vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Phase 1 P1 — Dockerfile, AGNTCY alignment docs, Node.js SDK

Browse Source 
Three remaining Phase 1 P1 deliverables:

1. Dockerfile — multi-stage build (builder + production), node:18-alpine,
   non-root USER node, .dockerignore excluding secrets and dev artifacts

2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping
   all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted

3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native
   fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for
   all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed
   error hierarchy, full README

All three changes tracked under openspec/changes/ with tasks marked complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-28 14:46:53 +00:00
parent d94a8cedc0
commit aa5167835e
34 changed files with 1572 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
.dockerignore Normal file
View File

@@ -0,0 +1,31 @@
# Dependencies
node_modules/
# Compiled output (built inside Docker)
dist/
# Test artifacts
coverage/
tests/
# Environment and secrets — never bake into image
.env
*.pem
# Development workspace
.cto-workspace/
.claude/
vj_notes/
next_steps.md
# Git
.git/
.gitignore
# Editor
.vscode/
.idea/
# Logs
*.log
npm-debug.log*

41
Dockerfile Normal file
View File

@@ -0,0 +1,41 @@
# ─────────────────────────────────────────────────────────────
# Stage 1: builder — compile TypeScript to dist/
# ─────────────────────────────────────────────────────────────
FROM node:18-alpine AS builder
WORKDIR /app
# Copy package files and install all dependencies (including dev)
COPY package.json package-lock.json ./
RUN npm ci
# Copy source and compile
COPY tsconfig.json ./
COPY src/ ./src/
COPY scripts/ ./scripts/
RUN npm run build
# ─────────────────────────────────────────────────────────────
# Stage 2: production — minimal runtime image
# ─────────────────────────────────────────────────────────────
FROM node:18-alpine AS production
WORKDIR /app
# Copy package files and install production dependencies only
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
# Copy compiled output from builder stage
COPY --from=builder /app/dist ./dist
# Copy migration scripts (needed for db:migrate at deploy time)
COPY --from=builder /app/scripts ./scripts
COPY src/db/migrations ./src/db/migrations
# Run as non-root user (built into node:alpine)
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]

29
docs/agntcy/README.md Normal file
View File

@@ -0,0 +1,29 @@
# AGNTCY Alignment
This folder documents how SentryAgent.ai AgentIdP aligns with the **AGNTCY** open standard for AI agent identity, interoperability, and governance.
## What is AGNTCY?
AGNTCY is an open standard from the **Linux Foundation** that defines how AI agents should be identified, authenticated, and governed — across organisations, platforms, and ecosystems.
The core premise: AI agents are **non-human identities** that need the same rigour as human identities — unique identifiers, authenticated credentials, lifecycle management, and audit trails — but designed from the ground up for autonomous software rather than bolted onto human auth systems.
## Why it matters
Without a standard like AGNTCY, every team building AI agents invents its own identity model. Agents cannot interoperate. There is no portable way to say "this agent is who it claims to be." Governance is impossible at scale.
AGNTCY solves this by defining:
- A universal **agent identity model** (what an agent identity contains)
- A **credential and authentication model** (how agents prove their identity)
- A **lifecycle model** (how agents are provisioned, suspended, and retired)
- An **audit and accountability model** (what must be logged and retained)
## SentryAgent.ai's Position
SentryAgent.ai AgentIdP implements the AGNTCY non-human identity model as a **free, open-source reference implementation** — the first of its kind. Any developer can run it, any AGNTCY-compliant system can interoperate with it.
## Documents
| Document | What it covers |
|----------|----------------|
| [Alignment Mapping](alignment.md) | Feature-by-feature mapping of AgentIdP to the AGNTCY standard |

