langsmith 0.7.9 → 0.7.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (99) hide show
  1. package/README.md +46 -15
  2. package/dist/_openapi_client/client.cjs +0 -88
  3. package/dist/_openapi_client/client.d.ts +0 -33
  4. package/dist/_openapi_client/client.js +0 -88
  5. package/dist/_openapi_client/internal/headers.d.ts +13 -0
  6. package/dist/_openapi_client/internal/types.d.ts +1 -28
  7. package/dist/_openapi_client/resources/datasets/datasets.d.ts +52 -4
  8. package/dist/_openapi_client/resources/datasets/runs.d.ts +1 -2
  9. package/dist/_openapi_client/resources/index.cjs +1 -23
  10. package/dist/_openapi_client/resources/index.d.ts +0 -11
  11. package/dist/_openapi_client/resources/index.js +0 -11
  12. package/dist/anonymizer/index.cjs +142 -0
  13. package/dist/anonymizer/index.d.ts +45 -0
  14. package/dist/anonymizer/index.js +140 -0
  15. package/dist/client.cjs +26 -1
  16. package/dist/client.d.ts +4 -1
  17. package/dist/client.js +25 -1
  18. package/dist/index.cjs +1 -1
  19. package/dist/index.d.ts +1 -1
  20. package/dist/index.js +1 -1
  21. package/dist/sandbox/client.cjs +5 -8
  22. package/dist/sandbox/client.js +5 -8
  23. package/dist/sandbox/index.cjs +2 -1
  24. package/dist/sandbox/index.d.ts +2 -2
  25. package/dist/sandbox/index.js +1 -1
  26. package/dist/sandbox/mounts.cjs +157 -18
  27. package/dist/sandbox/mounts.d.ts +10 -2
  28. package/dist/sandbox/mounts.js +155 -18
  29. package/dist/sandbox/proxy_config.cjs +19 -44
  30. package/dist/sandbox/proxy_config.d.ts +2 -4
  31. package/dist/sandbox/proxy_config.js +19 -43
  32. package/dist/sandbox/types.d.ts +56 -15
  33. package/dist/utils/constants.cjs +4 -0
  34. package/dist/utils/constants.d.ts +1 -0
  35. package/dist/utils/constants.js +1 -0
  36. package/package.json +2 -2
  37. package/dist/_openapi_client/resources/annotation-queues/annotation-queues.cjs +0 -138
  38. package/dist/_openapi_client/resources/annotation-queues/annotation-queues.d.ts +0 -367
  39. package/dist/_openapi_client/resources/annotation-queues/annotation-queues.js +0 -101
  40. package/dist/_openapi_client/resources/annotation-queues/runs.cjs +0 -46
  41. package/dist/_openapi_client/resources/annotation-queues/runs.d.ts +0 -128
  42. package/dist/_openapi_client/resources/annotation-queues/runs.js +0 -42
  43. package/dist/_openapi_client/resources/commits.cjs +0 -44
  44. package/dist/_openapi_client/resources/commits.d.ts +0 -204
  45. package/dist/_openapi_client/resources/commits.js +0 -40
  46. package/dist/_openapi_client/resources/evaluators.cjs +0 -15
  47. package/dist/_openapi_client/resources/evaluators.d.ts +0 -125
  48. package/dist/_openapi_client/resources/evaluators.js +0 -11
  49. package/dist/_openapi_client/resources/examples/bulk.cjs +0 -24
  50. package/dist/_openapi_client/resources/examples/bulk.d.ts +0 -78
  51. package/dist/_openapi_client/resources/examples/bulk.js +0 -20
  52. package/dist/_openapi_client/resources/examples/examples.cjs +0 -124
  53. package/dist/_openapi_client/resources/examples/examples.d.ts +0 -182
  54. package/dist/_openapi_client/resources/examples/examples.js +0 -87
  55. package/dist/_openapi_client/resources/examples/validate.cjs +0 -21
  56. package/dist/_openapi_client/resources/examples/validate.d.ts +0 -38
  57. package/dist/_openapi_client/resources/examples/validate.js +0 -17
  58. package/dist/_openapi_client/resources/feedback/configs.cjs +0 -24
  59. package/dist/_openapi_client/resources/feedback/configs.d.ts +0 -18
  60. package/dist/_openapi_client/resources/feedback/configs.js +0 -20
  61. package/dist/_openapi_client/resources/feedback/feedback.cjs +0 -98
  62. package/dist/_openapi_client/resources/feedback/feedback.d.ts +0 -275
  63. package/dist/_openapi_client/resources/feedback/feedback.js +0 -61
  64. package/dist/_openapi_client/resources/feedback/tokens.cjs +0 -35
  65. package/dist/_openapi_client/resources/feedback/tokens.d.ts +0 -130
  66. package/dist/_openapi_client/resources/feedback/tokens.js +0 -31
  67. package/dist/_openapi_client/resources/public/datasets.cjs +0 -47
  68. package/dist/_openapi_client/resources/public/datasets.d.ts +0 -152
  69. package/dist/_openapi_client/resources/public/datasets.js +0 -43
