@stdiobus/workers-registry 1.4.14 → 1.5.0-beta.2

package/out/tsc/workers-registry/acp-worker/src/index.d.ts

@@ -1,14 +1,4 @@
-export type { Platform, BinaryTarget, BinaryDistribution, NpxDistribution, UvxDistribution, Distribution, RegistryAgent, Registry, SpawnCommand, } from './registry-launcher/registry/types.js';
-export type { RegistryIndex, IRegistryIndex, } from './registry-launcher/registry/index.js';
 export { ACPAgent } from './agent.js';
-export { PlatformNotSupportedError, NoDistributionError, getCurrentPlatform, resolve, resolveBinary, resolveNpx, resolveUvx, } from './registry-launcher/registry/resolver.js';
-export { AgentRuntimeManager } from './registry-launcher/runtime/manager.js';
-export { AgentRuntimeImpl } from './registry-launcher/runtime/agent-runtime.js';
-export type { RuntimeState, AgentRuntime } from './registry-launcher/runtime/types.js';
-export { NDJSONHandler, INDJSONHandler, ErrorCallback, MessageCallback, } from './registry-launcher/stream/ndjson-handler.js';
-export { MessageRouter, createErrorResponse, ErrorResponse, RoutingErrorCodes, transformMessage, extractAgentId, extractId, WriteCallback, } from './registry-launcher/router/message-router.js';
-export { loadConfig } from './registry-launcher/config/config.js';
-export type { DEFAULT_CONFIG, LauncherConfig, } from './registry-launcher/config/types.js';
 export { MCPManager, MCPConnection, MCPFactories } from './mcp/manager.js';
 export type { MCPServerConfig, MCPContent, MCPImageContent, MCPBlobResourceContents, MCPEmbeddedResource, MCPResource, MCPTextContent, MCPResourceContents, MCPTextResourceContents, MCPTool, MCPToolCallResult, MCPResourceReadResult, } from './mcp/types.js';
 export { canReadFile, canWriteFile, FileReadResult, FileWriteResult, readFile, canUseTerminal, TerminalResult, writeFile, executeCommand, startCommand, } from './acp/client-capabilities.js';

