@slashfi/agents-sdk 0.29.0 → 0.30.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/dist/agent-definitions/auth.d.ts +2 -6
  2. package/dist/agent-definitions/auth.d.ts.map +1 -1
  3. package/dist/agent-definitions/auth.js +5 -5
  4. package/dist/agent-definitions/auth.js.map +1 -1
  5. package/dist/agent-definitions/integrations.d.ts.map +1 -1
  6. package/dist/agent-definitions/integrations.js +0 -1
  7. package/dist/agent-definitions/integrations.js.map +1 -1
  8. package/dist/cjs/agent-definitions/auth.js +5 -5
  9. package/dist/cjs/agent-definitions/auth.js.map +1 -1
  10. package/dist/cjs/agent-definitions/integrations.js +0 -1
  11. package/dist/cjs/agent-definitions/integrations.js.map +1 -1
  12. package/dist/cjs/index.js +4 -3
  13. package/dist/cjs/index.js.map +1 -1
  14. package/dist/cjs/registry-consumer.js +41 -5
  15. package/dist/cjs/registry-consumer.js.map +1 -1
  16. package/dist/cjs/secret-collection.js.map +1 -1
  17. package/dist/cjs/server.js +17 -28
  18. package/dist/cjs/server.js.map +1 -1
  19. package/dist/index.d.ts +2 -2
  20. package/dist/index.d.ts.map +1 -1
  21. package/dist/index.js +2 -2
  22. package/dist/index.js.map +1 -1
  23. package/dist/registry-consumer.d.ts.map +1 -1
  24. package/dist/registry-consumer.js +41 -5
  25. package/dist/registry-consumer.js.map +1 -1
  26. package/dist/secret-collection.d.ts +0 -1
  27. package/dist/secret-collection.d.ts.map +1 -1
  28. package/dist/secret-collection.js.map +1 -1
  29. package/dist/server.d.ts +3 -2
  30. package/dist/server.d.ts.map +1 -1
  31. package/dist/server.js +16 -28
  32. package/dist/server.js.map +1 -1
  33. package/package.json +1 -1
  34. package/src/agent-definitions/auth.ts +5 -11
  35. package/src/agent-definitions/integrations.ts +0 -1
  36. package/src/index.ts +2 -1
  37. package/src/registry-consumer.ts +56 -6
  38. package/src/secret-collection.ts +0 -1
  39. package/src/server.ts +17 -32
package/src/server.ts CHANGED
@@ -180,7 +180,7 @@ interface JsonRpcResponse {
180
180
 
181
181
  export interface AuthConfig {
182
182
  store?: AuthStore;
183
- rootKey?: string;
183
+ /** @deprecated Use JWT scopes instead. Will be removed in a future version. */
184
184
  tokenTtl?: number;
185
185
  }
186
186
 
@@ -189,11 +189,16 @@ export interface ResolvedAuth {
189
189
  callerId: string;
190
190
  callerType: "agent" | "user" | "system";
191
191
  scopes: string[];
192
- isRoot: boolean;
193
192
  /** All JWT claims from the verified token (passthrough) */
194
193
  claims: Record<string, unknown>;
195
194
  }
196
195
 
196
+ /** Check if auth has admin-level access (wildcard or admin scope) */
197
+ export function hasAdminScope(auth: ResolvedAuth | null): boolean {
198
+ if (!auth) return false;
199
+ return auth.scopes.includes("*") || auth.scopes.includes("admin");
200
+ }
201
+
197
202
  // ============================================
198
203
  // HTTP Helpers
199
204
  // ============================================
@@ -265,16 +270,14 @@ export function detectAuth(registry: AgentRegistry): AuthConfig {
265
270
  const authAgent = registry.get("@auth") as
266
271
  | (AgentDefinition & {
267
272
  __authStore?: AuthStore;
268
- __rootKey?: string;
269
273
  __tokenTtl?: number;
270
274
  })
271
275
  | undefined;
272
276
 
273
- if (!authAgent?.__authStore || !authAgent.__rootKey) return {};
277
+ if (!authAgent?.__authStore) return {};
274
278
 
275
279
  return {
276
280
  store: authAgent.__authStore,
277
- rootKey: authAgent.__rootKey,
278
281
  tokenTtl: authAgent.__tokenTtl ?? 3600,
279
282
  };
280
283
  }
@@ -293,17 +296,6 @@ export async function resolveAuth(
293
296
  const [scheme, credential] = authHeader.split(" ", 2);
294
297
  if (scheme?.toLowerCase() !== "bearer" || !credential) return null;
295
298
 
