@stdiobus/workers-registry 1.4.14 → 1.5.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (127) hide show
  1. package/README.md +65 -0
  2. package/out/dist/workers-registry/acp-registry/index.js +128 -2
  3. package/out/dist/workers-registry/acp-registry/index.js.map +4 -4
  4. package/out/dist/workers-registry/acp-worker/index.js +1 -3
  5. package/out/dist/workers-registry/acp-worker/index.js.map +4 -4
  6. package/out/dist/workers-registry/index.d.ts +1 -0
  7. package/out/dist/workers-registry/index.js +6 -0
  8. package/out/dist/workers-registry/registry-launcher/index.js +131 -0
  9. package/out/dist/workers-registry/registry-launcher/index.js.map +7 -0
  10. package/out/tsc/workers-registry/acp-worker/src/index.d.ts +0 -10
  11. package/out/tsc/workers-registry/registry-launcher/src/auth/auth-manager.d.ts +392 -0
  12. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/cli.property.test.d.ts +22 -0
  13. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/index.d.ts +9 -0
  14. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/login-command.d.ts +32 -0
  15. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/logout-command.d.ts +25 -0
  16. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/setup-command.d.ts +25 -0
  17. package/out/tsc/workers-registry/registry-launcher/src/auth/cli/status-command.d.ts +21 -0
  18. package/out/tsc/workers-registry/registry-launcher/src/auth/errors.d.ts +190 -0
  19. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/agent-auth-flow.d.ts +146 -0
  20. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/callback-server.d.ts +131 -0
  21. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/callback-server.test.d.ts +1 -0
  22. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/index.d.ts +11 -0
  23. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.d.ts +252 -0
  24. package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.test.d.ts +1 -0
  25. package/out/tsc/workers-registry/registry-launcher/src/auth/index.d.ts +33 -0
  26. package/out/tsc/workers-registry/registry-launcher/src/auth/integration.test.d.ts +1 -0
  27. package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/anthropic-api-key.d.ts +154 -0
  28. package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/index.d.ts +20 -0
  29. package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/model-credentials.test.d.ts +1 -0
  30. package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/openai-api-key.d.ts +182 -0
  31. package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/types.d.ts +186 -0
  32. package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.d.ts +61 -0
  33. package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.property.test.d.ts +1 -0
  34. package/out/tsc/workers-registry/registry-launcher/src/auth/pkce.test.d.ts +1 -0
  35. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/base-provider.d.ts +138 -0
  36. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/base-provider.test.d.ts +1 -0
  37. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/cognito-provider.d.ts +44 -0
  38. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/concrete-providers.test.d.ts +1 -0
  39. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/entra-provider.d.ts +54 -0
  40. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/github-provider.d.ts +19 -0
  41. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/google-provider.d.ts +19 -0
  42. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/index.d.ts +107 -0
  43. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/index.test.d.ts +1 -0
  44. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.d.ts +413 -0
  45. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.property.test.d.ts +1 -0
  46. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/oidc-provider.test.d.ts +1 -0
  47. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/providers.property.test.d.ts +1 -0
  48. package/out/tsc/workers-registry/registry-launcher/src/auth/providers/types.d.ts +28 -0
  49. package/out/tsc/workers-registry/registry-launcher/src/auth/session.d.ts +251 -0
  50. package/out/tsc/workers-registry/registry-launcher/src/auth/session.property.test.d.ts +1 -0
  51. package/out/tsc/workers-registry/registry-launcher/src/auth/session.test.d.ts +1 -0
