PyPI - proxyagent - Versions diffs - 0.5.1__tar.gz → 0.7.0__tar.gz - Mend

proxyagent 0.5.1tar.gz → 0.7.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

{proxyagent-0.5.1 → proxyagent-0.7.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxyagent
-Version: 0.5.1
+Version: 0.7.0
 Summary: Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
 Project-URL: Homepage, https://github.com/teddyoweh/proxyagent
 Author-email: Spawn Labs <teddy@spawnlabs.ai>
@@ -178,10 +178,30 @@ is to centralise *all* of them so the machine running the harness holds only a `
 | **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
 | **Gemini CLI** | Google | API key · OAuth · Vertex |
-Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
-Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
-being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
-none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+Connect each mode in the dashboard's **Harnesses** tab (or `proxyagent provider add … --kind`).
+**API key, OAuth, AWS Bedrock, and Azure are wired today** — for Bedrock the proxy holds the AWS
+credentials and **SigV4-signs** the Claude-on-Bedrock request itself, so the machine needs no
+AWS at all. (Vertex lands next.) The model providers below are the *backends* for model-agnostic
+harnesses (aider, Cline…).
+```bash
+# the cloud-credential paths — the machine that runs the harness holds none of these:
+proxyagent provider add anthropic --kind bedrock --key <AWS_SECRET>   # + meta: access_key, region
+proxyagent provider add openai    --kind azure   --key <AZURE_KEY>    # + meta: endpoint
+proxyagent provider add anthropic --kind oauth    --key <OAUTH_TOKEN>
+```
+## Credential pools & failover
+A provider isn't one key — it's a **pool**. Add as many credentials as you want, across
+auth types (several API keys, OAuth tokens, …); each is managed individually in the
+dashboard. The proxy rotates through the pool, **failing over** to the next credential on
+any `429` / `5xx` — so a rate-limited or dead key never takes you down.
+```bash
+proxyagent provider add anthropic --key sk-ant-aaa        # additive — builds the pool
+proxyagent provider add anthropic --key sk-ant-bbb
+proxyagent provider add anthropic --key <oauth> --kind oauth
+```
 ## Per-token budgets
 Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.

{proxyagent-0.5.1 → proxyagent-0.7.0}/README.md RENAMED Viewed

@@ -146,10 +146,30 @@ is to centralise *all* of them so the machine running the harness holds only a `
 | **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
 | **Gemini CLI** | Google | API key · OAuth · Vertex |
-Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
-Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
-being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
-none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+Connect each mode in the dashboard's **Harnesses** tab (or `proxyagent provider add … --kind`).
+**API key, OAuth, AWS Bedrock, and Azure are wired today** — for Bedrock the proxy holds the AWS
+credentials and **SigV4-signs** the Claude-on-Bedrock request itself, so the machine needs no
+AWS at all. (Vertex lands next.) The model providers below are the *backends* for model-agnostic
+harnesses (aider, Cline…).
+```bash
+# the cloud-credential paths — the machine that runs the harness holds none of these:
+proxyagent provider add anthropic --kind bedrock --key <AWS_SECRET>   # + meta: access_key, region
+proxyagent provider add openai    --kind azure   --key <AZURE_KEY>    # + meta: endpoint
+proxyagent provider add anthropic --kind oauth    --key <OAUTH_TOKEN>
+```
+## Credential pools & failover
+A provider isn't one key — it's a **pool**. Add as many credentials as you want, across
+auth types (several API keys, OAuth tokens, …); each is managed individually in the
+dashboard. The proxy rotates through the pool, **failing over** to the next credential on
+any `429` / `5xx` — so a rate-limited or dead key never takes you down.
+```bash
+proxyagent provider add anthropic --key sk-ant-aaa        # additive — builds the pool
+proxyagent provider add anthropic --key sk-ant-bbb
+proxyagent provider add anthropic --key <oauth> --kind oauth
+```
 ## Per-token budgets
 Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/__init__.py RENAMED Viewed

@@ -16,7 +16,7 @@ from typing import Optional
 from .harness import run  # noqa: F401  (the headline SDK call)
-__version__ = "0.5.1"
+__version__ = "0.7.0"
 __all__ = ["run", "serve", "create_app", "Config", "Admin", "__version__"]

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/config.py RENAMED Viewed

@@ -101,7 +101,7 @@ AUTH_LABELS = {"api_key": "API key", "oauth": "OAuth", "bedrock": "AWS Bedrock",
                "vertex": "Google Vertex", "azure": "Azure"}
 # Auth modes that are fully wired today (just a key swap). Others are surfaced in the
 # UI as "available" and built out (Bedrock SigV4 / Vertex token / OAuth refresh).
-AUTH_READY = {"api_key"}
+AUTH_READY = {"api_key", "oauth", "bedrock", "azure"}
 @dataclass

