proxyagent 0.6.0__tar.gz → 0.8.0__tar.gz

{proxyagent-0.6.0 → proxyagent-0.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxyagent
-Version: 0.6.0
+Version: 0.8.0
 Summary: Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
 Project-URL: Homepage, https://github.com/teddyoweh/proxyagent
 Author-email: Spawn Labs <teddy@spawnlabs.ai>
@@ -99,13 +99,13 @@ claude -p "ship it"
 ```
 
 ## The dashboard
-`proxyagent serve` ships a real dashboard at `/` (reveal the admin token with
+`proxyagent serve` ships a dashboard at `/` (reveal the admin token with
 `proxyagent admin-token`):
 
-- **Providers** — a branded catalog of every supported provider; **connect/disconnect**
-  with a key right from the UI, see which auth types each supports (api_key / oauth) and
-  whether it's on via env or stored credentials.
-- **Machine tokens** — mint (scoped/TTL), list, revoke.
+- **Access keys** — the credentials you create. Each is a provider + an auth type
+  (Anthropic · API key, Anthropic · Bedrock, OpenAI · Azure, …); pick the type, enter the
+  key/fields, done. Listed with provider logo · auth type · masked key · remove.
+- **Machine tokens** — mint (scoped / TTL / budget), list, revoke.
 - **Model routing** — add/remove model remaps (e.g. `* → mock` for offline).
 - **Activity** — live request log with usage + cost, and headline stats.
 
@@ -178,10 +178,18 @@ is to centralise *all* of them so the machine running the harness holds only a `
 | **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
 | **Gemini CLI** | Google | API key · OAuth · Vertex |
 
-Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
-Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
-being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
-none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+Connect each mode in the dashboard's **Harnesses** tab (or `proxyagent provider add … --kind`).
+**API key, OAuth, AWS Bedrock, and Azure are wired today** — for Bedrock the proxy holds the AWS
+credentials and **SigV4-signs** the Claude-on-Bedrock request itself, so the machine needs no
+AWS at all. (Vertex lands next.) The model providers below are the *backends* for model-agnostic
+harnesses (aider, Cline…).
+
+```bash
+# the cloud-credential paths — the machine that runs the harness holds none of these:
+proxyagent provider add anthropic --kind bedrock --key <AWS_SECRET>   # + meta: access_key, region
+proxyagent provider add openai    --kind azure   --key <AZURE_KEY>    # + meta: endpoint
+proxyagent provider add anthropic --kind oauth    --key <OAUTH_TOKEN>
+```
 
 ## Credential pools & failover
 A provider isn't one key — it's a **pool**. Add as many credentials as you want, across

{proxyagent-0.6.0 → proxyagent-0.8.0}/README.md

@@ -67,13 +67,13 @@ claude -p "ship it"
 ```
 
 ## The dashboard
-`proxyagent serve` ships a real dashboard at `/` (reveal the admin token with
+`proxyagent serve` ships a dashboard at `/` (reveal the admin token with
 `proxyagent admin-token`):
 
-- **Providers** — a branded catalog of every supported provider; **connect/disconnect**
-  with a key right from the UI, see which auth types each supports (api_key / oauth) and
-  whether it's on via env or stored credentials.
-- **Machine tokens** — mint (scoped/TTL), list, revoke.
+- **Access keys** — the credentials you create. Each is a provider + an auth type
+  (Anthropic · API key, Anthropic · Bedrock, OpenAI · Azure, …); pick the type, enter the
+  key/fields, done. Listed with provider logo · auth type · masked key · remove.
+- **Machine tokens** — mint (scoped / TTL / budget), list, revoke.
 - **Model routing** — add/remove model remaps (e.g. `* → mock` for offline).
 - **Activity** — live request log with usage + cost, and headline stats.
 
@@ -146,10 +146,18 @@ is to centralise *all* of them so the machine running the harness holds only a `
 | **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
 | **Gemini CLI** | Google | API key · OAuth · Vertex |
 
-Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
-Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
-being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
-none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+Connect each mode in the dashboard's **Harnesses** tab (or `proxyagent provider add … --kind`).
+**API key, OAuth, AWS Bedrock, and Azure are wired today** — for Bedrock the proxy holds the AWS
+credentials and **SigV4-signs** the Claude-on-Bedrock request itself, so the machine needs no
+AWS at all. (Vertex lands next.) The model providers below are the *backends* for model-agnostic
+harnesses (aider, Cline…).
+
+```bash
+# the cloud-credential paths — the machine that runs the harness holds none of these:
+proxyagent provider add anthropic --kind bedrock --key <AWS_SECRET>   # + meta: access_key, region
+proxyagent provider add openai    --kind azure   --key <AZURE_KEY>    # + meta: endpoint
+proxyagent provider add anthropic --kind oauth    --key <OAUTH_TOKEN>
+```
 
 ## Credential pools & failover
 A provider isn't one key — it's a **pool**. Add as many credentials as you want, across

{proxyagent-0.6.0 → proxyagent-0.8.0}/proxyagent/__init__.py

@@ -16,7 +16,7 @@ from typing import Optional
 
 from .harness import run  # noqa: F401  (the headline SDK call)
 
-__version__ = "0.6.0"
+__version__ = "0.8.0"
 __all__ = ["run", "serve", "create_app", "Config", "Admin", "__version__"]
 
 

