@slashfi/agents-sdk 0.80.0 → 0.82.0

package/src/config-store.ts

@@ -103,12 +103,6 @@ export interface RegistryCacheEntry {
    * entry's `config` — no network round-trip needed. Absent when the
    * scheme couldn't be fetched (e.g. registry was offline at add
    * time); fall back to whatever heuristic the caller chooses.
-   *
-   * Note on proxy refs: when the entry is in `proxy` mode the
-   * security scheme is exposed by the *proxy*, and the answer to
-   * "is this callable?" lives server-side — `authFields` is omitted
-   * locally and hosts should treat proxy refs as authoritative
-   * regardless of entry-side fields.
    */
   authFields?: Record<string, RegistryCacheAuthField>;
   /** ISO timestamp of the most recent registry round-trip that wrote this. */
@@ -124,6 +118,25 @@ export interface RegistryCache {
   refs: Record<string, RegistryCacheEntry>;
 }
 
+/**
+ * Options for `isRefAuthComplete`.
+ */
+export interface RefAuthCompleteOptions {
+  /**
+   * Field names the consumer can resolve at call time without them
+   * being present in `entry.config` — typically OAuth client_id /
+   * client_secret resolved from environment variables or platform
+   * config by the host's `resolveCredentials` callback.
+   *
+   * Required-non-automated fields listed here count as satisfied even
+   * when missing from `entry.config`. The default behaviour (no opt
+   * passed) requires every such field to live in config, which is
+   * correct for self-hosted SDK consumers but wrong for platforms
+   * that inject OAuth client credentials at runtime.
+   */
+  resolvableFields?: ReadonlyArray<string>;
+}
+
 /**
  * "Is this ref ready to call?" answered locally using the cached
  * security-scheme requirements. Mirrors the `complete` boolean
@@ -132,16 +145,15 @@ export interface RegistryCache {
  * we evaluate satisfaction against the entry's current `config`.
  *
  * Behavior:
- *   - `mode: 'proxy'` refs → always true. Auth lives server-side; the
- *     proxy is the source of truth, no entry-side fields involved.
  *   - Cache miss (no `authFields` for this ref yet) → returns `null`,
  *     signaling "I don't know — caller should fall back to its own
  *     heuristic or call `auth-status` to populate the cache".
  *   - Cache hit → for every required, non-automated field, checks
- *     presence in `entry.config`. Mirrors the `present || resolvable`
- *     check in `auth-status` but evaluates against current config.
- *     `automated` fields (e.g. dynamic OAuth client_id) count as
- *     satisfied even when absent — adk supplies them at call time.
+ *     presence in `entry.config` OR (if `opts.resolvableFields`
+ *     includes the field name) treats it as satisfied externally.
+ *     Mirrors the `present || resolvable` check in `auth-status`.
+ *     `automated` fields (e.g. dynamic OAuth client_id minted by the
+ *     registry) always count as satisfied.
  *
  * Returning `null` for cache miss is intentional. A boolean would
  * force callers to choose a default that's wrong half the time;
@@ -150,16 +162,22 @@ export interface RegistryCache {
 export function isRefAuthComplete(
   entry: RefEntry,
   cacheEntry: RegistryCacheEntry | undefined,
+  opts?: RefAuthCompleteOptions,
 ): boolean | null {
   if (typeof entry === "string") return false;
-  if ((entry as { mode?: unknown }).mode === "proxy") return true;
   const authFields = cacheEntry?.authFields;
   if (!authFields) return null;
   const config = entry.config ?? {};
+  const resolvable =
+    opts?.resolvableFields && opts.resolvableFields.length > 0
+      ? new Set(opts.resolvableFields)
+      : null;
   for (const [field, info] of Object.entries(authFields)) {
     if (!info.required) continue;
     if (info.automated) continue;
-    if (!(field in config)) return false;
+    if (field in config) continue;
+    if (resolvable && resolvable.has(field)) continue;
+    return false;
   }
   return true;
 }
@@ -405,12 +423,6 @@ export interface AdkRefApi {
       stateContext?: Record<string, unknown>;
       /** Additional scopes to request (e.g., optional scopes declared by the agent) */
       scopes?: string[];
-      /**
-       * Opt out of proxy routing when the ref's source registry has
-       * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
-       * Defaults to `false` — if a registry offers a proxy we use it.
-       */
-      preferLocal?: boolean;
     },
   ): Promise<AuthStartResult>;
   /**
@@ -1161,96 +1173,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return fallback;
   }
 
