npm - agent-tool-forge - Versions diffs - 0.4.5 → 0.4.6 - Mend

agent-tool-forge 0.4.5 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/auth.d.ts CHANGED Viewed

@@ -6,9 +6,11 @@ export interface AuthResult {
 }
 export interface AuthConfig {
-  mode?: 'trust' | 'verify';
+  mode?: 'trust' | 'verify' | 'none';
   signingKey?: string;
   claimsPath?: string;
+  adminToken?: string | null;
+  metricsToken?: string | null;
 }
 export interface Authenticator {
@@ -22,4 +24,9 @@ export interface AdminAuthResult {
   error: string | null;
 }
-export function authenticateAdmin(req: object, adminKey: string): AdminAuthResult;
+export function authenticateAdmin(req: object, adminKey: string | null): AdminAuthResult;
+export function resolveSecret(
+  value: string | null | undefined,
+  env?: Record<string, string>
+): string | null;

package/lib/auth.js CHANGED Viewed

@@ -130,6 +130,21 @@ export function authenticateAdmin(req, adminKey) {
   return { authenticated: true, error: null };
 }
+/**
+ * Resolve a secret value, expanding ${VAR} references against the given env object.
+ * @param {string|null|undefined} value
+ * @param {Record<string, string>} [env]
+ * @returns {string|null}
+ */
+export function resolveSecret(value, env = {}) {
+  if (typeof value !== 'string' || !value) return null;
+  const e = env ?? {};
+  if (value.startsWith('${') && value.endsWith('}')) {
+    return e[value.slice(2, -1)] ?? null;
+  }
+  return value;
+}
 // ── Helpers ──────────────────────────────────────────────────────────────────
 function base64UrlDecode(str) {

package/lib/config-schema.js CHANGED Viewed

@@ -6,7 +6,7 @@
  */
 export const CONFIG_DEFAULTS = {
-  auth: { mode: 'trust', signingKey: null, claimsPath: 'sub' },
+  auth: { mode: 'trust', signingKey: null, claimsPath: 'sub', adminToken: null, metricsToken: null },
   defaultModel: 'claude-sonnet-4-6',
   defaultHitlLevel: 'cautious',
   allowUserModelSelect: false,
@@ -47,7 +47,7 @@ export const CONFIG_DEFAULTS = {
   }
 };
-const VALID_AUTH_MODES = ['verify', 'trust'];
+const VALID_AUTH_MODES = ['verify', 'trust', 'none'];
 const VALID_HITL_LEVELS = ['autonomous', 'cautious', 'standard', 'paranoid'];
 const VALID_STORE_TYPES = ['sqlite', 'redis', 'postgres'];
 const VALID_DB_TYPES = ['sqlite', 'postgres'];

package/lib/forge-service.js CHANGED Viewed

@@ -28,7 +28,7 @@ import { getDb } from './db.js';
 import { createMcpServer } from './mcp-server.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { mergeDefaults } from './config-schema.js';
-import { createAuth } from './auth.js';
+import { createAuth, resolveSecret, authenticateAdmin } from './auth.js';
 import { makePromptStore } from './prompt-store.js';
 import { makePreferenceStore } from './preference-store.js';
 import { makeConversationStore } from './conversation-store.js';
@@ -200,6 +200,53 @@ function serveWidgetFile(req, res, widgetDir, errorFn) {
   }
 }
+/**
+ * Determine the auth tier for a given request path.
+ * 0 = open, 1 = app (JWT), 2 = admin (Bearer token), 3 = scrape (metrics token)
+ * @param {string} path — normalized sidecarPath
+ * @returns {0|1|2|3}
+ */
+function getRouteTier(path) {
+  if (path === '/health') return 0;
+  if (path.startsWith('/forge-admin/') || path.startsWith('/agent-api/evals/')) return 2;
+  if (path === '/metrics') return 3;
+  return 1; // widget, mcp, agent-api/* → app tier
+}
+/**
+ * Apply tier-based auth to a request.
+ * @param {import('http').IncomingMessage} req
+ * @param {object} ctx — sidecar context
+ * @param {0|1|2|3} tier
+ * @returns {{ ok: boolean, status?: number, error?: string, userId?: string, claims?: object }}
+ */
+function applyRouteAuth(req, ctx, tier) {
+  const { config, env, auth } = ctx;
+  if (config?.auth?.mode === 'none') return { ok: true };
+  if (tier === 0) return { ok: true };
+  if (tier === 2) {
+    const token = resolveSecret(config?.auth?.adminToken, env)
+               ?? resolveSecret(config?.adminKey, env);
+    if (!token) return { ok: false, status: 503, error: 'Admin credentials not configured' };
+    const r = authenticateAdmin(req, token);
+    return r.authenticated ? { ok: true } : { ok: false, status: 401, error: r.error };
+  }
+  if (tier === 3) {
+    const token = resolveSecret(config?.auth?.metricsToken, env);
+    if (!token) return { ok: true }; // open when metricsToken not set
+    const r = authenticateAdmin(req, token);
+    return r.authenticated ? { ok: true } : { ok: false, status: 401, error: r.error };
+  }
+  // tier 1 — JWT
+  const r = auth.authenticate(req);
+  return r.authenticated
+    ? { ok: true, userId: r.userId, claims: r.claims }
+    : { ok: false, status: 401, error: r.error };
+}
 /**
  * Create an HTTP request handler for all sidecar routes.
  *
@@ -219,23 +266,31 @@ export function createSidecarRouter(ctx, options = {}) {
   return async (req, res) => {
     const url = new URL(req.url, 'http://localhost');
+    // ── Normalise /agent-api/v1/* → /agent-api/* ──────────────────────────
+    const sidecarPath = url.pathname.startsWith('/agent-api/v1/')
+      ? '/agent-api/' + url.pathname.slice('/agent-api/v1/'.length)
+      : url.pathname;
+    // ── Auth gate ──────────────────────────────────────────────────────────
+    const tier = getRouteTier(sidecarPath);
+    const authCheck = applyRouteAuth(req, ctx, tier);
+    if (!authCheck.ok) {
+      if (authCheck.status === 401) res.setHeader('WWW-Authenticate', 'Bearer');
+      return sendJson(res, authCheck.status, { error: authCheck.error });
+    }
     // ── /mcp route (optional) ──────────────────────────────────────────────
-    if (mcpHandler && url.pathname.startsWith('/mcp')) {
+    if (mcpHandler && sidecarPath.startsWith('/mcp')) {
       return mcpHandler(req, res);
     }
     // ── /health ────────────────────────────────────────────────────────────
-    if (req.method === 'GET' && url.pathname === '/health') {
+    if (req.method === 'GET' && sidecarPath === '/health') {
       sendJson(res, 200, { status: 'ok' });
       return;
     }
     // ── Sidecar API routes ─────────────────────────────────────────────────
-    // Normalise /agent-api/v1/* → /agent-api/* so versioned paths hit
-    // the same handlers without a proxy rewrite rule.
-    const sidecarPath = url.pathname.startsWith('/agent-api/v1/')
-      ? '/agent-api/' + url.pathname.slice('/agent-api/v1/'.length)
-      : url.pathname;
     if (sidecarPath === '/agent-api/chat' && req.method === 'POST') {
       return handleChat(req, res, ctx);

