@zauso-ai/capstan-auth 1.0.0-beta.7 → 1.0.0-beta.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/execution.d.ts +10 -0
- package/dist/execution.d.ts.map +1 -0
- package/dist/execution.js +50 -0
- package/dist/execution.js.map +1 -0
- package/dist/harness-authorizer.d.ts +10 -0
- package/dist/harness-authorizer.d.ts.map +1 -0
- package/dist/harness-authorizer.js +90 -0
- package/dist/harness-authorizer.js.map +1 -0
- package/dist/index.d.ts +8 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +5 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware.d.ts.map +1 -1
- package/dist/middleware.js +141 -6
- package/dist/middleware.js.map +1 -1
- package/dist/oauth.d.ts +10 -1
- package/dist/oauth.d.ts.map +1 -1
- package/dist/oauth.js +34 -5
- package/dist/oauth.js.map +1 -1
- package/dist/permissions.d.ts +12 -22
- package/dist/permissions.d.ts.map +1 -1
- package/dist/permissions.js +91 -33
- package/dist/permissions.js.map +1 -1
- package/dist/runtime-authorizer.d.ts +28 -0
- package/dist/runtime-authorizer.d.ts.map +1 -0
- package/dist/runtime-authorizer.js +136 -0
- package/dist/runtime-authorizer.js.map +1 -0
- package/dist/runtime-grants.d.ts +31 -0
- package/dist/runtime-grants.d.ts.map +1 -0
- package/dist/runtime-grants.js +96 -0
- package/dist/runtime-grants.js.map +1 -0
- package/dist/session.d.ts +3 -3
- package/dist/session.d.ts.map +1 -1
- package/dist/session.js +21 -3
- package/dist/session.js.map +1 -1
- package/dist/types.d.ts +97 -1
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
package/dist/oauth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AA2C3C,yEAAyE;AAEzE,sCAAsC;AACtC,MAAM,UAAU,cAAc,CAAC,IAG9B;IACC,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,YAAY,EAAE,8CAA8C;QAC5D,QAAQ,EAAE,qCAAqC;QAC/C,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;KACvC,CAAC;AACJ,CAAC;AAED,sCAAsC;AACtC,MAAM,UAAU,cAAc,CAAC,IAG9B;IACC,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,YAAY,EAAE,0CAA0C;QACxD,QAAQ,EAAE,6CAA6C;QACvD,WAAW,EAAE,6BAA6B;QAC1C,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,MAAM,EAAE,CAAC,YAAY,CAAC;KACvB,CAAC;AACJ,CAAC;AAED,yEAAyE;AAEzE,2DAA2D;AAC3D,SAAS,aAAa;IACpB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,yEAAyE;AAEzE,SAAS,YAAY,CAAC,MAAc;IAClC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAClB,IAAY,EACZ,KAAa,EACb,OAAgD;IAEhD,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,QAAQ,OAAO,EAAE,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAC3C,IAAI,OAAO,EAAE,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,IAAI,OAAO,EAAE,QAAQ,KAAK,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACxD,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,EAAE,QAAQ,IAAI,KAAK,EAAE,CAAC,CAAC;IACrD,IAAI,OAAO,EAAE,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAWD;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAmB,EACnB,UAAmC,UAAU,CAAC,KAAK;IAEnD,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,gBAAgB,CAAC;IAC7D,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,qBAAqB,CAAC;IACxE,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,iBAAiB,CAAC;IAC1E,MAAM,qBAAqB,GAAG,MAAM,CAAC,OAAO,EAAE,MAAM,IAAI,MAAM,CAAC,aAAa,CAAC;IAC7E,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,aAAa,GAAG,qBAAqB,CAAC;IAC5C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACjC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,SAAS,KAAK,CAAC,OAAgB,EAAE,YAAoB;QACnD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,YAAY,EAAE,EAAE,CAAC,EAC9D,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;QAEnD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACpD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC9D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACvD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAClE,YAAY,CAAC,YAAY,CAAC,GAAG,CAC3B,OAAO,EACP,GAAG,YAAY,IAAI,KAAK,EAAE,CAC3B,CAAC;QAEF,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE;gBACjC,YAAY,EAAE,WAAW,CAAC,eAAe,EAAE,GAAG,YAAY,IAAI,KAAK,EAAE,EAAE;oBACrE,MAAM,EAAE,GAAG;iBACZ,CAAC;aACH;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,QAAQ,CAAC,OAAgB;QACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACzD,MAAM,OAAO,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAEjD,IAAI,CAAC,WAAW,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAC/C,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EACpD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,EACtD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAE/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,YAAY,EAAE,EAAE,CAAC,EAC9D,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,iCAAiC;QACjC,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;QACnD,IAAI,SAA6B,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE;gBACrD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,oBAAoB;oBAChC,IAAI;oBACJ,YAAY,EAAE,WAAW;oBACzB,SAAS,EAAE,QAAQ,CAAC,QAAQ;oBAC5B,aAAa,EAAE,QAAQ,CAAC,YAAY;iBACrC,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;gBACtB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,EAClD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAuB,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,EAClD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;YAC5B,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,EAClD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,IAAI,QAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE;gBACvD,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,SAAS,CAAC,YAAY,EAAE;oBACjD,MAAM,EAAE,kBAAkB;iBAC3B;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;gBACrB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,EACtD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,QAAQ,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAkB,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,EACtD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,MAAM,MAAM,GACV,QAAQ,CAAC,GAAG,IAAI,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,QAAQ,CAAC,KAAK,IAAI,SAAS,CAAC;QACzE,MAAM,WAAW,GAAsC;YACrD,MAAM,EAAE,GAAG,YAAY,IAAI,MAAM,EAAE;YACnC,GAAG,CAAC,QAAQ,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;QACF,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACjC,WAAW,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,MAAM,YAAY,GAAG,WAAW,CAC9B,WAAW,EACX,aAAa,EACb,MAAM,CAAC,OAAO,EAAE,MAAM,KAAK,SAAS;YAClC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE;YACnC,CAAC,CAAC,SAAS,CACd,CAAC;QAEF,uCAAuC;QACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,MAAM,CAAC,mBAAmB,IAAI,GAAG;gBAC3C,YAAY,EAAE,WAAW,CAAC,iBAAiB,EAAE,YAAY,EAAE;oBACzD,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,CAAC;oBACjC,MAAM,EAAE,MAAM;iBACf,CAAC;aACH;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AAC7B,CAAC"}
|
package/dist/permissions.d.ts
CHANGED
|
@@ -1,34 +1,24 @@
|
|
|
1
|
+
import type { AuthGrant, AuthGrantRequirement } from "./types.js";
|
|
2
|
+
export interface AuthorizationDecision {
|
|
3
|
+
allowed: boolean;
|
|
4
|
+
matchedGrant?: AuthGrant;
|
|
5
|
+
reason?: string;
|
|
6
|
+
}
|
|
7
|
+
export declare function normalizePermissionsToGrants(granted: readonly (string | AuthGrant)[]): AuthGrant[];
|
|
8
|
+
export declare function serializeGrantsToPermissions(grants: readonly AuthGrant[]): string[];
|
|
9
|
+
export declare function authorizeGrant(required: AuthGrantRequirement, granted: readonly (string | AuthGrant)[]): AuthorizationDecision;
|
|
10
|
+
export declare function checkGrant(required: AuthGrantRequirement, granted: readonly (string | AuthGrant)[]): boolean;
|
|
1
11
|
/**
|
|
2
12
|
* Check whether a required permission is satisfied by at least one entry in
|
|
3
|
-
* the
|
|
4
|
-
*
|
|
5
|
-
* Permission strings follow the `resource:action` pattern.
|
|
6
|
-
*
|
|
7
|
-
* Wildcards:
|
|
8
|
-
* - `*:read` — allows `read` on any resource
|
|
9
|
-
* - `ticket:*` — allows any action on `ticket`
|
|
10
|
-
* - `*:*` — full access (superuser)
|
|
11
|
-
*
|
|
12
|
-
* Examples:
|
|
13
|
-
* checkPermission({ resource: "ticket", action: "read" }, ["ticket:read"]) // true
|
|
14
|
-
* checkPermission({ resource: "ticket", action: "write" }, ["*:write"]) // true
|
|
15
|
-
* checkPermission({ resource: "ticket", action: "delete" }, ["ticket:*"]) // true
|
|
16
|
-
* checkPermission({ resource: "ticket", action: "delete" }, ["*:*"]) // true
|
|
13
|
+
* the granted permission / grant set.
|
|
17
14
|
*/
|
|
18
15
|
export declare function checkPermission(required: {
|
|
19
16
|
resource: string;
|
|
20
17
|
action: "read" | "write" | "delete";
|
|
21
|
-
}, granted: string[]): boolean;
|
|
18
|
+
}, granted: readonly (string | AuthGrant)[]): boolean;
|
|
22
19
|
/**
|
|
23
20
|
* Derive a `{ resource, action }` pair from an agent capability mode and
|
|
24
21
|
* an optional resource name.
|
|
25
|
-
*
|
|
26
|
-
* Mapping:
|
|
27
|
-
* - `"read"` → `{ resource, action: "read" }`
|
|
28
|
-
* - `"write"` → `{ resource, action: "write" }`
|
|
29
|
-
* - `"external"` → `{ resource: "external", action: "write" }`
|
|
30
|
-
*
|
|
31
|
-
* When `resource` is omitted the wildcard `"*"` is used.
|
|
32
22
|
*/
|
|
33
23
|
export declare function derivePermission(capability: "read" | "write" | "external", resource?: string): {
|
|
34
24
|
resource: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,SAAS,EACT,oBAAoB,EACrB,MAAM,YAAY,CAAC;AAGpB,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,SAAS,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAgDD,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,SAAS,EAAE,CAab;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,SAAS,SAAS,EAAE,GAAG,MAAM,EAAE,CAEnF;AAED,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,qBAAqB,CA0BvB;AAED,wBAAgB,UAAU,CACxB,QAAQ,EAAE,oBAAoB,EAC9B,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,OAAO,CAET;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAA;CAAE,EACnE,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,OAAO,CAET;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,GAAG,OAAO,GAAG,UAAU,EACzC,QAAQ,CAAC,EAAE,MAAM,GAChB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAStC"}
|
package/dist/permissions.js
CHANGED
|
@@ -1,44 +1,102 @@
|
|
|
1
|
+
import { createGrant } from "./runtime-grants.js";