package/out/tsc/workers-registry/registry-launcher/src/auth/auth-manager.d.ts

@@ -0,0 +1,392 @@
+/**
+ * Main orchestrator for OAuth authentication and model credentials.
+ *
+ * Coordinates providers, flows, storage, and token management.
+ * Clearly separates user identity (OAuth/OIDC) from upstream model credentials (API keys).
+ *
+ * Requirements: 3.1, 4.1, 7b.3, 10.3, 11.4
+ *
+ * @module auth-manager
+ */
+import type { AgentApiKeys } from '../config/api-keys.js';
+import type { ICredentialStore } from './storage/types.js';
+import type { ITokenManager } from './token-manager.js';
+import type { IAuthProvider } from './providers/types.js';
+import type { AuthProviderId, AuthResult, AuthStatusMap, AgentAuthOptions, AuthMethodType, AuthMethodPrecedenceConfig } from './types.js';
+import type { ModelProviderId, ModelCredentialResult, ModelCredentialStatusMap } from './model-credentials/index.js';
+import type { IModelCredentialStorage } from './model-credentials/openai-api-key.js';
+/**
+ * Marker token used to indicate client credentials are configured but not authenticated.
+ * This token should NEVER be sent in actual requests.
+ */
+export declare const CLIENT_CREDENTIALS_MARKER = "__CLIENT_CREDENTIALS_CONFIGURED__";
+/**
+ * Check if a token is the client credentials marker (not a real token).
+ * @param token - The token to check
+ * @returns True if the token is the marker
+ */
+export declare function isMarkerToken(token: string | null | undefined): boolean;
+/**
+ * Options for creating an AuthManager.
+ */
+export interface AuthManagerOptions {
+    /** Credential store for persisting OAuth credentials */
+    credentialStore: ICredentialStore;
+    /** Token manager for token lifecycle management */
+    tokenManager: ITokenManager;
+    /** Legacy API keys from api-keys.json */
+    legacyApiKeys: Record<string, AgentApiKeys>;
+    /** Optional custom provider resolver (for testing) */
+    providerResolver?: (providerId: AuthProviderId) => IAuthProvider;
+    /**
+     * Authentication method precedence configuration.
+     * Controls which auth method is preferred when multiple are available.
+     * Default: oauth2 > api-key (OAuth preferred when available)
+     *
+     * Requirements: 3.1, 10.3
+     */
+    methodPrecedence?: Partial<AuthMethodPrecedenceConfig>;
+    /**
+     * Optional model credential storage for API key management.
+     * When provided, enables getModelCredential() and related methods.
+     *
+     * Requirements: 7b.3, 7b.4
+     */
+    modelCredentialStorage?: IModelCredentialStorage;
+}
+/**
+ * Result of authentication method selection.
+ */
+export interface AuthMethodSelectionResult {
+    /** The selected authentication method type */
+    methodType: AuthMethodType;
+    /** The provider ID to use (for oauth2) */
+    providerId?: AuthProviderId;
+    /** Whether a valid credential was found */
+    hasCredential: boolean;
+    /** Error message if selection failed */
+    error?: string;
+}
+/**
+ * Error thrown when authentication method selection fails.
+ */
+export declare class AuthMethodSelectionError extends Error {
+    readonly code: 'UNSUPPORTED_METHOD' | 'AMBIGUOUS_PROVIDER' | 'NO_CREDENTIALS';
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: 'UNSUPPORTED_METHOD' | 'AMBIGUOUS_PROVIDER' | 'NO_CREDENTIALS', details?: Record<string, unknown> | undefined);
+}
+/**
+ * Main orchestrator for OAuth authentication and model credentials.
+ * Coordinates providers, flows, storage, and token management.
+ *
+ * This class clearly separates:
+ * - User identity (OAuth/OIDC): getTokenForAgent(), authenticateAgent()
+ * - Model API access (API Keys): getModelCredential(), injectModelAuth()
+ *
+ * Responsibilities:
+ * - Orchestrate agent auth flow (browser-based OAuth 2.1 with PKCE)
+ * - Orchestrate terminal auth flow (interactive CLI setup)
+ * - Manage credential precedence (OAuth over legacy api-keys.json)
+ * - Inject authentication into agent requests
+ * - Report authentication status
+ * - Handle logout operations
+ * - Manage model API credentials (OpenAI, Anthropic)
+ *
+ * Method Precedence Strategy (Requirements 3.1, 10.3):