  70. package/dist/_openapi_client/resources/public/public.cjs +0 -62
  71. package/dist/_openapi_client/resources/public/public.d.ts +0 -32
  72. package/dist/_openapi_client/resources/public/public.js +0 -25
  73. package/dist/_openapi_client/resources/repos/directories.cjs +0 -40
  74. package/dist/_openapi_client/resources/repos/directories.d.ts +0 -72
  75. package/dist/_openapi_client/resources/repos/directories.js +0 -36
  76. package/dist/_openapi_client/resources/repos/repos.cjs +0 -93
  77. package/dist/_openapi_client/resources/repos/repos.d.ts +0 -188
  78. package/dist/_openapi_client/resources/repos/repos.js +0 -56
  79. package/dist/_openapi_client/resources/runs/rules.cjs +0 -9
  80. package/dist/_openapi_client/resources/runs/rules.d.ts +0 -3
  81. package/dist/_openapi_client/resources/runs/rules.js +0 -5
  82. package/dist/_openapi_client/resources/runs/runs.cjs +0 -102
  83. package/dist/_openapi_client/resources/runs/runs.d.ts +0 -542
  84. package/dist/_openapi_client/resources/runs/runs.js +0 -65
  85. package/dist/_openapi_client/resources/sandboxes/boxes.cjs +0 -86
  86. package/dist/_openapi_client/resources/sandboxes/boxes.d.ts +0 -1121
  87. package/dist/_openapi_client/resources/sandboxes/boxes.js +0 -82
  88. package/dist/_openapi_client/resources/sandboxes/sandboxes.cjs +0 -63
  89. package/dist/_openapi_client/resources/sandboxes/sandboxes.d.ts +0 -13
  90. package/dist/_openapi_client/resources/sandboxes/sandboxes.js +0 -26
  91. package/dist/_openapi_client/resources/sandboxes/snapshots.cjs +0 -39
  92. package/dist/_openapi_client/resources/sandboxes/snapshots.d.ts +0 -130
  93. package/dist/_openapi_client/resources/sandboxes/snapshots.js +0 -35
  94. package/dist/_openapi_client/resources/settings.cjs +0 -15
  95. package/dist/_openapi_client/resources/settings.d.ts +0 -18
  96. package/dist/_openapi_client/resources/settings.js +0 -11
  97. package/dist/_openapi_client/resources/workspaces.cjs +0 -35
  98. package/dist/_openapi_client/resources/workspaces.d.ts +0 -84
  99. package/dist/_openapi_client/resources/workspaces.js +0 -31
@@ -29,7 +29,7 @@
29
29
  * @packageDocumentation
30
30
  */
31
31
  Object.defineProperty(exports, "__esModule", { value: true });
32
- exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.s3Mount = exports.mountConfig = exports.gcsMount = exports.workspaceSecret = exports.proxyConfig = exports.opaqueSecret = exports.gcpAuth = exports.awsAuth = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
32
+ exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.s3Mount = exports.mountConfig = exports.gitMount = exports.gcsMount = exports.workspaceSecret = exports.proxyConfig = exports.opaqueSecret = exports.gcpAuth = exports.awsAuth = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
33
33
  // Main classes
34
34
  var client_js_1 = require("./client.cjs");
35
35
  Object.defineProperty(exports, "SandboxClient", { enumerable: true, get: function () { return client_js_1.SandboxClient; } });
@@ -45,6 +45,7 @@ Object.defineProperty(exports, "proxyConfig", { enumerable: true, get: function
45
45
  Object.defineProperty(exports, "workspaceSecret", { enumerable: true, get: function () { return proxy_config_js_1.workspaceSecret; } });
46
46
  var mounts_js_1 = require("./mounts.cjs");
47
47
  Object.defineProperty(exports, "gcsMount", { enumerable: true, get: function () { return mounts_js_1.gcsMount; } });
48
+ Object.defineProperty(exports, "gitMount", { enumerable: true, get: function () { return mounts_js_1.gitMount; } });
48
49
  Object.defineProperty(exports, "mountConfig", { enumerable: true, get: function () { return mounts_js_1.mountConfig; } });
49
50
  Object.defineProperty(exports, "s3Mount", { enumerable: true, get: function () { return mounts_js_1.s3Mount; } });
50
51
  // Errors
@@ -31,6 +31,6 @@ export { SandboxClient } from "./client.js";
31
31
  export { Sandbox } from "./sandbox.js";
32
32
  export { CommandHandle } from "./command_handle.js";
33
33
  export { awsAuth, gcpAuth, opaqueSecret, proxyConfig, workspaceSecret, } from "./proxy_config.js";
34
- export { gcsMount, mountConfig, s3Mount } from "./mounts.js";
35
