edgegate-mcp 0.7.0 → 0.8.0

package/dist/tools/get_byo_audit.js

@@ -0,0 +1,125 @@
+import { z } from "zod";
+import { EdgeGateError } from "../client.js";
+export const getByoAuditInputSchema = z.object({
+    workspace_id: z.string().uuid(),
+    artifact_id: z
+        .string()
+        .uuid()
+        .optional()
+        .describe("Filter to events referencing this artifact."),
+    run_id: z
+        .string()
+        .uuid()
+        .optional()
+        .describe("Filter to events from this run."),
+    since: z
+        .string()
+        .datetime()
+        .optional()
+        .describe("ISO-8601 timestamp; only include events newer than this."),
+    cursor: z
+        .number()
+        .int()
+        .optional()
+        .describe("Opaque cursor returned by a previous call. Pass it back verbatim to " +
+        "fetch the next page; omit on the first call."),
+    limit: z
+        .number()
+        .int()
+        .min(1)
+        .max(500)
+        .optional()
+        .describe("Page size (1–500, default 100)."),
+});
+export async function getByoAuditHandler(client, input) {
+    try {
+        const page = await client.getByoAudit(input.workspace_id, {
+            artifact_id: input.artifact_id,
+            run_id: input.run_id,
+            since: input.since,
+            cursor: input.cursor,
+            limit: input.limit,
+        });
+        return renderAuditPage(page);
+    }
+    catch (err) {
+        if (err instanceof EdgeGateError) {
+            if (err.status === 402) {
+                return {
+                    isError: true,
+                    content: [
+                        {
+                            type: "text",
+                            text: `BYO storage requires the Enterprise plan. ` +
+                                `Contact sales: https://edgegate.frozo.ai/enterprise.`,
+                        },
+                    ],
+                };
+            }
+            return {
+                isError: true,
+                content: [
+                    { type: "text", text: `EdgeGate returned ${err.status}: ${err.detail}` },
+                ],
+            };
+        }
+        throw err;
+    }
+}
+function truncate(value, max) {
+    if (value.length <= max)
+        return value;
+    return `${value.slice(0, max - 1)}…`;
+}
+function fmt(entry) {
+    const cells = [
+        entry.ts,
+        entry.event_type,
+        entry.outcome,
+        entry.error_code ?? "—",
+        truncate(entry.aws_request_id, 36),
+        truncate(entry.s3_key ?? "—", 48),
+        entry.bytes_read?.toLocaleString() ?? "—",
+        entry.run_id ? truncate(entry.run_id, 8) : "—",
+    ];
+    return `| ${cells.join(" | ")} |`;
+}
+function renderAuditPage(page) {
+    if (page.entries.length === 0) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: [
+                        `No BYO storage audit events match these filters.`,
+                        ``,
+                        `If you expected results, check that:`,
+                        `- The workspace actually has BYO storage enabled (Enterprise plan).`,
+                        `- The \`run_id\` / \`artifact_id\` / \`since\` filters aren't too narrow.`,
+                        `- A run that consumed BYO artifacts has actually executed (verify probes ` +
+                            `also appear here, every 6 hours).`,
+                    ].join("\n"),
+                },
+            ],
+        };
+    }
+    const header = `| ts | event_type | outcome | error_code | aws_request_id | s3_key | bytes_read | run_id |`;
+    const sep = `|---|---|---|---|---|---|---|---|`;
+    const rows = page.entries.map(fmt).join("\n");
+    const lines = [
+        `BYO storage audit — ${page.entries.length} event(s)`,
+        ``,
+        header,
+        sep,
+        rows,
+        ``,
+        page.next_cursor === null
+            ? `End of log.`
+            : `Call again with \`cursor: ${page.next_cursor}\` to fetch the next page.`,
+        ``,
+        `Cross-reference \`aws_request_id\` against your own CloudTrail to confirm ` +
+            `EdgeGate's view of each S3 call matches yours.`,
+    ];
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+}
+//# sourceMappingURL=get_byo_audit.js.map