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/providers.py RENAMED Viewed

@@ -12,23 +12,67 @@ import json
 import httpx
-from . import pricing
+from . import pricing, signers
 from .config import Config, PROVIDERS
 from .store import Store, now_ms
+FAILOVER_STATUS = {429, 500, 502, 503, 504, 529}
+def _headers_for(provider, secret: str, kind: str) -> dict:
+    if kind != "api_key":  # oauth / bearer
+        return {"Authorization": f"Bearer {secret}", **provider.extra_headers}
+    if provider.auth_style == "x-api-key":
+        return {"x-api-key": secret, **provider.extra_headers}
+    return {"Authorization": f"Bearer {secret}", **provider.extra_headers}
+def resolve_candidates(provider, store: Store | None) -> list[dict]:
+    """Every usable auth header-set for a provider, in rotation order: the stored pool
+    (api_key then oauth creds), then the env key as a last resort. The forwarder tries
+    them in turn, rotating past any that 429/5xx — that's the failover."""
+    out: list[dict] = []
+    if store:
+        for c in store.get_credentials(provider.name, kind="api_key"):
+            out.append(_headers_for(provider, c["secret"], "api_key"))
+        for c in store.get_credentials(provider.name, kind="oauth"):
+            out.append(_headers_for(provider, c["secret"], "oauth"))
+    if provider.key:
+        out.append(provider.auth_headers())
+    return out
 def resolve_auth(provider, store: Store | None) -> tuple[dict, bool]:
-    """Auth headers for an upstream call. A stored credential (proxy_agent_keys) wins
-    over the env key; returns ({}, False) when nothing is configured."""
-    cred = store.get_credential(provider.name) if store else None
-    if cred:
-        secret, kind = cred["secret"], cred["kind"]
-        if kind == "oauth":
-            return {"Authorization": f"Bearer {secret}", **provider.extra_headers}, True
-        if provider.auth_style == "x-api-key":
-            return {"x-api-key": secret, **provider.extra_headers}, True
-        return {"Authorization": f"Bearer {secret}", **provider.extra_headers}, True
-    headers = provider.auth_headers()
-    return headers, bool(headers)
+    cands = resolve_candidates(provider, store)
+    return (cands[0], True) if cands else ({}, False)
+def build_plans(provider, store: Store | None, body: dict) -> list[tuple]:
+    """Every way to fulfil this request, in rotation order, as (url, headers, body_bytes).
+    Each credential kind maps to its own upstream + signing: api_key/oauth → the provider
+    endpoint; azure → a custom deployment URL; bedrock → SigV4-signed Claude-on-Bedrock."""
+    plans: list[tuple] = []
+    raw = json.dumps(body).encode("utf-8")
+    JSON = {"content-type": "application/json"}
+    if store:
+        for c in store.get_credentials(provider.name):
+            kind, meta = c["kind"], (c.get("meta") or {})
+            if kind == "api_key":
+                plans.append((provider.endpoint, {**JSON, **_headers_for(provider, c["secret"], "api_key")}, raw))
+            elif kind == "oauth":
+                plans.append((provider.endpoint, {**JSON, "Authorization": f"Bearer {c['secret']}", **provider.extra_headers}, raw))
+            elif kind == "azure":
+                ep = (meta.get("endpoint") or "").rstrip("/")
+                if ep:
+                    plans.append((ep, {**JSON, "api-key": c["secret"]}, raw))
+            elif kind == "bedrock":
+                try:
+                    plans.append(signers.bedrock_plan(c, body))
+                except Exception:  # noqa: BLE001 — skip a malformed bedrock cred
+                    pass
+    if provider.key:
+        plans.append((provider.endpoint, {**JSON, **provider.auth_headers()}, raw))
+    return plans
 def scope_allows(scope: list[str], provider: str, model: str) -> bool:
@@ -70,14 +114,11 @@ async def forward(
             return 200, {"content-type": "text/event-stream"}, _mock_stream(provider.shape, payload), None
         return 200, {"content-type": "application/json"}, payload, None
-    auth, ok = resolve_auth(provider, store)
-    if not ok:
+    plans = build_plans(provider, store, body)
+    if not plans:
         return 502, {}, {"error": f"provider '{provider_name}' not configured on the proxy "
                                   f"(set {provider.key_env} or `proxyagent provider add {provider_name}`)"}, None
-    url = provider.endpoint
-    headers = {"content-type": "application/json", **auth}
     def _log(status, ptok, ctok, err=None):
         store.log_request(
             token_id=token["id"], token_label=token.get("label"), provider=provider_name,
