npm - @seclai/sdk - Versions diffs - 1.1.0 → 1.1.1 - Mend

@seclai/sdk 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -33,25 +33,66 @@ console.log(result);
 | Option | Environment variable | Default |
 | --- | --- | --- |
-| `apiKey` | `SECLAI_API_KEY` | *required* |
+| `apiKey` | `SECLAI_API_KEY` | — |
+| `accessToken` | — | — |
+| `profile` | `SECLAI_PROFILE` | `"default"` |
+| `configDir` | `SECLAI_CONFIG_DIR` | `~/.seclai` |
+| `autoRefresh` | — | `true` |
+| `accountId` | — | — |
 | `baseUrl` | `SECLAI_API_URL` | `https://api.seclai.com` |
 | `apiKeyHeader` | — | `x-api-key` |
 | `defaultHeaders` | — | `{}` |
 | `fetch` | — | `globalThis.fetch` |
+### Authentication
+Credentials are resolved via a chain (first match wins):
+1. Explicit `apiKey` option
+2. Explicit `accessToken` option (string or `() => string | Promise<string>`)
+3. `SECLAI_API_KEY` environment variable
+4. SSO profile from `~/.seclai/config` with cached tokens in `~/.seclai/sso/cache/`
+```ts
+// API key
+const client = new Seclai({ apiKey: "sk-..." });
+```
 ```ts
+// Static bearer token
+const client = new Seclai({ accessToken: "eyJhbGciOi..." });
+```
+```ts
+// Dynamic bearer token provider (called per request)
 const client = new Seclai({
-  apiKey: "sk-...",
-  baseUrl: "https://staging-api.seclai.com",
-  defaultHeaders: { "X-Custom": "value" },
+  accessToken: async () => fetchTokenFromVault(),
 });
 ```
+```ts
+// SSO profile (uses cached tokens, auto-refreshes)
+const client = new Seclai({ profile: "my-profile" });
+```
+```ts
+// Environment variable (no options needed)
+// export SECLAI_API_KEY="sk-..."
+const client = new Seclai();
+```
+To set up SSO authentication, install the [Seclai CLI](https://www.npmjs.com/package/seclai) and run:
+```bash
+seclai configure sso    # set up an SSO profile
+seclai auth login       # authenticate via browser
+```
 ## API documentation
 Online API documentation (latest):
-https://seclai.github.io/seclai-javascript/1.1.0/
+https://seclai.github.io/seclai-javascript/1.1.1/
 ## Resources

package/dist/index.cjs CHANGED Viewed

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/index.ts
@@ -80,9 +90,283 @@ var SeclaiStreamingError = class extends SeclaiError {
   }
 };
+// src/auth.ts
+var DEFAULT_CONFIG_DIR = ".seclai";
+var SSO_CACHE_DIR = "sso/cache";
+var CONFIG_FILE = "config";
+var EXPIRY_BUFFER_MS = 3e4;
+var DEFAULT_API_KEY_HEADER = "x-api-key";
+function getEnv(name) {
+  const p = globalThis?.process;
+  return p?.env?.[name];
+}
+function getHomeDir() {
+  const p = globalThis?.process;
+  return p?.env?.HOME ?? p?.env?.USERPROFILE;
+}
+async function sha1Hex(input) {
+  try {
+    const { createHash } = await import("crypto");
+    return createHash("sha1").update(input).digest("hex");
+  } catch {
+    const encoded = new TextEncoder().encode(input);
+    const buffer = await crypto.subtle.digest("SHA-1", encoded);
+    return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+}
+async function cacheFileName(domain, clientId) {
+  return sha1Hex(`${domain}|${clientId}`);
+}
+function parseIni(content) {
+  const sections = {};
+  let currentSection = null;
+  for (const rawLine of content.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
+    const sectionMatch = line.match(/^\[(.+)\]$/);
+    if (sectionMatch) {
+      const raw = sectionMatch[1].trim();
+      currentSection = raw.startsWith("profile ") ? raw.slice("profile ".length).trim() : raw;
+      sections[currentSection] ??= {};
+      continue;
+    }
+    if (currentSection !== null) {
+      const eqIdx = line.indexOf("=");
+      if (eqIdx > 0) {
+        const key = line.slice(0, eqIdx).trim();
+        const value = line.slice(eqIdx + 1).trim();
+        sections[currentSection][key] = value;
+      }
+    }
+  }
+  return sections;
+}
+var _fs = null;
+var _path = null;
+async function getFs() {
+  if (!_fs) {
+    _fs = await import("fs");
+  }
+  return _fs;
+}
+async function getPath() {
+  if (!_path) {
+    _path = await import("path");
+  }
+  return _path;
+}
+async function resolveConfigDir(override) {
+  if (override) return override;
+  const envDir = getEnv("SECLAI_CONFIG_DIR");
+  if (envDir) return envDir;
+  const home = getHomeDir();
+  if (!home) {
+    throw new Error("Cannot determine home directory. Set SECLAI_CONFIG_DIR.");
+  }
+  const pathMod = await getPath();
+  return pathMod.join(home, DEFAULT_CONFIG_DIR);
+}
+async function loadSsoProfile(configDir, profileName) {