package/dist/tools/get_byo_audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_byo_audit.js","sourceRoot":"","sources":["../../src/tools/get_byo_audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAkB,aAAa,EAAE,MAAM,cAAc,CAAC;AAI7D,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC/B,WAAW,EAAE,CAAC;SACX,MAAM,EAAE;SACR,IAAI,EAAE;SACN,QAAQ,EAAE;SACV,QAAQ,CAAC,6CAA6C,CAAC;IAC1D,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,IAAI,EAAE;SACN,QAAQ,EAAE;SACV,QAAQ,CAAC,iCAAiC,CAAC;IAC9C,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,EAAE;SACV,QAAQ,CAAC,0DAA0D,CAAC;IACvE,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,QAAQ,CACP,sEAAsE;QACpE,8CAA8C,CACjD;IACH,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,iCAAiC,CAAC;CAC/C,CAAC,CAAC;AAIH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAsB,EACtB,KAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,YAAY,EAAE;YACxD,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC;QACH,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EACF,4CAA4C;gCAC5C,sDAAsD;yBACzD;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,EAAE;iBACzE;aACF,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa,EAAE,GAAW;IAC1C,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,SAAS,GAAG,CAAC,KAAoB;IAC/B,MAAM,KAAK,GAAG;QACZ,KAAK,CAAC,EAAE;QACR,KAAK,CAAC,UAAU;QAChB,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,UAAU,IAAI,GAAG;QACvB,QAAQ,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;QAClC,QAAQ,CAAC,KAAK,CAAC,MAAM,IAAI,GAAG,EAAE,EAAE,CAAC;QACjC,KAAK,CAAC,UAAU,EAAE,cAAc,EAAE,IAAI,GAAG;QACzC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG;KAC/C,CAAC;IACF,OAAO,KAAK,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,eAAe,CAAC,IAAkB;IACzC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE;wBACJ,kDAAkD;wBAClD,EAAE;wBACF,sCAAsC;wBACtC,qEAAqE;wBACrE,2EAA2E;wBAC3E,2EAA2E;4BACzE,mCAAmC;qBACtC,CAAC,IAAI,CAAC,IAAI,CAAC;iBACb;aACF;SACF,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,4FAA4F,CAAC;IAC5G,MAAM,GAAG,GAAG,mCAAmC,CAAC;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG;QACZ,uBAAuB,IAAI,CAAC,OAAO,CAAC,MAAM,WAAW;QACrD,EAAE;QACF,MAAM;QACN,GAAG;QACH,IAAI;QACJ,EAAE;QACF,IAAI,CAAC,WAAW,KAAK,IAAI;YACvB,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,6BAA6B,IAAI,CAAC,WAAW,4BAA4B;QAC7E,EAAE;QACF,4EAA4E;YAC1E,gDAAgD;KACnD,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;AACjE,CAAC"}

package/dist/tools/get_report.d.ts

@@ -5,8 +5,8 @@ export declare const getReportInputSchema: z.ZodObject<{
     workspace_id: z.ZodString;
     limit: z.ZodDefault<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
-    workspace_id: string;
     limit: number;
+    workspace_id: string;
 }, {
     workspace_id: string;
     limit?: number | undefined;

package/dist/tools/register_byo_artifact.d.ts

@@ -0,0 +1,27 @@
+import { z } from "zod";
+import { EdgeGateClient } from "../client.js";
+import type { ToolResult } from "./setup_workspace.js";
+export declare const registerByoArtifactInputSchema: z.ZodObject<{
+    workspace_id: z.ZodString;
+    s3_uri: z.ZodString;
+    expected_sha256: z.ZodOptional<z.ZodString>;
+    expected_size: z.ZodOptional<z.ZodNumber>;
+    kind: z.ZodOptional<z.ZodString>;
+    original_filename: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    workspace_id: string;
+    s3_uri: string;
+    expected_sha256?: string | undefined;
+    expected_size?: number | undefined;
+    kind?: string | undefined;
+    original_filename?: string | undefined;
+}, {
+    workspace_id: string;
+    s3_uri: string;
+    expected_sha256?: string | undefined;
+    expected_size?: number | undefined;
+    kind?: string | undefined;
+    original_filename?: string | undefined;
+}>;
+export type RegisterByoArtifactInput = z.infer<typeof registerByoArtifactInputSchema>;
+export declare function registerByoArtifactHandler(client: EdgeGateClient, input: RegisterByoArtifactInput): Promise<ToolResult>;

