Documentation
¶
Index ¶
- Constants
- type A2AConfig
- type AuthIdentity
- type AuthMode
- type IdentityAuthorizer
- type RequestAuthorizer
- type ResourceAuthorizer
- type Server
- func (s *Server) EventBus() eventbus.Bus
- func (s *Server) Handler() http.Handler
- func (s *Server) SetA2AConfig(config *A2AConfig)
- func (s *Server) SetEventBus(bus eventbus.Bus)
- func (s *Server) SetMemoryBackends(registry *agentruntime.PersistentMemoryBackendRegistry)
- func (s *Server) UIBasePath() string
- type ServerOptions
- type Stores
Constants ¶
const ( CRDConflictOff = "off" CRDConflictWarn = "warn" CRDConflictReject = "reject" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type A2AConfig ¶ added in v0.17.0
type A2AConfig struct {
PublicBaseURL string
ProtocolVersion string
StreamingEnabled bool
AuthSchemes []string
Registry *a2a.Registry
RateLimitRPM int
MaxConcurrentSubscribe int
}
A2AConfig holds server-side A2A configuration.
type AuthIdentity ¶
type AuthIdentity struct {
Name string // token name (bearer) or username (session)
Role string
Method string // "bearer", "session", "none"
A2AAgentSystems []string
AuthDisabled bool // true when no auth is configured instance-wide
}
AuthIdentity carries the authenticated caller's identity through the request context for audit logging and downstream authorization.
func AuthIdentityFromRequest ¶
func AuthIdentityFromRequest(r *http.Request) (AuthIdentity, bool)
AuthIdentityFromRequest extracts the authenticated identity from the request context, if present.
type IdentityAuthorizer ¶ added in v0.4.0
type IdentityAuthorizer interface {
RequestAuthorizer
AuthorizeWithIdentity(r *http.Request, requiredRole string) (allowed bool, statusCode int, message string, identity AuthIdentity)
}
IdentityAuthorizer is an optional extension implemented by authorizers that can also return the authenticated principal identity.
type RequestAuthorizer ¶
type RequestAuthorizer interface {
Authorize(r *http.Request, requiredRole string) (allowed bool, statusCode int, message string)
}
RequestAuthorizer evaluates API authorization for one request+required role.
func NewAPIKeyAuthorizer ¶
func NewAPIKeyAuthorizer(key string) RequestAuthorizer
NewAPIKeyAuthorizer returns an authorizer that validates a single API key as an admin bearer token. When key is empty, auth is disabled (all requests pass). This is intended for the --api-key CLI flag.
type ResourceAuthorizer ¶
type ResourceAuthorizer interface {
AuthorizeResource(r *http.Request, method, resourceType, namespace, name string) (allowed bool, statusCode int, message string)
}
ResourceAuthorizer is an optional extension point for fine-grained access control beyond the built-in role check. A custom authorization layer can implement this interface to enforce per-namespace, per-resource-type, or per-user policies. Nil by default (all access permitted after the role check passes).
The method, resourceType, namespace, and name describe the operation. resourceType is the API resource kind (e.g. "Agent", "Secret", "Task"). The namespace and name may be empty for list/create operations.
Returning (true, 0, "") allows the request. Returning (false, statusCode, message) rejects it.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server exposes CRUD endpoints for control plane resources.
func NewServerWithOptions ¶
func NewServerWithOptions(stores Stores, runtime *agentruntime.Manager, logger *log.Logger, opts ServerOptions) *Server
func (*Server) SetA2AConfig ¶ added in v0.17.0
SetA2AConfig configures A2A protocol support on this server.
func (*Server) SetEventBus ¶
func (*Server) SetMemoryBackends ¶
func (s *Server) SetMemoryBackends(registry *agentruntime.PersistentMemoryBackendRegistry)
SetMemoryBackends configures the registry used to serve memory entry queries.
func (*Server) UIBasePath ¶
UIBasePath returns the normalized base path for the web console.
type ServerOptions ¶
type ServerOptions struct {
Authorizer RequestAuthorizer
ResourceAuthorizer ResourceAuthorizer // optional authorization hook
Extensions agentruntime.Extensions
AuthMode AuthMode
SessionTTL time.Duration
UIBasePath string // URL path prefix for the web console (default "/")
TrustedProxies string // comma-separated CIDRs whose forwarding headers are trusted
ContainerResourceCeiling resources.ContainerResourceCeiling
CRDConflictPolicy string // "off", "warn" (default), or "reject"
}
ServerOptions configures optional extension points.
type Stores ¶
type Stores struct {
Agents *store.AgentStore
AgentSystems *store.AgentSystemStore
ModelEPs *store.ModelEndpointStore
Tools *store.ToolStore
Secrets *store.SecretStore
SealedSecrets *store.SealedSecretStore
SealingKeys *store.SealingKeyStore
Memories *store.MemoryStore
ContextAdapters *store.ContextAdapterStore
Policies *store.AgentPolicyStore
AgentRoles *store.AgentRoleStore
ToolPerms *store.ToolPermissionStore
ToolApprovals *store.ToolApprovalStore
TaskApprovals *store.TaskApprovalStore
Tasks *store.TaskStore
TaskSchedules *store.TaskScheduleStore
TaskWebhooks *store.TaskWebhookStore
WebhookDedupe *store.WebhookDedupeStore
Workers *store.WorkerStore
McpServers *store.McpServerStore
EvalDatasets *store.EvalDatasetStore
EvalRuns *store.EvalRunStore
LocalAdmins *store.LocalAdminStore
APITokens *store.APITokenStore
AuthSessions *store.AuthSessionStore
}
Stores groups typed state stores used by the API server.
Source Files
¶
- a2a.go
- auth_admin_handlers.go
- auth_context.go
- auth_handlers.go
- auth_mode.go
- auth_native_authorizer.go
- auth_ratelimit.go
- authz.go
- context_adapters.go
- cors.go
- crd_conflict.go
- eval_api.go
- events.go
- filters.go
- namespace.go
- preconditions.go
- sealed_secret_api.go
- server.go
- status_updates.go
- task_observability.go
- task_webhook_api.go
- watch.go