  52. package/out/tsc/workers-registry/registry-launcher/src/auth/state.d.ts +26 -0
  53. package/out/tsc/workers-registry/registry-launcher/src/auth/state.property.test.d.ts +1 -0
  54. package/out/tsc/workers-registry/registry-launcher/src/auth/state.test.d.ts +1 -0
  55. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/credential-store.d.ts +98 -0
  56. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/credential-store.test.d.ts +1 -0
  57. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/encrypted-file-backend.d.ts +101 -0
  58. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/encrypted-file-backend.test.d.ts +1 -0
  59. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/index.d.ts +12 -0
  60. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/keychain-backend.d.ts +80 -0
  61. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/keychain-backend.test.d.ts +1 -0
  62. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/memory-backend.d.ts +54 -0
  63. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/storage.property.test.d.ts +1 -0
  64. package/out/tsc/workers-registry/registry-launcher/src/auth/storage/types.d.ts +44 -0
  65. package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.d.ts +171 -0
  66. package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.property.test.d.ts +1 -0
  67. package/out/tsc/workers-registry/registry-launcher/src/auth/token-manager.test.d.ts +1 -0
  68. package/out/tsc/workers-registry/registry-launcher/src/auth/types.d.ts +369 -0
  69. package/out/tsc/workers-registry/registry-launcher/src/auth/types.test.d.ts +1 -0
  70. package/out/tsc/workers-registry/registry-launcher/src/config/config.property.test.d.ts +1 -0
  71. package/out/tsc/workers-registry/registry-launcher/src/config/config.test.d.ts +1 -0
  72. package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/index.d.ts +51 -2
  73. package/out/tsc/workers-registry/registry-launcher/src/registry/index.property.test.d.ts +1 -0
  74. package/out/tsc/workers-registry/registry-launcher/src/registry/index.test.d.ts +1 -0
  75. package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/types.d.ts +24 -0
  76. package/out/tsc/workers-registry/registry-launcher/src/router/message-router.d.ts +770 -0
  77. package/out/tsc/workers-registry/registry-launcher/src/router/message-router.property.test.d.ts +1 -0
  78. package/out/tsc/workers-registry/registry-launcher/src/router/message-router.test.d.ts +1 -0
  79. package/out/tsc/workers-registry/registry-launcher/src/runtime/manager.property.test.d.ts +1 -0
  80. package/out/tsc/workers-registry/registry-launcher/src/runtime/manager.test.d.ts +1 -0
  81. package/out/tsc/workers-registry/registry-launcher/src/stream/ndjson-handler.property.test.d.ts +1 -0
  82. package/out/tsc/workers-registry/registry-launcher/src/stream/ndjson-handler.test.d.ts +1 -0
  83. package/out/tsc/workers-registry/registry-launcher/tests/e2e/auth-flow.e2e.test.d.ts +1 -0
  84. package/out/tsc/workers-registry/registry-launcher/tests/e2e/auth-required-flow.e2e.test.d.ts +1 -0
  85. package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/api-keys.d.ts +32 -0
  86. package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/index.d.ts +17 -0
  87. package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/launcher-harness.d.ts +101 -0
  88. package/out/tsc/workers-registry/registry-launcher/tests/e2e/helpers/registry-server.d.ts +46 -0
  89. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-agent-auth.e2e.test.d.ts +1 -0
  90. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-api-keys.e2e.test.d.ts +1 -0
  91. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-auth-required.e2e.test.d.ts +1 -0
  92. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-cli.e2e.test.d.ts +1 -0
  93. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-concurrent.e2e.test.d.ts +1 -0
  94. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-lifecycle.e2e.test.d.ts +1 -0
  95. package/out/tsc/workers-registry/registry-launcher/tests/e2e/production-terminal-auth.e2e.test.d.ts +1 -0
  96. package/out/tsc/workers-registry/registry-launcher/tests/integration/agent-auth.integration.test.d.ts +9 -0
  97. package/out/tsc/workers-registry/registry-launcher/tests/integration/registry-launcher.test.d.ts +1 -0
  98. package/out/tsc/workers-registry/registry-launcher/tests/integration/terminal-auth.integration.test.d.ts +12 -0
