@stdiobus/workers-registry 1.4.14 → 1.5.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -0
- package/out/dist/workers-registry/acp-registry/index.js +128 -2
- package/out/dist/workers-registry/acp-registry/index.js.map +4 -4
- package/out/dist/workers-registry/acp-worker/index.js +1 -3
- package/out/dist/workers-registry/acp-worker/index.js.map +4 -4
- package/out/dist/workers-registry/index.d.ts +1 -0
- package/out/dist/workers-registry/index.js +6 -0
- package/out/dist/workers-registry/registry-launcher/index.js +131 -0
- package/out/dist/workers-registry/registry-launcher/index.js.map +7 -0
- package/out/tsc/workers-registry/acp-worker/src/index.d.ts +0 -10
- package/out/tsc/workers-registry/registry-launcher/src/auth/auth-manager.d.ts +392 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/cli.property.test.d.ts +22 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/index.d.ts +9 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/login-command.d.ts +32 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/logout-command.d.ts +25 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/setup-command.d.ts +25 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/cli/status-command.d.ts +21 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/errors.d.ts +190 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/agent-auth-flow.d.ts +146 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/callback-server.d.ts +131 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/callback-server.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/index.d.ts +11 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.d.ts +252 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/index.d.ts +33 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/integration.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/anthropic-api-key.d.ts +154 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/index.d.ts +20 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/model-credentials.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/openai-api-key.d.ts +182 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/types.d.ts +186 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.d.ts +61 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/base-provider.d.ts +138 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/base-provider.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/cognito-provider.d.ts +44 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/concrete-providers.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/entra-provider.d.ts +54 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/github-provider.d.ts +19 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/google-provider.d.ts +19 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/index.d.ts +107 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/index.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.d.ts +413 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/providers.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/providers/types.d.ts +28 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/session.d.ts +251 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/session.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/session.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/state.d.ts +26 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/state.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/state.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/credential-store.d.ts +98 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/credential-store.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/encrypted-file-backend.d.ts +101 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/encrypted-file-backend.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/index.d.ts +12 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/keychain-backend.d.ts +80 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/keychain-backend.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/memory-backend.d.ts +54 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/storage.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/storage/types.d.ts +44 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.d.ts +171 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/types.d.ts +369 -0
- package/out/tsc/workers-registry/registry-launcher/src/auth/types.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/config/config.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/config/config.test.d.ts +1 -0
- package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/index.d.ts +51 -2
- package/out/tsc/workers-registry/registry-launcher/src/registry/index.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/registry/index.test.d.ts +1 -0
- package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/types.d.ts +24 -0
- package/out/tsc/workers-registry/registry-launcher/src/router/message-router.d.ts +770 -0
- package/out/tsc/workers-registry/registry-launcher/src/router/message-router.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/router/message-router.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/runtime/manager.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/runtime/manager.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/stream/ndjson-handler.property.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/src/stream/ndjson-handler.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/auth-flow.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/auth-required-flow.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/api-keys.d.ts +32 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/index.d.ts +17 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/launcher-harness.d.ts +101 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/registry-server.d.ts +46 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-agent-auth.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-api-keys.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-auth-required.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-cli.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-concurrent.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-lifecycle.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-terminal-auth.e2e.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/integration/agent-auth.integration.test.d.ts +9 -0
- package/out/tsc/workers-registry/registry-launcher/tests/integration/registry-launcher.test.d.ts +1 -0
- package/out/tsc/workers-registry/registry-launcher/tests/integration/terminal-auth.integration.test.d.ts +12 -0
- package/package.json +15 -11
- package/out/tsc/workers-registry/acp-worker/src/registry-launcher/router/message-router.d.ts +0 -199
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/config/config.property.test.d.ts → registry-launcher/src/auth/auth-manager.property.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/config/config.test.d.ts → registry-launcher/src/auth/auth-manager.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/registry/index.property.test.d.ts → registry-launcher/src/auth/cli/cli.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/registry/index.test.d.ts → registry-launcher/src/auth/cli/login-command.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/router/message-router.property.test.d.ts → registry-launcher/src/auth/cli/provider-config.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/router/message-router.test.d.ts → registry-launcher/src/auth/cli/setup-command.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/runtime/manager.property.test.d.ts → registry-launcher/src/auth/cli/status-command.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/runtime/manager.test.d.ts → registry-launcher/src/auth/errors.property.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/stream/ndjson-handler.property.test.d.ts → registry-launcher/src/auth/errors.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/stream/ndjson-handler.test.d.ts → registry-launcher/src/auth/flows/agent-auth-flow.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/tests/integration/registry-launcher.test.d.ts → registry-launcher/src/auth/flows/callback-server.property.test.d.ts} +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/api-keys.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/config.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/index.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/types.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/index.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/log.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/log.test.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/resolver.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/router/index.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/agent-runtime.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/index.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/manager.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/types.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/stream/index.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/stream/ndjson-handler.d.ts +0 -0
- /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/test-utils/index.d.ts +0 -0
|
@@ -0,0 +1,369 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Core type definitions for OAuth 2.1 authentication.
