@vellumai/credential-executor 0.5.4 → 0.5.6

package/Dockerfile

@@ -49,6 +49,9 @@ COPY --from=builder --chown=ces:ces /app /app
 # when no PVC volume is mounted (e.g., direct docker run)
 RUN mkdir -p /ces-data && chown ces:ces /ces-data
 
+# Pre-create /ces-security for credential key storage (keys.enc, store.key)
+RUN mkdir -p /ces-security && chown ces:ces /ces-security
+
 USER ces
 
 EXPOSE 8090

package/node_modules/@vellumai/ces-contracts/src/index.ts

@@ -145,3 +145,4 @@ export * from "./handles.js";
 export * from "./grants.js";
 export * from "./rpc.js";
 export * from "./rendering.js";
+export * from "./trust-rules.js";

package/node_modules/@vellumai/ces-contracts/src/trust-rules.ts

@@ -0,0 +1,42 @@
+/**
+ * Trust rule types shared between the assistant daemon and the gateway.
+ *
+ * These are extracted from `assistant/src/permissions/types.ts` and
+ * `assistant/src/permissions/trust-store.ts` so that both packages can
+ * reference a single canonical definition.
+ */
+
+// ---------------------------------------------------------------------------
+// Trust decision
+// ---------------------------------------------------------------------------
+
+/** The possible decisions a trust rule can make. */
+export type TrustDecision = "allow" | "deny" | "ask";
+
+// ---------------------------------------------------------------------------
+// Trust rule
+// ---------------------------------------------------------------------------
+
+export interface TrustRule {
+  id: string;
+  tool: string;
+  pattern: string;
+  scope: string;
+  decision: TrustDecision;
+  priority: number;
+  createdAt: number;
+  executionTarget?: string;
+  allowHighRisk?: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// Trust file (on-disk shape)
+// ---------------------------------------------------------------------------
+
+/** Shape of the `trust.json` file persisted to disk. */
+export interface TrustFileData {
+  version: number;
+  rules: TrustRule[];
+  /** Set to true when the user explicitly accepts the starter approval bundle. */
+  starterBundleAccepted?: boolean;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.5.4",
+  "version": "0.5.6",
   "type": "module",
   "exports": {
     ".": "./src/index.ts"

package/src/http/credential-routes.ts

@@ -0,0 +1,203 @@
+/**
+ * Credential CRUD HTTP endpoints for the CES managed service.
+ *
+ * Exposes credential management over HTTP so the assistant and gateway
+ * can access credentials via the network instead of reading keys.enc
+ * directly from a shared volume.
+ *
+ * Endpoints:
+ * - `GET  /v1/credentials`           — list credential account names
+ * - `GET  /v1/credentials/:account`  — get a credential value
+ * - `POST /v1/credentials/:account`  — set a credential value
+ * - `DELETE /v1/credentials/:account` — delete a credential
+ *
+ * Auth: All endpoints require a `CES_SERVICE_TOKEN` bearer token in the
+ * `Authorization` header. Both the CES and its callers share this token
+ * via the environment.
+ */
+
+import { timingSafeEqual } from "node:crypto";
+
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Auth
+// ---------------------------------------------------------------------------
+
+/**
+ * Validate the Authorization header against the configured service token.
+ * Returns an error Response if auth fails, or null if auth succeeds.
+ */
+function checkAuth(req: Request, serviceToken: string): Response | null {
+  const authHeader = req.headers.get("authorization");
+  if (!authHeader) {
+    return new Response(
+      JSON.stringify({ error: "Missing Authorization header" }),
+      { status: 401, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0]!.toLowerCase() !== "bearer") {
+    return new Response(
+      JSON.stringify({ error: "Invalid Authorization header format. Expected: Bearer <token>" }),
+      { status: 401, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
+  const provided = Buffer.from(parts[1]!);
+  const expected = Buffer.from(serviceToken);
+  if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
+    return new Response(
+      JSON.stringify({ error: "Invalid service token" }),
+      { status: 403, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Route handler
+// ---------------------------------------------------------------------------
+
+export interface CredentialRouteDeps {
+  /** The secure key backend to wrap. */
+  backend: SecureKeyBackend;
+  /** Service token for authenticating requests. */
+  serviceToken: string;
+}
+
+const CREDENTIAL_PATH_PREFIX = "/v1/credentials";
+
+/**
+ * Try to handle a credential CRUD request. Returns a Response if the
+ * request matches a credential route, or null if it doesn't match
+ * (allowing the caller to fall through to other routes).
+ */
+export async function handleCredentialRoute(
+  req: Request,
+  deps: CredentialRouteDeps,
+): Promise<Response | null> {
+  const url = new URL(req.url);
+  const { pathname } = url;
+
+  // Only handle /v1/credentials paths
+  if (!pathname.startsWith(CREDENTIAL_PATH_PREFIX)) {
+    return null;
+  }
+
+  // Auth check
+  const authError = checkAuth(req, deps.serviceToken);
+  if (authError) return authError;
+
+  const { backend } = deps;
+
+  // Extract account from path: /v1/credentials/:account
+  const accountSegment = pathname.slice(CREDENTIAL_PATH_PREFIX.length);
+
+  // GET /v1/credentials — list all credential account names
+  if (accountSegment === "" || accountSegment === "/") {
+    if (req.method !== "GET") {
+      return new Response(
+        JSON.stringify({ error: "Method not allowed" }),
+        { status: 405, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    const accounts = await backend.list();
+    return new Response(
+      JSON.stringify({ accounts }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
+  // Remaining routes require /:account
+  if (!accountSegment.startsWith("/")) {
+    return null; // Not a credential route
+  }
+
+  const account = decodeURIComponent(accountSegment.slice(1));
+  if (!account) {
+    return new Response(
+      JSON.stringify({ error: "Account name is required" }),
+      { status: 400, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
+  switch (req.method) {
+    // GET /v1/credentials/:account — get credential value
+    case "GET": {
+      const value = await backend.get(account);
+      if (value === undefined) {
+        return new Response(
+          JSON.stringify({ error: "Credential not found", account }),
+          { status: 404, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response(
+        JSON.stringify({ account, value }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    // POST /v1/credentials/:account — set credential value
+    case "POST": {
+      let body: { value?: string };
+      try {
+        body = await req.json();
+      } catch {
+        return new Response(
+          JSON.stringify({ error: "Invalid JSON body" }),
+          { status: 400, headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (typeof body.value !== "string") {
+        return new Response(
+          JSON.stringify({ error: "Body must contain a 'value' string field" }),
+          { status: 400, headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      const ok = await backend.set(account, body.value);
+      if (!ok) {
+        return new Response(
+          JSON.stringify({ error: "Failed to set credential", account }),
+          { status: 500, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response(
+        JSON.stringify({ ok: true, account }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    // DELETE /v1/credentials/:account — delete credential
+    case "DELETE": {
+      const result = await backend.delete(account);
+      if (result === "not-found") {
+        return new Response(
+          JSON.stringify({ error: "Credential not found", account }),
+          { status: 404, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      if (result === "error") {
+        return new Response(
+          JSON.stringify({ error: "Failed to delete credential", account }),
+          { status: 500, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response(
+        JSON.stringify({ ok: true, account }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    default:
+      return new Response(
+        JSON.stringify({ error: "Method not allowed" }),
+        { status: 405, headers: { "Content-Type": "application/json" } },
+      );
+  }
+}

