npm - @slashfi/agents-sdk - Versions diffs - 0.90.1 → 0.90.4 - Mend

@slashfi/agents-sdk 0.90.1 → 0.90.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/adk.js +61 -11
package/dist/adk.js.map +1 -1
package/dist/cjs/config-store.js +227 -33
package/dist/cjs/config-store.js.map +1 -1
package/dist/cjs/define-config.js.map +1 -1
package/dist/cjs/registry-consumer.js +10 -1
package/dist/cjs/registry-consumer.js.map +1 -1
package/dist/config-store.d.ts +36 -0
package/dist/config-store.d.ts.map +1 -1
package/dist/config-store.js +227 -33
package/dist/config-store.js.map +1 -1
package/dist/define-config.d.ts +4 -0
package/dist/define-config.d.ts.map +1 -1
package/dist/define-config.js.map +1 -1
package/dist/registry-consumer.d.ts.map +1 -1
package/dist/registry-consumer.js +10 -1
package/dist/registry-consumer.js.map +1 -1
package/package.json +1 -1
package/src/adk.ts +61 -13
package/src/config-store.test.ts +350 -0
package/src/config-store.ts +316 -36
package/src/consumer.test.ts +54 -0
package/src/define-config.ts +1 -0
package/src/registry-consumer.ts +10 -1

package/dist/cjs/config-store.js CHANGED Viewed

@@ -238,7 +238,7 @@ function renderCredentialForm(name, fields, error) {
       <div class="field">
         <label for="${esc(f.name)}">${esc(f.label)}</label>
         ${f.description ? `<p class="desc">${esc(f.description)}</p>` : ""}
-        <input id="${esc(f.name)}" name="${esc(f.name)}" type="${f.secret ? "password" : "text"}" required autocomplete="off" spellcheck="false" />
+        <input id="${esc(f.name)}" name="${esc(f.name)}" type="${f.secret ? "password" : "text"}" ${f.optional ? "" : "required"} autocomplete="off" spellcheck="false" />
       </div>`)
         .join("");
     const errorHtml = error ? `<div class="error">${esc(error)}</div>` : "";
@@ -480,6 +480,159 @@ function createAdk(fs, options = {}) {
             });
         };
     }
+    /**
+     * Call-time credential lookup: stored ref config first, then the host
+     * `resolveCredentials` callback. Does not persist resolved values.
+     */
+    async function resolveCallCredential(ctx, field) {
+        const stored = await readRefSecret(ctx.name, field);
+        if (stored)
+            return stored;
+        return makeTryResolve(ctx)(field);
+    }
+    const CALL_BEARER_FIELDS = ["access_token", "api_key", "token"];
+    function isBearerAuthField(field) {
+        return CALL_BEARER_FIELDS.includes(field);
+    }
+    /** Legacy cache entries may omit `outbound`; these are never call-time creds. */
+    const LEGACY_CONNECT_ONLY_FIELDS = new Set([
+        "client_id",
+        "client_secret",
+        "refresh_token",
+    ]);
+    function isCallOutboundAuthField(field, info) {
+        if (info.outbound === false)
+            return false;
+        if (info.outbound === true)
+            return true;
+        return !LEGACY_CONNECT_ONLY_FIELDS.has(field);
+    }
+    function readRegistryDeclaredAuthFields(security) {
+        if (!security || typeof security !== "object")
+            return undefined;
+        const raw = security.authFields;
+        if (!raw || typeof raw !== "object" || Array.isArray(raw))
+            return undefined;
+        const out = {};
+        for (const [field, meta] of Object.entries(raw)) {
+            if (!meta || typeof meta !== "object" || Array.isArray(meta))
+                continue;
+            const m = meta;
+            if (typeof m.required !== "boolean" || typeof m.automated !== "boolean") {
+                continue;
+            }
+            out[field] = { required: m.required, automated: m.automated };
+            if (typeof m.outbound === "boolean") {
+                out[field].outbound = m.outbound;
+            }
+        }
+        return Object.keys(out).length > 0 ? out : undefined;
+    }
+    async function mergeRegistryDeclaredAuthFields(fields, declared, canResolve, configKeys, refConfig) {
+        if (!declared)
+            return fields;
+        const next = {};
+        for (const [field, meta] of Object.entries(declared)) {
+            next[field] = {
+                required: meta.required,
+                automated: meta.automated,
+                present: configKeys.includes(field) || hasCredentialField(refConfig, field),
+                resolvable: await canResolve(field),
+                ...(meta.format && { format: meta.format }),
+                ...(meta.parts && { parts: meta.parts }),
+                ...(meta.outbound === false && { outbound: false }),
+            };
+        }
+        return next;
+    }
+    function bearerFieldSatisfied(accessToken, refConfig, field) {
+        if (accessToken)
+            return true;
+        return hasCredentialField(refConfig, field);
+    }
+    function fallbackCallAuthFields() {
+        return {
+            access_token: { required: true, automated: true },
+            api_key: { required: false, automated: true },
+            token: { required: false, automated: true },
+        };
+    }
+    function headerFieldSatisfied(headers, field) {
+        const wanted = normalizeCredentialKey(field);
+        return Object.keys(headers).some((key) => normalizeCredentialKey(key) === wanted);
+    }
+    function resolveHeaderNameForField(field, refConfig) {
+        const wanted = normalizeCredentialKey(field);
+        const configHeaders = refConfig.headers;
+        if (configHeaders &&
+            typeof configHeaders === "object" &&
+            !Array.isArray(configHeaders)) {
+            for (const key of Object.keys(configHeaders)) {
+                if (normalizeCredentialKey(key) === wanted)
+                    return key;
+            }
+        }
+        // x_api_key → X-API-KEY (registry codegen declares the canonical name;
+        // env-resolved keys use the normalized storage field name).
