@onkernel/sdk 0.30.0 → 0.32.0

package/src/client.ts

@@ -34,6 +34,8 @@ import {
   CreateCredentialProviderRequest,
   CredentialProvider,
   CredentialProviderCreateParams,
+  CredentialProviderItem,
+  CredentialProviderListItemsResponse,
   CredentialProviderListResponse,
   CredentialProviderTestResult,
   CredentialProviderUpdateParams,
@@ -96,6 +98,7 @@ import {
   ProxyRetrieveResponse,
 } from './resources/proxies';
 import { Agents } from './resources/agents/agents';
+import { Auth } from './resources/auth/auth';
 import {
   BrowserCreateParams,
   BrowserCreateResponse,
@@ -616,9 +619,14 @@ export class Kernel {
   getAPIList<Item, PageClass extends Pagination.AbstractPage<Item> = Pagination.AbstractPage<Item>>(
     path: string,
     Page: new (...args: any[]) => PageClass,
-    opts?: RequestOptions,
+    opts?: PromiseOrValue<RequestOptions>,
   ): Pagination.PagePromise<PageClass, Item> {
-    return this.requestAPIList(Page, { method: 'get', path, ...opts });
+    return this.requestAPIList(
+      Page,
+      opts && 'then' in opts ?
+        opts.then((opts) => ({ method: 'get', path, ...opts }))
+      : { method: 'get', path, ...opts },
+    );
   }
 
   requestAPIList<
@@ -626,7 +634,7 @@ export class Kernel {
     PageClass extends Pagination.AbstractPage<Item> = Pagination.AbstractPage<Item>,
   >(
     Page: new (...args: ConstructorParameters<typeof Pagination.AbstractPage>) => PageClass,
-    options: FinalRequestOptions,
+    options: PromiseOrValue<FinalRequestOptions>,
   ): Pagination.PagePromise<PageClass, Item> {
     const request = this.makeRequest(options, null, undefined);
     return new Pagination.PagePromise<PageClass, Item>(this as any as Kernel, request, Page);
@@ -639,7 +647,7 @@ export class Kernel {
     controller: AbortController,
   ): Promise<Response> {
     const { signal, method, ...options } = init || {};
-    const abort = controller.abort.bind(controller);
+    const abort = this._makeAbort(controller);
     if (signal) signal.addEventListener('abort', abort, { once: true });
 
     const timeout = setTimeout(abort, ms);
@@ -809,6 +817,12 @@ export class Kernel {
     return headers.values;
   }
 
+  private _makeAbort(controller: AbortController) {
+    // note: we can't just inline this method inside `fetchWithTimeout()` because then the closure
+    //       would capture all request options, and cause a memory leak.
+    return () => controller.abort();
+  }
+
   private buildBody({ options: { body, headers: rawHeaders } }: { options: FinalRequestOptions }): {
     bodyHeaders: HeadersLike;
     body: BodyInit | undefined;
@@ -880,6 +894,7 @@ export class Kernel {
   invocations: API.Invocations = new API.Invocations(this);
   browsers: API.Browsers = new API.Browsers(this);
   profiles: API.Profiles = new API.Profiles(this);
+  auth: API.Auth = new API.Auth(this);
   proxies: API.Proxies = new API.Proxies(this);
   extensions: API.Extensions = new API.Extensions(this);
   browserPools: API.BrowserPools = new API.BrowserPools(this);
@@ -893,6 +908,7 @@ Kernel.Apps = Apps;
 Kernel.Invocations = Invocations;
 Kernel.Browsers = Browsers;
 Kernel.Profiles = Profiles;
+Kernel.Auth = Auth;
 Kernel.Proxies = Proxies;
 Kernel.Extensions = Extensions;
 Kernel.BrowserPools = BrowserPools;
@@ -968,6 +984,8 @@ export declare namespace Kernel {
     type ProfileCreateParams as ProfileCreateParams,
   };
 