- export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxAwsAuthRule, SandboxGcpAuthRule, SandboxMountConfig, SandboxProxyConfig, SandboxProxyRule, SandboxProxySecret, SandboxMount, MountCacheConfig, GCSMountConfig, GCSMountSpec, S3MountConfig, S3MountSpec, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
34
+ export { gcsMount, gitMount, mountConfig, s3Mount } from "./mounts.js";
35
+ export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxAwsAuthRule, SandboxAwsMountAuthConfig, SandboxGcpAuthRule, SandboxGcpMountAuthConfig, SandboxMountAuth, SandboxMountAuthConfig, SandboxMountConfig, SandboxProxyConfig, SandboxProxyRule, SandboxProxySecret, SandboxMount, MountCacheConfig, GCSMountConfig, GCSMountSpec, GitMountConfig, GitMountRefSpec, GitMountSpec, S3MountConfig, S3MountSpec, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
36
36
  export { LangSmithSandboxError, LangSmithSandboxAPIError, LangSmithSandboxAuthenticationError, LangSmithSandboxConnectionError, LangSmithSandboxServerReloadError, LangSmithResourceNotFoundError, LangSmithResourceTimeoutError, LangSmithResourceInUseError, LangSmithResourceAlreadyExistsError, LangSmithResourceNameConflictError, LangSmithValidationError, LangSmithQuotaExceededError, LangSmithResourceCreationError, LangSmithSandboxCreationError, LangSmithSandboxNotReadyError, LangSmithSandboxOperationError, LangSmithCommandTimeoutError, LangSmithDataplaneNotConfiguredError, } from "./errors.js";
@@ -32,7 +32,7 @@ export { SandboxClient } from "./client.js";
32
32
  export { Sandbox } from "./sandbox.js";
33
33
  export { CommandHandle } from "./command_handle.js";
34
34
  export { awsAuth, gcpAuth, opaqueSecret, proxyConfig, workspaceSecret, } from "./proxy_config.js";
35
- export { gcsMount, mountConfig, s3Mount } from "./mounts.js";
35
+ export { gcsMount, gitMount, mountConfig, s3Mount } from "./mounts.js";
36
36
  // Errors
37
37
  export {
38
38
  // Base and connection errors
@@ -1,15 +1,74 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.s3Mount = s3Mount;
4
+ exports.gitMount = gitMount;
4
5
  exports.gcsMount = gcsMount;
5
6
  exports.mountConfig = mountConfig;
6
- const proxy_config_js_1 = require("./proxy_config.cjs");
7
+ exports.validateMountConfigProxyConfig = validateMountConfigProxyConfig;
7
8
  function requireNonEmptyString(value, field) {
8
9
  if (typeof value !== "string" || value.trim() === "") {
9
10
  throw new Error(`${field} must be a non-empty string`);
10
11
  }
11
12
  return value.trim();
12
13
  }
14
+ function copyMountSecret(secret, field) {
15
+ if (secret === null || typeof secret !== "object" || Array.isArray(secret)) {
16
+ throw new Error(`${field} must be a sandbox secret`);
17
+ }
18
+ const candidate = secret;
19
+ if (candidate.type !== "workspace_secret" && candidate.type !== "opaque") {
20
+ throw new Error(`${field} must use workspace_secret or opaque`);
21
+ }
22
+ if (typeof candidate.value !== "string" || candidate.value.trim() === "") {
23
+ throw new Error(`${field}.value must be a non-empty string`);
24
+ }
25
+ return {
26
+ type: candidate.type,
27
+ value: candidate.value,
28
+ };
29
+ }
30
+ function requireGitRemoteUrl(remoteUrl) {
31
+ if (typeof remoteUrl !== "string" || remoteUrl === "") {
32
+ throw new Error("remoteUrl must be a non-empty string");
33
+ }
34
+ if (remoteUrl.trim() !== remoteUrl ||
35
+ /\s/u.test(remoteUrl) ||
36
+ remoteUrl.includes(String.fromCharCode(0))) {
37
+ throw new Error("remoteUrl must not contain whitespace or NUL bytes");
38
+ }
39
+ let parsed;
40
+ try {
41
+ parsed = new URL(remoteUrl);
42
+ }
43
+ catch {
44
+ throw new Error("remoteUrl must be an absolute HTTPS URL");
45
+ }
46
+ if (parsed.protocol !== "https:" || parsed.host === "") {
47
+ throw new Error("remoteUrl must be an absolute HTTPS URL");
48
+ }
49
+ if (parsed.username !== "" || parsed.password !== "") {
50
+ throw new Error("remoteUrl must not include embedded credentials");
51
+ }
52
+ if (parsed.pathname === "" || parsed.pathname === "/") {
53
+ throw new Error("remoteUrl must include a repository path");
54
+ }
55
+ if (parsed.search !== "" || parsed.hash !== "") {
56
+ throw new Error("remoteUrl must not include query or fragment");
57
+ }
58
+ return remoteUrl;
59
+ }
60
+ function copyGitRef(ref) {
61
+ if (ref === null || typeof ref !== "object" || Array.isArray(ref)) {
62
