npm - la-machina-engine - Versions diffs - 0.14.0 → 0.15.0 - Mend

la-machina-engine 0.14.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1271,6 +1271,13 @@ var ApiEndpointSchema = import_zod.z.object({
   inputSchema: import_zod.z.unknown().optional(),
   outputHint: import_zod.z.string().optional()
 }).strict();
+var HEADER_NAME_RE = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
+var RESERVED_HEADER_NAMES = /* @__PURE__ */ new Set([
+  "authorization",
+  "cookie",
+  "set-cookie",
+  "proxy-authorization"
+]);
 var ApiServiceSchema = import_zod.z.object({
   name: import_zod.z.string().min(1),
   description: import_zod.z.string().optional(),
@@ -1282,8 +1289,39 @@ var ApiServiceSchema = import_zod.z.object({
   allowedMethods: import_zod.z.array(ApiHttpMethodEnum).optional(),
   defaultHeaders: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional(),
   maxBodyBytes: import_zod.z.number().int().positive().optional(),
-  endpoints: import_zod.z.array(ApiEndpointSchema).optional()
-}).strict();
+  endpoints: import_zod.z.array(ApiEndpointSchema).optional(),
+  secretHeaders: import_zod.z.record(import_zod.z.string(), import_zod.z.string().min(1)).optional()
+}).strict().superRefine((svc, ctx) => {
+  if (svc.secretHeaders === void 0) return;
+  const lowerDefault = /* @__PURE__ */ new Set();
+  for (const k of Object.keys(svc.defaultHeaders ?? {})) lowerDefault.add(k.toLowerCase());
+  for (const headerName of Object.keys(svc.secretHeaders)) {
+    if (!HEADER_NAME_RE.test(headerName)) {
+      ctx.addIssue({
+        code: "custom",
+        message: `secretHeaders key "${headerName}" is not a valid HTTP header name (RFC 7230 token charset)`,
+        path: ["secretHeaders", headerName]
+      });
+      continue;
+    }
+    const lower = headerName.toLowerCase();
+    if (RESERVED_HEADER_NAMES.has(lower)) {
+      ctx.addIssue({
+        code: "custom",
+        message: `secretHeaders key "${headerName}" is reserved \u2014 primary \`auth\` owns ${headerName}`,
+        path: ["secretHeaders", headerName]
+      });
+      continue;
+    }
+    if (lowerDefault.has(lower)) {
+      ctx.addIssue({
+        code: "custom",
+        message: `secretHeaders key "${headerName}" collides with defaultHeaders (case-insensitive). Move the secret-bearing version to secretHeaders only.`,
+        path: ["secretHeaders", headerName]
+      });
+    }
+  }
+});
 var ApiCatalogModeEnum = import_zod.z.enum(["eager", "lazy", "auto"]);
 var ApiConfigResolved = import_zod.z.object({
   services: import_zod.z.array(ApiServiceSchema),
@@ -8380,6 +8418,12 @@ function createApiCallTool(opts) {
         `createApiCallTool: service "${svc.name}" uses custom auth (id: ${svc.auth.id}) but no resolveAuth was supplied`
       );
     }
+    const hasSecretHeaders = svc.secretHeaders !== void 0 && Object.keys(svc.secretHeaders).length > 0;
+    if (hasSecretHeaders && opts.resolveAuth === void 0) {
+      throw new Error(
+        `createApiCallTool: service "${svc.name}" declares secretHeaders but no resolveAuth was supplied (the resolver is required to look up the secret values)`
+      );
+    }
   }
   const fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
   const maxResponseBytes = opts.maxResponseBytes ?? DEFAULT_MAX_RESPONSE_BYTES;
@@ -8444,13 +8488,20 @@ function createApiCallTool(opts) {
           return errResult(`ERR_API_BODY_TOO_LARGE: exceeds ${cap} bytes`);
         }
       }
+      const secretHeaderRefs = svc.secretHeaders !== void 0 && Object.keys(svc.secretHeaders).length > 0 ? svc.secretHeaders : void 0;
       let authHeaders;
       try {
         authHeaders = await resolveAuth({
           auth: svc.auth ?? { type: "none" },
           env: opts.env,
           resolver: opts.resolveAuth,
-          ctx: { serviceName: svc.name, method: input.method, path: input.path }
+          ctx: {
+            serviceName: svc.name,
+            method: input.method,
+            path: input.path,
+            ...secretHeaderRefs !== void 0 ? { secretHeaderRefs } : {}
+          },
+          forceResolve: secretHeaderRefs !== void 0
         });
       } catch (err) {
         const raw2 = err instanceof Error ? err.message : String(err);
@@ -8559,22 +8610,27 @@ function sanitizeHeaders(user, auth) {
   return out;
 }
 async function resolveAuth(args) {
-  const { auth, env, resolver, ctx } = args;
+  const { auth, env, resolver, ctx, forceResolve } = args;
+  let primary;
   switch (auth.type) {
     case "none":
-      return {};
+      primary = {};
+      break;
     case "bearer": {
       const token = envLookup(env, auth.tokenRef);
-      return { Authorization: `Bearer ${token}` };
+      primary = { Authorization: `Bearer ${token}` };
+      break;
     }
     case "header": {
       const value = envLookup(env, auth.valueRef);
-      return { [auth.name]: value };
+      primary = { [auth.name]: value };
+      break;
     }
     case "basic": {
       const u = envLookup(env, auth.userRef);
       const p = envLookup(env, auth.passRef);
-      return { Authorization: `Basic ${base64(`${u}:${p}`)}` };
+      primary = { Authorization: `Basic ${base64(`${u}:${p}`)}` };
+      break;
     }
     case "custom":
       if (resolver === void 0) {
@@ -8582,6 +8638,14 @@ async function resolveAuth(args) {
       }
       return resolver(auth, ctx);
   }
+  if (forceResolve === true) {
+    if (resolver === void 0) {
+      throw new Error("secretHeaders require a resolveAuth callback (host did not supply one)");
+    }
+    const extra = await resolver(auth, ctx);
+    return { ...primary, ...extra };
+  }
+  return primary;
 }
 function envLookup(env, ref) {
   if (env === void 0 || env[ref] === void 0) {