+  export { Auth as Auth };
+
   export {
     Proxies as Proxies,
     type ProxyCreateResponse as ProxyCreateResponse,
@@ -1015,9 +1033,11 @@ export declare namespace Kernel {
     CredentialProviders as CredentialProviders,
     type CreateCredentialProviderRequest as CreateCredentialProviderRequest,
     type CredentialProvider as CredentialProvider,
+    type CredentialProviderItem as CredentialProviderItem,
     type CredentialProviderTestResult as CredentialProviderTestResult,
     type UpdateCredentialProviderRequest as UpdateCredentialProviderRequest,
     type CredentialProviderListResponse as CredentialProviderListResponse,
+    type CredentialProviderListItemsResponse as CredentialProviderListItemsResponse,
     type CredentialProviderCreateParams as CredentialProviderCreateParams,
     type CredentialProviderUpdateParams as CredentialProviderUpdateParams,
   };

package/src/resources/agents/auth/auth.ts

@@ -19,46 +19,33 @@ export class Auth extends APIResource {
   invocations: InvocationsAPI.Invocations = new InvocationsAPI.Invocations(this._client);
 
   /**
-   * Creates a new auth agent for the specified domain and profile combination, or
-   * returns an existing one if it already exists. This is idempotent - calling with
-   * the same domain and profile will return the same agent. Does NOT start an
-   * invocation - use POST /agents/auth/invocations to start an auth flow.
+   * **Deprecated: Use POST /auth/connections instead.** Creates a new auth agent for
+   * the specified domain and profile combination, or returns an existing one if it
+   * already exists. This is idempotent - calling with the same domain and profile
+   * will return the same agent. Does NOT start an invocation - use POST
+   * /agents/auth/invocations to start an auth flow.
    *
-   * @example
-   * ```ts
-   * const authAgent = await client.agents.auth.create({
-   *   domain: 'netflix.com',
-   *   profile_name: 'user-123',
-   * });
-   * ```
+   * @deprecated
    */
   create(body: AuthCreateParams, options?: RequestOptions): APIPromise<AuthAgent> {
     return this._client.post('/agents/auth', { body, ...options });
   }
 
   /**
-   * Retrieve an auth agent by its ID. Returns the current authentication status of
-   * the managed profile.
+   * **Deprecated: Use GET /auth/connections/{id} instead.** Retrieve an auth agent
+   * by its ID. Returns the current authentication status of the managed profile.
    *
-   * @example
-   * ```ts
-   * const authAgent = await client.agents.auth.retrieve('id');
-   * ```
+   * @deprecated
    */
   retrieve(id: string, options?: RequestOptions): APIPromise<AuthAgent> {
     return this._client.get(path`/agents/auth/${id}`, options);
   }
 
   /**
-   * List auth agents with optional filters for profile_name and domain.
+   * **Deprecated: Use GET /auth/connections instead.** List auth agents with
+   * optional filters for profile_name and domain.
    *
-   * @example
-   * ```ts
-   * // Automatically fetches more pages as needed.
-   * for await (const authAgent of client.agents.auth.list()) {
-   *   // ...
-   * }
-   * ```
+   * @deprecated
    */
   list(
     query: AuthListParams | null | undefined = {},
@@ -68,16 +55,14 @@ export class Auth extends APIResource {
   }
 
   /**
-   * Deletes an auth agent and terminates its workflow. This will:
+   * **Deprecated: Use DELETE /auth/connections/{id} instead.** Deletes an auth agent
+   * and terminates its workflow. This will:
    *
    * - Soft delete the auth agent record
    * - Gracefully terminate the agent's Temporal workflow
    * - Cancel any in-progress invocations
    *
-   * @example
-   * ```ts
-   * await client.agents.auth.delete('id');
-   * ```
+   * @deprecated
    */
   delete(id: string, options?: RequestOptions): APIPromise<void> {
     return this._client.delete(path`/agents/auth/${id}`, {
@@ -126,13 +111,12 @@ export interface AgentAuthInvocationResponse {
     | 'expired';
 