package/src/managed-main.ts

@@ -57,6 +57,8 @@ import { materializeManagedToken } from "./materializers/managed-platform.js";
 import { HandleType, parseHandle } from "@vellumai/ces-contracts";
 import { buildLazyGetters, type ApiKeyRef } from "./managed-lazy-getters.js";
 import { MANAGED_LOCAL_STATIC_REJECTION_ERROR } from "./managed-errors.js";
+import { createLocalSecureKeyBackend } from "./materializers/local-secure-key-backend.js";
+import { handleCredentialRoute, type CredentialRouteDeps } from "./http/credential-routes.js";
 
 // ---------------------------------------------------------------------------
 // Logging (managed always logs to stderr)
@@ -127,9 +129,14 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHan
   }
 
   // -- Workspace root for command execution cwd ------------------------------
-  const assistantDataMount =
-    process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
-  const mountedVellumRoot = join(assistantDataMount, ".vellum");
+  // Prefer WORKSPACE_DIR when set (new Docker layout mounts workspace at
+  // /workspace). Fall back to the legacy path derived from the assistant
+  // data mount for backwards compatibility.
+  const defaultWorkspaceDir = process.env["WORKSPACE_DIR"] ?? (() => {
+    const assistantDataMount =
+      process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
+    return join(join(assistantDataMount, ".vellum"), "workspace");
+  })();
 
   // -- Build handler registry ------------------------------------------------
   // NOTE: local_static credential handles are NOT supported in managed mode.
@@ -241,7 +248,7 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHan
       cesMode: "managed",
       egressHooks: buildCesEgressHooks(),
     },
-    defaultWorkspaceDir: join(mountedVellumRoot, "workspace"),
+    defaultWorkspaceDir,
   });
 
   // Register manage_secure_command_tool handler
@@ -324,10 +331,14 @@ function buildHandlers(sessionIdRef: SessionIdRef, apiKeyRef: ApiKeyRef): RpcHan
 
 let rpcConnected = false;
 
-function startHealthServer(port: number, signal: AbortSignal): ReturnType<typeof Bun.serve> {
+function startHealthServer(
+  port: number,
+  signal: AbortSignal,
+  credentialDeps: CredentialRouteDeps | null,
+): ReturnType<typeof Bun.serve> {
   const server = Bun.serve({
     port,
-    fetch(req) {
+    async fetch(req) {
       const url = new URL(req.url);
       if (url.pathname === "/healthz") {
         return new Response(
@@ -350,6 +361,13 @@ function startHealthServer(port: number, signal: AbortSignal): ReturnType<typeof
           },
         );
       }
+
+      // Credential CRUD routes (only if service token is configured)
+      if (credentialDeps) {
+        const credentialResponse = await handleCredentialRoute(req, credentialDeps);
+        if (credentialResponse) return credentialResponse;
+      }
+
       return new Response("Not Found", { status: 404 });
     },
   });
@@ -480,9 +498,29 @@ async function main(): Promise<void> {
   process.on("SIGTERM", shutdown);
   process.on("SIGINT", shutdown);
 