|
|
3
|
+
*
|
|
4
|
+
* @module types
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Supported OAuth/OIDC provider identifiers for user identity.
|
|
8
|
+
*
|
|
9
|
+
* Note: OpenAI and Anthropic are NOT public OAuth IdPs for third-party login.
|
|
10
|
+
* They use API keys instead. See ModelProviderId and model-credentials module.
|
|
11
|
+
*
|
|
12
|
+
* Requirements: 7.1, 7a.1
|
|
13
|
+
*/
|
|
14
|
+
export type AuthProviderId = 'google' | 'azure' | 'cognito' | 'github' | 'oidc';
|
|
15
|
+
/**
|
|
16
|
+
* Model API providers that use API keys (NOT OAuth).
|
|
17
|
+
*
|
|
18
|
+
* These providers do not offer public OAuth IdP for third-party login.
|
|
19
|
+
* Use API key authentication instead.
|
|
20
|
+
*
|
|
21
|
+
* Requirements: 7b.1, 7b.2
|
|
22
|
+
*/
|
|
23
|
+
export type ModelProviderId = 'openai' | 'anthropic';
|
|
24
|
+
/**
|
|
25
|
+
* Storage backend types.
|
|
26
|
+
*/
|
|
27
|
+
export type StorageBackendType = 'keychain' | 'encrypted-file' | 'memory';
|
|
28
|
+
/**
|
|
29
|
+
* Token status for a provider.
|
|
30
|
+
*/
|
|
31
|
+
export type TokenStatus = 'authenticated' | 'expired' | 'refresh-failed' | 'not-configured';
|
|
32
|
+
/**
|
|
33
|
+
* Authentication error codes.
|
|
34
|
+
*/
|
|
35
|
+
export type AuthErrorCode = 'INVALID_STATE' | 'TIMEOUT' | 'NETWORK_ERROR' | 'INVALID_CREDENTIALS' | 'STORAGE_ERROR' | 'PROVIDER_ERROR' | 'UNSUPPORTED_PROVIDER' | 'CALLBACK_ERROR' | 'TOKEN_REFRESH_FAILED' | 'HEADLESS_ENVIRONMENT';
|
|
36
|
+
/**
|
|
37
|
+
* OAuth token response from provider.
|
|
38
|
+
*/
|
|
39
|
+
export interface TokenResponse {
|
|
40
|
+
accessToken: string;
|
|
41
|
+
tokenType: string;
|
|
42
|
+
expiresIn?: number;
|
|
43
|
+
refreshToken?: string;
|
|
44
|
+
scope?: string;
|
|
45
|
+
idToken?: string;
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Token injection method for agent requests.
|
|
49
|
+
*/
|
|
50
|
+
export interface TokenInjectionMethod {
|
|
51
|
+
type: 'header' | 'query' | 'body';
|
|
52
|
+
key: string;
|
|
53
|
+
format?: string;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Custom provider endpoints (for Cognito/Azure).
