@valon-technologies/gestalt 0.0.1-alpha.34 → 0.0.1-alpha.36

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@valon-technologies/gestalt",
-  "version": "0.0.1-alpha.34",
+  "version": "0.0.1-alpha.36",
   "description": "TypeScript SDK for Gestalt executable providers",
   "type": "module",
   "repository": {

package/src/api.ts

@@ -7,6 +7,9 @@ export interface Subject {
   id: string;
   credentialSubjectId: string;
   email: string;
+  kind?: string | undefined;
+  displayName?: string | undefined;
+  authSource?: string | undefined;
 }
 
 /**
@@ -169,11 +172,17 @@ export function request(
       id: subject.id ?? "",
       credentialSubjectId: subject.credentialSubjectId ?? "",
       email: subject.email ?? "",
+      kind: subject.kind,
+      displayName: subject.displayName,
+      authSource: subject.authSource,
     },
     agentSubject: {
       id: agentSubject.id ?? "",
       credentialSubjectId: agentSubject.credentialSubjectId ?? "",
       email: agentSubject.email ?? "",
+      kind: agentSubject.kind,
+      displayName: agentSubject.displayName,
+      authSource: agentSubject.authSource,
     },
     credential: {
       mode: credential.mode ?? "",

package/src/authorization.ts

@@ -2,18 +2,30 @@ import { create } from "@bufbuild/protobuf";
 import {
   Code,
   ConnectError,
+  createClient,
+  type Client,
   type ServiceImpl,
 } from "@connectrpc/connect";
+import { EmptySchema } from "@bufbuild/protobuf/wkt";
 
 import {
+  ActionSchema,
+  AddRelationshipRequestSchema,
   AddRelationshipResponseSchema,
+  AuthorizationModelSchema,
+  AuthorizationModelResourceTypeFilterSchema,
   AuthorizationModelRefSchema,
   AuthorizationModelResourceTypeSchema,
+  CheckAccessManyRequestSchema,
   CheckAccessManyResponseSchema,
+  CheckAccessRequestSchema,
   CheckAccessResponseSchema,
   DefaultAccessPolicy as ProtoDefaultAccessPolicy,
+  DeleteRelationshipRequestSchema,
   DeleteRelationshipResponseSchema,
   GetActiveModelRefResponseSchema,
+  ListActiveModelResourceTypesRequestSchema,
+  ListRelationshipsRequestSchema,
   ListActiveModelResourceTypesResponseSchema,
   ListRelationshipsResponseSchema,
   ModelActionSchema,
@@ -24,7 +36,9 @@ import {
   RelationshipTargetType as ProtoRelationshipTargetType,
   RelationshipTupleSchema,
   ResourceSchema,
+  SetActiveModelRequestSchema,
   SetActiveModelResponseSchema,
+  SetAuthorizationStateRequestSchema,
   SetAuthorizationStateResponseSchema,
   SourceLayer as ProtoSourceLayer,
   SubjectSchema,
@@ -32,30 +46,46 @@ import {
   SubjectSetTypeSchema,
   AuthorizationProvider as AuthorizationProviderService,
   type AddRelationshipRequest as ProtoAddRelationshipRequest,
+  type AddRelationshipResponse as ProtoAddRelationshipResponse,
   type AuthorizationModel as ProtoAuthorizationModel,
   type AuthorizationModelResourceType as ProtoAuthorizationModelResourceType,
   type CheckAccessManyRequest as ProtoCheckAccessManyRequest,
+  type CheckAccessManyResponse as ProtoCheckAccessManyResponse,
   type CheckAccessRequest as ProtoCheckAccessRequest,
+  type CheckAccessResponse as ProtoCheckAccessResponse,
   type DeleteRelationshipRequest as ProtoDeleteRelationshipRequest,
+  type DeleteRelationshipResponse as ProtoDeleteRelationshipResponse,
+  type GetActiveModelRefResponse as ProtoGetActiveModelRefResponse,
   type ListActiveModelResourceTypesRequest as ProtoListActiveModelResourceTypesRequest,
+  type ListActiveModelResourceTypesResponse as ProtoListActiveModelResourceTypesResponse,
   type ListRelationshipsRequest as ProtoListRelationshipsRequest,
+  type ListRelationshipsResponse as ProtoListRelationshipsResponse,
   type ModelAllowedTarget as ProtoModelAllowedTarget,
   type Relationship as ProtoRelationship,
   type RelationshipFilter as ProtoRelationshipFilter,
   type RelationshipTarget as ProtoRelationshipTarget,
   type RelationshipTuple as ProtoRelationshipTuple,
+  type SetActiveModelResponse as ProtoSetActiveModelResponse,
   type SetActiveModelRequest as ProtoSetActiveModelRequest,
+  type SetAuthorizationStateResponse as ProtoSetAuthorizationStateResponse,
   type SetAuthorizationStateRequest as ProtoSetAuthorizationStateRequest,
   type SubjectSet as ProtoSubjectSet,
 } from "./internal/gen/v1/authorization_pb.ts";
 import { errorMessage, type MaybePromise } from "./api.ts";
 import { ProviderBase, type ProviderBaseOptions } from "./provider.ts";
 import {
+  dateFromTimestamp,
   jsonObjectFromStruct,
   structFromObject,
   timestampFromDate,
   type JsonObjectInput,
 } from "./protocol.ts";
+import {
+  createHostServiceGrpcTransport,
+  hostServiceMetadataInterceptors,
+  parseHostServiceTarget,
+  requireHostServiceTarget,
+} from "./host-service.ts";
 