175
docs/agntcy/alignment.md Normal file
View File

@@ -0,0 +1,175 @@
# AGNTCY Alignment Mapping
This document maps each AGNTCY standard concept to the corresponding AgentIdP implementation. It is the authoritative reference for AGNTCY compliance claims.
---
## AGNTCY Core Concepts
AGNTCY defines five foundational concepts for AI agent identity:
| AGNTCY Concept | Description |
|----------------|-------------|
| **Non-Human Identity** | Agents are first-class identities — not service accounts, not user proxies |
| **Agent Registry** | Authoritative directory of registered agent identities with stable, immutable IDs |
| **Credential Management** | Secure issuance, rotation, and revocation of agent credentials |
| **Authentication** | Standardised protocol for agents to prove their identity |
| **Lifecycle Management** | Defined states for agent provisioning, suspension, and retirement |
| **Audit and Accountability** | Immutable event log of all agent actions for governance and compliance |
---
## Implementation Mapping
### Non-Human Identity
AGNTCY requires agents to be treated as first-class identities with their own identity model — not mapped onto human user accounts.
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Unique, immutable agent identifier | `agentId` (UUID, system-assigned at registration, never changes) | ✅ Implemented |
| Human-readable stable name | `email` field — unique email-format identifier per agent | ✅ Implemented |
| Identity metadata | `agentType`, `version`, `capabilities`, `owner`, `deploymentEnv` fields | ✅ Implemented |
| Capability declaration | `capabilities` array — `resource:action` strings declaring agent permissions | ✅ Implemented |
| Identity separate from human users | Agents have their own registry, credential model, and token flow — no user accounts | ✅ Implemented |
**API endpoints:** `POST /api/v1/agents`, `GET /api/v1/agents/{agentId}`
---
### Agent Registry
AGNTCY requires a centralised, queryable registry of agent identities.
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Register new agent identity | `POST /api/v1/agents` | ✅ Implemented |
| Retrieve agent by stable ID | `GET /api/v1/agents/{agentId}` | ✅ Implemented |
| List and filter registered agents | `GET /api/v1/agents?owner=&agentType=&status=` | ✅ Implemented |
| Update agent metadata | `PATCH /api/v1/agents/{agentId}` | ✅ Implemented |
| Soft-delete retired agents (record retained) | `DELETE /api/v1/agents/{agentId}` → status: `decommissioned`, record persisted | ✅ Implemented |
| Enforce uniqueness of agent identity | `email` unique constraint — `409 AGENT_ALREADY_EXISTS` on duplicate | ✅ Implemented |
---
### Credential Management
AGNTCY requires secure credential issuance with rotation and revocation support.
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Issue agent credentials | `POST /api/v1/agents/{agentId}/credentials` — generates `client_id` + `client_secret` | ✅ Implemented |
| Secret never stored in plaintext | `client_secret` stored as bcrypt hash; plaintext returned once only | ✅ Implemented |
| Multiple active credentials per agent | An agent can hold multiple active credentials simultaneously | ✅ Implemented |
| Credential rotation | `POST /api/v1/agents/{agentId}/credentials/{credentialId}/rotate` | ✅ Implemented |
| Credential revocation | `DELETE /api/v1/agents/{agentId}/credentials/{credentialId}` | ✅ Implemented |
| Credential lifecycle tracking | `status` field: `active` / `revoked`; `revokedAt` timestamp | ✅ Implemented |
| Optional credential expiry | `expiresAt` field on credential generation | ✅ Implemented |
---
### Authentication
AGNTCY requires a standardised, interoperable authentication protocol for agents.
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Standardised auth protocol | OAuth 2.0 Client Credentials grant (RFC 6749 §4.4) | ✅ Implemented |
| Signed, verifiable tokens | RS256 JWT access tokens — any party with the public key can verify | ✅ Implemented |
| Token introspection | `POST /api/v1/token/introspect` — RFC 7662 compliant | ✅ Implemented |
| Token revocation | `POST /api/v1/token/revoke` — RFC 7009 compliant | ✅ Implemented |
| Scope-based access control | `agents:read`, `agents:write`, `tokens:read`, `audit:read` scopes | ✅ Implemented |
| Token lifetime enforcement | 1-hour JWT expiry, enforced at verification | ✅ Implemented |
| Revocation durability | Revocations persisted to PostgreSQL + Redis | ✅ Implemented |
**Token claims align with AGNTCY identity model:**
| JWT Claim | AGNTCY Meaning |
|-----------|----------------|
| `sub` | The agent's stable `agentId` — the AGNTCY non-human identity reference |
| `client_id` | The credential that authenticated this token request |
| `scope` | Declared capabilities granted for this token |
| `jti` | Unique token ID — enables precise revocation |
---
### Lifecycle Management
AGNTCY defines a mandatory lifecycle for agent identities.
| AGNTCY State | AgentIdP Status | Behaviour |
|-------------|-----------------|-----------|
| Provisioned / Active | `active` | Agent can authenticate and obtain tokens |
| Suspended | `suspended` | Agent cannot obtain new tokens; existing tokens expire naturally |
| Decommissioned / Retired | `decommissioned` | Permanent — all credentials revoked, agent cannot authenticate, record retained |
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Defined lifecycle states | `status` enum: `active`, `suspended`, `decommissioned` | ✅ Implemented |
| Irreversible decommission | `decommissioned` status cannot be reversed via API | ✅ Implemented |
| Credential cascade on decommission | All active credentials revoked when agent is decommissioned | ✅ Implemented |
| State transitions audited | Every status change writes an `agent.suspended`, `agent.reactivated`, or `agent.decommissioned` audit event | ✅ Implemented |
---
### Audit and Accountability
AGNTCY requires an immutable, queryable audit log of all significant agent actions.
| AGNTCY Requirement | AgentIdP Implementation | Status |
|--------------------|------------------------|--------|
| Immutable audit log | `audit_events` table — append-only, no API delete/update | ✅ Implemented |
| Automatic event capture | 12 event types captured automatically across all services | ✅ Implemented |
| Query and filter audit events | `GET /api/v1/audit` with filters: `agentId`, `action`, `outcome`, `fromDate`, `toDate` | ✅ Implemented |
| Retrieve individual event | `GET /api/v1/audit/{eventId}` | ✅ Implemented |
| Event retention | 90-day retention enforced at query layer (free tier) | ✅ Implemented |
| Auth failure logging | `auth.failed` event on every failed `POST /token` attempt | ✅ Implemented |
**Audited events (12 total):**
| Event | Trigger |
|-------|---------|
| `agent.created` | New agent registered |
| `agent.updated` | Agent metadata changed |
| `agent.suspended` | Agent suspended |
| `agent.reactivated` | Agent reactivated from suspended |
| `agent.decommissioned` | Agent permanently decommissioned |
| `token.issued` | Access token issued |
| `token.revoked` | Access token revoked |
| `token.introspected` | Token introspection called |
| `credential.generated` | New credentials generated |
| `credential.rotated` | Credential rotated |
| `credential.revoked` | Credential revoked |
| `auth.failed` | Authentication attempt failed |
---
## Compliance Status Summary
| AGNTCY Domain | Phase 1 Status | Notes |
|---------------|----------------|-------|
| Non-Human Identity | ✅ Fully implemented | Immutable IDs, typed metadata, capability declarations |
| Agent Registry | ✅ Fully implemented | Full CRUD, pagination, soft-delete |
| Credential Management | ✅ Fully implemented | Generate, rotate, revoke, bcrypt storage |
| Authentication | ✅ Fully implemented | OAuth 2.0 CC, RS256 JWT, introspect, revoke, scopes |
| Lifecycle Management | ✅ Fully implemented | active / suspended / decommissioned with cascades |
| Audit and Accountability | ✅ Fully implemented | 12 event types, immutable, queryable, 90-day retention |
| Federation | 🔲 Phase 2 | Cross-system agent identity federation |
| W3C DIDs | 🔲 Phase 3 | Decentralised identifier support |
| Policy Engine | 🔲 Phase 2 | OPA-based capability enforcement |
| Secret Management | 🔲 Phase 2 | HashiCorp Vault integration |
---
## Interoperability
An agent registered in AgentIdP can be identified by any AGNTCY-compliant system using its `agentId` (UUID). The JWT access token carries the `sub` claim (= `agentId`), making the agent's identity verifiable by any party that holds the AgentIdP RS256 public key.
To verify an AgentIdP token in an external system:
1. Obtain the AgentIdP RS256 public key (`JWT_PUBLIC_KEY` from the server operator)
2. Verify the JWT signature using RS256
3. The `sub` claim is the agent's stable AGNTCY-aligned identity reference
4. The `scope` claim declares the agent's authorised capabilities for this token
This is the same verification model used across all OAuth 2.0 / OIDC systems — purpose-built for machine-to-machine interoperability.

2
openspec/changes/agntcy-alignment-docs/.openspec.yaml Normal file
View File

@@ -0,0 +1,2 @@
schema: spec-driven
created: 2026-03-28

13
openspec/changes/agntcy-alignment-docs/design.md Normal file
View File

@@ -0,0 +1,13 @@
## Context
AGNTCY is the Linux Foundation open standard for AI agent identity, interoperability, and governance. AgentIdP implements the non-human identity model defined by AGNTCY. This document makes that alignment explicit and verifiable.
## Goals
- Engineers and architects can verify AGNTCY compliance without reading the full standard
- The mapping is explicit: each AGNTCY concept is matched to a specific AgentIdP API feature
- Both compliant and pending/out-of-scope items are documented honestly
## Folder: docs/agntcy/
Separate from developers/ and devops/ — this is a standards alignment reference, not a how-to guide.
## Open Questions
*(none)*

11
openspec/changes/agntcy-alignment-docs/proposal.md Normal file
View File

@@ -0,0 +1,11 @@
## Why
AGNTCY alignment documentation is a Phase 1 P1 deliverable. SentryAgent.ai positions itself as AGNTCY-compliant, but there is no document explaining what AGNTCY is, how AgentIdP maps to its model, and what that means for developers and operators adopting the platform.
## What Changes
- New `docs/agntcy/` folder
- `alignment.md` — formal mapping of AgentIdP concepts to AGNTCY standard concepts
- `README.md` — entry point explaining what AGNTCY is and why it matters
## What Does Not Change
- No source code changes
- No API changes

4
openspec/changes/agntcy-alignment-docs/specs/alignment/spec.md Normal file
View File

@@ -0,0 +1,4 @@
## ADDED Requirements
### Requirement: AGNTCY alignment docs exist at docs/agntcy/
The system SHALL provide documentation in `docs/agntcy/` explaining the AGNTCY standard and how AgentIdP implements its non-human identity model, with explicit feature-by-feature mapping.

