@slashfi/agents-sdk 0.85.0 → 0.87.0

package/src/config-store.test.ts

@@ -532,6 +532,38 @@ describe("ADK ref.call() full auto-refresh flow", () => {
     expect((result as any)?.result?.message).toBe("success");
     expect((result as any)?.result?.token).toBe("refreshed-token");
   });
+
+  test("ref.authStatus reports access_token.automated=false for authorizationCode (user must consent)", async () => {
+    // Regression: previously `access_token.automated` was hardcoded to
+    // `true` for every oauth2 scheme. That made cached-authFields
+    // callers think the ref was "connected" the moment `ref.add` ran,
+    // even when the user had never completed OAuth — because the
+    // `automated:true` flag tells `isRefAuthComplete` to skip the
+    // presence check. For authorizationCode (which requires user
+    // consent), `automated` must be `false`.
+    const fs = createMemoryFs();
+    const adk = createAdk(fs, {
+      encryptionKey: "test-key-32-chars-long-enough!!",
+    });
+
+    await adk.registry.add({
+      name: "oauth-reg",
+      url: `http://localhost:${REG_PORT}`,
+    });
+    await adk.ref.add({
+      ref: "oauth-api",
+      name: "oauth-api-unauthed",
+      sourceRegistry: {
+        url: `http://localhost:${REG_PORT}`,
+        agentPath: "oauth-api",
+      },
+    });
+
+    const status = await adk.ref.authStatus("oauth-api-unauthed");
+    expect(status.complete).toBe(false);
+    expect(status.fields?.access_token?.automated).toBe(false);
+    expect(status.fields?.access_token?.present).toBe(false);
+  });
 });
 
 // ─── Registry auth lifecycle ─────────────────────────────────────

package/src/config-store.ts

@@ -811,11 +811,31 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     const entry = findRef(config.refs ?? [], name);
     const value = entry?.config?.[key];
     if (typeof value !== "string") return null;
-    if (value.startsWith(SECRET_PREFIX) && options.encryptionKey) {
-      return decryptSecret(
-        value.slice(SECRET_PREFIX.length),
-        options.encryptionKey,
-      );
+    if (value.startsWith(SECRET_PREFIX)) {
+      // Encrypted credential. Refuse to forward the ciphertext verbatim;
+      // upstreams will silently reject `secret:...` as a bearer token
+      // and the cause becomes invisible.
+      if (!options.encryptionKey) {
+        throw new AdkError({
+          code: "encryption_key_missing",
+          message: `ref.call(${name}): credential "${key}" is encrypted (secret:...) but this Adk instance was constructed without an encryptionKey.`,
+          hint: "Pass `encryptionKey` when constructing the Adk (createAdk/createAdkForUser/createAdkForTenant).",
+          details: { ref: name, field: key },
+        });
+      }
+      try {
+        return await decryptSecret(
+          value.slice(SECRET_PREFIX.length),
+          options.encryptionKey,
+        );
+      } catch (err) {
+        throw new AdkError({
+          code: "encryption_key_mismatch",
+          message: `ref.call(${name}): failed to decrypt credential "${key}". The configured encryptionKey does not match the key used to encrypt this value.`,
+          hint: "Re-encrypt the ref's credentials with the current encryptionKey, or restore the previous key.",
+          details: { ref: name, field: key, cause: (err as Error)?.message },
+        });
+      }
     }
     return value;
   }
@@ -2098,16 +2118,35 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       if (rawHeaders && typeof rawHeaders === "object") {
         resolvedHeaders = {};
         for (const [k, v] of Object.entries(rawHeaders)) {
-          if (
-            typeof v === "string" &&
-            v.startsWith(SECRET_PREFIX) &&
-            options.encryptionKey
-          ) {
-            resolvedHeaders[k] = await decryptSecret(
-              v.slice(SECRET_PREFIX.length),
-              options.encryptionKey,
-            );
-          } else if (typeof v === "string") {
+          if (typeof v !== "string") continue;
+          if (v.startsWith(SECRET_PREFIX)) {
+            // Encrypted header value. Refuse to forward the ciphertext
+            // verbatim — that historically leaked literal `secret:...`
+            // strings as outbound HTTP headers, which upstreams rejected
+            // with opaque 401s. Hard-fail with a clear message so the
+            // misconfiguration surfaces instead of silently breaking auth.
+            if (!options.encryptionKey) {
+              throw new AdkError({
+                code: "encryption_key_missing",
+                message: `ref.call(${name}): header "${k}" is encrypted (secret:...) but this Adk instance was constructed without an encryptionKey, so the ciphertext cannot be resolved.`,
+                hint: "Pass `encryptionKey` when constructing the Adk (createAdk/createAdkForUser/createAdkForTenant), or strip the encrypted header from the ref config.",
+                details: { ref: name, header: k },
+              });
+            }
+            try {
+              resolvedHeaders[k] = await decryptSecret(
+                v.slice(SECRET_PREFIX.length),
+                options.encryptionKey,
+              );
+            } catch (err) {
+              throw new AdkError({
+                code: "encryption_key_mismatch",
+                message: `ref.call(${name}): failed to decrypt header "${k}". The configured encryptionKey does not match the key used to encrypt this value.`,
+                hint: "Re-encrypt the ref's headers with the current encryptionKey, or restore the previous key. Decrypting an unrelated value would have leaked ciphertext as a header before this fix.",
+                details: { ref: name, header: k, cause: (err as Error)?.message },
+              });
+            }
+          } else {
             resolvedHeaders[k] = v;
           }
         }
@@ -2226,9 +2265,28 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         const securityExt = security as {
           dynamicRegistration?: boolean;
           discoveryUrl?: string;
+          flows?: Record<string, unknown>;
         };
         const hasRegistration = !!securityExt.dynamicRegistration;
 
