@rainfall-devkit/sdk 0.1.8 → 0.2.1

package/dist/index.d.ts

@@ -1,4 +1,251 @@
-export { A as AI, a as ApiError, b as ApiResponse, c as Articles, d as AuthenticationError, D as Data, I as Integrations, M as Memory, N as NetworkError, e as NotFoundError, R as Rainfall, f as RainfallClient, g as RainfallConfig, h as RainfallError, i as RateLimitError, j as RateLimitInfo, k as RequestOptions, S as ServerError, T as TimeoutError, l as ToolNotFoundError, m as ToolSchema, U as Utils, V as ValidationError, W as Web } from './errors-COkXMRZk.js';
+import { l as RainfallClient } from './sdk-4OvXPr8E.js';
+export { A as AI, b as ApiError, c as ApiResponse, d as Articles, D as Data, I as Integrations, M as Memory, a as Rainfall, R as RainfallConfig, e as RateLimitInfo, f as RequestOptions, T as ToolSchema, U as Utils, W as Web } from './sdk-4OvXPr8E.js';
+export { A as AuthenticationError, N as NetworkError, a as NotFoundError, R as RainfallError, b as RateLimitError, S as ServerError, T as TimeoutError, c as ToolNotFoundError, V as ValidationError } from './errors-BMPseAnM.js';
+export { C as ContextOptions, c as CronTriggerConfig, E as EdgeNodeRegistration, F as FileWatcherConfig, L as ListenerEvent, d as ListenerRegistry, M as MemoryEntry, N as NetworkedExecutorOptions, e as NodeCapabilities, Q as QueuedJob, a as RainfallDaemonContext, b as RainfallListenerRegistry, R as RainfallNetworkedExecutor, S as SessionContext, T as ToolExecutionRecord, f as createCronWorkflow, g as createFileWatcherWorkflow } from './listeners-B5Vy9Ao5.js';
+import 'ws';
+import '@modelcontextprotocol/sdk/client/index.js';
+import '@modelcontextprotocol/sdk/client/stdio.js';
+import '@modelcontextprotocol/sdk/client/streamableHttp.js';
+
+/**
+ * Edge Node Security Module
+ *
+ * Provides:
+ * - JWT token generation/validation for edge node authentication
+ * - ACL enforcement for job routing (same-subscriber only)
+ * - Libsodium-based encryption for job parameters
+ * - Key pair generation for edge nodes
+ */
+interface EdgeNodeJWT {
+    sub: string;
+    iss: string;
+    iat: number;
+    exp: number;
+    jti: string;
+    scope: string[];
+}
+interface JWTPayload {
+    edgeNodeId: string;
+    subscriberId: string;
+    scopes: string[];
+    expiresAt: number;
+}
+interface ACLCheck {
+    edgeNodeId: string;
+    subscriberId: string;
+    jobSubscriberId: string;
+    action: 'claim' | 'submit' | 'queue' | 'heartbeat';
+}
+interface ACLResult {
+    allowed: boolean;
+    reason?: string;
+}
+interface EncryptedPayload {
+    ciphertext: string;
+    nonce: string;
+    ephemeralPublicKey: string;
+}
+interface KeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+/**
+ * Edge Node Security Manager
+ */
+declare class EdgeNodeSecurity {
+    private sodiumReady;
+    private backendSecret?;
+    private keyPair?;
+    constructor(options?: {
+        backendSecret?: string;
+        keyPair?: KeyPair;
+    });
+    /**
+     * Initialize libsodium
+     */
+    initialize(): Promise<void>;
+    /**
+     * Generate a JWT token for an edge node
+     * Note: In production, this is done by the backend. This is for testing.
+     */
+    generateJWT(edgeNodeId: string, subscriberId: string, expiresInDays?: number): string;
+    /**
+     * Validate a JWT token
+     */
+    validateJWT(token: string): JWTPayload;
+    /**
+     * Extract bearer token from Authorization header
+     */
+    extractBearerToken(authHeader: string | undefined): string | null;
+    /**
+     * Check if an edge node is allowed to perform an action on a job
+     * Rule: Edge nodes can only access jobs for their own subscriber
+     */
+    checkACL(check: ACLCheck): ACLResult;
+    /**
+     * Middleware-style ACL check for job operations
+     */
+    requireSameSubscriber(edgeNodeSubscriberId: string, jobSubscriberId: string, operation: string): void;
+    /**
+     * Generate a new Ed25519 key pair for an edge node
+     */
+    generateKeyPair(): Promise<KeyPair>;
+    /**
+     * Encrypt job parameters for a target edge node using its public key
+     */
+    encryptForEdgeNode(plaintext: string, targetPublicKeyBase64: string): Promise<EncryptedPayload>;
+    /**
+     * Decrypt job parameters received from the backend
+     */
+    decryptFromBackend(encrypted: EncryptedPayload): Promise<string>;
