agentnode-sdk 0.12.0__tar.gz → 0.13.0__tar.gz

{agentnode_sdk-0.12.0 → agentnode_sdk-0.13.0}/CHANGELOG.md

@@ -1,5 +1,81 @@
 # Changelog
 
+## 0.13.0 — Credential vault for LLM providers
+
+### Added
+
+- **OS-keychain credential storage:** `agentnode auth set openai|anthropic|openrouter`
+  now stores the key in the OS keychain (Windows Credential Manager, macOS
+  Keychain, Linux Secret Service). `credentials.json` keeps only non-secret
+  metadata for keychain-backed entries. If no keychain is available (e.g.
+  headless Linux/CI), storage falls back to the plaintext file (0600) — and
+  says so honestly.
+- **The LLM runtime now reads stored credentials:** `_auto_detect_llm` falls
+  back to the credential store when no env var is set — `agentnode auth set
+  openai` is finally picked up by host agents AND the sandboxed-agent LLM
+  broker (the key still never enters the sandbox container).
+- `agentnode auth test <provider>` — validates the effective key via a free
+  provider endpoint (no completion call, no cost). Exit codes: 0 valid,
+  1 rejected, 2 not configured, 3 indeterminate (network errors are never
+  reported as "invalid").
+- `agentnode auth set <provider> --from-env ENV_VAR` — import an existing
+  environment key into the store.
+- `llm.default_provider` config key — which stored credential to try first
+  (`openai`, `anthropic`, `openrouter`). OpenRouter bindings pin the
+  namespaced default model (`openai/gpt-4o-mini`).
+
+### Changed
+
+- `agentnode auth status` now leads with an LLM-provider section showing the
+  storage backend and the EFFECTIVE source per provider — including an
+  explicit "env var X — overrides stored credential" callout when an
+  environment variable shadows a stored key.
+- `agentnode auth list` shows a storage column (OS keychain / plaintext file).
+- Environment variables (and `~/.agentnode/.env`) always override stored
+  credentials — explicit/CI intent wins.
+
+### Hardened
+
+- Keys are never printed (masked last-4 only), never logged (provider/backend
+  errors are reported by type, never message), never echoed from provider
+  responses, and never enter the sandbox container, audit records, manifests,
+  or lockfiles. `auth test` never accepts a key as a CLI argument.
+- Keychain access is probed once per process with a timeout — a locked or
+  hanging Secret Service degrades cleanly to file storage instead of blocking.
+
+### Upgrade Notes
+
+- New dependency: `keyring>=24` (pure Python, installed automatically).
+- Honest scope of the OS keychain: it protects against other local users and
+  accidental file exposure; it does NOT protect against programs running as
+  the same user. The fallback is a plaintext file (0600) when no keychain is
+  available — neither mode is "encrypted at rest by AgentNode".
+- Existing plaintext credentials keep working unchanged. Nothing migrates on
+  read; a credential moves into the keychain the next time you `auth set` it.
+- No breaking changes.
+
+## 0.12.1 — agent_sandbox config fix
+
+### Fixed
+
+- **`agent_sandbox` config section was stripped during `load_config()`.** The
+  config loader rebuilt the file from defaults and silently dropped a
+  hand-written `agent_sandbox` section, so the documented
+  `agent_sandbox.enabled: true` config path never took effect (only the
+  `AGENTNODE_AGENT_SANDBOX` env var worked), and the host LLM ceiling
+  (`agent_sandbox.llm.*`) never reached policy resolution. Both now survive
+  loading; the nested `llm` ceiling is passed through verbatim.
+- **`agentnode config set agent_sandbox.enabled true|false` now works** (the
+  key was missing from the allowed-keys whitelist) and stores a **real
+  boolean** — previously a stored string `"false"` would have been truthy,
+  i.e. read as enabled.
+
+### Upgrade Notes
+
+- No breaking changes. No behavior change unless you use the `agent_sandbox`
+  config path; the env var `AGENTNODE_AGENT_SANDBOX` behaves exactly as
+  before. The agent sandbox remains **default OFF**.
+
 ## 0.12.0 — Sandboxed community agents (flag-gated)
 