   /**
-   * The invocation type:
+   * The session type:
    *
-   * - login: First-time authentication
-   * - reauth: Re-authentication for previously authenticated agents
-   * - auto_login: Legacy type (no longer created, kept for backward compatibility)
+   * - login: User-initiated authentication
+   * - reauth: System-triggered re-authentication (via health check)
    */
-  type: 'login' | 'auto_login' | 'reauth';
+  type: 'login' | 'reauth';
 
   /**
    * Error message explaining why the invocation failed (present when status=FAILED)
@@ -188,9 +172,9 @@ export namespace AgentAuthInvocationResponse {
     label: string;
 
     /**
-     * The MFA delivery method type
+     * The MFA delivery method type (includes password for auth method selection pages)
      */
-    type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'security_key';
+    type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'password';
 
     /**
      * Additional instructions from the site
@@ -263,6 +247,21 @@ export interface AuthAgent {
    * Additional domains that are valid for this auth agent's authentication flow
    * (besides the primary domain). Useful when login pages redirect to different
    * domains.
+   *
+   * The following SSO/OAuth provider domains are automatically allowed by default
+   * and do not need to be specified:
+   *
+   * - Google: accounts.google.com
+   * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
+   * - Okta: _.okta.com, _.oktapreview.com
+   * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
+   * - Apple: appleid.apple.com
+   * - GitHub: github.com
+   * - Facebook/Meta: www.facebook.com
+   * - LinkedIn: www.linkedin.com
+   * - Amazon Cognito: \*.amazoncognito.com
+   * - OneLogin: \*.onelogin.com
+   * - Ping Identity: _.pingone.com, _.pingidentity.com
    */
   allowed_domains?: Array<string>;
 
@@ -273,14 +272,24 @@ export interface AuthAgent {
   can_reauth?: boolean;
 
   /**
-   * ID of the linked credential for automatic re-authentication
+   * Reason why automatic re-authentication is or is not possible
    */
-  credential_id?: string;
+  can_reauth_reason?: string;
 
   /**
-   * Name of the linked credential for automatic re-authentication
+   * Reference to credentials for managed auth. Use one of:
+   *
+   * - { name } for Kernel credentials
+   * - { provider, path } for external provider item
+   * - { provider, auto: true } for external provider domain lookup
    */
-  credential_name?: string;
+  credential?: AuthAgent.Credential;
+
+  /**
+   * ID of the linked Kernel credential for automatic re-authentication (deprecated,
+   * use credential)
+   */
+  credential_id?: string;
 
   /**
    * Whether this auth agent has stored selectors for deterministic re-authentication
@@ -299,6 +308,37 @@ export interface AuthAgent {
   post_login_url?: string;
 }
 
+export namespace AuthAgent {
+  /**
+   * Reference to credentials for managed auth. Use one of:
+   *
+   * - { name } for Kernel credentials
+   * - { provider, path } for external provider item
+   * - { provider, auto: true } for external provider domain lookup
+   */
+  export interface Credential {
+    /**
+     * If true, lookup by domain from the specified provider
+     */
+    auto?: boolean;
+
+    /**
+     * Kernel credential name
+     */
+    name?: string;
+
+    /**
+     * Provider-specific path (e.g., "VaultName/ItemName" for 1Password)
+     */
+    path?: string;
+
+    /**
+     * External provider name (e.g., "my-1p")
+     */
+    provider?: string;
+  }
+}
+
 /**
  * Request to create or find an auth agent
  */
@@ -317,6 +357,21 @@ export interface AuthAgentCreateRequest {
    * Additional domains that are valid for this auth agent's authentication flow
    * (besides the primary domain). Useful when login pages redirect to different
    * domains.
+   *
+   * The following SSO/OAuth provider domains are automatically allowed by default
+   * and do not need to be specified:
+   *
+   * - Google: accounts.google.com
+   * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
+   * - Okta: _.okta.com, _.oktapreview.com
+   * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
+   * - Apple: appleid.apple.com
+   * - GitHub: github.com
+   * - Facebook/Meta: www.facebook.com
+   * - LinkedIn: www.linkedin.com
+   * - Amazon Cognito: \*.amazoncognito.com
+   * - OneLogin: \*.onelogin.com
+   * - Ping Identity: _.pingone.com, _.pingidentity.com
    */
   allowed_domains?: Array<string>;
 