17
openspec/changes/agntcy-alignment-docs/tasks.md Normal file
View File

@@ -0,0 +1,17 @@
## 1. docs/agntcy/README.md
- [x] 1.1 Write intro: what AGNTCY is (Linux Foundation, AI agent interoperability standard)
- [x] 1.2 Write why it matters: standardised agent identity, cross-system interoperability
- [x] 1.3 Link to alignment.md
## 2. docs/agntcy/alignment.md
- [x] 2.1 Write AGNTCY core concepts section: non-human identity, agent registry, credential management, lifecycle, audit
- [x] 2.2 Write AgentIdP implementation mapping table: each AGNTCY concept → AgentIdP feature → API endpoint
- [x] 2.3 Write compliance status section: what is implemented (Phase 1), what is pending (Phase 2+)
- [x] 2.4 Write interoperability section: how AgentIdP-registered agents can be identified by other AGNTCY-compliant systems
## 3. QA
- [x] 3.1 Verify all API endpoints referenced in the mapping table exist
- [x] 3.2 Verify compliance status is honest — no overclaiming

2
openspec/changes/dockerfile/.openspec.yaml Normal file
View File

@@ -0,0 +1,2 @@
schema: spec-driven
created: 2026-03-28

13
openspec/changes/dockerfile/design.md Normal file
View File

@@ -0,0 +1,13 @@
## Context
Node.js 18+, TypeScript compiled to `dist/`. Production image must be minimal, non-root, and use the compiled output only.
## Decisions
- Multi-stage build: `builder` stage compiles TypeScript; `production` stage copies `dist/` only
- Base image: `node:18-alpine` — minimal footprint
- Non-root user: `node` user (built into node alpine image)
- No dev dependencies in production image — only `npm ci --omit=dev`
- Health check: `wget` on `localhost:3000/health` — but no `/health` endpoint exists yet, so omit health check from Dockerfile; it is set in docker-compose.yml via pg_isready/redis-cli patterns
- `.dockerignore` excludes: `node_modules`, `dist`, `coverage`, `tests`, `.env`, `*.pem`, `vj_notes`, `.cto-workspace`, `.claude`
## Open Questions
*(none)*

11
openspec/changes/dockerfile/proposal.md Normal file
View File

@@ -0,0 +1,11 @@
## Why
The `docker-compose.yml` `app` service references a `Dockerfile` that does not exist. Docker containerisation is a Phase 1 P1 item. Without it, the full docker-compose stack cannot start and the DevOps deployment path is incomplete.
## What Changes
- New `Dockerfile` at project root — multi-stage build (builder + production)
- New `.dockerignore` — excludes `node_modules`, `dist`, test files, `.env`
- `docker-compose.yml` `app` service becomes fully functional
## What Does Not Change
- No source code changes
- No dependency changes

7
openspec/changes/dockerfile/specs/container/spec.md Normal file
View File

@@ -0,0 +1,7 @@
## ADDED Requirements
### Requirement: Dockerfile exists at project root
The system SHALL provide a multi-stage `Dockerfile` that builds the TypeScript source and produces a minimal production image running as a non-root user.
### Requirement: .dockerignore exists at project root
The system SHALL provide a `.dockerignore` that excludes development artifacts, secrets, and test files from the Docker build context.

14
openspec/changes/dockerfile/tasks.md Normal file
View File

@@ -0,0 +1,14 @@
## 1. Dockerfile
- [x] 1.1 Write multi-stage Dockerfile: builder stage (node:18-alpine, npm ci, npm run build)
- [x] 1.2 Write production stage: node:18-alpine, npm ci --omit=dev, copy dist/, USER node
- [x] 1.3 Set EXPOSE 3000, CMD ["node", "dist/server.js"]
## 2. .dockerignore
- [x] 2.1 Write .dockerignore excluding: node_modules, dist, coverage, tests, .env, *.pem, vj_notes, .cto-workspace, .claude, next_steps.md
## 3. QA
- [x] 3.1 Verify Dockerfile build stages are correct and complete
- [x] 3.2 Verify .dockerignore covers all sensitive/unnecessary files

2
openspec/changes/nodejs-sdk/.openspec.yaml Normal file
View File

@@ -0,0 +1,2 @@
schema: spec-driven
created: 2026-03-28

39
openspec/changes/nodejs-sdk/design.md Normal file
View File

@@ -0,0 +1,39 @@
## Context
The SDK wraps the AgentIdP REST API. It must handle authentication transparently — caller provides `clientId` + `clientSecret`, SDK manages token acquisition and refresh automatically.
## Architecture
- Single entrypoint: `sdk/src/index.ts` exports `AgentIdPClient` and all types
- `AgentIdPClient` constructor takes `{ baseUrl, clientId, clientSecret }`
- Internal `TokenManager` handles token acquisition, caching, and refresh (re-issues when expired)
- Four service classes: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
- `AgentIdPClient` composes all four
- HTTP: native `fetch` (Node 18+ built-in) — no axios dependency
- Types: re-exported from `sdk/src/types.ts` — mirrors the main app types
## Standards
- TypeScript strict mode, zero `any`
- DRY: shared `request()` helper handles auth header, JSON parse, error mapping
- All errors are typed `AgentIdPError` with `code` and `message`
- JSDoc on all public methods
## Package structure
```
sdk/
src/
index.ts — exports AgentIdPClient + all types
client.ts — AgentIdPClient (composes all services)
token-manager.ts — token acquisition and refresh
services/
agents.ts — AgentRegistryClient
credentials.ts — CredentialClient
token.ts — TokenClient
audit.ts — AuditClient
types.ts — all request/response types
errors.ts — AgentIdPError class
package.json
tsconfig.json
README.md
```
## Open Questions
*(none)*