-  // ==========================================
-  // Proxy Routing
-  // ==========================================
-
-  /**
-   * Find the configured RegistryEntry for a ref, consulting `sourceRegistry`
-   * first and falling back to the first registry in config. Returns `null` when
-   * the ref is sourced from a raw URL (no registry), in which case proxy routing
-   * does not apply.
-   */
-  async function findRegistryEntryForRef(
-    entry: RefEntry,
-  ): Promise<RegistryEntry | null> {
-    const sourceUrl = entry.sourceRegistry?.url;
-    if (!sourceUrl) return null;
-    const config = await readConfig();
-    const match = (config.registries ?? []).find((r) => {
-      if (typeof r === "string") return r === sourceUrl;
-      return r.url === sourceUrl;
-    });
-    if (!match || typeof match === "string") return null;
-    return match;
-  }
-
-  /**
-   * Returns the proxy settings for a ref when its source registry has
-   * `proxy` configured. `null` means "run locally".
-   *
-   * Callers pass `{ preferLocal: true }` to opt out of `mode: 'optional'`
-   * proxying when they already hold credentials locally. `mode: 'required'`
-   * cannot be bypassed — the registry owns auth server-side and there is
-   * nothing useful the local SDK can do.
-   */
-  async function resolveProxyForRef(
-    entry: RefEntry,
-    opts?: { preferLocal?: boolean },
-  ): Promise<{ reg: RegistryEntry; agent: string } | null> {
-    const reg = await findRegistryEntryForRef(entry);
-    if (!reg?.proxy) return null;
-    if (reg.proxy.mode === "optional" && opts?.preferLocal) return null;
-    return { reg, agent: reg.proxy.agent ?? "@config" };
-  }
-
-  /**
-   * Forward an `@config ref` operation to the proxy agent on a remote registry.
-   *
-   * The remote side speaks the standard adk-tools surface, so the call shape is
-   * identical to what the local `ref` API would do — the only difference is
-   * that tokens and secrets live server-side. `callRegistry` returns the
-   * standard CallAgentResponse envelope: `{ success: true, result }` on
-   * success or `{ success: false, error }` on failure. We unwrap once and
-   * throw on error so callers get a result that matches the local signature.
-   */
-  async function forwardRefOpToProxy<T>(
-    reg: RegistryEntry,
-    agent: string,
-    operation: string,
-    params: Record<string, unknown>,
-  ): Promise<T> {
-    const consumer = await buildConsumerForRef({
-      ref: "",
-      name: "",
-      sourceRegistry: { url: reg.url, agentPath: agent },
-    });
-    const resolved = consumer.registries().find((r) => r.url === reg.url);
-    if (!resolved)
-      throw new Error(
-        `Registry ${reg.url} not resolvable for proxy forwarding`,
-      );
-
-    const response = await consumer.callRegistry(resolved, {
-      action: "execute_tool",
-      path: agent,
-      tool: "ref",
-      params: { operation, ...params },
-    });
-
-    if (!response.success) {
-      const errResponse = response as {
-        success: false;
-        error?: string;
-        code?: string;
-      };
-      const msg =
-        errResponse.error ?? `Proxy ${agent}.ref(${operation}) failed`;
-      throw new Error(msg);
-    }
-    return (response as { success: true; result: unknown }).result as T;
-  }
-
   // ==========================================
   // Registry API
   // ==========================================
@@ -1265,39 +1187,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return `${SECRET_PREFIX}${await encryptSecret(value, options.encryptionKey)}`;
   }
 
-  /**
-   * Re-probe a registry with the current stored credentials to see whether it
-   * advertises `capabilities.registry.proxy` in its MCP `initialize` response,
-   * and persist the proxy config when it does. Safe to call after a successful
-   * `auth()` / `authLocal()` — on the add path we skip the proxy probe when
-   * auth is required, so this is the second chance to back-fill it.
-   *
-   * Respects explicit user config: if `proxy` is already set, we leave it
-   * alone. Any discovery failure is swallowed — proxy is an optimization,
-   * not a correctness requirement.
-   */
-  async function discoverProxyAfterAuth(nameOrUrl: string): Promise<void> {
-    const config = await readConfig();
-    const target = findRegistry(config.registries ?? [], nameOrUrl);
-    if (!target || typeof target === "string") return;
-    if (target.proxy) return;
-
-    try {
-      const consumer = await buildConsumer(nameOrUrl);
-      const discovered = await consumer.discover(target.url);
-      if (!discovered.proxy?.mode) return;
-      await updateRegistryEntry(nameOrUrl, (existing) => {
-        if (existing.proxy) return;
-        existing.proxy = {
-          mode: discovered.proxy!.mode,
-          ...(discovered.proxy!.agent && { agent: discovered.proxy!.agent }),
-        };
-      });
-    } catch {
-      // Proxy probe is best-effort — auth itself already succeeded.
-    }
-  }
-
   /**
    * Atomic read-modify-write on a registry entry by name or URL. Used by
    * `authLocal` to persist both `auth` and `oauth` together, which `auth()`
@@ -1449,14 +1338,10 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         (r) => registryDisplayName(r) !== alias,
       );
 