+        return field
+            .split("_")
+            .filter(Boolean)
+            .map((part) => part.toUpperCase())
+            .join("-");
+    }
+    /**
+     * Supplement call-time credentials from `resolveCredentials` when they
+     * are not already present in consumer-config. Stored values and config
+     * headers win — this only fills gaps. Walks cached `authFields` as the
+     * source of truth (registry-declared when auth-status has run).
+     */
+    async function resolveAllCallCredentials(opts) {
+        if (!options.resolveCredentials) {
+            return {
+                accessToken: opts.accessToken,
+                resolvedHeaders: opts.resolvedHeaders,
+            };
+        }
+        let accessToken = opts.accessToken;
+        let resolvedHeaders = opts.resolvedHeaders;
+        const { ctx, refConfig } = opts;
+        const cache = await readRegistryCache();
+        const authFields = cache.refs[ctx.name]?.authFields ?? fallbackCallAuthFields();
+        for (const [field, info] of Object.entries(authFields)) {
+            if (!isCallOutboundAuthField(field, info))
+                continue;
+            if (!info.required && !info.automated)
+                continue;
+            if (isBearerAuthField(field)) {
+                if (bearerFieldSatisfied(accessToken, refConfig, field))
+                    continue;
+                const value = await resolveCallCredential(ctx, field);
+                if (value)
+                    accessToken = accessToken ?? value;
+                continue;
+            }
+            if (hasCredentialField(refConfig, field))
+                continue;
+            if (resolvedHeaders && headerFieldSatisfied(resolvedHeaders, field)) {
+                continue;
+            }
+            const value = await resolveCallCredential(ctx, field);
+            if (!value)
+                continue;
+            resolvedHeaders = resolvedHeaders ?? {};
+            if (!headerFieldSatisfied(resolvedHeaders, field)) {
+                resolvedHeaders[resolveHeaderNameForField(field, refConfig)] = value;
+            }
+        }
+        if (!accessToken) {
+            const username = await resolveCallCredential(ctx, "username");
+            const password = await resolveCallCredential(ctx, "password");
+            if (username && password) {
+                accessToken = btoa(`${username}:${password}`);
+            }
+        }
+        return { accessToken, resolvedHeaders };
+    }
     /**
      * Resolve OAuth client credentials (client_id + client_secret) for a
      * ref. Walks: `resolveCredentials` callback → per-ref VCS storage.