 export const RelationshipTargetType = {
   UNSPECIFIED: ProtoRelationshipTargetType.UNSPECIFIED,
@@ -253,6 +283,138 @@ export interface ListActiveModelResourceTypesResponse {
   modelId?: string | undefined;
 }
 
+export interface Authorization {
+  checkAccess(request: CheckAccessRequest): Promise<CheckAccessResponse>;
+  checkAccessMany(
+    request: CheckAccessManyRequest,
+  ): Promise<CheckAccessManyResponse>;
+  listRelationships(
+    request: ListRelationshipsRequest,
+  ): Promise<ListRelationshipsResponse>;
+  addRelationship(
+    request: AddRelationshipRequest,
+  ): Promise<AddRelationshipResponse>;
+  deleteRelationship(
+    request: DeleteRelationshipRequest,
+  ): Promise<DeleteRelationshipResponse>;
+  setAuthorizationState(
+    request: SetAuthorizationStateRequest,
+  ): Promise<SetAuthorizationStateResponse>;
+  getActiveModelRef(): Promise<GetActiveModelRefResponse>;
+  setActiveModel(
+    request: SetActiveModelRequest,
+  ): Promise<SetActiveModelResponse>;
+  listActiveModelResourceTypes(
+    request: ListActiveModelResourceTypesRequest,
+  ): Promise<ListActiveModelResourceTypesResponse>;
+}
+
+class AuthorizationImpl implements Authorization {
+  private readonly client: Client<typeof AuthorizationProviderService>;
+
+  constructor(target?: string, relayToken?: string) {
+    const host = target
+      ? { target, token: relayToken?.trim() ?? "" }
+      : requireHostServiceTarget("authorization");
+    const transport = createHostServiceGrpcTransport(
+      parseHostServiceTarget("authorization", host.target),
+      hostServiceMetadataInterceptors(host.token, ""),
+    );
+    this.client = createClient(AuthorizationProviderService, transport);
+  }
+
+  async checkAccess(request: CheckAccessRequest): Promise<CheckAccessResponse> {
+    return checkAccessResponseFromProto(
+      await this.client.checkAccess(checkAccessRequestToProto(request)),
+    );
+  }
+
+  async checkAccessMany(
+    request: CheckAccessManyRequest,
+  ): Promise<CheckAccessManyResponse> {
+    return checkAccessManyResponseFromProto(
+      await this.client.checkAccessMany(checkAccessManyRequestToProto(request)),
+    );
+  }
+
+  async listRelationships(
+    request: ListRelationshipsRequest,
+  ): Promise<ListRelationshipsResponse> {
+    return listRelationshipsResponseFromProto(
+      await this.client.listRelationships(listRelationshipsRequestToProto(request)),
+    );
+  }
+
+  async addRelationship(
+    request: AddRelationshipRequest,
+  ): Promise<AddRelationshipResponse> {
+    return addRelationshipResponseFromProto(
+      await this.client.addRelationship(addRelationshipRequestToProto(request)),
+    );
+  }
+
+  async deleteRelationship(
+    request: DeleteRelationshipRequest,
+  ): Promise<DeleteRelationshipResponse> {
+    return deleteRelationshipResponseFromProto(
+      await this.client.deleteRelationship(deleteRelationshipRequestToProto(request)),
+    );
+  }
+
+  async setAuthorizationState(
+    request: SetAuthorizationStateRequest,
+  ): Promise<SetAuthorizationStateResponse> {
+    return setAuthorizationStateResponseFromProto(
+      await this.client.setAuthorizationState(
+        setAuthorizationStateRequestToProto(request),
+      ),
+    );
+  }
+
+  async getActiveModelRef(): Promise<GetActiveModelRefResponse> {
+    return getActiveModelRefResponseFromProto(
+      await this.client.getActiveModelRef(create(EmptySchema)),
+    );
+  }
+
+  async setActiveModel(
+    request: SetActiveModelRequest,
+  ): Promise<SetActiveModelResponse> {
+    return setActiveModelResponseFromProto(
+      await this.client.setActiveModel(setActiveModelRequestToProto(request)),
+    );
+  }
+
+  async listActiveModelResourceTypes(
+    request: ListActiveModelResourceTypesRequest,
+  ): Promise<ListActiveModelResourceTypesResponse> {
+    return listActiveModelResourceTypesResponseFromProto(
+      await this.client.listActiveModelResourceTypes(
+        listActiveModelResourceTypesRequestToProto(request),
+      ),
+    );
+  }
+}
+
+let sharedAuthorization:
+  | { target: string; token: string; client: Authorization }
+  | undefined;
+
+export function Authorization(): Authorization {
+  const { target, token } = requireHostServiceTarget("authorization");
+  if (
+    sharedAuthorization &&
+    sharedAuthorization.target === target &&
+    sharedAuthorization.token === token
+  ) {
+    return sharedAuthorization.client;
+  }
+
+  const client = new AuthorizationImpl(target, token);
+  sharedAuthorization = { target, token, client };
+  return client;
+}
+
 export interface AuthorizationProviderOptions extends ProviderBaseOptions {
   checkAccess: (request: CheckAccessRequest) => MaybePromise<CheckAccessResponse>;
   checkAccessMany: (
@@ -471,6 +633,30 @@ function checkAccessRequestFromProto(
   };
 }
 