@@ -393,13 +448,12 @@ export interface AuthAgentInvocationCreateResponse {
   invocation_id: string;
 
   /**
-   * The invocation type:
+   * The session type:
    *
-   * - login: First-time authentication
-   * - reauth: Re-authentication for previously authenticated agents
-   * - auto_login: Legacy type (no longer created, kept for backward compatibility)
+   * - login: User-initiated authentication
+   * - reauth: System-triggered re-authentication (via health check)
    */
-  type: 'login' | 'auto_login' | 'reauth';
+  type: 'login' | 'reauth';
 }
 
 /**
@@ -426,6 +480,12 @@ export interface DiscoveredField {
    */
   type: 'text' | 'email' | 'password' | 'tel' | 'number' | 'url' | 'code' | 'totp';
 
+  /**
+   * If this field is associated with an MFA option, the type of that option (e.g.,
+   * password field linked to "Enter password" option)
+   */
+  linked_mfa_type?: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'password' | null;
+
   /**
    * Field placeholder
    */
@@ -452,6 +512,21 @@ export interface AuthCreateParams {
    * Additional domains that are valid for this auth agent's authentication flow
    * (besides the primary domain). Useful when login pages redirect to different
    * domains.
+   *
+   * The following SSO/OAuth provider domains are automatically allowed by default
+   * and do not need to be specified:
+   *
+   * - Google: accounts.google.com
+   * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
+   * - Okta: _.okta.com, _.oktapreview.com
+   * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
+   * - Apple: appleid.apple.com
+   * - GitHub: github.com
+   * - Facebook/Meta: www.facebook.com
+   * - LinkedIn: www.linkedin.com
+   * - Amazon Cognito: \*.amazoncognito.com
+   * - OneLogin: \*.onelogin.com
+   * - Ping Identity: _.pingone.com, _.pingidentity.com
    */
   allowed_domains?: Array<string>;
 

package/src/resources/agents/auth/invocations.ts

@@ -8,17 +8,11 @@ import { path } from '../../../internal/utils/path';
 
 export class Invocations extends APIResource {
   /**
-   * Creates a new authentication invocation for the specified auth agent. This
-   * starts the auth flow and returns a hosted URL for the user to complete
-   * authentication.
+   * **Deprecated: Use POST /auth/connections/{id}/login instead.** Creates a new
+   * authentication invocation for the specified auth agent. This starts the auth
+   * flow and returns a hosted URL for the user to complete authentication.
    *
-   * @example
-   * ```ts
-   * const authAgentInvocationCreateResponse =
-   *   await client.agents.auth.invocations.create({
-   *     auth_agent_id: 'abc123xyz',
-   *   });
-   * ```
+   * @deprecated
    */
   create(
     body: InvocationCreateParams,
@@ -28,33 +22,22 @@ export class Invocations extends APIResource {
   }
 
   /**
-   * Returns invocation details including status, app_name, and domain. Supports both
-   * API key and JWT (from exchange endpoint) authentication.
+   * **Deprecated: Use GET /auth/connections/{id} instead.** Returns invocation
+   * details including status, app_name, and domain. Supports both API key and JWT
+   * (from exchange endpoint) authentication.
    *
-   * @example
-   * ```ts
-   * const agentAuthInvocationResponse =
-   *   await client.agents.auth.invocations.retrieve(
-   *     'invocation_id',
-   *   );
-   * ```
+   * @deprecated
    */
   retrieve(invocationID: string, options?: RequestOptions): APIPromise<AuthAPI.AgentAuthInvocationResponse> {
     return this._client.get(path`/agents/auth/invocations/${invocationID}`, options);
   }
 
