@slashfi/agents-sdk 0.5.0 → 0.7.0

package/src/agent-definitions/secrets.ts

@@ -8,7 +8,7 @@
  * - AES-256-GCM encryption via crypto.ts
  */
 
-import { encryptSecret, decryptSecret } from "../crypto.js";
+import { decryptSecret, encryptSecret } from "../crypto.js";
 import { defineAgent, defineTool } from "../define.js";
 import type { AgentDefinition, ToolContext, ToolDefinition } from "../types.js";
 
@@ -20,13 +20,42 @@ import type { AgentDefinition, ToolContext, ToolDefinition } from "../types.js";
  * Pluggable secret storage backend.
  * Stores encrypted values, resolves refs.
  */
+/**
+ * Scope for multi-tenant secret isolation.
+ * When provided, secrets are partitioned by tenant/instance.
+ */
+export interface SecretScope {
+  tenantId: string;
+  instanceKey?: string;
+}
+
 export interface SecretStore {
   /** Store a secret. Returns the secret ID (without prefix). */
-  store(value: string, ownerId: string): Promise<string>;
+  store(value: string, ownerId: string, scope?: SecretScope): Promise<string>;
+
   /** Resolve a secret ID to its decrypted value. */
-  resolve(id: string, ownerId: string): Promise<string | null>;
+  resolve(id: string, ownerId: string, scope?: SecretScope): Promise<string | null>;
+
   /** Delete a secret. */
-  delete(id: string, ownerId: string): Promise<boolean>;
+  delete(id: string, ownerId: string, scope?: SecretScope): Promise<boolean>;
+
+  /**
+   * Store multiple secrets in a single operation.
+   * Returns an array of secret IDs in the same order as the input values.
+   */
+  storeBatch?(values: string[], ownerId: string, scope?: SecretScope): Promise<string[]>;
+
+  /**
+   * Associate a secret with an entity (e.g., a provider config, a connection).
+   * Enables lookup of secrets by entity rather than by ID.
+   */
+  associate?(secretId: string, entityType: string, entityId: string, scope?: SecretScope): Promise<void>;
+
+  /**
+   * Resolve secrets associated with an entity.
+   * Returns all secret IDs linked to the given entity.
+   */
+  resolveByEntity?(entityType: string, entityId: string, scope?: SecretScope): Promise<string[]>;
 }
 
 // ============================================
@@ -50,7 +79,8 @@ export function makeSecretRef(id: string): string {
 function randomSecretId(): string {
   const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
   let id = "";
-  for (let i = 0; i < 24; i++) id += chars[Math.floor(Math.random() * chars.length)];
+  for (let i = 0; i < 24; i++)
+    id += chars[Math.floor(Math.random() * chars.length)];
   return id;
 }
 
@@ -60,27 +90,53 @@ function randomSecretId(): string {
 
 export function createInMemorySecretStore(encryptionKey: string): SecretStore {
   const secrets = new Map<string, { encrypted: string; ownerId: string }>();
+  const associations = new Map<string, string[]>(); // "entityType:entityId" -> secretIds
 
   return {
-    async store(value, ownerId) {
+    async store(value, ownerId, _scope?) {
       const id = randomSecretId();
       const encrypted = await encryptSecret(value, encryptionKey);
       secrets.set(id, { encrypted, ownerId });
       return id;
     },
 
-    async resolve(id, ownerId) {
+    async resolve(id, ownerId, _scope?) {
       const entry = secrets.get(id);
       if (!entry || entry.ownerId !== ownerId) return null;
       return decryptSecret(entry.encrypted, encryptionKey);
     },
 
-    async delete(id, ownerId) {
+    async delete(id, ownerId, _scope?) {
       const entry = secrets.get(id);
       if (!entry || entry.ownerId !== ownerId) return false;
       secrets.delete(id);
       return true;
     },
+
+    async storeBatch(values, ownerId, _scope?) {
+      const ids: string[] = [];
+      for (const value of values) {
+        const id = randomSecretId();
+        const encrypted = await encryptSecret(value, encryptionKey);
+        secrets.set(id, { encrypted, ownerId });
+        ids.push(id);
+      }
+      return ids;
+    },
+
+    async associate(secretId, entityType, entityId, _scope?) {
+      const key = `${entityType}:${entityId}`;
+      const existing = associations.get(key) ?? [];
+      if (!existing.includes(secretId)) {
+        existing.push(secretId);
+        associations.set(key, existing);
+      }
+    },
+
+    async resolveByEntity(entityType, entityId, _scope?) {
+      const key = `${entityType}:${entityId}`;
+      return associations.get(key) ?? [];
+    },
   };
 }
 