@@ -93,36 +134,47 @@ async def forward(
             status = 200
             try:
                 async with httpx.AsyncClient(timeout=config.request_timeout) as client:
-                    async with client.stream("POST", url, headers=headers, json=body) as resp:
-                        status = resp.status_code
-                        async for chunk in resp.aiter_raw():
-                            # Best-effort usage capture from the final SSE event.
-                            text = chunk.decode("utf-8", "ignore")
-                            if '"output_tokens"' in text or '"completion_tokens"' in text:
-                                try:
-                                    for line in text.splitlines():
-                                        if line.startswith("data:"):
-                                            d = json.loads(line[5:].strip())
-                                            usage = d.get("usage") or (d.get("message") or {}).get("usage") or {}
-                                            ptok = usage.get("input_tokens") or usage.get("prompt_tokens") or ptok
-                                            ctok = usage.get("output_tokens") or usage.get("completion_tokens") or ctok
-                                except Exception:
-                                    pass
-                            yield chunk
+                    for i, (url, headers, raw) in enumerate(plans):
+                        async with client.stream("POST", url, headers=headers, content=raw) as resp:
+                            status = resp.status_code
+                            if status in FAILOVER_STATUS and i < len(plans) - 1:
+                                await resp.aread()  # drain + rotate to the next credential
+                                continue
+                            async for chunk in resp.aiter_raw():
+                                text = chunk.decode("utf-8", "ignore")
+                                if '"output_tokens"' in text or '"completion_tokens"' in text:
+                                    try:
+                                        for line in text.splitlines():
+                                            if line.startswith("data:"):
+                                                d = json.loads(line[5:].strip())
+                                                usage = d.get("usage") or (d.get("message") or {}).get("usage") or {}
+                                                ptok = usage.get("input_tokens") or usage.get("prompt_tokens") or ptok
+                                                ctok = usage.get("output_tokens") or usage.get("completion_tokens") or ctok
+                                    except Exception:
+                                        pass
+                                yield chunk
+                            break
             finally:
                 _log(status, ptok, ctok)
         return 200, {"content-type": "text/event-stream"}, _gen(), None
-    # Non-streaming.
+    # Non-streaming, with credential failover across the pool.
+    last_status, last_payload = 502, {"error": "all credentials failed"}
     async with httpx.AsyncClient(timeout=config.request_timeout) as client:
-        resp = await client.post(url, headers=headers, json=body)
-    try:
-        payload = resp.json()
-    except Exception:
-        payload = {"error": resp.text}
-    ptok, ctok = _extract_usage(provider.shape, payload if isinstance(payload, dict) else {})
-    _log(resp.status_code, ptok, ctok, None if resp.is_success else str(payload)[:300])
-    return resp.status_code, {"content-type": "application/json"}, payload, None
+        for i, (url, headers, raw) in enumerate(plans):
+            resp = await client.post(url, headers=headers, content=raw)
+            if resp.status_code in FAILOVER_STATUS and i < len(plans) - 1:
+                last_status = resp.status_code
+                continue
+            try:
+                payload = resp.json()
+            except Exception:
+                payload = {"error": resp.text}
+            ptok, ctok = _extract_usage(provider.shape, payload if isinstance(payload, dict) else {})
+            _log(resp.status_code, ptok, ctok, None if resp.is_success else str(payload)[:300])
+            return resp.status_code, {"content-type": "application/json"}, payload, None
+    _log(last_status, None, None, "all credentials failed")
+    return last_status, {"content-type": "application/json"}, last_payload, None
 # ------------------------------------------------------------------ #