|
|
2
|
+
function isGrantRecord(value) {
|
|
3
|
+
return (typeof value === "object" &&
|
|
4
|
+
value !== null &&
|
|
5
|
+
"resource" in value &&
|
|
6
|
+
"action" in value &&
|
|
7
|
+
typeof value["resource"] === "string" &&
|
|
8
|
+
typeof value["action"] === "string");
|
|
9
|
+
}
|
|
10
|
+
function parsePermission(permission) {
|
|
11
|
+
const sepIndex = permission.indexOf(":");
|
|
12
|
+
if (sepIndex === -1)
|
|
13
|
+
return null;
|
|
14
|
+
return createGrant(permission.slice(0, sepIndex), permission.slice(sepIndex + 1));
|
|
15
|
+
}
|
|
16
|
+
function scopeMatches(required, granted) {
|
|
17
|
+
if (!required || Object.keys(required).length === 0)
|
|
18
|
+
return true;
|
|
19
|
+
if (!granted)
|
|
20
|
+
return false;
|
|
21
|
+
for (const [key, value] of Object.entries(required)) {
|
|
22
|
+
const grantedValue = granted[key];
|
|
23
|
+
if (grantedValue !== "*" && grantedValue !== value) {
|
|
24
|
+
return false;
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
return true;
|
|
28
|
+
}
|
|
29
|
+
function resourceMatches(required, granted) {
|
|
30
|
+
return granted === "*" || granted === required;
|
|
31
|
+
}
|
|
32
|
+
function actionMatches(required, granted) {
|
|
33
|
+
return granted === "*" || granted === required;
|
|
34
|
+
}
|
|
35
|
+
function isGrantExpired(grant) {
|
|
36
|
+
if (grant.expiresAt === undefined)
|
|
37
|
+
return false;
|
|
38
|
+
const expiresAt = Date.parse(grant.expiresAt);
|
|
39
|
+
return Number.isFinite(expiresAt) && expiresAt <= Date.now();
|
|
40
|
+
}
|
|
41
|
+
export function normalizePermissionsToGrants(granted) {
|
|
42
|
+
const grants = [];
|
|
43
|
+
for (const entry of granted) {
|
|
44
|
+
if (typeof entry === "string") {
|
|
45
|
+
const parsed = parsePermission(entry);
|
|
46
|
+
if (parsed)
|
|
47
|
+
grants.push(parsed);
|
|
48
|
+
continue;
|
|
49
|
+
}
|
|
50
|
+
if (isGrantRecord(entry)) {
|
|
51
|
+
grants.push(entry);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
return grants;
|
|
55
|
+
}
|
|
56
|
+
export function serializeGrantsToPermissions(grants) {
|
|
57
|
+
return grants.map((grant) => `${grant.resource}:${grant.action}`);
|
|
58
|
+
}
|
|
59
|
+
export function authorizeGrant(required, granted) {
|
|
60
|
+
const grants = normalizePermissionsToGrants(granted);
|
|
61
|
+
let matchedAllowGrant;
|
|
62
|
+
for (const grant of grants) {
|
|
63
|
+
if (isGrantExpired(grant))
|
|
64
|
+
continue;
|
|
65
|
+
const matches = resourceMatches(required.resource, grant.resource) &&
|
|
66
|
+
actionMatches(required.action, grant.action) &&
|
|
67
|
+
scopeMatches(required.scope, grant.scope);
|
|
68
|
+
if (!matches)
|
|
69
|
+
continue;
|
|
70
|
+
if (grant.effect === "deny") {
|
|
71
|
+
return {
|
|
72
|
+
allowed: false,
|
|
73
|
+
matchedGrant: grant,
|
|
74
|
+
reason: `Grant explicitly denied ${required.resource}:${required.action}`,
|
|
75
|
+
};
|
|
76
|
+
}
|
|
77
|
+
matchedAllowGrant = grant;
|
|
78
|
+
}
|
|
79
|
+
if (matchedAllowGrant) {
|
|
80
|
+
return { allowed: true, matchedGrant: matchedAllowGrant };
|
|
81
|
+
}
|
|
82
|
+
return {
|
|
83
|
+
allowed: false,
|
|
84
|
+
reason: `No grant matched ${required.resource}:${required.action}`,
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
export function checkGrant(required, granted) {
|
|
88
|
+
return authorizeGrant(required, granted).allowed;
|
|
89
|
+
}
|
|
1
90
|
/**
|
|
2
91
|
* Check whether a required permission is satisfied by at least one entry in
|
|
3
|
-
* the
|
|
4
|
-
*
|
|
5
|
-
* Permission strings follow the `resource:action` pattern.
|
|
6
|
-
*
|
|
7
|
-
* Wildcards:
|
|
8
|
-
* - `*:read` — allows `read` on any resource
|
|
9
|
-
* - `ticket:*` — allows any action on `ticket`
|
|
10
|
-
* - `*:*` — full access (superuser)
|
|
11
|
-
*
|
|
12
|
-
* Examples:
|
|
13
|
-
* checkPermission({ resource: "ticket", action: "read" }, ["ticket:read"]) // true
|
|
14
|
-
* checkPermission({ resource: "ticket", action: "write" }, ["*:write"]) // true
|
|
15
|
-
* checkPermission({ resource: "ticket", action: "delete" }, ["ticket:*"]) // true
|
|
16
|
-
* checkPermission({ resource: "ticket", action: "delete" }, ["*:*"]) // true
|
|
92
|
+
* the granted permission / grant set.
|
|
17
93
|
*/
|
|
18
94
|
export function checkPermission(required, granted) {
|
|
19
|
-
|
|
20
|
-
const sepIndex = perm.indexOf(":");
|
|
21
|
-
if (sepIndex === -1)
|
|
22
|
-
continue; // malformed entry, skip
|
|
23
|
-
const grantedResource = perm.slice(0, sepIndex);
|
|
24
|
-
const grantedAction = perm.slice(sepIndex + 1);
|
|
25
|
-
const resourceMatch = grantedResource === "*" || grantedResource === required.resource;
|
|
26
|
-
const actionMatch = grantedAction === "*" || grantedAction === required.action;
|
|
27
|
-
if (resourceMatch && actionMatch)
|
|
28
|
-
return true;
|
|
29
|
-
}
|
|
30
|
-
return false;
|
|
95
|
+
return checkGrant(required, granted);
|
|
31
96
|
}
|
|
32
97
|
/**
|
|
33
98
|
* Derive a `{ resource, action }` pair from an agent capability mode and
|
|
34
99
|
* an optional resource name.