+ * - Default precedence: oauth2 > api-key (OAuth preferred when available)
+ * - Configurable via AuthConfig.methodPrecedence
+ * - Fail-fast on unsupported or ambiguous providerId (configurable)
+ *
+ * Requirements: 3.1, 4.1, 7b.3, 10.3, 11.4
+ */
+export declare class AuthManager {
+    private readonly credentialStore;
+    private readonly tokenManager;
+    private readonly legacyApiKeys;
+    private readonly providerResolver;
+    private readonly methodPrecedenceConfig;
+    /**
+     * Model credential handlers for API key management.
+     * These are separate from OAuth providers - they handle API keys for model providers.
+     *
+     * Requirements: 7b.3
+     */
+    private readonly openAIHandler?;
+    private readonly anthropicHandler?;
+    /**
+     * Tracks in-flight authentication flows per provider.
+     * Used to implement single-flight pattern: concurrent auth requests for the same
+     * provider share the same Promise and receive the same result.
+     *
+     * Requirements: 3.1, 6.5
+     */
+    private readonly inFlightAuthFlows;
+    /**
+     * Create a new AuthManager.
+     *
+     * @param options - Configuration options
+     */
+    constructor(options: AuthManagerOptions);
+    /**
+     * Create a new AuthManager (legacy constructor signature).
+     *
+     * @param credentialStore - Credential store for persisting OAuth credentials
+     * @param tokenManager - Token manager for token lifecycle management
+     * @param legacyApiKeys - Legacy API keys from api-keys.json
+     */
+    constructor(credentialStore: ICredentialStore, tokenManager: ITokenManager, legacyApiKeys: Record<string, AgentApiKeys>);
+    /**
+     * Type guard to check if the argument is AuthManagerOptions.
+     */
+    private isAuthManagerOptions;
+    /**
+     * Authenticate with a provider using agent auth flow.
+     *
+     * Initiates the OAuth 2.1 Authorization Code flow with PKCE.
+     * Opens the system browser for user authentication.
+     *
+     * Implements single-flight pattern: if an auth flow is already in progress
+     * for the same provider, subsequent callers wait for and share the same result.
+     * This prevents multiple simultaneous browser flows for the same provider.
+     *
+     * Requirement 3.1: Initiate OAuth 2.1 Authorization Code flow with PKCE
+     * Requirement 6.5: Concurrent auth requests share the same flow
+     *
+     * @param providerId - The provider to authenticate with
+     * @param options - Optional flow configuration
+     * @returns Authentication result indicating success or failure
+     */
+    authenticateAgent(providerId: AuthProviderId, options?: AgentAuthOptions): Promise<AuthResult>;
+    /**
+     * Execute the actual OAuth authentication flow.
+     *
+     * This is the internal implementation that performs the browser-based
+     * OAuth 2.1 Authorization Code flow with PKCE.
+     *
+     * @param providerId - The provider to authenticate with
+     * @param options - Optional flow configuration
+     * @returns Authentication result indicating success or failure
+     */
+    private executeAuthFlow;
+    /**
+     * Run interactive terminal setup for a provider.
+     *
+     * Starts the Setup_Wizard interactive flow for configuring
+     * OAuth credentials in headless environments.
+     *
+     * Requirement 4.1: Start Setup_Wizard interactive flow
+     *
+     * @param providerId - The provider to set up
+     * @returns Authentication result indicating success or failure
+     */
+    setupTerminal(providerId: AuthProviderId): Promise<AuthResult>;
+    /**
+     * Validate credentials collected during terminal auth flow.
+     *
+     * Note: Terminal auth flow stores client credentials for later use.
+     * The actual token exchange happens when the credentials are used.
+     * This validation ensures the credentials are properly formatted.
+     *
+     * @param providerId - The provider to validate against
+     * @param credentials - The collected credentials
+     * @returns Validation result with status indicator
+     */
+    private validateTerminalCredentials;