{proxyagent-0.6.0 → proxyagent-0.8.0}/proxyagent/config.py

@@ -101,7 +101,7 @@ AUTH_LABELS = {"api_key": "API key", "oauth": "OAuth", "bedrock": "AWS Bedrock",
                "vertex": "Google Vertex", "azure": "Azure"}
 # Auth modes that are fully wired today (just a key swap). Others are surfaced in the
 # UI as "available" and built out (Bedrock SigV4 / Vertex token / OAuth refresh).
-AUTH_READY = {"api_key"}
+AUTH_READY = {"api_key", "oauth", "bedrock", "azure"}
 
 
 @dataclass

{proxyagent-0.6.0 → proxyagent-0.8.0}/proxyagent/providers.py

@@ -12,7 +12,7 @@ import json
 
 import httpx
 
-from . import pricing
+from . import pricing, signers
 from .config import Config, PROVIDERS
 from .store import Store, now_ms
 
@@ -47,6 +47,34 @@ def resolve_auth(provider, store: Store | None) -> tuple[dict, bool]:
     return (cands[0], True) if cands else ({}, False)
 
 
+def build_plans(provider, store: Store | None, body: dict) -> list[tuple]:
+    """Every way to fulfil this request, in rotation order, as (url, headers, body_bytes).
+    Each credential kind maps to its own upstream + signing: api_key/oauth → the provider
+    endpoint; azure → a custom deployment URL; bedrock → SigV4-signed Claude-on-Bedrock."""
+    plans: list[tuple] = []
+    raw = json.dumps(body).encode("utf-8")
+    JSON = {"content-type": "application/json"}
+    if store:
+        for c in store.get_credentials(provider.name):
+            kind, meta = c["kind"], (c.get("meta") or {})
+            if kind == "api_key":
+                plans.append((provider.endpoint, {**JSON, **_headers_for(provider, c["secret"], "api_key")}, raw))
+            elif kind == "oauth":
+                plans.append((provider.endpoint, {**JSON, "Authorization": f"Bearer {c['secret']}", **provider.extra_headers}, raw))
+            elif kind == "azure":
+                ep = (meta.get("endpoint") or "").rstrip("/")
+                if ep:
+                    plans.append((ep, {**JSON, "api-key": c["secret"]}, raw))
+            elif kind == "bedrock":
+                try:
+                    plans.append(signers.bedrock_plan(c, body))
+                except Exception:  # noqa: BLE001 — skip a malformed bedrock cred
+                    pass
+    if provider.key:
+        plans.append((provider.endpoint, {**JSON, **provider.auth_headers()}, raw))
+    return plans
+
+
 def scope_allows(scope: list[str], provider: str, model: str) -> bool:
     """A scope entry is a glob over 'provider:model', e.g. 'anthropic:claude-*', or '*'."""
     target = f"{provider}:{model or '*'}"
@@ -86,14 +114,12 @@ async def forward(
             return 200, {"content-type": "text/event-stream"}, _mock_stream(provider.shape, payload), None
         return 200, {"content-type": "application/json"}, payload, None
 
-    candidates = resolve_candidates(provider, store)
-    if not candidates:
+    plans = build_plans(provider, store, body)
+    if not plans:
         return 502, {}, {"error": f"provider '{provider_name}' not configured on the proxy "
                                   f"(set {provider.key_env} or `proxyagent provider add {provider_name}`)"}, None
 
-    url = provider.endpoint
-
-    def _log(status, ptok, ctok, err=None, attempt=0):
+    def _log(status, ptok, ctok, err=None):
         store.log_request(
             token_id=token["id"], token_label=token.get("label"), provider=provider_name,
             model=model, status=status, prompt_tokens=ptok, completion_tokens=ctok,
@@ -108,12 +134,10 @@ async def forward(
             status = 200
             try:
                 async with httpx.AsyncClient(timeout=config.request_timeout) as client:
-                    for i, auth in enumerate(candidates):
-                        async with client.stream(
-                            "POST", url, headers={"content-type": "application/json", **auth}, json=body
-                        ) as resp:
+                    for i, (url, headers, raw) in enumerate(plans):
+                        async with client.stream("POST", url, headers=headers, content=raw) as resp:
                             status = resp.status_code
-                            if status in FAILOVER_STATUS and i < len(candidates) - 1:
+                            if status in FAILOVER_STATUS and i < len(plans) - 1:
                                 await resp.aread()  # drain + rotate to the next credential
                                 continue
                             async for chunk in resp.aiter_raw():
@@ -134,12 +158,12 @@ async def forward(
                 _log(status, ptok, ctok)
         return 200, {"content-type": "text/event-stream"}, _gen(), None
 
-    # Non-streaming, with credential failover.
+    # Non-streaming, with credential failover across the pool.
     last_status, last_payload = 502, {"error": "all credentials failed"}
     async with httpx.AsyncClient(timeout=config.request_timeout) as client:
-        for i, auth in enumerate(candidates):
-            resp = await client.post(url, headers={"content-type": "application/json", **auth}, json=body)
-            if resp.status_code in FAILOVER_STATUS and i < len(candidates) - 1:
+        for i, (url, headers, raw) in enumerate(plans):
+            resp = await client.post(url, headers=headers, content=raw)
+            if resp.status_code in FAILOVER_STATUS and i < len(plans) - 1:
                 last_status = resp.status_code
                 continue
             try:

{proxyagent-0.6.0 → proxyagent-0.8.0}/proxyagent/server.py

@@ -35,9 +35,10 @@ class TokenBody(BaseModel):
 class ProviderBody(BaseModel):
     provider: str
     secret: str
-    kind: str = "api_key"            # api_key | oauth
+    kind: str = "api_key"            # api_key | oauth | bedrock | azure | vertex
     label: str | None = None
     refresh: str | None = None
+    meta: dict | None = None         # bedrock: {access_key, region}; azure: {endpoint}
 
 
 def create_app(config: Config | None = None) -> FastAPI:
@@ -204,7 +205,7 @@ def create_app(config: Config | None = None) -> FastAPI:
         if body.provider not in PROVIDERS:
             raise HTTPException(400, f"unknown provider; known: {list(PROVIDERS)}")
         cid = store.add_credential(body.provider, body.secret, kind=body.kind,
-                                   label=body.label, refresh=body.refresh)
+                                   label=body.label, refresh=body.refresh, meta=body.meta)
         return {"id": cid, "provider": body.provider, "kind": body.kind,
                 "stored": "encrypted" if crypto.encryption_available() else "plaintext"}
 
@@ -227,19 +228,28 @@ def create_app(config: Config | None = None) -> FastAPI:
     async def harnesses(authorization: str | None = Header(None),
                         x_admin_token: str | None = Header(None)):
         require_admin(authorization, x_admin_token)
-        stored = {c["provider"] for c in store.list_credentials() if c["active"]}
+        kinds_by_prov: dict[str, set] = {}
+        for c in store.list_credentials():
+            if c["active"]:
+                kinds_by_prov.setdefault(c["provider"], set()).add(c["kind"])
         out = []
         for name, h in HARNESSES.items():
             prov = PROVIDERS.get(h["provider"])
-            configured = bool(prov and prov.key) or h["provider"] in stored
+            have = kinds_by_prov.get(h["provider"], set())
+            env_key = bool(prov and prov.key)
+
+            def _conn(m):
+                if m == "api_key":
+                    return env_key or "api_key" in have
+                return m in have
+
             out.append({
                 "name": name, "label": h["label"], "provider": h["provider"],
                 "color": h["color"], "install": h["install"],
                 "auth": [{"mode": m, "label": AUTH_LABELS.get(m, m),
-                          "ready": m in AUTH_READY,
-                          "connected": m == "api_key" and configured}
+                          "ready": m in AUTH_READY, "connected": _conn(m)}
                          for m in h["auth"]],
-                "configured": configured,
+                "configured": env_key or bool(have),
             })
         return {"harnesses": out}
 

proxyagent-0.8.0/proxyagent/signers.py

@@ -0,0 +1,88 @@
+"""Request signers for the cloud auth modes — so the proxy holds the cloud credentials
+and the machine running the harness holds none.
+
+  * AWS SigV4 (Bedrock) — full signature, no boto3 dependency.
+  * Azure OpenAI — api-key header to a custom deployment endpoint.
+
+Vertex (GCP service-account → access token) lands next.
+"""
+
+from __future__ import annotations
+
+import datetime
+import hashlib
+import hmac
+import json
+from urllib.parse import quote
+
+
+def _sign(key: bytes, msg: str) -> bytes:
+    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
+
+
+def sigv4_headers(*, method: str, host: str, path: str, region: str, service: str,
+                  access_key: str, secret_key: str, body: bytes,
+                  session_token: str | None = None,
+                  content_type: str = "application/json", now: datetime.datetime | None = None) -> dict:
+    """AWS Signature Version 4 headers for a request. `path` must already be URI-encoded."""
+    now = now or datetime.datetime.now(datetime.timezone.utc)
+    amzdate = now.strftime("%Y%m%dT%H%M%SZ")
+    datestamp = now.strftime("%Y%m%d")
+    payload_hash = hashlib.sha256(body).hexdigest()
+
+    hdrs = {"content-type": content_type, "host": host, "x-amz-date": amzdate}
+    if session_token:
+        hdrs["x-amz-security-token"] = session_token
+    signed_headers = ";".join(sorted(hdrs))
+    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
+    canonical_request = f"{method}\n{path}\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}"
+
+    scope = f"{datestamp}/{region}/{service}/aws4_request"
+    string_to_sign = (f"AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n"
+                      f"{hashlib.sha256(canonical_request.encode()).hexdigest()}")
+    k_date = _sign(("AWS4" + secret_key).encode("utf-8"), datestamp)
+    k_region = _sign(k_date, region)
+    k_service = _sign(k_region, service)
+    k_signing = _sign(k_service, "aws4_request")
+    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
+
+    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
+            f"SignedHeaders={signed_headers}, Signature={signature}")
+    out = {"Authorization": auth, "x-amz-date": amzdate, "content-type": content_type}
+    if session_token:
+        out["x-amz-security-token"] = session_token
+    return out
+
+
+# Map a few common Anthropic model ids → their Bedrock ids (best-effort; pass a bedrock id directly to skip).
+def bedrock_model_id(model: str) -> str:
+    if model.startswith("anthropic.") or ":" in model:
+        return model
+    table = {
+        "claude-opus-4": "anthropic.claude-opus-4-20250514-v1:0",
+        "claude-sonnet-4-5": "anthropic.claude-sonnet-4-5-20250929-v1:0",
+        "claude-sonnet-4": "anthropic.claude-sonnet-4-20250514-v1:0",
+        "claude-3-5-sonnet": "anthropic.claude-3-5-sonnet-20241022-v2:0",
+        "claude-3-5-haiku": "anthropic.claude-3-5-haiku-20241022-v1:0",
+    }
+    for prefix, bid in table.items():
+        if model.startswith(prefix):
+            return bid
+    return model
+
+
+def bedrock_plan(cred: dict, body: dict):
+    """(url, headers, body_bytes) for a Claude-on-Bedrock invoke, SigV4-signed here."""
+    meta = cred.get("meta") or {}
+    region = meta.get("region", "us-east-1")
+    model_id = bedrock_model_id(body.get("model", ""))
+    payload = {k: v for k, v in body.items() if k != "model"}
+    payload["anthropic_version"] = "bedrock-2023-05-31"
+    raw = json.dumps(payload).encode("utf-8")
+    host = f"bedrock-runtime.{region}.amazonaws.com"
+    path = f"/model/{quote(model_id, safe='')}/invoke"
+    headers = sigv4_headers(
+        method="POST", host=host, path=path, region=region, service="bedrock",
+        access_key=meta.get("access_key", ""), secret_key=cred.get("secret", ""),
+        body=raw, session_token=meta.get("session_token"))
+    return f"https://{host}{path}", headers, raw