|
|
35
|
-
*
|
|
36
|
-
* Mapping:
|
|
37
|
-
* - `"read"` → `{ resource, action: "read" }`
|
|
38
|
-
* - `"write"` → `{ resource, action: "write" }`
|
|
39
|
-
* - `"external"` → `{ resource: "external", action: "write" }`
|
|
40
|
-
*
|
|
41
|
-
* When `resource` is omitted the wildcard `"*"` is used.
|
|
42
100
|
*/
|
|
43
101
|
export function derivePermission(capability, resource) {
|
|
44
102
|
if (capability === "external") {
|
package/dist/permissions.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAQlD,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,UAAU,IAAI,KAAK;QACnB,QAAQ,IAAI,KAAK;QACjB,OAAQ,KAAiC,CAAC,UAAU,CAAC,KAAK,QAAQ;QAClE,OAAQ,KAAiC,CAAC,QAAQ,CAAC,KAAK,QAAQ,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,YAAY,CACnB,QAA4C,EAC5C,OAA2C;IAE3C,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,YAAY,KAAK,GAAG,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB,EAAE,OAAe;IACxD,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,CAAC;AACjD,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,OAAe;IACtD,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,CAAC;AACjD,CAAC;AAED,SAAS,cAAc,CAAC,KAAgB;IACtC,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAAwC;IAExC,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YACtC,IAAI,MAAM;gBAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,SAAS;QACX,CAAC;QACD,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAA4B;IACvE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,OAAwC;IAExC,MAAM,MAAM,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,iBAAwC,CAAC;IAC7C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,cAAc,CAAC,KAAK,CAAC;YAAE,SAAS;QACpC,MAAM,OAAO,GACX,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC;YAClD,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC;YAC5C,YAAY,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,2BAA2B,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE;aAC1E,CAAC;QACJ,CAAC;QACD,iBAAiB,GAAG,KAAK,CAAC;IAC5B,CAAC;IACD,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAC5D,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,oBAAoB,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE;KACnE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,QAA8B,EAC9B,OAAwC;IAExC,OAAO,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAmE,EACnE,OAAwC;IAExC,OAAO,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAyC,EACzC,QAAiB;IAEjB,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACnD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,IAAI,GAAG;QACzB,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import type { AuthGrant, AuthGrantRequirement } from "./types.js";
|
|
2
|
+
import { type AuthorizationDecision } from "./permissions.js";
|
|
3
|
+
export interface RuntimeGrantScope {
|
|
4
|
+
runId?: string;
|
|
5
|
+
approvalId?: string;
|
|
6
|
+
artifactId?: string;
|
|
7
|
+
taskId?: string;
|
|
8
|
+
summaryId?: string;
|
|
9
|
+
memoryId?: string;
|
|
10
|
+
tool?: string;
|
|
11
|
+
}
|
|
12
|
+
export interface RuntimeGrantAttributes {
|
|
13
|
+
memoryKind?: "session" | "persistent";
|
|
14
|
+
approvalKind?: "tool" | "task";
|
|
15
|
+
}
|
|
16
|
+
export interface RuntimeGrantAuthorizerRequest {
|
|
17
|
+
action: string;
|
|
18
|
+
scope?: RuntimeGrantScope;
|
|
19
|
+
attributes?: RuntimeGrantAttributes;
|
|
20
|
+
}
|
|
21
|
+
export interface RuntimeGrantAuthorizationResult extends AuthorizationDecision {
|
|
22
|
+
matchedRequirement?: AuthGrantRequirement;
|
|
23
|
+
}
|
|
24
|
+
export type RuntimeGrantSupplier = readonly (string | AuthGrant)[] | (() => readonly (string | AuthGrant)[] | Promise<readonly (string | AuthGrant)[]>);
|
|
25
|
+
export declare function deriveRuntimeGrantRequirements(request: RuntimeGrantAuthorizerRequest): AuthGrantRequirement[];
|
|
26
|
+
export declare function authorizeRuntimeAction(request: RuntimeGrantAuthorizerRequest, granted: readonly (string | AuthGrant)[]): RuntimeGrantAuthorizationResult;
|
|
27
|
+
export declare function createRuntimeGrantAuthorizer(supplier: RuntimeGrantSupplier): (request: RuntimeGrantAuthorizerRequest) => Promise<RuntimeGrantAuthorizationResult>;
|
|
28
|
+
//# sourceMappingURL=runtime-authorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtime-authorizer.d.ts","sourceRoot":"","sources":["../src/runtime-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAE9E,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,CAAC,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,UAAU,CAAC,EAAE,sBAAsB,CAAC;CACrC;AAED,MAAM,WAAW,+BAAgC,SAAQ,qBAAqB;IAC5E,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;CAC3C;AAED,MAAM,MAAM,oBAAoB,GAC5B,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAC/B,CAAC,MAAM,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;AA6CvF,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,6BAA6B,GACrC,oBAAoB,EAAE,CAiExB;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,6BAA6B,EACtC,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,+BAA+B,CA+BjC;AAWD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,IAC3D,SAAS,6BAA6B,8CAErD"}
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
import { authorizeGrant } from "./permissions.js";
|
|
2
|
+
function parseRuntimeAction(action) {
|
|
3
|
+
const separator = action.indexOf(":");
|
|
4
|
+
if (separator === -1) {
|
|
5
|
+
return { resource: action, action: "read" };
|
|
6
|
+
}
|
|
7
|
+
return {
|
|
8
|
+
resource: action.slice(0, separator),
|
|
9
|
+
action: action.slice(separator + 1),
|
|
10
|
+
};
|
|
11
|
+
}
|
|
12
|
+
function normalizedScope(scope) {
|
|
13
|
+
if (!scope) {
|
|
14
|
+
return undefined;
|
|
15
|
+
}
|
|
16
|
+
const entries = Object.entries(scope).filter((entry) => typeof entry[1] === "string" && entry[1].trim().length > 0);
|
|
17
|
+
if (entries.length === 0) {
|
|
18
|
+
return undefined;
|
|
19
|
+
}
|
|
20
|
+
