@spinabot/brigade 1.12.0 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -0
- package/convex/logs.d.ts +3 -3
- package/convex/memory.d.ts +21 -21
- package/convex/schema.d.ts +9 -9
- package/convex/skills.d.ts +3 -3
- package/dist/buildstamp.json +1 -1
- package/dist/cli/commands/config-cmd.d.ts +12 -19
- package/dist/cli/commands/config-cmd.d.ts.map +1 -1
- package/dist/cli/commands/config-cmd.js +14 -197
- package/dist/cli/commands/config-cmd.js.map +1 -1
- package/dist/cli/commands/connect.d.ts +6 -0
- package/dist/cli/commands/connect.d.ts.map +1 -1
- package/dist/cli/commands/connect.js +7 -0
- package/dist/cli/commands/connect.js.map +1 -1
- package/dist/cli/commands/doctor.d.ts.map +1 -1
- package/dist/cli/commands/doctor.js +2 -1
- package/dist/cli/commands/doctor.js.map +1 -1
- package/dist/cli/commands/expose.d.ts.map +1 -1
- package/dist/cli/commands/expose.js +22 -3
- package/dist/cli/commands/expose.js.map +1 -1
- package/dist/cli/commands/gateway.d.ts +12 -0
- package/dist/cli/commands/gateway.d.ts.map +1 -1
- package/dist/cli/commands/gateway.js +114 -2
- package/dist/cli/commands/gateway.js.map +1 -1
- package/dist/cli/commands/status.d.ts.map +1 -1
- package/dist/cli/commands/status.js +2 -1
- package/dist/cli/commands/status.js.map +1 -1
- package/dist/cli/program/build-program.d.ts.map +1 -1
- package/dist/cli/program/build-program.js +36 -0
- package/dist/cli/program/build-program.js.map +1 -1
- package/dist/config/io.d.ts +13 -0
- package/dist/config/io.d.ts.map +1 -1
- package/dist/config/io.js.map +1 -1
- package/dist/core/agents-crud-ops.d.ts +15 -0
- package/dist/core/agents-crud-ops.d.ts.map +1 -0
- package/dist/core/agents-crud-ops.js +27 -0
- package/dist/core/agents-crud-ops.js.map +1 -0
- package/dist/core/agents-ops.d.ts +43 -0
- package/dist/core/agents-ops.d.ts.map +1 -0
- package/dist/core/agents-ops.js +117 -0
- package/dist/core/agents-ops.js.map +1 -0
- package/dist/core/channels-ops.d.ts +30 -0
- package/dist/core/channels-ops.d.ts.map +1 -0
- package/dist/core/channels-ops.js +52 -0
- package/dist/core/channels-ops.js.map +1 -0
- package/dist/core/config-ops.d.ts +77 -0
- package/dist/core/config-ops.d.ts.map +1 -0
- package/dist/core/config-ops.js +241 -0
- package/dist/core/config-ops.js.map +1 -0
- package/dist/core/exec-ops.d.ts +48 -0
- package/dist/core/exec-ops.d.ts.map +1 -0
- package/dist/core/exec-ops.js +101 -0
- package/dist/core/exec-ops.js.map +1 -0
- package/dist/core/gateway-auth.d.ts +86 -0
- package/dist/core/gateway-auth.d.ts.map +1 -0
- package/dist/core/gateway-auth.js +156 -0
- package/dist/core/gateway-auth.js.map +1 -0
- package/dist/core/gateway-probe.d.ts +5 -0
- package/dist/core/gateway-probe.d.ts.map +1 -1
- package/dist/core/gateway-probe.js +2 -1
- package/dist/core/gateway-probe.js.map +1 -1
- package/dist/core/gateway-spawn.d.ts.map +1 -1
- package/dist/core/gateway-spawn.js +5 -2
- package/dist/core/gateway-spawn.js.map +1 -1
- package/dist/core/integrations-ops.d.ts +25 -0
- package/dist/core/integrations-ops.d.ts.map +1 -0
- package/dist/core/integrations-ops.js +40 -0
- package/dist/core/integrations-ops.js.map +1 -0
- package/dist/core/memory-ops.d.ts +20 -0
- package/dist/core/memory-ops.d.ts.map +1 -0
- package/dist/core/memory-ops.js +40 -0
- package/dist/core/memory-ops.js.map +1 -0
- package/dist/core/pairing-ops.d.ts +33 -0
- package/dist/core/pairing-ops.d.ts.map +1 -0
- package/dist/core/pairing-ops.js +78 -0
- package/dist/core/pairing-ops.js.map +1 -0
- package/dist/core/provider-ops.d.ts +17 -0
- package/dist/core/provider-ops.d.ts.map +1 -0
- package/dist/core/provider-ops.js +29 -0
- package/dist/core/provider-ops.js.map +1 -0
- package/dist/core/server.d.ts.map +1 -1
- package/dist/core/server.js +112 -1
- package/dist/core/server.js.map +1 -1
- package/dist/core/sessions-ops.d.ts +25 -0
- package/dist/core/sessions-ops.d.ts.map +1 -0
- package/dist/core/sessions-ops.js +77 -0
- package/dist/core/sessions-ops.js.map +1 -0
- package/dist/core/skills-ops.d.ts +14 -0
- package/dist/core/skills-ops.d.ts.map +1 -0
- package/dist/core/skills-ops.js +28 -0
- package/dist/core/skills-ops.js.map +1 -0
- package/dist/core/tunnel/auth-proxy.d.ts +3 -2
- package/dist/core/tunnel/auth-proxy.d.ts.map +1 -1
- package/dist/core/tunnel/auth-proxy.js +8 -34
- package/dist/core/tunnel/auth-proxy.js.map +1 -1
- package/dist/core/tunnel/manager.d.ts +4 -2
- package/dist/core/tunnel/manager.d.ts.map +1 -1
- package/dist/core/tunnel/manager.js +3 -2
- package/dist/core/tunnel/manager.js.map +1 -1
- package/dist/protocol/methods.d.ts +478 -0
- package/dist/protocol/methods.d.ts.map +1 -1
- package/dist/tui/client.d.ts +8 -0
- package/dist/tui/client.d.ts.map +1 -1
- package/dist/tui/client.js +5 -1
- package/dist/tui/client.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Exec-approval operations behind the `exec.*` gateway RPCs — the
|
|
3
|
+
* `brigade exec <list|allow|allow-pattern|remove|deny-test>` surface, reachable
|
|
4
|
+
* from a remote client.
|
|
5
|
+
*
|
|
6
|
+
* OPERATOR-SCOPED, per-agent: manages an agent's bash approval allowlist. NOT
|
|
7
|
+
* session-targeted — the operator manages exec trust for their OWN agents, the
|
|
8
|
+
* same posture as the already-allowlisted `exec-grant-skill` / `exec-allow-all`
|
|
9
|
+
* RPCs. No per-session access guard is needed (and the guard-sweep allowlists
|
|
10
|
+
* these by name for that reason).