  99. package/package.json +15 -11
  100. package/out/tsc/workers-registry/acp-worker/src/registry-launcher/router/message-router.d.ts +0 -199
  101. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/config/config.property.test.d.ts → registry-launcher/src/auth/auth-manager.property.test.d.ts} +0 -0
  102. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/config/config.test.d.ts → registry-launcher/src/auth/auth-manager.test.d.ts} +0 -0
  103. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/registry/index.property.test.d.ts → registry-launcher/src/auth/cli/cli.test.d.ts} +0 -0
  104. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/registry/index.test.d.ts → registry-launcher/src/auth/cli/login-command.test.d.ts} +0 -0
  105. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/router/message-router.property.test.d.ts → registry-launcher/src/auth/cli/provider-config.test.d.ts} +0 -0
  106. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/router/message-router.test.d.ts → registry-launcher/src/auth/cli/setup-command.test.d.ts} +0 -0
  107. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/runtime/manager.property.test.d.ts → registry-launcher/src/auth/cli/status-command.test.d.ts} +0 -0
  108. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/runtime/manager.test.d.ts → registry-launcher/src/auth/errors.property.test.d.ts} +0 -0
  109. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/stream/ndjson-handler.property.test.d.ts → registry-launcher/src/auth/errors.test.d.ts} +0 -0
  110. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher/stream/ndjson-handler.test.d.ts → registry-launcher/src/auth/flows/agent-auth-flow.test.d.ts} +0 -0
  111. /package/out/tsc/workers-registry/{acp-worker/tests/integration/registry-launcher.test.d.ts → registry-launcher/src/auth/flows/callback-server.property.test.d.ts} +0 -0
  112. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/api-keys.d.ts +0 -0
  113. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/config.d.ts +0 -0
  114. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/index.d.ts +0 -0
  115. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/config/types.d.ts +0 -0
  116. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/index.d.ts +0 -0
  117. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/log.d.ts +0 -0
  118. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/log.test.d.ts +0 -0
  119. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/registry/resolver.d.ts +0 -0
  120. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/router/index.d.ts +0 -0
  121. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/agent-runtime.d.ts +0 -0
  122. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/index.d.ts +0 -0
  123. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/manager.d.ts +0 -0
  124. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/runtime/types.d.ts +0 -0
  125. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/stream/index.d.ts +0 -0
  126. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/stream/ndjson-handler.d.ts +0 -0
  127. /package/out/tsc/workers-registry/{acp-worker/src/registry-launcher → registry-launcher/src}/test-utils/index.d.ts +0 -0
@@ -0,0 +1,369 @@
1
+ /**
2
+ * Core type definitions for OAuth 2.1 authentication.
3
+ *
4
+ * @module types
5
+ */
6
+ /**
7
+ * Supported OAuth/OIDC provider identifiers for user identity.
8
+ *
9
+ * Note: OpenAI and Anthropic are NOT public OAuth IdPs for third-party login.
10
+ * They use API keys instead. See ModelProviderId and model-credentials module.
11
+ *
12
+ * Requirements: 7.1, 7a.1
13
+ */
14
+ export type AuthProviderId = 'google' | 'azure' | 'cognito' | 'github' | 'oidc';
15
+ /**
16
+ * Model API providers that use API keys (NOT OAuth).
17
+ *
18
+ * These providers do not offer public OAuth IdP for third-party login.
19
+ * Use API key authentication instead.
20
+ *
21
+ * Requirements: 7b.1, 7b.2
22
+ */
23
+ export type ModelProviderId = 'openai' | 'anthropic';
24
+ /**
25
+ * Storage backend types.
26
+ */
27
+ export type StorageBackendType = 'keychain' | 'encrypted-file' | 'memory';
28
+ /**
29
+ * Token status for a provider.
30
+ */
31
+ export type TokenStatus = 'authenticated' | 'expired' | 'refresh-failed' | 'not-configured';
32
+ /**
33
+ * Authentication error codes.