return Object.fromEntries(entries);
|
|
21
|
+
}
|
|
22
|
+
function requirement(resource, action, scope) {
|
|
23
|
+
const nextScope = normalizedScope(scope);
|
|
24
|
+
return {
|
|
25
|
+
resource,
|
|
26
|
+
action,
|
|
27
|
+
...(nextScope ? { scope: nextScope } : {}),
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
function runScope(scope) {
|
|
31
|
+
return scope?.runId ? { runId: scope.runId } : undefined;
|
|
32
|
+
}
|
|
33
|
+
export function deriveRuntimeGrantRequirements(request) {
|
|
34
|
+
const parsed = parseRuntimeAction(request.action);
|
|
35
|
+
const scope = request.scope;
|
|
36
|
+
const fallbackRunScope = runScope(scope);
|
|
37
|
+
switch (request.action) {
|
|
38
|
+
case "checkpoint:read":
|
|
39
|
+
return [
|
|
40
|
+
requirement("checkpoint", "read", scope),
|
|
41
|
+
requirement("run", "read", fallbackRunScope),
|
|
42
|
+
];
|
|
43
|
+
case "artifact:read":
|
|
44
|
+
return [
|
|
45
|
+
requirement("artifact", "read", scope),
|
|
46
|
+
requirement("run", "read", fallbackRunScope),
|
|
47
|
+
];
|
|
48
|
+
case "event:read":
|
|
49
|
+
return [
|
|
50
|
+
requirement("event", "read", scope),
|
|
51
|
+
requirement("run", "read", fallbackRunScope),
|
|
52
|
+
];
|
|
53
|
+
case "task:read":
|
|
54
|
+
return [
|
|
55
|
+
requirement("task", "read", scope),
|
|
56
|
+
requirement("run", "read", fallbackRunScope),
|
|
57
|
+
];
|
|
58
|
+
case "context:read":
|
|
59
|
+
return [
|
|
60
|
+
requirement("context", "read", scope),
|
|
61
|
+
requirement("run", "read", fallbackRunScope),
|
|
62
|
+
];
|
|
63
|
+
case "summary:read":
|
|
64
|
+
return [
|
|
65
|
+
requirement("summary", "read", scope),
|
|
66
|
+
requirement("context", "read", fallbackRunScope),
|
|
67
|
+
requirement("run", "read", fallbackRunScope),
|
|
68
|
+
];
|
|
69
|
+
case "memory:read":
|
|
70
|
+
return [
|
|
71
|
+
requirement("memory", "read", scope),
|
|
72
|
+
...(request.attributes?.memoryKind === "session" && fallbackRunScope
|
|
73
|
+
? [
|
|
74
|
+
requirement("context", "read", fallbackRunScope),
|
|
75
|
+
requirement("run", "read", fallbackRunScope),
|
|
76
|
+
]
|
|
77
|
+
: []),
|
|
78
|
+
];
|
|
79
|
+
case "approval:read":
|
|
80
|
+
return [
|
|
81
|
+
requirement("approval", "read", scope),
|
|
82
|
+
requirement("approval", "manage", scope),
|
|
83
|
+
];
|
|
84
|
+
case "approval:approve":
|
|
85
|
+
return [
|
|
86
|
+
requirement("approval", "approve", scope),
|
|
87
|
+
requirement("approval", "manage", scope),
|
|
88
|
+
];
|
|
89
|
+
case "approval:deny":
|
|
90
|
+
return [
|
|
91
|
+
requirement("approval", "deny", scope),
|
|
92
|
+
requirement("approval", "manage", scope),
|
|
93
|
+
];
|
|
94
|
+
default:
|
|
95
|
+
return [requirement(parsed.resource, parsed.action, scope)];
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
export function authorizeRuntimeAction(request, granted) {
|
|
99
|
+
const requirements = deriveRuntimeGrantRequirements(request);
|
|
100
|
+
let denied;
|
|
101
|
+
for (const current of requirements) {
|
|
102
|
+
const decision = authorizeGrant(current, granted);
|
|
103
|
+
if (decision.allowed) {
|
|
104
|
+
return {
|
|
105
|
+
...decision,
|
|
106
|
+
matchedRequirement: current,
|
|
107
|
+
};
|
|
108
|
+
}
|
|
109
|
+
if (decision.matchedGrant?.effect === "deny") {
|
|
110
|
+
denied = {
|
|
111
|
+
...decision,
|
|
112
|
+
matchedRequirement: current,
|
|
113
|
+
};
|
|
114
|
+
break;
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
if (denied) {
|
|
118
|
+
return denied;
|
|
119
|
+
}
|
|
120
|
+
const matchedRequirement = requirements[0];
|
|
121
|
+
return {
|
|
122
|
+
allowed: false,
|
|
123
|
+
reason: `No grant matched ${request.action}`,
|
|
124
|
+
...(matchedRequirement ? { matchedRequirement } : {}),
|
|
125
|
+
};
|
|
126
|
+
}
|
|
127
|
+
async function resolveRuntimeGrants(supplier) {
|
|
128
|
+
if (typeof supplier === "function") {
|
|
129
|
+
return supplier();
|
|
130
|
+
}
|
|
131
|
+
return supplier;
|
|
132
|
+
}
|
|
133
|
+
export function createRuntimeGrantAuthorizer(supplier) {
|
|
134
|
+
return async (request) => authorizeRuntimeAction(request, await resolveRuntimeGrants(supplier));
|
|
135
|
+
}
|
|
136
|
+
//# sourceMappingURL=runtime-authorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtime-authorizer.js","sourceRoot":"","sources":["../src/runtime-authorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAA8B,MAAM,kBAAkB,CAAC;AA+B9E,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC9C,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC;QACpC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,KAAoC;IAEpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,CAC1C,CAAC,KAAK,EAA6B,EAAE,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CACjG,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAClB,QAAgB,EAChB,MAAc,EACd,KAAyB;IAEzB,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACzC,OAAO;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAoC;IACpD,OAAO,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,OAAsC;IAEtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEzC,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,iBAAiB;YACpB,OAAO;gBACL,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE,KAAK,CAAC;gBACxC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,YAAY;YACf,OAAO;gBACL,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC;gBACnC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,WAAW;YACd,OAAO;gBACL,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;gBAClC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC;gBACrC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC;gBACrC,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,gBAAgB,CAAC;gBAChD,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO;gBACL,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC;gBACpC,