13
openspec/changes/nodejs-sdk/proposal.md Normal file
View File

@@ -0,0 +1,13 @@
## Why
Bedroom developers currently must write raw HTTP calls to use AgentIdP. A Node.js SDK removes that friction — developers install one package and get a fully typed, auto-authenticating client. This is a Phase 1 P1 deliverable and a core developer experience improvement.
## What Changes
- New `sdk/` directory at project root containing a self-contained TypeScript npm package
- `AgentIdPClient` class: handles auth, token refresh, and exposes typed methods for all 14 endpoints
- Covers all four services: AgentRegistry, Credentials, Token, AuditLog
- Full TypeScript types — zero `any`, strict mode
- Published as `@sentryagent/idp-sdk` (package name)
## What Does Not Change
- No API changes
- No changes to the main application source

7
openspec/changes/nodejs-sdk/specs/client/spec.md Normal file
View File

@@ -0,0 +1,7 @@
## ADDED Requirements
### Requirement: AgentIdPClient class exists and handles auth transparently
The SDK SHALL provide an `AgentIdPClient` class that accepts `baseUrl`, `clientId`, and `clientSecret` in its constructor and manages token acquisition and refresh automatically. Callers never handle tokens directly.
### Requirement: TokenManager caches and refreshes tokens
The SDK SHALL cache the access token in memory and re-issue it via `POST /token` when it is expired or within 60 seconds of expiry. Token refresh is transparent to the caller.

7
openspec/changes/nodejs-sdk/specs/services/spec.md Normal file
View File

@@ -0,0 +1,7 @@
## ADDED Requirements
### Requirement: All 14 endpoints are wrapped as typed SDK methods
The SDK SHALL expose typed methods for all 14 AgentIdP endpoints across four service namespaces: `agents` (5 methods), `credentials` (4 methods), `token` (3 methods), `audit` (2 methods).
### Requirement: All errors are typed AgentIdPError instances
The SDK SHALL throw `AgentIdPError` with `code`, `message`, `httpStatus`, and optional `details` for all API errors. Never throw raw fetch errors.

4
openspec/changes/nodejs-sdk/specs/types/spec.md Normal file
View File

@@ -0,0 +1,4 @@
## ADDED Requirements
### Requirement: Full TypeScript types exported from sdk package
The SDK SHALL export TypeScript interfaces for all request bodies, response shapes, and error types. Zero `any` types. All types derived from the OpenAPI specs.

35
openspec/changes/nodejs-sdk/tasks.md Normal file
View File

@@ -0,0 +1,35 @@
## 1. Package Setup
- [x] 1.1 Create `sdk/` directory and `sdk/src/` subdirectories
- [x] 1.2 Write `sdk/package.json` — name: @sentryagent/idp-sdk, main, types, scripts (build, test)
- [x] 1.3 Write `sdk/tsconfig.json` — strict mode, target ES2020, declaration: true
- [x] 1.4 Write `sdk/README.md` — installation, quick example, full API reference
## 2. Types
- [x] 2.1 Write `sdk/src/types.ts` — all request/response interfaces for all 14 endpoints
- [x] 2.2 Write `sdk/src/errors.ts` — AgentIdPError class with code, message, httpStatus, details
## 3. Core Client
- [x] 3.1 Write `sdk/src/token-manager.ts` — TokenManager: acquires, caches, refreshes tokens; re-issues when exp - 60s
- [x] 3.2 Write `sdk/src/request.ts` — shared request() helper: sets Authorization header, parses JSON, maps errors to AgentIdPError
## 4. Service Clients
- [x] 4.1 Write `sdk/src/services/agents.ts` — AgentRegistryClient: registerAgent, listAgents, getAgent, updateAgent, decommissionAgent
- [x] 4.2 Write `sdk/src/services/credentials.ts` — CredentialClient: generateCredential, listCredentials, rotateCredential, revokeCredential
- [x] 4.3 Write `sdk/src/services/token.ts` — TokenClient: introspectToken, revokeToken (issueToken handled by TokenManager)
- [x] 4.4 Write `sdk/src/services/audit.ts` — AuditClient: queryAuditLog, getAuditEvent
## 5. Main Entry Point
- [x] 5.1 Write `sdk/src/client.ts` — AgentIdPClient: composes all service clients, exposes agents, credentials, token, audit namespaces
- [x] 5.2 Write `sdk/src/index.ts` — exports AgentIdPClient and all public types
## 6. QA
- [x] 6.1 Verify TypeScript compiles with zero errors (npm run build in sdk/)
- [x] 6.2 Verify zero `any` types across all SDK files
- [x] 6.3 Verify all 14 endpoints have corresponding SDK methods
- [x] 6.4 Verify AgentIdPError is thrown (not raw errors) for all failure paths