package/dist/tools/register_byo_artifact.js

@@ -0,0 +1,122 @@
+import { z } from "zod";
+import { EdgeGateError } from "../client.js";
+export const registerByoArtifactInputSchema = z.object({
+    workspace_id: z.string().uuid(),
+    s3_uri: z
+        .string()
+        .regex(/^s3:\/\/[a-z0-9][a-z0-9\-.]{1,253}\/.+$/)
+        .describe("Full S3 URI of the object in your registered bucket, e.g. " +
+        "s3://my-bucket/models/mobilenet-v2.onnx. Must live in the same " +
+        "bucket the grant was registered with."),
+    expected_sha256: z
+        .string()
+        .regex(/^[a-f0-9]{64}$/)
+        .optional()
+        .describe("Optional SHA-256 of the object (hex). If supplied, downstream cells " +
+        "will fail with BYO_INTEGRITY_MISMATCH when the actual bytes don't " +
+        "match — a strong guarantee that you ran what you thought you ran."),
+    expected_size: z
+        .number()
+        .int()
+        .positive()
+        .optional()
+        .describe("Optional size in bytes. EdgeGate cross-checks against the HeadObject " +
+        "response and rejects the registration if they disagree — protects " +
+        "against stale pointers when an object was overwritten in S3."),
+    kind: z
+        .string()
+        .optional()
+        .describe("Artifact kind. Defaults to 'model'."),
+    original_filename: z
+        .string()
+        .optional()
+        .describe("Optional display filename for run reports."),
+});
+export async function registerByoArtifactHandler(client, input) {
+    try {
+        const artifact = await client.registerByoArtifact(input.workspace_id, {
+            s3_uri: input.s3_uri,
+            expected_sha256: input.expected_sha256,
+            expected_size: input.expected_size,
+            kind: input.kind,
+            original_filename: input.original_filename,
+        });
+        return renderArtifact(artifact);
+    }
+    catch (err) {
+        if (err instanceof EdgeGateError) {
+            if (err.status === 402) {
+                return {
+                    isError: true,
+                    content: [
+                        {
+                            type: "text",
+                            text: `BYO storage requires the Enterprise plan. ` +
+                                `Contact sales: https://edgegate.frozo.ai/enterprise.`,
+                        },
+                    ],
+                };
+            }
+            if (err.status === 400) {
+                return {
+                    isError: true,
+                    content: [
+                        {
+                            type: "text",
+                            text: [
+                                `EdgeGate rejected the BYO artifact registration:`,
+                                ``,
+                                `\`${err.detail}\``,
+                                ``,
+                                `Most common causes:`,
+                                `- **No active grant** — register one with \`edgegate_register_byo_bucket\` first.`,
+                                `- **Bucket mismatch** — the s3_uri's bucket is not the one this workspace ` +
+                                    `registered. Cross-bucket pointers are not allowed.`,
+                                `- **BYO_OBJECT_NOT_FOUND** — the s3_uri's key doesn't exist in the bucket. ` +
+                                    `Double-check the path; HeadObject is case-sensitive.`,
+                                `- **BYO_OBJECT_ACCESS_DENIED** — the IAM role lacks \`s3:GetObject\` ` +
+                                    `on this specific key (a bucket-policy or resource-condition denial).`,
+                                `- **Size mismatch** — the \`expected_size\` you supplied doesn't match the ` +
+                                    `actual object. Drop it (or update it) and retry.`,
+                            ].join("\n"),
+                        },
+                    ],
+                };
+            }
+            return {
+                isError: true,
+                content: [
+                    { type: "text", text: `EdgeGate returned ${err.status}: ${err.detail}` },
+                ],
+            };
+        }
+        throw err;
+    }
+}
+function renderArtifact(artifact) {
+    return {
+        content: [
+            {
+                type: "text",
+                text: [
+                    `Registered BYO artifact — bytes never left your AWS account.`,
+                    ``,
+                    `- artifact_id: \`${artifact.id}\``,
+                    `- storage: \`${artifact.storage_url}\``,
+                    `- kind: ${artifact.kind}`,
+                    `- size: ${artifact.size_bytes.toLocaleString()} bytes`,
+                    `- sha256: \`${artifact.sha256}\``,
+                    artifact.original_filename
+                        ? `- filename: \`${artifact.original_filename}\``
+                        : `- filename: (none)`,
+                    ``,
+                    `Pass this \`artifact_id\` to \`edgegate_create_pipeline\` (in \`model_matrix\`) ` +
+                        `or \`edgegate_run_gate\` (as \`model_artifact_id\`) to run it. ` +
+                        `When a cell needs the model, EdgeGate's worker will AssumeRole into your ` +
+                        `account and GetObject directly from S3.`,
+                ].join("\n"),
+            },
+        ],
+    };
+}
+//# sourceMappingURL=register_byo_artifact.js.map