|
|
11
|
+
*
|
|
12
|
+
* All structured returns (no console I/O) so the gateway can hand them straight
|
|
13
|
+
* back to a WS client. The underlying primitives in `exec-approvals.ts` are the
|
|
14
|
+
* SAME ones the CLI calls, so `brigade exec allow` and `exec.allow` over the
|
|
15
|
+
* wire behave identically — including the hard-deny safety net.
|
|
16
|
+
*/
|
|
17
|
+
import { DEFAULT_AGENT_ID } from "../config/paths.js";
|
|
18
|
+
import { BrigadeApprovalRefusedError, decideApproval, getApprovalsFilePath, listApprovals, recordApproval, removeApproval, } from "./exec-approvals.js";
|
|
19
|
+
function resolveAgentId(agentId) {
|
|
20
|
+
const t = (agentId ?? "").trim();
|
|
21
|
+
return t.length > 0 ? t : DEFAULT_AGENT_ID;
|
|
22
|
+
}
|
|
23
|
+
export function handleExecList(params) {
|
|
24
|
+
const p = (params ?? {});
|
|
25
|
+
const agentId = resolveAgentId(p.agentId);
|
|
26
|
+
const { commands, patterns } = listApprovals(agentId);
|
|
27
|
+
return { agentId, filePath: getApprovalsFilePath(agentId), commands, patterns };
|
|
28
|
+
}
|
|
29
|
+
export function handleExecAllow(params) {
|
|
30
|
+
const p = (params ?? {});
|
|
31
|
+
const agentId = resolveAgentId(p.agentId);
|
|
32
|
+
const cmd = (p.command ?? "").trim();
|
|
33
|
+
if (!cmd)
|
|
34
|
+
return { ok: false, agentId, reason: "command is empty" };
|
|
35
|
+
if (decideApproval(cmd, agentId) === "deny") {
|
|
36
|
+
return { ok: false, agentId, value: cmd, reason: "matches a hard-deny pattern and cannot be allowlisted" };
|
|
37
|
+
}
|
|
38
|
+
try {
|
|
39
|
+
recordApproval(cmd, "exact", agentId);
|
|
40
|
+
}
|
|
41
|
+
catch (err) {
|
|
42
|
+
if (err instanceof BrigadeApprovalRefusedError)
|
|
43
|
+
return { ok: false, agentId, value: cmd, reason: err.message };
|
|
44
|
+
throw err;
|
|
45
|
+
}
|
|
46
|
+
return { ok: true, agentId, kind: "exact", value: cmd };
|
|
47
|
+
}
|
|
48
|
+
export function handleExecAllowPattern(params) {
|
|
49
|
+
const p = (params ?? {});
|
|
50
|
+
const agentId = resolveAgentId(p.agentId);
|
|
51
|
+
const pat = (p.pattern ?? "").trim();
|
|
52
|
+
if (!pat)
|
|
53
|
+
return { ok: false, agentId, reason: "pattern is empty" };
|
|
54
|
+
try {
|
|
55
|
+
new RegExp(pat);
|
|
56
|
+
}
|
|
57
|
+
catch (err) {
|
|
58
|
+
return { ok: false, agentId, value: pat, reason: `invalid regex: ${err.message}` };
|
|
59
|
+
}
|
|
60
|
+
try {
|
|
61
|
+
recordApproval(pat, "pattern", agentId);
|
|
62
|
+
}
|
|
63
|
+
catch (err) {
|
|
64
|
+
if (err instanceof BrigadeApprovalRefusedError)
|
|
65
|
+
return { ok: false, agentId, value: pat, reason: err.message };
|
|
66
|
+
throw err;
|
|
67
|
+
}
|
|
68
|
+
return { ok: true, agentId, kind: "pattern", value: pat };
|
|
69
|
+
}
|
|
70
|
+
export function handleExecRemove(params) {
|
|
71
|
+
const p = (params ?? {});
|
|
72
|
+
const agentId = resolveAgentId(p.agentId);
|
|
73
|
+
const value = (p.value ?? "").trim();
|
|
74
|
+
if (!value)
|
|
75
|
+
return { ok: false, agentId, removedCommands: 0, removedPatterns: 0, reason: "value is empty" };
|
|
76
|
+
let res;
|
|
77
|
+
try {
|
|
78
|
+
res = removeApproval(value, agentId);
|
|
79
|
+
}
|
|
80
|
+
catch (err) {
|
|
81
|
+
if (err instanceof BrigadeApprovalRefusedError) {
|
|
82
|
+
return { ok: false, agentId, removedCommands: 0, removedPatterns: 0, reason: err.message };
|
|
83
|
+
}
|
|
84
|
+
throw err;
|
|
85
|
+
}
|
|
86
|
+
const ok = res.removedCommands > 0 || res.removedPatterns > 0;
|
|
87
|
+
return {
|
|
88
|
+
ok,
|
|
89
|
+
agentId,
|
|
90
|
+
removedCommands: res.removedCommands,
|
|
91
|
+
removedPatterns: res.removedPatterns,
|
|
92
|
+
...(ok ? {} : { reason: `"${value}" not found in commands or patterns` }),
|
|
93
|
+
};
|
|
94
|
+
}
|
|
95
|
+
export function handleExecDenyTest(params) {
|
|
96
|
+
const p = (params ?? {});
|
|
97
|
+
const agentId = resolveAgentId(p.agentId);
|
|
98
|
+
const cmd = (p.command ?? "").trim();
|
|
99
|
+
return { agentId, command: cmd, decision: cmd ? decideApproval(cmd, agentId) : "deny" };
|
|
100
|
+
}
|
|
101
|
+
//# sourceMappingURL=exec-ops.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"exec-ops.js","sourceRoot":"","sources":["../../src/core/exec-ops.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAEN,2BAA2B,EAC3B,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,cAAc,GACd,MAAM,qBAAqB,CAAC;AAE7B,SAAS,cAAc,CAAC,OAAgB;IACvC,MAAM,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;AAC5C,CAAC;AAQD,MAAM,UAAU,cAAc,CAAC,MAAe;IAC7C,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAyB,CAAC;IACjD,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACtD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,oBAAoB,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AACjF,CAAC;AASD,MAAM,UAAU,eAAe,CAAC,MAAe;IAC9C,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAA2C,CAAC;IACnE,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACpE,IAAI,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,MAAM,EAAE,CAAC;QAC7C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC;IAC5G,CAAC;IACD,IAAI,CAAC;QACJ,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,2BAA2B;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAC/G,MAAM,GAAG,CAAC;IACX,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAe;IACrD,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAA2C,CAAC;IACnE,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACpE,IAAI,CAAC;QACJ,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kBAAmB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;IAC/F,CAAC;IACD,IAAI,CAAC;QACJ,cAAc,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,2BAA2B;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAC/G,MAAM,GAAG,CAAC;IACX,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AAC3D,CAAC;AASD,MAAM,UAAU,gBAAgB,CAAC,MAAe;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAyC,CAAC;IACjE,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC5G,IAAI,GAAyD,CAAC;IAC9D,IAAI,CAAC;QACJ,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,2BAA2B,EAAE,CAAC;YAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAC5F,CAAC;QACD,MAAM,GAAG,CAAC;IACX,CAAC;IACD,MAAM,EAAE,GAAG,GAAG,CAAC,eAAe,GAAG,CAAC,IAAI,GAAG,CAAC,eAAe,GAAG,CAAC,CAAC;IAC9D,OAAO;QACN,EAAE;QACF,OAAO;QACP,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,KAAK,qCAAqC,EAAE,CAAC;KACzE,CAAC;AACH,CAAC;AAOD,MAAM,UAAU,kBAAkB,CAAC,MAAe;IACjD,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAA2C,CAAC;IACnE,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;AACzF,CAAC"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Optional, multi-token authentication for the Brigade gateway.