 ### Added

{agentnode_sdk-0.12.0 → agentnode_sdk-0.13.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentnode-sdk
-Version: 0.12.0
+Version: 0.13.0
 Summary: Python SDK for AgentNode — the open upgrade and discovery infrastructure for AI agents.
 Project-URL: Homepage, https://agentnode.net
 Project-URL: Repository, https://github.com/agentnode-ai/agentnode
@@ -16,6 +16,7 @@ Classifier: Topic :: Software Development :: Libraries
 Requires-Python: >=3.10
 Requires-Dist: cryptography>=41.0
 Requires-Dist: httpx>=0.25
+Requires-Dist: keyring>=24
 Requires-Dist: mcp>=1.0.0
 Requires-Dist: pyyaml>=6.0
 Provides-Extra: dev

{agentnode_sdk-0.12.0 → agentnode_sdk-0.13.0}/agentnode_sdk/__init__.py

@@ -38,7 +38,7 @@ from agentnode_sdk.runtime import AgentNodeRuntime
 Client = AgentNodeClient
 ToolError = AgentNodeToolError
 
-__version__ = "0.12.0"
+__version__ = "0.13.0"
 __all__ = [
     "AgentNode",
     "AsyncAgentNode",

agentnode_sdk-0.13.0/agentnode_sdk/cli/auth.py

@@ -0,0 +1,243 @@
+"""agentnode auth — credential management CLI.
+
+Secrets are entered via getpass (never argv, never echoed) and only ever
+shown masked (last 4 chars). Storage labels are honest: "OS keychain" or
+"plaintext file" — never "encrypted"."""
+from __future__ import annotations
+
+import getpass
+import os
+import sys
+
+from agentnode_sdk.credential_store import (
+    LLM_PROVIDER_ENV,
+    has_credential,
+    list_credentials,
+    load_credentials,
+    remove_credential,
+    set_credential,
+)
+from agentnode_sdk.installer import read_lockfile
+from agentnode_sdk.cli.output import bold, dim, section
+
+
+def _masked(token: str) -> str:
+    """Only ever show the last 4 chars of a secret."""
+    return "..." + token[-4:] if len(token) >= 8 else "..."
+
+
+def _storage_short(storage: str) -> str:
+    return "OS keychain" if storage == "keyring" else "plaintext file"
+
+
+def _llm_effective_source(provider: str) -> tuple[str | None, str]:
+    """(effective key or None, human-readable source) for an LLM provider.
+
+    Mirrors the runtime's resolution: env (incl. ~/.agentnode/.env) overrides
+    the stored credential. Uses metadata only for the stored check here —
+    the real keychain read happens in ``auth test``."""
+    from agentnode_sdk.runtimes.agent_runner import _load_agentnode_env
+    _load_agentnode_env()
+
+    env_var = LLM_PROVIDER_ENV[provider]
+    env_key = os.environ.get(env_var) or None
+    meta = load_credentials().get("providers", {}).get(provider)
+    stored = isinstance(meta, dict)
+    storage = (meta or {}).get("storage", "file")
+
+    if env_key and stored:
+        return env_key, f"env var {env_var} — overrides stored credential"
+    if env_key:
+        return env_key, f"env var {env_var}"
+    if stored:
+        return None, _storage_short(storage)
+    return None, "not configured"
+
+
+def _resolve_auth_type(provider: str) -> str:
+    """Read auth_type from lockfile connector entry. Falls back to 'api_key'.
+
+    If multiple installed connectors share a provider with different auth
+    types, this returns the first match — may need disambiguation later.
+    """
+    lock = read_lockfile()
+    for _slug, info in lock.get("packages", {}).items():
+        connector = info.get("connector")
+        if isinstance(connector, dict) and connector.get("provider", "").lower() == provider:
+            return connector.get("auth_type", "api_key")
+    return "api_key"
+
+
+def cmd_auth_set(provider: str, from_env: str | None = None) -> int:
