open-agents-ai 0.186.71 → 0.186.72
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +23 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2304,6 +2304,29 @@ Both paths enforce:
|
|
|
2304
2304
|
|
|
2305
2305
|
libp2p relay uses GossipSub discovery + NATS (wss://demo.nats.io:8443) for peer announcement. Direct streams via invoke/1.1.0 protocol with payment negotiation (x402). The tunnel fallback uses debounced restarts with exponential cooldown.
|
|
2306
2306
|
|
|
2307
|
+
### Ollama Endpoint Security
|
|
2308
|
+
|
|
2309
|
+
Three independent layers prevent remote peers from accessing destructive Ollama endpoints:
|
|
2310
|
+
|
|
2311
|
+
| Endpoint | Default | `--full` | Sponsor Mode |
|
|
2312
|
+
|----------|---------|----------|-------------|
|
|
2313
|
+
| `/api/chat` (inference) | ALLOWED | ALLOWED | ALLOWED |
|
|
2314
|
+
| `/api/tags` (list models) | ALLOWED | ALLOWED | ALLOWED |
|
|
2315
|
+
| `/v1/chat/completions` | ALLOWED | ALLOWED | ALLOWED |
|
|
2316
|
+
| `/api/pull` (download model) | **BLOCKED** | ALLOWED | **BLOCKED** |
|
|
2317
|
+
| `/api/delete` (delete model) | **BLOCKED** | ALLOWED | **BLOCKED** |
|
|
2318
|
+
| `/api/push` (upload model) | **BLOCKED** | ALLOWED | **BLOCKED** |
|
|
2319
|
+
| `/api/create` (create model) | **BLOCKED** | ALLOWED | **BLOCKED** |
|
|
2320
|
+
| `/api/copy` (copy model) | **BLOCKED** | ALLOWED | **BLOCKED** |
|
|
2321
|
+
|
|
2322
|
+
**Defense-in-depth:**
|
|
2323
|
+
1. **COHERE handler** — Only ever calls `/api/tags` + `/api/chat`. No code path to destructive endpoints.
|
|
2324
|
+
2. **Expose capability handler** — Only forwards inference requests. Auth validated before processing.
|
|
2325
|
+
3. **Expose reverse proxy** — Hardcoded path blocklist returns 403 for all model management endpoints.
|
|
2326
|
+
4. **Sponsor mode** — Whitelist of 6 read-only/inference endpoints only, overrides `--full`.
|
|
2327
|
+
|
|
2328
|
+
The `--full` flag is required to grant remote peers model management access. Sponsor mode always blocks destructive operations regardless of flags. Tool definitions are now forwarded through all relay paths (v0.186.68+).
|
|
2329
|
+
|
|
2307
2330
|
</details>
|
|
2308
2331
|
|
|
2309
2332
|
|
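Review bot: the defense-in-depth list and the table in this hunk disagree on the sponsor-mode allowlist: item 4 says sponsor mode whitelists "6 read-only/inference endpoints", but the table shows only three ALLOWED rows (`/api/chat`, `/api/tags`, `/v1/chat/completions`), so either the table is missing three rows or the count is wrong; enumerate all six so a reader can verify the policy against the code. Item 3 describes layer 3 as a "hardcoded path blocklist", which by construction permits any path not on the list, so the README should state what the reverse proxy does with Ollama paths that appear in neither the ALLOWED nor the BLOCKED rows, and whether the request path is normalized (trailing slash, case, percent-encoding) before it is compared against the list; if the proxy actually denies by default and only the documentation calls it a blocklist, say so, since deny-by-default is the stronger guarantee and the one readers will assume from the "Three independent layers" framing. Minor: the closing sentence about tool definitions being forwarded through all relay paths (v0.186.68+) is unrelated to endpoint security and belongs in its own paragraph or in the changelog rather than under "Ollama Endpoint Security".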
package/package.json
CHANGED