|
|
57
|
+
*/
|
|
58
|
+
export interface ProviderEndpoints {
|
|
59
|
+
authorizationEndpoint: string;
|
|
60
|
+
tokenEndpoint: string;
|
|
61
|
+
userInfoEndpoint?: string;
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Stored credentials in credential store.
|
|
65
|
+
*/
|
|
66
|
+
export interface StoredCredentials {
|
|
67
|
+
providerId: AuthProviderId;
|
|
68
|
+
accessToken: string;
|
|
69
|
+
refreshToken?: string;
|
|
70
|
+
expiresAt?: number;
|
|
71
|
+
scope?: string;
|
|
72
|
+
clientId?: string;
|
|
73
|
+
clientSecret?: string;
|
|
74
|
+
customEndpoints?: ProviderEndpoints;
|
|
75
|
+
storedAt: number;
|
|
76
|
+
}
|
|
77
|
+
/**
|
|
78
|
+
* Authorization parameters for building auth URL.
|
|
79
|
+
*/
|
|
80
|
+
export interface AuthorizationParams {
|
|
81
|
+
clientId: string;
|
|
82
|
+
redirectUri: string;
|
|
83
|
+
scope: string;
|
|
84
|
+
state: string;
|
|
85
|
+
codeChallenge: string;
|
|
86
|
+
codeChallengeMethod: 'S256';
|
|
87
|
+
responseType: 'code';
|
|
88
|
+
additionalParams?: Record<string, string>;
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Successful callback result from OAuth redirect.
|
|
92
|
+
*/
|
|
93
|
+
export interface CallbackSuccess {
|
|
94
|
+
success: true;
|
|
95
|
+
code: string;
|
|
96
|
+
state: string;
|
|
97
|
+
}
|
|
98
|
+
/**
|
|
99
|
+
* Error callback result from OAuth redirect.
|
|
100
|
+
*/
|
|
101
|
+
export interface CallbackErrorResult {
|
|
102
|
+
success: false;
|
|
103
|
+
error: string;
|
|
104
|
+
errorDescription?: string;
|
|
105
|
+
state?: string;
|
|
106
|
+
}
|
|
107
|
+
/**
|
|
108
|
+
* Callback result from OAuth redirect (discriminated union).
|
|
109
|
+
* OAuth error redirects may not include 'code', only 'error'.
|
|
110
|
+
*/
|
|
111
|
+
export type CallbackResult = CallbackSuccess | CallbackErrorResult;
|
|
112
|
+
/**
|
|
113
|
+
* Agent auth flow options.
|
|
114
|
+
*/
|
|
115
|
+
export interface AgentAuthOptions {
|
|
116
|
+
timeoutMs?: number;
|
|
117
|
+
scopes?: string[];
|
|
118
|
+
clientId?: string;
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Authentication error with details.
|
|
122
|
+
*/
|
|
123
|
+
export interface AuthError {
|
|
124
|
+
code: AuthErrorCode;
|
|
125
|
+
message: string;
|
|
126
|
+
details?: Record<string, unknown>;
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Successful authentication result.
|
|
130
|
+
*/
|
|
131
|
+
export interface AuthResultSuccess {
|
|
132
|
+
success: true;
|
|
133
|
+
providerId: AuthProviderId;
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Failed authentication result.
|
|
137
|
+
*/
|
|
138
|
+
export interface AuthResultFailure {
|
|
139
|
+
success: false;
|
|
140
|
+
providerId: AuthProviderId;
|
|
141
|
+
error: AuthError;
|
|
142
|
+
}
|
|
143
|
+
/**
|
|
144
|
+
* Authentication result (discriminated union).
|
|
145
|
+
*/
|
|
146
|
+
export type AuthResult = AuthResultSuccess | AuthResultFailure;
|
|
147
|
+
/**
|
|
148
|
+
* Auth status for display.
|
|
149
|
+
*/
|
|
150
|
+
export interface AuthStatusEntry {
|
|
151
|
+
providerId: AuthProviderId;
|
|
152
|
+
status: TokenStatus;
|
|
153
|
+
expiresAt?: number;
|
|
154
|
+
scope?: string;
|
|
155
|
+
lastRefresh?: number;
|
|
156
|
+
}
|
|
157
|
+
/**
|
|
158
|
+
* Map of provider IDs to their auth status.
