anyray-connect 0.3.0 → 0.5.1

package/dist/util/verify.js

@@ -0,0 +1,192 @@
+/**
+ * Post-apply smoke test — confirm the connection actually works, with the same
+ * shape of request the configured tool will send, and turn any failure into one
+ * specific next step instead of a cryptic 4xx on the dev's first real request.
+ *
+ * Two paths, because the two modes authenticate differently:
+ *  - org key (placeholder): the gateway key is the bearer; we probe the
+ *    OpenAI-compatible `/v1/chat/completions`. A 2xx means the gateway accepted
+ *    the key and routed upstream end-to-end.
+ *  - seat (subscription): the seat OAuth token lives in the *tool*, not connect,
+ *    so we DON'T need (or want) the secret. We send a sentinel bearer with the
+ *    pass-through headers to `/v1/messages` and read where it lands: if the
+ *    gateway forwards it to Anthropic (which rejects the sentinel as an invalid
+ *    bearer), pass-through is wired and the dev's real seat will work; if it
+ *    comes back a Bedrock/org-provider error, pass-through ISN'T honored. This
+ *    verifies the part connect owns — the gateway routing — without a keychain
+ *    prompt and without ever false-alarming on a stale token (the tool itself
+ *    tells the dev to re-`/login` if their seat lapsed).
+ *
+ * PRIVACY: probe bodies are fixed synthetic "ping"s — no user content; the
+ * sentinel is a literal non-secret string. Responses are read only to classify
+ * status + error type, never logged as content.
+ */
+import { effectiveSubscription, metadataHeaderValue } from '../types.js';
+const VERIFY_TIMEOUT_MS = 12_000;
+/** A deliberately-invalid bearer for the seat-wiring probe. Not a secret; its
+ *  only job is to be rejected by whatever upstream the gateway forwards it to,
+ *  so we can tell Anthropic-passthrough from org-provider routing. */
+const WIRING_SENTINEL = 'anyray-wiring-probe-not-a-real-token';
+/** Smallest valid OpenAI-style body; `anyray-default` lets gateway routing pick
+ *  the real model/provider. `max_tokens: 1` keeps the probe a fraction of a cent. */
+const PLACEHOLDER_PROBE_BODY = {
+    model: 'anyray-default',
+    messages: [{ role: 'user', content: 'ping' }],
+    max_tokens: 1,
+};
+/** Smallest valid Anthropic-style body for the seat-wiring probe. */
+const WIRING_PROBE_BODY = {
+    model: 'claude-3-5-haiku-20241022',
+    max_tokens: 1,
+    messages: [{ role: 'user', content: 'ping' }],
+};
+/** A short, content-free snippet of an error body for the status line. */
+const snippet = (bodyText) => {
+    const oneLine = bodyText.replace(/\s+/g, ' ').trim();
+    return oneLine.length > 160 ? `${oneLine.slice(0, 157)}…` : oneLine;
+};
+/** True when the body looks like the org's Bedrock path answered instead of the
+ *  intended provider — the tell that pass-through didn't happen. */
+const looksLikeOrgProvider = (bodyText) => {
+    const lower = bodyText.toLowerCase();
+    return lower.includes('bedrock') || lower.includes('unsupported model');
+};
+/** Classify the org-key probe (OpenAI-compatible completion). */
+export const classifyPlaceholder = (status, bodyText) => {
+    if (status >= 200 && status < 300) {
+        return {
+            kind: 'ok',
+            detail: 'gateway served a completion with the org key — traffic flows.',
+            remedy: [],
+        };
+    }
+    if (status === 401 || status === 403) {
+        if (looksLikeOrgProvider(bodyText)) {
+            return {
+                kind: 'routed-elsewhere',
+                detail: `gateway routed to the org provider and it rejected the request: ${snippet(bodyText)}`,
+                remedy: [
+                    'The org provider rejected the request — check the gateway’s provider',
+                    'key/config (e.g. the model is enabled for that account).',
+                ],
+            };
+        }
+        return {
+            kind: 'key-rejected',
+            detail: `gateway rejected the key (HTTP ${status}).`,
+            remedy: [
+                'The key was refused — the setup link may be expired; ask your admin for a fresh one.',
+            ],
+        };
+    }
+    return {
+        kind: 'unknown',
+        detail: `gateway responded HTTP ${status}: ${snippet(bodyText)}`,
+        remedy: [],
+    };
+};
+/** Classify the seat-wiring probe (sentinel bearer through the gateway). */
+export const classifySeatWiring = (status, bodyText) => {
+    if (looksLikeOrgProvider(bodyText)) {
+        return {
+            kind: 'routed-elsewhere',
+            detail: 'gateway sent the request to the org provider, not your subscription.',
+            remedy: [
+                'Pass-through isn’t being honored for this gateway — your seat token would',
+                'not be used. Check the gateway is current (subscription pass-through support).',
+            ],
+        };
+    }
+    const lower = bodyText.toLowerCase();
+    // The sentinel reaching Anthropic and being rejected as a bad bearer is the
+    // SUCCESS signal: it proves the gateway forwards seat auth to Anthropic, so
+    // the dev's real (valid) seat token will be honored.