+function checkAccessRequestToProto(value: CheckAccessRequest) {
+  return create(CheckAccessRequestSchema, {
+    subject: subjectToProto(value.subject),
+    action: value.action
+      ? create(ActionSchema, {
+          name: value.action.name ?? "",
+          properties: value.action.properties === undefined
+            ? undefined
+            : structFromObject(value.action.properties),
+        })
+      : undefined,
+    resource: resourceToProto(value.resource),
+  });
+}
+
+function checkAccessResponseFromProto(
+  value: ProtoCheckAccessResponse,
+): CheckAccessResponse {
+  return {
+    allowed: value.allowed,
+    modelId: value.modelId,
+  };
+}
+
 function checkAccessResponseToProto(value: CheckAccessResponse | undefined) {
   if (!value) {
     throw new ConnectError(
@@ -492,6 +678,20 @@ function checkAccessManyRequestFromProto(
   };
 }
 
+function checkAccessManyRequestToProto(value: CheckAccessManyRequest) {
+  return create(CheckAccessManyRequestSchema, {
+    requests: (value.requests ?? []).map(checkAccessRequestToProto),
+  });
+}
+
+function checkAccessManyResponseFromProto(
+  value: ProtoCheckAccessManyResponse,
+): CheckAccessManyResponse {
+  return {
+    decisions: value.decisions.map(checkAccessResponseFromProto),
+  };
+}
+
 function checkAccessManyResponseToProto(
   value: CheckAccessManyResponse | undefined,
 ) {
@@ -516,6 +716,25 @@ function listRelationshipsRequestFromProto(
   };
 }
 
+function listRelationshipsRequestToProto(
+  value: ListRelationshipsRequest,
+) {
+  return create(ListRelationshipsRequestSchema, {
+    filter: relationshipFilterToProto(value.filter),
+    pageSize: value.pageSize ?? 0,
+    pageToken: value.pageToken ?? "",
+  });
+}
+
+function listRelationshipsResponseFromProto(
+  value: ProtoListRelationshipsResponse,
+): ListRelationshipsResponse {
+  return {
+    relationships: value.relationships.map(relationshipFromProtoRequired),
+    nextPageToken: value.nextPageToken,
+  };
+}
+
 function listRelationshipsResponseToProto(
   value: ListRelationshipsResponse | undefined,
 ) {
@@ -539,6 +758,20 @@ function addRelationshipRequestFromProto(
   };
 }
 
+function addRelationshipRequestToProto(value: AddRelationshipRequest) {
+  return create(AddRelationshipRequestSchema, {
+    relationship: relationshipToProto(value.relationship),
+  });
+}
+
+function addRelationshipResponseFromProto(
+  value: ProtoAddRelationshipResponse,
+): AddRelationshipResponse {
+  return {
+    relationship: relationshipFromProto(value.relationship),
+  };
+}
+
 function addRelationshipResponseToProto(
   value: AddRelationshipResponse | undefined,
 ) {
@@ -563,6 +796,18 @@ function deleteRelationshipRequestFromProto(
   };
 }
 