+ throw new Error("ref must be an object");
63
+ }
64
+ if (ref.type !== "branch" && ref.type !== "tag") {
65
+ throw new Error("ref.type must be branch or tag");
66
+ }
67
+ return {
68
+ type: ref.type,
69
+ name: requireNonEmptyString(ref.name, "ref.name"),
70
+ };
71
+ }
13
72
  function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, endpointUrl = "https://s3.amazonaws.com", pathStyle = false, readOnly, cache, }) {
14
73
  const mount = {
15
74
  id: requireNonEmptyString(id, "id"),
@@ -33,6 +92,26 @@ function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, endpoint
33
92
  }
34
93
  return mount;
35
94
  }
95
+ function gitMount({ id, mountPath, remoteUrl, ref, refreshIntervalSeconds, }) {
96
+ const mount = {
97
+ id: requireNonEmptyString(id, "id"),
98
+ type: "git",
99
+ mount_path: requireNonEmptyString(mountPath, "mountPath"),
100
+ git: {
101
+ remote_url: requireGitRemoteUrl(remoteUrl),
102
+ },
103
+ };
104
+ if (ref !== undefined) {
105
+ mount.git.ref = copyGitRef(ref);
106
+ }
107
+ if (refreshIntervalSeconds !== undefined) {
108
+ if (refreshIntervalSeconds < 1) {
109
+ throw new Error("refreshIntervalSeconds must be at least 1");
110
+ }
111
+ mount.git.refresh_interval_seconds = refreshIntervalSeconds;
112
+ }
113
+ return mount;
114
+ }
36
115
  function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }) {
37
116
  const mount = {
38
117
  id: requireNonEmptyString(id, "id"),
@@ -61,35 +140,80 @@ function normalizeMounts(mounts) {
61
140
  if (mount === null || typeof mount !== "object" || Array.isArray(mount)) {
62
141
  throw new Error("mounts must be a non-empty array of mount objects");
63
142
  }
64
- if (mount.type !== "s3" && mount.type !== "gcs") {
65
- throw new Error("mountConfig only supports s3 and gcs mounts");
143
+ if (mount.type !== "s3" && mount.type !== "gcs" && mount.type !== "git") {
144
+ throw new Error("mountConfig only supports s3, gcs, and git mounts");
66
145
  }
146
+ rejectProviderCredentialsInMount(mount);
67
147
  return mount;
68
148
  });
69
149
  }
70
- function normalizeAuthRules(auth) {
150
+ const FORBIDDEN_MOUNT_CREDENTIAL_FIELDS = new Set([
151
+ "access_key_id",
152
+ "secret_access_key",
153
+ "session_token",
154
+ "service_account_json",
155
+ "access_token",
156
+ "refresh_token",
157
+ "credentials",
158
+ "credential",
159
+ ]);
160
+ function rejectProviderCredentialsInMount(value) {
161
+ if (Array.isArray(value)) {
162
+ for (const child of value) {
163
+ rejectProviderCredentialsInMount(child);
164
+ }
165
+ return;
166
+ }
167
+ if (value !== null && typeof value === "object") {
168
+ for (const [key, child] of Object.entries(value)) {
169
+ if (FORBIDDEN_MOUNT_CREDENTIAL_FIELDS.has(key)) {
170
+ throw new Error("provider credentials must be supplied in mountConfig.auth, not individual mount specs");
171
+ }
172
+ rejectProviderCredentialsInMount(child);
173
+ }
174
+ }
175
+ }
176
+ function normalizeMountAuth(auth) {
71
177
  if (!Array.isArray(auth)) {
72
- throw new Error("auth must be an array of provider auth rules");
178
+ throw new Error("auth must be an array of provider auth blocks");
73
179
  }
74
180
  const byProvider = {};
75
- for (const rule of auth) {
76
- if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
77
- throw new Error("auth must be an array of provider auth rules");
181
+ for (const block of auth) {
182
+ if (block === null || typeof block !== "object" || Array.isArray(block)) {
183
+ throw new Error("auth must be an array of provider auth blocks");
78
184
  }
79
- const provider = rule.type;
185
+ const provider = block.type;
80
186
  if (provider !== "aws" && provider !== "gcp") {
81
- throw new Error("mountConfig auth only supports aws and gcp rules");
187
+ throw new Error("mountConfig auth only supports aws and gcp blocks");
82
188
  }
83
189
  if (byProvider[provider] !== undefined) {
84
190
  throw new Error(`duplicate ${provider} auth rule in mountConfig`);
85
191
  }
86
- byProvider[provider] = rule;
192
+ if (provider === "aws") {
193
+ const aws = block.aws;
194
+ if (aws === undefined) {
195
+ throw new Error("aws mount auth must include an aws block");
196
+ }
197
+ byProvider.aws = {
198
+ access_key_id: copyMountSecret(aws.access_key_id, "accessKeyId"),
199