{proxyagent-0.6.0 → proxyagent-0.8.0}/proxyagent/ui/index.html

@@ -12,42 +12,33 @@
   header{position:sticky;top:0;z-index:10;display:flex;align-items:center;justify-content:space-between;padding:16px 28px;background:rgba(8,9,11,.72);backdrop-filter:blur(14px)}
   .brand{display:flex;align-items:center;gap:10px;font-weight:650;font-size:16px}
   .logo{width:27px;height:27px;border-radius:8px;background:linear-gradient(135deg,#34d39e,#3b82f6);display:grid;place-items:center;color:#04130d;font-weight:800}
-  main{max-width:1140px;margin:0 auto;padding:8px 28px 60px}
+  main{max-width:1040px;margin:0 auto;padding:8px 28px 60px}
   .stats{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:14px;margin-bottom:26px}
   .card{background:var(--panel);border-radius:18px;padding:20px}
   .stat .n{font-size:31px;font-weight:700;letter-spacing:-.02em}.stat .l{color:var(--dim);font-size:11px;text-transform:uppercase;letter-spacing:.09em;margin-top:6px}
   .tabs{display:flex;gap:6px;margin-bottom:20px}
   .tab{padding:8px 15px;color:var(--dim);cursor:pointer;font-weight:560;border-radius:10px}
-  .tab:hover{color:var(--txt);background:var(--panel)}
-  .tab.on{color:var(--txt);background:var(--panel)}
-  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(258px,1fr));gap:16px}
-  .prov{background:var(--panel);border-radius:18px;padding:18px;transition:background .15s,transform .15s}
-  .prov:hover{background:#1a1d23}
-  .prov .top{display:flex;align-items:center;gap:13px}
-  .tile{width:42px;height:42px;border-radius:12px;display:grid;place-items:center;flex:none;font-weight:800;font-size:18px;overflow:hidden}
-  .tile img{width:23px;height:23px;display:block}.tile .fbm{display:none}.tile.fb img{display:none}.tile.fb .fbm{display:flex;align-items:center;justify-content:center}
-  .prov h3{margin:0;font-size:15px;font-weight:640}.prov .ep{color:var(--dim);font-size:11.5px;margin-top:1px}
-  .badges{display:flex;gap:6px;flex-wrap:wrap;margin:13px 0}
+  .tab:hover,.tab.on{color:var(--txt);background:var(--panel)}
+  .tile{width:38px;height:38px;border-radius:11px;display:grid;place-items:center;flex:none;font-weight:800;font-size:16px;overflow:hidden}
+  .tile img{width:21px;height:21px;display:block}.tile .fbm{display:none}.tile.fb img{display:none}.tile.fb .fbm{display:flex;align-items:center;justify-content:center}
   .badge{font-size:10.5px;padding:3px 9px;border-radius:8px;background:var(--soft);color:var(--dim);text-transform:uppercase;letter-spacing:.04em}
   .badge.on{background:rgba(52,211,158,.14);color:var(--grn)}
-  .models{color:var(--dim);font-size:11.5px;margin:8px 0 13px;min-height:16px}
-  input,select{font:inherit;border-radius:11px;border:none;background:var(--panel2);color:var(--txt);padding:9px 12px;outline:none;box-shadow:inset 0 0 0 1px transparent}
-  input:focus,select:focus{box-shadow:inset 0 0 0 1px rgba(52,211,158,.45)}
-  input::placeholder{color:#5a606b}
-  button{font:inherit;background:var(--grn);color:#04130d;border:none;border-radius:11px;padding:9px 14px;font-weight:660;cursor:pointer}button:hover{filter:brightness(1.07)}
+  input,select{font:inherit;border-radius:11px;border:none;background:var(--panel2);color:var(--txt);padding:10px 12px;outline:none;box-shadow:inset 0 0 0 1px transparent}
+  input:focus,select:focus{box-shadow:inset 0 0 0 1px rgba(52,211,158,.45)}input::placeholder{color:#5a606b}
+  button{font:inherit;background:var(--grn);color:#04130d;border:none;border-radius:11px;padding:10px 15px;font-weight:660;cursor:pointer}button:hover{filter:brightness(1.07)}
   button.ghost{background:var(--soft);color:var(--dim)}button.ghost:hover{color:var(--txt)}
   button.danger{background:rgba(246,120,138,.12);color:var(--red)}button.danger:hover{background:rgba(246,120,138,.2)}
   button.sm{padding:7px 12px;font-size:12.5px;border-radius:9px}
   .row{display:flex;gap:9px;flex-wrap:wrap;align-items:center}
-  .connect{margin-top:4px;display:none;gap:9px;flex-direction:column}.connect.open{display:flex}
-  table{width:100%;border-collapse:collapse}td,th{text-align:left;padding:11px 12px;font-size:13px}
+  table{width:100%;border-collapse:collapse}td,th{text-align:left;padding:11px 12px;font-size:13px;vertical-align:middle}
   thead th{color:var(--dim);font-weight:520;font-size:11px;text-transform:uppercase;letter-spacing:.06em}
   tbody tr{transition:background .12s}tbody tr:hover{background:#1a1d23}
   .pill{padding:3px 10px;border-radius:8px;font-size:11px}.pill.ok{background:rgba(52,211,158,.13);color:var(--grn)}.pill.no{background:rgba(246,120,138,.13);color:var(--red)}
   .gate{max-width:430px;margin:100px auto;text-align:center}.gate input{width:100%;margin:14px 0}
   .tok{background:var(--panel2);padding:13px;border-radius:12px;word-break:break-all;margin-top:13px;font-size:13px}
-  .hide{display:none}.muted{color:var(--dim)}.h{display:flex;justify-content:space-between;align-items:center;margin:0 0 12px}
+  .hide{display:none}.muted{color:var(--dim)}.h{display:flex;justify-content:space-between;align-items:center;margin:0 0 14px}
   h2{font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:var(--dim);margin:0}
+  .empty{text-align:center;color:var(--dim);padding:46px}
 </style>
 </head>
 <body>
@@ -66,28 +57,30 @@
   </header>
   <main>
     <div class="stats">
+      <div class="card stat"><div class="n" id="s_keys">0</div><div class="l">Access keys</div></div>
       <div class="card stat"><div class="n" id="s_req">0</div><div class="l">Requests</div></div>
-      <div class="card stat"><div class="n" id="s_tok">0</div><div class="l">Tokens (in/out)</div></div>
+      <div class="card stat"><div class="n" id="s_tok">0/0</div><div class="l">Tokens (in/out)</div></div>
       <div class="card stat"><div class="n" id="s_cost" style="color:var(--grn)">$0</div><div class="l">Cost</div></div>
-      <div class="card stat"><div class="n" id="s_prov">0</div><div class="l">Providers connected</div></div>
     </div>
 
