@slashfi/agents-sdk 0.80.0 → 0.82.0

package/dist/config-store.js

@@ -32,37 +32,40 @@ const SECRET_PREFIX = "secret:";
  * we evaluate satisfaction against the entry's current `config`.
  *
  * Behavior:
- *   - `mode: 'proxy'` refs → always true. Auth lives server-side; the
- *     proxy is the source of truth, no entry-side fields involved.
  *   - Cache miss (no `authFields` for this ref yet) → returns `null`,
  *     signaling "I don't know — caller should fall back to its own
  *     heuristic or call `auth-status` to populate the cache".
  *   - Cache hit → for every required, non-automated field, checks
- *     presence in `entry.config`. Mirrors the `present || resolvable`
- *     check in `auth-status` but evaluates against current config.
- *     `automated` fields (e.g. dynamic OAuth client_id) count as
- *     satisfied even when absent — adk supplies them at call time.
+ *     presence in `entry.config` OR (if `opts.resolvableFields`
+ *     includes the field name) treats it as satisfied externally.
+ *     Mirrors the `present || resolvable` check in `auth-status`.
+ *     `automated` fields (e.g. dynamic OAuth client_id minted by the
+ *     registry) always count as satisfied.
  *
  * Returning `null` for cache miss is intentional. A boolean would
  * force callers to choose a default that's wrong half the time;
  * `null` lets them branch explicitly.
  */
-export function isRefAuthComplete(entry, cacheEntry) {
+export function isRefAuthComplete(entry, cacheEntry, opts) {
     if (typeof entry === "string")
         return false;
-    if (entry.mode === "proxy")
-        return true;
     const authFields = cacheEntry?.authFields;
     if (!authFields)
         return null;
     const config = entry.config ?? {};
+    const resolvable = opts?.resolvableFields && opts.resolvableFields.length > 0
+        ? new Set(opts.resolvableFields)
+        : null;
     for (const [field, info] of Object.entries(authFields)) {
         if (!info.required)
             continue;
         if (info.automated)
             continue;
-        if (!(field in config))
-            return false;
+        if (field in config)
+            continue;
+        if (resolvable && resolvable.has(field))
+            continue;
+        return false;
     }
     return true;
 }
@@ -617,78 +620,6 @@ export function createAdk(fs, options = {}) {
         return fallback;
     }
     // ==========================================
-    // Proxy Routing
-    // ==========================================
-    /**
-     * Find the configured RegistryEntry for a ref, consulting `sourceRegistry`
-     * first and falling back to the first registry in config. Returns `null` when
-     * the ref is sourced from a raw URL (no registry), in which case proxy routing
-     * does not apply.
-     */
-    async function findRegistryEntryForRef(entry) {
-        const sourceUrl = entry.sourceRegistry?.url;
-        if (!sourceUrl)
-            return null;
-        const config = await readConfig();
-        const match = (config.registries ?? []).find((r) => {
-            if (typeof r === "string")
-                return r === sourceUrl;
-            return r.url === sourceUrl;
-        });
-        if (!match || typeof match === "string")
-            return null;
-        return match;
-    }
-    /**
-     * Returns the proxy settings for a ref when its source registry has
-     * `proxy` configured. `null` means "run locally".
-     *
-     * Callers pass `{ preferLocal: true }` to opt out of `mode: 'optional'`
-     * proxying when they already hold credentials locally. `mode: 'required'`
-     * cannot be bypassed — the registry owns auth server-side and there is
-     * nothing useful the local SDK can do.
-     */
-    async function resolveProxyForRef(entry, opts) {
-        const reg = await findRegistryEntryForRef(entry);
-        if (!reg?.proxy)
-            return null;
-        if (reg.proxy.mode === "optional" && opts?.preferLocal)
-            return null;
-        return { reg, agent: reg.proxy.agent ?? "@config" };
-    }
-    /**
-     * Forward an `@config ref` operation to the proxy agent on a remote registry.
-     *
-     * The remote side speaks the standard adk-tools surface, so the call shape is
-     * identical to what the local `ref` API would do — the only difference is
-     * that tokens and secrets live server-side. `callRegistry` returns the
-     * standard CallAgentResponse envelope: `{ success: true, result }` on
-     * success or `{ success: false, error }` on failure. We unwrap once and
-     * throw on error so callers get a result that matches the local signature.