+  const fs = await getFs();
+  const pathMod = await getPath();
+  const configPath = pathMod.join(configDir, CONFIG_FILE);
+  if (!fs.existsSync(configPath)) return null;
+  const content = fs.readFileSync(configPath, "utf-8");
+  const sections = parseIni(content);
+  const defaultSection = sections["default"] ?? {};
+  const profileSection = profileName === "default" ? defaultSection : sections[profileName];
+  if (!profileSection) return null;
+  const merged = profileName === "default" ? profileSection : { ...defaultSection, ...profileSection };
+  const ssoAccountId = merged["sso_account_id"];
+  const ssoRegion = merged["sso_region"];
+  const ssoClientId = merged["sso_client_id"];
+  const ssoDomain = merged["sso_domain"];
+  if (!ssoAccountId || !ssoRegion || !ssoClientId || !ssoDomain) return null;
+  return { ssoAccountId, ssoRegion, ssoClientId, ssoDomain };
+}
+async function resolveCachePath(configDir, profile) {
+  const pathMod = await getPath();
+  const hash = await cacheFileName(profile.ssoDomain, profile.ssoClientId);
+  return pathMod.join(configDir, SSO_CACHE_DIR, `${hash}.json`);
+}
+async function readSsoCache(configDir, profile) {
+  const fs = await getFs();
+  const cachePath = await resolveCachePath(configDir, profile);
+  if (!fs.existsSync(cachePath)) return null;
+  try {
+    const raw = fs.readFileSync(cachePath, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeSsoCache(configDir, profile, entry) {
+  const fs = await getFs();
+  const pathMod = await getPath();
+  const cacheDir = pathMod.join(configDir, SSO_CACHE_DIR);
+  fs.mkdirSync(cacheDir, { recursive: true, mode: 448 });
+  const cachePath = await resolveCachePath(configDir, profile);
+  const tmpPath = `${cachePath}.tmp`;
+  fs.writeFileSync(tmpPath, JSON.stringify(entry, null, 2), { mode: 384 });
+  if (fs.existsSync(cachePath)) {
+    try {
+      fs.unlinkSync(cachePath);
+    } catch {
+    }
+  }
+  fs.renameSync(tmpPath, cachePath);
+}
+function isTokenValid(entry) {
+  const expiresAt = new Date(entry.expiresAt).getTime();
+  return Date.now() + EXPIRY_BUFFER_MS < expiresAt;
+}
+async function refreshToken(profile, refreshTokenValue, fetcher) {
+  const tokenUrl = `https://${profile.ssoDomain}/oauth2/token`;
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: profile.ssoClientId,
+    refresh_token: refreshTokenValue
+  });
+  const response = await fetcher(tokenUrl, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new Error(`Token refresh failed (HTTP ${response.status}): ${text}`);
+  }
+  const data = await response.json();
+  const expiresAt = new Date(Date.now() + data.expires_in * 1e3).toISOString();
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token ?? refreshTokenValue,
+    idToken: data.id_token ?? void 0,
+    expiresAt,
+    clientId: profile.ssoClientId,
+    region: profile.ssoRegion,
+    cognitoDomain: profile.ssoDomain
+  };
+}
+async function resolveCredentialChain(opts) {
+  const apiKeyHeader = opts.apiKeyHeader ?? DEFAULT_API_KEY_HEADER;
+  if (opts.apiKey) {
+    return {
+      mode: "apiKey",
+      apiKey: opts.apiKey,
+      apiKeyHeader,
+      accountId: opts.accountId,
+      autoRefresh: false
+    };
+  }
+  if (opts.accessToken) {
+    return {
+      mode: "bearerStatic",
+      accessToken: opts.accessToken,
+      apiKeyHeader,
+      accountId: opts.accountId,
+      autoRefresh: false
+    };
+  }
+  if (opts.accessTokenProvider) {
+    return {
+      mode: "bearerProvider",
+      accessTokenProvider: opts.accessTokenProvider,
+      apiKeyHeader,
+      accountId: opts.accountId,
+      autoRefresh: false
+    };
+  }
+  const envApiKey = getEnv("SECLAI_API_KEY");
+  if (envApiKey) {
+    return {
+      mode: "apiKey",
+      apiKey: envApiKey,
+      apiKeyHeader,
+      accountId: opts.accountId,
+      autoRefresh: false
+    };
+  }
+  try {
+    const configDir = await resolveConfigDir(opts.configDir);
+    const profileName = opts.profile ?? getEnv("SECLAI_PROFILE") ?? "default";
+    const ssoProfile = await loadSsoProfile(configDir, profileName);
+    if (ssoProfile) {
+      return {
+        mode: "sso",
+        apiKeyHeader,
+        accountId: opts.accountId ?? ssoProfile.ssoAccountId,
+        ssoProfile,
+        configDir,
+        autoRefresh: opts.autoRefresh !== false,
+        fetcher: opts.fetch
+      };
+    }
+  } catch {
+  }
+  throw new Error(
+    "Missing credentials. Provide apiKey, accessToken, set SECLAI_API_KEY, or run `seclai auth login`."