     <div class="tabs">
-      <div class="tab on" data-t="harnesses" onclick="tab('harnesses')">Harnesses</div>
-      <div class="tab" data-t="providers" onclick="tab('providers')">Model endpoints</div>
+      <div class="tab on" data-t="keys" onclick="tab('keys')">Access keys</div>
       <div class="tab" data-t="tokens" onclick="tab('tokens')">Machine tokens</div>
       <div class="tab" data-t="models" onclick="tab('models')">Model routing</div>
       <div class="tab" data-t="activity" onclick="tab('activity')">Activity</div>
     </div>
 
-    <section id="t_harnesses">
-      <p class="muted" style="margin:0 0 14px">The agents you run. Connect each auth method once — the machine running the harness then holds only a <code>pa_</code> token.</p>
-      <div class="grid" id="harngrid"></div>
-    </section>
-
-    <section id="t_providers" class="hide">
-      <p class="muted" style="margin:0 0 14px">Raw model backends for model-agnostic harnesses (aider, Cline, Codex pointed elsewhere…).</p>
-      <div class="grid" id="provgrid"></div>
+    <section id="t_keys">
+      <div class="h"><h2>Access keys</h2><button onclick="openCreate()">+ Create access key</button></div>
+      <div class="card hide" id="createForm" style="margin-bottom:16px">
+        <div class="row" style="margin-bottom:11px">
+          <select id="cf_provider" onchange="onProvider()" style="flex:1"></select>
+          <select id="kind_cf" onchange="onKind('cf')" style="width:140px"></select>
+        </div>
+        <div id="ff_cf"></div>
+        <div class="row" style="margin-top:11px"><button onclick="createKey()">Create access key</button><button class="ghost" onclick="openCreate()">Cancel</button></div>
+      </div>
+      <div id="keylist"></div>
     </section>
 
     <section id="t_tokens" class="hide">
@@ -109,8 +102,7 @@
       <div class="card" style="margin-bottom:16px">
         <div class="h"><h2>Remap a model</h2></div>
         <div class="row">
-          <input id="al_match" placeholder="match: * or gpt-4o"/>
-          <span class="muted">→</span>
+          <input id="al_match" placeholder="match: * or gpt-4o"/><span class="muted">→</span>
           <input id="al_target" placeholder="target: mock or anthropic:claude-sonnet-4-5" style="flex:1"/>
           <button onclick="setAlias()">Map</button>
         </div>
@@ -132,32 +124,43 @@ async function api(p,o={}){const r=await fetch(p,{...o,headers:{...H(),...(o.hea
 function val(id){return document.getElementById(id).value.trim()}
 function saveAdmin(){const v=document.getElementById("admintok").value.trim();if(v){localStorage.setItem("pa_admin",v);boot()}}
 function logout(){localStorage.removeItem("pa_admin");document.getElementById("app").classList.add("hide");document.getElementById("gate").classList.remove("hide")}
-function tab(t){document.querySelectorAll(".tab").forEach(e=>e.classList.toggle("on",e.dataset.t===t));["harnesses","providers","tokens","models","activity"].forEach(s=>document.getElementById("t_"+s).classList.toggle("hide",s!==t))}
+function tab(t){document.querySelectorAll(".tab").forEach(e=>e.classList.toggle("on",e.dataset.t===t));["keys","tokens","models","activity"].forEach(s=>document.getElementById("t_"+s).classList.toggle("hide",s!==t))}
 