+    provider = provider.lower().strip()
+    if not provider:
+        print("  Error: provider name required.", file=sys.stderr)
+        return 1
+    if from_env:
+        # Import an existing env key (also honors ~/.agentnode/.env). A flag,
+        # not a prompt — keeps piped-stdin flows intact.
+        from agentnode_sdk.runtimes.agent_runner import _load_agentnode_env
+        _load_agentnode_env()
+        token = (os.environ.get(from_env) or "").strip()
+        if not token:
+            print(f"  Error: environment variable {from_env} is not set.", file=sys.stderr)
+            return 1
+    else:
+        try:
+            token = getpass.getpass(f"  Enter access token for {provider}: ")
+        except (KeyboardInterrupt, EOFError):
+            print("\n  Cancelled.")
+            return 130
+        token = token.strip()
+        if not token:
+            print("  Error: no token provided.", file=sys.stderr)
+            return 1
+    auth_type = _resolve_auth_type(provider)
+    storage = set_credential(provider, token, auth_type=auth_type)
+    if storage == "keyring":
+        where = "OS keychain"
+    else:
+        where = "plaintext file (0600) — OS keychain unavailable on this system"
+    print(f"\n  Credential stored for {provider} ({_masked(token)}) — storage: {where}.\n")
+    return 0
+
+
+def cmd_auth_list() -> int:
+    creds = list_credentials()
+    if not creds:
+        print("\n  No credentials configured.")
+        print(dim("  Run `agentnode auth set <provider>` to store a credential.\n"))
+        return 0
+    print()
+    print(section("Credentials"))
+    print(f"  {'Provider':<14}{'Auth type':<13}{'Storage':<16}{'Stored'}")
+    print(f"  {'--------':<14}{'--------':<13}{'-------':<16}{'------'}")
+    for provider, info in sorted(creds.items()):
+        stored = info.get("stored_at", "")[:10]
+        auth_type = info.get("auth_type", "unknown")
+        storage = _storage_short(info.get("storage", "file"))
+        print(f"  {provider:<14}{auth_type:<13}{storage:<16}{stored}")
+    print(f"\n  {len(creds)} credential(s) configured.\n")
+    return 0
+
+
+def cmd_auth_remove(provider: str) -> int:
+    provider = provider.lower().strip()
+    if remove_credential(provider):
+        print(f"\n  Removed credential for {provider}.\n")
+        return 0
+    print(f"\n  No credential found for {provider}.\n")
+    return 1
+
+
+def cmd_auth_status() -> int:
+    # --- LLM providers (host runtime / sandbox broker) -----------------------
+    print()
+    print(section("LLM Providers"))
+    print(f"  {'Provider':<14}{'Status':<16}{'Effective source'}")
+    print(f"  {'--------':<14}{'------':<16}{'----------------'}")
+    for provider in sorted(LLM_PROVIDER_ENV):
+        key, source = _llm_effective_source(provider)
+        configured = key is not None or source not in ("not configured",)
+        status = "configured" if configured else "missing"
+        print(f"  {provider:<14}{status:<16}{source}")
+    print(dim("  Env vars always override stored credentials. "
+              "Test a key: agentnode auth test <provider>"))
+
+    # --- connector packages (unchanged) --------------------------------------
+    lock = read_lockfile()
+    pkgs = lock.get("packages", {})
+
+    # Collect provider → list of slugs
+    provider_packages: dict[str, list[str]] = {}
+    for slug, info in pkgs.items():
+        connector = info.get("connector")
+        if isinstance(connector, dict) and connector.get("provider"):