296
- // Root key check
297
- if (authConfig.rootKey && credential === authConfig.rootKey) {
298
- return {
299
- callerId: "root",
300
- callerType: "system",
301
- scopes: ["*"],
302
- isRoot: true,
303
- claims: {},
304
- };
305
- }
306
-
307
299
  // Try ES256 verification against own signing keys
308
300
  const parts = credential.split(".");
309
301
  if (parts.length === 3 && jwksOptions?.signingKeys?.length) {
@@ -315,7 +307,6 @@ export async function resolveAuth(
315
307
  callerId: verified.sub ?? verified.name ?? "unknown",
316
308
  callerType: "agent",
317
309
  scopes: verified.scopes ?? ["*"],
318
- isRoot: false,
319
310
  claims: verified as unknown as Record<string, unknown>,
320
311
  };
321
312
  }
@@ -347,7 +338,6 @@ export async function resolveAuth(
347
338
  callerId: verified.sub ?? verified.name ?? "unknown",
348
339
  callerType: isSystem ? "system" : "agent",
349
340
  scopes,
350
- isRoot: isSystem,
351
341
  claims: verified as unknown as Record<string, unknown>,
352
342
  };
353
343
  }
@@ -379,7 +369,6 @@ export async function resolveAuth(
379
369
  callerId: verified.name || client.name,
380
370
  callerType: "agent",
381
371
  scopes: verified.scopes,
382
- isRoot: false,
383
372
  claims: verified as unknown as Record<string, unknown>,
384
373
  };
385
374
  }
@@ -400,7 +389,6 @@ export async function resolveAuth(
400
389
  callerId: client?.name ?? token.clientId,
401
390
  callerType: "agent",
402
391
  scopes: token.scopes,
403
- isRoot: false,
404
392
  claims: {},
405
393
  };
406
394
  }
@@ -412,7 +400,7 @@ export function canSeeAgent(
412
400
  const visibility = ((agent as any).visibility ??
413
401
  agent.config?.visibility ??
414
402
  "internal") as Visibility;
415
- if (auth?.isRoot) return true;
403
+ if (hasAdminScope(auth)) return true;
416
404
  if (visibility === "public") return true;
417
405
  if (visibility === "internal" && auth) return true;
418
406
  return false;
@@ -445,10 +433,10 @@ function getVisibleTools(
445
433
  "internal") as Visibility;
446
434
  return agent.tools.filter((t) => {
447
435
  const tv = t.visibility;
448
- if (auth?.isRoot) return true;
436
+ if (hasAdminScope(auth)) return true;
449
437
  // Tool has explicit visibility — respect it
450
438
  if (tv === "public") return true;
451
- if (tv === "private") return auth?.isRoot ?? false;
439
+ if (tv === "private") return hasAdminScope(auth) ?? false;
452
440
  if (tv === "internal" && auth) return true;
453
441
  // No explicit tool visibility — inherit from agent
454
442
  if (!tv && agentVisibility === "public") return true;
@@ -622,10 +610,9 @@ export function createAgentServer(
622
610
  req.callerType = auth.callerType;
623
611
  if (!req.metadata) req.metadata = {};
624
612
  req.metadata.scopes = auth.scopes;
625
- req.metadata.isRoot = auth.isRoot;
626
613
  if (auth.issuer) req.metadata.issuer = auth.issuer;
627
614
  }
628
- if (auth?.isRoot) {
615
+ if (hasAdminScope(auth)) {
629
616
  req.callerType = "system";
630
617
  }
631
618
 
@@ -663,7 +650,7 @@ export function createAgentServer(
663
650
  tools: agent.tools
664
651
  .filter((t) => {
665
652
  const tv = t.visibility ?? "internal";
666
- if (auth?.isRoot) return true;
653
+ if (hasAdminScope(auth)) return true;
667
654
  if (tv === "public") return true;
668
655
  if (
669
656
  tv === "authenticated" &&
@@ -707,7 +694,7 @@ export function createAgentServer(
707
694
  for (const agent of visible) {
708
695
  const visibleTools = agent.tools.filter((t) => {
709
696
  const tv = t.visibility ?? "internal";
710
- if (auth?.isRoot) return true;
697
+ if (hasAdminScope(auth)) return true;
711
698
  if (tv === "public") return true;
712
699
  if (
713
700
  tv === "authenticated" &&
@@ -1053,7 +1040,6 @@ export function createAgentServer(
1053
1040
  callerId: actorId,
1054
1041
  callerType: (actorType as any) ?? "agent",
1055
1042
  scopes: ["*"],
1056
- isRoot: false,
1057
1043
  claims: {},
1058
1044
  };
1059
1045
  }
@@ -1230,7 +1216,7 @@ export function createAgentServer(
1230
1216
  jwks_uri: `${baseUrl}/.well-known/jwks.json`,
1231
1217
  token_endpoint: `${baseUrl}/oauth/token`,
1232
1218
  agents_endpoint: `${baseUrl}/list`,
1233
- call_endpoint: `${baseUrl}/call`,
1219
+ call_endpoint: baseUrl,
1234
1220
  supported_grant_types: ["client_credentials", "jwt_exchange"],
1235
1221
  authorization_endpoint: `${baseUrl}/oauth/authorize`,
1236
1222
  ...(oidcSignIn
@@ -1281,7 +1267,7 @@ export function createAgentServer(
1281
1267
  tools: agent.tools
1282
1268
  .filter((t) => {
1283
1269
  const tv = t.visibility ?? "internal";
1284
- if (effectiveAuth?.isRoot) return true;
1270
+ if (hasAdminScope(effectiveAuth)) return true;
1285
1271
  if (tv === "public") return true;
1286
1272
  if (tv === "internal" && effectiveAuth) return true;
1287
1273
  return false;
@@ -1383,7 +1369,7 @@ export function createAgentServer(
1383
1369
  callerId: effectiveAuth?.callerId,
1384
1370
  callerType: effectiveAuth?.callerType ?? "system",
1385
1371
  metadata: effectiveAuth
1386
- ? { scopes: effectiveAuth.scopes, isRoot: effectiveAuth.isRoot }
1372
+ ? { scopes: effectiveAuth.scopes }
1387
1373
  : undefined,
1388
1374
  });
1389
1375
  const res = jsonResponse({ success: true, result });
@@ -1468,7 +1454,6 @@ export function createAgentServer(
1468
1454
  metadata: effectiveAuth
1469
1455
  ? {
1470
1456
  scopes: effectiveAuth.scopes,
1471
- isRoot: effectiveAuth.isRoot,
1472
1457
  ...(effectiveAuth.issuer
1473
1458
  ? { issuer: effectiveAuth.issuer }
1474
1459
  : {}),