-// ---- provider logos (inline, brand-tinted) ----
+// logos: real brand marks via the Simple Icons CDN, tinted; fall back to a drawn mark offline.
 const MARK={
   anthropic:'<path d="M9.6 3 3 21h4.1l1.2-3.5h5.9L15.4 21H20L13.4 3H9.6Zm-.4 10.5 1.9-5.4 2 5.4H9.2Z"/>',
   openai:'<path d="M12 2.6c1.9 0 3.5 1.3 4 3a4.2 4.2 0 0 1 2.3 6.8 4.2 4.2 0 0 1-4 5.8 4.2 4.2 0 0 1-8.6-1A4.2 4.2 0 0 1 5.7 12 4.2 4.2 0 0 1 8 5.5a4.2 4.2 0 0 1 4-2.9Zm0 4.6a4.8 4.8 0 1 0 0 9.6 4.8 4.8 0 0 0 0-9.6Z"/>',
   gemini:'<path d="M12 2c.4 4.6 3.4 7.6 8 8-4.6.4-7.6 3.4-8 8-.4-4.6-3.4-7.6-8-8 4.6-.4 7.6-3.4 8-8Z"/>',
-  groq:'<path d="M12 3a6 6 0 1 0 4.2 10.3l-2-2A3.2 3.2 0 1 1 12 6.2c.9 0 1.6.3 2.2.8L16.3 5A6 6 0 0 0 12 3Zm2 7v3.3h2.6V10H14Z"/>',
-  openrouter:'<path d="M3 8h6l3 4 3-4h6M3 16h6l3-4M21 8l-3 8h-3" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>',
-  mistral:'<g><rect x="3" y="4" width="3.4" height="3.4"/><rect x="17.6" y="4" width="3.4" height="3.4"/><rect x="7.3" y="8.3" width="3.4" height="3.4"/><rect x="13.3" y="8.3" width="3.4" height="3.4"/><rect x="3" y="12.6" width="3.4" height="3.4"/><rect x="17.6" y="12.6" width="3.4" height="3.4"/><rect x="3" y="16.9" width="18" height="3.1"/></g>',
-  deepseek:'<path d="M4 9c3 0 4 2 7 2s4-3 8-2c-1 4-5 7-9 7-3 0-6-2-6-5 0-1 0-2 0-2Zm12 1.5a1 1 0 1 0 0 2 1 1 0 0 0 0-2Z"/>',
   xai:'<path d="M4 4h3.2l4 5.6L15.8 4H19l-6 8 6.2 8h-3.2l-4.4-6L7 20H4l6.4-8.4L4 4Z"/>',
-  together:'<path d="M8 5a3.5 3.5 0 1 1 0 7 3.5 3.5 0 0 1 0-7Zm8 7a3.5 3.5 0 1 1 0 7 3.5 3.5 0 0 1 0-7ZM10.5 12.5l3-1.5" fill="none" stroke="currentColor" stroke-width="2"/>',
 };
-// real brand logos via the Simple Icons CDN, tinted to the brand colour; falls back to
-// the drawn mark / letter if a slug is missing or the CDN is unreachable (offline).
 const SLUG={anthropic:"anthropic",openai:"openai",gemini:"googlegemini",groq:"groq",mistral:"mistralai",deepseek:"deepseek",xai:"x"};
-function logo(name,color){
-  const mark=MARK[name]?`<svg viewBox="0 0 24 24" width="22" height="22" fill="currentColor">${MARK[name]}</svg>`:`<b>${(name[0]||"?").toUpperCase()}</b>`;
-  const inner=SLUG[name]
-    ?`<img src="https://cdn.simpleicons.org/${SLUG[name]}/${color.replace("#","")}" alt="${name}" onerror="this.closest('.tile').classList.add('fb')"/><span class="fbm">${mark}</span>`
-    :`<span class="fbm" style="display:flex">${mark}</span>`;
-  return `<div class="tile" style="background:${hexa(color,.14)};color:${color}">${inner}</div>`;
-}
 function hexa(h,a){const n=h.replace("#","");const x=parseInt(n.length===3?n.split("").map(c=>c+c).join(""):n,16);return `rgba(${(x>>16)&255},${(x>>8)&255},${x&255},${a})`}
+function logo(name,color){color=color||"#888";
+  const mark=MARK[name]?`<svg viewBox="0 0 24 24" width="21" height="21" fill="currentColor">${MARK[name]}</svg>`:`<b>${(name[0]||"?").toUpperCase()}</b>`;
+  const inner=SLUG[name]?`<img src="https://cdn.simpleicons.org/${SLUG[name]}/${color.replace("#","")}" alt="${name}" onerror="this.closest('.tile').classList.add('fb')"/><span class="fbm">${mark}</span>`:`<span class="fbm" style="display:flex">${mark}</span>`;
+  return `<div class="tile" style="background:${hexa(color,.14)};color:${color}">${inner}</div>`}
 