+    /**
+     * Encrypt job parameters for local storage (using secretbox)
+     */
+    encryptLocal(plaintext: string, key: string): Promise<{
+        ciphertext: string;
+        nonce: string;
+    }>;
+    /**
+     * Decrypt locally stored job parameters
+     */
+    decryptLocal(encrypted: {
+        ciphertext: string;
+        nonce: string;
+    }, key: string): Promise<string>;
+    private generateTokenId;
+    private base64UrlEncode;
+    private base64UrlDecode;
+    private hmacSha256;
+    private timingSafeEqual;
+    private bytesToBase64;
+    private base64ToBytes;
+    private deriveKey;
+}
+/**
+ * Create security manager from environment or config
+ */
+declare function createEdgeNodeSecurity(options?: {
+    backendSecret?: string;
+    keyPair?: KeyPair;
+}): Promise<EdgeNodeSecurity>;
+
+/**
+ * Secure Edge Node Client
+ *
+ * Handles secure communication with the Rainfall backend:
+ * - JWT authentication on all requests
+ * - ACL validation
+ * - Job parameter encryption/decryption
+ */
+
+interface SecureEdgeConfig {
+    /** Rainfall client instance */
+    client: RainfallClient;
+    /** Edge node ID from backend registration */
+    edgeNodeId: string;
+    /** JWT secret from backend */
+    edgeNodeSecret: string;
+    /** Path to key directory (contains edge-node.pub and edge-node.key) */
+    keysPath: string;
+    /** Backend secret for JWT validation (optional, for testing) */
+    backendSecret?: string;
+}
+interface SecureJob {
+    id: string;
+    subscriberId: string;
+    type: string;
+    params?: string;
+    encrypted?: boolean;
+}
+interface JobResult {
+    jobId: string;
+    success: boolean;
+    output?: string;
+    error?: string;
+}
+/**
+ * Secure Edge Node Client
+ *
+ * Wraps the Rainfall Client with security features for edge node operation.
+ */
+declare class SecureEdgeClient {
+    private client;
+    private security;
+    private edgeNodeId;
+    private edgeNodeSecret;
+    private keysPath;
+    private jwtPayload?;
+    private keyPair?;
+    constructor(config: SecureEdgeConfig);
+    /**
+     * Initialize the secure client
+     */
+    initialize(): Promise<void>;
+    /**
+     * Load key pair from disk
+     */
+    private loadKeyPair;
+    /**
+     * Get public key for sharing with backend
+     */
+    getPublicKey(): string;
+    /**
+     * Send heartbeat with authentication
+     */
+    heartbeat(): Promise<{
+        status: string;
+        timestamp: number;
+    }>;
+    /**
+     * Claim a job from the queue
+     */
+    claimJob(): Promise<SecureJob | null>;
+    /**
+     * Submit job result
+     */
+    submitJobResult(result: JobResult): Promise<void>;
+    /**
+     * Queue a job for processing
+     */
+    queueJob(type: string, params: Record<string, unknown>, targetPublicKey?: string): Promise<{
+        jobId: string;
+    }>;
+    /**
+     * Decrypt job params received from backend
+     */
+    private decryptJobParams;
+    /**
+     * Encrypt job result for sending to backend
+     */
+    private encryptJobResult;
+    /**
+     * Encrypt job params for a specific target edge node
+     */
+    private encryptJobParamsForTarget;
+    /**
+     * Check if client is authenticated
+     */
+    private requireAuth;
+    /**
+     * Get current authentication status
+     */
+    getAuthStatus(): {
+        authenticated: boolean;
+        edgeNodeId?: string;
+        subscriberId?: string;
+        expiresAt?: number;
+        scopes?: string[];
+    };
+}
+/**
+ * Factory function to create secure edge client from config
+ */
+declare function createSecureEdgeClient(client: RainfallClient, options: {
+    edgeNodeId: string;
+    edgeNodeSecret: string;
+    keysPath: string;
+    backendSecret?: string;
+}): Promise<SecureEdgeClient>;
 
 /**
  * Rainfall SDK - Official SDK for Rainfall API
@@ -26,4 +273,4 @@ export { A as AI, a as ApiError, b as ApiResponse, c as Articles, d as Authentic
 
 declare const VERSION = "0.1.0";
 
-export { VERSION };
+export { type ACLCheck, type ACLResult, type EdgeNodeJWT, EdgeNodeSecurity, type EncryptedPayload, type JWTPayload, type JobResult, type KeyPair, RainfallClient, SecureEdgeClient, type SecureEdgeConfig, type SecureJob, VERSION, createEdgeNodeSecurity, createSecureEdgeClient };