|
|
3
|
+
*
|
|
4
|
+
* The gateway is localhost-only and UNAUTHENTICATED by default: every local
|
|
5
|
+
* connection is the operator and is granted full scope (see the connection
|
|
6
|
+
* handler in `core/server.ts`). That is the right default for a single-user
|
|
7
|
+
* machine. When the operator configures one or more tokens — `gateway.auth`
|
|
8
|
+
* in brigade.json, or the `BRIGADE_GATEWAY_TOKENS` env var — the gateway flips
|
|
9
|
+
* to REQUIRING a valid token on every WebSocket connection, and `brigade
|
|
10
|
+
* expose`'s auth-proxy accepts those same tokens.
|
|
11
|
+
*
|
|
12
|
+
* MULTIPLE tokens are supported on purpose: hand a distinct token to each
|
|
13
|
+
* client/device, and revoke one without disturbing the others. Any token in
|
|
14
|
+
* the list is equally valid.
|
|
15
|
+
*
|
|
16
|
+
* A token may travel three ways so browsers, CLIs, and WebSocket libraries can
|
|
17
|
+
* all authenticate:
|
|
18
|
+
* - `Authorization: Bearer <token>`
|
|
19
|
+
* - `x-brigade-token: <token>` header
|
|
20
|
+
* - `?token=<token>` query string
|
|
21
|
+
*
|
|
22
|
+
* This module is the single source of truth shared by BOTH the gateway
|
|
23
|
+
* connection gate and the expose auth-proxy, so the two can never drift.
|
|
24
|
+
*/
|
|
25
|
+
import type { IncomingHttpHeaders } from "node:http";
|
|
26
|
+
/** Header carrying a raw token (no `Bearer ` prefix). Brigade-native name. */
|
|
27
|
+
export declare const TOKEN_HEADER = "x-brigade-token";
|
|
28
|
+
/**
|
|
29
|
+
* Constant-time string equality. Returns `false` (never throws) when the
|
|
30
|
+
* candidate is missing or a different length — `timingSafeEqual` itself throws
|
|
31
|
+
* on length mismatch, so we guard that first. The length check is not itself
|
|
32
|
+
* constant-time, but a token's length is not the secret; its bytes are.
|
|
33
|
+
*/
|
|
34
|
+
export declare function tokenMatches(expected: string, provided: string | undefined): boolean;
|
|
35
|
+
/**
|
|
36
|
+
* `true` when `provided` equals ANY token in the list. Every token is compared
|
|
37
|
+
* (no early `break`) so the elapsed time can't reveal which token matched, or
|
|
38
|
+
* how many tokens are configured.
|
|
39
|
+
*/
|
|
40
|
+
export declare function matchesAnyToken(tokens: readonly string[], provided: string | undefined): boolean;
|
|
41
|
+
/** Pull a candidate token from the Authorization header, the token header, or `?token=`. */
|
|
42
|
+
export declare function extractToken(reqUrl: string | undefined, headers: IncomingHttpHeaders): string | undefined;
|
|
43
|
+
/** The auth slice of `gateway` config this module reads. */
|
|
44
|
+
export interface GatewayAuthConfig {
|
|
45
|
+
/** Explicit on/off override. `"none"` forces auth OFF even if tokens exist. */
|
|
46
|
+
mode?: "none" | "token" | "password";
|
|
47
|
+
/** Legacy single token (still honored, merged into the effective list). */
|
|
48
|
+
token?: string;
|
|
49
|
+
/** Multiple valid tokens. Any one authenticates a connection. */
|
|
50
|
+
tokens?: readonly string[];
|
|
51
|
+
password?: string;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Effective token list = `auth.token` (legacy single) ∪ `auth.tokens` ∪
|
|
55
|
+
* `BRIGADE_GATEWAY_TOKENS`, trimmed, blanks dropped, de-duplicated (order
|
|
56
|
+
* preserved). An empty result means the gateway stays unauthenticated.
|
|
57
|
+
*/
|
|
58
|
+
export declare function resolveGatewayTokens(auth: GatewayAuthConfig | undefined, env?: NodeJS.ProcessEnv): string[];
|
|
59
|
+
/**
|
|
60
|
+
* Whether the gateway should ENFORCE a token. Auth is on when there is at
|
|
61
|
+
* least one effective token AND the operator hasn't explicitly set
|
|
62
|
+
* `auth.mode: "none"` (the off-switch). Returns the resolved token list too so
|
|
63
|
+
* callers don't resolve twice.
|
|
64
|
+
*/
|
|
65
|
+
export declare function resolveGatewayAuth(auth: GatewayAuthConfig | undefined, env?: NodeJS.ProcessEnv): {
|
|
66
|
+
required: boolean;
|
|
67
|
+
tokens: string[];
|
|
68
|
+
};
|
|
69
|
+
/** A fresh URL-safe token (192 bits of entropy, base64url, no padding). */
|
|
70
|
+
export declare function generateGatewayToken(): string;
|
|
71
|
+
/** Mask a token for display — first 4 + last 4, the middle elided. */
|
|
72
|
+
export declare function maskToken(token: string): string;
|
|
73
|
+
/**
|
|
74
|
+
* Pick the token a LOCAL client should present to reach an authenticated
|
|
75
|
+
* gateway on this machine. Priority: explicit override (a `--token` flag) →
|
|
76
|
+
* the `BRIGADE_GATEWAY_TOKEN` env var → the first configured token. Returns
|
|
77
|
+
* `undefined` when the gateway is unauthenticated — there is simply nothing to
|
|
78
|
+
* send and the connection works exactly as before.