|
|
159
|
+
*/
|
|
160
|
+
export type AuthStatusMap = Map<AuthProviderId, AuthStatusEntry>;
|
|
161
|
+
/**
|
|
162
|
+
* Provider configuration.
|
|
163
|
+
*/
|
|
164
|
+
export interface ProviderConfig {
|
|
165
|
+
clientId: string;
|
|
166
|
+
clientSecret?: string;
|
|
167
|
+
authorizationEndpoint: string;
|
|
168
|
+
tokenEndpoint: string;
|
|
169
|
+
defaultScopes: string[];
|
|
170
|
+
tokenInjection: TokenInjectionMethod;
|
|
171
|
+
}
|
|
172
|
+
/**
|
|
173
|
+
* Authentication method types.
|
|
174
|
+
* Used for method precedence selection.
|
|
175
|
+
*/
|
|
176
|
+
export type AuthMethodType = 'oauth2' | 'api-key';
|
|
177
|
+
/**
|
|
178
|
+
* Valid authentication method types for runtime validation.
|
|
179
|
+
*/
|
|
180
|
+
export declare const VALID_AUTH_METHOD_TYPES: readonly AuthMethodType[];
|
|
181
|
+
/**
|
|
182
|
+
* Type guard to check if a value is a valid AuthMethodType.
|
|
183
|
+
* @param value - The value to check
|
|
184
|
+
* @returns True if the value is a valid AuthMethodType
|
|
185
|
+
*/
|
|
186
|
+
export declare function isValidAuthMethodType(value: unknown): value is AuthMethodType;
|
|
187
|
+
/**
|
|
188
|
+
* Configuration for authentication method precedence.
|
|
189
|
+
*
|
|
190
|
+
* Defines the order in which authentication methods are attempted.
|
|
191
|
+
* Default precedence: oauth2 > api-key (OAuth preferred when available)
|
|
192
|
+
*
|
|
193
|
+
* Requirements: 3.1, 10.3
|
|
194
|
+
*/
|
|
195
|
+
export interface AuthMethodPrecedenceConfig {
|
|
196
|
+
/**
|
|
197
|
+
* Ordered list of authentication methods by preference.
|
|
198
|
+
* First method in the list has highest priority.
|
|
199
|
+
* Default: ['oauth2', 'api-key']
|
|
200
|
+
*/
|
|
201
|
+
methodPrecedence: AuthMethodType[];
|
|
202
|
+
/**
|
|
203
|
+
* Whether to fail fast when an unsupported method is encountered.
|
|
204
|
+
* If true, throws an error immediately.
|
|
205
|
+
* If false, skips the unsupported method and tries the next one.
|
|
206
|
+
* Default: true
|
|
207
|
+
*/
|
|
208
|
+
failFastOnUnsupported: boolean;
|
|
209
|
+
/**
|
|
210
|
+
* Whether to fail fast when provider ID is ambiguous.
|
|
211
|
+
* Ambiguity occurs when multiple providers could match an agent.
|
|
212
|
+
* If true, throws an error immediately.
|
|
213
|
+
* If false, uses the first matching provider.
|
|
214
|
+
* Default: true
|
|
215
|
+
*/
|
|
216
|
+
failFastOnAmbiguous: boolean;
|
|
217
|
+
}
|
|
218
|
+
/**
|
|
219
|
+
* Default authentication method precedence configuration.
|
|
220
|
+
*
|
|
221
|
+
* OAuth2 is preferred over API keys when both are available.
|
|
222
|
+
* This aligns with Requirement 10.3: prefer OAuth credentials.
|
|
223
|
+
*/
|
|
224
|
+
export declare const DEFAULT_AUTH_METHOD_PRECEDENCE: AuthMethodPrecedenceConfig;
|
|
225
|
+
/**
|
|
226
|
+
* Extended launcher config with auth settings.