   /**
-   * Validates the handoff code and returns a JWT token for subsequent requests. No
-   * authentication required (the handoff code serves as the credential).
+   * **Deprecated: Use POST /auth/connections/{id}/exchange instead.** Validates the
+   * handoff code and returns a JWT token for subsequent requests. No authentication
+   * required (the handoff code serves as the credential).
    *
-   * @example
-   * ```ts
-   * const response =
-   *   await client.agents.auth.invocations.exchange(
-   *     'invocation_id',
-   *     { code: 'abc123xyz' },
-   *   );
-   * ```
+   * @deprecated
    */
   exchange(
     invocationID: string,
@@ -65,23 +48,11 @@ export class Invocations extends APIResource {
   }
 
   /**
-   * Submits field values for the discovered login form. Returns immediately after
-   * submission is accepted. Poll the invocation endpoint to track progress and get
-   * results.
+   * **Deprecated: Use POST /auth/connections/{id}/submit instead.** Submits field
+   * values for the discovered login form. Returns immediately after submission is
+   * accepted. Poll the invocation endpoint to track progress and get results.
    *
-   * @example
-   * ```ts
-   * const agentAuthSubmitResponse =
-   *   await client.agents.auth.invocations.submit(
-   *     'invocation_id',
-   *     {
-   *       field_values: {
-   *         email: 'user@example.com',
-   *         password: '********',
-   *       },
-   *     },
-   *   );
-   * ```
+   * @deprecated
    */
   submit(
     invocationID: string,
@@ -150,9 +121,9 @@ export declare namespace InvocationSubmitParams {
 
   export interface Variant2 {
     /**
-     * The MFA delivery method type
+     * The MFA delivery method type (includes password for auth method selection pages)
      */
-    selected_mfa_type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'security_key';
+    selected_mfa_type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'password';
   }
 }
 

package/src/resources/auth/auth.ts

@@ -0,0 +1,43 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+import { APIResource } from '../../core/resource';
+import * as ConnectionsAPI from './connections';
+import {
+  ConnectionCreateParams,
+  ConnectionFollowResponse,
+  ConnectionListParams,
+  ConnectionLoginParams,
+  ConnectionSubmitParams,
+  Connections,
+  LoginRequest,
+  LoginResponse,
+  ManagedAuth,
+  ManagedAuthCreateRequest,
+  ManagedAuthsOffsetPagination,
+  SubmitFieldsRequest,
+  SubmitFieldsResponse,
+} from './connections';
+
+export class Auth extends APIResource {
+  connections: ConnectionsAPI.Connections = new ConnectionsAPI.Connections(this._client);
+}
+
+Auth.Connections = Connections;
+
+export declare namespace Auth {
+  export {
+    Connections as Connections,
+    type LoginRequest as LoginRequest,
+    type LoginResponse as LoginResponse,
+    type ManagedAuth as ManagedAuth,
+    type ManagedAuthCreateRequest as ManagedAuthCreateRequest,
+    type SubmitFieldsRequest as SubmitFieldsRequest,
+    type SubmitFieldsResponse as SubmitFieldsResponse,
+    type ConnectionFollowResponse as ConnectionFollowResponse,
+    type ManagedAuthsOffsetPagination as ManagedAuthsOffsetPagination,
+    type ConnectionCreateParams as ConnectionCreateParams,
+    type ConnectionListParams as ConnectionListParams,
+    type ConnectionLoginParams as ConnectionLoginParams,
+    type ConnectionSubmitParams as ConnectionSubmitParams,
+  };
+}