-     */
-    async function forwardRefOpToProxy(reg, agent, operation, params) {
-        const consumer = await buildConsumerForRef({
-            ref: "",
-            name: "",
-            sourceRegistry: { url: reg.url, agentPath: agent },
-        });
-        const resolved = consumer.registries().find((r) => r.url === reg.url);
-        if (!resolved)
-            throw new Error(`Registry ${reg.url} not resolvable for proxy forwarding`);
-        const response = await consumer.callRegistry(resolved, {
-            action: "execute_tool",
-            path: agent,
-            tool: "ref",
-            params: { operation, ...params },
-        });
-        if (!response.success) {
-            const errResponse = response;
-            const msg = errResponse.error ?? `Proxy ${agent}.ref(${operation}) failed`;
-            throw new Error(msg);
-        }
-        return response.result;
-    }
-    // ==========================================
     // Registry API
     // ==========================================
     /**
@@ -701,42 +632,6 @@ export function createAdk(fs, options = {}) {
             return value;
         return `${SECRET_PREFIX}${await encryptSecret(value, options.encryptionKey)}`;
     }
-    /**
-     * Re-probe a registry with the current stored credentials to see whether it
-     * advertises `capabilities.registry.proxy` in its MCP `initialize` response,
-     * and persist the proxy config when it does. Safe to call after a successful
-     * `auth()` / `authLocal()` — on the add path we skip the proxy probe when
-     * auth is required, so this is the second chance to back-fill it.
-     *
-     * Respects explicit user config: if `proxy` is already set, we leave it
-     * alone. Any discovery failure is swallowed — proxy is an optimization,
-     * not a correctness requirement.
-     */
-    async function discoverProxyAfterAuth(nameOrUrl) {
-        const config = await readConfig();
-        const target = findRegistry(config.registries ?? [], nameOrUrl);
-        if (!target || typeof target === "string")
-            return;
-        if (target.proxy)
-            return;
-        try {
-            const consumer = await buildConsumer(nameOrUrl);
-            const discovered = await consumer.discover(target.url);
-            if (!discovered.proxy?.mode)
-                return;
-            await updateRegistryEntry(nameOrUrl, (existing) => {
-                if (existing.proxy)
-                    return;
-                existing.proxy = {
-                    mode: discovered.proxy.mode,
-                    ...(discovered.proxy.agent && { agent: discovered.proxy.agent }),
-                };
-            });
-        }
-        catch {
-            // Proxy probe is best-effort — auth itself already succeeded.
-        }
-    }
     /**
      * Atomic read-modify-write on a registry entry by name or URL. Used by
      * `authLocal` to persist both `auth` and `oauth` together, which `auth()`
@@ -877,14 +772,10 @@ export function createAdk(fs, options = {}) {
             const config = await readConfig();
             const alias = entry.name ?? entry.url;
             const registries = (config.registries ?? []).filter((r) => registryDisplayName(r) !== alias);
-            // Probe the registry before saving. Two things fall out of the probe:
-            //   1. Auth challenge — 401 + WWW-Authenticate points at RFC 9728
-            //      resource metadata; we persist it on `authRequirement` so
-            //      subsequent ops can refuse early with a friendly message.
-            //   2. Proxy capability — the MCP `initialize` response may advertise
-            //      `capabilities.registry.proxy`, which auto-populates `proxy`.
-            // Users who set `proxy` or `auth` explicitly on the entry always win:
-            // discovery only fills in blanks.
+            // Probe the registry before saving. If it returns 401 with a
+            // WWW-Authenticate / RFC 9728 resource metadata pointer, persist
+            // that on `authRequirement` so subsequent ops can refuse early
+            // with a friendly message.
             let final = entry;
             let authRequirement;
             const hasUsableAuth = entry.auth && entry.auth.type !== "none"
@@ -899,30 +790,6 @@ export function createAdk(fs, options = {}) {
                     final = { ...final, authRequirement };
                 }
             }
-            if (!entry.proxy && !authRequirement) {
-                try {
-                    const probeConsumer = await createRegistryConsumer({ registries: [entry], refs: [] }, { token: options.token, fetch: options.fetch });
-                    const resolved = probeConsumer.registries()[0];
-                    if (resolved) {
-                        const discovered = await probeConsumer.discover(resolved.url);
-                        if (discovered.proxy?.mode) {
-                            final = {
-                                ...final,
-                                proxy: {
-                                    mode: discovered.proxy.mode,
-                                    ...(discovered.proxy.agent && {
-                                        agent: discovered.proxy.agent,
-                                    }),
-                                },
-                            };
-                        }
-                    }
-                }
-                catch {
-                    // Discovery is best-effort — offline, unreachable, or non-adk
-                    // registries simply skip proxy auto-configuration.
-                }
-            }
             registries.push(final);
             await writeConfig({ ...config, registries });
             return authRequirement ? { authRequirement } : {};
@@ -968,8 +835,6 @@ export function createAdk(fs, options = {}) {
                     existing.auth = updates.auth;
                 if (updates.headers)
                     existing.headers = { ...existing.headers, ...updates.headers };
-                if (updates.proxy !== undefined)
-                    existing.proxy = updates.proxy;
                 return existing;
             });
             if (!found)
@@ -1069,8 +934,6 @@ export function createAdk(fs, options = {}) {
                 }
                 delete existing.authRequirement;
             });
-            if (updated)
-                await discoverProxyAfterAuth(nameOrUrl);
             return updated;
         },
         async authLocal(nameOrUrl, opts) {
@@ -1217,7 +1080,6 @@ export function createAdk(fs, options = {}) {
                                 };
                                 delete existing.authRequirement;
                             });
-                            await discoverProxyAfterAuth(displayName);
                             resOut.writeHead(200, { "Content-Type": "text/html" });
                             resOut.end(renderAuthSuccess(displayName));
                             server.close();
@@ -1596,12 +1458,6 @@ export function createAdk(fs, options = {}) {
             const entry = findRef(config.refs ?? [], name);
             if (!entry)
                 throw new Error(`Ref "${name}" not found`);
-            // Registry-proxied refs: ask the remote @config for state (secrets live
-            // server-side so local inspection would always return "missing").