+  );
+}
+async function resolveAuthHeaders(state) {
+  const headers = {};
+  switch (state.mode) {
+    case "apiKey":
+      headers[state.apiKeyHeader] = state.apiKey;
+      break;
+    case "bearerStatic":
+      headers["authorization"] = `Bearer ${state.accessToken}`;
+      break;
+    case "bearerProvider": {
+      const token = await Promise.resolve(state.accessTokenProvider());
+      headers["authorization"] = `Bearer ${token}`;
+      break;
+    }
+    case "sso": {
+      const token = await resolveSsoToken(state);
+      headers["authorization"] = `Bearer ${token}`;
+      break;
+    }
+  }
+  if (state.accountId) {
+    headers["x-account-id"] = state.accountId;
+  }
+  return headers;
+}
+async function resolveSsoToken(state) {
+  const profile = state.ssoProfile;
+  const configDir = state.configDir;
+  const cached = await readSsoCache(configDir, profile);
+  if (cached && isTokenValid(cached)) {
+    return cached.accessToken;
+  }
+  if (cached?.refreshToken && state.autoRefresh) {
+    if (state._refreshPromise) {
+      return state._refreshPromise;
+    }
+    const fetcher = state.fetcher ?? globalThis.fetch;
+    if (!fetcher) {
+      throw new Error("No fetch implementation available for token refresh.");
+    }
+    state._refreshPromise = (async () => {
+      try {
+        const refreshed = await refreshToken(profile, cached.refreshToken, fetcher);
+        await writeSsoCache(configDir, profile, refreshed);
+        return refreshed.accessToken;
+      } finally {
+        state._refreshPromise = void 0;
+      }
+    })();
+    return state._refreshPromise;
+  }
+  throw new Error(
+    `SSO token expired. Run \`seclai auth login\` to re-authenticate.`
+  );
+}
 // src/client.ts
 var SECLAI_API_URL = "https://api.seclai.com";
-function getEnv(name) {
+function getEnv2(name) {
   const p = globalThis?.process;
   return p?.env?.[name];
 }
@@ -209,23 +493,29 @@ function inferMimeType(fileName) {
   return ext ? MIME_TYPES[ext] : void 0;
 }
 var Seclai = class {
-  apiKey;
   baseUrl;
-  apiKeyHeader;
   defaultHeaders;
   fetcher;
+  _authState = null;
+  _authInitPromise = null;
+  _authInitError = null;
   /**
    * Create a new Seclai client.
    *
+   * Credentials are resolved via a chain (first match wins):
+   * 1. Explicit `apiKey` option
+   * 2. Explicit `accessToken` option (static string or provider function)
+   * 3. `SECLAI_API_KEY` environment variable
+   * 4. SSO profile from `~/.seclai/config` + cached tokens in `~/.seclai/sso/cache/`
+   *
    * @param opts - Client configuration.
-   * @throws {@link SeclaiConfigurationError} If no API key is provided (and `SECLAI_API_KEY` is not set).
    * @throws {@link SeclaiConfigurationError} If no `fetch` implementation is available.
+   * @throws {@link SeclaiConfigurationError} If both `apiKey` and `accessToken` are provided.
    */
   constructor(opts = {}) {
-    const apiKey = opts.apiKey ?? getEnv("SECLAI_API_KEY");
-    if (!apiKey) {
+    if (opts.apiKey && opts.accessToken) {
       throw new SeclaiConfigurationError(
-        "Missing API key. Provide apiKey or set SECLAI_API_KEY."
+        "Provide either apiKey or accessToken, not both."
       );
     }
     const fetcher = opts.fetch ?? globalThis.fetch;
@@ -234,11 +524,49 @@ var Seclai = class {
         "No fetch implementation available. Provide opts.fetch or run in an environment with global fetch."