+    /**
+     * Get access token for an agent, preferring OAuth over legacy.
+     *
+     * Requirement 10.3: Prefer OAuth credentials over legacy api-keys.json
+     *
+     * Security: When providerId is specified, ONLY that provider is used.
+     * No fallback to other providers to prevent credential confusion.
+     *
+     * @param agentId - The agent identifier
+     * @param providerId - Optional provider to get token from (strict binding when specified)
+     * @returns Access token or null if not available
+     */
+    getTokenForAgent(agentId: string, providerId?: AuthProviderId): Promise<string | null>;
+    /**
+     * Inject authentication into an agent request.
+     *
+     * Requirement 11.4: Inject access token according to provider's token injection method
+     *
+     * Security: Uses strict provider binding based on agent ID to prevent
+     * credential confusion between different services.
+     *
+     * @param agentId - The agent identifier
+     * @param request - The request object to inject auth into
+     * @returns The request object with authentication injected
+     */
+    injectAuth(agentId: string, request: object): Promise<object>;
+    /**
+     * Validate token injection configuration.
+     * Prevents header injection attacks and unsafe configurations.
+     *
+     * @param injection - The injection configuration to validate
+     * @returns Error message if invalid, null if valid
+     */
+    private validateInjectionConfig;
+    /**
+     * Apply token injection to a request object.
+     *
+     * @param request - The request object
+     * @param token - The access token
+     * @param injection - The injection method
+     * @returns The modified request object, or null if injection failed
+     */
+    private applyTokenInjection;
+    /**
+     * Get authentication status for all providers.
+     *
+     * @returns Map of provider IDs to their authentication status
+     */
+    getStatus(): Promise<AuthStatusMap>;
+    /**
+     * Logout from a specific provider or all providers.
+     *
+     * Note: This clears OAuth credentials only. Legacy API keys from api-keys.json
+     * are managed separately and are not affected by logout.
+     *
+     * @param providerId - Optional provider to logout from (all OAuth providers if not specified)
+     * @throws Error if an invalid provider ID is specified
+     */
+    logout(providerId?: AuthProviderId): Promise<void>;
+    /**
+     * Check if re-authentication is required for a provider.
+     *
+     * @param providerId - The provider to check
+     * @returns True if re-authentication is required
+     */
+    requiresReauth(providerId: AuthProviderId): Promise<boolean>;
+    /**
+     * Get the provider for a given agent ID.
+     *
+     * Maps agent IDs to their OAuth providers based on keyword matching.
+     *
+     * WARNING: This is a heuristic-based mapping using keyword matching.
+     * Agent IDs with ambiguous names (e.g., containing multiple provider keywords)
+     * may be mapped to unexpected providers. For production use, consider
+     * implementing explicit agent-to-provider configuration.
+     *
+     * @param agentId - The agent identifier
+     * @returns The provider ID or undefined if not mapped
+     */
+    getProviderForAgent(agentId: string): AuthProviderId | undefined;
+    /**
+     * Get API key credential for a model provider.
+     *
+     * This method is for retrieving API keys for upstream model providers
+     * (OpenAI, Anthropic). These providers do NOT offer public OAuth IdP
+     * for third-party login - they use API keys instead.
+     *
+     * This is clearly separated from getTokenForAgent() which handles
+     * OAuth tokens for user identity providers.
+     *
+     * Requirements: 7b.1, 7b.3
+     *
+     * @param providerId - The model provider ID ('openai' or 'anthropic')
+     * @returns The model credential result with API key if found
+     */
+    getModelCredential(providerId: ModelProviderId): Promise<ModelCredentialResult>;
+    /**
+     * Check if a model credential is configured for a provider.