|
|
227
|
+
*/
|
|
228
|
+
export interface AuthConfig {
|
|
229
|
+
/** Default auth timeout in seconds */
|
|
230
|
+
authTimeoutSec: number;
|
|
231
|
+
/** Proactive token refresh threshold in seconds */
|
|
232
|
+
tokenRefreshThresholdSec: number;
|
|
233
|
+
/** Preferred storage backend */
|
|
234
|
+
preferredStorageBackend?: StorageBackendType;
|
|
235
|
+
/**
|
|
236
|
+
* Authentication method precedence configuration.
|
|
237
|
+
* Controls which auth method is preferred when multiple are available.
|
|
238
|
+
* Default: oauth2 > api-key
|
|
239
|
+
*/
|
|
240
|
+
methodPrecedence?: Partial<AuthMethodPrecedenceConfig>;
|
|
241
|
+
}
|
|
242
|
+
/**
|
|
243
|
+
* ACP protocol auth method advertisement.
|
|
244
|
+
*/
|
|
245
|
+
export interface AcpAuthMethod {
|
|
246
|
+
id: string;
|
|
247
|
+
type: 'oauth2' | 'api-key';
|
|
248
|
+
providerId?: AuthProviderId;
|
|
249
|
+
}
|
|
250
|
+
/**
|
|
251
|
+
* Valid provider IDs for runtime validation.
|
|
252
|
+
*
|
|
253
|
+
* Note: OpenAI and Anthropic are NOT included - they use API keys, not OAuth.
|
|
254
|
+
* See model-credentials module for API key handling.
|
|
255
|
+
*/
|
|
256
|
+
export declare const VALID_PROVIDER_IDS: readonly AuthProviderId[];
|
|
257
|
+
/**
|
|
258
|
+
* Valid storage backend types for runtime validation.
|
|
259
|
+
*/
|
|
260
|
+
export declare const VALID_STORAGE_BACKENDS: readonly StorageBackendType[];
|
|
261
|
+
/**
|
|
262
|
+
* Valid token status values for runtime validation.
|
|
263
|
+
*/
|
|
264
|
+
export declare const VALID_TOKEN_STATUSES: readonly TokenStatus[];
|
|
265
|
+
/**
|
|
266
|
+
* Valid auth error codes for runtime validation.
|
|
267
|
+
*/
|
|
268
|
+
export declare const VALID_ERROR_CODES: readonly AuthErrorCode[];
|
|
269
|
+
/**
|
|
270
|
+
* Type guard to check if a value is a valid AuthProviderId.
|
|
271
|
+
* @param value - The value to check
|
|
272
|
+
* @returns True if the value is a valid AuthProviderId
|
|
273
|
+
*/
|
|
274
|
+
export declare function isValidProviderId(value: unknown): value is AuthProviderId;
|
|
275
|
+
/**
|
|
276
|
+
* Type guard to check if a value is a valid StorageBackendType.
|
|
277
|
+
* @param value - The value to check
|
|
278
|
+
* @returns True if the value is a valid StorageBackendType
|
|
279
|
+
*/
|
|
280
|
+
export declare function isValidStorageBackend(value: unknown): value is StorageBackendType;
|
|
281
|
+
/**
|
|
282
|
+
* Type guard to check if a value is a valid TokenStatus.
|
|
283
|
+
* @param value - The value to check
|
|
284
|
+
* @returns True if the value is a valid TokenStatus
|
|
285
|
+
*/
|
|
286
|
+
export declare function isValidTokenStatus(value: unknown): value is TokenStatus;
|
|
287
|
+
/**
|
|
288
|
+
* Type guard to check if a value is a valid AuthErrorCode.
|
|
289
|
+
* @param value - The value to check
|
|
290
|
+
* @returns True if the value is a valid AuthErrorCode
|
|
291
|
+
*/
|
|
292
|
+
export declare function isValidErrorCode(value: unknown): value is AuthErrorCode;
|
|
293
|
+
/**
|
|
294
|
+
* Explicit mapping from authMethod.id to AuthProviderId.
|
|
295
|
+
*
|
|
296
|
+
* This mapping table provides a secure, explicit translation from
|
|
297
|
+
* ACP authMethod identifiers to internal provider IDs.