196
sdk/README.md Normal file
View File

@@ -0,0 +1,196 @@
# @sentryagent/idp-sdk
Node.js SDK for the [SentryAgent.ai AgentIdP](https://sentryagent.ai) — the open-source Identity Provider for AI agents.
Handles token acquisition and caching automatically. Covers all 14 AgentIdP API endpoints.
---
## Requirements
- Node.js 18 or later (uses native `fetch`)
- A running AgentIdP server
- A registered agent with a valid `clientId` and `clientSecret`
---
## Installation
```bash
npm install @sentryagent/idp-sdk
```
---
## Quick start
```typescript
import { AgentIdPClient } from '@sentryagent/idp-sdk';
const client = new AgentIdPClient({
baseUrl: 'http://localhost:3000',
clientId: 'your-agent-id', // the agent's agentId (UUID)
clientSecret: 'your-client-secret',
});
// List agents — token is acquired and cached automatically
const { data: agents } = await client.agents.listAgents();
console.log(agents);
```
---
## Configuration
```typescript
const client = new AgentIdPClient({
baseUrl: 'http://localhost:3000',
clientId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
clientSecret: 'your-client-secret',
// Optional: restrict scopes. Defaults to all four scopes.
scopes: ['agents:read', 'tokens:read'],
});
```
| Option | Required | Description |
|--------|----------|-------------|
| `baseUrl` | Yes | Base URL of the AgentIdP server |
| `clientId` | Yes | The agent's `agentId` (UUID) |
| `clientSecret` | Yes | The credential secret |
| `scopes` | No | OAuth 2.0 scopes to request. Defaults to all four. |
---
## Token management
The SDK fetches and caches access tokens automatically. A new token is requested when the cached token is within 60 seconds of expiry.
```typescript
// Force a fresh token on the next request (e.g. after rotating credentials)
client.clearTokenCache();
```
---
## Agent Registry
```typescript
// Register a new agent
const agent = await client.agents.registerAgent({
email: 'classifier-v2@myorg.ai',
agentType: 'classifier',
version: '2.0.0',
capabilities: ['text-classification', 'sentiment-analysis'],
owner: 'platform-team',
deploymentEnv: 'production',
});
console.log(agent.agentId); // UUID assigned by AgentIdP
// List agents
const { data, total } = await client.agents.listAgents({ status: 'active', limit: 20 });
// Get a single agent
const agent = await client.agents.getAgent('a1b2c3d4-...');
// Update an agent
const updated = await client.agents.updateAgent('a1b2c3d4-...', {
version: '2.1.0',
capabilities: ['text-classification', 'sentiment-analysis', 'intent-detection'],
});
// Decommission (irreversible)
await client.agents.decommissionAgent('a1b2c3d4-...');
```
---
## Credentials
```typescript
// Generate a credential — clientSecret shown once, store it securely
const cred = await client.credentials.generateCredential('a1b2c3d4-...');
console.log(cred.clientSecret); // only available here
// List credentials
const { data: creds } = await client.credentials.listCredentials('a1b2c3d4-...');
// Rotate — same credentialId, new secret, old secret immediately invalid
const rotated = await client.credentials.rotateCredential('a1b2c3d4-...', 'cred-uuid');
console.log(rotated.clientSecret); // new secret — store immediately
// Revoke
await client.credentials.revokeCredential('a1b2c3d4-...', 'cred-uuid');
```
---
## Token operations
```typescript
// Introspect — check whether a token is active
const result = await client.tokens.introspectToken(someToken);
if (result.active) {
console.log('Token is valid, expires at', result.exp);
} else {
console.log('Token is expired or revoked');
}
// Revoke — immediately invalidates the token
await client.tokens.revokeToken(someToken);
```
---
## Audit log
```typescript
// Query audit events
const { data: events } = await client.audit.queryAuditLog({
agentId: 'a1b2c3d4-...',
action: 'token.issued',
outcome: 'success',
fromDate: '2026-03-01T00:00:00Z',
toDate: '2026-03-31T23:59:59Z',
limit: 50,
});
// Get a single event
const event = await client.audit.getAuditEvent('event-uuid');
```
---
## Error handling
All API errors are thrown as `AgentIdPError`:
```typescript
import { AgentIdPClient, AgentIdPError } from '@sentryagent/idp-sdk';
try {
await client.agents.getAgent('non-existent-id');
} catch (err) {
if (err instanceof AgentIdPError) {
console.error(err.code); // e.g. 'AgentNotFoundError'
console.error(err.httpStatus); // e.g. 404
console.error(err.message); // human-readable description
}
}
```
---
## Available scopes
| Scope | What it allows |
|-------|----------------|
| `agents:read` | Read agent records |
| `agents:write` | Create, update, decommission agents |
| `tokens:read` | Introspect tokens |
| `audit:read` | Query audit logs |
---
## License
Apache 2.0 — see [LICENSE](../LICENSE) in the repository root.

22
sdk/package.json Normal file
View File

@@ -0,0 +1,22 @@
{
"name": "@sentryagent/idp-sdk",
"version": "1.0.0",
"description": "Node.js SDK for SentryAgent.ai AgentIdP — typed client for agent identity management",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"scripts": {
"build": "tsc",
"prepublishOnly": "npm run build"
},
"files": [
"dist/"
],
"keywords": ["sentryagent", "agentidp", "agntcy", "ai-agent", "identity"],
"license": "MIT",
"engines": {
"node": ">=18.0.0"
},
"devDependencies": {
"typescript": "^5.4.5"
}
}

66
sdk/src/client.ts Normal file
View File

@@ -0,0 +1,66 @@
import { TokenManager } from './token-manager.js';
import { AgentRegistryClient } from './services/agents.js';
import { CredentialClient } from './services/credentials.js';
import { TokenClient } from './services/token.js';
import { AuditClient } from './services/audit.js';
import type { AgentIdPClientConfig, OAuthScope } from './types.js';
/**
* Top-level client for the SentryAgent.ai AgentIdP API.
*
* Composes all service clients under a single entry point.
* Handles token acquisition and caching automatically via TokenManager.
*
* @example
* ```typescript
* const client = new AgentIdPClient({
* baseUrl: 'http://localhost:3000',
* clientId: 'your-agent-id',
* clientSecret: 'your-client-secret',
* });
*
* const agents = await client.agents.listAgents();
* ```
*/
export class AgentIdPClient {
/** Agent Registry operations: register, list, get, update, decommission. */
readonly agents: AgentRegistryClient;
/** Credential operations: generate, list, rotate, revoke. */
readonly credentials: CredentialClient;
/** Token operations: introspect, revoke. */
readonly tokens: TokenClient;
/** Audit log operations: query, get event. */
readonly audit: AuditClient;
private readonly tokenManager: TokenManager;
constructor(config: AgentIdPClientConfig) {
const defaultScopes: OAuthScope[] = ['agents:read', 'agents:write', 'tokens:read', 'audit:read'];
const scopes = (config.scopes ?? defaultScopes).join(' ');
this.tokenManager = new TokenManager(
config.baseUrl,
config.clientId,
config.clientSecret,
scopes,
);
const getToken = () => this.tokenManager.getToken();
this.agents = new AgentRegistryClient(config.baseUrl, getToken);
this.credentials = new CredentialClient(config.baseUrl, getToken);
this.tokens = new TokenClient(config.baseUrl, getToken);
this.audit = new AuditClient(config.baseUrl, getToken);
}
/**
* Clear the cached access token. The next API call will request a new token.
* Use this after rotating credentials or when you suspect the token is stale.
*/
clearTokenCache(): void {
this.tokenManager.clearCache();
}
}

71
sdk/src/errors.ts Normal file
View File

@@ -0,0 +1,71 @@
/**
* Error types for the SentryAgent.ai AgentIdP SDK.
*/
/** Standard error response shape from the AgentIdP API. */
interface ApiErrorBody {
code: string;
message: string;
details?: Record<string, unknown>;
}
/** OAuth 2.0 error response shape from the token endpoint. */
interface OAuth2ErrorBody {
error: string;
error_description: string;
}
/**
* Typed error thrown by the AgentIdP SDK for all API failures.
* Never throws raw fetch errors or untyped exceptions.
*/
export class AgentIdPError extends Error {
/** Machine-readable error code from the API (e.g. AGENT_NOT_FOUND). */
readonly code: string;
/** HTTP status code of the failed response. */
readonly httpStatus: number;
/** Optional structured details from the API error response. */
readonly details?: Record<string, unknown>;
constructor(code: string, message: string, httpStatus: number, details?: Record<string, unknown>) {
super(message);
this.name = 'AgentIdPError';
this.code = code;
this.httpStatus = httpStatus;
this.details = details;
}
/**
* Creates an AgentIdPError from a standard API error response body.
* Accepts unknown to allow callers to pass raw parsed JSON without pre-casting.
*
* @param body - Parsed API error response (or unknown).
* @param httpStatus - HTTP status code.
* @returns AgentIdPError instance.
*/
static fromApiError(body: unknown, httpStatus: number): AgentIdPError {
if (
typeof body === 'object' &&
body !== null &&
'code' in body &&
'message' in body &&
typeof (body as ApiErrorBody).code === 'string' &&
typeof (body as ApiErrorBody).message === 'string'
) {
const typed = body as ApiErrorBody;
return new AgentIdPError(typed.code, typed.message, httpStatus, typed.details);
}
return new AgentIdPError('UNKNOWN_ERROR', String(body), httpStatus);
}
/**
* Creates an AgentIdPError from an OAuth 2.0 error response body.
*
* @param body - Parsed OAuth2 error response.
* @param httpStatus - HTTP status code.
* @returns AgentIdPError instance.
*/
static fromOAuth2Error(body: OAuth2ErrorBody, httpStatus: number): AgentIdPError {
return new AgentIdPError(body.error, body.error_description, httpStatus);
}
}