+     *
+     * Requirements: 7b.3
+     *
+     * @param providerId - The model provider ID ('openai' or 'anthropic')
+     * @returns True if an API key is configured for the provider
+     */
+    hasModelCredential(providerId: ModelProviderId): Promise<boolean>;
+    /**
+     * Get the status of all model credentials.
+     *
+     * Requirements: 7b.3
+     *
+     * @returns Map of model provider IDs to their credential status
+     */
+    getModelCredentialStatus(): Promise<ModelCredentialStatusMap>;
+    /**
+     * Inject model API key into a request.
+     *
+     * This method injects API keys for model providers (OpenAI, Anthropic)
+     * according to their documented injection method:
+     * - OpenAI: Authorization header with Bearer token
+     * - Anthropic: x-api-key header with raw key
+     *
+     * This is clearly separated from injectAuth() which handles OAuth tokens.
+     *
+     * Requirements: 7b.3, 7b.5
+     *
+     * @param providerId - The model provider ID ('openai' or 'anthropic')
+     * @param request - The request object to inject auth into
+     * @returns The request object with API key injected, or original if not available
+     */
+    injectModelAuth(providerId: ModelProviderId, request: object): Promise<object>;
+    /**
+     * Get the model provider for a given agent ID.
+     *
+     * Maps agent IDs to their model providers based on keyword matching.
+     * This is separate from getProviderForAgent() which maps to OAuth providers.
+     *
+     * Requirements: 7b.3
+     *
+     * @param agentId - The agent identifier
+     * @returns The model provider ID or undefined if not mapped
+     */
+    getModelProviderForAgent(agentId: string): ModelProviderId | undefined;
+    /**
+     * Get the appropriate model credential handler for a provider.
+     *
+     * @param providerId - The model provider ID
+     * @returns The handler or undefined if not available
+     */
+    private getModelCredentialHandler;
+    /**
+     * Select the best authentication method for an agent based on precedence configuration.
+     *
+     * Method Precedence Strategy (Requirements 3.1, 10.3):
+     * - Default precedence: oauth2 > api-key (OAuth preferred when available)
+     * - Iterates through methods in precedence order
+     * - Returns the first method with available credentials
+     * - Fail-fast on unsupported or ambiguous providerId (configurable)
+     *
+     * @param agentId - The agent identifier
+     * @param availableMethods - Optional list of methods the agent supports (from authMethods)
+     * @param providerId - Optional explicit provider ID (strict binding when specified)
+     * @returns Selection result with method type, provider, and credential availability
+     * @throws AuthMethodSelectionError if fail-fast is enabled and an error occurs
+     */
+    selectAuthMethod(agentId: string, availableMethods?: AuthMethodType[], providerId?: AuthProviderId): Promise<AuthMethodSelectionResult>;
+    /**
+     * Try a specific authentication method for an agent.
+     *
+     * @param agentId - The agent identifier
+     * @param methodType - The authentication method to try
+     * @param providerId - Optional explicit provider ID
+     * @returns Selection result for this method
+     */
+    private tryAuthMethod;
+    /**
+     * Check if an agent ID has ambiguous provider mapping.
+     *
+     * Ambiguity occurs when multiple provider keywords match the agent ID.
+     * For example, "azure-openai-agent" matches both "azure" and "openai".
+     *
+     * @param agentId - The agent identifier
+     * @returns Ambiguity check result
+     */
+    private checkProviderAmbiguity;
+    /**
+     * Get the current method precedence configuration.
+     *
+     * @returns The current method precedence configuration
+     */
+    getMethodPrecedenceConfig(): AuthMethodPrecedenceConfig;
+}
+/**
+ * Create an AuthManager with the given options.
+ *
+ * @param options - Configuration options
+ * @returns A new AuthManager instance
+ */
+export declare function createAuthManager(options: AuthManagerOptions): AuthManager;