+ secret_access_key: copyMountSecret(aws.secret_access_key, "secretAccessKey"),
200
+ };
201
+ }
202
+ else {
203
+ const gcp = block.gcp;
204
+ if (gcp === undefined) {
205
+ throw new Error("gcp mount auth must include a gcp block");
206
+ }
207
+ byProvider.gcp = {
208
+ service_account_json: copyMountSecret(gcp.service_account_json, "serviceAccountJson"),
209
+ };
210
+ }
87
211
  }
88
212
  return byProvider;
89
213
  }
90
- function mountConfig({ auth, mounts, }) {
214
+ function mountConfig({ auth = [], mounts, }) {
91
215
  const normalizedMounts = normalizeMounts(mounts);
92
- const authByProvider = normalizeAuthRules(auth);
216
+ const authByProvider = normalizeMountAuth(auth);
93
217
  const mountProviders = new Set(normalizedMounts.map((mount) => mount.type));
94
218
  if (mountProviders.has("s3") && authByProvider.aws === undefined) {
95
219
  throw new Error("s3 mounts require aws auth in mountConfig");
@@ -104,11 +228,26 @@ function mountConfig({ auth, mounts, }) {
104
228
  throw new Error("gcp auth requires at least one gcs mount in mountConfig");
105
229
  }
106
230
  return {
231
+ auth: authByProvider,
107
232
  mounts: normalizedMounts,
108
- proxyConfig: (0, proxy_config_js_1.proxyConfig)({
109
- rules: ["aws", "gcp"]
110
- .map((provider) => authByProvider[provider])
111
- .filter((rule) => rule !== undefined),
112
- }),
113
233
  };
114
234
  }
235
+ function validateMountConfigProxyConfig(mountConfig, proxyConfig) {
236
+ if (proxyConfig === undefined) {
237
+ return;
238
+ }
239
+ const rules = proxyConfig.rules ?? [];
240
+ if (!Array.isArray(rules)) {
241
+ throw new Error("proxyConfig rules must be an array");
242
+ }
243
+ for (const rule of rules) {
244
+ if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
245
+ continue;
246
+ }
247
+ const ruleType = rule.type;
248
+ if ((ruleType === "aws" || ruleType === "gcp") &&
249
+ mountConfig.auth[ruleType] !== undefined) {
250
+ throw new Error(`${ruleType} auth cannot be provided in both mountConfig and proxyConfig`);
251
+ }
252
+ }
253
+ }
@@ -1,4 +1,4 @@
1
- import type { GCSMountSpec, MountCacheConfig, S3MountSpec, SandboxMount, SandboxMountConfig, SandboxProxyRule } from "./types.js";
1
+ import type { GCSMountSpec, GitMountRefSpec, GitMountSpec, MountCacheConfig, S3MountSpec, SandboxMount, SandboxMountAuth, SandboxMountConfig, SandboxProxyConfig } from "./types.js";
2
2
  export declare function s3Mount({ id, mountPath, bucket, region, prefix, endpointUrl, pathStyle, readOnly, cache, }: {
3
3
  id: string;
4
4
  mountPath: string;
@@ -10,6 +10,13 @@ export declare function s3Mount({ id, mountPath, bucket, region, prefix, endpoin
10
10
  readOnly?: boolean;
11
11
  cache?: MountCacheConfig;
12
12
  }): S3MountSpec;
13
+ export declare function gitMount({ id, mountPath, remoteUrl, ref, refreshIntervalSeconds, }: {
14
+ id: string;
15
+ mountPath: string;
16
+ remoteUrl: string;
17
+ ref?: GitMountRefSpec;
18
+ refreshIntervalSeconds?: number;
19
+ }): GitMountSpec;
13
20
  export declare function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }: {
14
21
  id: string;
15
22
  mountPath: string;
@@ -19,6 +26,7 @@ export declare function gcsMount({ id, mountPath, bucket, prefix, readOnly, cach
19
26
  cache?: MountCacheConfig;
20
27
  }): GCSMountSpec;
21
28
  export declare function mountConfig({ auth, mounts, }: {
22
- auth: SandboxProxyRule[];
29
+ auth?: SandboxMountAuth[];
23
30
  mounts: SandboxMount[];
24
31
  }): SandboxMountConfig;
32
+ export declare function validateMountConfigProxyConfig(mountConfig: SandboxMountConfig, proxyConfig: SandboxProxyConfig | undefined): void;
@@ -1,10 +1,67 @@
1
- import { proxyConfig } from "./proxy_config.js";
2
1
  function requireNonEmptyString(value, field) {
3
2
  if (typeof value !== "string" || value.trim() === "") {
4
3
  throw new Error(`${field} must be a non-empty string`);
5
4
  }
6
5
  return value.trim();
7
6
  }
7
+ function copyMountSecret(secret, field) {
8
+ if (secret === null || typeof secret !== "object" || Array.isArray(secret)) {
9
+ throw new Error(`${field} must be a sandbox secret`);
10
+ }
11
+ const candidate = secret;
12
+ if (candidate.type !== "workspace_secret" && candidate.type !== "opaque") {
13