|
|
79
|
+
*/
|
|
80
|
+
export declare function resolveClientToken(auth: GatewayAuthConfig | undefined, opts?: {
|
|
81
|
+
override?: string;
|
|
82
|
+
env?: NodeJS.ProcessEnv;
|
|
83
|
+
}): string | undefined;
|
|
84
|
+
/** `ws` connection headers carrying the token, if any (empty object otherwise). */
|
|
85
|
+
export declare function clientAuthHeaders(token: string | undefined): Record<string, string>;
|
|
86
|
+
//# sourceMappingURL=gateway-auth.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gateway-auth.d.ts","sourceRoot":"","sources":["../../src/core/gateway-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAErD,8EAA8E;AAC9E,eAAO,MAAM,YAAY,oBAAoB,CAAC;AAE9C;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAMpF;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAOhG;AAED,4FAA4F;AAC5F,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,EAAE,mBAAmB,GAAG,MAAM,GAAG,SAAS,CAiBzG;AAWD,4DAA4D;AAC5D,MAAM,WAAW,iBAAiB;IACjC,+EAA+E;IAC/E,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;IACrC,2EAA2E;IAC3E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iEAAiE;IACjE,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CACnC,IAAI,EAAE,iBAAiB,GAAG,SAAS,EACnC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAClC,MAAM,EAAE,CAeV;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,EAAE,iBAAiB,GAAG,SAAS,EACnC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAClC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAIzC;AAED,2EAA2E;AAC3E,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,sEAAsE;AACtE,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAG/C;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,EAAE,iBAAiB,GAAG,SAAS,EACnC,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAA;CAAO,GACvD,MAAM,GAAG,SAAS,CAOpB;AAED,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAEnF"}
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Optional, multi-token authentication for the Brigade gateway.
|
|
3
|
+
*
|
|
4
|
+
* The gateway is localhost-only and UNAUTHENTICATED by default: every local
|
|
5
|
+
* connection is the operator and is granted full scope (see the connection
|
|
6
|
+
* handler in `core/server.ts`). That is the right default for a single-user
|
|
7
|
+
* machine. When the operator configures one or more tokens — `gateway.auth`
|
|
8
|
+
* in brigade.json, or the `BRIGADE_GATEWAY_TOKENS` env var — the gateway flips
|
|
9
|
+
* to REQUIRING a valid token on every WebSocket connection, and `brigade
|
|
10
|
+
* expose`'s auth-proxy accepts those same tokens.
|
|
11
|
+
*
|
|
12
|
+
* MULTIPLE tokens are supported on purpose: hand a distinct token to each
|
|
13
|
+
* client/device, and revoke one without disturbing the others. Any token in
|
|
14
|
+
* the list is equally valid.
|
|
15
|
+
*
|
|
16
|
+
* A token may travel three ways so browsers, CLIs, and WebSocket libraries can
|
|
17
|
+
* all authenticate:
|
|
18
|
+
* - `Authorization: Bearer <token>`
|
|
19
|
+
* - `x-brigade-token: <token>` header
|
|
20
|
+
* - `?token=<token>` query string
|
|
21
|
+
*
|
|
22
|
+
* This module is the single source of truth shared by BOTH the gateway
|
|
23
|
+
* connection gate and the expose auth-proxy, so the two can never drift.
|
|
24
|
+
*/
|
|
25
|
+
import { randomBytes, timingSafeEqual } from "node:crypto";
|
|
26
|
+
/** Header carrying a raw token (no `Bearer ` prefix). Brigade-native name. */
|
|
27
|
+
export const TOKEN_HEADER = "x-brigade-token";
|
|
28
|
+
/**
|
|
29
|
+
* Constant-time string equality. Returns `false` (never throws) when the
|
|
30
|
+
* candidate is missing or a different length — `timingSafeEqual` itself throws
|
|
31
|
+
* on length mismatch, so we guard that first. The length check is not itself
|
|
32
|
+
* constant-time, but a token's length is not the secret; its bytes are.
|
|
33
|
+
*/
|
|
34
|
+
export function tokenMatches(expected, provided) {
|
|
35
|
+
if (!provided)
|
|
36
|
+
return false;
|
|
37
|
+
const a = Buffer.from(expected, "utf8");
|
|
38
|
+
const b = Buffer.from(provided, "utf8");
|
|
39
|
+
if (a.length !== b.length)
|
|
40
|
+
return false;
|
|
41
|
+
return timingSafeEqual(a, b);
|
|
42
|
+
}
|
|
43
|
+
/**
|
|
44
|
+
* `true` when `provided` equals ANY token in the list. Every token is compared
|
|
45
|
+
* (no early `break`) so the elapsed time can't reveal which token matched, or
|
|
46
|
+
* how many tokens are configured.
|
|
47
|
+
*/
|
|
48
|
+
export function matchesAnyToken(tokens, provided) {
|
|
49
|
+
if (!provided)
|
|
50
|
+
return false;
|
|
51
|
+
let ok = false;
|
|
52
|
+
for (const t of tokens) {
|
|
53
|
+
if (tokenMatches(t, provided))
|
|
54
|
+
ok = true;
|
|
55
|
+
}
|
|
56
|
+
return ok;
|
|
57
|
+
}
|
|
58
|
+
/** Pull a candidate token from the Authorization header, the token header, or `?token=`. */
|
|
59
|
+
export function extractToken(reqUrl, headers) {
|
|
60
|
+
const auth = headers["authorization"];
|
|
61
|
+
if (typeof auth === "string" && auth.toLowerCase().startsWith("bearer ")) {
|
|
62
|
+
const t = auth.slice(7).trim();
|
|
63
|
+
if (t.length > 0)
|
|
64
|
+
return t;
|
|
65
|
+
}
|
|
66
|
+
const hdr = headers[TOKEN_HEADER];
|
|
67
|
+
if (typeof hdr === "string" && hdr.length > 0)
|
|
68
|
+
return hdr;
|
|
69
|
+
if (Array.isArray(hdr) && hdr.length > 0 && hdr[0])
|
|
70
|
+
return hdr[0];
|
|
71
|
+
if (reqUrl) {
|
|
72
|
+
const qIdx = reqUrl.indexOf("?");
|
|
73
|
+
if (qIdx >= 0) {
|
|
74
|
+
const t = new URLSearchParams(reqUrl.slice(qIdx + 1)).get("token");
|
|
75
|
+
if (t)
|
|
76
|
+
return t;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
return undefined;
|
|
80
|
+
}
|
|
81
|
+
/** Split a `BRIGADE_GATEWAY_TOKENS` value on commas and/or whitespace. */
|
|
82
|
+
function splitEnvTokens(raw) {
|
|
83
|
+
if (!raw)
|
|
84
|
+
return [];
|
|
85
|
+
return raw
|
|
86
|
+
.split(/[\s,]+/)
|
|
87
|
+
.map((s) => s.trim())
|
|
88
|
+
.filter((s) => s.length > 0);
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Effective token list = `auth.token` (legacy single) ∪ `auth.tokens` ∪
|
|
92
|
+
* `BRIGADE_GATEWAY_TOKENS`, trimmed, blanks dropped, de-duplicated (order
|
|
93
|
+
* preserved). An empty result means the gateway stays unauthenticated.