35
sdk/src/index.ts Normal file
View File

@@ -0,0 +1,35 @@
export { AgentIdPClient } from './client.js';
export { AgentIdPError } from './errors.js';
export { TokenManager } from './token-manager.js';
export type {
// Config
AgentIdPClientConfig,
// Enums / union types
AgentType,
AgentStatus,
DeploymentEnv,
CredentialStatus,
OAuthScope,
AuditAction,
AuditOutcome,
// Agent Registry
Agent,
RegisterAgentRequest,
UpdateAgentRequest,
ListAgentsParams,
PaginatedAgents,
// Credentials
Credential,
CredentialWithSecret,
GenerateCredentialRequest,
ListCredentialsParams,
PaginatedCredentials,
// Tokens
TokenResponse,
IntrospectResponse,
// Audit
AuditEvent,
QueryAuditLogParams,
PaginatedAuditEvents,
} from './types.js';

72
sdk/src/request.ts Normal file
View File

@@ -0,0 +1,72 @@
import { AgentIdPError } from './errors.js';
type HttpMethod = 'GET' | 'POST' | 'PATCH' | 'DELETE';
interface RequestOptions {
method: HttpMethod;
path: string;
token: string;
body?: unknown;
query?: Record<string, string | number | boolean | undefined>;
}
/**
* Shared HTTP request helper for all AgentIdP API calls.
* Sets Authorization header, serialises JSON body, parses response,
* and maps API error shapes to AgentIdPError.
*/
export async function request<T>(baseUrl: string, opts: RequestOptions): Promise<T> {
const url = new URL(opts.path, baseUrl);
if (opts.query) {
for (const [key, value] of Object.entries(opts.query)) {
if (value !== undefined) {
url.searchParams.set(key, String(value));
}
}
}
const headers: Record<string, string> = {
Authorization: `Bearer ${opts.token}`,
Accept: 'application/json',
};
let bodyPayload: string | undefined;
if (opts.body !== undefined) {
headers['Content-Type'] = 'application/json';
bodyPayload = JSON.stringify(opts.body);
}
let response: Response;
try {
response = await fetch(url.toString(), {
method: opts.method,
headers,
body: bodyPayload,
});
} catch (err) {
throw new AgentIdPError(
'NETWORK_ERROR',
`Network error: ${err instanceof Error ? err.message : String(err)}`,
0,
);
}
if (response.status === 204) {
return undefined as unknown as T;
}
let data: unknown;
const contentType = response.headers.get('content-type') ?? '';
if (contentType.includes('application/json')) {
data = await response.json();
} else {
data = await response.text();
}
if (!response.ok) {
throw AgentIdPError.fromApiError(data, response.status);
}
return data as T;
}

90
sdk/src/services/agents.ts Normal file
View File

@@ -0,0 +1,90 @@
import { request } from '../request.js';
import type {
Agent,
RegisterAgentRequest,
UpdateAgentRequest,
ListAgentsParams,
PaginatedAgents,
} from '../types.js';
/**
* Client for the Agent Registry service.
* Covers all agent CRUD operations: register, list, get, update, decommission.
*/
export class AgentRegistryClient {
constructor(
private readonly baseUrl: string,
private readonly getToken: () => Promise<string>,
) {}
/**
* Register a new AI agent.
* Returns the created agent record including its agentId and agentSecret.
*/
async registerAgent(params: RegisterAgentRequest): Promise<Agent> {
const token = await this.getToken();
return request<Agent>(this.baseUrl, {
method: 'POST',
path: '/api/v1/agents',
token,
body: params,
});
}
/**
* List all registered agents with optional filters and pagination.
*/
async listAgents(params: ListAgentsParams = {}): Promise<PaginatedAgents> {
const token = await this.getToken();
return request<PaginatedAgents>(this.baseUrl, {
method: 'GET',
path: '/api/v1/agents',
token,
query: {
status: params.status,
agentType: params.agentType,
page: params.page,
limit: params.limit,
},
});
}
/**
* Get a single agent by its agentId.
*/
async getAgent(agentId: string): Promise<Agent> {
const token = await this.getToken();
return request<Agent>(this.baseUrl, {
method: 'GET',
path: `/api/v1/agents/${agentId}`,
token,
});
}
/**
* Update mutable fields on an existing agent (name, description, capabilities, metadata).
* Returns the updated agent record.
*/
async updateAgent(agentId: string, params: UpdateAgentRequest): Promise<Agent> {
const token = await this.getToken();
return request<Agent>(this.baseUrl, {
method: 'PATCH',
path: `/api/v1/agents/${agentId}`,
token,
body: params,
});
}
/**
* Decommission an agent. This is irreversible — the agent can no longer
* authenticate or obtain tokens after decommission.
*/
async decommissionAgent(agentId: string): Promise<void> {
const token = await this.getToken();
return request<void>(this.baseUrl, {
method: 'DELETE',
path: `/api/v1/agents/${agentId}`,
token,
});
}
}

48
sdk/src/services/audit.ts Normal file
View File

@@ -0,0 +1,48 @@
import { request } from '../request.js';
import type { AuditEvent, QueryAuditLogParams, PaginatedAuditEvents } from '../types.js';
/**
* Client for the Audit Log service.
* Covers querying the audit event list and fetching individual events.
*/
export class AuditClient {
constructor(
private readonly baseUrl: string,
private readonly getToken: () => Promise<string>,
) {}
/**
* Query audit log events with optional filters and pagination.
* Events are retained for 90 days. Requires `audit:read` scope.
*/
async queryAuditLog(params: QueryAuditLogParams = {}): Promise<PaginatedAuditEvents> {
const token = await this.getToken();
return request<PaginatedAuditEvents>(this.baseUrl, {
method: 'GET',
path: '/api/v1/audit',
token,
query: {
agentId: params.agentId,
action: params.action,
outcome: params.outcome,
fromDate: params.fromDate,
toDate: params.toDate,
page: params.page,
limit: params.limit,
},
});
}
/**
* Get a single audit event by its eventId.
* Requires `audit:read` scope.
*/
async getAuditEvent(eventId: string): Promise<AuditEvent> {
const token = await this.getToken();
return request<AuditEvent>(this.baseUrl, {
method: 'GET',
path: `/api/v1/audit/${eventId}`,
token,
});
}
}