+function deleteRelationshipRequestToProto(value: DeleteRelationshipRequest) {
+  return create(DeleteRelationshipRequestSchema, {
+    relationshipTuple: relationshipTupleToProto(value.relationshipTuple),
+  });
+}
+
+function deleteRelationshipResponseFromProto(
+  _value: ProtoDeleteRelationshipResponse,
+): DeleteRelationshipResponse {
+  return {};
+}
+
 function setAuthorizationStateRequestFromProto(
   value: ProtoSetAuthorizationStateRequest,
 ): SetAuthorizationStateRequest {
@@ -572,6 +817,23 @@ function setAuthorizationStateRequestFromProto(
   };
 }
 
+function setAuthorizationStateRequestToProto(
+  value: SetAuthorizationStateRequest,
+) {
+  return create(SetAuthorizationStateRequestSchema, {
+    model: authorizationModelToProto(value.model),
+    relationships: (value.relationships ?? []).map(relationshipToProtoRequired),
+  });
+}
+
+function setAuthorizationStateResponseFromProto(
+  value: ProtoSetAuthorizationStateResponse,
+): SetAuthorizationStateResponse {
+  return {
+    activeModel: authorizationModelRefFromProto(value.activeModel),
+  };
+}
+
 function setAuthorizationStateResponseToProto(
   value: SetAuthorizationStateResponse | undefined,
 ) {
@@ -588,6 +850,14 @@ function setAuthorizationStateResponseToProto(
   });
 }
 
+function getActiveModelRefResponseFromProto(
+  value: ProtoGetActiveModelRefResponse,
+): GetActiveModelRefResponse {
+  return {
+    model: authorizationModelRefFromProto(value.model),
+  };
+}
+
 function getActiveModelRefResponseToProto(
   value: GetActiveModelRefResponse | undefined,
 ) {
@@ -610,6 +880,20 @@ function setActiveModelRequestFromProto(
   };
 }
 
+function setActiveModelRequestToProto(value: SetActiveModelRequest) {
+  return create(SetActiveModelRequestSchema, {
+    model: authorizationModelToProto(value.model),
+  });
+}
+
+function setActiveModelResponseFromProto(
+  value: ProtoSetActiveModelResponse,
+): SetActiveModelResponse {
+  return {
+    model: authorizationModelRefFromProto(value.model),
+  };
+}
+
 function setActiveModelResponseToProto(value: SetActiveModelResponse | undefined) {
   if (!value) {
     throw new ConnectError(
@@ -637,6 +921,31 @@ function listActiveModelResourceTypesRequestFromProto(
   };
 }
 
+function listActiveModelResourceTypesRequestToProto(
+  value: ListActiveModelResourceTypesRequest,
+) {
+  return create(ListActiveModelResourceTypesRequestSchema, {
+    filter: value.filter
+      ? create(AuthorizationModelResourceTypeFilterSchema, {
+          name: value.filter.name ?? "",
+          sourceLayer: value.filter.sourceLayer ?? SourceLayer.UNSPECIFIED,
+        })
+      : undefined,
+    pageSize: value.pageSize ?? 0,
+    pageToken: value.pageToken ?? "",
+  });
+}
+
+function listActiveModelResourceTypesResponseFromProto(
+  value: ProtoListActiveModelResourceTypesResponse,
+): ListActiveModelResourceTypesResponse {
+  return {
+    resourceTypes: value.resourceTypes.map(authorizationModelResourceTypeFromProto),
+    nextPageToken: value.nextPageToken,
+    modelId: value.modelId,
+  };
+}
+
 function listActiveModelResourceTypesResponseToProto(
   value: ListActiveModelResourceTypesResponse | undefined,
 ) {
@@ -720,6 +1029,21 @@ function relationshipFilterFromProto(
   };
 }
 
+function relationshipFilterToProto(value: RelationshipFilter | undefined) {
+  if (!value) {
+    return undefined;
+  }
+  return {
+    target: relationshipTargetToProto(value.target),
+    relation: value.relation ?? "",
+    resource: resourceToProto(value.resource),
+    targetType: value.targetType ?? RelationshipTargetType.UNSPECIFIED,
+    targetEntityType: value.targetEntityType ?? "",
+    resourceType: value.resourceType ?? "",
+    sourceLayer: value.sourceLayer ?? SourceLayer.UNSPECIFIED,
+  };
+}
+
 function relationshipFromProto(
   value: ProtoRelationship | undefined,
 ): Relationship | undefined {
@@ -848,6 +1172,19 @@ function authorizationModelFromProto(
   };
 }
 