       );
     }
-    this.apiKey = apiKey;
-    this.baseUrl = opts.baseUrl ?? getEnv("SECLAI_API_URL") ?? SECLAI_API_URL;
-    this.apiKeyHeader = opts.apiKeyHeader ?? "x-api-key";
+    this.baseUrl = opts.baseUrl ?? getEnv2("SECLAI_API_URL") ?? SECLAI_API_URL;
     this.defaultHeaders = { ...opts.defaultHeaders ?? {} };
     this.fetcher = fetcher;
+    const accessTokenProvider = typeof opts.accessToken === "function" ? opts.accessToken : void 0;
+    const accessTokenStatic = typeof opts.accessToken === "string" ? opts.accessToken : void 0;
+    this._authInitPromise = resolveCredentialChain({
+      apiKey: opts.apiKey,
+      accessToken: accessTokenStatic,
+      accessTokenProvider,
+      profile: opts.profile,
+      configDir: opts.configDir,
+      autoRefresh: opts.autoRefresh,
+      accountId: opts.accountId,
+      apiKeyHeader: opts.apiKeyHeader,
+      fetch: fetcher
+    }).then((state) => {
+      this._authState = state;
+    }).catch((err) => {
+      this._authInitError = new SeclaiConfigurationError(
+        err instanceof Error ? err.message : String(err)
+      );
+    });
+  }
+  /** Ensure the credential chain has been resolved. */
+  async ensureAuth() {
+    if (this._authInitPromise) {
+      await this._authInitPromise;
+      this._authInitPromise = null;
+    }
+    if (this._authInitError) {
+      throw this._authInitError;
+    }
+    if (!this._authState) {
+      throw new SeclaiConfigurationError(
+        "Missing credentials. Provide apiKey, accessToken, set SECLAI_API_KEY, or run `seclai auth login`."
+      );
+    }
+    return this._authState;
+  }
+  /** Resolve auth headers for the current request. */
+  async authHeaders() {
+    const state = await this.ensureAuth();
+    return resolveAuthHeaders(state);
   }
   // ═══════════════════════════════════════════════════════════════════════════
   // Low-level request
@@ -257,10 +585,11 @@ var Seclai = class {
    */
   async request(method, path, opts) {
     const url = buildURL(this.baseUrl, path, opts?.query);
+    const authHeaders = await this.authHeaders();
     const headers = {
       ...this.defaultHeaders,
       ...opts?.headers ?? {},
-      [this.apiKeyHeader]: this.apiKey
+      ...authHeaders
     };
     let body;
     if (opts?.json !== void 0) {
@@ -312,13 +641,16 @@ var Seclai = class {
    * @param path - Request path relative to `baseUrl`.
    * @param opts - Query params, JSON body, per-request headers, and optional AbortSignal.
    * @returns The raw `Response` object.
+   * @throws {SeclaiAPIValidationError} On HTTP 422 responses.
+   * @throws {SeclaiAPIStatusError} On other non-2xx responses.
    */
   async requestRaw(method, path, opts) {
     const url = buildURL(this.baseUrl, path, opts?.query);
+    const authHeaders = await this.authHeaders();
     const headers = {
       ...this.defaultHeaders,
       ...opts?.headers ?? {},
-      [this.apiKeyHeader]: this.apiKey
+      ...authHeaders
     };
     let body;
     if (opts?.json !== void 0) {
@@ -355,9 +687,10 @@ var Seclai = class {
   /** Shared multipart upload helper. */
   async uploadFile(path, opts) {
     const url = buildURL(this.baseUrl, path);
+    const authHeaders = await this.authHeaders();
     const headers = {
       ...this.defaultHeaders,
-      [this.apiKeyHeader]: this.apiKey
+      ...authHeaders
     };
     delete headers["content-type"];
     delete headers["Content-Type"];
@@ -545,9 +878,10 @@ var Seclai = class {
    */
   async runStreamingAgentAndWait(agentId, body, opts) {
     const url = buildURL(this.baseUrl, `/agents/${agentId}/runs/stream`);
+    const authHdrs = await this.authHeaders();
     const headers = {
       ...this.defaultHeaders,
-      [this.apiKeyHeader]: this.apiKey,
+      ...authHdrs,
       accept: "text/event-stream",
       "content-type": "application/json"
     };
@@ -654,9 +988,10 @@ var Seclai = class {
    */
   async *runStreamingAgent(agentId, body, opts) {
     const url = buildURL(this.baseUrl, `/agents/${agentId}/runs/stream`);
+    const authHdrs = await this.authHeaders();
     const headers = {
       ...this.defaultHeaders,
-      [this.apiKeyHeader]: this.apiKey,
+      ...authHdrs,
       accept: "text/event-stream",
       "content-type": "application/json"
     };