|
|
298
|
+
*
|
|
299
|
+
* SECURITY: No substring or heuristic matching is used.
|
|
300
|
+
* Only exact matches in this table are accepted.
|
|
301
|
+
*
|
|
302
|
+
* Note: OpenAI and Anthropic are NOT included - they use API keys, not OAuth.
|
|
303
|
+
* See model-credentials module for API key handling.
|
|
304
|
+
*
|
|
305
|
+
* Requirements: 7.1, 13.4
|
|
306
|
+
*/
|
|
307
|
+
export declare const AUTH_METHOD_ID_TO_PROVIDER_ID: Readonly<Record<string, AuthProviderId>>;
|
|
308
|
+
/**
|
|
309
|
+
* Valid authMethod.id values for runtime validation.
|
|
310
|
+
*/
|
|
311
|
+
export declare const VALID_AUTH_METHOD_IDS: readonly string[];
|
|
312
|
+
/**
|
|
313
|
+
* Error thrown when an unknown authMethod.id is encountered.
|
|
314
|
+
*
|
|
315
|
+
* Requirements: 13.4
|
|
316
|
+
*/
|
|
317
|
+
export declare class UnknownAuthMethodIdError extends Error {
|
|
318
|
+
readonly code: "UNSUPPORTED_PROVIDER";
|
|
319
|
+
readonly unknownMethodId: string;
|
|
320
|
+
readonly supportedMethodIds: readonly string[];
|
|
321
|
+
readonly supportedProviders: readonly AuthProviderId[];
|
|
322
|
+
constructor(unknownMethodId: string);
|
|
323
|
+
}
|
|
324
|
+
/**
|
|
325
|
+
* Type guard to check if a value is a valid authMethod.id.
|
|
326
|
+
*
|
|
327
|
+
* @param value - The value to check
|
|
328
|
+
* @returns True if the value is a valid authMethod.id
|
|
329
|
+
*/
|
|
330
|
+
export declare function isValidAuthMethodId(value: unknown): value is string;
|
|
331
|
+
/**
|
|
332
|
+
* Resolves an authMethod.id to its corresponding AuthProviderId.
|
|
333
|
+
*
|
|
334
|
+
* This function uses explicit mapping only - no substring matching,
|
|
335
|
+
* no heuristics, no fuzzy matching. This is a security requirement
|
|
336
|
+
* to prevent provider confusion attacks.
|
|
337
|
+
*
|
|
338
|
+
* @param authMethodId - The authMethod.id to resolve
|
|
339
|
+
* @returns The corresponding AuthProviderId
|
|
340
|
+
* @throws UnknownAuthMethodIdError if the authMethod.id is not recognized
|
|
341
|
+
*
|
|
342
|
+
* Requirements: 7.1, 13.4
|
|
343
|
+
*
|
|
344
|
+
* @example
|
|
345
|
+
* ```typescript
|
|
346
|
+
* // Valid mappings
|
|
347
|
+
* resolveAuthMethodIdToProviderId('oauth2-openai'); // returns 'openai'
|
|
348
|
+
* resolveAuthMethodIdToProviderId('oauth2-github'); // returns 'github'
|
|
349
|
+
* resolveAuthMethodIdToProviderId('github'); // returns 'github' (direct)
|
|
350
|
+
*
|
|
351
|
+
* // Invalid - throws UnknownAuthMethodIdError
|
|
352
|
+
* resolveAuthMethodIdToProviderId('oauth2-unknown');
|
|
353
|
+
* resolveAuthMethodIdToProviderId('openai-oauth2'); // wrong format
|
|
354
|
+
* resolveAuthMethodIdToProviderId('OPENAI'); // case sensitive
|
|
355
|
+
* ```
|
|
356
|
+
*/
|
|
357
|
+
export declare function resolveAuthMethodIdToProviderId(authMethodId: string): AuthProviderId;
|
|
358
|
+
/**
|
|
359
|
+
* Safely resolves an authMethod.id to its corresponding AuthProviderId.