+ throw new Error(`${field} must use workspace_secret or opaque`);
14
+ }
15
+ if (typeof candidate.value !== "string" || candidate.value.trim() === "") {
16
+ throw new Error(`${field}.value must be a non-empty string`);
17
+ }
18
+ return {
19
+ type: candidate.type,
20
+ value: candidate.value,
21
+ };
22
+ }
23
+ function requireGitRemoteUrl(remoteUrl) {
24
+ if (typeof remoteUrl !== "string" || remoteUrl === "") {
25
+ throw new Error("remoteUrl must be a non-empty string");
26
+ }
27
+ if (remoteUrl.trim() !== remoteUrl ||
28
+ /\s/u.test(remoteUrl) ||
29
+ remoteUrl.includes(String.fromCharCode(0))) {
30
+ throw new Error("remoteUrl must not contain whitespace or NUL bytes");
31
+ }
32
+ let parsed;
33
+ try {
34
+ parsed = new URL(remoteUrl);
35
+ }
36
+ catch {
37
+ throw new Error("remoteUrl must be an absolute HTTPS URL");
38
+ }
39
+ if (parsed.protocol !== "https:" || parsed.host === "") {
40
+ throw new Error("remoteUrl must be an absolute HTTPS URL");
41
+ }
42
+ if (parsed.username !== "" || parsed.password !== "") {
43
+ throw new Error("remoteUrl must not include embedded credentials");
44
+ }
45
+ if (parsed.pathname === "" || parsed.pathname === "/") {
46
+ throw new Error("remoteUrl must include a repository path");
47
+ }
48
+ if (parsed.search !== "" || parsed.hash !== "") {
49
+ throw new Error("remoteUrl must not include query or fragment");
50
+ }
51
+ return remoteUrl;
52
+ }
53
+ function copyGitRef(ref) {
54
+ if (ref === null || typeof ref !== "object" || Array.isArray(ref)) {
55
+ throw new Error("ref must be an object");
56
+ }
57
+ if (ref.type !== "branch" && ref.type !== "tag") {
58
+ throw new Error("ref.type must be branch or tag");
59
+ }
60
+ return {
61
+ type: ref.type,
62
+ name: requireNonEmptyString(ref.name, "ref.name"),
63
+ };
64
+ }
8
65
  export function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, endpointUrl = "https://s3.amazonaws.com", pathStyle = false, readOnly, cache, }) {
9
66
  const mount = {
10
67
  id: requireNonEmptyString(id, "id"),
@@ -28,6 +85,26 @@ export function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, e
28
85
  }
29
86
  return mount;
30
87
  }
88
+ export function gitMount({ id, mountPath, remoteUrl, ref, refreshIntervalSeconds, }) {
89
+ const mount = {
90
+ id: requireNonEmptyString(id, "id"),
91
+ type: "git",
92
+ mount_path: requireNonEmptyString(mountPath, "mountPath"),
93
+ git: {
94
+ remote_url: requireGitRemoteUrl(remoteUrl),
95
+ },
96
+ };
97
+ if (ref !== undefined) {
98
+ mount.git.ref = copyGitRef(ref);
99
+ }
100
+ if (refreshIntervalSeconds !== undefined) {
101
+ if (refreshIntervalSeconds < 1) {
102
+ throw new Error("refreshIntervalSeconds must be at least 1");
103
+ }
104
+ mount.git.refresh_interval_seconds = refreshIntervalSeconds;
105
+ }
106
+ return mount;
107
+ }
31
108
  export function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }) {
32
109
  const mount = {
33
110
  id: requireNonEmptyString(id, "id"),
@@ -56,35 +133,80 @@ function normalizeMounts(mounts) {
56
133
  if (mount === null || typeof mount !== "object" || Array.isArray(mount)) {
57
134
  throw new Error("mounts must be a non-empty array of mount objects");
58
135
  }
59
- if (mount.type !== "s3" && mount.type !== "gcs") {
60
- throw new Error("mountConfig only supports s3 and gcs mounts");
136
+ if (mount.type !== "s3" && mount.type !== "gcs" && mount.type !== "git") {
137
+ throw new Error("mountConfig only supports s3, gcs, and git mounts");
61
138
  }
139
+ rejectProviderCredentialsInMount(mount);
62
140
  return mount;
63
141
  });
64
142
  }
65
- function normalizeAuthRules(auth) {
143
+ const FORBIDDEN_MOUNT_CREDENTIAL_FIELDS = new Set([
144
+ "access_key_id",
145
+ "secret_access_key",
146
+ "session_token",
147
+ "service_account_json",
148
+ "access_token",
149
+ "refresh_token",
150
+ "credentials",
151
+ "credential",
152
+ ]);
153
+ function rejectProviderCredentialsInMount(value) {
154
+ if (Array.isArray(value)) {
155
+ for (const child of value) {
156
+ rejectProviderCredentialsInMount(child);
157
+ }
158
+ return;
159
+ }
160
+ if (value !== null && typeof value === "object") {
161
+ for (const [key, child] of Object.entries(value)) {
162
+ if (FORBIDDEN_MOUNT_CREDENTIAL_FIELDS.has(key)) {
163