83
sdk/src/services/credentials.ts Normal file
View File

@@ -0,0 +1,83 @@
import { request } from '../request.js';
import type {
Credential,
CredentialWithSecret,
GenerateCredentialRequest,
ListCredentialsParams,
PaginatedCredentials,
} from '../types.js';
/**
* Client for the Credential Management service.
* Covers generate, list, rotate, and revoke operations for agent credentials.
*/
export class CredentialClient {
constructor(
private readonly baseUrl: string,
private readonly getToken: () => Promise<string>,
) {}
/**
* Generate a new credential for an agent.
* The `clientSecret` in the response is shown ONCE — store it securely immediately.
*/
async generateCredential(
agentId: string,
params: GenerateCredentialRequest = {},
): Promise<CredentialWithSecret> {
const token = await this.getToken();
return request<CredentialWithSecret>(this.baseUrl, {
method: 'POST',
path: `/api/v1/agents/${agentId}/credentials`,
token,
body: Object.keys(params).length > 0 ? params : undefined,
});
}
/**
* List all credentials for an agent with optional pagination.
* Secrets are never returned in list responses.
*/
async listCredentials(
agentId: string,
params: ListCredentialsParams = {},
): Promise<PaginatedCredentials> {
const token = await this.getToken();
return request<PaginatedCredentials>(this.baseUrl, {
method: 'GET',
path: `/api/v1/agents/${agentId}/credentials`,
token,
query: {
page: params.page,
limit: params.limit,
},
});
}
/**
* Rotate a credential. The same credentialId is retained but a new secret is issued.
* The old secret is immediately invalidated upon rotation.
* The new `clientSecret` is shown ONCE — store it securely immediately.
*/
async rotateCredential(agentId: string, credentialId: string): Promise<CredentialWithSecret> {
const token = await this.getToken();
return request<CredentialWithSecret>(this.baseUrl, {
method: 'POST',
path: `/api/v1/agents/${agentId}/credentials/${credentialId}/rotate`,
token,
});
}
/**
* Revoke a credential. Any tokens previously issued with this credential
* remain valid until they expire — use token revocation to invalidate them immediately.
*/
async revokeCredential(agentId: string, credentialId: string): Promise<Credential> {
const token = await this.getToken();
return request<Credential>(this.baseUrl, {
method: 'DELETE',
path: `/api/v1/agents/${agentId}/credentials/${credentialId}`,
token,
});
}
}

80
sdk/src/services/token.ts Normal file
View File

@@ -0,0 +1,80 @@
import { request } from '../request.js';
import { AgentIdPError } from '../errors.js';
import type { IntrospectResponse } from '../types.js';
/**
* Client for OAuth 2.0 token operations (introspect and revoke).
* Token issuance is handled separately by TokenManager.
*/
export class TokenClient {
constructor(
private readonly baseUrl: string,
private readonly getToken: () => Promise<string>,
) {}
/**
* Introspect a token to check whether it is currently active.
* Always returns 200 — check the `active` field to determine validity.
* Requires a Bearer token with `tokens:read` scope.
*/
async introspectToken(tokenToCheck: string): Promise<IntrospectResponse> {
const token = await this.getToken();
const body = new URLSearchParams({ token: tokenToCheck });
let response: Response;
try {
response = await fetch(new URL('/api/v1/token/introspect', this.baseUrl).toString(), {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/x-www-form-urlencoded',
},
body: body.toString(),
});
} catch (err) {
throw new AgentIdPError(
'NETWORK_ERROR',
`Network error: ${err instanceof Error ? err.message : String(err)}`,
0,
);
}
const data: unknown = await response.json();
if (!response.ok) {
throw AgentIdPError.fromApiError(data, response.status);
}
return data as IntrospectResponse;
}
/**
* Revoke a token immediately. Idempotent — revoking an already-revoked
* or expired token is not an error (RFC 7009).
*/
async revokeToken(tokenToRevoke: string): Promise<void> {
const token = await this.getToken();
const body = new URLSearchParams({ token: tokenToRevoke });
let response: Response;
try {
response = await fetch(new URL('/api/v1/token/revoke', this.baseUrl).toString(), {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/x-www-form-urlencoded',
},
body: body.toString(),
});
} catch (err) {
throw new AgentIdPError(
'NETWORK_ERROR',
`Network error: ${err instanceof Error ? err.message : String(err)}`,
0,
);
}
if (!response.ok) {
const data: unknown = await response.json();
throw AgentIdPError.fromApiError(data, response.status);
}
}
}

97
sdk/src/token-manager.ts Normal file
View File

@@ -0,0 +1,97 @@
/**
* TokenManager — handles OAuth 2.0 token acquisition, caching, and refresh.
* Tokens are re-issued automatically when expired or within 60 seconds of expiry.
*/
import { AgentIdPError } from './errors.js';
import { TokenResponse } from './types.js';
/** Seconds before expiry at which a token refresh is triggered. */
const REFRESH_BUFFER_SECONDS = 60;
interface CachedToken {
accessToken: string;
expiresAt: number; // Unix seconds
}
/**
* Manages token acquisition and caching for the AgentIdP SDK.
* Callers request a token via `getToken()` — the manager handles issuance and refresh transparently.
*/
export class TokenManager {
private cached: CachedToken | null = null;
/**
* @param baseUrl - AgentIdP API base URL.
* @param clientId - The agent's clientId (agentId UUID).
* @param clientSecret - The agent's clientSecret.
* @param scopes - Space-separated OAuth 2.0 scopes to request.
*/
constructor(
private readonly baseUrl: string,
private readonly clientId: string,
private readonly clientSecret: string,
private readonly scopes: string,
) {}
/**
* Returns a valid access token.
* Acquires a new token if none is cached or the cached token is near expiry.
*
* @returns A valid JWT access token string.
* @throws AgentIdPError if token acquisition fails.
*/
async getToken(): Promise<string> {
const now = Math.floor(Date.now() / 1000);
if (this.cached && this.cached.expiresAt - now > REFRESH_BUFFER_SECONDS) {
return this.cached.accessToken;
}
const token = await this.issueToken();
this.cached = {
accessToken: token.access_token,
expiresAt: now + token.expires_in,
};
return this.cached.accessToken;
}
/**
* Calls POST /token to issue a new access token.
*
* @returns TokenResponse from the API.
* @throws AgentIdPError on authentication failure or API error.
*/
private async issueToken(): Promise<TokenResponse> {
const body = new URLSearchParams({
grant_type: 'client_credentials',
client_id: this.clientId,
client_secret: this.clientSecret,
scope: this.scopes,
});
const response = await fetch(`${this.baseUrl}/api/v1/token`, {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: body.toString(),
});
const data = (await response.json()) as Record<string, unknown>;
if (!response.ok) {
const errorBody = data as { error: string; error_description: string };
throw AgentIdPError.fromOAuth2Error(
{ error: String(errorBody.error ?? 'unknown_error'), error_description: String(errorBody.error_description ?? 'Token request failed.') },
response.status,
);
}
return data as unknown as TokenResponse;
}
/** Clears the cached token, forcing re-acquisition on next getToken() call. */
clearCache(): void {
this.cached = null;
}
}

