agentlock-shared 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/__tests__/billing.test.d.ts +2 -0
- package/dist/__tests__/billing.test.d.ts.map +1 -0
- package/dist/__tests__/billing.test.js +31 -0
- package/dist/__tests__/billing.test.js.map +1 -0
- package/dist/__tests__/dns-pinning.test.d.ts +2 -0
- package/dist/__tests__/dns-pinning.test.d.ts.map +1 -0
- package/dist/__tests__/dns-pinning.test.js +33 -0
- package/dist/__tests__/dns-pinning.test.js.map +1 -0
- package/dist/__tests__/llm-classifier-cache-store.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier-cache-store.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier-cache-store.test.js +65 -0
- package/dist/__tests__/llm-classifier-cache-store.test.js.map +1 -0
- package/dist/__tests__/llm-classifier-cache.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier-cache.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier-cache.test.js +44 -0
- package/dist/__tests__/llm-classifier-cache.test.js.map +1 -0
- package/dist/__tests__/llm-classifier.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier.test.js +167 -0
- package/dist/__tests__/llm-classifier.test.js.map +1 -0
- package/dist/__tests__/plans-classifier-limits.test.d.ts +2 -0
- package/dist/__tests__/plans-classifier-limits.test.d.ts.map +1 -0
- package/dist/__tests__/plans-classifier-limits.test.js +22 -0
- package/dist/__tests__/plans-classifier-limits.test.js.map +1 -0
- package/dist/__tests__/policy-category-floor.test.d.ts +2 -0
- package/dist/__tests__/policy-category-floor.test.d.ts.map +1 -0
- package/dist/__tests__/policy-category-floor.test.js +46 -0
- package/dist/__tests__/policy-category-floor.test.js.map +1 -0
- package/dist/__tests__/policy-claude-bash.test.d.ts +2 -0
- package/dist/__tests__/policy-claude-bash.test.d.ts.map +1 -0
- package/dist/__tests__/policy-claude-bash.test.js +401 -0
- package/dist/__tests__/policy-claude-bash.test.js.map +1 -0
- package/dist/__tests__/policy-llm-floor.test.d.ts +2 -0
- package/dist/__tests__/policy-llm-floor.test.d.ts.map +1 -0
- package/dist/__tests__/policy-llm-floor.test.js +107 -0
- package/dist/__tests__/policy-llm-floor.test.js.map +1 -0
- package/dist/__tests__/policy-ssh-e2e.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh-e2e.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh-e2e.test.js +89 -0
- package/dist/__tests__/policy-ssh-e2e.test.js.map +1 -0
- package/dist/__tests__/policy-ssh-sessions.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh-sessions.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh-sessions.test.js +139 -0
- package/dist/__tests__/policy-ssh-sessions.test.js.map +1 -0
- package/dist/__tests__/policy-ssh.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh.test.js +180 -0
- package/dist/__tests__/policy-ssh.test.js.map +1 -0
- package/dist/__tests__/policy.test.js +400 -2
- package/dist/__tests__/policy.test.js.map +1 -1
- package/dist/__tests__/redact.test.js +76 -0
- package/dist/__tests__/redact.test.js.map +1 -1
- package/dist/__tests__/signing.test.js +89 -0
- package/dist/__tests__/signing.test.js.map +1 -1
- package/dist/__tests__/ssh-fingerprint.test.d.ts +2 -0
- package/dist/__tests__/ssh-fingerprint.test.d.ts.map +1 -0
- package/dist/__tests__/ssh-fingerprint.test.js +19 -0
- package/dist/__tests__/ssh-fingerprint.test.js.map +1 -0
- package/dist/__tests__/vpn-route.test.d.ts +2 -0
- package/dist/__tests__/vpn-route.test.d.ts.map +1 -0
- package/dist/__tests__/vpn-route.test.js +72 -0
- package/dist/__tests__/vpn-route.test.js.map +1 -0
- package/dist/__tests__/wireguard.test.d.ts +2 -0
- package/dist/__tests__/wireguard.test.d.ts.map +1 -0
- package/dist/__tests__/wireguard.test.js +114 -0
- package/dist/__tests__/wireguard.test.js.map +1 -0
- package/dist/billing.d.ts +12 -0
- package/dist/billing.d.ts.map +1 -0
- package/dist/billing.js +41 -0
- package/dist/billing.js.map +1 -0
- package/dist/crypto.d.ts +5 -0
- package/dist/crypto.d.ts.map +1 -1
- package/dist/crypto.js +80 -23
- package/dist/crypto.js.map +1 -1
- package/dist/dns-pinning.d.ts +28 -0
- package/dist/dns-pinning.d.ts.map +1 -0
- package/dist/dns-pinning.js +113 -0
- package/dist/dns-pinning.js.map +1 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -0
- package/dist/index.js.map +1 -1
- package/dist/llm-classifier-cache-store.d.ts +49 -0
- package/dist/llm-classifier-cache-store.d.ts.map +1 -0
- package/dist/llm-classifier-cache-store.js +63 -0
- package/dist/llm-classifier-cache-store.js.map +1 -0
- package/dist/llm-classifier-cache.d.ts +6 -0
- package/dist/llm-classifier-cache.d.ts.map +1 -0
- package/dist/llm-classifier-cache.js +52 -0
- package/dist/llm-classifier-cache.js.map +1 -0
- package/dist/llm-classifier.d.ts +29 -0
- package/dist/llm-classifier.d.ts.map +1 -0
- package/dist/llm-classifier.js +191 -0
- package/dist/llm-classifier.js.map +1 -0
- package/dist/observability.d.ts +36 -0
- package/dist/observability.d.ts.map +1 -0
- package/dist/observability.js +75 -0
- package/dist/observability.js.map +1 -0
- package/dist/plans.d.ts +17 -0
- package/dist/plans.d.ts.map +1 -1
- package/dist/plans.js +36 -14
- package/dist/plans.js.map +1 -1
- package/dist/policy.d.ts +173 -3
- package/dist/policy.d.ts.map +1 -1
- package/dist/policy.js +910 -42
- package/dist/policy.js.map +1 -1
- package/dist/redact.d.ts.map +1 -1
- package/dist/redact.js +83 -3
- package/dist/redact.js.map +1 -1
- package/dist/regex-safety.d.ts +21 -0
- package/dist/regex-safety.d.ts.map +1 -0
- package/dist/regex-safety.js +49 -0
- package/dist/regex-safety.js.map +1 -0
- package/dist/sanitize.d.ts +31 -0
- package/dist/sanitize.d.ts.map +1 -0
- package/dist/sanitize.js +54 -0
- package/dist/sanitize.js.map +1 -0
- package/dist/schemas.d.ts +202 -10
- package/dist/schemas.d.ts.map +1 -1
- package/dist/schemas.js +91 -1
- package/dist/schemas.js.map +1 -1
- package/dist/signing.d.ts +15 -0
- package/dist/signing.d.ts.map +1 -1
- package/dist/signing.js +53 -4
- package/dist/signing.js.map +1 -1
- package/dist/ssh-fingerprint.d.ts +10 -0
- package/dist/ssh-fingerprint.d.ts.map +1 -0
- package/dist/ssh-fingerprint.js +52 -0
- package/dist/ssh-fingerprint.js.map +1 -0
- package/dist/ssrf.d.ts +36 -0
- package/dist/ssrf.d.ts.map +1 -0
- package/dist/ssrf.js +140 -0
- package/dist/ssrf.js.map +1 -0
- package/dist/types.d.ts +130 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/wireguard.d.ts +63 -0
- package/dist/wireguard.d.ts.map +1 -0
- package/dist/wireguard.js +226 -0
- package/dist/wireguard.js.map +1 -0
- package/package.json +42 -29
- package/.turbo/turbo-build.log +0 -4
- package/.turbo/turbo-test.log +0 -76
- package/dist/__tests__/content-crypto.test.d.ts +0 -2
- package/dist/__tests__/content-crypto.test.d.ts.map +0 -1
- package/dist/__tests__/content-crypto.test.js +0 -117
- package/dist/__tests__/content-crypto.test.js.map +0 -1
- package/dist/__tests__/signing.test (# Edit conflict 2026-04-01 z3etfmC #).js +0 -51
- package/dist/__tests__/signing.test.js (# Edit conflict 2026-04-01 4rndy9C #).map +0 -1
- package/dist/content-crypto.d.ts +0 -24
- package/dist/content-crypto.d.ts.map +0 -1
- package/dist/content-crypto.js +0 -58
- package/dist/content-crypto.js.map +0 -1
- package/src/__tests__/crypto.test.ts +0 -169
- package/src/__tests__/messaging.test.ts +0 -83
- package/src/__tests__/policy.test.ts +0 -222
- package/src/__tests__/redact.test.ts +0 -41
- package/src/__tests__/signing.test.ts +0 -55
- package/src/crypto.ts +0 -235
- package/src/index.ts +0 -8
- package/src/mcp-catalog.ts +0 -181
- package/src/plans.ts +0 -116
- package/src/policy.ts +0 -216
- package/src/redact.ts +0 -131
- package/src/schemas.ts +0 -121
- package/src/signing.ts +0 -120
- package/src/types.ts +0 -213
- package/test-gateway.mjs +0 -47
- package/tsconfig.json +0 -10
- package/vitest.config.ts +0 -8
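--- a/package/dist/schemas.d.ts
+++ b/package/dist/schemas.d.ts
@@ -53,43 +53,92 @@ export declare const PolicyRulesSchema: z.ZodObject<{
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }, {
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }>, {
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }, {
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }>, "many">;
 http: z.ZodOptional<z.ZodObject<{
 allowedDomains: z.ZodArray<z.ZodString, "many">;
 allowedMethods: z.ZodArray<z.ZodEnum<["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]>, "many">;
 blockList: z.ZodArray<z.ZodString, "many">;
+allowAllDomains: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
 allowedDomains: string[];
-allowedMethods: ("GET" | "
+allowedMethods: ("GET" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "DELETE" | "PATCH")[];
 blockList: string[];
+allowAllDomains?: boolean | undefined;
 }, {
 allowedDomains: string[];
-allowedMethods: ("GET" | "
+allowedMethods: ("GET" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "DELETE" | "PATCH")[];
 blockList: string[];
+allowAllDomains?: boolean | undefined;
+}>>;
+ssh: z.ZodOptional<z.ZodObject<{
+allowedHosts: z.ZodArray<z.ZodString, "many">;
+allowedUsers: z.ZodArray<z.ZodString, "many">;
+commandRules: z.ZodArray<z.ZodObject<{
+pattern: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+decision: z.ZodEnum<["ALLOW", "REQUIRE_APPROVAL", "BLOCK"]>;
+require_two_approvals: z.ZodOptional<z.ZodBoolean>;
+allowed_approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+description: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}, {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}>, "many">;
+defaultDecision: z.ZodDefault<z.ZodEnum<["ALLOW", "REQUIRE_APPROVAL", "BLOCK"]>>;
+}, "strip", z.ZodTypeAny, {
+defaultDecision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+allowedHosts: string[];
+allowedUsers: string[];
+commandRules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+}, {
+allowedHosts: string[];
+allowedUsers: string[];
+commandRules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
 }>>;
 limits: z.ZodOptional<z.ZodObject<{
 maxCostPerAction: z.ZodOptional<z.ZodNumber>;
@@ -101,44 +150,166 @@ export declare const PolicyRulesSchema: z.ZodObject<{
 maxActionsPerHour?: number | undefined;
 maxCostPerAction?: number | undefined;
 }>>;
+allowHighRiskAutoApproval: z.ZodOptional<z.ZodObject<{
+financial: z.ZodOptional<z.ZodBoolean>;
+admin: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+admin?: boolean | undefined;
+financial?: boolean | undefined;
+}, {
+admin?: boolean | undefined;
+financial?: boolean | undefined;
+}>>;
+vpnRoutes: z.ZodOptional<z.ZodArray<z.ZodObject<{
+domainPattern: z.ZodString;
+vpnCredentialId: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+domainPattern: string;
+vpnCredentialId: string;
+}, {
+domainPattern: string;
+vpnCredentialId: string;
+}>, "many">>;
+claudeBash: z.ZodOptional<z.ZodObject<{
+rules: z.ZodArray<z.ZodObject<{
+pattern: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+decision: z.ZodEnum<["ALLOW", "REQUIRE_APPROVAL", "BLOCK"]>;
+description: z.ZodOptional<z.ZodString>;
+require_two_approvals: z.ZodOptional<z.ZodBoolean>;
+allowed_approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}, {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}>, "many">;
+defaultDecision: z.ZodOptional<z.ZodEnum<["ALLOW", "REQUIRE_APPROVAL", "BLOCK"]>>;
+}, "strip", z.ZodTypeAny, {
+rules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
+}, {
+rules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
+}>>;
 }, "strip", z.ZodTypeAny, {
 defaultMode: "allow" | "require_approval" | "block";
 rules: {
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }[];
 http?: {
 allowedDomains: string[];
-allowedMethods: ("GET" | "
+allowedMethods: ("GET" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "DELETE" | "PATCH")[];
 blockList: string[];
+allowAllDomains?: boolean | undefined;
+} | undefined;
+claudeBash?: {
+rules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
+} | undefined;
+ssh?: {
+defaultDecision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+allowedHosts: string[];
+allowedUsers: string[];
+commandRules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
 } | undefined;
+vpnRoutes?: {
+domainPattern: string;
+vpnCredentialId: string;
+}[] | undefined;
 limits?: {
 maxActionsPerHour?: number | undefined;
 maxCostPerAction?: number | undefined;
 } | undefined;
+allowHighRiskAutoApproval?: {
+admin?: boolean | undefined;
+financial?: boolean | undefined;
+} | undefined;
 }, {
 defaultMode: "allow" | "require_approval" | "block";
 rules: {
 decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
 tool?: string | undefined;
 action_type?: "admin" | "read" | "write" | "financial" | undefined;
-domain?: string | undefined;
 require_two_approvals?: boolean | undefined;
 allowed_approvers?: string[] | undefined;
+domain?: string | undefined;
 }[];
 http?: {
 allowedDomains: string[];
-allowedMethods: ("GET" | "
+allowedMethods: ("GET" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "DELETE" | "PATCH")[];
 blockList: string[];
+allowAllDomains?: boolean | undefined;
+} | undefined;
+claudeBash?: {
+rules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
+} | undefined;
+ssh?: {
+allowedHosts: string[];
+allowedUsers: string[];
+commandRules: {
+pattern: string;
+decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
+require_two_approvals?: boolean | undefined;
+allowed_approvers?: string[] | undefined;
+description?: string | undefined;
+}[];
+defaultDecision?: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK" | undefined;
 } | undefined;
+vpnRoutes?: {
+domainPattern: string;
+vpnCredentialId: string;
+}[] | undefined;
 limits?: {
 maxActionsPerHour?: number | undefined;
 maxCostPerAction?: number | undefined;
 } | undefined;
+allowHighRiskAutoApproval?: {
+admin?: boolean | undefined;
+financial?: boolean | undefined;
+} | undefined;
 }>;
 export declare const ApproveRequestSchema: z.ZodObject<{
 action: z.ZodEnum<["approve", "deny"]>;
@@ -186,4 +357,25 @@ export declare const AgentSendMessageSchema: z.ZodObject<{
 thread_id: string;
 metadata?: Record<string, unknown> | undefined;
 }>;
+/**
+* Schema for an agent creating a brand-new thread (Flow A of the gateway
+* messages endpoint). Unlike AgentSendMessageSchema this has an optional
+* `subject` for the thread title and no thread_id.
+*/
+export declare const AgentCreateThreadSchema: z.ZodObject<{
+create_thread: z.ZodLiteral<true>;
+content: z.ZodString;
+subject: z.ZodOptional<z.ZodString>;
+metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+}, "strip", z.ZodTypeAny, {
+content: string;
+create_thread: true;
+metadata?: Record<string, unknown> | undefined;
+subject?: string | undefined;
+}, {
+content: string;
+create_thread: true;
+metadata?: Record<string, unknown> | undefined;
+subject?: string | undefined;
+}>;
 //# sourceMappingURL=schemas.d.ts.map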
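--- a/package/dist/schemas.d.ts.map
+++ b/package/dist/schemas.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,yEA8B1B,CAAC;AAEJ,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EASnC,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAIH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkH5B,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;IAI/B,kEAAkE;;;;;;;;;;;;EAElE,CAAC;AAKH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAQ5B,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAOjC,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;EAQlC,CAAC"}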
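--- a/package/dist/schemas.js
+++ b/package/dist/schemas.js
@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AgentSendMessageSchema = exports.SendMessageSchema = exports.ApproveRequestSchema = exports.PolicyRulesSchema = exports.RegisterAgentSchema = exports.AgentActionRequestSchema = exports.WebhookUrlSchema = void 0;
+exports.AgentCreateThreadSchema = exports.AgentSendMessageSchema = exports.SendMessageSchema = exports.ApproveRequestSchema = exports.PolicyRulesSchema = exports.RegisterAgentSchema = exports.AgentActionRequestSchema = exports.WebhookUrlSchema = void 0;
 const zod_1 = require("zod");
+const regex_safety_js_1 = require("./regex-safety.js");
+const policy_js_1 = require("./policy.js");
 /** Max payload size: 64KB when serialized */
 const MAX_PAYLOAD_SIZE = 65_536;
 /** Maximum length for webhook URLs (standard URL length limit) */
@@ -67,6 +69,29 @@ exports.PolicyRulesSchema = zod_1.z.object({
 allowedDomains: zod_1.z.array(zod_1.z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
 allowedMethods: zod_1.z.array(zod_1.z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'])),
 blockList: zod_1.z.array(zod_1.z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
+allowAllDomains: zod_1.z.boolean().optional(),
+})
+.optional(),
+ssh: zod_1.z
+.object({
+allowedHosts: zod_1.z.array(zod_1.z.string().min(1).max(253)).max(100),
+allowedUsers: zod_1.z.array(zod_1.z.string().min(1).max(64).regex(/^[a-zA-Z0-9_\-.]+$/, 'Invalid SSH username')).max(50),
+commandRules: zod_1.z
+.array(zod_1.z.object({
+pattern: zod_1.z.string().min(1).max(500).refine((p) => !(0, regex_safety_js_1.isLikelyRedos)(p), { message: 'Pattern rejected: looks like it could cause catastrophic regex backtracking (ReDoS). Simplify nested quantifiers or alternations.' }).refine((p) => { try {
+(0, policy_js_1.compileSshPattern)(p);
+return true;
+}
+catch {
+return false;
+} }, { message: 'Invalid pattern (must be a glob like "systemctl restart *" or a valid regex)' }),
+decision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
+require_two_approvals: zod_1.z.boolean().optional(),
+allowed_approvers: zod_1.z.array(zod_1.z.string().uuid()).optional(),
+description: zod_1.z.string().max(200).optional(),
+}))
+.max(200),
+defaultDecision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']).default('REQUIRE_APPROVAL'),
 })
 .optional(),
 limits: zod_1.z
@@ -75,6 +100,60 @@ exports.PolicyRulesSchema = zod_1.z.object({
 maxActionsPerHour: zod_1.z.number().nonnegative().optional(),
 })
 .optional(),
+allowHighRiskAutoApproval: zod_1.z
+.object({
+financial: zod_1.z.boolean().optional(),
+admin: zod_1.z.boolean().optional(),
+})
+.optional(),
+// Domain→VPN routing table. Each entry pins traffic to a specific VPN
+// credential when the tool's target hostname matches `domainPattern`.
+// Patterns may be a literal hostname or `*.<suffix>` for wildcard sub-
+// domain matches. Capped at 50 entries to keep evaluation cheap and to
+// force users toward broad patterns rather than a row per endpoint.
+vpnRoutes: zod_1.z
+.array(zod_1.z.object({
+domainPattern: zod_1.z
+.string()
+.min(1)
+.max(253)
+.regex(/^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z]{2,}$/, 'Invalid domain pattern — use a hostname like "corp.example" or "*.corp.example"'),
+vpnCredentialId: zod_1.z.string().uuid(),
+}))
+.max(50)
+.optional(),
+claudeBash: zod_1.z
+.object({
+rules: zod_1.z
+.array(zod_1.z.object({
+pattern: zod_1.z
+.string()
+.min(1)
+.max(500)
+.refine((p) => !(0, regex_safety_js_1.isLikelyRedos)(p), {
+message: 'Pattern rejected: looks like it could cause catastrophic regex backtracking. Simplify nested quantifiers or alternations.',
+})
+.refine((p) => {
+try {
+(0, policy_js_1.compileClaudeBashPattern)(p);
+return true;
+}
+catch {
+return false;
+}
+}, { message: 'Invalid pattern (use a literal prefix like "grep /home/" or wrap a regex in /.../)' }),
+decision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
+description: zod_1.z.string().max(200).optional(),
+// Per-rule overrides for the surrounding permission.claude_code
+// rule's two-person and approver-allowlist settings. Match the
+// shape on ssh.commandRules so admins learn one set of fields.
+require_two_approvals: zod_1.z.boolean().optional(),
+allowed_approvers: zod_1.z.array(zod_1.z.string().uuid()).optional(),
+}))
+.max(200),
+defaultDecision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']).optional(),
+})
+.optional(),
 });
 exports.ApproveRequestSchema = zod_1.z.object({
 action: zod_1.z.enum(['approve', 'deny']),
@@ -96,4 +175,15 @@ exports.AgentSendMessageSchema = zod_1.z.object({
 thread_id: zod_1.z.string().uuid(),
 metadata: zod_1.z.record(zod_1.z.unknown()).refine((val) => JSON.stringify(val).length <= MAX_METADATA_SIZE, { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }).optional(),
 });
+/**
+* Schema for an agent creating a brand-new thread (Flow A of the gateway
+* messages endpoint). Unlike AgentSendMessageSchema this has an optional
+* `subject` for the thread title and no thread_id.
+*/
+exports.AgentCreateThreadSchema = zod_1.z.object({
+create_thread: zod_1.z.literal(true),
+content: zod_1.z.string().min(1).max(4096),
+subject: zod_1.z.string().max(200).optional(),
+metadata: zod_1.z.record(zod_1.z.unknown()).refine((val) => JSON.stringify(val).length <= MAX_METADATA_SIZE, { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }).optional(),
+});
 //# sourceMappingURL=schemas.js.map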
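Review bot: In the claudeBash block, `defaultDecision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']).optional(),` (new-file line 154) carries no fallback, while the parallel ssh block's `defaultDecision` at line 94 uses `.default('REQUIRE_APPROVAL')`, so a claudeBash policy that omits the field parses to `undefined` and the fail-closed choice is made somewhere in policy.js that a reader of this schema cannot see. If that split is intentional, add a comment above the field such as `// No schema default on purpose: policy.js applies REQUIRE_APPROVAL when unset — keep the two in sync`; otherwise mirror the ssh block with `.default('REQUIRE_APPROVAL')`, noting that this also changes the inferred type emitted in schemas.d.ts. A smaller inconsistency in the same section: `allowedHosts` at line 77 is only length-checked, whereas `allowedDomains` and `blockList` are validated against DOMAIN_RE; that is presumably deliberate if hosts may be IP literals, but a one-line comment saying so would keep the next reader from tightening it. The PolicyRulesSchema object opens before these hunks and the `http` sub-object of the second hunk starts outside it.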
package/dist/schemas.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;
|
|
1
|
+
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,uDAAkD;AAClD,2CAA0E;AAE1E,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEhC,kEAAkE;AAClE,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;;GAIG;AACU,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,EAAE;KACR,GAAG,CAAC,sBAAsB,EAAE,uCAAuC,sBAAsB,cAAc,CAAC;KACxG,MAAM,CACL,CAAC,GAAG,EAAE,EAAE;IACN,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,EACD,EAAE,OAAO,EAAE,uCAAuC,EAAE,CACrD;KACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE;IACN,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QACjC,MAAM,eAAe,GAAG;YACtB,QAAQ,EAAE,OAAO,EAAE,4BAA4B;YAC/C,aAAa,EAAE,aAAa,EAAE,MAAM;YACpC,cAAc,EAAE,WAAW,EAAE,cAAc;SAC5C,CAAC;QACF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,EACD,EAAE,OAAO,EAAE,yDAAyD,EAAE,CACvE,CAAC;AAES,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC5D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,qBAAqB,EAAE,0EAA0E,CAAC;IACzI,OAAO,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACnC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,gBAAgB,EACvD,EAAE,OAAO,EAAE,mCAAmC,gBAAgB,QAAQ,EAAE,CACzE;IACD,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC/C,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IACnF,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAC9B,aAAa,EAAE,OAAC,CAAC,K
AAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/C,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,kEAAkE,CAAC;AAExE,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;IAC3D,KAAK,EAAE,OAAC,CAAC,KAAK,CACZ,OAAC,CAAC,MAAM,CAAC;QACP,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvE,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,qBAAqB,EAAE,0EAA0E,CAAC,CAAC,QAAQ,EAAE;QAC7I,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC,QAAQ,EAAE;QACvE,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;QACxD,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC7C,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;KACzD,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAC9F,CAAC,GAAG,CAAC,GAAG,CAAC;IACV,IAAI,EAAE,OAAC;SACJ,MAAM,CAAC;QACN,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC7F,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;QAC7F,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC;QACxF,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KACxC,CAAC;SACD,QAAQ,EAAE;IACb,GAAG,EAAE,OAAC;SACH,MAAM,CAAC;QACN,YAAY,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;QAC1D,YAAY,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,EAAE,sBAAsB,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5G,YAAY,EAAE,OAAC;aACZ,KAAK,CACJ,OAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,M
AAM,CACxC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,+BAAa,EAAC,CAAC,CAAC,EACxB,EAAE,OAAO,EAAE,mIAAmI,EAAE,CACjJ,CAAC,MAAM,CACN,CAAC,CAAC,EAAE,EAAE,GAAG,IAAI,CAAC;gBAAC,IAAA,6BAAiB,EAAC,CAAC,CAAC,CAAC;gBAAC,OAAO,IAAI,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,KAAK,CAAC;YAAC,CAAC,CAAC,CAAC,EAC7E,EAAE,OAAO,EAAE,8EAA8E,EAAE,CAC5F;YACD,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;YACxD,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;YAC7C,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;YACxD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;SAC5C,CAAC,CACH;aACA,GAAG,CAAC,GAAG,CAAC;QACX,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC;KAC5F,CAAC;SACD,QAAQ,EAAE;IACb,MAAM,EAAE,OAAC;SACN,MAAM,CAAC;QACN,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;QACrD,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;KACvD,CAAC;SACD,QAAQ,EAAE;IACb,yBAAyB,EAAE,OAAC;SACzB,MAAM,CAAC;QACN,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QACjC,KAAK,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC9B,CAAC;SACD,QAAQ,EAAE;IACb,sEAAsE;IACtE,sEAAsE;IACtE,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,SAAS,EAAE,OAAC;SACT,KAAK,CACJ,OAAC,CAAC,MAAM,CAAC;QACP,aAAa,EAAE,OAAC;aACb,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,GAAG,CAAC,GAAG,CAAC;aACR,KAAK,CACJ,kEAAkE,EAClE,iFAAiF,CAClF;QACH,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;KACnC,CAAC,CACH;SACA,GAAG,CAAC,EAAE,CAAC;SACP,QAAQ,EAAE;IACb,UAAU,EAAE,OAAC;SACV,MAAM,CAAC;QACN,KAAK,EAAE,OAAC;aACL,KAAK,CACJ,OAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,OAAC;iBACP,MAAM,EAAE;iBACR,GAAG,CAAC,CAAC,CAAC;iBACN,GAAG,CAAC,GAAG,CAAC;iBACR,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,+BAAa,EAAC,CAAC,CAAC,EAAE;gBAChC,OAAO,EACL,2HAA2H;aAC9H,CAAC;iBACD,MAAM,CACL,CAAC,CAAC,EAAE,EAAE;gBACJ,IAAI,CAAC;oBACH,IAAA,oCAAwB,EAAC,CAAC,CAAC,CAAC;oBAC5B,OAAO,IAAI,CAAC;gBACd,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC,EACD,EAAE,OAAO,EAAE,oFAAoF,
EAAE,CAClG;YACH,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;YACxD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;YAC3C,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;YAC7C,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;SACzD,CAAC,CACH;aACA,GAAG,CAAC,GAAG,CAAC;QACX,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;KAC3E,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;IACvC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;IAC9C,kEAAkE;IAClE,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CAClD,CAAC,CAAC;AAEH,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAEnB,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACpC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC5C,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,iBAAiB,EACxD,EAAE,OAAO,EAAE,oCAAoC,iBAAiB,QAAQ,EAAE,CAC3E,CAAC,QAAQ,EAAE;CACb,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACpC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,iBAAiB,EACxD,EAAE,OAAO,EAAE,oCAAoC,iBAAiB,QAAQ,EAAE,CAC3E,CAAC,QAAQ,EAAE;CACb,CAAC,CAAC;AAEH;;;;GAIG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,aAAa,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAA
C,GAAG,CAAC,IAAI,CAAC;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACvC,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,iBAAiB,EACxD,EAAE,OAAO,EAAE,oCAAoC,iBAAiB,QAAQ,EAAE,CAC3E,CAAC,QAAQ,EAAE;CACb,CAAC,CAAC"}
|
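--- a/package/dist/signing.d.ts
+++ b/package/dist/signing.d.ts
@@ -1,8 +1,21 @@
+/**
+* Supported signature-scheme version. v1 is the original Ed25519 over
+* `${canonicalStringify(body)}:${timestamp}:${nonce}`. Future versions
+* (e.g. v2 switching to a hash-chained nonce or a different canonicalisation)
+* bump this number; `verifyRequest` must then dispatch on the header value.
+*
+* The header is OPTIONAL for backward-compat with agents that don't send it;
+* an absent header is treated as v1. New clients should set it explicitly so
+* a future v2 rollout can leave v1 traffic alone during the transition.
+*/
+export declare const SIGNATURE_VERSION_CURRENT: "1";
+export type SignatureVersion = '1';
 export interface SignedHeaders {
 'x-agent-id': string;
 'x-timestamp': string;
 'x-signature': string;
 'x-nonce'?: string;
+'x-signature-version'?: SignatureVersion;
 }
 export interface KeyPair {
 publicKey: string;
@@ -16,8 +29,10 @@ export declare function verifyRequest(body: Record<string, unknown>, headers: {
 'x-timestamp'?: string;
 'x-signature'?: string;
 'x-nonce'?: string;
+'x-signature-version'?: string;
 }, publicKeyBase64: string, maxSkewMs?: number): {
 agentId: string;
 nonce: string;
+version: SignatureVersion;
 };
 //# sourceMappingURL=signing.d.ts.map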
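Review bot: The JSDoc on `SIGNATURE_VERSION_CURRENT` says an absent `x-signature-version` header is "treated as v1", but the `verifyRequest` shipped in this same release also accepts, for header-less requests only, a signature over the unbound pre-image `canonical:timestamp:nonce` — a weaker transitional path that the declaration never mentions. A consumer reading only the typings cannot tell that omitting the header selects both v1 and the legacy fallback, nor that the fallback is scheduled for removal before any v2. Add a sentence to the doc block such as `Until the legacy fallback is retired, a request with no header is also checked against the pre-version pre-image; send the header to opt out of that path.` If `SignedHeaders` is the return type of `signRequest` (which now always emits the header), consider making `'x-signature-version'` required there so code that forwards those headers cannot silently drop it and land in the fallback.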
package/dist/signing.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,EAAG,GAAY,CAAC;AACtD,MAAM,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAEnC,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB,CAAC,EAAE,gBAAgB,CAAC;CAC1C;AAED,MAAM,WAAW,OAAO;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,eAAe,IAAI,OAAO,CAMzC;AAoCD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAEvE;AAED,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GACvB,aAAa,CAqBf;AAID,wBAAgB,aAAa,CAC3B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,EAAE;IACP,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,EACD,eAAe,EAAE,MAAM,EACvB,SAAS,SAAgB,GACxB;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,CA4D/D"}
|
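--- a/package/dist/signing.js
+++ b/package/dist/signing.js
@@ -3,12 +3,24 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.SIGNATURE_VERSION_CURRENT = void 0;
 exports.generateKeypair = generateKeypair;
 exports.canonicalStringify = canonicalStringify;
 exports.signRequest = signRequest;
 exports.verifyRequest = verifyRequest;
 const tweetnacl_1 = __importDefault(require("tweetnacl"));
 const tweetnacl_util_1 = require("tweetnacl-util");
+/**
+* Supported signature-scheme version. v1 is the original Ed25519 over
+* `${canonicalStringify(body)}:${timestamp}:${nonce}`. Future versions
+* (e.g. v2 switching to a hash-chained nonce or a different canonicalisation)
+* bump this number; `verifyRequest` must then dispatch on the header value.
+*
+* The header is OPTIONAL for backward-compat with agents that don't send it;
+* an absent header is treated as v1. New clients should set it explicitly so
+* a future v2 rollout can leave v1 traffic alone during the transition.
+*/
+exports.SIGNATURE_VERSION_CURRENT = '1';
 function generateKeypair() {
 const pair = tweetnacl_1.default.sign.keyPair();
 return {
@@ -60,7 +72,12 @@ function signRequest(body, agentId, privateKeyBase64) {
 const timestamp = Date.now().toString();
 const nonce = (0, tweetnacl_util_1.encodeBase64)(tweetnacl_1.default.randomBytes(16));
 const canonical = canonicalStringify(body);
-
+// Bind the signature-scheme version into the signed material so an on-path
+// attacker cannot strip `x-signature-version` to force a future v2-signed
+// request to verify under v1 rules (cross-version downgrade). Without this,
+// adding a v2 scheme later becomes a breaking change for every deployed
+// agent — fixing it at the moment the version header is introduced is free.
+const message = (0, tweetnacl_util_1.decodeUTF8)(`${canonical}:${timestamp}:${nonce}:${exports.SIGNATURE_VERSION_CURRENT}`);
 const privateKey = (0, tweetnacl_util_1.decodeBase64)(privateKeyBase64);
 const signature = tweetnacl_1.default.sign.detached(message, privateKey);
 return {
@@ -68,29 +85,61 @@ function signRequest(body, agentId, privateKeyBase64) {
 'x-timestamp': timestamp,
 'x-signature': (0, tweetnacl_util_1.encodeBase64)(signature),
 'x-nonce': nonce,
+'x-signature-version': exports.SIGNATURE_VERSION_CURRENT,
 };
 }
+const SUPPORTED_SIGNATURE_VERSIONS = new Set(['1']);
 function verifyRequest(body, headers, publicKeyBase64, maxSkewMs = 5 * 60 * 1000) {
 const agentId = headers['x-agent-id'];
 const timestamp = headers['x-timestamp'];
 const signatureB64 = headers['x-signature'];
 const nonce = headers['x-nonce'];
+// Optional for backward compat. Absent = treat as v1 so existing agents
+// keep working. A future breaking change bumps SIGNATURE_VERSION_CURRENT
+// and adds a new branch below; v1 traffic continues to verify until we
+// decide to hard-retire it.
+const version = headers['x-signature-version'] ?? '1';
 if (!agentId || !timestamp || !signatureB64 || !nonce) {
 throw new Error('Missing required signature headers');
 }
+if (!SUPPORTED_SIGNATURE_VERSIONS.has(version)) {
+throw new Error(`Unsupported signature version: ${version}`);
+}
 const ts = parseInt(timestamp, 10);
+// A non-numeric timestamp parses to NaN, and `Math.abs(now - NaN) > skew`
+// is false — which would silently skip the freshness check. Reject it.
+if (!Number.isFinite(ts)) {
+throw new Error('Invalid timestamp');
+}
 const now = Date.now();
 if (Math.abs(now - ts) > maxSkewMs) {
 throw new Error(`Timestamp skew too large: ${Math.abs(now - ts)}ms`);
 }
 const canonical = canonicalStringify(body);
-
+// Mirror the version binding in signRequest. A stripped `x-signature-version`
+// header defaults to `'1'` here, so the pre-image bytes match only when the
+// signer also used v1. Any future v2 scheme binds `'2'` into its message,
+// making version-downgrade attempts flip the verify result to false.
+const messageBound = (0, tweetnacl_util_1.decodeUTF8)(`${canonical}:${timestamp}:${nonce}:${version}`);
 const signature = (0, tweetnacl_util_1.decodeBase64)(signatureB64);
 const publicKey = (0, tweetnacl_util_1.decodeBase64)(publicKeyBase64);
-
+let valid = tweetnacl_1.default.sign.detached.verify(messageBound, signature, publicKey);
+// Transitional legacy fallback: pre-version-binding agents sign the
+// unbound pre-image (`canonical:timestamp:nonce`) and send no version
+// header. Accept those signatures so the binding rollout doesn't force
+// every deployed agent to redeploy simultaneously. The fallback only
+// engages when the caller did NOT send `x-signature-version`, so it
+// closes only the "client upgrades are lagging" gap, not a
+// header-strip downgrade. Remove this branch before introducing v2 —
+// by then every client must send the header for the binding to be
+// meaningful.
+if (!valid && headers['x-signature-version'] === undefined) {
+const messageLegacy = (0, tweetnacl_util_1.decodeUTF8)(`${canonical}:${timestamp}:${nonce}`);
+valid = tweetnacl_1.default.sign.detached.verify(messageLegacy, signature, publicKey);
+}
 if (!valid) {
 throw new Error('Invalid signature');
 }
-return { agentId, nonce };
+return { agentId, nonce, version: version };
 }
 //# sourceMappingURL=signing.js.map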
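Review bot: The legacy fallback in `verifyRequest`, combined with an `x-nonce` that is only checked for truthiness, lets a captured v1-bound request be replayed under a different nonce: the signer signed `canonical:ts:NONCE:1`, and an attacker who resends it with `x-nonce: NONCE:1` and no `x-signature-version` header fails the bound check but passes the fallback, because the legacy pre-image `canonical:ts:<nonce>` then reproduces the exact signed bytes. `verifyRequest` returns `nonce: 'NONCE:1'`, so a replay cache keyed on the returned nonce (not visible here) would treat it as fresh, and the attacker can keep shifting colons for further replays within `maxSkewMs`. The root cause is that both `x-timestamp` and `x-nonce` are spliced verbatim into a `:`-delimited pre-image without being pinned to the shapes `signRequest` emits (`parseInt` also tolerates trailing characters on the timestamp, though the signature covers the raw string). Validate both fields before either pre-image is built; assuming older agents used the same `encodeBase64(randomBytes(16))` generator shown on the unchanged line, this does not break them, and if third-party signers may pick their own nonce format, at minimum reject any value containing `:`.
```javascript
function verifyRequest(body, headers, publicKeyBase64, maxSkewMs = 5 * 60 * 1000) {
    // … unchanged: header extraction, version default, missing-header check …
    // Both values are spliced verbatim into the ':'-delimited pre-image, so a
    // ':' inside either one shifts the field boundaries between the bound and
    // legacy layouts. Pin them to what signRequest emits:
    // Date.now().toString() and encodeBase64(randomBytes(16)).
    if (!/^\d+$/.test(timestamp)) {
        throw new Error('Invalid timestamp');
    }
    if (!/^[A-Za-z0-9+/]{22}==$/.test(nonce)) {
        throw new Error('Invalid nonce');
    }
    // … unchanged: version check, parseInt/isFinite guard, skew check, bound verify, legacy fallback, return …
```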
package/dist/signing.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"signing.js","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"signing.js","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":";;;;;;AA6BA,0CAMC;AAoCD,gDAEC;AAED,kCAyBC;AAID,sCAuEC;AA/KD,0DAA6B;AAC7B,mDAAwE;AAExE;;;;;;;;;GASG;AACU,QAAA,yBAAyB,GAAG,GAAY,CAAC;AAgBtD,SAAgB,eAAe;IAC7B,MAAM,IAAI,GAAG,mBAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;IACjC,OAAO;QACL,SAAS,EAAE,IAAA,6BAAY,EAAC,IAAI,CAAC,SAAS,CAAC;QACvC,UAAU,EAAE,IAAA,6BAAY,EAAC,IAAI,CAAC,SAAS,CAAC;KACzC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,GAAY;IACnC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,2DAA2D;QAC3D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;QACzC,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACpF,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAa,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,eAAe,CAAE,GAA+B,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBACpB,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAgB,kBAAkB,CAAC,GAA4B;IAC7D,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AACtC,CAAC;AAED,SAAgB,WAAW,CACzB,IAA6B,EAC7B,OAAe,EACf,gBAAwB;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACxC,MAAM,KAAK,GAAG,IAAA,6BAAY,EAAC,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC3C,2EAA2E;IAC3E,0EAA0E;IAC1E,4EAA4E;IAC5E,wEAAwE;IACxE,4EAA4E;IAC5E,MAAM,OAAO,GAAG,IAAA,2BAAU,EAAC,GAAG,SAAS,IAAI,
SAAS,IAAI,KAAK,IAAI,iCAAyB,EAAE,CAAC,CAAC;IAE9F,MAAM,UAAU,GAAG,IAAA,6BAAY,EAAC,gBAAgB,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,mBAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAE1D,OAAO;QACL,YAAY,EAAE,OAAO;QACrB,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,IAAA,6BAAY,EAAC,SAAS,CAAC;QACtC,SAAS,EAAE,KAAK;QAChB,qBAAqB,EAAE,iCAAyB;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAS,CAAC,GAAG,CAAC,CAAC,CAAC;AAE5D,SAAgB,aAAa,CAC3B,IAA6B,EAC7B,OAMC,EACD,eAAuB,EACvB,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI;IAEzB,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACjC,wEAAwE;IACxE,yEAAyE;IACzE,uEAAuE;IACvE,4BAA4B;IAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,qBAAqB,CAAC,IAAI,GAAG,CAAC;IAEtD,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,CAAC,4BAA4B,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IACnC,0EAA0E;IAC1E,uEAAuE;IACvE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC3C,8EAA8E;IAC9E,4EAA4E;IAC5E,0EAA0E;IAC1E,qEAAqE;IACrE,MAAM,YAAY,GAAG,IAAA,2BAAU,EAAC,GAAG,SAAS,IAAI,SAAS,IAAI,KAAK,IAAI,OAAO,EAAE,CAAC,CAAC;IACjF,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,YAAY,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,eAAe,CAAC,CAAC;IAEhD,IAAI,KAAK,GAAG,mBAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAE1E,oEAAoE;IACpE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,oEAAoE;IACpE,2DAA2D;IAC3D,qEAAqE;IACrE,kEAAkE;IAClE,cAAc;IACd,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,qBAAqB,CAAC,KAAK,SA
AS,EAAE,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAA,2BAAU,EAAC,GAAG,SAAS,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC;QACvE,KAAK,GAAG,mBAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAA2B,EAAE,CAAC;AAClE,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Normalize an SSH host-key fingerprint to canonical lowercase SHA-256 hex.
|
|
3
|
+
*
|
|
4
|
+
* Accepted input forms:
|
|
5
|
+
* - 64-char hex digest
|
|
6
|
+
* - OpenSSH-style `SHA256:<base64>`
|
|
7
|
+
* - bare base64 / url-safe base64 (43/44 chars, optional padding)
|
|
8
|
+
*/
|
|
9
|
+
export declare function normalizeSshHostKeyFingerprint(fp: string): string;
|
|
10
|
+
//# sourceMappingURL=ssh-fingerprint.d.ts.map
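Review bot: The JSDoc for `normalizeSshHostKeyFingerprint` lists the accepted input forms but not what happens when the input matches none of them, which is exactly the case a caller pinning a host key needs to know — whether it throws, returns the input unchanged, or returns an empty string decides whether a malformed pin fails closed. The implementation is not in this hunk, so I cannot tell which it is; add a `@throws` line (or a `@returns` stating the fallback) to the declaration so the contract is visible to consumers of the typings. Stating the output shape explicitly, e.g. `@returns the 64-character lowercase hex SHA-256 digest`, also tells callers that a plain string equality on the result is a safe comparison.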
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ssh-fingerprint.d.ts","sourceRoot":"","sources":["../src/ssh-fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,wBAAgB,8BAA8B,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAyBjE"}
|