34
+ */
35
+ export type AuthErrorCode = 'INVALID_STATE' | 'TIMEOUT' | 'NETWORK_ERROR' | 'INVALID_CREDENTIALS' | 'STORAGE_ERROR' | 'PROVIDER_ERROR' | 'UNSUPPORTED_PROVIDER' | 'CALLBACK_ERROR' | 'TOKEN_REFRESH_FAILED' | 'HEADLESS_ENVIRONMENT';
36
+ /**
37
+ * OAuth token response from provider.
38
+ */
39
+ export interface TokenResponse {
40
+ accessToken: string;
41
+ tokenType: string;
42
+ expiresIn?: number;
43
+ refreshToken?: string;
44
+ scope?: string;
45
+ idToken?: string;
46
+ }
47
+ /**
48
+ * Token injection method for agent requests.
49
+ */
50
+ export interface TokenInjectionMethod {
51
+ type: 'header' | 'query' | 'body';
52
+ key: string;
53
+ format?: string;
54
+ }
55
+ /**
56
+ * Custom provider endpoints (for Cognito/Azure).
57
+ */
58
+ export interface ProviderEndpoints {
59
+ authorizationEndpoint: string;
60
+ tokenEndpoint: string;
61
+ userInfoEndpoint?: string;
62
+ }
63
+ /**
64
+ * Stored credentials in credential store.
65
+ */
66
+ export interface StoredCredentials {
67
+ providerId: AuthProviderId;
68
+ accessToken: string;
69
+ refreshToken?: string;
70
+ expiresAt?: number;
71
+ scope?: string;
72
+ clientId?: string;
73
+ clientSecret?: string;
74
+ customEndpoints?: ProviderEndpoints;
75
+ storedAt: number;
76
+ }
77
+ /**
78
+ * Authorization parameters for building auth URL.
79
+ */
80
+ export interface AuthorizationParams {
81
+ clientId: string;
82
+ redirectUri: string;
83
+ scope: string;
84
+ state: string;
85
+ codeChallenge: string;
86
+ codeChallengeMethod: 'S256';
87
+ responseType: 'code';
88
+ additionalParams?: Record<string, string>;
89
+ }
90
+ /**
91
+ * Successful callback result from OAuth redirect.
92
+ */
93
+ export interface CallbackSuccess {
94
+ success: true;
95
+ code: string;
96
+ state: string;
97
+ }
98
+ /**
99
+ * Error callback result from OAuth redirect.
100
+ */
101
+ export interface CallbackErrorResult {
102
+ success: false;
103
+ error: string;
104
+ errorDescription?: string;
105
+ state?: string;
106
+ }
107
+ /**
108
+ * Callback result from OAuth redirect (discriminated union).
109
+ * OAuth error redirects may not include 'code', only 'error'.
110
+ */
111
+ export type CallbackResult = CallbackSuccess | CallbackErrorResult;
112
+ /**
113
+ * Agent auth flow options.
114
+ */
115
+ export interface AgentAuthOptions {
116
+ timeoutMs?: number;
117
+ scopes?: string[];
118
+ clientId?: string;
119
+ }
120
+ /**
121
+ * Authentication error with details.
122
+ */
123
+ export interface AuthError {
124
+ code: AuthErrorCode;
125
+ message: string;
126
+ details?: Record<string, unknown>;
127
+ }
128
+ /**
129
+ * Successful authentication result.
130
+ */
131
+ export interface AuthResultSuccess {
132
+ success: true;
133
+ providerId: AuthProviderId;
134
+ }
135
+ /**
136
+ * Failed authentication result.
137
+ */
138
+ export interface AuthResultFailure {
139
+ success: false;
140
+ providerId: AuthProviderId;
141
+ error: AuthError;
142
+ }
143
+ /**
144
+ * Authentication result (discriminated union).
145
+ */
146
+ export type AuthResult = AuthResultSuccess | AuthResultFailure;
147
+ /**
148
+ * Auth status for display.