|
|
94
|
+
*/
|
|
95
|
+
export function resolveGatewayTokens(auth, env = process.env) {
|
|
96
|
+
const out = [];
|
|
97
|
+
const seen = new Set();
|
|
98
|
+
const push = (t) => {
|
|
99
|
+
if (typeof t !== "string")
|
|
100
|
+
return;
|
|
101
|
+
const v = t.trim();
|
|
102
|
+
if (v.length > 0 && !seen.has(v)) {
|
|
103
|
+
seen.add(v);
|
|
104
|
+
out.push(v);
|
|
105
|
+
}
|
|
106
|
+
};
|
|
107
|
+
push(auth?.token);
|
|
108
|
+
for (const t of auth?.tokens ?? [])
|
|
109
|
+
push(t);
|
|
110
|
+
for (const t of splitEnvTokens(env.BRIGADE_GATEWAY_TOKENS))
|
|
111
|
+
push(t);
|
|
112
|
+
return out;
|
|
113
|
+
}
|
|
114
|
+
/**
|
|
115
|
+
* Whether the gateway should ENFORCE a token. Auth is on when there is at
|
|
116
|
+
* least one effective token AND the operator hasn't explicitly set
|
|
117
|
+
* `auth.mode: "none"` (the off-switch). Returns the resolved token list too so
|
|
118
|
+
* callers don't resolve twice.
|
|
119
|
+
*/
|
|
120
|
+
export function resolveGatewayAuth(auth, env = process.env) {
|
|
121
|
+
const tokens = resolveGatewayTokens(auth, env);
|
|
122
|
+
const required = tokens.length > 0 && auth?.mode !== "none";
|
|
123
|
+
return { required, tokens };
|
|
124
|
+
}
|
|
125
|
+
/** A fresh URL-safe token (192 bits of entropy, base64url, no padding). */
|
|
126
|
+
export function generateGatewayToken() {
|
|
127
|
+
return randomBytes(24).toString("base64url");
|
|
128
|
+
}
|
|
129
|
+
/** Mask a token for display — first 4 + last 4, the middle elided. */
|
|
130
|
+
export function maskToken(token) {
|
|
131
|
+
if (token.length <= 8)
|
|
132
|
+
return "*".repeat(Math.max(token.length, 1));
|
|
133
|
+
return `${token.slice(0, 4)}…${token.slice(-4)}`;
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Pick the token a LOCAL client should present to reach an authenticated
|
|
137
|
+
* gateway on this machine. Priority: explicit override (a `--token` flag) →
|
|
138
|
+
* the `BRIGADE_GATEWAY_TOKEN` env var → the first configured token. Returns
|
|
139
|
+
* `undefined` when the gateway is unauthenticated — there is simply nothing to
|
|
140
|
+
* send and the connection works exactly as before.
|
|
141
|
+
*/
|
|
142
|
+
export function resolveClientToken(auth, opts = {}) {
|
|
143
|
+
const override = opts.override?.trim();
|
|
144
|
+
if (override)
|
|
145
|
+
return override;
|
|
146
|
+
const env = opts.env ?? process.env;
|
|
147
|
+
const single = env.BRIGADE_GATEWAY_TOKEN?.trim();
|
|
148
|
+
if (single)
|
|
149
|
+
return single;
|
|
150
|
+
return resolveGatewayTokens(auth, env)[0];
|
|
151
|
+
}
|
|
152
|
+
/** `ws` connection headers carrying the token, if any (empty object otherwise). */
|
|
153
|
+
export function clientAuthHeaders(token) {
|
|
154
|
+
return token ? { [TOKEN_HEADER]: token } : {};
|
|
155
|
+
}
|
|
156
|
+
//# sourceMappingURL=gateway-auth.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gateway-auth.js","sourceRoot":"","sources":["../../src/core/gateway-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG3D,8EAA8E;AAC9E,MAAM,CAAC,MAAM,YAAY,GAAG,iBAAiB,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,QAA4B;IAC1E,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAAyB,EAAE,QAA4B;IACtF,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,EAAE,GAAG,KAAK,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACxB,IAAI,YAAY,CAAC,CAAC,EAAE,QAAQ,CAAC;YAAE,EAAE,GAAG,IAAI,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,CAAC;AACX,CAAC;AAED,4FAA4F;AAC5F,MAAM,UAAU,YAAY,CAAC,MAA0B,EAAE,OAA4B;IACpF,MAAM,IAAI,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1E,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IAClE,IAAI,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnE,IAAI,CAAC;gBAAE,OAAO,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IACD,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,0EAA0E;AAC1E,SAAS,cAAc,CAAC,GAAuB;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO,GAAG;SACR,KAAK,CAAC,QAAQ,CAAC;SACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC/B,CAAC;AAaD;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CACnC,IAAmC,EACnC,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,IAAI,GAAG,CAAC,CAAqB,EAAQ,EAAE;QAC5C,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO;QAClC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnB,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;IACF,CAAC,CAAC;IACF,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,MAAM,IAAI,EAAE;QAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,sBAAsB,CAAC;QAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,GAAG,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CACjC,IAAmC,EACnC,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,IAAI,KAAK,MAAM,CAAC;IAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,oBAAoB;IACnC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC9C,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,SAAS,CAAC,KAAa;IACtC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CACjC,IAAmC,EACnC,OAAuD,EAAE;IAEzD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,OAAO,oBAAoB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,iBAAiB,CAAC,KAAyB;IAC1D,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC/C,CAAC"}
|
|
@@ -109,6 +109,11 @@ export interface GatewayProbeOptions {
|
|
|
109
109
|
port?: number;
|
|
110
110
|
/** Total wallclock budget. Default 1500ms — enough for a local boot, fast enough to keep `brigade status` snappy. */
|
|
111
111
|
timeoutMs?: number;
|
|
112
|
+
/** Token for an authenticated gateway. Omit when unauthenticated (default).