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/server.py RENAMED Viewed

@@ -35,9 +35,10 @@ class TokenBody(BaseModel):
 class ProviderBody(BaseModel):
     provider: str
     secret: str
-    kind: str = "api_key"            # api_key | oauth
+    kind: str = "api_key"            # api_key | oauth | bedrock | azure | vertex
     label: str | None = None
     refresh: str | None = None
+    meta: dict | None = None         # bedrock: {access_key, region}; azure: {endpoint}
 def create_app(config: Config | None = None) -> FastAPI:
@@ -204,7 +205,7 @@ def create_app(config: Config | None = None) -> FastAPI:
         if body.provider not in PROVIDERS:
             raise HTTPException(400, f"unknown provider; known: {list(PROVIDERS)}")
         cid = store.add_credential(body.provider, body.secret, kind=body.kind,
-                                   label=body.label, refresh=body.refresh)
+                                   label=body.label, refresh=body.refresh, meta=body.meta)
         return {"id": cid, "provider": body.provider, "kind": body.kind,
                 "stored": "encrypted" if crypto.encryption_available() else "plaintext"}
@@ -227,19 +228,28 @@ def create_app(config: Config | None = None) -> FastAPI:
     async def harnesses(authorization: str | None = Header(None),
                         x_admin_token: str | None = Header(None)):
         require_admin(authorization, x_admin_token)
-        stored = {c["provider"] for c in store.list_credentials() if c["active"]}
+        kinds_by_prov: dict[str, set] = {}
+        for c in store.list_credentials():
+            if c["active"]:
+                kinds_by_prov.setdefault(c["provider"], set()).add(c["kind"])
         out = []
         for name, h in HARNESSES.items():
             prov = PROVIDERS.get(h["provider"])
-            configured = bool(prov and prov.key) or h["provider"] in stored
+            have = kinds_by_prov.get(h["provider"], set())
+            env_key = bool(prov and prov.key)
+            def _conn(m):
+                if m == "api_key":
+                    return env_key or "api_key" in have
+                return m in have
             out.append({
                 "name": name, "label": h["label"], "provider": h["provider"],
                 "color": h["color"], "install": h["install"],
                 "auth": [{"mode": m, "label": AUTH_LABELS.get(m, m),
-                          "ready": m in AUTH_READY,
-                          "connected": m == "api_key" and configured}
+                          "ready": m in AUTH_READY, "connected": _conn(m)}
                          for m in h["auth"]],
-                "configured": configured,
+                "configured": env_key or bool(have),
             })
         return {"harnesses": out}
@@ -247,18 +257,21 @@ def create_app(config: Config | None = None) -> FastAPI:
     async def catalog(authorization: str | None = Header(None),
                       x_admin_token: str | None = Header(None)):
         require_admin(authorization, x_admin_token)
-        stored = {c["provider"]: c for c in store.list_credentials() if c["active"]}
+        pool: dict[str, list] = {}
+        for c in store.list_credentials():
+            if c["active"]:
+                pool.setdefault(c["provider"], []).append(c)
         out = []
         for name, prov in PROVIDERS.items():
             meta = CATALOG.get(name, {})
-            cred = stored.get(name)
+            creds = pool.get(name, [])
             out.append({
                 "name": name, "label": meta.get("label", name.title()),
                 "kinds": meta.get("kinds", ["api_key"]), "color": meta.get("color", "#888"),
                 "models": meta.get("models", []), "shape": prov.shape,
-                "via_env": bool(prov.key), "via_store": bool(cred),
-                "cred_id": cred["id"] if cred else None,
-                "cred_kind": cred["kind"] if cred else None,
+                "via_env": bool(prov.key), "via_store": bool(creds),
+                "creds": [{"id": c["id"], "kind": c["kind"], "masked": c.get("masked"),
+                           "label": c.get("label")} for c in creds],
                 "endpoint": prov.endpoint,
             })
         return {"providers": out, "encryption": crypto.encryption_available()}