+function authorizationModelToProto(value: AuthorizationModel | undefined) {
+  if (!value) {
+    return undefined;
+  }
+  return create(AuthorizationModelSchema, {
+    id: value.id ?? "",
+    version: value.version ?? "",
+    resourceTypes: (value.resourceTypes ?? []).map(
+      authorizationModelResourceTypeToProto,
+    ),
+  });
+}
+
 function authorizationModelResourceTypeFromProto(
   value: ProtoAuthorizationModelResourceType,
 ): AuthorizationModelResourceType {
@@ -935,6 +1272,19 @@ function modelAllowedTargetToProto(value: ModelAllowedTarget) {
   return create(ModelAllowedTargetSchema);
 }
 
+function authorizationModelRefFromProto(
+  value: ProtoGetActiveModelRefResponse["model"] | undefined,
+): AuthorizationModelRef | undefined {
+  if (!value) {
+    return undefined;
+  }
+  return {
+    id: value.id,
+    version: value.version,
+    createdAt: value.createdAt ? dateFromTimestamp(value.createdAt) : undefined,
+  };
+}
+
 function authorizationModelRefToProto(value: AuthorizationModelRef) {
   return create(AuthorizationModelRefSchema, {
     id: value.id ?? "",

package/src/index.ts

@@ -110,6 +110,7 @@ export {
   type RuntimeLogWriterOptions,
 } from "./runtime-log-host.ts";
 export {
+  Authorization,
   AuthorizationProvider,
   DefaultAccessPolicy,
   RelationshipTargetType,
@@ -119,6 +120,7 @@ export {
   isAuthorizationProvider,
   type AddRelationshipRequest,
   type AddRelationshipResponse,
+  type Authorization as AuthorizationClient,
   type AuthorizationAction,
   type AuthorizationModel,
   type AuthorizationModelRef,

package/src/runtime.ts

@@ -75,7 +75,7 @@ import {
 } from "./internal/gen/v1/runtime_pb.ts";
 import { S3 as S3Service } from "./internal/gen/v1/s3_pb.ts";
 import { WorkflowProvider as WorkflowProviderService } from "./internal/gen/v1/workflow_pb.ts";
-import { errorMessage, type OperationResult, type Request } from "./api.ts";
+import { errorMessage, parseSubjectId, type OperationResult, type Request } from "./api.ts";
 import {
   AgentProvider,
   createAgentProviderService,
@@ -835,11 +835,13 @@ function providerRequest(
       id: subject?.id ?? "",
       credentialSubjectId: subject?.credentialSubjectId ?? "",
       email: subject?.email ?? "",
+      kind: subjectKind(subject?.id ?? ""),
     },
     agentSubject: {
       id: agentSubject?.id ?? "",
       credentialSubjectId: agentSubject?.credentialSubjectId ?? "",
       email: agentSubject?.email ?? "",
+      kind: subjectKind(agentSubject?.id ?? ""),
     },
     credential: {
       mode: credential?.mode ?? "",
@@ -864,6 +866,10 @@ function providerRequest(
   };
 }
 
+function subjectKind(subjectID: string): string {
+  return parseSubjectId(subjectID)?.kind ?? "";
+}
+
 function providerRequestToolRefs(
   requestContext?: ProtoRequestContext,
 ): AgentToolRef[] {

package/src/workflow.ts

@@ -1766,11 +1766,11 @@ export function evaluateWorkflowValue(ctx: WorkflowEvalContext, input: WorkflowV
 }
 
 export function renderWorkflowTemplate(ctx: WorkflowEvalContext, template: string): string {
-  return template.replace(/\$\$\{/g, "\u0000{").replace(/\$\{([^{}]+)\}/g, (_match, expr: string) => {
+  return template.replace(/\$\$\{\{/g, "\u0000{{").replace(/\$\{\{([^{}]+)\}\}/g, (_match, expr: string) => {
     const resolved = templateExpressionValue(ctx, expr.trim());
     if (!resolved.ok) throw new WorkflowValueError(`template expression "${expr.trim()}" did not resolve`);
     return renderTemplateValue(resolved.value);
-  }).replace(/\u0000\{/g, "${");
+  }).replace(/\u0000\{\{/g, "${{");
 }
 
 export function pathValue(value: unknown, path: string): { value: unknown; ok: boolean } {