-            const proxy = await resolveProxyForRef(entry);
-            if (proxy) {
-                return forwardRefOpToProxy(proxy.reg, proxy.agent, "auth-status", { name });
-            }
             let security = null;
             try {
                 const consumer = await buildConsumerForRef(entry);
@@ -1723,25 +1579,6 @@ export function createAdk(fs, options = {}) {
             const entry = findRef(config.refs ?? [], name);
             if (!entry)
                 throw new Error(`Ref "${name}" not found`);
-            // Registry-proxied auth: forward the start-of-flow to the remote @config
-            // agent. The registry owns the client_id/secret and returns an authorize
-            // URL pointing at the registry's OAuth callback domain, so the user
-            // completes the flow against the registry instead of localhost.
-            const proxy = await resolveProxyForRef(entry, {
-                preferLocal: opts?.preferLocal,
-            });
-            if (proxy) {
-                const params = { name };
-                if (opts?.apiKey !== undefined)
-                    params.apiKey = opts.apiKey;
-                if (opts?.credentials)
-                    params.credentials = opts.credentials;
-                if (opts?.scopes)
-                    params.scopes = opts.scopes;
-                if (opts?.stateContext)
-                    params.stateContext = opts.stateContext;
-                return forwardRefOpToProxy(proxy.reg, proxy.agent, "auth", params);
-            }
             const status = await ref.authStatus(name);
             const security = status.security;
             const tryResolve = makeTryResolve({ name, entry, security });
@@ -1995,32 +1832,16 @@ export function createAdk(fs, options = {}) {
             return { type: security.type, complete: false };
         },
         async authLocal(name, opts) {
-            // `ref.auth` is already proxy-aware — for proxied refs it returns
-            // the authorizeUrl that the registry minted against its own
-            // callback domain. Everything below is identical for local and
-            // proxied refs except the last step (polling for the callback),
-            // which only makes sense when we own the redirect URI.
             const result = await ref.auth(name);
             if (result.complete)
                 return { complete: true };
-            const config = await readConfig();
-            const entry = findRef(config.refs ?? [], name);
-            const proxy = entry ? await resolveProxyForRef(entry) : null;
             const port = options.oauthCallbackPort ?? 8919;
             const timeout = opts?.timeoutMs ?? 300_000;
             const { createServer } = await import("node:http");
             // API key / HTTP auth — local credential form.
-            //
-            // We refuse to serve the form for a proxied ref: the registry
-            // owns the credential store, so the user needs to submit via
-            // whatever UI the registry exposes. Supporting this through the
-            // proxy would need a remote form endpoint — out of scope here.
             if (result.fields &&
                 result.fields.length > 0 &&
                 result.type !== "oauth2") {
-                if (proxy) {
-                    throw new Error(`Ref "${name}" is sourced from a proxied registry; submit credentials through ${proxy.agent} instead of a local form.`);
-                }
                 return new Promise((resolve, reject) => {
                     const server = createServer(async (req, res) => {
                         const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -2082,13 +1903,8 @@ export function createAdk(fs, options = {}) {
             if (opts?.onAuthorizeUrl) {
                 opts.onAuthorizeUrl(result.authorizeUrl);
             }
-            // Proxied refs: the registry owns the callback endpoint, so there's
-            // nothing to poll here. Callers poll `ref.authStatus` on their own
-            // schedule once the user finishes the remote consent screen.
-            if (proxy)
-                return { complete: false };
-            // Local refs: spin up the callback server on oauthCallbackPort and
-            // block until the OAuth provider redirects back.
+            // Spin up the callback server on oauthCallbackPort and block
+            // until the OAuth provider redirects back.
             return new Promise((resolve, reject) => {
                 const server = createServer(async (req, res) => {
                     const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -2127,14 +1943,6 @@ export function createAdk(fs, options = {}) {
             });
         },
         async refreshToken(name) {
-            // Registry-proxied refs: the remote @config holds the refresh_token.
-            const entryForProxy = await ref.get(name);
-            if (entryForProxy) {
-                const proxy = await resolveProxyForRef(entryForProxy);
-                if (proxy) {
-                    return forwardRefOpToProxy(proxy.reg, proxy.agent, "refresh-token", { name });
-                }
-            }
             // Read stored refresh_token
             const refreshToken = await readRefSecret(name, "refresh_token");
             if (!refreshToken)