+ throw new Error("provider credentials must be supplied in mountConfig.auth, not individual mount specs");
164
+ }
165
+ rejectProviderCredentialsInMount(child);
166
+ }
167
+ }
168
+ }
169
+ function normalizeMountAuth(auth) {
66
170
  if (!Array.isArray(auth)) {
67
- throw new Error("auth must be an array of provider auth rules");
171
+ throw new Error("auth must be an array of provider auth blocks");
68
172
  }
69
173
  const byProvider = {};
70
- for (const rule of auth) {
71
- if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
72
- throw new Error("auth must be an array of provider auth rules");
174
+ for (const block of auth) {
175
+ if (block === null || typeof block !== "object" || Array.isArray(block)) {
176
+ throw new Error("auth must be an array of provider auth blocks");
73
177
  }
74
- const provider = rule.type;
178
+ const provider = block.type;
75
179
  if (provider !== "aws" && provider !== "gcp") {
76
- throw new Error("mountConfig auth only supports aws and gcp rules");
180
+ throw new Error("mountConfig auth only supports aws and gcp blocks");
77
181
  }
78
182
  if (byProvider[provider] !== undefined) {
79
183
  throw new Error(`duplicate ${provider} auth rule in mountConfig`);
80
184
  }
81
- byProvider[provider] = rule;
185
+ if (provider === "aws") {
186
+ const aws = block.aws;
187
+ if (aws === undefined) {
188
+ throw new Error("aws mount auth must include an aws block");
189
+ }
190
+ byProvider.aws = {
191
+ access_key_id: copyMountSecret(aws.access_key_id, "accessKeyId"),
192
+ secret_access_key: copyMountSecret(aws.secret_access_key, "secretAccessKey"),
193
+ };
194
+ }
195
+ else {
196
+ const gcp = block.gcp;
197
+ if (gcp === undefined) {
198
+ throw new Error("gcp mount auth must include a gcp block");
199
+ }
200
+ byProvider.gcp = {
201
+ service_account_json: copyMountSecret(gcp.service_account_json, "serviceAccountJson"),
202
+ };
203
+ }
82
204
  }
83
205
  return byProvider;
84
206
  }
85
- export function mountConfig({ auth, mounts, }) {
207
+ export function mountConfig({ auth = [], mounts, }) {
86
208
  const normalizedMounts = normalizeMounts(mounts);
87
- const authByProvider = normalizeAuthRules(auth);
209
+ const authByProvider = normalizeMountAuth(auth);
88
210
  const mountProviders = new Set(normalizedMounts.map((mount) => mount.type));
89
211
  if (mountProviders.has("s3") && authByProvider.aws === undefined) {
90
212
  throw new Error("s3 mounts require aws auth in mountConfig");
@@ -99,11 +221,26 @@ export function mountConfig({ auth, mounts, }) {
99
221
  throw new Error("gcp auth requires at least one gcs mount in mountConfig");
100
222
  }
101
223
  return {
224
+ auth: authByProvider,
102
225
  mounts: normalizedMounts,
103
- proxyConfig: proxyConfig({
104
- rules: ["aws", "gcp"]
105
- .map((provider) => authByProvider[provider])
106
- .filter((rule) => rule !== undefined),
107
- }),
108
226
  };
109
227
  }
228
+ export function validateMountConfigProxyConfig(mountConfig, proxyConfig) {
229
+ if (proxyConfig === undefined) {
230
+ return;
231
+ }
232
+ const rules = proxyConfig.rules ?? [];
233
+ if (!Array.isArray(rules)) {
234
+ throw new Error("proxyConfig rules must be an array");
235
+ }
236
+ for (const rule of rules) {
237
+ if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
238
+ continue;
239
+ }
240
+ const ruleType = rule.type;
241
+ if ((ruleType === "aws" || ruleType === "gcp") &&
242
+ mountConfig.auth[ruleType] !== undefined) {
243
+ throw new Error(`${ruleType} auth cannot be provided in both mountConfig and proxyConfig`);
244
+ }
245
+ }
246
+ }
@@ -3,14 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.workspaceSecret = workspaceSecret;
4
4
  exports.opaqueSecret = opaqueSecret;
5
5
  exports.proxyConfig = proxyConfig;
6
- exports.mergeProxyConfigs = mergeProxyConfigs;
7
6
  exports.awsAuth = awsAuth;
8
7
  exports.gcpAuth = gcpAuth;
9
- const DEFAULT_GCP_AUTH_MATCH_HOSTS = [
10
- "storage.googleapis.com",
11
- "www.googleapis.com",
12
- ];
13
- const PROVIDER_RULE_TYPES = new Set(["aws", "gcp"]);
14
8
  function requireNonEmptyString(value, field) {
15
9
  if (typeof value !== "string" || value.trim() === "") {
16
10
  throw new Error(`${field} must be a non-empty string`);
@@ -34,9 +28,20 @@ function requireProxyRules(rules) {