+// the auth-type fields (the "provider" is essentially the auth type)
+function fieldsFor(uid,kind){
+  if(kind==="bedrock")return `<div class="row"><input id="f1_${uid}" placeholder="AWS access key id" style="flex:1"/><input id="f3_${uid}" placeholder="region (us-east-1)" style="width:150px"/></div><input id="f2_${uid}" type="password" placeholder="AWS secret access key" style="width:100%;margin-top:8px"/>`;
+  if(kind==="azure")return `<input id="f1_${uid}" placeholder="Azure endpoint URL (…/chat/completions?api-version=…)" style="width:100%"/><input id="f2_${uid}" type="password" placeholder="api-key" style="width:100%;margin-top:8px"/>`;
+  if(kind==="vertex")return `<span class="muted" style="font-size:12px">Vertex (service-account JSON) — coming next.</span>`;
+  return `<input id="f1_${uid}" type="password" placeholder="${kind==='oauth'?'OAuth access token':'API key'}" style="width:100%"/>`;
+}
+function onKind(uid){document.getElementById("ff_"+uid).innerHTML=fieldsFor(uid,document.getElementById("kind_"+uid).value)}
+async function submitCred(uid,provider){
+  const kind=document.getElementById("kind_"+uid).value,g=id=>{const e=document.getElementById(id);return e?e.value.trim():""};
+  let secret,meta={};
+  if(kind==="bedrock"){secret=g("f2_"+uid);meta={access_key:g("f1_"+uid),region:g("f3_"+uid)||"us-east-1"}}
+  else if(kind==="azure"){secret=g("f2_"+uid);meta={endpoint:g("f1_"+uid)}}
+  else if(kind==="vertex"){return}
+  else{secret=g("f1_"+uid)}
+  if(!secret)return;
+  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret,kind,meta})});refreshKeys();
+}
+async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});refreshKeys()}
+
+let CATALOG=[];
 async function boot(){
   try{
     const u=await(await api("/admin/usage")).json();
@@ -167,50 +170,21 @@ async function boot(){
     document.getElementById("s_cost").textContent="$"+(u.usage.cost_usd||0).toFixed(4);
     document.getElementById("badge_backend").textContent=u.backend;
     document.getElementById("enc").textContent=u.encryption?"🔒 encrypted at rest":"⚠ encryption off";
-    renderHarnesses();refreshProviders();refreshTokens();refreshAliases();refreshLogs();
+    refreshKeys();refreshTokens();refreshAliases();refreshLogs();
   }catch(e){document.getElementById("gateerr").textContent="Invalid admin token."}
 }
-async function renderHarnesses(){
-  const d=await(await api("/admin/harnesses")).json();
-  document.getElementById("harngrid").innerHTML=d.harnesses.map(h=>{
-    const chips=h.auth.map(a=>{
-      const cls=a.connected?"badge on":(a.ready?"badge":"badge");
-      const tag=a.connected?"✓ connected":(a.ready?"connect":"soon");
-      return `<span class="${cls}" title="${a.ready?'available now':'coming soon'}">${a.label} · ${tag}</span>`}).join("");
-    return `<div class="prov"><div class="top">${logo(h.provider,h.color)}<div style="flex:1"><h3>${h.label}</h3><div class="ep">runs on ${h.provider}</div></div>
-      ${h.configured?'<span class="pill ok">ready</span>':'<span class="pill no">connect a key</span>'}</div>
-      <div class="badges">${chips}</div>
-      <div class="models mono" style="font-size:11px">${h.install}</div>
-      <div class="row"><button class="sm" onclick="openConnect('h_${h.name}')">Connect API key</button></div>
-      <div class="connect" id="c_h_${h.name}">
-        <input id="k_h_${h.name}" type="password" placeholder="${h.provider} API key"/>
-        <div class="row"><button class="sm" onclick="connectHarness('${h.name}','${h.provider}')">Save</button><button class="ghost sm" onclick="openConnect('h_${h.name}')">Cancel</button></div>
-      </div></div>`}).join("");
-}
-async function connectHarness(name,provider){const key=document.getElementById("k_h_"+name).value.trim();if(!key)return;
-  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret:key,kind:"api_key"})});renderHarnesses();refreshProviders()}
-async function refreshProviders(){
-  const d=await(await api("/admin/catalog")).json();const g=document.getElementById("provgrid");
-  let connected=0;
-  g.innerHTML=d.providers.map(p=>{const creds=p.creds||[];const on=p.via_env||creds.length;if(on)connected++;
-    const credrows=creds.map(c=>`<div class="row" style="justify-content:space-between;gap:6px"><span class="badge on">${c.kind} · ${c.masked||""}</span><button class="danger sm" onclick="disconnect('${c.id}')">remove</button></div>`).join("");
-    return `<div class="prov"><div class="top">${logo(p.name,p.color)}<div style="flex:1"><h3>${p.label}</h3><div class="ep">${p.shape} · ${p.name}</div></div>
-      ${on?'<span class="pill ok">on</span>':'<span class="pill no">off</span>'}</div>
-      <div class="badges">${p.kinds.map(k=>`<span class="badge">${k}</span>`).join("")}${p.via_env?'<span class="badge on">env</span>':''}</div>
-      <div style="display:flex;flex-direction:column;gap:6px;margin:6px 0 11px">${credrows||'<span class="muted" style="font-size:11.5px">No keys yet</span>'}</div>
-      <div class="row"><button class="sm" onclick="openConnect('${p.name}')">+ Add credential</button></div>
-      <div class="connect" id="c_${p.name}">
-        ${p.kinds.length>1?`<select id="kind_${p.name}">${p.kinds.map(k=>`<option value="${k}">${k}</option>`).join("")}</select>`:`<input id="kind_${p.name}" type="hidden" value="api_key"/>`}
-        <input id="k_${p.name}" type="password" placeholder="${p.name} key / token"/>
-        <div class="row"><button class="sm" onclick="connect('${p.name}')">Add</button><button class="ghost sm" onclick="openConnect('${p.name}')">Cancel</button></div>
-      </div></div>`}).join("");
-  document.getElementById("s_prov").textContent=connected;
+async function refreshKeys(){
+  const d=await(await api("/admin/catalog")).json();CATALOG=d.providers;
+  const keys=[];d.providers.forEach(p=>{(p.creds||[]).forEach(c=>keys.push({...c,provider:p.name,plabel:p.label,color:p.color}));if(p.via_env)keys.push({provider:p.name,plabel:p.label,color:p.color,kind:"api_key",masked:"env",id:null})});
+  document.getElementById("s_keys").textContent=keys.length;
+  document.getElementById("keylist").innerHTML=keys.length
+    ?`<div class="card"><table><thead><tr><th></th><th>Provider</th><th>Auth type</th><th>Key</th><th></th></tr></thead><tbody>${keys.map(k=>`<tr><td style="width:50px">${logo(k.provider,k.color)}</td><td>${k.plabel}</td><td><span class="badge on">${k.kind}</span></td><td class="mono">${k.masked||""}</td><td>${k.id?`<button class="danger sm" onclick="disconnect('${k.id}')">remove</button>`:'<span class="muted" style="font-size:11px">from env</span>'}</td></tr>`).join("")}</tbody></table></div>`
+    :`<div class="card empty">No access keys yet.<br/><span style="font-size:12.5px">Click <b style="color:var(--txt)">+ Create access key</b> to add one.</span></div>`;
+  const ps=document.getElementById("cf_provider");if(ps&&!ps.dataset.init){ps.dataset.init="1";ps.innerHTML=CATALOG.map(p=>`<option value="${p.name}">${p.label}</option>`).join("");onProvider()}
 }
-function openConnect(n){document.getElementById("c_"+n).classList.toggle("open")}
-async function connect(n){const key=document.getElementById("k_"+n).value.trim();if(!key)return;
-  const kindEl=document.getElementById("kind_"+n);const kind=kindEl?kindEl.value:"api_key";
-  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider:n,secret:key,kind})});refreshProviders()}
-async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});refreshProviders()}
+function onProvider(){const p=CATALOG.find(x=>x.name===val("cf_provider"))||{};const ks=document.getElementById("kind_cf");ks.innerHTML=(p.kinds||["api_key"]).map(k=>`<option value="${k}">${k}</option>`).join("");onKind("cf")}
+function openCreate(){document.getElementById("createForm").classList.toggle("hide")}
+async function createKey(){await submitCred("cf",val("cf_provider"));document.getElementById("createForm").classList.add("hide")}
 