149
+ */
150
+ export interface AuthStatusEntry {
151
+ providerId: AuthProviderId;
152
+ status: TokenStatus;
153
+ expiresAt?: number;
154
+ scope?: string;
155
+ lastRefresh?: number;
156
+ }
157
+ /**
158
+ * Map of provider IDs to their auth status.
159
+ */
160
+ export type AuthStatusMap = Map<AuthProviderId, AuthStatusEntry>;
161
+ /**
162
+ * Provider configuration.
163
+ */
164
+ export interface ProviderConfig {
165
+ clientId: string;
166
+ clientSecret?: string;
167
+ authorizationEndpoint: string;
168
+ tokenEndpoint: string;
169
+ defaultScopes: string[];
170
+ tokenInjection: TokenInjectionMethod;
171
+ }
172
+ /**
173
+ * Authentication method types.
174
+ * Used for method precedence selection.
175
+ */
176
+ export type AuthMethodType = 'oauth2' | 'api-key';
177
+ /**
178
+ * Valid authentication method types for runtime validation.
179
+ */
180
+ export declare const VALID_AUTH_METHOD_TYPES: readonly AuthMethodType[];
181
+ /**
182
+ * Type guard to check if a value is a valid AuthMethodType.
183
+ * @param value - The value to check
184
+ * @returns True if the value is a valid AuthMethodType
185
+ */
186
+ export declare function isValidAuthMethodType(value: unknown): value is AuthMethodType;
187
+ /**
188
+ * Configuration for authentication method precedence.
189
+ *
190
+ * Defines the order in which authentication methods are attempted.
191
+ * Default precedence: oauth2 > api-key (OAuth preferred when available)
192
+ *
193
+ * Requirements: 3.1, 10.3
194
+ */
195
+ export interface AuthMethodPrecedenceConfig {
196
+ /**
197
+ * Ordered list of authentication methods by preference.
198
+ * First method in the list has highest priority.
199
+ * Default: ['oauth2', 'api-key']
200
+ */
201
+ methodPrecedence: AuthMethodType[];
202
+ /**
203
+ * Whether to fail fast when an unsupported method is encountered.
204
+ * If true, throws an error immediately.
205
+ * If false, skips the unsupported method and tries the next one.
206
+ * Default: true
207
+ */
208
+ failFastOnUnsupported: boolean;
209
+ /**
210
+ * Whether to fail fast when provider ID is ambiguous.
211
+ * Ambiguity occurs when multiple providers could match an agent.
212
+ * If true, throws an error immediately.
213
+ * If false, uses the first matching provider.
214
+ * Default: true
215
+ */
216
+ failFastOnAmbiguous: boolean;
217
+ }
218
+ /**
219
+ * Default authentication method precedence configuration.
220
+ *
221
+ * OAuth2 is preferred over API keys when both are available.
222
+ * This aligns with Requirement 10.3: prefer OAuth credentials.
223
+ */
224
+ export declare const DEFAULT_AUTH_METHOD_PRECEDENCE: AuthMethodPrecedenceConfig;
225
+ /**
226
+ * Extended launcher config with auth settings.
227
+ */
228
+ export interface AuthConfig {
229
+ /** Default auth timeout in seconds */
230
+ authTimeoutSec: number;
231
+ /** Proactive token refresh threshold in seconds */
232
+ tokenRefreshThresholdSec: number;
233
+ /** Preferred storage backend */
234
+ preferredStorageBackend?: StorageBackendType;
235
+ /**
236
+ * Authentication method precedence configuration.
237
+ * Controls which auth method is preferred when multiple are available.
238
+ * Default: oauth2 > api-key
239
+ */
240
+ methodPrecedence?: Partial<AuthMethodPrecedenceConfig>;
241
+ }
242
+ /**
243
+ * ACP protocol auth method advertisement.