34
28
  if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
35
29
  throw new Error("rules must be an array of proxy rule objects");
36
30
  }
31
+ validateProxyProviderRule(rule);
37
32
  return rule;
38
33
  });
39
34
  }
35
+ function validateProxyProviderRule(rule) {
36
+ if (rule.type !== "gcp") {
37
+ return;
38
+ }
39
+ const gcp = rule.gcp;
40
+ if (gcp === undefined || gcp.scopes === undefined) {
41
+ throw new Error("gcp proxy auth rules require scopes");
42
+ }
43
+ requireNonEmptyStringArray(gcp.scopes, "scopes");
44
+ }
40
45
  /** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
41
46
  function workspaceSecret(name) {
42
47
  const normalized = requireNonEmptyString(name, "name");
@@ -73,38 +78,6 @@ function proxyConfig({ rules, noProxy, accessControl, } = {}) {
73
78
  }
74
79
  return config;
75
80
  }
76
- function providerRuleTypes(config) {
77
- const providers = new Set();
78
- for (const rule of config.rules ?? []) {
79
- if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
80
- continue;
81
- }
82
- const ruleType = rule.type;
83
- if (typeof ruleType === "string" && PROVIDER_RULE_TYPES.has(ruleType)) {
84
- providers.add(ruleType);
85
- }
86
- }
87
- return providers;
88
- }
89
- function mergeProxyConfigs(generatedConfig, explicitConfig) {
90
- if (generatedConfig === undefined) {
91
- return explicitConfig;
92
- }
93
- if (explicitConfig === undefined) {
94
- return generatedConfig;
95
- }
96
- const generatedProviders = providerRuleTypes(generatedConfig);
97
- for (const provider of providerRuleTypes(explicitConfig)) {
98
- if (generatedProviders.has(provider)) {
99
- throw new Error(`${provider} auth cannot be provided in both mountConfig and proxyConfig`);
100
- }
101
- }
102
- return {
103
- ...generatedConfig,
104
- ...explicitConfig,
105
- rules: [...(generatedConfig.rules ?? []), ...(explicitConfig.rules ?? [])],
106
- };
107
- }
108
81
  /** Build a sandbox proxy rule that signs AWS HTTPS requests with SigV4. */
109
82
  function awsAuth({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
110
83
  return {
@@ -118,15 +91,17 @@ function awsAuth({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }
118
91
  };
119
92
  }
120
93
  /** Build a sandbox proxy rule that injects GCP OAuth bearer auth. */
121
- function gcpAuth({ serviceAccountJson, scopes, matchHosts = DEFAULT_GCP_AUTH_MATCH_HOSTS, name = "gcp", enabled = true, }) {
94
+ function gcpAuth({ serviceAccountJson, scopes, name = "gcp", enabled = true, }) {
95
+ const gcp = {
96
+ service_account_json: serviceAccountJson,
97
+ };
98
+ if (scopes !== undefined) {
99
+ gcp.scopes = requireNonEmptyStringArray(scopes, "scopes");
100
+ }
122
101
  return {
123
102
  name: requireNonEmptyString(name, "name"),
124
103
  type: "gcp",
125
104
  enabled,
126
- match_hosts: requireNonEmptyStringArray(matchHosts, "matchHosts"),
127
- gcp: {
128
- service_account_json: serviceAccountJson,
129
- scopes: requireNonEmptyStringArray(scopes, "scopes"),
130
- },
105
+ gcp,
131
106
  };
132
107
  }
@@ -9,7 +9,6 @@ export declare function proxyConfig({ rules, noProxy, accessControl, }?: {
9
9
  noProxy?: string[];
10
10
  accessControl?: SandboxAccessControl;
11
11
  }): SandboxProxyConfig;
12
- export declare function mergeProxyConfigs(generatedConfig: SandboxProxyConfig | undefined, explicitConfig: SandboxProxyConfig | undefined): SandboxProxyConfig | undefined;
13
12
  /** Build a sandbox proxy rule that signs AWS HTTPS requests with SigV4. */
14
13
  export declare function awsAuth({ accessKeyId, secretAccessKey, name, enabled, }: {
15
14
  accessKeyId: SandboxProxySecret;
@@ -18,10 +17,9 @@ export declare function awsAuth({ accessKeyId, secretAccessKey, name, enabled, }
18
17
  enabled?: boolean;
19
18
  }): SandboxAwsAuthRule;
20
19
  /** Build a sandbox proxy rule that injects GCP OAuth bearer auth. */
21
- export declare function gcpAuth({ serviceAccountJson, scopes, matchHosts, name, enabled, }: {
20
+ export declare function gcpAuth({ serviceAccountJson, scopes, name, enabled, }: {
22
21
  serviceAccountJson: SandboxProxySecret;
23
- scopes: string[];
24
- matchHosts?: string[];
22
+ scopes?: string[];
25
23
  name?: string;
26
24
  enabled?: boolean;
27
25
  }): SandboxGcpAuthRule;