|
|
360
|
+
*
|
|
361
|
+
* Unlike `resolveAuthMethodIdToProviderId`, this function returns null
|
|
362
|
+
* instead of throwing an error for unknown method IDs.
|
|
363
|
+
*
|
|
364
|
+
* @param authMethodId - The authMethod.id to resolve
|
|
365
|
+
* @returns The corresponding AuthProviderId, or null if not recognized
|
|
366
|
+
*
|
|
367
|
+
* Requirements: 7.1, 13.4
|
|
368
|
+
*/
|
|
369
|
+
export declare function tryResolveAuthMethodIdToProviderId(authMethodId: string): AuthProviderId | null;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -6,8 +6,8 @@
|
|
|
6
6
|
*
|
|
7
7
|
* @module registry/index
|
|
8
8
|
*/
|
|
9
|
-
import { Registry, RegistryAgent, SpawnCommand } from './types.js';
|
|
10
|
-
export type { Platform, BinaryDistribution, BinaryTarget, NpxDistribution, UvxDistribution, Distribution, RegistryAgent, Registry, SpawnCommand, McpServerConfig, } from './types.js';
|
|
9
|
+
import { AgentAuthMethod, Registry, RegistryAgent, SpawnCommand } from './types.js';
|
|
10
|
+
export type { Platform, BinaryDistribution, BinaryTarget, NpxDistribution, UvxDistribution, Distribution, RegistryAgent, Registry, SpawnCommand, McpServerConfig, AgentAuthMethod, } from './types.js';
|
|
11
11
|
export { PlatformNotSupportedError, NoDistributionError, getCurrentPlatform, resolve } from './resolver.js';
|
|
12
12
|
/**
|
|
13
13
|
* Error thrown when registry fetch fails.
|
|
@@ -30,6 +30,19 @@ export declare class AgentNotFoundError extends Error {
|
|
|
30
30
|
readonly agentId: string;
|
|
31
31
|
constructor(agentId: string);
|
|
32
32
|
}
|
|
33
|
+
/**
|
|
34
|
+
* Cached auth requirements for an agent.
|
|
35
|
+
*
|
|
36
|
+
* Requirements: 11.2, 11.3
|
|
37
|
+
*/
|
|
38
|
+
export interface AgentAuthRequirements {
|
|
39
|
+
/** Whether authentication is required */
|
|
40
|
+
authRequired: boolean;
|
|
41
|
+
/** Authentication methods supported/required by the agent */
|
|
42
|
+
authMethods: AgentAuthMethod[];
|
|
43
|
+
/** Primary OAuth provider ID (first oauth2 method's providerId) */
|
|
44
|
+
primaryOAuthProviderId?: string;
|
|
45
|
+
}
|
|
33
46
|
/**
|
|
34
47
|
* Interface for the RegistryIndex.
|
|
35
48
|
*/
|
|
@@ -51,6 +64,18 @@ export interface IRegistryIndex {
|
|
|
51
64
|
* @throws PlatformNotSupportedError if binary distribution doesn't support current platform
|
|
52
65
|
*/
|
|
53
66
|
resolve(agentId: string): SpawnCommand;
|
|
67
|
+
/**
|
|
68
|
+
* Get auth requirements for an agent.
|
|
69
|
+
*
|
|
70
|
+
* Checks the agent definition in the registry for `authRequired` or `authMethods` fields.
|
|
71
|
+
* Results are cached per agent for efficient repeated lookups.
|
|
72
|
+
*
|
|
73
|
+
* Requirements: 11.2, 11.3
|
|
74
|
+
*
|
|
75
|
+
* @param agentId - Agent ID to query
|
|
76
|
+
* @returns Auth requirements or undefined if agent not found
|
|
77
|
+
*/
|
|
78
|
+
getAuthRequirements(agentId: string): AgentAuthRequirements | undefined;
|
|
54
79
|
}
|
|
55
80
|
/**
|
|
56
81
|
* Parse and validate registry JSON data.
|
|
@@ -72,6 +97,12 @@ export declare class RegistryIndex implements IRegistryIndex {
|
|
|
72
97
|
private registry;
|
|
73
98
|
/** Map of agent ID to agent entry for fast lookup */
|
|
74
99
|
private agentMap;
|
|
100
|
+
/**
|
|
101
|
+
* Cache of auth requirements per agent.