244
+ */
245
+ export interface AcpAuthMethod {
246
+ id: string;
247
+ type: 'oauth2' | 'api-key';
248
+ providerId?: AuthProviderId;
249
+ }
250
+ /**
251
+ * Valid provider IDs for runtime validation.
252
+ *
253
+ * Note: OpenAI and Anthropic are NOT included - they use API keys, not OAuth.
254
+ * See model-credentials module for API key handling.
255
+ */
256
+ export declare const VALID_PROVIDER_IDS: readonly AuthProviderId[];
257
+ /**
258
+ * Valid storage backend types for runtime validation.
259
+ */
260
+ export declare const VALID_STORAGE_BACKENDS: readonly StorageBackendType[];
261
+ /**
262
+ * Valid token status values for runtime validation.
263
+ */
264
+ export declare const VALID_TOKEN_STATUSES: readonly TokenStatus[];
265
+ /**
266
+ * Valid auth error codes for runtime validation.
267
+ */
268
+ export declare const VALID_ERROR_CODES: readonly AuthErrorCode[];
269
+ /**
270
+ * Type guard to check if a value is a valid AuthProviderId.
271
+ * @param value - The value to check
272
+ * @returns True if the value is a valid AuthProviderId
273
+ */
274
+ export declare function isValidProviderId(value: unknown): value is AuthProviderId;
275
+ /**
276
+ * Type guard to check if a value is a valid StorageBackendType.
277
+ * @param value - The value to check
278
+ * @returns True if the value is a valid StorageBackendType
279
+ */
280
+ export declare function isValidStorageBackend(value: unknown): value is StorageBackendType;
281
+ /**
282
+ * Type guard to check if a value is a valid TokenStatus.
283
+ * @param value - The value to check
284
+ * @returns True if the value is a valid TokenStatus
285
+ */
286
+ export declare function isValidTokenStatus(value: unknown): value is TokenStatus;
287
+ /**
288
+ * Type guard to check if a value is a valid AuthErrorCode.
289
+ * @param value - The value to check
290
+ * @returns True if the value is a valid AuthErrorCode
291
+ */
292
+ export declare function isValidErrorCode(value: unknown): value is AuthErrorCode;
293
+ /**
294
+ * Explicit mapping from authMethod.id to AuthProviderId.
295
+ *
296
+ * This mapping table provides a secure, explicit translation from
297
+ * ACP authMethod identifiers to internal provider IDs.
298
+ *
299
+ * SECURITY: No substring or heuristic matching is used.
300
+ * Only exact matches in this table are accepted.
301
+ *
302
+ * Note: OpenAI and Anthropic are NOT included - they use API keys, not OAuth.
303
+ * See model-credentials module for API key handling.
304
+ *
305
+ * Requirements: 7.1, 13.4
306
+ */
307
+ export declare const AUTH_METHOD_ID_TO_PROVIDER_ID: Readonly<Record<string, AuthProviderId>>;
308
+ /**
309
+ * Valid authMethod.id values for runtime validation.
310
+ */
311
+ export declare const VALID_AUTH_METHOD_IDS: readonly string[];
312
+ /**
313
+ * Error thrown when an unknown authMethod.id is encountered.
314
+ *
315
+ * Requirements: 13.4
316
+ */
317
+ export declare class UnknownAuthMethodIdError extends Error {
318
+ readonly code: "UNSUPPORTED_PROVIDER";
319
+ readonly unknownMethodId: string;
320
+ readonly supportedMethodIds: readonly string[];
321
+ readonly supportedProviders: readonly AuthProviderId[];
322
+ constructor(unknownMethodId: string);
323
+ }
324
+ /**
325
+ * Type guard to check if a value is a valid authMethod.id.
326
+ *
327
+ * @param value - The value to check
328
+ * @returns True if the value is a valid authMethod.id
329
+ */
330
+ export declare function isValidAuthMethodId(value: unknown): value is string;
331
+ /**
332
+ * Resolves an authMethod.id to its corresponding AuthProviderId.