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,UAAU,KAAK,SAAS,IAAI,gBAAgB;oBAClE,CAAC,CAAC;wBACE,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,gBAAgB,CAAC;wBAChD,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;qBAC7C;oBACH,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ,KAAK,kBAAkB;YACrB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;gBACzC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ;YACE,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAsC,EACtC,OAAwC;IAExC,MAAM,YAAY,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,MAAmD,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO;gBACL,GAAG,QAAQ;gBACX,kBAAkB,EAAE,OAAO;aAC5B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7C,MAAM,GAAG;gBACP,GAAG,QAAQ;gBACX,kBAAkB,EAAE,OAAO;aAC5B,CAAC;YACF,MAAM;QACR,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,oBAAoB,OAAO,CAAC,MAAM,EAAE;QAC5C,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAA8B;IAE9B,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,QAAQ,EAAE,CAAC;IACpB,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,QAA8B;IACzE,OAAO,KAAK,EAAE,OAAsC,EAAE,EAAE,CACtD,sBAAsB,CAAC,OAAO,EAAE,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC1E,CAAC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
import type { AuthGrant } from "./types.js";
|
|
2
|
+
export declare function createGrant(resource: string, action: string, options?: {
|
|
3
|
+
scope?: Record<string, string>;
|
|
4
|
+
expiresAt?: string;
|
|
5
|
+
constraints?: Record<string, unknown>;
|
|
6
|
+
effect?: "allow" | "deny";
|
|
7
|
+
}): AuthGrant;
|
|
8
|
+
export declare function grantRunActions(runId: string, actions?: readonly string[]): AuthGrant[];
|
|
9
|
+
export declare function grantApprovalActions(actions?: readonly string[], options?: {
|
|
10
|
+
approvalId?: string;
|
|
11
|
+
runId?: string;
|
|
12
|
+
tool?: string;
|
|
13
|
+
}): AuthGrant[];
|
|
14
|
+
export declare function grantApprovalCollectionActions(actions?: readonly string[], options?: {
|
|
15
|
+
runId?: string;
|
|
16
|
+
}): AuthGrant[];
|
|
17
|
+
export declare function grantArtifactActions(runId: string, actions?: readonly string[], artifactId?: string): AuthGrant[];
|
|
18
|
+
export declare function grantCheckpointActions(runId: string, actions?: readonly string[]): AuthGrant[];
|
|
19
|
+
export declare function grantRunCollectionActions(actions?: readonly string[]): AuthGrant[];
|
|
20
|
+
export declare function grantEventActions(runId: string, actions?: readonly string[]): AuthGrant[];
|
|
21
|
+
export declare function grantEventCollectionActions(actions?: readonly string[]): AuthGrant[];
|
|
22
|
+
export declare function grantTaskActions(runId: string, actions?: readonly string[], taskId?: string): AuthGrant[];
|
|
23
|
+
export declare function grantSummaryActions(runId: string, actions?: readonly string[], summaryId?: string): AuthGrant[];
|
|
24
|
+
export declare function grantSummaryCollectionActions(actions?: readonly string[]): AuthGrant[];
|
|
25
|
+
export declare function grantMemoryActions(actions?: readonly string[], options?: {
|
|
26
|
+
runId?: string;
|
|
27
|
+
memoryId?: string;
|
|
28
|
+
}): AuthGrant[];
|
|
29
|
+
export declare function grantContextActions(runId: string, actions?: readonly string[]): AuthGrant[];
|
|
30
|
+
export declare function grantRuntimePathsActions(actions?: readonly string[]): AuthGrant[];
|
|
31
|
+
//# sourceMappingURL=runtime-grants.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtime-grants.d.ts","sourceRoot":"","sources":["../src/runtime-grants.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,wBAAgB,WAAW,CACzB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;CAC3B,GACA,SAAS,CAOX;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAA0C,GACjE,SAAS,EAAE,CAMb;AAED,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,SAAS,MAAM,EAA0C,EAClE,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,GACA,SAAS,EAAE,CAUb;AAED,wBAAgB,8BAA8B,CAC5C,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GACA,SAAS,EAAE,CAMb;AAED,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,UAAU,CAAC,EAAE,MAAM,GAClB,SAAS,EAAE,CAQb;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,SAAS,MAAM,EAAsB,GAC7C,SAAS,EAAE,CAEb;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,2BAA2B,CACzC,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,MAAM,CAAC,EAAE,MAAM,GACd,SAAS,EAAE,CAQb;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,SAAS,CAAC,EAAE,MAAM,GACjB,SAAS,EAAE,CAQb;AAED,wBAAgB,6BAA6B,CAC3C,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb;AAED,wBAAgB,kBAAkB,CAChC,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,SAAS,EAAE,CASb;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb"}
|
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
export function createGrant(resource, action, options) {
|
|
2
|
+
const grant = { resource, action };
|
|
3
|
+
if (options?.scope !== undefined)
|
|
4
|
+
grant.scope = options.scope;
|
|
5
|
+
if (options?.expiresAt !== undefined)
|
|
6
|
+
grant.expiresAt = options.expiresAt;
|
|
7
|
+
if (options?.constraints !== undefined)
|
|
8
|
+
grant.constraints = options.constraints;
|
|
9
|
+
if (options?.effect !== undefined)
|
|
10
|
+
grant.effect = options.effect;
|
|
11
|
+
return grant;
|
|
12
|
+
}
|
|
13
|
+
export function grantRunActions(runId, actions = ["read", "pause", "cancel", "resume"]) {
|
|
14
|
+
return actions.map((action) => createGrant("run", action, {
|
|
15
|
+
scope: { runId },
|
|
16
|
+
}));
|
|
17
|
+
}
|
|
18
|
+
export function grantApprovalActions(actions = ["read", "approve", "deny", "manage"], options) {
|
|
19
|
+
const scope = {};
|
|
20
|
+
if (options?.approvalId !== undefined)
|
|
21
|
+
scope.approvalId = options.approvalId;
|
|
22
|
+
if (options?.runId !== undefined)
|
|
23
|
+
scope.runId = options.runId;
|
|
24
|
+