proxyagent-0.7.0/proxyagent/signers.py ADDED Viewed

@@ -0,0 +1,88 @@
+"""Request signers for the cloud auth modes — so the proxy holds the cloud credentials
+and the machine running the harness holds none.
+  * AWS SigV4 (Bedrock) — full signature, no boto3 dependency.
+  * Azure OpenAI — api-key header to a custom deployment endpoint.
+Vertex (GCP service-account → access token) lands next.
+"""
+from __future__ import annotations
+import datetime
+import hashlib
+import hmac
+import json
+from urllib.parse import quote
+def _sign(key: bytes, msg: str) -> bytes:
+    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
+def sigv4_headers(*, method: str, host: str, path: str, region: str, service: str,
+                  access_key: str, secret_key: str, body: bytes,
+                  session_token: str | None = None,
+                  content_type: str = "application/json", now: datetime.datetime | None = None) -> dict:
+    """AWS Signature Version 4 headers for a request. `path` must already be URI-encoded."""
+    now = now or datetime.datetime.now(datetime.timezone.utc)
+    amzdate = now.strftime("%Y%m%dT%H%M%SZ")
+    datestamp = now.strftime("%Y%m%d")
+    payload_hash = hashlib.sha256(body).hexdigest()
+    hdrs = {"content-type": content_type, "host": host, "x-amz-date": amzdate}
+    if session_token:
+        hdrs["x-amz-security-token"] = session_token
+    signed_headers = ";".join(sorted(hdrs))
+    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
+    canonical_request = f"{method}\n{path}\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}"
+    scope = f"{datestamp}/{region}/{service}/aws4_request"
+    string_to_sign = (f"AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n"
+                      f"{hashlib.sha256(canonical_request.encode()).hexdigest()}")
+    k_date = _sign(("AWS4" + secret_key).encode("utf-8"), datestamp)
+    k_region = _sign(k_date, region)
+    k_service = _sign(k_region, service)
+    k_signing = _sign(k_service, "aws4_request")
+    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
+    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
+            f"SignedHeaders={signed_headers}, Signature={signature}")
+    out = {"Authorization": auth, "x-amz-date": amzdate, "content-type": content_type}
+    if session_token:
+        out["x-amz-security-token"] = session_token
+    return out
+# Map a few common Anthropic model ids → their Bedrock ids (best-effort; pass a bedrock id directly to skip).
+def bedrock_model_id(model: str) -> str:
+    if model.startswith("anthropic.") or ":" in model:
+        return model
+    table = {
+        "claude-opus-4": "anthropic.claude-opus-4-20250514-v1:0",
+        "claude-sonnet-4-5": "anthropic.claude-sonnet-4-5-20250929-v1:0",
+        "claude-sonnet-4": "anthropic.claude-sonnet-4-20250514-v1:0",
+        "claude-3-5-sonnet": "anthropic.claude-3-5-sonnet-20241022-v2:0",
+        "claude-3-5-haiku": "anthropic.claude-3-5-haiku-20241022-v1:0",
+    }
+    for prefix, bid in table.items():
+        if model.startswith(prefix):
+            return bid
+    return model
+def bedrock_plan(cred: dict, body: dict):
+    """(url, headers, body_bytes) for a Claude-on-Bedrock invoke, SigV4-signed here."""
+    meta = cred.get("meta") or {}
+    region = meta.get("region", "us-east-1")
+    model_id = bedrock_model_id(body.get("model", ""))
+    payload = {k: v for k, v in body.items() if k != "model"}
+    payload["anthropic_version"] = "bedrock-2023-05-31"
+    raw = json.dumps(payload).encode("utf-8")
+    host = f"bedrock-runtime.{region}.amazonaws.com"
+    path = f"/model/{quote(model_id, safe='')}/invoke"
+    headers = sigv4_headers(
+        method="POST", host=host, path=path, region=region, service="bedrock",
+        access_key=meta.get("access_key", ""), secret_key=cred.get("secret", ""),
+        body=raw, session_token=meta.get("session_token"))
+    return f"https://{host}{path}", headers, raw