 async function refreshTokens(){const d=await(await api("/admin/tokens")).json();
   document.getElementById("toks").innerHTML=d.tokens.map(t=>`<tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td><td class="mono">${(t.scope||[]).join(", ")}</td><td class="mono">${t.budget_usd?('$'+(t.spent_usd||0).toFixed(4)+' / $'+(+t.budget_usd).toFixed(2)):'—'}</td><td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td><td>${t.revoked?"":`<button class="danger sm" onclick="revokeTok('${t.id}')">revoke</button>`}</td></tr>`).join("")}

{proxyagent-0.6.0 → proxyagent-0.8.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "proxyagent"
-version = "0.6.0"
+version = "0.8.0"
 description = "Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools."
 readme = "README.md"
 requires-python = ">=3.10"

{proxyagent-0.6.0 → proxyagent-0.8.0}/tests/test_proxy.py

@@ -202,3 +202,37 @@ def test_credential_pool_and_failover_order():
     assert cands[1]["Authorization"] == "Bearer sk-2"        # failover tries #2 next
     listed = s.list_credentials()
     assert len(listed) == 2 and all("secret" not in c and c["masked"] for c in listed)
+
+
+def test_sigv4_structure_and_determinism():
+    import datetime, re
+    from proxyagent.signers import sigv4_headers
+    now = datetime.datetime(2015, 8, 30, 12, 36, 0, tzinfo=datetime.timezone.utc)
+    kw = dict(method="POST", host="bedrock-runtime.us-east-1.amazonaws.com", path="/model/x/invoke",
+              region="us-east-1", service="bedrock", access_key="AKIDEXAMPLE",
+              secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", body=b'{"a":1}', now=now)
+    h1, h2 = sigv4_headers(**kw), sigv4_headers(**kw)
+    assert h1 == h2                                  # deterministic at a fixed time
+    a = h1["Authorization"]
+    assert a.startswith("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/bedrock/aws4_request")
+    assert "SignedHeaders=content-type;host;x-amz-date" in a
+    assert re.search(r"Signature=[0-9a-f]{64}$", a) and h1["x-amz-date"] == "20150830T123600Z"
+
+
+def test_bedrock_plan_and_build_plans():
+    from proxyagent.signers import bedrock_plan
+    from proxyagent.providers import build_plans
+    url, headers, raw = bedrock_plan(
+        {"secret": "sk", "meta": {"access_key": "AKID", "region": "us-west-2"}},
+        {"model": "claude-sonnet-4-5", "max_tokens": 10, "messages": []})
+    assert url.startswith("https://bedrock-runtime.us-west-2.amazonaws.com/model/") and url.endswith("/invoke")
+    import json
+    b = json.loads(raw)
+    assert b["anthropic_version"] == "bedrock-2023-05-31" and "model" not in b
+    assert headers["Authorization"].startswith("AWS4-HMAC-SHA256")
+    # a provider can mix api_key + bedrock in its pool; both become plans
+    s = Store(":memory:")
+    s.add_credential("anthropic", "sk-1", kind="api_key")
+    s.add_credential("anthropic", "awssecret", kind="bedrock", meta={"access_key": "AKID", "region": "us-east-1"})
+    plans = build_plans(PROVIDERS["anthropic"], s, {"model": "claude-sonnet-4-5", "messages": []})
+    assert len(plans) == 2 and plans[0][0].endswith("/v1/messages") and "bedrock-runtime" in plans[1][0]