+        // `access_token.automated` decides whether `isRefAuthComplete`
+        // requires the token to be present in `entry.config`. It should
+        // be `true` ONLY when the SDK can mint the token with no user
+        // action — i.e. a pure machine-to-machine flow like
+        // `clientCredentials`. For `authorizationCode` / `implicit` /
+        // `password` (and the "no flows declared" fallback), the user
+        // must complete the OAuth consent step before the token lands
+        // in config, so treat it as a normal user-supplied required
+        // field. Without this, cached-authFields callers think the ref
+        // is "connected" the moment `ref.add` runs, even though the
+        // user never consented.
+        const declaredFlows = securityExt.flows
+          ? Object.keys(securityExt.flows)
+          : [];
+        const accessTokenAutomated =
+          declaredFlows.length > 0 &&
+          declaredFlows.every((f) => f === "clientCredentials");
+
         let oauthMetadata:
           | import("./mcp-client.js").OAuthServerMetadata
           | null = null;
@@ -2258,7 +2316,7 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         }
         fields.access_token = {
           required: true,
-          automated: true,
+          automated: accessTokenAutomated,
           present: configKeys.includes("access_token"),
           resolvable: false,
         };

package/src/encrypted-headers.test.ts

@@ -0,0 +1,150 @@
+import { describe, expect, test } from "bun:test";
+import type { FsStore } from "./agent-definitions/config";
+import { createAdk } from "./index";
+import { encryptSecret } from "./crypto";
+
+function memFs(initial: Record<string, unknown>): FsStore {
+  const files = new Map<string, string>([
+    ["consumer-config.json", JSON.stringify(initial)],
+  ]);
+  return {
+    async readFile(p) {
+      return files.get(p) ?? null;
+    },
+    async writeFile(p, c) {
+      files.set(p, c);
+    },
+  };
+}
+
+describe("ref.call: encrypted config.headers", () => {
+  const KEY = "test-encryption-key-1234567890";
+
+  test("forwards plaintext _headers when encryptionKey decrypts", async () => {
+    const encApi = `secret:${await encryptSecret("DD_API_KEY_REAL", KEY)}`;
+    const encApp = `secret:${await encryptSecret("DD_APP_KEY_REAL", KEY)}`;
+
+    const captured: Array<{ body: string }> = [];
+    const fetchSpy: typeof fetch = async (_url, init) => {
+      captured.push({ body: String((init as RequestInit | undefined)?.body) });
+      return new Response(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          id: "1",
+          result: { content: [{ type: "text", text: JSON.stringify({ ok: true }) }] },
+        }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    };
+
+    const adk = createAdk(
+      memFs({
+        registries: [{ name: "test", url: "https://example.com" }],
+        refs: [{
+          ref: "datadog",
+          scheme: "registry",
+          mode: "api",
+          sourceRegistry: { agentPath: "datadog", url: "https://example.com" },
+          config: { headers: { "DD-API-KEY": encApi, "DD-APPLICATION-KEY": encApp } },
+        }],
+      }),
+      { fetch: fetchSpy, encryptionKey: KEY },
+    );
+
+    await adk.ref.call("datadog", "some_tool", { foo: "bar" });
+
+    expect(captured.length).toBe(1);
+    const body = JSON.parse(captured[0].body);
+    const params = body.params.arguments.request.params;
+    expect(params._headers).toEqual({
+      "DD-API-KEY": "DD_API_KEY_REAL",
+      "DD-APPLICATION-KEY": "DD_APP_KEY_REAL",
+    });
+  });
+