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/store.py RENAMED Viewed

@@ -27,7 +27,7 @@ CREATE TABLE IF NOT EXISTS proxy_agent_tokens (
 CREATE TABLE IF NOT EXISTS proxy_agent_keys (
     id TEXT PRIMARY KEY, provider TEXT NOT NULL, kind TEXT NOT NULL DEFAULT 'api_key',
     secret TEXT NOT NULL, refresh TEXT, expires_ms BIGINT, label TEXT,
-    created_ms BIGINT, meta_json TEXT, active INTEGER NOT NULL DEFAULT 1
+    created_ms BIGINT, meta_json TEXT, active INTEGER NOT NULL DEFAULT 1, masked TEXT
 );
 CREATE TABLE IF NOT EXISTS proxy_agent_calls (
     id TEXT PRIMARY KEY, ts_ms BIGINT, token_id TEXT, token_label TEXT,
@@ -48,10 +48,12 @@ class Store:
         self.db.executescript(_SCHEMA)
         self.backend = "postgres" if self.db.pg else "sqlite"
         # migrate older DBs created before budget_usd existed
-        try:
-            self.db.execute("ALTER TABLE proxy_agent_tokens ADD COLUMN budget_usd DOUBLE PRECISION")
-        except Exception:
-            pass
+        for stmt in ("ALTER TABLE proxy_agent_tokens ADD COLUMN budget_usd DOUBLE PRECISION",
+                     "ALTER TABLE proxy_agent_keys ADD COLUMN masked TEXT"):
+            try:
+                self.db.execute(stmt)
+            except Exception:
+                pass
     # -- machine tokens ---------------------------------------------------- #
@@ -98,40 +100,55 @@ class Store:
     # -- provider credentials (proxy_agent_keys) --------------------------- #
     def add_credential(self, provider, secret, *, kind="api_key", refresh=None,
-                       expires_ms=None, label=None, meta=None, replace=True):
+                       expires_ms=None, label=None, meta=None, replace=False):
+        """Add a credential to a provider's POOL. A provider can hold many credentials
+        across auth types (several api_keys, oauth tokens, bedrock, vertex…). replace=True
+        swaps out other creds of the SAME kind; default keeps them (for failover/rotation)."""
         cid = "key_" + uuid.uuid4().hex[:12]
-        # replace=True (default, the UI "connect"): swap the key. replace=False adds an
-        # ADDITIONAL active key to the provider's pool for failover/rotation.
         if replace:
-            self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=?", (provider,))
+            self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=? AND kind=?",
+                            (provider, kind))
         self.db.execute(
             """INSERT INTO proxy_agent_keys
-               (id, provider, kind, secret, refresh, expires_ms, label, created_ms, meta_json, active)
-               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1)""",
+               (id, provider, kind, secret, refresh, expires_ms, label, created_ms, meta_json, active, masked)
+               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1, ?)""",
             (cid, provider, kind, crypto.encrypt(secret),
              crypto.encrypt(refresh) if refresh else None, expires_ms, label, now_ms(),
-             json.dumps(meta or {})),
+             json.dumps(meta or {}), mask(secret)),
         )
         return cid
-    def get_credential(self, provider):
-        """Active credential for a provider, decrypted. None → fall back to env."""
-        r = self.db.fetchone(
-            "SELECT * FROM proxy_agent_keys WHERE provider=? AND active=1 ORDER BY created_ms DESC",
-            (provider,))
-        if not r:
-            return None
+    def _decrypt_row(self, r):
         r = dict(r)
         r["secret"] = crypto.decrypt(r["secret"])
         if r.get("refresh"):
             r["refresh"] = crypto.decrypt(r["refresh"])
+        if r.get("meta_json"):
+            try:
+                r["meta"] = json.loads(r["meta_json"])
+            except Exception:
+                r["meta"] = {}
         return r
+    def get_credential(self, provider, kind=None):
+        """Most-recent active credential (optionally of a kind), decrypted."""
+        creds = self.get_credentials(provider, kind=kind)
+        return creds[-1] if creds else None
+    def get_credentials(self, provider, kind=None):
+        """The provider's whole active pool, decrypted, oldest→newest (rotation order)."""
+        q = "SELECT * FROM proxy_agent_keys WHERE provider=? AND active=1"
+        args = [provider]
+        if kind:
+            q += " AND kind=?"
+            args.append(kind)
+        return [self._decrypt_row(r) for r in self.db.fetchall(q + " ORDER BY created_ms", tuple(args))]
     def list_credentials(self):
         rows = self.db.fetchall("SELECT * FROM proxy_agent_keys ORDER BY created_ms DESC")
         # never return the secret material
         return [{"id": r["id"], "provider": r["provider"], "kind": r["kind"],
-                 "label": r["label"], "active": bool(r["active"]),
+                 "label": r["label"], "active": bool(r["active"]), "masked": r.get("masked"),
                  "created_ms": r["created_ms"]} for r in rows]
     def remove_credential(self, cid):