333
+ *
334
+ * This function uses explicit mapping only - no substring matching,
335
+ * no heuristics, no fuzzy matching. This is a security requirement
336
+ * to prevent provider confusion attacks.
337
+ *
338
+ * @param authMethodId - The authMethod.id to resolve
339
+ * @returns The corresponding AuthProviderId
340
+ * @throws UnknownAuthMethodIdError if the authMethod.id is not recognized
341
+ *
342
+ * Requirements: 7.1, 13.4
343
+ *
344
+ * @example
345
+ * ```typescript
346
+ * // Valid mappings
347
+ * resolveAuthMethodIdToProviderId('oauth2-openai'); // returns 'openai'
348
+ * resolveAuthMethodIdToProviderId('oauth2-github'); // returns 'github'
349
+ * resolveAuthMethodIdToProviderId('github'); // returns 'github' (direct)
350
+ *
351
+ * // Invalid - throws UnknownAuthMethodIdError
352
+ * resolveAuthMethodIdToProviderId('oauth2-unknown');
353
+ * resolveAuthMethodIdToProviderId('openai-oauth2'); // wrong format
354
+ * resolveAuthMethodIdToProviderId('OPENAI'); // case sensitive
355
+ * ```
356
+ */
357
+ export declare function resolveAuthMethodIdToProviderId(authMethodId: string): AuthProviderId;
358
+ /**
359
+ * Safely resolves an authMethod.id to its corresponding AuthProviderId.
360
+ *
361
+ * Unlike `resolveAuthMethodIdToProviderId`, this function returns null
362
+ * instead of throwing an error for unknown method IDs.
363
+ *
364
+ * @param authMethodId - The authMethod.id to resolve
365
+ * @returns The corresponding AuthProviderId, or null if not recognized
366
+ *
367
+ * Requirements: 7.1, 13.4
368
+ */
369
+ export declare function tryResolveAuthMethodIdToProviderId(authMethodId: string): AuthProviderId | null;
@@ -6,8 +6,8 @@
6
6
  *
7
7
  * @module registry/index
8
8
  */
9
- import { Registry, RegistryAgent, SpawnCommand } from './types.js';
10
- export type { Platform, BinaryDistribution, BinaryTarget, NpxDistribution, UvxDistribution, Distribution, RegistryAgent, Registry, SpawnCommand, McpServerConfig, } from './types.js';
9
+ import { AgentAuthMethod, Registry, RegistryAgent, SpawnCommand } from './types.js';
10
+ export type { Platform, BinaryDistribution, BinaryTarget, NpxDistribution, UvxDistribution, Distribution, RegistryAgent, Registry, SpawnCommand, McpServerConfig, AgentAuthMethod, } from './types.js';
11
11
  export { PlatformNotSupportedError, NoDistributionError, getCurrentPlatform, resolve } from './resolver.js';
12
12
  /**
13
13
  * Error thrown when registry fetch fails.
@@ -30,6 +30,19 @@ export declare class AgentNotFoundError extends Error {
30
30
  readonly agentId: string;
31
31
  constructor(agentId: string);
32
32
  }
33
+ /**
34
+ * Cached auth requirements for an agent.
35
+ *
36
+ * Requirements: 11.2, 11.3
37
+ */
38
+ export interface AgentAuthRequirements {
39
+ /** Whether authentication is required */
40
+ authRequired: boolean;
41
+ /** Authentication methods supported/required by the agent */
42
+ authMethods: AgentAuthMethod[];
43
+ /** Primary OAuth provider ID (first oauth2 method's providerId) */
44
+ primaryOAuthProviderId?: string;
45
+ }
33
46
  /**
34
47
  * Interface for the RegistryIndex.
35
48
  */
@@ -51,6 +64,18 @@ export interface IRegistryIndex {
51
64
  * @throws PlatformNotSupportedError if binary distribution doesn't support current platform
52
65
  */
53
66
  resolve(agentId: string): SpawnCommand;
67
+ /**
68
+ * Get auth requirements for an agent.