package/dist/tools/register_byo_artifact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register_byo_artifact.js","sourceRoot":"","sources":["../../src/tools/register_byo_artifact.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAkB,aAAa,EAAE,MAAM,cAAc,CAAC;AAI7D,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC/B,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,KAAK,CAAC,yCAAyC,CAAC;SAChD,QAAQ,CACP,4DAA4D;QAC1D,iEAAiE;QACjE,uCAAuC,CAC1C;IACH,eAAe,EAAE,CAAC;SACf,MAAM,EAAE;SACR,KAAK,CAAC,gBAAgB,CAAC;SACvB,QAAQ,EAAE;SACV,QAAQ,CACP,sEAAsE;QACpE,oEAAoE;QACpE,mEAAmE,CACtE;IACH,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,uEAAuE;QACrE,oEAAoE;QACpE,8DAA8D,CACjE;IACH,IAAI,EAAE,CAAC;SACJ,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,qCAAqC,CAAC;IAClD,iBAAiB,EAAE,CAAC;SACjB,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,4CAA4C,CAAC;CAC1D,CAAC,CAAC;AAIH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,MAAsB,EACtB,KAA+B;IAE/B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,YAAY,EAAE;YACpE,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;SAC3C,CAAC,CAAC;QACH,OAAO,cAAc,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EACF,4CAA4C;gCAC5C,sDAAsD;yBACzD;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,kDAAkD;gCAClD,EAAE;gCACF,KAAK,GAAG,CAAC,MAAM,IAAI;gCACnB,EAAE;gCACF,qBAAqB;gCACrB,mFAAmF;gCACnF,4EAA4E;oCAC1E,oDAAoD;gCACtD,6EAA6E;oCAC3E,sDAAsD;gCACxD,uEAAuE;oCACrE,sEAAsE;gCACxE,6EAA6E;oCAC3E,kDAAkD;6BACrD,CAAC,IAAI,CAAC,IAAI,CAAC;yBACb;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,EAAE;iBACzE;aACF,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAA0B;IAChD,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE;oBACJ,8DAA8D;oBAC9D,EAAE;oBACF,oBAAoB,QAAQ,CAAC,EAAE,IAAI;oBACnC,gBAAgB,QAAQ,CAAC,WAAW,IAAI;oBACxC,WAAW,QAAQ,CAAC,IAAI,EAAE;oBAC1B,WAAW,QAAQ,CAAC,UAAU,CAAC,cAAc,EAAE,QAAQ;oBACvD,eAAe,QAAQ,CAAC,MAAM,IAAI;oBAClC,QAAQ,CAAC,iBAAiB;wBACxB,CAAC,CAAC,iBAAiB,QAAQ,CAAC,iBAAiB,IAAI;wBACjD,CAAC,CAAC,oBAAoB;oBACxB,EAAE;oBACF,kFAAkF;wBAChF,iEAAiE;wBACjE,2EAA2E;wBAC3E,yCAAyC;iBAC5C,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/tools/register_byo_bucket.d.ts

@@ -0,0 +1,24 @@
+import { z } from "zod";
+import { EdgeGateClient } from "../client.js";
+import type { ToolResult } from "./setup_workspace.js";
+export declare const registerByoBucketInputSchema: z.ZodObject<{
+    workspace_id: z.ZodString;
+    role_arn: z.ZodString;
+    bucket: z.ZodString;
+    region: z.ZodString;
+    kms_key_id: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    workspace_id: string;
+    role_arn: string;
+    bucket: string;
+    region: string;
+    kms_key_id?: string | undefined;
+}, {
+    workspace_id: string;
+    role_arn: string;
+    bucket: string;
+    region: string;
+    kms_key_id?: string | undefined;
+}>;
+export type RegisterByoBucketInput = z.infer<typeof registerByoBucketInputSchema>;
+export declare function registerByoBucketHandler(client: EdgeGateClient, input: RegisterByoBucketInput): Promise<ToolResult>;