{proxyagent-0.5.1 → proxyagent-0.7.0}/proxyagent/ui/index.html RENAMED Viewed

@@ -181,37 +181,47 @@ async function renderHarnesses(){
       ${h.configured?'<span class="pill ok">ready</span>':'<span class="pill no">connect a key</span>'}</div>
       <div class="badges">${chips}</div>
       <div class="models mono" style="font-size:11px">${h.install}</div>
-      <div class="row"><button class="sm" onclick="openConnect('h_${h.name}')">Connect API key</button></div>
-      <div class="connect" id="c_h_${h.name}">
-        <input id="k_h_${h.name}" type="password" placeholder="${h.provider} API key"/>
-        <div class="row"><button class="sm" onclick="connectHarness('${h.name}','${h.provider}')">Save</button><button class="ghost sm" onclick="openConnect('h_${h.name}')">Cancel</button></div>
-      </div></div>`}).join("");
+      <div class="row"><button class="sm" onclick="openConnect('h_${h.name}')">+ Connect auth</button></div>
+      <div class="connect" id="c_h_${h.name}">${connectForm('h_'+h.name, h.auth.map(a=>a.mode), h.provider)}</div></div>`}).join("");
 }
-async function connectHarness(name,provider){const key=document.getElementById("k_h_"+name).value.trim();if(!key)return;
-  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret:key,kind:"api_key"})});renderHarnesses();refreshProviders()}
 async function refreshProviders(){
   const d=await(await api("/admin/catalog")).json();const g=document.getElementById("provgrid");
   let connected=0;
-  g.innerHTML=d.providers.map(p=>{const on=p.via_env||p.via_store;if(on)connected++;
-    const how=p.via_store?`stored ${p.cred_kind}`:(p.via_env?"env":"");
+  g.innerHTML=d.providers.map(p=>{const creds=p.creds||[];const on=p.via_env||creds.length;if(on)connected++;
+    const credrows=creds.map(c=>`<div class="row" style="justify-content:space-between;gap:6px"><span class="badge on">${c.kind} · ${c.masked||""}</span><button class="danger sm" onclick="disconnect('${c.id}')">remove</button></div>`).join("");
     return `<div class="prov"><div class="top">${logo(p.name,p.color)}<div style="flex:1"><h3>${p.label}</h3><div class="ep">${p.shape} · ${p.name}</div></div>
       ${on?'<span class="pill ok">on</span>':'<span class="pill no">off</span>'}</div>
-      <div class="badges">${p.kinds.map(k=>`<span class="badge">${k}</span>`).join("")}${on?`<span class="badge on">${how}</span>`:""}</div>
-      <div class="models">${(p.models||[]).slice(0,2).join(" · ")}</div>
-      <div class="row">${p.via_store?`<button class="danger sm" onclick="disconnect('${p.cred_id}')">Disconnect</button>`:`<button class="sm" onclick="openConnect('${p.name}')">${p.via_env?"Override key":"Connect"}</button>`}</div>
-      <div class="connect" id="c_${p.name}">
-        <input id="k_${p.name}" type="password" placeholder="${p.name} API key${p.kinds.includes('oauth')?' / OAuth token':''}"/>
-        <div class="row">${p.kinds.length>1?`<select id="kind_${p.name}">${p.kinds.map(k=>`<option value="${k}">${k}</option>`).join("")}</select>`:`<input id="kind_${p.name}" type="hidden" value="api_key"/>`}
-          <button class="sm" onclick="connect('${p.name}')">Save</button><button class="ghost sm" onclick="openConnect('${p.name}')">Cancel</button></div>
-      </div></div>`}).join("");
+      <div class="badges">${p.kinds.map(k=>`<span class="badge">${k}</span>`).join("")}${p.via_env?'<span class="badge on">env</span>':''}</div>
+      <div style="display:flex;flex-direction:column;gap:6px;margin:6px 0 11px">${credrows||'<span class="muted" style="font-size:11.5px">No keys yet</span>'}</div>
+      <div class="row"><button class="sm" onclick="openConnect('${p.name}')">+ Add credential</button></div>
+      <div class="connect" id="c_${p.name}">${connectForm(p.name,p.kinds,p.name)}</div></div>`}).join("");
   document.getElementById("s_prov").textContent=connected;
-  document.getElementById("enc2")&&0;
 }
 function openConnect(n){document.getElementById("c_"+n).classList.toggle("open")}
-async function connect(n){const key=document.getElementById("k_"+n).value.trim();if(!key)return;
-  const kindEl=document.getElementById("kind_"+n);const kind=kindEl?kindEl.value:"api_key";
-  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider:n,secret:key,kind})});refreshProviders()}
-async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});refreshProviders()}
+function fieldsFor(uid,kind){
+  if(kind==="bedrock")return `<input id="f1_${uid}" placeholder="AWS access key id"/><input id="f2_${uid}" type="password" placeholder="AWS secret access key"/><input id="f3_${uid}" placeholder="region (default us-east-1)"/>`;
+  if(kind==="azure")return `<input id="f1_${uid}" placeholder="Azure endpoint URL (…/chat/completions?api-version=…)"/><input id="f2_${uid}" type="password" placeholder="api-key"/>`;
+  if(kind==="vertex")return `<span class="muted" style="font-size:12px">Vertex (service-account JSON) — coming next.</span>`;
+  return `<input id="f1_${uid}" type="password" placeholder="${kind==='oauth'?'OAuth access token':'API key'}"/>`;
+}
+function onKind(uid){document.getElementById("ff_"+uid).innerHTML=fieldsFor(uid,document.getElementById("kind_"+uid).value)}
+function connectForm(uid,kinds,provider){
+  return `<select id="kind_${uid}" onchange="onKind('${uid}')">${kinds.map(k=>`<option value="${k}">${k}</option>`).join("")}</select>
+    <div id="ff_${uid}">${fieldsFor(uid,kinds[0])}</div>
+    <div class="row"><button class="sm" onclick="submitCred('${uid}','${provider}')">Add credential</button><button class="ghost sm" onclick="openConnect('${uid}')">Cancel</button></div>`;
+}
+async function submitCred(uid,provider){
+  const kind=document.getElementById("kind_"+uid).value,g=id=>{const e=document.getElementById(id);return e?e.value.trim():""};
+  let secret,meta={};
+  if(kind==="bedrock"){secret=g("f2_"+uid);meta={access_key:g("f1_"+uid),region:g("f3_"+uid)||"us-east-1"}}
+  else if(kind==="azure"){secret=g("f2_"+uid);meta={endpoint:g("f1_"+uid)}}
+  else if(kind==="vertex"){return}
+  else{secret=g("f1_"+uid)}
+  if(!secret)return;
+  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret,kind,meta})});
+  renderHarnesses();refreshProviders();
+}
+async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});renderHarnesses();refreshProviders()}
 async function refreshTokens(){const d=await(await api("/admin/tokens")).json();
   document.getElementById("toks").innerHTML=d.tokens.map(t=>`<tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td><td class="mono">${(t.scope||[]).join(", ")}</td><td class="mono">${t.budget_usd?('$'+(t.spent_usd||0).toFixed(4)+' / $'+(+t.budget_usd).toFixed(2)):'—'}</td><td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td><td>${t.revoked?"":`<button class="danger sm" onclick="revokeTok('${t.id}')">revoke</button>`}</td></tr>`).join("")}

