feat: Phase 1 P1 — Dockerfile, AGNTCY alignment docs, Node.js SDK

Three remaining Phase 1 P1 deliverables: 1. Dockerfile — multi-stage build (builder + production), node:18-alpine, non-root USER node, .dockerignore excluding secrets and dev artifacts 2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted 3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed error hierarchy, full README All three changes tracked under openspec/changes/ with tasks marked complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 14:46:53 +00:00
parent d94a8cedc0
commit aa5167835e
34 changed files with 1572 additions and 0 deletions
--- a/sdk/src/services/token.ts
+++ b/sdk/src/services/token.ts
@@ -0,0 +1,80 @@
+import { request } from '../request.js';
+import { AgentIdPError } from '../errors.js';
+import type { IntrospectResponse } from '../types.js';
+
+/**
+ * Client for OAuth 2.0 token operations (introspect and revoke).
+ * Token issuance is handled separately by TokenManager.
+ */
+export class TokenClient {
+  constructor(
+    private readonly baseUrl: string,
+    private readonly getToken: () => Promise<string>,
+  ) {}
+
+  /**
+   * Introspect a token to check whether it is currently active.
+   * Always returns 200 — check the `active` field to determine validity.
+   * Requires a Bearer token with `tokens:read` scope.
+   */
+  async introspectToken(tokenToCheck: string): Promise<IntrospectResponse> {
+    const token = await this.getToken();
+    const body = new URLSearchParams({ token: tokenToCheck });
+
+    let response: Response;
+    try {
+      response = await fetch(new URL('/api/v1/token/introspect', this.baseUrl).toString(), {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: body.toString(),
+      });
+    } catch (err) {
+      throw new AgentIdPError(
+        'NETWORK_ERROR',
+        `Network error: ${err instanceof Error ? err.message : String(err)}`,
+        0,
+      );
+    }
+
+    const data: unknown = await response.json();
+    if (!response.ok) {
+      throw AgentIdPError.fromApiError(data, response.status);
+    }
+    return data as IntrospectResponse;
+  }
+
+  /**
+   * Revoke a token immediately. Idempotent — revoking an already-revoked
+   * or expired token is not an error (RFC 7009).
+   */
+  async revokeToken(tokenToRevoke: string): Promise<void> {
+    const token = await this.getToken();
+    const body = new URLSearchParams({ token: tokenToRevoke });
+
+    let response: Response;
+    try {
+      response = await fetch(new URL('/api/v1/token/revoke', this.baseUrl).toString(), {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: body.toString(),
+      });
+    } catch (err) {
+      throw new AgentIdPError(
+        'NETWORK_ERROR',
+        `Network error: ${err instanceof Error ? err.message : String(err)}`,
+        0,
+      );
+    }
+
+    if (!response.ok) {
+      const data: unknown = await response.json();
+      throw AgentIdPError.fromApiError(data, response.status);
+    }
+  }
+}