+            provider = connector["provider"].lower().strip()
+            provider_packages.setdefault(provider, []).append(slug)
+
+    if not provider_packages:
+        print("\n  No installed packages require connector credentials.\n")
+        return 0
+
+    print()
+    print(section("Credential Status"))
+    print(f"  {'Provider':<14}{'Status':<16}{'Used by'}")
+    print(f"  {'--------':<14}{'------':<16}{'------'}")
+    missing: list[str] = []
+    for provider in sorted(provider_packages):
+        configured = has_credential(provider)
+        status = "configured" if configured else "missing"
+        slugs = ", ".join(sorted(provider_packages[provider]))
+        print(f"  {provider:<14}{status:<16}{slugs}")
+        if not configured:
+            missing.append(provider)
+
+    if missing:
+        print()
+        print(dim("  Fix missing:"))
+        for p in missing:
+            print(dim(f"    agentnode auth set {p}"))
+    print()
+    return 0
+
+
+# Free, cost-less validation endpoints (no completion call, no charge).
+# anthropic REQUIRES the anthropic-version header (a 400 without it would be
+# misread as a bad key); openrouter's /models is UNAUTHENTICATED (validates
+# nothing) — /auth/key is the correct probe.
+_TEST_REQUESTS = {
+    "openai": lambda key: (
+        "https://api.openai.com/v1/models",
+        {"Authorization": f"Bearer {key}"},
+    ),
+    "anthropic": lambda key: (
+        "https://api.anthropic.com/v1/models",
+        {"x-api-key": key, "anthropic-version": "2023-06-01"},
+    ),
+    "openrouter": lambda key: (
+        "https://openrouter.ai/api/v1/auth/key",
+        {"Authorization": f"Bearer {key}"},
+    ),
+}
+
+
+def cmd_auth_test(provider: str) -> int:
+    """Validate the EFFECTIVE key for an LLM provider (env beats vault) via a
+    free endpoint. Exit codes: 0 valid / 1 rejected (401/403) / 2 not
+    configured or unsupported / 3 indeterminate (network/5xx — never reported
+    as invalid). Never prints the key (masked last-4 only) and never echoes
+    the provider's response body (it can contain key fragments)."""
+    provider = provider.lower().strip()
+    if provider not in _TEST_REQUESTS:
+        supported = ", ".join(sorted(_TEST_REQUESTS))
+        print(f"  auth test supports: {supported}", file=sys.stderr)
+        return 2
+
+    key, source = _llm_effective_source(provider)
+    if key is None:
+        # No env override — resolve the stored credential (real keychain read).
+        from agentnode_sdk.credential_store import get_llm_api_key
+        key = get_llm_api_key(provider)
+    if not key:
+        print(f"\n  {provider}: not configured. Run `agentnode auth set {provider}`.\n")
+        return 2
+
+    url, headers = _TEST_REQUESTS[provider](key)
+    import httpx
+    try:
+        resp = httpx.get(url, headers=headers, timeout=10.0)
+    except Exception:
+        print(f"\n  {provider} ({_masked(key)}, {source}): could not reach the "
+              "provider — key validity unknown.\n")
+        return 3
+    if resp.status_code == 200:
+        print(f"\n  {provider} ({_masked(key)}, {source}): key is valid.\n")
+        return 0
+    if resp.status_code in (401, 403):
+        print(f"\n  {provider} ({_masked(key)}, {source}): key was rejected by "
+              f"the provider (HTTP {resp.status_code}).\n")
+        return 1
+    print(f"\n  {provider} ({_masked(key)}, {source}): unexpected provider "
+          f"response (HTTP {resp.status_code}) — key validity unknown.\n")
+    return 3

