").map(n => parseInt(n, 10));
+    const pb = b.split(".").map(n => parseInt(n, 10));
+    for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+        const x = pa[i] || 0, y = pb[i] || 0;
+        if (x !== y)
+            return x - y;
+    }
+    return 0;
+}
 export class ParticipantToken {
-    constructor({ name, projectId, apiKeyId, extra, grants, }) {
+    constructor({ name, projectId, apiKeyId, version, extra, grants, }) {
         this.name = name;
         this.projectId = projectId;
         this.apiKeyId = apiKeyId;
+        this.version = version;
         this.extra = extra ?? {};
         this.grants = grants ?? [];
     }
+    get role() {
+        for (const g of this.grants) {
+            if (g.name === "role" && g.scope !== "user") {
+                return String(g.scope);
+            }
+        }
+        return "user";
+    }
     get isAgent() {
         for (const grant of this.grants) {
             if (grant.name === "role" && grant.scope === "agent") {
@@ -33,44 +278,136 @@ export class ParticipantToken {
         }
         return false;
     }
+    get isUser() {
+        for (const grant of this.grants) {
+            if (grant.name === "role" && grant.scope !== "user") {
+                return false;
+            }
+        }
+        return true;
+    }
+    addTunnelGrant(ports) {
+        const portsStr = ports.join(",");
+        this.grants.push(new ParticipantGrant({ name: "tunnel_ports", scope: portsStr }));
+    }
     addRoleGrant(role) {
         this.grants.push(new ParticipantGrant({ name: "role", scope: role }));
     }
     addRoomGrant(roomName) {
         this.grants.push(new ParticipantGrant({ name: "room", scope: roomName }));
     }
+    addApiGrant(grant) {
+        this.grants.push(new ParticipantGrant({ name: "api", scope: grant }));
+    }
+    grantScope(name) {
+        return this.grants.find(g => g.name === name)?.scope;
+    }
+    getApiGrant() {
+        const api = this.grantScope("api");
+        if (api && typeof api !== "string") {
+            return api;
+        }
+        if (this.version && compareSemver(this.version, "0.6.0") < 0 && !api) {
+            return new ApiScope({
+                livekit: new LivekitGrant(),
+                queues: new QueuesGrant(),
+                messaging: new MessagingGrant(),
+                database: new DatabaseGrant(),
+                sync: new SyncGrant(),
+                storage: new StorageGrant(),
+                agents: new AgentsGrant(),
+                developer: new DeveloperGrant(),
+            });
+        }
+        return api;
+    }
     toJson() {
-        return {
+        const base = {
             name: this.name,
-            ...(this.projectId ? { sub: this.projectId } : {}),
-            ...(this.apiKeyId ? { kid: this.apiKeyId } : {}),
-            grants: this.grants.map((g) => g.toJson()),
+            grants: this.grants.map(g => g.toJson()),
         };
+        if (this.projectId) {
+            base["sub"] = this.projectId;
+        }
+        if (this.apiKeyId) {
+            base["kid"] = this.apiKeyId;
+        }
+        if (this.version) {
+            base["version"] = this.version;
+        }
+        return base;
     }
-    async toJwt({ token }) {
-        const secretKey = new TextEncoder().encode(token);
-        const payload = {
-            ...this.toJson(),
-            ...this.extra,
-        };
-        const jwt = await new SignJWT(payload)
-            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
-            .sign(secretKey);
-        return jwt;
+    async toJwt({ token, expiration, apiKey } = {}) {
+        let apiGrant = null;
+        for (const g of this.grants) {
+            if (g.name === "api") {
+                apiGrant = g;
+                break;
+            }
+        }
+        if (!apiGrant && this.version && compareSemver(this.version, "0.5.3") >= 0) {
+            console.error("ParticipantToken.toJwt: No API grant found, but version is >= 0.5.3. " +
+                "This may cause issues with older clients that expect an API grant.");
+        }
+        let resolvedSecret = token;
+        let resolvedKid = this.apiKeyId;
+        let resolvedSub = this.projectId;
+        const apiKeyValue = apiKey ?? process.env.MESHAGENT_API_KEY;
+        if (apiKeyValue) {
+            const parsed = parseApiKey(apiKeyValue);
+            resolvedSecret ?? (resolvedSecret = parsed.secret);
+            resolvedKid = parsed.id;
+            resolvedSub = parsed.projectId;
+        }
+        let usingDefaultSecret = false;
+        if (!resolvedSecret) {
+            const envSecret = process.env.MESHAGENT_SECRET;
+            if (!envSecret) {
+                throw new Error("ParticipantToken.toJwt: No secret provided. Pass `token`, `apiKey`, or set MESHAGENT_SECRET / MESHAGENT_API_KEY.");
+            }
+            resolvedSecret = envSecret;
+            usingDefaultSecret = true;
+        }
+        const secretKey = new TextEncoder().encode(resolvedSecret);
+        const payload = this.toJson();
+        if (resolvedSub) {
+            payload["sub"] = resolvedSub;
+        }
+        else {
+            delete payload["sub"];
+        }
+        if (usingDefaultSecret) {
+            delete payload["kid"];
+        }
+        else if (resolvedKid) {
+            payload["kid"] = resolvedKid;
+        }
+        else {
+            delete payload["kid"];
+        }
+        if (expiration) {
+            payload.exp = Math.floor(expiration.getTime() / 1000);
+        }
+        const jwt = new SignJWT(payload)
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" });
+        const jwtToken = await jwt.sign(secretKey);
+        return jwtToken;
     }
     static fromJson(json) {
-        const { name, sub, grants, kid, ...rest } = json;
+        const { name, sub, grants, kid, version, ...rest } = json;
         const extra = { ...rest };
+        const v = version ? version : "0.5.3";
         return new ParticipantToken({
             name: name,
             projectId: sub,
             apiKeyId: kid,
+            version: v,
             grants: grants?.map((g) => ParticipantGrant.fromJson(g)),
             extra,
         });
     }
-    static async fromJwt(jwtStr, options) {
-        const { token, verify = true } = options;
+    static async fromJwt(jwtStr, options = {}) {
+        const { token, verify = true } = options ?? {};
         if (verify) {
             const secretKey = new TextEncoder().encode(token);
             const { payload } = await jwtVerify(jwtStr, secretKey, {

package/dist/esm/stream-controller.js

@@ -35,10 +35,7 @@ export class StreamController {
                     },
                     async return() {
                         cleanup();
-                        return {
-                            done: true,
-                            value: undefined
-                        };
+                        return { done: true, value: undefined };
                     },
                     async throw(e) {
                         cleanup();
@@ -55,10 +52,7 @@ export class StreamController {
             if (sub.waiter) {
                 const w = sub.waiter;
                 sub.waiter = null;
-                try {
-                    w({ done: false, value });
-                }
-                catch { }
+                w({ done: false, value });
             }
             else {
                 sub.queue.push(value);
@@ -73,12 +67,7 @@ export class StreamController {
             if (sub.waiter) {
                 const w = sub.waiter;
                 sub.waiter = null;
-                try {
-                    w({ done: true, value: undefined });
-                }
-                catch { }
-            }
-            else {
+                w({ done: true, value: undefined });
             }
         }
     }