-      // Probe the registry before saving. Two things fall out of the probe:
-      //   1. Auth challenge — 401 + WWW-Authenticate points at RFC 9728
-      //      resource metadata; we persist it on `authRequirement` so
-      //      subsequent ops can refuse early with a friendly message.
-      //   2. Proxy capability — the MCP `initialize` response may advertise
-      //      `capabilities.registry.proxy`, which auto-populates `proxy`.
-      // Users who set `proxy` or `auth` explicitly on the entry always win:
-      // discovery only fills in blanks.
+      // Probe the registry before saving. If it returns 401 with a
+      // WWW-Authenticate / RFC 9728 resource metadata pointer, persist
+      // that on `authRequirement` so subsequent ops can refuse early
+      // with a friendly message.
       let final: RegistryEntry = entry;
       let authRequirement: RegistryAuthRequirement | undefined;
 
@@ -1475,33 +1360,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         }
       }
 
-      if (!entry.proxy && !authRequirement) {
-        try {
-          const probeConsumer = await createRegistryConsumer(
-            { registries: [entry], refs: [] },
-            { token: options.token, fetch: options.fetch },
-          );
-          const resolved = probeConsumer.registries()[0];
-          if (resolved) {
-            const discovered = await probeConsumer.discover(resolved.url);
-            if (discovered.proxy?.mode) {
-              final = {
-                ...final,
-                proxy: {
-                  mode: discovered.proxy.mode,
-                  ...(discovered.proxy.agent && {
-                    agent: discovered.proxy.agent,
-                  }),
-                },
-              };
-            }
-          }
-        } catch {
-          // Discovery is best-effort — offline, unreachable, or non-adk
-          // registries simply skip proxy auto-configuration.
-        }
-      }
-
       registries.push(final);
       await writeConfig({ ...config, registries });
       return authRequirement ? { authRequirement } : {};
@@ -1552,7 +1410,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         if (updates.auth) existing.auth = updates.auth;
         if (updates.headers)
           existing.headers = { ...existing.headers, ...updates.headers };
-        if (updates.proxy !== undefined) existing.proxy = updates.proxy;
         return existing;
       });
       if (!found) return false;
@@ -1669,7 +1526,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         }
         delete existing.authRequirement;
       });
-      if (updated) await discoverProxyAfterAuth(nameOrUrl);
       return updated;
     },
 
@@ -1850,7 +1706,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
                 };
                 delete existing.authRequirement;
               });
-              await discoverProxyAfterAuth(displayName);
               resOut.writeHead(200, { "Content-Type": "text/html" });
               resOut.end(renderAuthSuccess(displayName));
               server.close();
@@ -2297,18 +2152,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
-      // Registry-proxied refs: ask the remote @config for state (secrets live
-      // server-side so local inspection would always return "missing").
-      const proxy = await resolveProxyForRef(entry);
-      if (proxy) {
-        return forwardRefOpToProxy<RefAuthStatus>(
-          proxy.reg,
-          proxy.agent,
-          "auth-status",
-          { name },
-        );
-      }
-
       let security: SecuritySchemeSummary | null = null;
       try {
         const consumer = await buildConsumerForRef(entry);
@@ -2465,38 +2308,12 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         stateContext?: Record<string, unknown>;
         /** Additional scopes to request (e.g., optional scopes declared by the agent) */
         scopes?: string[];
-        /**
-         * Opt out of proxy routing when the ref's source registry has
-         * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
-         */
-        preferLocal?: boolean;
       },
     ): Promise<AuthStartResult> {
       const config = await readConfig();
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
-      // Registry-proxied auth: forward the start-of-flow to the remote @config
-      // agent. The registry owns the client_id/secret and returns an authorize
-      // URL pointing at the registry's OAuth callback domain, so the user
-      // completes the flow against the registry instead of localhost.
-      const proxy = await resolveProxyForRef(entry, {
-        preferLocal: opts?.preferLocal,
-      });
-      if (proxy) {
-        const params: Record<string, unknown> = { name };
-        if (opts?.apiKey !== undefined) params.apiKey = opts.apiKey;
-        if (opts?.credentials) params.credentials = opts.credentials;
-        if (opts?.scopes) params.scopes = opts.scopes;
-        if (opts?.stateContext) params.stateContext = opts.stateContext;
-        return forwardRefOpToProxy<AuthStartResult>(
-          proxy.reg,
-          proxy.agent,
-          "auth",
-          params,
-        );
-      }
-
       const status = await ref.authStatus(name);
       const security = status.security;
       const tryResolve = makeTryResolve({ name, entry, security });
@@ -2825,38 +2642,19 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         timeoutMs?: number;
       },
     ): Promise<{ complete: boolean }> {
-      // `ref.auth` is already proxy-aware — for proxied refs it returns
-      // the authorizeUrl that the registry minted against its own
-      // callback domain. Everything below is identical for local and
-      // proxied refs except the last step (polling for the callback),
-      // which only makes sense when we own the redirect URI.
       const result = await ref.auth(name);
       if (result.complete) return { complete: true };
 