+    if (status === 401 ||
+        lower.includes('authentication_error') ||
+        lower.includes('invalid bearer') ||
+        lower.includes('"provider":"anthropic"')) {
+        return {
+            kind: 'ok',
+            detail: 'gateway passes your sign-in through to Anthropic — your Claude seat will be used.',
+            remedy: [],
+        };
+    }
+    if (status >= 200 && status < 300) {
+        return {
+            kind: 'ok',
+            detail: 'gateway pass-through reached the provider — your seat will be used.',
+            remedy: [],
+        };
+    }
+    return {
+        kind: 'unknown',
+        detail: `seat-wiring probe got HTTP ${status}: ${snippet(bodyText)}`,
+        remedy: [],
+    };
+};
+const probe = async (url, headers, body, timeoutMs) => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json', ...headers },
+            body: JSON.stringify(body),
+            signal: controller.signal,
+        });
+        return { status: res.status, bodyText: await res.text() };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+};
+const unreachable = (timeoutMs, error) => {
+    const reason = error instanceof Error && error.name === 'AbortError'
+        ? `no response within ${timeoutMs}ms`
+        : error instanceof Error
+            ? error.message
+            : String(error);
+    return {
+        kind: 'unreachable',
+        detail: `could not reach the gateway to verify (${reason}).`,
+        remedy: [
+            'Your config was still written — re-run the curl below once the gateway is reachable.',
+        ],
+    };
+};
+/**
+ * Probe the gateway with the auth the Anthropic-family tool will use and return
+ * a classified verdict. Never throws — a transport failure becomes `unreachable`
+ * (the config was still written; the dev can re-test by hand). Anthropic is the
+ * representative family: its org path and its seat-passthrough path are exactly
+ * what this smoke test distinguishes.
+ */
+export const verifyConnection = async (target, opts = {}) => {
+    const timeoutMs = opts.timeoutMs ?? VERIFY_TIMEOUT_MS;
+    const meta = metadataHeaderValue(target.metadata);
+    try {
+        if (effectiveSubscription(target, 'anthropic')) {
+            const headers = {
+                Authorization: `Bearer ${WIRING_SENTINEL}`,
+                'anthropic-version': '2023-06-01',
+                'anthropic-beta': 'oauth-2025-04-20',
+                'x-anyray-auth-mode': 'passthrough',
+                'x-anyray-provider': 'anthropic',
+            };
+            if (meta)
+                headers['x-anyray-metadata'] = meta;
+            const { status, bodyText } = await probe(`${target.anthropicBaseUrl}/v1/messages`, headers, WIRING_PROBE_BODY, timeoutMs);
+            return classifySeatWiring(status, bodyText);
+        }
+        const key = target.clientKey ?? target.placeholderKey;
+        const headers = { Authorization: `Bearer ${key}` };
+        if (meta)
+            headers['x-anyray-metadata'] = meta;
+        const { status, bodyText } = await probe(`${target.openaiBaseUrl}/chat/completions`, headers, PLACEHOLDER_PROBE_BODY, timeoutMs);
+        return classifyPlaceholder(status, bodyText);
+    }
+    catch (error) {
+        return unreachable(timeoutMs, error);
+    }
+};
+//# sourceMappingURL=verify.js.map

package/dist/util/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/util/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAGzE,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC;;sEAEsE;AACtE,MAAM,eAAe,GAAG,sCAAsC,CAAC;AAE/D;qFACqF;AACrF,MAAM,sBAAsB,GAAG;IAC7B,KAAK,EAAE,gBAAgB;IACvB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAC7C,UAAU,EAAE,CAAC;CACd,CAAC;AAEF,qEAAqE;AACrE,MAAM,iBAAiB,GAAG;IACxB,KAAK,EAAE,2BAA2B;IAClC,UAAU,EAAE,CAAC;IACb,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;CAC9C,CAAC;AA2BF,0EAA0E;AAC1E,MAAM,OAAO,GAAG,CAAC,QAAgB,EAAU,EAAE;IAC3C,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,OAAO,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;AACtE,CAAC,CAAC;AAEF;oEACoE;AACpE,MAAM,oBAAoB,GAAG,CAAC,QAAgB,EAAW,EAAE;IACzD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAC1E,CAAC,CAAC;AAEF,iEAAiE;AACjE,MAAM,CAAC,MAAM,mBAAmB,GAAG,CACjC,MAAc,EACd,QAAgB,EACD,EAAE;IACjB,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAClC,OAAO;YACL,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,+DAA+D;YACvE,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACrC,IAAI,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL,IAAI,EAAE,kBAAkB;gBACxB,MAAM,EAAE,mEAAmE,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAC9F,MAAM,EAAE;oBACN,sEAAsE;oBACtE,0DAA0D;iBAC3D;aACF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,kCAAkC,MAAM,IAAI;YACpD,MAAM,EAAE;gBACN,sFAAsF;aACvF;SACF,CAAC;IACJ,CAAC;IACD,OAAO;QACL,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,0BAA0B,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,EAAE;QAChE,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC,CAAC;AAEF,4EAA4E;AAC5E,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,MAAc,EACd,QAAgB,EACD,EAAE;IACjB,IAAI,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,IAAI,EAAE,kBAAkB;YACxB,MAAM,EAAE,sEAAsE;YAC9E,MAAM,EAAE;gBACN,2EAA2E;gBAC3E,gFAAgF;aACjF;SACF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,4EAA4E;IAC5E,4EAA4E;IAC5E,qDAAqD;IACrD,IACE,MAAM,KAAK,GAAG;QACd,KAAK,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACtC,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAChC,KAAK,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EACxC,CAAC;QACD,OAAO;YACL,IAAI,EAAE,IAAI;YACV,MAAM,EACJ,mFAAmF;YACrF,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAClC,OAAO;YACL,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,qEAAqE;YAC7E,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IACD,OAAO;QACL,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,8BAA8B,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,EAAE;QACpE,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,KAAK,GAAG,KAAK,EACjB,GAAW,EACX,OAA+B,EAC/B,IAAa,EACb,SAAiB,EACK,EAAE;IACxB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,OAAO,EAAE;YAC3D,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAC1B,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;IAC5D,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,KAAc,EAAiB,EAAE;IACvE,MAAM,MAAM,GACV,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY;QACnD,CAAC,CAAC,sBAAsB,SAAS,IAAI;QACrC,CAAC,CAAC,KAAK,YAAY,KAAK;YACtB,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtB,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,0CAA0C,MAAM,IAAI;QAC5D,MAAM,EAAE;YACN,sFAAsF;SACvF;KACF,CAAC;AACJ,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,MAAqB,EACrB,OAAsB,EAAE,EACA,EAAE;IAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,iBAAiB,CAAC;IACtD,MAAM,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,IAAI,qBAAqB,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;YAC/C,MAAM,OAAO,GAA2B;gBACtC,aAAa,EAAE,UAAU,eAAe,EAAE;gBAC1C,mBAAmB,EAAE,YAAY;gBACjC,gBAAgB,EAAE,kBAAkB;gBACpC,oBAAoB,EAAE,aAAa;gBACnC,mBAAmB,EAAE,WAAW;aACjC,CAAC;YACF,IAAI,IAAI;gBAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC;YAC9C,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CACtC,GAAG,MAAM,CAAC,gBAAgB,cAAc,EACxC,OAAO,EACP,iBAAiB,EACjB,SAAS,CACV,CAAC;YACF,OAAO,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,cAAc,CAAC;QACtD,MAAM,OAAO,GAA2B,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE,CAAC;QAC3E,IAAI,IAAI;YAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC;QAC9C,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CACtC,GAAG,MAAM,CAAC,aAAa,mBAAmB,EAC1C,OAAO,EACP,sBAAsB,EACtB,SAAS,CACV,CAAC;QACF,OAAO,mBAAmB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,WAAW,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACvC,CAAC;AACH,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "anyray-connect",
-  "version": "0.3.0",
+  "version": "0.5.1",
   "description": "Anyray connect — points local coding tools (Claude Code, Cursor, Windsurf, SDKs) at the Anyray gateway by writing their base URL + a placeholder key. The gateway stays the brain; this is just the on-ramp.",
   "type": "module",
   "bin": {