217
sdk/src/types.ts Normal file
View File

@@ -0,0 +1,217 @@
/**
* TypeScript types for the SentryAgent.ai AgentIdP SDK.
* All request and response shapes derived from the AgentIdP OpenAPI 3.0 specs.
*/
// ─────────────────────────────────────────────────────────────────────────────
// Shared enums
// ─────────────────────────────────────────────────────────────────────────────
/** Functional classification of an AI agent. */
export type AgentType =
| 'screener'
| 'classifier'
| 'orchestrator'
| 'extractor'
| 'summarizer'
| 'router'
| 'monitor'
| 'custom';
/** Lifecycle status of an AI agent. */
export type AgentStatus = 'active' | 'suspended' | 'decommissioned';
/** Target deployment environment. */
export type DeploymentEnv = 'development' | 'staging' | 'production';
/** Lifecycle status of a credential. */
export type CredentialStatus = 'active' | 'revoked';
/** OAuth 2.0 scopes supported by AgentIdP. */
export type OAuthScope = 'agents:read' | 'agents:write' | 'tokens:read' | 'audit:read';
/** Audit event action types. */
export type AuditAction =
| 'agent.created'
| 'agent.updated'
| 'agent.decommissioned'
| 'agent.suspended'
| 'agent.reactivated'
| 'token.issued'
| 'token.revoked'
| 'token.introspected'
| 'credential.generated'
| 'credential.rotated'
| 'credential.revoked'
| 'auth.failed';
/** Outcome of an audited action. */
export type AuditOutcome = 'success' | 'failure';
// ─────────────────────────────────────────────────────────────────────────────
// Agent Registry
// ─────────────────────────────────────────────────────────────────────────────
/** A registered AI agent identity. */
export interface Agent {
agentId: string;
email: string;
agentType: AgentType;
version: string;
capabilities: string[];
owner: string;
deploymentEnv: DeploymentEnv;
status: AgentStatus;
createdAt: string;
updatedAt: string;
}
/** Request body for registering a new agent. */
export interface RegisterAgentRequest {
email: string;
agentType: AgentType;
version: string;
capabilities: string[];
owner: string;
deploymentEnv: DeploymentEnv;
}
/** Request body for updating agent metadata (all fields optional). */
export interface UpdateAgentRequest {
agentType?: AgentType;
version?: string;
capabilities?: string[];
owner?: string;
deploymentEnv?: DeploymentEnv;
status?: AgentStatus;
}
/** Query parameters for listing agents. */
export interface ListAgentsParams {
page?: number;
limit?: number;
owner?: string;
agentType?: AgentType;
status?: AgentStatus;
}
/** Paginated list of agents. */
export interface PaginatedAgents {
data: Agent[];
total: number;
page: number;
limit: number;
}
// ─────────────────────────────────────────────────────────────────────────────
// Credential Management
// ─────────────────────────────────────────────────────────────────────────────
/** A credential record (clientSecret never included). */
export interface Credential {
credentialId: string;
clientId: string;
status: CredentialStatus;
createdAt: string;
expiresAt: string | null;
revokedAt: string | null;
}
/** A credential record with the plain-text secret — returned once only on create/rotate. */
export interface CredentialWithSecret extends Credential {
clientSecret: string;
}
/** Optional request body for generating or rotating a credential. */
export interface GenerateCredentialRequest {
expiresAt?: string;
}
/** Query parameters for listing credentials. */
export interface ListCredentialsParams {
page?: number;
limit?: number;
status?: CredentialStatus;
}
/** Paginated list of credentials. */
export interface PaginatedCredentials {
data: Credential[];
total: number;
page: number;
limit: number;
}
// ─────────────────────────────────────────────────────────────────────────────
// OAuth 2.0 Tokens
// ─────────────────────────────────────────────────────────────────────────────
/** OAuth 2.0 access token response. */
export interface TokenResponse {
access_token: string;
token_type: 'Bearer';
expires_in: number;
scope: string;
}
/** Token introspection response (RFC 7662). */
export interface IntrospectResponse {
active: boolean;
sub?: string;
client_id?: string;
scope?: string;
token_type?: string;
iat?: number;
exp?: number;
}
// ─────────────────────────────────────────────────────────────────────────────
// Audit Log
// ─────────────────────────────────────────────────────────────────────────────
/** An immutable audit event record. */
export interface AuditEvent {
eventId: string;
agentId: string;
action: AuditAction;
outcome: AuditOutcome;
ipAddress: string;
userAgent: string;
metadata: Record<string, unknown>;
timestamp: string;
}
/** Query parameters for the audit log. */
export interface QueryAuditLogParams {
page?: number;
limit?: number;
agentId?: string;
action?: AuditAction;
outcome?: AuditOutcome;
fromDate?: string;
toDate?: string;
}
/** Paginated list of audit events. */
export interface PaginatedAuditEvents {
data: AuditEvent[];
total: number;
page: number;
limit: number;
}
// ─────────────────────────────────────────────────────────────────────────────
// SDK Config
// ─────────────────────────────────────────────────────────────────────────────
/** Configuration for AgentIdPClient. */
export interface AgentIdPClientConfig {
/** Base URL of the AgentIdP server, e.g. http://localhost:3000/api/v1 */
baseUrl: string;
/** The agent's clientId (agentId UUID). */
clientId: string;
/** The agent's clientSecret. */
clientSecret: string;
/** OAuth 2.0 scopes to request. Defaults to all scopes. */
scopes?: OAuthScope[];
}

18
sdk/tsconfig.json Normal file
View File

@@ -0,0 +1,18 @@
{
"compilerOptions": {
"target": "ES2020",
"module": "commonjs",
"lib": ["ES2020"],
"outDir": "./dist",
"rootDir": "./src",
"strict": true,
"declaration": true,
"declarationMap": true,
"sourceMap": true,
"esModuleInterop": true,
"skipLibCheck": true,
"forceConsistentCasingInFileNames": true
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist"]
}