package/lib/handlers/admin.js CHANGED Viewed

@@ -4,13 +4,12 @@
  * PUT /forge-admin/config/:section — update a config section
  * GET /forge-admin/config          — read current effective config
  *
- * Protected by adminKey (Bearer token).
+ * Protected by router-level admin auth (tier 2 — see forge-service.js).
  * Runtime overlay: in-memory Map merged on top of file config.
  * NOT written back to forge.config.json.
  */
 import { readFileSync, writeFileSync, renameSync } from 'fs';
-import { authenticateAdmin } from '../auth.js';
 import { readBody, sendJson } from '../http-utils.js';
 const VALID_SECTIONS = ['model', 'hitl', 'permissions', 'conversation'];
@@ -24,18 +23,6 @@ const runtimeOverlay = new Map();
 export async function handleAdminConfig(req, res, ctx) {
   const url = new URL(req.url, 'http://localhost');
-  // Admin auth
-  const adminKey = ctx.config.adminKey;
-  if (!adminKey) {
-    sendJson(res, 503, { error: 'No adminKey configured' });
-    return;
-  }
-  const authResult = authenticateAdmin(req, adminKey);
-  if (!authResult.authenticated) {
-    sendJson(res, 403, { error: authResult.error ?? 'Forbidden' });
-    return;
-  }
   if (req.method === 'GET') {
     return handleAdminConfigGet(req, res, ctx);
   }

package/lib/handlers/agents.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Admin Agent API — CRUD for multi-agent registry.
  *
- * All routes require adminKey (Bearer token).
+ * All routes protected by router-level admin auth (tier 2 — see forge-service.js).
  *
  * Routes:
  *   GET    /forge-admin/agents              — list all agents
@@ -12,7 +12,6 @@
  *   POST   /forge-admin/agents/:agentId/set-default — set default
  */
-import { authenticateAdmin } from '../auth.js';
 import { readBody, sendJson } from '../http-utils.js';
 const AGENT_ID_RE = /^[a-z0-9_-]{1,64}$/;
@@ -24,20 +23,7 @@ const VALID_HITL_LEVELS = new Set(['autonomous', 'cautious', 'standard', 'parano
  * @param {object} ctx — { config, agentRegistry }
  */
 export async function handleAgents(req, res, ctx) {
-  const { config, agentRegistry } = ctx;
-  // Admin auth
-  const adminKey = config.adminKey;
-  if (!adminKey) {
-    sendJson(res, 503, { error: 'No adminKey configured' });
-    return;
-  }
-  const authResult = authenticateAdmin(req, adminKey);
-  if (!authResult.authenticated) {
-    res.setHeader('WWW-Authenticate', 'Bearer');
-    sendJson(res, 401, { error: 'Unauthorized' });
-    return;
-  }
+  const { agentRegistry } = ctx;
   if (!agentRegistry) {
     sendJson(res, 501, { error: 'Agent registry not initialized' });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-tool-forge",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "description": "Production LLM agent sidecar + Claude Code skill library for building, testing, and running tool-calling agents.",
   "keywords": [
     "llm",