@@ -104,7 +160,8 @@ export function createSecretsAgent(
 
   const storeSecretTool = defineTool({
     name: "store",
-    description: "Store secret values. Returns secret:<id> refs for each value.",
+    description:
+      "Store secret values. Returns secret:<id> refs for each value.",
     visibility: "internal" as const,
     inputSchema: {
       type: "object" as const,
@@ -117,7 +174,10 @@ export function createSecretsAgent(
       },
       required: ["secrets"],
     },
-    execute: async (input: { secrets: Record<string, string> }, ctx: ToolContext) => {
+    execute: async (
+      input: { secrets: Record<string, string> },
+      ctx: ToolContext,
+    ) => {
       const ownerId = ctx.callerId ?? "anonymous";
       const refs: Record<string, string> = {};
       for (const [key, value] of Object.entries(input.secrets)) {
@@ -130,27 +190,6 @@ export function createSecretsAgent(
     },
   });
 
-  const resolveSecretTool = defineTool({
-    name: "resolve",
-    description: "Resolve a secret ref to its value. Only accessible to the owner.",
-    visibility: "internal" as const,
-    inputSchema: {
-      type: "object" as const,
-      properties: {
-        ref: { type: "string" as const, description: "Secret ref (secret:xxx)" },
-      },
-      required: ["ref"],
-    },
-    execute: async (input: { ref: string }, ctx: ToolContext) => {
-      const ownerId = ctx.callerId ?? "anonymous";
-      const id = getSecretId(input.ref);
-      const value = await store.resolve(id, ownerId);
-      if (!value) throw new Error("Secret not found or unauthorized");
-      // Return wrapped so actor can handle it
-      return { value: { $agent_type: "secret", value } };
-    },
-  });
-
   const revokeSecretTool = defineTool({
     name: "revoke",
     description: "Delete a stored secret.",
@@ -172,13 +211,17 @@ export function createSecretsAgent(
 
   return defineAgent({
     path: "@secrets",
-    entrypoint: "Secret storage agent. Stores, resolves, and manages encrypted secrets.",
+    entrypoint:
+      "Secret storage agent. Stores, resolves, and manages encrypted secrets.",
     config: {
       name: "Secrets",
       description: "Encrypted secret storage and management",
       visibility: "internal",
     },
-    tools: [storeSecretTool, resolveSecretTool, revokeSecretTool] as ToolDefinition<ToolContext>[],
+    tools: [
+      storeSecretTool,
+      revokeSecretTool,
+    ] as ToolDefinition<ToolContext>[],
   });
 }
 
@@ -200,7 +243,10 @@ export async function processSecretParams(
   schema: { properties?: Record<string, SchemaProperty> } | undefined,
   secretStore: SecretStore,
   ownerId: string,
-): Promise<{ resolved: Record<string, unknown>; redacted: Record<string, unknown> }> {
+): Promise<{
+  resolved: Record<string, unknown>;
+  redacted: Record<string, unknown>;
+}> {
   const resolved: Record<string, unknown> = { ...params };
   const redacted: Record<string, unknown> = { ...params };
 
@@ -210,7 +256,11 @@ export async function processSecretParams(
     const value = params[key];
     if (value === undefined || value === null) continue;
 
-    if (schemaProp.type === "object" && typeof value === "object" && !Array.isArray(value)) {
+    if (
+      schemaProp.type === "object" &&
+      typeof value === "object" &&
+      !Array.isArray(value)
+    ) {
       const nested = await processSecretParams(
         value as Record<string, unknown>,
         schemaProp,
@@ -239,7 +289,6 @@ export async function processSecretParams(
       const id = await secretStore.store(value, ownerId);
       resolved[key] = value;
       redacted[key] = makeSecretRef(id);
-      continue;
     }
   }