package/dist/tools/register_byo_bucket.js

@@ -0,0 +1,143 @@
+import { z } from "zod";
+import { EdgeGateError } from "../client.js";
+export const registerByoBucketInputSchema = z.object({
+    workspace_id: z.string().uuid(),
+    role_arn: z
+        .string()
+        .regex(/^arn:aws:iam::\d{12}:role\/.+$/)
+        .describe("ARN of the IAM role EdgeGate's workers will assume to read your bucket. " +
+        "Created by the EdgeGate CloudFormation launch stack (or your equivalent " +
+        "Terraform module). Format: arn:aws:iam::<account-id>:role/<name>."),
+    bucket: z
+        .string()
+        .min(3)
+        .max(255)
+        .regex(/^[a-z0-9][a-z0-9\-.]{1,253}$/)
+        .describe("S3 bucket name (not the URI — just the bucket name)."),
+    region: z
+        .string()
+        .min(4)
+        .max(64)
+        .describe("AWS region the bucket lives in, e.g. us-east-1."),
+    kms_key_id: z
+        .string()
+        .max(2048)
+        .optional()
+        .describe("Optional KMS key ARN if the bucket uses SSE-KMS. The IAM role must " +
+        "have kms:Decrypt on this key."),
+});
+export async function registerByoBucketHandler(client, input) {
+    try {
+        const grant = await client.registerByoGrant(input.workspace_id, {
+            role_arn: input.role_arn,
+            bucket: input.bucket,
+            region: input.region,
+            kms_key_id: input.kms_key_id,
+        });
+        return successText(grant);
+    }
+    catch (err) {
+        if (err instanceof EdgeGateError) {
+            if (err.status === 402) {
+                return {
+                    isError: true,
+                    content: [
+                        {
+                            type: "text",
+                            text: [
+                                `BYO storage requires the **Enterprise plan**.`,
+                                ``,
+                                `Reach out to sales at https://edgegate.frozo.ai/enterprise ` +
+                                    `to enable BYO storage on this workspace. ` +
+                                    `Once enabled, re-run \`edgegate_register_byo_bucket\` with the ` +
+                                    `same role + bucket details.`,
+                            ].join("\n"),
+                        },
+                    ],
+                };
+            }
+            if (err.status === 409) {
+                // Do NOT auto-rotate — the existing grant may belong to a different
+                // role_arn the customer doesn't want overwritten by accident.
+                return {
+                    isError: true,
+                    content: [
+                        {
+                            type: "text",
+                            text: [
+                                `This workspace already has a BYO storage grant registered.`,
+                                ``,
+                                `Two safe paths forward:`,
+                                `1. Inspect the existing grant with \`edgegate_check_byo_bucket\` ` +
+                                    `to confirm it's the one you intended.`,
+                                `2. If you want to replace it: \`edgegate_disconnect_byo_bucket\` ` +
+                                    `first (will 409 if artifacts still reference it), then re-run ` +
+                                    `\`edgegate_register_byo_bucket\` with the new role/bucket.`,
+                                ``,
+                                `External-ID rotation (without replacing the grant) is available ` +
+                                    `via the dashboard at ` +
+                                    `https://edgegate.frozo.ai/workspace/${input.workspace_id}/settings#byo-storage.`,
+                            ].join("\n"),
+                        },
+                    ],
+                };
+            }
+            return {
+                isError: true,
+                content: [
+                    {
+                        type: "text",
+                        text: `EdgeGate returned ${err.status}: ${err.detail}`,
+                    },
+                ],
+            };
+        }
+        throw err;
+    }
+}
+function roleArnTail(roleArn) {
+    // arn:aws:iam::123456789012:role/edgegate-byo-storage-prod
+    // Render the trailing role name + last 4 of the account id so the user can
+    // confirm at a glance that they registered the right role.
+    const parts = roleArn.split(":");
+    if (parts.length < 6)
+        return roleArn;
+    const account = parts[4];
+    const roleName = parts.slice(5).join(":").replace(/^role\//, "");
+    const acctTail = account.length > 4 ? `…${account.slice(-4)}` : account;
+    return `${roleName} (acct ${acctTail})`;
+}
+function successText(grant) {
+    return {
+        content: [
+            {
+                type: "text",
+                text: [
+                    `Registered BYO storage grant for this workspace.`,
+                    ``,
+                    `- role: \`${roleArnTail(grant.role_arn)}\``,
+                    `- bucket: \`${grant.bucket}\` (${grant.region})`,
+                    grant.kms_key_id
+                        ? `- kms key: \`${grant.kms_key_id}\``
+                        : `- kms key: (none — SSE-S3 or no encryption)`,
+                    `- status: **${grant.status}**`,
+                    `- external_id: \`${grant.external_id}\``,
+                    ``,
+                    `**Action required if you haven't already:** add this External ID to ` +
+                        `your IAM role's trust policy under \`Condition.StringEquals.sts:ExternalId\`. ` +
+                        `Without it, AssumeRole will fail with BYO_ASSUME_ROLE_FAILED.`,
+                    ``,
+                    grant.status === "active"
+                        ? `The readiness probe just passed. You can register your first artifact ` +
+                            `with \`edgegate_register_byo_artifact\`.`
+                        : grant.last_verify_error
+                            ? `The readiness probe FAILED: \`${grant.last_verify_error}\`. Fix the ` +
+                                `IAM/bucket/KMS configuration, then re-probe with ` +
+                                `\`edgegate_check_byo_bucket\`.`
+                            : `Probe outcome pending — run \`edgegate_check_byo_bucket\` to verify.`,
+                ].join("\n"),
+            },
+        ],
+    };
+}
+//# sourceMappingURL=register_byo_bucket.js.map