|
|
113
|
+
* A missing/wrong token against an authed gateway surfaces as
|
|
114
|
+
* `errorKind: "auth"` (the handshake 401), which callers report as
|
|
115
|
+
* "up, but the token was rejected" rather than "down". */
|
|
116
|
+
token?: string;
|
|
112
117
|
}
|
|
113
118
|
/**
|
|
114
119
|
* Open a WebSocket to the gateway and read its state-on-connect frame.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gateway-probe.d.ts","sourceRoot":"","sources":["../../src/core/gateway-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"gateway-probe.d.ts","sourceRoot":"","sources":["../../src/core/gateway-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAG3D,eAAO,MAAM,gBAAgB,QAAwC,CAAC;AAEtE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,QAA8C,CAAC;AAElF;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,QAAS,CAAC;AAEjD,qEAAqE;AACrE,MAAM,WAAW,gBAAgB;IAC/B,qDAAqD;IACrD,EAAE,EAAE,MAAM,CAAC;IACX,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,mEAAmE;IACnE,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,CAwBxD;AAED;;;;;GAKG;AACH;yEACyE;AACzE,wBAAsB,aAAa,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAYhG;AAED,wBAAgB,iBAAiB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAkBrF;AAED,8DAA8D;AAC9D,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,CAoBxD;AAED;;;;GAIG;AACH,MAAM,MAAM,uBAAuB;AACjC,2DAA2D;AACzD,SAAS;AACX,gDAAgD;GAC9C,SAAS;AACX,kDAAkD;GAChD,KAAK;AACP,8EAA8E;GAC5E,MAAM;AACR,gCAAgC;GAC9B,KAAK;AACP,2CAA2C;GACzC,SAAS;AACX,8DAA8D;GAC5D,OAAO,CAAC;AAEZ,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,OAAO,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,wEAAwE;IACxE,KAAK,CAAC,EAAE,oBAAoB,CAAC;IAC7B,6CAA6C;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,uBAAuB,CAa1E;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qHAAqH;IACrH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;+DAG2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE,mBAAwB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA0D9F;AAED;;;;GAIG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAclD;AAED;;;;GAIG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAoBlD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQrE;AAED;8DAC8D;AAC9D,wBAAsB,OAAO,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAYhF;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOnD"}
|
|
@@ -23,6 +23,7 @@ import * as path from "node:path";
|
|
|
23
23
|
import { WebSocket } from "ws";
|
|
24
24
|
import { BRIGADE_DIR } from "./config.js";
|
|
25
25
|
import { tryGetRuntimeContext } from "../storage/runtime-context.js";
|
|
26
|
+
import { clientAuthHeaders } from "./gateway-auth.js";
|
|
26
27
|
export const GATEWAY_PID_PATH = path.join(BRIGADE_DIR, "gateway.pid");
|
|
27
28
|
/**
|
|
28
29
|
* Out-of-process supervisor heartbeat. The gateway writes the file every
|
|
@@ -176,7 +177,7 @@ export async function probeGateway(opts = {}) {
|
|
|
176
177
|
const start = Date.now();
|
|
177
178
|
return await new Promise((resolve) => {
|
|
178
179
|
let settled = false;
|
|
179
|
-
const ws = new WebSocket(url, { handshakeTimeout: timeoutMs });
|
|
180
|
+
const ws = new WebSocket(url, { handshakeTimeout: timeoutMs, headers: clientAuthHeaders(opts.token) });
|
|
180
181
|
const finish = (result) => {
|
|
181
182
|
if (settled)
|
|
182
183
|
return;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gateway-probe.js","sourceRoot":"","sources":["../../src/core/gateway-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;
|
|
1
|
+
{"version":3,"file":"gateway-probe.js","sourceRoot":"","sources":["../../src/core/gateway-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;AAEtE;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;AAElF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAYjD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,OAAO,GAAqB;QAChC,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;QACd,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC;KAC9C,CAAC;IAEF,mEAAmE;IACnE,iEAAiE;IACjE,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;IACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,yDAAyD;QAC3D,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,sBAAsB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,GAAG,sBAAsB,MAAM,CAAC;IAC5C,MAAM,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAAC;AACpD,CAAC;AAED;;;;;GAKG;AACH;yEACyE;AACzE,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,YAAqB;IACvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;QACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAiC,CAAC;YACrF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,iBAAiB,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,YAAqB;IACrD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,IAAI,sBAAsB,EAAE,MAAM,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA8B,CAAC;QAC5D,IACE,OAAO,MAAM,CAAC,EAAE,KAAK,QAAQ;YAC7B,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAC9B,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;YACnC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC;YAC3B,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAChC,CAAC;YACD,OAAO,MAA0B,CAAC;QACpC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,2EAA2E;IAC3E,0EAA0E;IAC1E,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;IACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,mEAAmE;QACrE,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;AACH,CAAC;AAoCD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAY;IAC/C,MAAM,GAAG,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACnF,4EAA4E;IAC5E,yCAAyC;IACzC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;QAAE,OAAO,SAAS,CAAC;IACnD,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IACxG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC;QAAE,OAAO,SAAS,CAAC;IAClF,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7G,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC;QAAE,OAAO,MAAM,CAAC;IAC9D,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1G,OAAO,OAAO,CAAC;AACjB,CAAC;AAcD,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAChC,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA4B,EAAE;IAC/D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,YAAY,CAAC;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,YAAY,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,GAAG,GAAG,QAAQ,IAAI,IAAI,IAAI,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,OAAO,MAAM,IAAI,OAAO,CAAqB,CAAC,OAAO,EAAE,EAAE;QACvD,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,EAAE,GAAG,IAAI,SAAS,CAAC,GAAG,EAAE,EAAE,gBAAgB,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACvG,MAAM,MAAM,GAAG,CAAC,MAA0B,EAAQ,EAAE;YAClD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,CAAC,kBAAkB,EAAE,CAAC;gBACxB,sEAAsE;gBACtE,+DAA+D;gBAC/D,kEAAkE;gBAClE,mEAAmE;gBACnE,uEAAuE;gBACvE,uEAAuE;gBACvE,yDAAyD;gBACzD,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBACzB,EAAE,CAAC,KAAK,EAAE,CAAC;YACb,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,mBAAmB,SAAS,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;QACnG,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACrB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9F,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,qEAAqE;YACrE,qEAAqE;YACrE,mEAAmE;YACnE,oBAAoB;YACpB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC7E,IAAI,MAAM,EAAE,IAAI,KAAK,OAAO,IAAI,MAAM,EAAE,KAAK,KAAK,OAAO,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC;wBACL,SAAS,EAAE,IAAI;wBACf,GAAG;wBACH,KAAK,EAAE,MAAM,CAAC,OAA+B;wBAC7C,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;qBAC1B,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;YACD,MAAM,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,6DAA6D;IAC7D,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;IACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzE,MAAM,OAAO,CAAC,SAAS,CAAC,gBAAgB,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;AACzE,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,6DAA6D;IAC7D,iEAAiE;IACjE,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;IACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,qEAAqE;QACvE,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,YAAqB;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,IAAI,gBAAgB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACxB,OAAO,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;8DAC8D;AAC9D,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,YAAqB;IACjD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;QACpC,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,WAAW,CAAC,YAAY,CAAC,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAQ,GAA6B,CAAC,IAAI,KAAK,OAAO,CAAC;IACzD,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gateway-spawn.d.ts","sourceRoot":"","sources":["../../src/core/gateway-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAaH,MAAM,WAAW,oBAAoB;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IACnC,sEAAsE;IACtE,cAAc,EAAE,OAAO,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACb;AAmED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,GAAE,oBAAyB,GAAG,OAAO,CAAC,mBAAmB,CAAC,
|
|
1
|
+
{"version":3,"file":"gateway-spawn.d.ts","sourceRoot":"","sources":["../../src/core/gateway-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAaH,MAAM,WAAW,oBAAoB;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IACnC,sEAAsE;IACtE,cAAc,EAAE,OAAO,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACb;AAmED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,GAAE,oBAAyB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAwExG"}
|
|
@@ -96,7 +96,10 @@ export async function ensureGatewayRunning(opts = {}) {
|
|
|
96
96
|
const port = opts.port ?? (Number(process.env.BRIGADE_PORT) || DEFAULT_PORT);
|
|
97
97
|
const timeoutMs = opts.spawnTimeoutMs ?? DEFAULT_SPAWN_TIMEOUT_MS;
|
|
98
98
|
const existing = await probeGateway({ host, port, timeoutMs: PROBE_TIMEOUT_MS });
|
|
99
|
-
|
|
99
|
+
// An authenticated gateway answers our token-less liveness probe with a 401
|
|
100
|
+
// (errorKind "auth") — that still proves a gateway is listening, so treat it
|
|
101
|
+
// as already-running instead of spawning a duplicate onto the held port.
