Documentation
Index ¶
- Variables
- func ValidateKeyInput(name string, scopes []string) error
- type APIKeyRecord
- type Deps
- type KeyStore
- func (ks *KeyStore) Create(ctx context.Context, name string, scopes []string) (APIKeyRecord, string, error)
- func (ks *KeyStore) Delete(ctx context.Context, id string) error
- func (ks *KeyStore) FindActiveByHash(ctx context.Context, tokenHash string) (*storedKey, error)
- func (ks *KeyStore) HasActiveKey(ctx context.Context) (bool, error)
- func (ks *KeyStore) List(ctx context.Context) ([]APIKeyRecord, error)
- func (ks *KeyStore) Revoke(ctx context.Context, id string) error
- func (ks *KeyStore) Rotate(ctx context.Context, id string) (APIKeyRecord, string, error)
- func (ks *KeyStore) TouchLastUsed(ctx context.Context, id string)
- type OIDCProvider
- type Server
- type Session
- type SessionManager
Constants ¶
This section is empty.
Variables ¶
var ValidScopes = map[string]struct{}{
	"admin":            {},
	"chat":             {},
	"sessions:read":    {},
	"costs:read":       {},
	"agents:read":      {},
	"agents:write":     {},
	"skills:read":      {},
	"skills:write":     {},
	"schedules:read":   {},
	"schedules:write":  {},
	"approvals:read":   {},
	"approvals:write":  {},
	"tools:read":       {},
	"tools:write":      {},
	"browser:read":     {},
	"browser:write":    {},
	"kv:read":          {},
	"kv:write":         {},
	"health":           {},
}
ValidScopes is the set of scope values accepted by the key management system. Exported so the CLI can share the same allowlist.
Functions ¶
func ValidateKeyInput ¶ added in v0.1.0
ValidateKeyInput checks that name is within the length limit and every scope is in the ValidScopes allowlist. Returns a user-facing error on failure.
Types ¶
type APIKeyRecord ¶
type APIKeyRecord struct {
	ID         string     `json:"id"`
	Name       string     `json:"name"`
	Scopes     []string   `json:"scopes"`
	CreatedAt  time.Time  `json:"created_at"`
	LastUsedAt *time.Time `json:"last_used_at,omitempty"`
	Revoked    bool       `json:"revoked"`
}
APIKeyRecord is the public representation returned by the API (no hash exposed).
type Deps ¶
type Deps struct {
	Dispatcher      *agent.Dispatcher
	Scheduler       *scheduler.Scheduler
	CostTracker     *llm.CostTracker
	Memory          agent.MemoryStore
	Config          *config.Config
	Approvals       *approval.Manager       // nil = approval endpoints return 503
	LifecycleMgr    *tool.LifecycleManager  // nil = tool CRUD endpoints return 503
	BrowserProfiles *browser.ProfileService // nil = browser endpoints return 503
	WebHandler      http.Handler            // nil = no web dashboard served
	MetricsHandler  http.Handler            // nil = no /metrics endpoint
	KeyStore        *KeyStore               // nil = API key CRUD endpoints return 503
	KVStore         kv.Store                // nil = KV endpoints return 503
	ConfigPath      string                  // TOML config path for schedule persistence
	Sessions        *SessionManager         // nil = no session-based auth
	OIDCProvider    *OIDCProvider           // nil = no OIDC endpoints
	PasswordHash    string                  // bcrypt hash for password login
}
Deps holds the application dependencies the API server needs to serve data.
type KeyStore ¶
type KeyStore struct {
// contains filtered or unexported fields
}
KeyStore manages API keys persisted in SQLite.
func NewInMemoryKeyStore ¶
NewInMemoryKeyStore creates a KeyStore backed by an in-memory SQLite database. Intended for tests.
func NewKeyStore ¶
NewKeyStore opens (or creates) a SQLite DB at dbPath and applies the key schema. WAL mode is used so it can coexist with other connections to the same file.
func (*KeyStore) Create ¶
func (ks *KeyStore) Create(ctx context.Context, name string, scopes []string) (APIKeyRecord, string, error)
Create inserts a new API key. Returns the record and plaintext key (shown once).
func (*KeyStore) Delete ¶ added in v0.1.0
Delete permanently removes a revoked key from the store. Returns an error if the key does not exist or is still active (not revoked).
func (*KeyStore) FindActiveByHash ¶
FindActiveByHash returns the matching active key row for a given token hash, or nil if not found.
func (*KeyStore) HasActiveKey ¶ added in v0.1.0
HasActiveKey reports whether at least one non-revoked key exists in the store.
func (*KeyStore) List ¶
func (ks *KeyStore) List(ctx context.Context) ([]APIKeyRecord, error)
List returns all key records ordered by creation date descending.
func (*KeyStore) Revoke ¶
Revoke marks a key as revoked. Returns an error if the key does not exist or is already revoked.
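The lifecycle described above (plaintext returned once by Create, lookup by hash only, Revoke required before Delete) as an added example written for this page; it is not the project's code. A map-backed store stands in for the SQLite-backed KeyStore, and the "ak_" token prefix, the ID length and the MemKeyStore name are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// storedKey is the at-rest row: only the SHA-256 of the token is kept.
type storedKey struct {
	ID, Name, TokenHash string
	Scopes              []string
	CreatedAt           time.Time
	Revoked             bool
}

// MemKeyStore is a map-backed stand-in for the package's SQLite-backed KeyStore.
type MemKeyStore struct {
	mu   sync.Mutex
	keys map[string]*storedKey // keyed by ID
}

func NewMemKeyStore() *MemKeyStore { return &MemKeyStore{keys: map[string]*storedKey{}} }

// HashToken: plain SHA-256 suffices because the token is 256 bits of CSPRNG output, not a password.
func HashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Create stores only the hash and returns the plaintext token exactly once.
// The "ak_" prefix is an assumption of this example, not the project's format.
func (s *MemKeyStore) Create(name string, scopes []string) (*storedKey, string) {
	token := "ak_" + randomURLSafe(32)
	rec := &storedKey{ID: randomURLSafe(9), Name: name, Scopes: scopes, TokenHash: HashToken(token), CreatedAt: time.Now()}
	s.mu.Lock()
	s.keys[rec.ID] = rec
	s.mu.Unlock()
	return rec, token
}

// FindActiveByHash returns the non-revoked key with this hash, or nil.
func (s *MemKeyStore) FindActiveByHash(tokenHash string) *storedKey {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, k := range s.keys {
		if !k.Revoked && k.TokenHash == tokenHash {
			return k
		}
	}
	return nil
}

// Revoke disables a key but keeps the row so its ID and name stay auditable.
func (s *MemKeyStore) Revoke(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[id]
	if !ok {
		return errors.New("key not found")
	}
	if k.Revoked {
		return errors.New("key already revoked")
	}
	k.Revoked = true
	return nil
}

// Delete refuses active keys: removing a credential must go through Revoke first.
func (s *MemKeyStore) Delete(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[id]
	if !ok {
		return errors.New("key not found")
	}
	if !k.Revoked {
		return errors.New("key is still active; revoke it first")
	}
	delete(s.keys, id)
	return nil
}

func main() {
	s := NewMemKeyStore()
	rec, token := s.Create("ci-bot", []string{"sessions:read"})
	fmt.Println("plaintext, shown once:", token, "| active:", s.FindActiveByHash(HashToken(token)) != nil)
	fmt.Println("delete while active:", s.Delete(rec.ID), "| revoke:", s.Revoke(rec.ID), "| delete after revoke:", s.Delete(rec.ID))
}
```

The property worth checking in a real store is that FindActiveByHash is the only read path that takes anything derived from the token: a copy of the database then yields nothing a caller could present, because the plaintext existed only in the response that returned it. The map version scans every row; a SQLite table would index the hash column instead.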
type OIDCProvider ¶ added in v0.12.0
type OIDCProvider struct {
// contains filtered or unexported fields
}
OIDCProvider wraps the OIDC discovery provider and OAuth2 config.
func NewOIDCProvider ¶ added in v0.12.0
func NewOIDCProvider(ctx context.Context, issuer, clientID, clientSecret, redirectURL string, scopes, allowedEmails []string, sessions *SessionManager, logger *slog.Logger) (*OIDCProvider, error)
NewOIDCProvider creates an OIDCProvider by performing OIDC discovery.
func (*OIDCProvider) HandleCallback ¶ added in v0.12.0
func (op *OIDCProvider) HandleCallback(w http.ResponseWriter, r *http.Request)
HandleCallback completes the OIDC authorization code flow.
func (*OIDCProvider) HandleLogin ¶ added in v0.12.0
func (op *OIDCProvider) HandleLogin(w http.ResponseWriter, r *http.Request)
HandleLogin starts the OIDC authorization code flow with PKCE and nonce.
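What HandleLogin and HandleCallback have to keep between them for PKCE and the nonce to mean anything, as an added example written for this page and not taken from the package: the code_verifier and nonce are stored server-side under the state value, the S256 challenge goes into the authorization URL, and the callback consumes the state exactly once. Token exchange and ID-token signature verification are outside this example; the endpoint URLs, client ID, and the five-minute expiry are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"sync"
	"time"
)

// pendingLogin is what the server must remember between HandleLogin and
// HandleCallback, keyed by the opaque state parameter.
type pendingLogin struct {
	Verifier string    // PKCE code_verifier; only ever sent in the token request
	Nonce    string    // must reappear as the "nonce" claim of the ID token
	Expires  time.Time // abandoned logins are dropped after this
}

type flowStore struct {
	mu      sync.Mutex
	pending map[string]pendingLogin
}

func newFlowStore() *flowStore { return &flowStore{pending: map[string]pendingLogin{}} }

func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// CodeChallenge is the S256 method of RFC 7636 section 4.2:
// BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BeginLogin records a fresh verifier and nonce under a new state and returns
// the authorization URL to redirect to. authzEndpoint comes from OIDC discovery.
func (fs *flowStore) BeginLogin(authzEndpoint, clientID, redirectURL string, scopes []string) (authURL, state string) {
	state = randomURLSafe(16)
	verifier := randomURLSafe(32) // 43 chars, inside RFC 7636's 43..128 range
	nonce := randomURLSafe(16)
	fs.mu.Lock()
	fs.pending[state] = pendingLogin{Verifier: verifier, Nonce: nonce, Expires: time.Now().Add(5 * time.Minute)}
	fs.mu.Unlock()
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURL},
		"scope": {strings.Join(scopes, " ")}, "state": {state}, "nonce": {nonce},
		"code_challenge": {CodeChallenge(verifier)}, "code_challenge_method": {"S256"},
	}
	return authzEndpoint + "?" + q.Encode(), state
}

// ConsumeCallback validates the state echoed back by the provider and returns
// the verifier (sent with the code in the token request) and the nonce (to be
// compared with the ID token). The entry is removed on first use, so a state
// captured from a redirect cannot be replayed.
func (fs *flowStore) ConsumeCallback(state string) (verifier, nonce string, err error) {
	fs.mu.Lock()
	defer fs.mu.Unlock()
	p, ok := fs.pending[state]
	delete(fs.pending, state)
	if !ok {
		return "", "", errors.New("unknown or already used state")
	}
	if time.Now().After(p.Expires) {
		return "", "", errors.New("login attempt expired")
	}
	return p.Verifier, p.Nonce, nil
}

// CheckNonce is the last step after the ID token's signature has been verified:
// the nonce claim must be the one minted for this login, otherwise the token
// could have been issued for a different, attacker-initiated session.
func CheckNonce(expected, claim string) error {
	if claim == "" || subtle.ConstantTimeCompare([]byte(expected), []byte(claim)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}

func main() {
	fs := newFlowStore()
	authURL, state := fs.BeginLogin("https://issuer.example/authorize", "dashboard", "https://app.example/auth/callback", []string{"openid", "email"})
	fmt.Println(authURL)
	verifier, nonce, err := fs.ConsumeCallback(state)
	fmt.Println(CodeChallenge(verifier), nonce, err)
}
```

State binds the callback to a browser that actually started a login, the verifier proves to the token endpoint that the same party that started the flow is finishing it, and the nonce binds the resulting ID token to this login; dropping any one of the three re-opens a different attack.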
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the external REST API server.
func (*Server) HTTPHandler ¶ added in v0.11.0
HTTPHandler returns the server's HTTP handler for use in tests.
func (*Server) RequireScope ¶
func (s *Server) RequireScope(scope string, next http.HandlerFunc) http.HandlerFunc
RequireScope returns middleware that checks for a valid API key with the required scope. Use this to wrap individual route handlers.
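How such a middleware fits together, as an added example written for this page rather than the package's own implementation: it extracts a bearer token, hashes it, resolves the hash through an injected lookup (standing in for KeyStore.FindActiveByHash), and separates 401 (no usable key) from 403 (valid key, wrong scope). The Authorization header format, the /v1/sessions path, the fixture token "ak_reader" and the exact-match scope rule are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// lookupFunc resolves a token hash to the key's scopes; ok is false for unknown
// and revoked keys alike. A real server backs this with KeyStore.FindActiveByHash.
type lookupFunc func(tokenHash string) (scopes []string, ok bool)

type Server struct{ lookup lookupFunc }

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// hasScope is an exact match against the key's scope list. Whether "admin"
// implies other scopes is not documented by the package, so nothing is implied here.
func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// RequireScope runs next only for a request carrying a valid key with scope.
// 401 for a missing or invalid key, 403 for a valid key lacking the scope.
func (s *Server) RequireScope(scope string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer " // the scheme name is case-insensitive (RFC 7235)
		auth := r.Header.Get("Authorization")
		if len(auth) <= len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		// Hash before lookup: the plaintext token is never compared or stored.
		scopes, ok := s.lookup(hashToken(strings.TrimSpace(auth[len(prefix):])))
		if !ok {
			// Same response for unknown and revoked keys, so callers cannot tell which it was.
			http.Error(w, "invalid api key", http.StatusUnauthorized)
			return
		}
		if !hasScope(scopes, scope) {
			http.Error(w, "insufficient scope", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// probe sends one request through RequireScope and returns the status code.
func probe(srv *Server, token, scope string) int {
	h := srv.RequireScope(scope, func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	req := httptest.NewRequest(http.MethodGet, "/v1/sessions", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code
}

// newDemoServer holds a constructed fixture: one key, stored as its hash only.
// The token value "ak_reader" is made up for this example.
func newDemoServer() *Server {
	table := map[string][]string{hashToken("ak_reader"): {"sessions:read", "costs:read"}}
	return &Server{lookup: func(h string) ([]string, bool) {
		sc, ok := table[h]
		return sc, ok
	}}
}

func main() {
	srv := newDemoServer()
	fmt.Println(probe(srv, "", "sessions:read"))          // 401
	fmt.Println(probe(srv, "ak_reader", "sessions:read")) // 204
	fmt.Println(probe(srv, "ak_reader", "agents:write"))  // 403
	fmt.Println(probe(srv, "ak_nope", "sessions:read"))   // 401
}
```

Wrapping each handler individually, as the doc comment suggests, means a route that is never wrapped is simply open; a test that walks every registered route and sends an unauthenticated request is the cheapest way to catch that.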
type Session ¶ added in v0.12.0
type Session struct {
	Email     string   `json:"email"`
	Scopes    []string `json:"scopes"`
	ExpiresAt int64    `json:"exp"` // Unix timestamp
}
Session represents a dashboard login session stored in an encrypted cookie.
type SessionManager ¶ added in v0.12.0
type SessionManager struct {
// contains filtered or unexported fields
}
SessionManager handles AES-256-GCM encrypted session cookies.
func NewSessionManager ¶ added in v0.12.0
NewSessionManager creates a SessionManager from a hex-encoded AES key that decodes to at least 32 bytes (AES-256 uses a 32-byte key). Generate it with a CSPRNG, for example openssl rand -hex 32; anyone who can guess or read the key can forge sessions.
func (*SessionManager) Clear ¶ added in v0.12.0
func (sm *SessionManager) Clear(w http.ResponseWriter)
Clear removes the session cookie.
func (*SessionManager) Create ¶ added in v0.12.0
func (sm *SessionManager) Create(w http.ResponseWriter, s Session) error
Create encrypts the session and sets it as an HttpOnly cookie.
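An added example of the cookie construction the methods above describe, written for this page and not the package's code: AES-256-GCM with a fresh random nonce per cookie, the cookie name bound as associated data, the tag checked before any JSON is parsed, and an expiry check on exp. The cookie name "session", the constructed demo key, and the Secure and SameSite attributes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

type Session struct {
	Email     string   `json:"email"`
	Scopes    []string `json:"scopes"`
	ExpiresAt int64    `json:"exp"` // Unix timestamp
}

const cookieName = "session" // assumed; the package does not document the cookie name

// demoKeyHex is a constructed 32-byte key for this example only; generate a real one with: openssl rand -hex 32
const demoKeyHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"

type SessionManager struct{ aead cipher.AEAD }

// NewSessionManager accepts a hex-encoded key. AES-256 needs exactly 32 bytes;
// anything else is rejected instead of being truncated or padded.
func NewSessionManager(hexKey string) (*SessionManager, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("session key is not hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("session key must decode to 32 bytes, got %d", len(key))
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length was checked above
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM requires
	return &SessionManager{aead: aead}, nil
}

// seal produces base64url(nonce || ciphertext || tag). The nonce is random per
// cookie; reusing a GCM nonce under one key breaks both secrecy and the tag.
func (sm *SessionManager) seal(s Session) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, sm.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The cookie name is associated data: the ciphertext will not authenticate under another cookie name.
	sealed := sm.aead.Seal(nonce, nonce, plain, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// open reverses seal: tampering fails the tag check before JSON parsing, and an expired session is rejected.
func (sm *SessionManager) open(value string) (Session, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	ns := sm.aead.NonceSize()
	if err != nil || len(raw) < ns+sm.aead.Overhead() {
		return Session{}, errors.New("malformed session cookie")
	}
	plain, err := sm.aead.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
	if err != nil {
		return Session{}, errors.New("session cookie failed authentication")
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return Session{}, err
	}
	if time.Now().Unix() >= s.ExpiresAt {
		return Session{}, errors.New("session expired")
	}
	return s, nil
}

// Create encrypts the session and sets it as an HttpOnly cookie. Secure and
// SameSite=Lax are this example's additions; the package documents only HttpOnly.
func (sm *SessionManager) Create(w http.ResponseWriter, s Session) error {
	v, err := sm.seal(s)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: v, Path: "/", HttpOnly: true,
		Secure: true, SameSite: http.SameSiteLaxMode, Expires: time.Unix(s.ExpiresAt, 0)})
	return nil
}

func main() {
	sm, _ := NewSessionManager(demoKeyHex)
	rr := httptest.NewRecorder()
	_ = sm.Create(rr, Session{Email: "ops@example.test", Scopes: []string{"admin"}, ExpiresAt: time.Now().Add(time.Hour).Unix()})
	fmt.Println(sm.open(rr.Result().Cookies()[0].Value))
}
```

Because the scopes live inside the cookie, the expiry inside the ciphertext is the only thing that ends a session short of rotating the key: Clear removes the cookie from one browser, but a copy taken earlier stays valid until exp. Keep sessions short or add a server-side revocation list if that matters for the deployment.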