+  test("hard-fails when secret: header present but encryptionKey is missing", async () => {
+    const encApi = `secret:${await encryptSecret("x", KEY)}`;
+
+    const fetchSpy: typeof fetch = async () =>
+      new Response("", { status: 200 });
+
+    const adk = createAdk(
+      memFs({
+        registries: [{ name: "test", url: "https://example.com" }],
+        refs: [{
+          ref: "datadog",
+          scheme: "registry",
+          mode: "api",
+          sourceRegistry: { agentPath: "datadog", url: "https://example.com" },
+          config: { headers: { "DD-API-KEY": encApi } },
+        }],
+      }),
+      { fetch: fetchSpy /* no encryptionKey */ },
+    );
+
+    await expect(
+      adk.ref.call("datadog", "some_tool", {}),
+    ).rejects.toThrow(/encryption_key_missing|encryptionKey/);
+  });
+
+  test("hard-fails when encryptionKey is present but cannot decrypt the value", async () => {
+    const encApi = `secret:${await encryptSecret("x", KEY)}`;
+
+    const fetchSpy: typeof fetch = async () =>
+      new Response("", { status: 200 });
+
+    const adk = createAdk(
+      memFs({
+        registries: [{ name: "test", url: "https://example.com" }],
+        refs: [{
+          ref: "datadog",
+          scheme: "registry",
+          mode: "api",
+          sourceRegistry: { agentPath: "datadog", url: "https://example.com" },
+          config: { headers: { "DD-API-KEY": encApi } },
+        }],
+      }),
+      { fetch: fetchSpy, encryptionKey: "a-different-wrong-key" },
+    );
+
+    await expect(
+      adk.ref.call("datadog", "some_tool", {}),
+    ).rejects.toThrow(/encryption_key_mismatch|decrypt/);
+  });
+
+  test("plaintext header values are still forwarded as-is", async () => {
+    const captured: Array<{ body: string }> = [];
+    const fetchSpy: typeof fetch = async (_url, init) => {
+      captured.push({ body: String((init as RequestInit | undefined)?.body) });
+      return new Response(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          id: "1",
+          result: { content: [{ type: "text", text: JSON.stringify({ ok: true }) }] },
+        }),
+        { status: 200, headers: { "content-type": "application/json" } },
+      );
+    };
+
+    const adk = createAdk(
+      memFs({
+        registries: [{ name: "test", url: "https://example.com" }],
+        refs: [{
+          ref: "weather",
+          scheme: "registry",
+          mode: "api",
+          sourceRegistry: { agentPath: "weather", url: "https://example.com" },
+          config: { headers: { "X-API-Key": "plain-value" } },
+        }],
+      }),
+      { fetch: fetchSpy /* no encryptionKey needed for plaintext */ },
+    );
+
+    await adk.ref.call("weather", "some_tool", {});
+
+    expect(captured.length).toBe(1);
+    const body = JSON.parse(captured[0].body);
+    const params = body.params.arguments.request.params;
+    expect(params._headers).toEqual({ "X-API-Key": "plain-value" });
+  });
+});

package/src/registry-consumer.ts

@@ -1002,7 +1002,14 @@ export async function createRegistryConsumer(
         );
       }
 
-      return callTool(registry, ref.ref, tool, params);
+      // Forward resolved per-ref headers as `_headers` so the registry
+      // injects them on the outbound REST call. Without this the
+      // `auth.headers` declared by the ref are silently dropped for
+      // registry-routed (`mode: "api"`) refs.
+      const paramsWithHeaders = resolvedHeaders
+        ? { ...params, _headers: resolvedHeaders }
+        : params;
+      return callTool(registry, ref.ref, tool, paramsWithHeaders);
     },
 
     discover(registryUrl: string) {