if (options?.tool !== undefined)
|
|
25
|
+
scope.tool = options.tool;
|
|
26
|
+
return actions.map((action) => createGrant("approval", action, {
|
|
27
|
+
...(Object.keys(scope).length > 0 ? { scope } : {}),
|
|
28
|
+
}));
|
|
29
|
+
}
|
|
30
|
+
export function grantApprovalCollectionActions(actions = ["list"], options) {
|
|
31
|
+
return actions.map((action) => createGrant("approval", action, {
|
|
32
|
+
...(options?.runId ? { scope: { runId: options.runId } } : {}),
|
|
33
|
+
}));
|
|
34
|
+
}
|
|
35
|
+
export function grantArtifactActions(runId, actions = ["read"], artifactId) {
|
|
36
|
+
const scope = { runId };
|
|
37
|
+
if (artifactId !== undefined)
|
|
38
|
+
scope.artifactId = artifactId;
|
|
39
|
+
return actions.map((action) => createGrant("artifact", action, {
|
|
40
|
+
scope,
|
|
41
|
+
}));
|
|
42
|
+
}
|
|
43
|
+
export function grantCheckpointActions(runId, actions = ["read"]) {
|
|
44
|
+
return actions.map((action) => createGrant("checkpoint", action, {
|
|
45
|
+
scope: { runId },
|
|
46
|
+
}));
|
|
47
|
+
}
|
|
48
|
+
export function grantRunCollectionActions(actions = ["start", "list"]) {
|
|
49
|
+
return actions.map((action) => createGrant("run", action));
|
|
50
|
+
}
|
|
51
|
+
export function grantEventActions(runId, actions = ["read"]) {
|
|
52
|
+
return actions.map((action) => createGrant("event", action, {
|
|
53
|
+
scope: { runId },
|
|
54
|
+
}));
|
|
55
|
+
}
|
|
56
|
+
export function grantEventCollectionActions(actions = ["list"]) {
|
|
57
|
+
return actions.map((action) => createGrant("event", action));
|
|
58
|
+
}
|
|
59
|
+
export function grantTaskActions(runId, actions = ["read"], taskId) {
|
|
60
|
+
const scope = { runId };
|
|
61
|
+
if (taskId !== undefined)
|
|
62
|
+
scope.taskId = taskId;
|
|
63
|
+
return actions.map((action) => createGrant("task", action, {
|
|
64
|
+
scope,
|
|
65
|
+
}));
|
|
66
|
+
}
|
|
67
|
+
export function grantSummaryActions(runId, actions = ["read"], summaryId) {
|
|
68
|
+
const scope = { runId };
|
|
69
|
+
if (summaryId !== undefined)
|
|
70
|
+
scope.summaryId = summaryId;
|
|
71
|
+
return actions.map((action) => createGrant("summary", action, {
|
|
72
|
+
scope,
|
|
73
|
+
}));
|
|
74
|
+
}
|
|
75
|
+
export function grantSummaryCollectionActions(actions = ["list"]) {
|
|
76
|
+
return actions.map((action) => createGrant("summary", action));
|
|
77
|
+
}
|
|
78
|
+
export function grantMemoryActions(actions = ["read"], options) {
|
|
79
|
+
const scope = {};
|
|
80
|
+
if (options?.runId !== undefined)
|
|
81
|
+
scope.runId = options.runId;
|
|
82
|
+
if (options?.memoryId !== undefined)
|
|
83
|
+
scope.memoryId = options.memoryId;
|
|
84
|
+
return actions.map((action) => createGrant("memory", action, {
|
|
85
|
+
...(Object.keys(scope).length > 0 ? { scope } : {}),
|
|
86
|
+
}));
|
|
87
|
+
}
|
|
88
|
+
export function grantContextActions(runId, actions = ["read"]) {
|
|
89
|
+
return actions.map((action) => createGrant("context", action, {
|
|
90
|
+
scope: { runId },
|
|
91
|
+
}));
|
|
92
|
+
}
|
|
93
|
+
export function grantRuntimePathsActions(actions = ["read"]) {
|
|
94
|
+
return actions.map((action) => createGrant("runtime_paths", action));
|
|
95
|
+
}
|
|
96
|
+
//# sourceMappingURL=runtime-grants.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtime-grants.js","sourceRoot":"","sources":["../src/runtime-grants.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,WAAW,CACzB,QAAgB,EAChB,MAAc,EACd,OAKC;IAED,MAAM,KAAK,GAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC9C,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,SAAS,KAAK,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAC1E,IAAI,OAAO,EAAE,WAAW,KAAK,SAAS;QAAE,KAAK,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAChF,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACjE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,UAA6B,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC;IAElE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE;QACzB,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,UAA6B,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAClE,OAIC;IAED,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,IAAI,OAAO,EAAE,UAAU,KAAK,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAC7E,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,UAA6B,CAAC,MAAM,CAAC,EACrC,OAEC;IAED,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,UAAmB;IAEnB,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,UAAU,KAAK,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC;IAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE;QAChC,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,UAA6B,CAAC,OAAO,EAAE,MAAM,CAAC;IAE9C,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE;QAC3B,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,MAAe;IAEf,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE;QAC1B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,SAAkB;IAElB,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,SAAS,KAAK,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;IACzD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE;QAC7B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,UAA6B,CAAC,MAAM,CAAC,EACrC,OAGC;IAED,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,KAAK,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACvE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE;QAC5B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE;QAC7B,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC"}
|
package/dist/session.d.ts
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
|
-
import type { SessionPayload } from "./types.js";
|
|
1
|
+
import type { SessionPayload, SessionSigningOptions, SessionVerificationOptions } from "./types.js";
|
|
2
2
|
/**
|
|
3
3
|
* Create a signed JWT containing the given session data.