@@ -766,11 +919,15 @@ function createAdk(fs, options = {}) {
                 return r;
             found = true;
             const existing = typeof r === "string" ? { url: r } : { ...r };
-            mutate(existing);
             return existing;
         });
         if (!found)
             return false;
+        for (const r of registries) {
+            if (typeof r !== "string" && (registryDisplayName(r) === nameOrUrl || registryUrl(r) === nameOrUrl)) {
+                await mutate(r);
+            }
+        }
         await writeConfig({ ...config, registries });
         return true;
     }
@@ -865,6 +1022,7 @@ function createAdk(fs, options = {}) {
             return;
         const hasUsableAuth = entry.auth && entry.auth.type !== "none"
             ? (entry.auth.type === "bearer" && !!entry.auth.token) ||
+                (entry.auth.type === "basic" && !!entry.auth.username) ||
                 (entry.auth.type === "api-key" && !!entry.auth.key)
             : false;
         if (hasUsableAuth)
@@ -898,6 +1056,7 @@ function createAdk(fs, options = {}) {
             let authRequirement;
             const hasUsableAuth = entry.auth && entry.auth.type !== "none"
                 ? (entry.auth.type === "bearer" && !!entry.auth.token) ||
+                    (entry.auth.type === "basic" && !!entry.auth.username) ||
                     (entry.auth.type === "api-key" && !!entry.auth.key)
                 : false;
             if (!hasUsableAuth) {
@@ -994,6 +1153,7 @@ function createAdk(fs, options = {}) {
                 if (typeof r !== "string" && r.authRequirement) {
                     const hasUsableAuth = r.auth && r.auth.type !== "none"
                         ? (r.auth.type === "bearer" && !!r.auth.token) ||
+                            (r.auth.type === "basic" && !!r.auth.username) ||
                             (r.auth.type === "api-key" && !!r.auth.key)
                         : false;
                     if (!hasUsableAuth) {
@@ -1030,23 +1190,29 @@ function createAdk(fs, options = {}) {
                 });
         },
         async auth(nameOrUrl, credential) {
-            // Encrypt the secret value up-front so the write path is uniform;
-            // `buildConsumer` decrypts on the read side via `decryptConfigSecrets`.
-            const protectedValue = "token" in credential
-                ? await protectSecret(credential.token)
-                : await protectSecret(credential.apiKey);
-            const updated = await updateRegistryEntry(nameOrUrl, (existing) => {
+            // Encrypt secret values before writing. `buildConsumer` decrypts on the
+            // read side via `decryptConfigSecrets`.
+            const updated = await updateRegistryEntry(nameOrUrl, async (existing) => {
                 if ("token" in credential) {
                     existing.auth = {
                         type: "bearer",
-                        token: protectedValue,
+                        token: await protectSecret(credential.token),
                         ...(credential.tokenUrl && { tokenUrl: credential.tokenUrl }),
                     };
                 }
+                else if ("username" in credential) {
+                    existing.auth = {
+                        type: "basic",
+                        username: await protectSecret(credential.username),
+                        ...(credential.password && {
+                            password: await protectSecret(credential.password),
+                        }),
+                    };
+                }
                 else {
                     existing.auth = {
                         type: "api-key",
-                        key: protectedValue,
+                        key: await protectSecret(credential.apiKey),
                         ...(credential.header && { header: credential.header }),
                     };
                 }
@@ -1097,6 +1263,7 @@ function createAdk(fs, options = {}) {
             // Already authenticated — nothing to do (unless forced above).
             const hasUsableAuth = target.auth && target.auth.type !== "none"
                 ? (target.auth.type === "bearer" && !!target.auth.token) ||
+                    (target.auth.type === "basic" && !!target.auth.username) ||
                     (target.auth.type === "api-key" && !!target.auth.key)
                 : false;
             if (hasUsableAuth && !target.authRequirement) {
@@ -1528,7 +1695,7 @@ function createAdk(fs, options = {}) {
             const entry = findRef(config.refs ?? [], name);
             if (!entry)
                 throw new Error(`Ref "${name}" not found`);
-            const accessToken = (await readRefSecret(name, "access_token")) ??
+            let accessToken = (await readRefSecret(name, "access_token")) ??
                 (await readRefSecret(name, "api_key")) ??
                 (await readRefSecret(name, "token"));
             // Resolve custom headers from config (e.g. { "X-API-Key": "secret:..." })
@@ -1575,6 +1742,16 @@ function createAdk(fs, options = {}) {
                     }
                 }
             }
+            if (options.resolveCredentials) {
+                const supplemented = await resolveAllCallCredentials({
+                    ctx: { name, entry, security: null },
+                    refConfig,
+                    accessToken,
+                    resolvedHeaders,
+                });
+                accessToken = supplemented.accessToken;
+                resolvedHeaders = supplemented.resolvedHeaders;
+            }
             const doCall = async (token) => {
                 // Direct MCP only for redirect/proxy agents with an MCP upstream.
                 // API-mode agents must go through the registry (it does REST translation).