-      const config = await readConfig();
-      const entry = findRef(config.refs ?? [], name);
-      const proxy = entry ? await resolveProxyForRef(entry) : null;
-
       const port = options.oauthCallbackPort ?? 8919;
       const timeout = opts?.timeoutMs ?? 300_000;
       const { createServer } = await import("node:http");
 
       // API key / HTTP auth — local credential form.
-      //
-      // We refuse to serve the form for a proxied ref: the registry
-      // owns the credential store, so the user needs to submit via
-      // whatever UI the registry exposes. Supporting this through the
-      // proxy would need a remote form endpoint — out of scope here.
       if (
         result.fields &&
         result.fields.length > 0 &&
         result.type !== "oauth2"
       ) {
-        if (proxy) {
-          throw new Error(
-            `Ref "${name}" is sourced from a proxied registry; submit credentials through ${proxy.agent} instead of a local form.`,
-          );
-        }
         return new Promise<{ complete: boolean }>((resolve, reject) => {
           const server = createServer(async (req, res) => {
             const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -2935,13 +2733,8 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         opts.onAuthorizeUrl(result.authorizeUrl);
       }
 
-      // Proxied refs: the registry owns the callback endpoint, so there's
-      // nothing to poll here. Callers poll `ref.authStatus` on their own
-      // schedule once the user finishes the remote consent screen.
-      if (proxy) return { complete: false };
-
-      // Local refs: spin up the callback server on oauthCallbackPort and
-      // block until the OAuth provider redirects back.
+      // Spin up the callback server on oauthCallbackPort and block
+      // until the OAuth provider redirects back.
       return new Promise<{ complete: boolean }>((resolve, reject) => {
         const server = createServer(async (req, res) => {
           const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -2986,20 +2779,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     },
 
     async refreshToken(name: string): Promise<{ accessToken: string } | null> {
-      // Registry-proxied refs: the remote @config holds the refresh_token.
-      const entryForProxy = await ref.get(name);
-      if (entryForProxy) {
-        const proxy = await resolveProxyForRef(entryForProxy);
-        if (proxy) {
-          return forwardRefOpToProxy<{ accessToken: string } | null>(
-            proxy.reg,
-            proxy.agent,
-            "refresh-token",
-            { name },
-          );
-        }
-      }
-
       // Read stored refresh_token
       const refreshToken = await readRefSecret(name, "refresh_token");
       if (!refreshToken) return null;

package/src/define-config.ts

@@ -34,30 +34,6 @@ export type RegistryAuth =
   | { type: "api-key"; key?: string; header?: string }
   | { type: "jwt"; issuer?: string };
 
-/**
- * Proxy configuration for a registry.
- *
- * When set, ref operations (`auth`, `auth-status`, `call`, `inspect`,
- * `resources`, `read`, `refresh-token`) for refs sourced from this
- * registry are forwarded to a server-side agent that implements the
- * adk-tools surface. Use this for cloud-hosted registries that own
- * OAuth client credentials and/or user tokens on behalf of consumers
- * (e.g. `api.twin.slash.com/mcp`).
- *
- * - `mode: 'required'` — all ref ops MUST route through the proxy agent.
- *   Local handshake (`ref.authLocal`) is refused for refs from this
- *   registry because the local environment has no way to build an
- *   authorize URL without the server's client credentials.
- * - `mode: 'optional'` — proxy is the default; callers may opt out via
- *   `{ preferLocal: true }` on a per-op basis when they already hold
- *   local credentials.
- */
-export interface RegistryProxy {
-  mode: "required" | "optional";
-  /** Agent path to forward to. Defaults to `@config`. */
-  agent?: string;
-}
-
 /**
  * OAuth state captured after `adk registry auth` completes a dynamic-client
  * registration + authorization-code flow against a registry. Stored alongside
@@ -121,13 +97,6 @@ export interface RegistryEntry {
   /** Connection status — set by validation/test, used to filter active entries */
   status?: "active" | "inactive" | "error";
 