|
|
4
4
|
*
|
|
5
5
|
* `maxAge` defaults to `"7d"` (7 days) when omitted.
|
|
6
6
|
*/
|
|
7
|
-
export declare function signSession(payload: Omit<SessionPayload, "iat" | "exp">, secret: string,
|
|
7
|
+
export declare function signSession(payload: Omit<SessionPayload, "iat" | "exp">, secret: string, maxAgeOrOptions?: string | SessionSigningOptions): string;
|
|
8
8
|
/**
|
|
9
9
|
* Verify a JWT's HMAC-SHA256 signature and expiration.
|
|
10
10
|
*
|
|
11
11
|
* Returns the decoded payload on success, or `null` when the token is
|
|
12
12
|
* invalid, tampered with, or expired.
|
|
13
13
|
*/
|
|
14
|
-
export declare function verifySession(token: string, secret: string): SessionPayload | null;
|
|
14
|
+
export declare function verifySession(token: string, secret: string, options?: SessionVerificationOptions): SessionPayload | null;
|
|
15
15
|
//# sourceMappingURL=session.d.ts.map
|
package/dist/session.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,cAAc,EACd,qBAAqB,EACrB,0BAA0B,EAC3B,MAAM,YAAY,CAAC;AA+DpB;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,KAAK,CAAC,EAC5C,MAAM,EAAE,MAAM,EACd,eAAe,CAAC,EAAE,MAAM,GAAG,qBAAqB,GAC/C,MAAM,CAiBR;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,0BAA0B,GACnC,cAAc,GAAG,IAAI,CA0CvB"}
|
package/dist/session.js
CHANGED
|
@@ -48,11 +48,16 @@ function sign(payload, secret) {
|
|
|
48
48
|
*
|
|
49
49
|
* `maxAge` defaults to `"7d"` (7 days) when omitted.
|
|
50
50
|
*/
|
|
51
|
-
export function signSession(payload, secret,
|
|
51
|
+
export function signSession(payload, secret, maxAgeOrOptions) {
|
|
52
52
|
const nowSeconds = Math.floor(Date.now() / 1000);
|
|
53
|
-
const
|
|
53
|
+
const options = typeof maxAgeOrOptions === "string"
|
|
54
|
+
? { maxAge: maxAgeOrOptions }
|
|
55
|
+
: (maxAgeOrOptions ?? {});
|
|
56
|
+
const ttl = parseDuration(options.maxAge ?? "7d");
|
|
54
57
|
const full = {
|
|
55
58
|
...payload,
|
|
59
|
+
...(options.issuer !== undefined ? { iss: options.issuer } : {}),
|
|
60
|
+
...(options.audience !== undefined ? { aud: options.audience } : {}),
|
|
56
61
|
iat: nowSeconds,
|
|
57
62
|
exp: nowSeconds + ttl,
|
|
58
63
|
};
|
|
@@ -64,7 +69,7 @@ export function signSession(payload, secret, maxAge) {
|
|
|
64
69
|
* Returns the decoded payload on success, or `null` when the token is
|
|
65
70
|
* invalid, tampered with, or expired.
|
|
66
71
|
*/
|
|
67
|
-
export function verifySession(token, secret) {
|
|
72
|
+
export function verifySession(token, secret, options) {
|
|
68
73
|
const parts = token.split(".");
|
|
69
74
|
if (parts.length !== 3)
|
|
70
75
|
return null;
|
|
@@ -86,6 +91,19 @@ export function verifySession(token, secret) {
|
|
|
86
91
|
const now = Math.floor(Date.now() / 1000);
|
|
87
92
|
if (typeof payload.exp !== "number" || payload.exp <= now)
|
|
88
93
|
return null;
|
|
94
|
+
if (options?.issuer !== undefined && payload.iss !== options.issuer) {
|
|
95
|
+
return null;
|
|
96
|
+
}
|
|
97
|
+
if (options?.audience !== undefined) {
|
|
98
|
+
const audiences = Array.isArray(payload.aud)
|
|
99
|
+
? payload.aud
|
|
100
|
+
: payload.aud !== undefined
|
|
101
|
+
? [payload.aud]
|
|
102
|
+
: [];
|
|
103
|
+
if (!audiences.includes(options.audience)) {
|
|
104
|
+
return null;
|
|
105
|
+
}
|
|
106
|
+
}
|
|
89
107
|
return payload;
|
|
90
108
|
}
|
|
91
109
|
catch {
|