{agentnode_sdk-0.12.0 → agentnode_sdk-0.13.0}/agentnode_sdk/cli/main.py

@@ -63,10 +63,14 @@ def main(argv: list[str] | None = None) -> int:
     auth_sub = auth_parser.add_subparsers(dest="auth_action")
     auth_set_p = auth_sub.add_parser("set", help="Store a credential for a provider")
     auth_set_p.add_argument("provider")
+    auth_set_p.add_argument("--from-env", default=None, metavar="ENV_VAR",
+                            help="Import the key from this environment variable instead of prompting")
     auth_sub.add_parser("list", help="Show configured credentials")
     auth_rm_p = auth_sub.add_parser("remove", help="Remove a stored credential")
     auth_rm_p.add_argument("provider")
     auth_sub.add_parser("status", help="Check credential status for installed packages")
+    auth_test_p = auth_sub.add_parser("test", help="Validate a stored LLM key via a free provider endpoint")
+    auth_test_p.add_argument("provider")
 
     # config
     config_parser = sub.add_parser("config", help="View or modify settings")
@@ -270,15 +274,18 @@ def main(argv: list[str] | None = None) -> int:
         if args.command == "auth":
             from agentnode_sdk.cli.auth import (
                 cmd_auth_set, cmd_auth_list, cmd_auth_remove, cmd_auth_status,
+                cmd_auth_test,
             )
             if args.auth_action == "set":
-                return cmd_auth_set(args.provider)
+                return cmd_auth_set(args.provider, from_env=args.from_env)
             if args.auth_action == "list":
                 return cmd_auth_list()
             if args.auth_action == "remove":
                 return cmd_auth_remove(args.provider)
             if args.auth_action == "status":
                 return cmd_auth_status()
+            if args.auth_action == "test":
+                return cmd_auth_test(args.provider)
             return cmd_auth_list()
         if args.command == "config":
             if args.config_action == "list":

{agentnode_sdk-0.12.0 → agentnode_sdk-0.13.0}/agentnode_sdk/config.py

@@ -41,6 +41,12 @@ DEFAULTS: dict[str, Any] = {
         "compute": "allow",
         "unknown": "prompt",
     },
+    "agent_sandbox": {
+        "enabled": False,
+    },
+    "llm": {
+        "default_provider": "openai",
+    },
 }
 
 VALID_VALUES: dict[str, tuple[str, ...]] = {
@@ -61,6 +67,8 @@ VALID_VALUES: dict[str, tuple[str, ...]] = {
     "guard.read": ("allow", "prompt", "deny"),
     "guard.compute": ("allow", "prompt", "deny"),
     "guard.unknown": ("allow", "prompt", "deny"),
+    "agent_sandbox.enabled": ("true", "false"),
+    "llm.default_provider": ("openai", "anthropic", "openrouter"),
 }
 
 
@@ -82,6 +90,8 @@ CONFIG_DESCRIPTIONS: dict[str, str] = {
     "guard.read": "Guard policy for tools that read data",
     "guard.compute": "Guard policy for tools that perform computation",
     "guard.unknown": "Guard policy for tools with unknown action type",
+    "agent_sandbox.enabled": "Route community (verified/unverified) agents through the container sandbox",
+    "llm.default_provider": "Which stored LLM credential to try first (vault resolution order)",
 }
 
 
@@ -138,6 +148,18 @@ def _merge_defaults(data: dict) -> dict[str, Any]:
         for extra_key in ("rate_limits", "agent_overrides", "tool_overrides"):
             if extra_key in data["guard"]:
                 cfg["guard"][extra_key] = data["guard"][extra_key]
+    if isinstance(data.get("agent_sandbox"), dict):
+        if "enabled" in data["agent_sandbox"]:
+            cfg["agent_sandbox"]["enabled"] = data["agent_sandbox"]["enabled"]
+        # The nested llm ceiling (max_calls/max_input_chars/max_output_chars/
+        # allowed_models/enabled) holds ints/lists — pass it through verbatim,
+        # like the guard extra keys above.
+        if isinstance(data["agent_sandbox"].get("llm"), dict):
+            cfg["agent_sandbox"]["llm"] = data["agent_sandbox"]["llm"]
+    if isinstance(data.get("llm"), dict):
+        for k in ("default_provider",):
+            if k in data["llm"]:
+                cfg["llm"][k] = data["llm"][k]
     return cfg
 
 
@@ -201,7 +223,7 @@ def set_value(cfg: dict[str, Any], key: str, value: str) -> dict[str, Any]:
             f"Allowed: {', '.join(allowed)}"
         )
 
-    bool_keys = ("credentials.require_before_auto_install",)
+    bool_keys = ("credentials.require_before_auto_install", "agent_sandbox.enabled")
     actual_value: Any = value.lower() == "true" if key in bool_keys else value.lower()
 
     parts = key.split(".")