Documentation
Types
type AuthIdentity
type AuthIdentity struct {
    Name   string // token name (bearer) or username (session)
    Role   string
    Method string // "bearer", "session", "none"
}
AuthIdentity carries the authenticated caller's identity through the request context for audit logging and downstream authorization.
func AuthIdentityFromRequest
func AuthIdentityFromRequest(r *http.Request) (AuthIdentity, bool)
AuthIdentityFromRequest extracts the authenticated identity from the request context, if present.
type IdentityAuthorizer (added in v0.4.0)
type IdentityAuthorizer interface {
    RequestAuthorizer
    AuthorizeWithIdentity(r *http.Request, requiredRole string) (allowed bool, statusCode int, message string, identity AuthIdentity)
}
IdentityAuthorizer is an optional extension implemented by authorizers that can also return the authenticated principal identity.
type RequestAuthorizer
type RequestAuthorizer interface {
    Authorize(r *http.Request, requiredRole string) (allowed bool, statusCode int, message string)
}
RequestAuthorizer evaluates API authorization for one request+required role.
func NewAPIKeyAuthorizer
func NewAPIKeyAuthorizer(key string) RequestAuthorizer
NewAPIKeyAuthorizer returns an authorizer that validates a single API key as an admin bearer token. When key is empty, auth is disabled (all requests pass). This is intended for the --api-key CLI flag.
type ResourceAuthorizer
type ResourceAuthorizer interface {
    AuthorizeResource(r *http.Request, method, resourceType, namespace, name string) (allowed bool, statusCode int, message string)
}
ResourceAuthorizer is an optional extension point for fine-grained access control beyond the built-in role check. A custom authorization layer can implement this interface to enforce per-namespace, per-resource-type, or per-user policies. Nil by default (all access permitted after the role check passes).
The method, resourceType, namespace, and name describe the operation. resourceType is the API resource kind (e.g. "Agent", "Secret", "Task"). The namespace and name may be empty for list/create operations.
Returning (true, 0, "") allows the request. Returning (false, statusCode, message) rejects it.
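One way to implement this hook as a default-deny, per-namespace policy (an added example, not code from this package). NamespacePolicy, callerKey, decide and demoPolicy are hypothetical names; the interface is repeated locally so the file compiles alone, and a context value stands in for AuthIdentityFromRequest.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ResourceAuthorizer repeats the interface documented above so this file compiles alone.
type ResourceAuthorizer interface {
	AuthorizeResource(r *http.Request, method, resourceType, namespace, name string) (allowed bool, statusCode int, message string)
}
type callerKey struct{} // hypothetical context key; stands in for AuthIdentityFromRequest

// NamespacePolicy (hypothetical) is default-deny: every caller needs an explicit grant.
type NamespacePolicy struct {
	Namespaces   map[string]map[string]bool // caller -> namespace ("*" = all) -> granted
	SecretAccess map[string]bool            // callers allowed to touch resourceType "Secret"
}

func (p NamespacePolicy) AuthorizeResource(r *http.Request, method, resourceType, namespace, name string) (bool, int, string) {
	caller, _ := r.Context().Value(callerKey{}).(string)
	if caller == "" {
		return false, http.StatusUnauthorized, "no authenticated identity"
	}
	if resourceType == "Secret" && !p.SecretAccess[caller] {
		return false, http.StatusForbidden, "Secret access not granted"
	}
	// An empty namespace (list/create) spans all namespaces, so it needs the "*" grant.
	if g := p.Namespaces[caller]; g["*"] || (namespace != "" && g[namespace]) {
		return true, 0, ""
	}
	return false, http.StatusForbidden, fmt.Sprintf("%s %s denied in namespace %q", method, resourceType, namespace)
}

// decide sends one constructed request through a and returns the status code (0 = allowed).
func decide(a ResourceAuthorizer, caller, method, kind, ns string) int {
	r := httptest.NewRequest(method, "/", nil).WithContext(context.WithValue(context.Background(), callerKey{}, caller))
	_, code, _ := a.AuthorizeResource(r, method, kind, ns, "")
	return code
}

var demoPolicy = NamespacePolicy{ // constructed sample grants
	Namespaces:   map[string]map[string]bool{"ci-bot": {"staging": true}, "ops": {"*": true}},
	SecretAccess: map[string]bool{"ops": true},
}

func main() {
	fmt.Println(decide(demoPolicy, "ci-bot", "GET", "Agent", "staging"), decide(demoPolicy, "ci-bot", "GET", "Agent", ""))
}
```

Treating an empty namespace as a request for every namespace is a choice made in this example; the page only states that the value may be empty for list/create operations.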
type Server
type Server struct {
    // contains filtered or unexported fields
}
Server exposes CRUD endpoints for control plane resources.
func NewServerWithOptions
func NewServerWithOptions(stores Stores, runtime *agentruntime.Manager, logger *log.Logger, opts ServerOptions) *Server
func (*Server) SetEventBus
func (*Server) SetMemoryBackends
func (s *Server) SetMemoryBackends(registry *agentruntime.PersistentMemoryBackendRegistry)
SetMemoryBackends configures the registry used to serve memory entry queries.
func (*Server) UIBasePath
UIBasePath returns the normalized base path for the web console.
type ServerOptions
type ServerOptions struct {
    Authorizer         RequestAuthorizer
    ResourceAuthorizer ResourceAuthorizer // optional authorization hook
    Extensions         agentruntime.Extensions
    AuthMode           AuthMode
    SessionTTL         time.Duration
    UIBasePath         string // URL path prefix for the web console (default "/")
}
ServerOptions configures optional extension points.
type Stores
type Stores struct {
    Agents        *store.AgentStore
    AgentSystems  *store.AgentSystemStore
    ModelEPs      *store.ModelEndpointStore
    Tools         *store.ToolStore
    Secrets       *store.SecretStore
    Memories      *store.MemoryStore
    Policies      *store.AgentPolicyStore
    AgentRoles    *store.AgentRoleStore
    ToolPerms     *store.ToolPermissionStore
    ToolApprovals *store.ToolApprovalStore
    Tasks         *store.TaskStore
    TaskSchedules *store.TaskScheduleStore
    TaskWebhooks  *store.TaskWebhookStore
    WebhookDedupe *store.WebhookDedupeStore
    Workers       *store.WorkerStore
    McpServers    *store.McpServerStore
    LocalAdmins   *store.LocalAdminStore
    APITokens     *store.APITokenStore
    AuthSessions  *store.AuthSessionStore
}
Stores groups typed state stores used by the API server.