|
|
102
|
+
*
|
|
103
|
+
* Requirements: 11.2, 11.3
|
|
104
|
+
*/
|
|
105
|
+
private authRequirementsCache;
|
|
75
106
|
/**
|
|
76
107
|
* Create a new RegistryIndex.
|
|
77
108
|
*
|
|
@@ -106,6 +137,24 @@ export declare class RegistryIndex implements IRegistryIndex {
|
|
|
106
137
|
* @returns The parsed registry or null if not yet fetched
|
|
107
138
|
*/
|
|
108
139
|
getRegistry(): Registry | null;
|
|
140
|
+
/**
|
|
141
|
+
* Get auth requirements for an agent.
|
|
142
|
+
*
|
|
143
|
+
* Checks the agent definition in the registry for `authRequired` or `authMethods` fields.
|
|
144
|
+
* Results are cached per agent for efficient repeated lookups.
|
|
145
|
+
*
|
|
146
|
+
* Requirements: 11.2, 11.3
|
|
147
|
+
*
|
|
148
|
+
* @param agentId - Agent ID to query
|
|
149
|
+
* @returns Auth requirements or undefined if agent not found
|
|
150
|
+
*/
|
|
151
|
+
getAuthRequirements(agentId: string): AgentAuthRequirements | undefined;
|
|
152
|
+
/**
|
|
153
|
+
* Clear the auth requirements cache for a specific agent or all agents.
|
|
154
|
+
*
|
|
155
|
+
* @param agentId - Optional agent ID to clear. If not provided, clears all cached requirements.
|
|
156
|
+
*/
|
|
157
|
+
clearAuthRequirementsCache(agentId?: string): void;
|
|
109
158
|
/**
|
|
110
159
|
* Merge custom agents into the registry.
|
|
111
160
|
*
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -74,6 +74,18 @@ export interface McpServerConfig {
|
|
|
74
74
|
/** Optional environment variables */
|
|
75
75
|
env?: Record<string, string>;
|
|
76
76
|
}
|
|
77
|
+
/**
|
|
78
|
+
* Authentication method configuration for an agent.
|
|
79
|
+
* Specifies how the agent requires authentication.
|
|
80
|
+
*/
|
|
81
|
+
export interface AgentAuthMethod {
|
|
82
|
+
/** Authentication method identifier (e.g., 'oauth2-openai', 'api-key') */
|
|
83
|
+
id: string;
|
|
84
|
+
/** Authentication type: 'oauth2' for OAuth 2.1, 'api-key' for API key */
|
|
85
|
+
type: 'oauth2' | 'api-key';
|
|
86
|
+
/** OAuth provider identifier (required for oauth2 type) */
|
|
87
|
+
providerId?: string;
|
|
88
|
+
}
|
|
77
89
|
/**
|
|
78
90
|
* Agent entry in the ACP Registry.
|
|
79
91
|
*/
|
|
@@ -98,6 +110,18 @@ export interface RegistryAgent {
|
|
|
98
110
|
distribution: Distribution;
|
|
99
111
|
/** MCP servers to connect when creating a session */
|
|
100
112
|
mcpServers?: McpServerConfig[];
|
|
113
|
+
/**
|
|
114
|
+
* Whether authentication is required for this agent.
|
|
115
|
+
* If true, the agent requires authentication before use.
|
|
116
|
+
* Requirements: 11.2, 11.3
|
|
117
|
+
*/
|
|
118
|
+
authRequired?: boolean;
|
|
119
|
+
/**
|
|
120
|
+
* Authentication methods supported/required by this agent.
|
|
121
|
+
* Specifies OAuth providers or API key requirements.
|
|
122
|
+
* Requirements: 11.2, 11.3
|
|
123
|
+
*/
|
|
124
|
+
authMethods?: AgentAuthMethod[];
|
|
101
125
|
}
|
|
102
126
|
/**
|
|
103
127
|
* Parsed ACP Registry structure.
|