package/dist/tools/register_byo_bucket.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register_byo_bucket.js","sourceRoot":"","sources":["../../src/tools/register_byo_bucket.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAkB,aAAa,EAAE,MAAM,cAAc,CAAC;AAI7D,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC/B,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,gCAAgC,CAAC;SACvC,QAAQ,CACP,0EAA0E;QACxE,0EAA0E;QAC1E,mEAAmE,CACtE;IACH,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,KAAK,CAAC,8BAA8B,CAAC;SACrC,QAAQ,CAAC,sDAAsD,CAAC;IACnE,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,EAAE,CAAC;SACP,QAAQ,CAAC,iDAAiD,CAAC;IAC9D,UAAU,EAAE,CAAC;SACV,MAAM,EAAE;SACR,GAAG,CAAC,IAAI,CAAC;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,qEAAqE;QACnE,+BAA+B,CAClC;CACJ,CAAC,CAAC;AAIH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAAsB,EACtB,KAA6B;IAE7B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE;YAC9D,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,CAAC,CAAC;QACH,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,+CAA+C;gCAC/C,EAAE;gCACF,6DAA6D;oCAC3D,2CAA2C;oCAC3C,iEAAiE;oCACjE,6BAA6B;6BAChC,CAAC,IAAI,CAAC,IAAI,CAAC;yBACb;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,oEAAoE;gBACpE,8DAA8D;gBAC9D,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,4DAA4D;gCAC5D,EAAE;gCACF,yBAAyB;gCACzB,mEAAmE;oCACjE,uCAAuC;gCACzC,mEAAmE;oCACjE,gEAAgE;oCAChE,4DAA4D;gCAC9D,EAAE;gCACF,kEAAkE;oCAChE,uBAAuB;oCACvB,uCAAuC,KAAK,CAAC,YAAY,wBAAwB;6BACpF,CAAC,IAAI,CAAC,IAAI,CAAC;yBACb;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,qBAAqB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE;qBACvD;iBACF;aACF,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,2DAA2D;IAC3D,2EAA2E;IAC3E,2DAA2D;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IACjE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;IACxE,OAAO,GAAG,QAAQ,UAAU,QAAQ,GAAG,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,KAAe;IAClC,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE;oBACJ,kDAAkD;oBAClD,EAAE;oBACF,aAAa,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI;oBAC5C,eAAe,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,MAAM,GAAG;oBACjD,KAAK,CAAC,UAAU;wBACd,CAAC,CAAC,gBAAgB,KAAK,CAAC,UAAU,IAAI;wBACtC,CAAC,CAAC,6CAA6C;oBACjD,eAAe,KAAK,CAAC,MAAM,IAAI;oBAC/B,oBAAoB,KAAK,CAAC,WAAW,IAAI;oBACzC,EAAE;oBACF,sEAAsE;wBACpE,gFAAgF;wBAChF,+DAA+D;oBACjE,EAAE;oBACF,KAAK,CAAC,MAAM,KAAK,QAAQ;wBACvB,CAAC,CAAC,wEAAwE;4BACxE,0CAA0C;wBAC5C,CAAC,CAAC,KAAK,CAAC,iBAAiB;4BACvB,CAAC,CAAC,iCAAiC,KAAK,CAAC,iBAAiB,cAAc;gCACtE,mDAAmD;gCACnD,gCAAgC;4BAClC,CAAC,CAAC,sEAAsE;iBAC7E,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -269,3 +269,88 @@ export interface PromptPackCreateBody {
     version: string;
     content: PromptPackContent;
 }
+/**
+ * Workspace's customer-owned S3 bucket grant. Returned by every grant
+ * endpoint (register / get / verify / rotate-external-id).
+ *
+ * `external_id` is shown in EVERY response — it's the value the customer
+ * has to paste into their IAM role trust policy's `sts:ExternalId`
+ * condition. We don't treat it like a secret because the trust policy
+ * already pins our AWS account as the only principal that can use it.
+ *
+ * `status` semantics: "active" = last probe passed; "failed" = last probe
+ * raised (with `last_verify_error` populated); "revoked" = grant was
+ * explicitly deleted (404 on /grants thereafter).
+ */
+export interface ByoGrant {
+    id: UUID;