{proxyagent-0.5.1 → proxyagent-0.7.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "proxyagent"
-version = "0.5.1"
+version = "0.7.0"
 description = "Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools."
 readme = "README.md"
 requires-python = ">=3.10"

{proxyagent-0.5.1 → proxyagent-0.7.0}/tests/test_proxy.py RENAMED Viewed

@@ -188,3 +188,51 @@ def test_harness_catalog():
     cc = next(x for x in h if x["name"] == "claude-code")
     assert {a["mode"] for a in cc["auth"]} == {"api_key", "oauth", "bedrock", "vertex"}
     assert any(a["mode"] == "api_key" and a["ready"] for a in cc["auth"])
+def test_credential_pool_and_failover_order():
+    from proxyagent.providers import resolve_candidates
+    s = Store(":memory:")
+    s.add_credential("openai", "sk-1", kind="api_key")     # additive by default →
+    s.add_credential("openai", "sk-2", kind="api_key")     # a pool of two keys
+    creds = s.get_credentials("openai", kind="api_key")
+    assert [c["secret"] for c in creds] == ["sk-1", "sk-2"]   # oldest→newest rotation order
+    cands = resolve_candidates(PROVIDERS["openai"], s)
+    assert cands[0]["Authorization"] == "Bearer sk-1"
+    assert cands[1]["Authorization"] == "Bearer sk-2"        # failover tries #2 next
+    listed = s.list_credentials()
+    assert len(listed) == 2 and all("secret" not in c and c["masked"] for c in listed)
+def test_sigv4_structure_and_determinism():
+    import datetime, re
+    from proxyagent.signers import sigv4_headers
+    now = datetime.datetime(2015, 8, 30, 12, 36, 0, tzinfo=datetime.timezone.utc)
+    kw = dict(method="POST", host="bedrock-runtime.us-east-1.amazonaws.com", path="/model/x/invoke",
+              region="us-east-1", service="bedrock", access_key="AKIDEXAMPLE",
+              secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", body=b'{"a":1}', now=now)
+    h1, h2 = sigv4_headers(**kw), sigv4_headers(**kw)
+    assert h1 == h2                                  # deterministic at a fixed time
+    a = h1["Authorization"]
+    assert a.startswith("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/bedrock/aws4_request")
+    assert "SignedHeaders=content-type;host;x-amz-date" in a
+    assert re.search(r"Signature=[0-9a-f]{64}$", a) and h1["x-amz-date"] == "20150830T123600Z"
+def test_bedrock_plan_and_build_plans():
+    from proxyagent.signers import bedrock_plan
+    from proxyagent.providers import build_plans
+    url, headers, raw = bedrock_plan(
+        {"secret": "sk", "meta": {"access_key": "AKID", "region": "us-west-2"}},
+        {"model": "claude-sonnet-4-5", "max_tokens": 10, "messages": []})
+    assert url.startswith("https://bedrock-runtime.us-west-2.amazonaws.com/model/") and url.endswith("/invoke")
+    import json
+    b = json.loads(raw)
+    assert b["anthropic_version"] == "bedrock-2023-05-31" and "model" not in b
+    assert headers["Authorization"].startswith("AWS4-HMAC-SHA256")
+    # a provider can mix api_key + bedrock in its pool; both become plans
+    s = Store(":memory:")
+    s.add_credential("anthropic", "sk-1", kind="api_key")
+    s.add_credential("anthropic", "awssecret", kind="bedrock", meta={"access_key": "AKID", "region": "us-east-1"})
+    plans = build_plans(PROVIDERS["anthropic"], s, {"model": "claude-sonnet-4-5", "messages": []})
+    assert len(plans) == 2 and plans[0][0].endswith("/v1/messages") and "bedrock-runtime" in plans[1][0]