|
|
102
|
+
if (existing.reachable || existing.errorKind === "auth")
|
|
100
103
|
return { alreadyRunning: true, host, port };
|
|
101
104
|
opts.onStatus?.("starting Brigade service…");
|
|
102
105
|
const child = spawnDetachedGateway(host, port);
|
|
@@ -133,7 +136,7 @@ export async function ensureGatewayRunning(opts = {}) {
|
|
|
133
136
|
}
|
|
134
137
|
await sleep(SPAWN_POLL_INTERVAL_MS);
|
|
135
138
|
const probe = await probeGateway({ host, port, timeoutMs: PROBE_TIMEOUT_MS });
|
|
136
|
-
if (probe.reachable)
|
|
139
|
+
if (probe.reachable || probe.errorKind === "auth")
|
|
137
140
|
return { alreadyRunning: false, host, port };
|
|
138
141
|
lastError = probe.error;
|
|
139
142
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gateway-spawn.js","sourceRoot":"","sources":["../../src/core/gateway-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAqB,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,sBAAsB,GAAG,GAAG,CAAC;AACnC,MAAM,wBAAwB,GAAG,MAAM,CAAC;AACxC,8EAA8E;AAC9E,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAkB9B,SAAS,KAAK,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,uBAAuB,CAAC,IAAY,EAAE,IAAY;IAC1D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,CAAC;IAChE,IAAI,QAAQ,EAAE,CAAC;QACd,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAY,CAAC;YAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjF,MAAM,GAAG,GAAW,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClE,+DAA+D;gBAC/D,+DAA+D;gBAC/D,iEAAiE;gBACjE,+DAA+D;gBAC/D,gEAAgE;gBAChE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,4DAA4D;QAC7D,CAAC;IACF,CAAC;IACD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACd,oEAAoE;YACnE,mEAAmE;YACnE,sCAAsC,CACvC,CAAC;IACH,CAAC;IACD,OAAO;QACN,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC;KAClF,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY,EAAE,IAAY;IACvD,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1D,OAAO,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;QACvB,6DAA6D;QAC7D,qEAAqE;QACrE,sDAAsD;QACtD,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,IAAI;QACjB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;KACnD,CAAC,CAAC;IACH,2EAA2E;IAC3E,0EAA0E;IAC1E,+DAA+D;AAChE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAA6B,EAAE;IACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,CAAC;IAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC;IAElE,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACjF,IAAI,QAAQ,CAAC,SAAS;QAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"gateway-spawn.js","sourceRoot":"","sources":["../../src/core/gateway-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAqB,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,sBAAsB,GAAG,GAAG,CAAC;AACnC,MAAM,wBAAwB,GAAG,MAAM,CAAC;AACxC,8EAA8E;AAC9E,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAkB9B,SAAS,KAAK,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,uBAAuB,CAAC,IAAY,EAAE,IAAY;IAC1D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,CAAC;IAChE,IAAI,QAAQ,EAAE,CAAC;QACd,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAY,CAAC;YAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjF,MAAM,GAAG,GAAW,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClE,+DAA+D;gBAC/D,+DAA+D;gBAC/D,iEAAiE;gBACjE,+DAA+D;gBAC/D,gEAAgE;gBAChE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,4DAA4D;QAC7D,CAAC;IACF,CAAC;IACD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACd,oEAAoE;YACnE,mEAAmE;YACnE,sCAAsC,CACvC,CAAC;IACH,CAAC;IACD,OAAO;QACN,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC;KAClF,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY,EAAE,IAAY;IACvD,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1D,OAAO,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;QACvB,6DAA6D;QAC7D,qEAAqE;QACrE,sDAAsD;QACtD,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,IAAI;QACjB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;KACnD,CAAC,CAAC;IACH,2EAA2E;IAC3E,0EAA0E;IAC1E,+DAA+D;AAChE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAA6B,EAAE;IACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,CAAC;IAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC;IAElE,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACjF,4EAA4E;IAC5E,6EAA6E;IAC7E,yEAAyE;IACzE,IAAI,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,KAAK,MAAM;QAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAErG,IAAI,CAAC,QAAQ,EAAE,CAAC,2BAA2B,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAE/C,wEAAwE;IACxE,0EAA0E;IAC1E,uEAAuE;IACvE,yEAAyE;IACzE,6EAA6E;IAC7E,0EAA0E;IAC1E,2EAA2E;IAC3E,IAAI,UAA6B,CAAC;IAClC,IAAI,SAA6E,CAAC;IAClF,MAAM,OAAO,GAAG,CAAC,GAAU,EAAQ,EAAE;QACpC,UAAU,GAAG,GAAG,CAAC;IAClB,CAAC,CAAC;IACF,MAAM,MAAM,GAAG,CAAC,IAAmB,EAAE,MAA6B,EAAQ,EAAE;QAC3E,SAAS,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC9B,CAAC,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC7B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE3B,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACxC,IAAI,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC;QAC/B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC9B,IAAI,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACd,uCAAuC,UAAU,CAAC,OAAO,IAAI;oBAC5D,8CAA8C,CAC/C,CAAC;YACH,CAAC;YACD,IAAI,SAAS,EAAE,CAAC;gBACf,MAAM,MAAM,GACX,SAAS,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,UAAU,SAAS,CAAC,MAAM,EAAE,CAAC;gBACvF,MAAM,IAAI,KAAK,CACd,qDAAqD,MAAM,KAAK;oBAC/D,oDAAoD;oBACpD,qDAAqD,CACtD,CAAC;YACH,CAAC;YACD,MAAM,KAAK,CAAC,sBAAsB,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAC9E,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,MAAM;gBAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAChG,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC;QACzB,CAAC;QACD,MAAM,IAAI,KAAK,CACd,iDAAiD,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG;YAC/E,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAChD,2DAA2D,CAC5D,CAAC;IACH,CAAC;YAAS,CAAC;QACV,sEAAsE;QACtE,uEAAuE;QACvE,yEAAyE;QACzE,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACvC,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,mEAAmE;QACnE,mEAAmE;QACnE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC5B,KAAK,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;AACF,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Integration control behind the `composio` and `oauth` gateway RPCs — the
|
|
3
|
+
* Composio connector (1,000+ apps) and the DIY OAuth-2 authorize flow, reachable
|
|
4
|
+
* from a remote client.
|
|
5
|
+
*
|
|
6
|
+
* Both reuse the owner-scoped tools (ctx-free execute; owner-gating is a session
|
|
7
|
+
* wrapper). Operator-scoped (allowlisted in the guard-sweep). Action-based,
|
|
8
|
+
* mirroring the tools 1:1.