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/cli.property.test.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Property-based tests for CLI commands.
+ *
+ * Feature: oauth-authentication
+ * Properties 20-22: Logout Credential Removal, Selective Logout Isolation,
+ *                   CLI Exit Code Success
+ *
+ * @module cli/cli.property.test
+ */
+import * as fc from 'fast-check';
+import { Readable } from 'stream';
+import type { AuthProviderId, StoredCredentials } from '../types.js';
+/**
+ * Create a mock readable stream with predefined input.
+ * Exported for potential use in other tests.
+ */
+export declare function createMockInput(lines: string[]): Readable;
+/**
+ * Arbitrary generator for stored credentials.
+ * Exported for potential use in other tests.
+ */
+export declare const storedCredentialsArb: (providerId: AuthProviderId) => fc.Arbitrary<StoredCredentials>;

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * CLI command exports.
+ *
+ * @module cli
+ */
+export { runSetupCommand } from './setup-command.js';
+export { runStatusCommand } from './status-command.js';
+export { runLogoutCommand } from './logout-command.js';
+export { runLoginCommand } from './login-command.js';

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/login-command.d.ts

@@ -0,0 +1,32 @@
+import type { AuthProviderId } from '../types.js';
+/**
+ * Options for the login command.
+ */
+export interface LoginCommandOptions {
+    /** Custom output stream (for testing) */
+    output?: NodeJS.WritableStream;
+    /** Custom timeout in milliseconds (default: 5 minutes) */
+    timeoutMs?: number;
+}
+/**
+ * Run the login command.
+ *
+ * Starts the browser-based OAuth 2.1 Authorization Code flow with PKCE
+ * for the specified provider.
+ *
+ * All output goes to stderr to comply with NDJSON protocol requirements.
+ *
+ * Requirement 3.1: WHEN an agent requires OAuth authentication with `type: "agent"`,
+ * THE Auth_Module SHALL initiate the OAuth 2.1 Authorization Code flow with PKCE.
+ *
+ * Requirement 3.2: WHEN initiating the authorization flow, THE Auth_Module SHALL
+ * open the system default browser to the provider's authorization URL.
+ *
+ * Requirement 9.5: THE Registry_Launcher SHALL exit with code 0 after successfully
+ * completing any auth CLI command.
+ *
+ * @param providerId - The provider to authenticate with
+ * @param options - Command options
+ * @returns Exit code (0 for success, 1 for failure)
+ */
+export declare function runLoginCommand(providerId: AuthProviderId, options?: LoginCommandOptions): Promise<number>;

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/logout-command.d.ts

@@ -0,0 +1,25 @@
+import type { AuthProviderId } from '../types.js';
+/**
+ * Options for the logout command.
+ */
+export interface LogoutCommandOptions {
+    /** Custom output stream (for testing) */
+    output?: NodeJS.WritableStream;
+}
+/**
+ * Run the logout command.
+ *
+ * Removes stored credentials from the Credential_Store.
+ * All output goes to stderr to comply with NDJSON protocol requirements.
+ *
+ * Requirement 9.3: WHEN the `--logout` flag is provided, THE Registry_Launcher
+ * SHALL remove all stored credentials from the Credential_Store.
+ *
+ * Requirement 9.4: WHEN the `--logout` flag is provided with a provider name,
+ * THE Registry_Launcher SHALL remove only the credentials for that specific provider.
+ *
+ * @param providerId - Optional provider to logout from (all if not specified)
+ * @param options - Command options
+ * @returns Exit code (0 for success, 1 for failure)
+ */
+export declare function runLogoutCommand(providerId?: AuthProviderId, options?: LogoutCommandOptions): Promise<number>;

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/setup-command.d.ts

@@ -0,0 +1,25 @@
+import type { AuthProviderId } from '../types.js';
+/**
+ * Options for the setup command.
+ */
+export interface SetupCommandOptions {
+    /** Optional pre-selected provider (skips provider selection) */
+    providerId?: AuthProviderId;
+    /** Custom input stream (for testing) */
+    input?: NodeJS.ReadableStream;
+    /** Custom output stream (for testing) */
+    output?: NodeJS.WritableStream;
+}
+/**
+ * Run the setup command.
+ *
+ * Starts the interactive Setup_Wizard for configuring OAuth credentials.
+ * All output goes to stderr to comply with NDJSON protocol requirements.
+ *
+ * Requirement 9.1: WHEN the `--setup` flag is provided, THE Registry_Launcher
+ * SHALL start the interactive authentication Setup_Wizard.
+ *
+ * @param options - Command options
+ * @returns Exit code (0 for success, 1 for failure)
+ */
+export declare function runSetupCommand(options?: SetupCommandOptions): Promise<number>;

package/out/tsc/workers-registry/registry-launcher/src/auth/cli/status-command.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Options for the status command.
+ */
+export interface StatusCommandOptions {
+    /** Custom output stream (for testing) */
+    output?: NodeJS.WritableStream;
+}
+/**
+ * Run the auth-status command.
+ *
+ * Displays the current authentication status for all configured providers.
+ * All output goes to stderr to comply with NDJSON protocol requirements.
+ *
+ * Requirement 9.2: WHEN the `--auth-status` flag is provided, THE Registry_Launcher
+ * SHALL display the current authentication status for all configured providers
+ * (authenticated, expired, not configured).
+ *
+ * @param options - Command options
+ * @returns Exit code (0 for success)
+ */
+export declare function runStatusCommand(options?: StatusCommandOptions): Promise<number>;