69
+ *
70
+ * Checks the agent definition in the registry for `authRequired` or `authMethods` fields.
71
+ * Results are cached per agent for efficient repeated lookups.
72
+ *
73
+ * Requirements: 11.2, 11.3
74
+ *
75
+ * @param agentId - Agent ID to query
76
+ * @returns Auth requirements or undefined if agent not found
77
+ */
78
+ getAuthRequirements(agentId: string): AgentAuthRequirements | undefined;
54
79
  }
55
80
  /**
56
81
  * Parse and validate registry JSON data.
@@ -72,6 +97,12 @@ export declare class RegistryIndex implements IRegistryIndex {
72
97
  private registry;
73
98
  /** Map of agent ID to agent entry for fast lookup */
74
99
  private agentMap;
100
+ /**
101
+ * Cache of auth requirements per agent.
102
+ *
103
+ * Requirements: 11.2, 11.3
104
+ */
105
+ private authRequirementsCache;
75
106
  /**
76
107
  * Create a new RegistryIndex.
77
108
  *
@@ -106,6 +137,24 @@ export declare class RegistryIndex implements IRegistryIndex {
106
137
  * @returns The parsed registry or null if not yet fetched
107
138
  */
108
139
  getRegistry(): Registry | null;
140
+ /**
141
+ * Get auth requirements for an agent.
142
+ *
143
+ * Checks the agent definition in the registry for `authRequired` or `authMethods` fields.
144
+ * Results are cached per agent for efficient repeated lookups.
145
+ *
146
+ * Requirements: 11.2, 11.3
147
+ *
148
+ * @param agentId - Agent ID to query
149
+ * @returns Auth requirements or undefined if agent not found
150
+ */
151
+ getAuthRequirements(agentId: string): AgentAuthRequirements | undefined;
152
+ /**
153
+ * Clear the auth requirements cache for a specific agent or all agents.
154
+ *
155
+ * @param agentId - Optional agent ID to clear. If not provided, clears all cached requirements.
156
+ */
157
+ clearAuthRequirementsCache(agentId?: string): void;
109
158
  /**
110
159
  * Merge custom agents into the registry.
111
160
  *
@@ -74,6 +74,18 @@ export interface McpServerConfig {
74
74
  /** Optional environment variables */
75
75
  env?: Record<string, string>;
76
76
  }
77
+ /**
78
+ * Authentication method configuration for an agent.
79
+ * Specifies how the agent requires authentication.
80
+ */
81
+ export interface AgentAuthMethod {
82
+ /** Authentication method identifier (e.g., 'oauth2-openai', 'api-key') */
83
+ id: string;
84
+ /** Authentication type: 'oauth2' for OAuth 2.1, 'api-key' for API key */
85
+ type: 'oauth2' | 'api-key';
86
+ /** OAuth provider identifier (required for oauth2 type) */
87
+ providerId?: string;
88
+ }
77
89
  /**
78
90
  * Agent entry in the ACP Registry.
79
91
  */
@@ -98,6 +110,18 @@ export interface RegistryAgent {
98
110
  distribution: Distribution;
99
111
  /** MCP servers to connect when creating a session */
100
112
  mcpServers?: McpServerConfig[];
113
+ /**
114
+ * Whether authentication is required for this agent.
115
+ * If true, the agent requires authentication before use.
116
+ * Requirements: 11.2, 11.3
117
+ */
118
+ authRequired?: boolean;
119
+ /**
120
+ * Authentication methods supported/required by this agent.
121
+ * Specifies OAuth providers or API key requirements.
122
+ * Requirements: 11.2, 11.3
123
+ */
124
+ authMethods?: AgentAuthMethod[];
101
125
  }
102
126
  /**
103
127
  * Parsed ACP Registry structure.