@@ -1686,7 +1863,7 @@ function createAdk(fs, options = {}) {
             async function canResolve(field, oauthMetadata) {
                 return (await tryResolveField(field, oauthMetadata)) !== null;
             }
-            const fields = {};
+            let fields = {};
             if (security.type === "oauth2") {
                 const securityExt = security;
                 const hasRegistration = !!securityExt.dynamicRegistration;
@@ -1720,6 +1897,7 @@ function createAdk(fs, options = {}) {
                     automated: hasRegistration,
                     present: configKeys.includes("client_id"),
                     resolvable: await canResolve("client_id", oauthMetadata),
+                    outbound: false,
                 };
                 if (needsSecret) {
                     fields.client_secret = {
@@ -1727,13 +1905,14 @@ function createAdk(fs, options = {}) {
                         automated: hasRegistration,
                         present: configKeys.includes("client_secret"),
                         resolvable: await canResolve("client_secret", oauthMetadata),
+                        outbound: false,
                     };
                 }
                 fields.access_token = {
                     required: true,
                     automated: accessTokenAutomated,
                     present: configKeys.includes("access_token"),
-                    resolvable: false,
+                    resolvable: await canResolve("access_token"),
                 };
             }
             else if (security.type === "apiKey") {
@@ -1776,11 +1955,23 @@ function createAdk(fs, options = {}) {
                 }
             }
             else if (security.type === "http") {
+                const httpSec = security;
+                const isBasic = httpSec.scheme === "basic";
                 fields.token = {
                     required: true,
                     automated: false,
                     present: configKeys.includes("token"),
-                    resolvable: await canResolve("token"),
+                    resolvable: isBasic
+                        ? (await canResolve("username")) &&
+                            (await tryResolveField("password")) !== null
+                        : await canResolve("token"),
+                    ...(isBasic && {
+                        format: "basic",
+                        parts: [
+                            { name: "username", label: "Username", secret: false },
+                            { name: "password", label: "Password", secret: true, optional: true },
+                        ],
+                    }),
                 };
             }
             else if (security.type === "form") {
@@ -1799,7 +1990,8 @@ function createAdk(fs, options = {}) {
                     resolvable: await canResolve("access_token"),
                 };
             }
-            const complete = Object.values(fields).every((f) => !f.required || f.present || f.resolvable);
+            fields = await mergeRegistryDeclaredAuthFields(fields, readRegistryDeclaredAuthFields(security), canResolve, configKeys, (entry.config ?? {}));
+            const complete = Object.values(fields).every((f) => !f.required || f.automated || f.present || f.resolvable);
             // Persist the slim {required, automated} per-field shape into the
             // registry cache so `isRefAuthComplete` can answer subsequent
             // host-side "is this ref ready?" checks without re-fetching the
@@ -1811,6 +2003,9 @@ function createAdk(fs, options = {}) {
                 authFields[field] = {
                     required: info.required,
                     automated: info.automated,
+                    ...(info.format && { format: info.format }),
+                    ...(info.parts && { parts: info.parts }),
+                    ...(info.outbound === false && { outbound: false }),
                 };
             }
             await upsertRegistryCacheAuthFields(name, entry.ref, authFields);
@@ -1908,24 +2103,23 @@ function createAdk(fs, options = {}) {
                 const isBasic = httpSec.scheme === "basic";
                 if (isBasic) {
                     const username = opts?.credentials?.["username"] ?? (await tryResolve("username"));
-                    const password = opts?.credentials?.["password"] ?? (await tryResolve("password"));
-                    if (!username || !password) {
-                        const missingFields = [];
-                        if (!username)
-                            missingFields.push({
-                                name: "username",
-                                label: "Username",
-                                secret: false,
-                            });
-                        if (!password)
-                            missingFields.push({
-                                name: "password",
-                                label: "Password",
-                                secret: true,
-                            });
-                        return { type: "http", complete: false, fields: missingFields };
+                    const password = opts?.credentials?.["password"] ?? (await tryResolve("password")) ?? "";
+                    const hasUsername = username !== undefined && username !== null && username !== "";
+                    if (!hasUsername) {
+                        return {
+                            type: "http",
+                            complete: false,
+                            fields: [
+                                {
+                                    name: "username",
+                                    label: "Username",
+                                    secret: false,
+                                },
+                            ],
+                        };
                     }
-                    // Store as base64 encoded basic auth token
+                    // Store as base64 encoded basic auth token. Password may be blank
+                    // for APIs that use the Basic username slot as an API key.
                     const token = btoa(`${username}:${password}`);
                     await storeRefSecret(name, "token", token);
                     return { type: "http", complete: true };
@@ -2101,7 +2295,7 @@ function createAdk(fs, options = {}) {
                             const credentials = {};
                             for (const field of result.fields) {
                                 const val = params.get(field.name);
-                                if (val)
+                                if (val !== null)
                                     credentials[field.name] = val;
                             }
                             try {