+    workspace_id: UUID;
+    role_arn: string;
+    external_id: UUID;
+    bucket: string;
+    region: string;
+    kms_key_id: string | null;
+    status: "active" | "revoked" | "failed";
+    last_verified_at: string | null;
+    last_verify_error: string | null;
+    created_at: string;
+    updated_at: string;
+}
+/**
+ * Request body for POST /v1/workspaces/{ws}/artifacts/byo.
+ * Registers an existing S3 URI in the customer's grant-registered bucket
+ * as an Artifact pointer. EdgeGate does NOT upload bytes — it HeadObjects
+ * the URI to confirm existence + capture size/etag.
+ */
+export interface ByoArtifactRegisterRequest {
+    s3_uri: string;
+    expected_sha256?: string;
+    expected_size?: number;
+    kind?: string;
+    original_filename?: string;
+}
+/**
+ * One row from the workspace's append-only `byo_storage_audit` table.
+ * `aws_request_id` is the join key for cross-referencing the customer's
+ * own CloudTrail. Nullable fields are by design for events that don't
+ * produce them (verify_probe has no run_id/artifact_id, etc.).
+ */
+export interface ByoAuditEntry {
+    id: number;
+    event_type: string;
+    aws_request_id: string;
+    role_arn: string;
+    bucket: string;
+    s3_key: string | null;
+    bytes_read: number | null;
+    worker_hostname: string | null;
+    outcome: string;
+    error_code: string | null;
+    artifact_id: UUID | null;
+    run_id: UUID | null;
+    ts: string;
+}
+/**
+ * Paginated audit-log page. `next_cursor === null` means the response
+ * contained the last page. Pass the value back as the `cursor` query
+ * param to fetch the next page.
+ */
+export interface ByoAuditPage {
+    entries: ByoAuditEntry[];
+    next_cursor: number | null;
+}
+/**
+ * Returned by POST /artifacts and POST /artifacts/byo. Mirrors the
+ * backend `ArtifactResponse` schema. `storage_url` for BYO artifacts is
+ * `byo-s3://{bucket}/{key}` rather than the managed `s3://...` form.
+ */
+export interface ArtifactResponse {
+    id: UUID;
+    kind: string;
+    sha256: string;
+    size_bytes: number;
+    original_filename: string | null;
+    storage_url: string;
+    created_at: string;
+    expires_at: string | null;
+}

package/dist/version.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.7.0";
-export declare const USER_AGENT = "edgegate-mcp/0.7.0";
+export declare const VERSION = "0.8.0";
+export declare const USER_AGENT = "edgegate-mcp/0.8.0";

package/dist/version.js

@@ -1,3 +1,3 @@
-export const VERSION = "0.7.0";
+export const VERSION = "0.8.0";
 export const USER_AGENT = `edgegate-mcp/${VERSION}`;
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "edgegate-mcp",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "MCP server for EdgeGate — set up edge-AI regression gates from Claude Code, Cursor, or Claude Desktop.",
   "license": "MIT",
   "type": "module",

package/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "edgegate",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "Edge-AI regression gates from Claude Code — set up CI, run benchmarks, compare runs, export reports, and fetch audit bundles from any prompt.",
   "author": "Frozo / EdgeGate",
   "homepage": "https://edgegate.frozo.ai",
@@ -29,6 +29,7 @@
     "skills/edgegate-connect-huggingface.md",
     "skills/edgegate-connect-qaihub.md",
     "skills/edgegate-workspace-setup.md",
-    "skills/edgegate-members.md"
+    "skills/edgegate-members.md",
+    "skills/edgegate-byo-storage.md"
   ]
 }