|
|
9
|
+
*
|
|
10
|
+
* REMOTE NOTES:
|
|
11
|
+
* - `composio` is fully remote-capable: Composio HOSTS the OAuth callback, so
|
|
12
|
+
* `connect` returns a click-link the operator opens anywhere and the gateway
|
|
13
|
+
* just polls `status` — no gateway loopback involved.
|
|
14
|
+
* - `oauth` is the DIY loopback flow: `start` opens a 127.0.0.1 listener ON THE
|
|
15
|
+
* GATEWAY HOST with a loopback redirect_uri, so the round-trip only completes
|
|
16
|
+
* when the operator's browser can reach the GATEWAY's loopback (local to the
|
|
17
|
+
* gateway, or tunneled). A pure-remote browser would hit its OWN loopback.
|
|
18
|
+
* `status`/`token` work remotely. For remote app integrations prefer
|
|
19
|
+
* `composio`.
|
|
20
|
+
*/
|
|
21
|
+
/** `composio` — Composio connector: set-key/apps/connect/status/search/execute/disconnect/refresh. */
|
|
22
|
+
export declare function handleComposio(params: unknown): Promise<unknown>;
|
|
23
|
+
/** `oauth` — DIY OAuth-2 authorize: start/await/cancel/status/token (see loopback caveat above). */
|
|
24
|
+
export declare function handleOauth(params: unknown): Promise<unknown>;
|
|
25
|
+
//# sourceMappingURL=integrations-ops.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"integrations-ops.d.ts","sourceRoot":"","sources":["../../src/core/integrations-ops.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAMH,sGAAsG;AACtG,wBAAsB,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtE;AAED,oGAAoG;AACpG,wBAAsB,WAAW,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAMnE"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Integration control behind the `composio` and `oauth` gateway RPCs — the
|
|
3
|
+
* Composio connector (1,000+ apps) and the DIY OAuth-2 authorize flow, reachable
|
|
4
|
+
* from a remote client.
|
|
5
|
+
*
|
|
6
|
+
* Both reuse the owner-scoped tools (ctx-free execute; owner-gating is a session
|
|
7
|
+
* wrapper). Operator-scoped (allowlisted in the guard-sweep). Action-based,
|
|
8
|
+
* mirroring the tools 1:1.
|
|
9
|
+
*
|
|
10
|
+
* REMOTE NOTES:
|
|
11
|
+
* - `composio` is fully remote-capable: Composio HOSTS the OAuth callback, so
|
|
12
|
+
* `connect` returns a click-link the operator opens anywhere and the gateway
|
|
13
|
+
* just polls `status` — no gateway loopback involved.
|
|
14
|
+
* - `oauth` is the DIY loopback flow: `start` opens a 127.0.0.1 listener ON THE
|
|
15
|
+
* GATEWAY HOST with a loopback redirect_uri, so the round-trip only completes
|
|
16
|
+
* when the operator's browser can reach the GATEWAY's loopback (local to the
|
|
17
|
+
* gateway, or tunneled). A pure-remote browser would hit its OWN loopback.
|
|
18
|
+
* `status`/`token` work remotely. For remote app integrations prefer
|
|
19
|
+
* `composio`.
|
|
20
|
+
*/
|
|
21
|
+
import { DEFAULT_AGENT_ID } from "../agents/routing/session-key.js";
|
|
22
|
+
import { makeComposioTool } from "../agents/tools/composio-tool.js";
|
|
23
|
+
import { makeOAuthAuthorizeTool } from "../agents/tools/oauth-authorize-tool.js";
|
|
24
|
+
/** `composio` — Composio connector: set-key/apps/connect/status/search/execute/disconnect/refresh. */
|
|
25
|
+
export async function handleComposio(params) {
|
|
26
|
+
const p = (params ?? {});
|
|
27
|
+
const agentId = (p.agentId ?? "").trim() || DEFAULT_AGENT_ID;
|
|
28
|
+
const tool = makeComposioTool({ agentId });
|
|
29
|
+
const res = await tool.execute("gateway", params);
|
|
30
|
+
return res.details;
|
|
31
|
+
}
|
|
32
|
+
/** `oauth` — DIY OAuth-2 authorize: start/await/cancel/status/token (see loopback caveat above). */
|
|
33
|
+
export async function handleOauth(params) {
|
|
34
|
+
const p = (params ?? {});
|
|
35
|
+
const agentId = (p.agentId ?? "").trim() || DEFAULT_AGENT_ID;
|
|
36
|
+
const tool = makeOAuthAuthorizeTool({ agentId });
|
|
37
|
+
const res = await tool.execute("gateway", params);
|
|
38
|
+
return res.details;
|
|
39
|
+
}
|
|
40
|
+
//# sourceMappingURL=integrations-ops.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"integrations-ops.js","sourceRoot":"","sources":["../../src/core/integrations-ops.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yCAAyC,CAAC;AAEjF,sGAAsG;AACtG,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAe;IACnD,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAyB,CAAC;IACjD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,gBAAgB,CAAC;IAC7D,MAAM,IAAI,GAAG,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAe,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC,OAAO,CAAC;AACpB,CAAC;AAED,oGAAoG;AACpG,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAe;IAChD,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAyB,CAAC;IACjD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,gBAAgB,CAAC;IAC7D,MAAM,IAAI,GAAG,sBAAsB,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAe,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC,OAAO,CAAC;AACpB,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Memory (Tideline) write + governance behind the `memory.*` gateway RPCs — the
|
|
3
|
+
* write_memory + manage_memory surface, reachable from a remote client.
|
|
4
|
+
*
|
|
5
|
+
* Memory lives in `facts.jsonl` (a store, NOT brigade.json), so `config.set`
|
|
6
|
+
* cannot reach it — these RPCs are the only typed remote path to MUTATE memory.
|
|
7
|
+
* READ is already covered by the `memory-query` (list/search/inspect/stats) and
|
|
8
|
+
* `memory-graph` RPCs.
|
|
9
|
+
*
|
|
10
|
+
* OPERATOR-SCOPED: operates on the OWNER origin over the agent's workspace,
|
|
11
|
+
* exactly like the tools (filesystem AND Convex modes). Reuses the SAME
|
|
12
|
+
* write_memory / manage_memory tool logic — their `execute()` is pure (owner-
|
|
13
|
+
* gating is a session wrapper, not inside execute), so invoking them with an
|
|
14
|
+
* owner scope from the gateway is correct and byte-identical to a turn.
|
|
15
|
+
*/
|
|
16
|
+
/** `memory.write` — persist a durable fact. Params mirror the write_memory tool. */
|
|
17
|
+
export declare function handleMemoryWrite(params: unknown): Promise<unknown>;
|
|
18
|
+
/** `memory.manage` — dream/purge/inspect/export/retention/vault/retract/restore/relink. */
|
|
19
|
+
export declare function handleMemoryManage(params: unknown): Promise<unknown>;
|
|
20
|
+
//# sourceMappingURL=memory-ops.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"memory-ops.d.ts","sourceRoot":"","sources":["../../src/core/memory-ops.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAYH,oFAAoF;AACpF,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAMzE;AAED,2FAA2F;AAC3F,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAM1E"}
|