-  /**
-   * If set, ref ops for refs sourced from this registry are forwarded
-   * to a server-side adk-tools agent (default `@config`) instead of
-   * running locally. See {@link RegistryProxy}.
-   */
-  proxy?: RegistryProxy;
-
   /**
    * Populated by `adk registry add` when the probe returned 401. Cleared
    * by `adk registry auth`. Registry ops refuse to run while this is set

package/src/materialize.ts

@@ -294,10 +294,9 @@ export async function materializeRef(
   // to actually fetch the body. Then the per-resource field is `content`,
   // not `text` (per `CallAgentReadResourcesResponse`).
   //
-  // Response shape varies depending on the call path: direct calls return
-  // `{success, agentPath, resources}` while proxied calls return
-  // `{success, result: {success, agentPath, resources}}` (the proxy wraps
-  // the inner registry response). Unwrap both shapes the same way.
+  // The unwrap below tolerates both `{success, resources}` (direct) and
+  // `{success, result: {resources}}` (registries that wrap responses
+  // through their MCP `tools/call` envelope) without caring which.
   try {
     type ResourceListEntry = {
       uri?: string;

package/src/registry-consumer.ts

@@ -209,16 +209,6 @@ export interface RegistryConfiguration {
   jwks_uri?: string;
   token_endpoint?: string;
   supported_grant_types?: string[];
-  /**
-   * When the registry advertises proxy support in its `initialize` response,
-   * consumers can auto-populate `RegistryEntry.proxy` at add time so ref ops
-   * forward to the server-side adk-tools agent automatically.
-   */
-  proxy?: {
-    mode: "required" | "optional";
-    /** Agent path to forward to. Defaults to '@config'. */
-    agent?: string;
-  };
 }
 
 /** Fields common to every agent reference a registry can return. */
@@ -498,34 +488,17 @@ async function discoverRegistryViaMcp(
     clientInfo: { name: "agents-sdk-consumer", version: "1.0.0" },
   })) as {
     serverInfo?: { name?: string; version?: string };
-    capabilities?: {
-      registry?: {
-        proxy?: {
-          mode?: "required" | "optional";
-          agent?: string;
-        };
-      };
-    };
   };
 
   await rpc("notifications/initialized").catch(() => {});
 
   const issuer = issuerFromMcpUrlAndServerInfo(serverUrl, initResult?.serverInfo);
 
-  const advertisedProxy = initResult?.capabilities?.registry?.proxy;
-  const proxy = advertisedProxy?.mode
-    ? {
-        mode: advertisedProxy.mode,
-        ...(advertisedProxy.agent && { agent: advertisedProxy.agent }),
-      }
-    : undefined;
-
   return {
     issuer,
     jwks_uri: `${issuer}/.well-known/jwks.json`,
     token_endpoint: `${issuer}/oauth/token`,
     supported_grant_types: ["client_credentials", "jwt_exchange"],
-    ...(proxy && { proxy }),
   };
 }
 

package/src/server.ts

@@ -206,17 +206,6 @@ export interface AgentServerOptions {
     features?: string[];
     /** OAuth callback URL for shared OAuth flows */
     oauthCallbackUrl?: string;
-    /**
-     * Announce that ref operations for agents sourced from this registry
-     * should be forwarded to a server-side adk-tools agent instead of
-     * running locally. Consumers pick this up during `registry.add` and
-     * auto-populate `RegistryEntry.proxy` — no user flag needed.
-     */
-    proxy?: {
-      mode: "required" | "optional";
-      /** Agent path to forward to. Defaults to '@config'. */
-      agent?: string;
-    };
   };
   /**
    * Structured logger for server-side errors (tool-call failures, JWT
@@ -602,14 +591,6 @@ export function createAgentServer(
                 ...(options.registry.oauthCallbackUrl && {
                   oauthCallbackUrl: options.registry.oauthCallbackUrl,
                 }),
-                ...(options.registry.proxy && {
-                  proxy: {
-                    mode: options.registry.proxy.mode,
-                    ...(options.registry.proxy.agent && {
-                      agent: options.registry.proxy.agent,
-                    }),
-                  },
-                }),
               },
             }),
           },