+  // Set up credential CRUD routes if a service token is configured.
+  // The assistant and gateway use CES_SERVICE_TOKEN to authenticate
+  // credential management requests over HTTP.
+  const serviceToken = process.env["CES_SERVICE_TOKEN"] ?? "";
+  let credentialDeps: CredentialRouteDeps | null = null;
+
+  if (serviceToken) {
+    const assistantDataMount =
+      process.env["CES_ASSISTANT_DATA_MOUNT"] ?? "/assistant-data-ro";
+    const vellumRoot = join(assistantDataMount, ".vellum");
+    const backend = createLocalSecureKeyBackend(vellumRoot);
+    credentialDeps = { backend, serviceToken };
+    log("Credential CRUD routes enabled (CES_SERVICE_TOKEN configured)");
+  } else {
+    warn(
+      "CES_SERVICE_TOKEN not set — credential CRUD HTTP routes are disabled. " +
+        "Set CES_SERVICE_TOKEN to enable credential management over HTTP.",
+    );
+  }
+
   // Start health server on dedicated port
   const healthPort = getHealthPort();
-  const healthServer = startHealthServer(healthPort, controller.signal);
+  const healthServer = startHealthServer(healthPort, controller.signal, credentialDeps);
   log(`Health server listening on port ${healthPort}`);
 
   // Wait for exactly one assistant connection on the bootstrap socket

package/src/materializers/local-secure-key-backend.ts

@@ -86,15 +86,34 @@ type StoreFile = StoreFileV1 | StoreFileV2;
 // ---------------------------------------------------------------------------
 
 const STORE_KEY_FILENAME = "store.key";
+const KEYS_ENC_FILENAME = "keys.enc";
+
+// ---------------------------------------------------------------------------
+// Security directory resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the directory containing `keys.enc` and `store.key`.
+ *
+ * When `CREDENTIAL_SECURITY_DIR` is set, files are read from (and written to)
+ * that directory directly. This allows Docker deployments to mount a separate
+ * CES-only security volume.
+ *
+ * When the env var is unset, falls back to `<vellumRoot>/protected/` for
+ * backwards compatibility.
+ */
+function resolveSecurityDir(vellumRoot: string): string {
+  return process.env.CREDENTIAL_SECURITY_DIR || join(vellumRoot, "protected");
+}
 
 /**
- * Read the v2 store key file from `<vellumRoot>/protected/store.key`.
+ * Read the v2 store key file from the security directory.
  * Returns the raw 32-byte key buffer, or null if the file is missing,
  * wrong size, or unreadable.
  */
 function readStoreKey(vellumRoot: string): Buffer | null {
   try {
-    const keyPath = join(vellumRoot, "protected", STORE_KEY_FILENAME);
+    const keyPath = join(resolveSecurityDir(vellumRoot), STORE_KEY_FILENAME);
     if (!existsSync(keyPath)) return null;
     const buf = readFileSync(keyPath);
     if (buf.length !== KEY_LENGTH) return null;
@@ -211,9 +230,9 @@ function readStore(storePath: string): StoreFile | null {
 /**
  * Create a SecureKeyBackend backed by the assistant's encrypted key store.
  *
- * Supports `get` and `set` operations. `set` is needed for persisting
- * refreshed OAuth tokens. `delete` remains unsupported (returns "error")
- * because CES never needs to remove keys.
+ * Supports `get`, `set`, and `delete` operations. `set` is needed for
+ * persisting refreshed OAuth tokens. `delete` removes a key from the
+ * encrypted store.
  *
  * @param vellumRoot - The Vellum root directory (e.g. `~/.vellum`).
  * @param options.entropyOverride - If provided, used instead of local
@@ -230,7 +249,7 @@ export function createLocalSecureKeyBackend(
   vellumRoot: string,
   options?: { entropyOverride?: string; entropyGetter?: () => string | undefined },
 ): SecureKeyBackend {
-  const storePath = join(vellumRoot, "protected", "keys.enc");
+  const storePath = join(resolveSecurityDir(vellumRoot), KEYS_ENC_FILENAME);
   const staticEntropy = options?.entropyOverride;
   const entropyGetter = options?.entropyGetter;
 
@@ -291,9 +310,19 @@ export function createLocalSecureKeyBackend(
       }
     },
 
-    // CES never deletes keys — only reads and writes (for token refresh).
-    async delete(_key: string): Promise<SecureKeyDeleteResult> {
-      return "error";
+    async delete(key: string): Promise<SecureKeyDeleteResult> {
+      try {
+        const store = readStore(storePath);
+        if (!store) return "error";
+
+        if (!(key in store.entries)) return "not-found";
+
+        delete store.entries[key];
+        writeStore(store, storePath);
+        return "deleted";
+      } catch {
+        return "error";
+      }
     },
 
     async list(): Promise<string[]> {