client

package
v0.22.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 28, 2026 License: MIT Imports: 41 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrGroupRoleAssignmentNotFound is returned when a group role assignment is not found.
	ErrGroupRoleAssignmentNotFound = errors.New("group role assignment not found")
)

Functions

func ParseAPIKey added in v0.16.0 

func ParseAPIKey(key string) (prefix string, userID uint, keyID uint, secret string, err error)

ParseAPIKey parses an API key string and extracts its components. Returns prefix, userID, keyID, secret, and an error if the format is invalid.

Types

type AlreadyExistsError added in v0.5.0 

type AlreadyExistsError struct {
	// contains filtered or unexported fields
}

func (*AlreadyExistsError) Error added in v0.5.0 

func (e *AlreadyExistsError) Error() string

type Client 

type Client struct {
	// contains filtered or unexported fields
}

func New 

func New(ctx context.Context, db *db.DB, storageClient kclient.Client, encryptionConfig *encryptionconfig.EncryptionConfiguration, ownerEmails, adminEmails []string, auditLogPersistenceInterval time.Duration, auditLogBatchSize, auditLogRetentionDays int) *Client

func (*Client) ActiveUsersByDate added in v0.7.1 

func (c *Client) ActiveUsersByDate(ctx context.Context, start, end time.Time) ([]types.User, error)

func (*Client) ActivitiesByUser added in v0.7.1 

func (c *Client) ActivitiesByUser(ctx context.Context, userID string, start, end time.Time) ([]types.APIActivity, error)

func (*Client) AddActivityForToday added in v0.7.1 

func (c *Client) AddActivityForToday(ctx context.Context, userID string) error

func (*Client) CleanupExpiredMCPOAuthPendingStates added in v0.17.0 

func (c *Client) CleanupExpiredMCPOAuthPendingStates(ctx context.Context, olderThan time.Duration) error

func (*Client) ClearTempUserCache added in v0.13.0 

func (c *Client) ClearTempUserCache(ctx context.Context) error

ClearTempUserCache removes all cached temporary users from the database.

func (*Client) Close 

func (c *Client) Close() error

func (*Client) CreateAPIKey added in v0.16.0 

func (c *Client) CreateAPIKey(ctx context.Context, userID uint, name, description string, expiresAt *time.Time, mcpServerIDs []string, canAccessSkills bool) (*types.APIKeyCreateResponse, error)

CreateAPIKey generates a new API key for the given user. Returns the full key only once in the response.

func (*Client) CreateGroupRoleAssignment added in v0.15.0 

func (c *Client) CreateGroupRoleAssignment(ctx context.Context, groupName string, role types2.Role, description string) (*types.GroupRoleAssignment, error)

CreateGroupRoleAssignment creates a new group role assignment.

func (*Client) CreateImage added in v0.7.0 

func (c *Client) CreateImage(ctx context.Context, data []byte, mimeType string) (*types.Image, error)

CreateImage stores a new image in the database

func (*Client) CreateMCPOAuthPendingState added in v0.17.0 

func (c *Client) CreateMCPOAuthPendingState(ctx context.Context, userID, mcpID, mcpURL, oauthAuthRequestID, state, verifier string, oauthConf *oauth2.Config) error

func (*Client) CreateRunState added in v0.7.0 

func (c *Client) CreateRunState(ctx context.Context, runState *types.RunState) error

func (*Client) CreateServiceAccountAPIKey added in v0.21.0 

func (c *Client) CreateServiceAccountAPIKey(ctx context.Context, serviceAccountName string, now time.Time) (*types.ServiceAccountAPIKey, error)

func (*Client) CreateTokenRequest added in v0.13.0 

func (c *Client) CreateTokenRequest(ctx context.Context, tr *types.TokenRequest) error

CreateTokenRequest creates a new token request in the database.

func (*Client) DeleteAPIKey added in v0.16.0 

func (c *Client) DeleteAPIKey(ctx context.Context, userID uint, keyID uint) error

DeleteAPIKey removes an API key.

func (*Client) DeleteAPIKeyByID added in v0.16.0 

func (c *Client) DeleteAPIKeyByID(ctx context.Context, keyID uint) error

DeleteAPIKeyByID removes an API key by ID without user filtering (for admin use).

func (*Client) DeleteAllServiceAccountAPIKeys added in v0.21.0 

func (c *Client) DeleteAllServiceAccountAPIKeys(ctx context.Context, serviceAccountName string) error

func (*Client) DeleteDeviceScan added in v0.22.0 

func (c *Client) DeleteDeviceScan(ctx context.Context, id uint) error

DeleteDeviceScan removes a scan and its child rows. Idempotent: returns nil when no scan with that id exists.

func (*Client) DeleteExpiredServiceAccountAPIKeys added in v0.21.0 

func (c *Client) DeleteExpiredServiceAccountAPIKeys(ctx context.Context, serviceAccountName string, now time.Time) error

func (*Client) DeleteGroupRoleAssignment added in v0.15.0 

func (c *Client) DeleteGroupRoleAssignment(ctx context.Context, groupName string) error

DeleteGroupRoleAssignment deletes a group role assignment by group name.

func (*Client) DeleteImage added in v0.7.0 

func (c *Client) DeleteImage(ctx context.Context, id string) error

DeleteImage removes an image from the database

func (*Client) DeleteMCPOAuthPendingState added in v0.17.0 

func (c *Client) DeleteMCPOAuthPendingState(ctx context.Context, hashedState string) error

func (*Client) DeleteMCPOAuthTokenForAllUsers added in v0.8.0 

func (c *Client) DeleteMCPOAuthTokenForAllUsers(ctx context.Context, mcpID string) error

func (*Client) DeleteMCPOAuthTokenForURL added in v0.15.0 

func (c *Client) DeleteMCPOAuthTokenForURL(ctx context.Context, userID, mcpID, mcpURL string) error

func (*Client) DeleteMCPOAuthTokens added in v0.15.0 

func (c *Client) DeleteMCPOAuthTokens(ctx context.Context, userID, mcpID string) error

func (*Client) DeleteRunState added in v0.7.0 

func (c *Client) DeleteRunState(ctx context.Context, namespace, name string) error

func (*Client) DeleteServiceAccountAPIKeyByID added in v0.21.0 

func (c *Client) DeleteServiceAccountAPIKeyByID(ctx context.Context, id uint) error

func (*Client) DeleteSessionsForUser added in v0.8.0 

func (c *Client) DeleteSessionsForUser(ctx context.Context, storageClient kclient.Client, identities []types.Identity, sessionID string) error

func (*Client) DeleteUser added in v0.5.0 

func (c *Client) DeleteUser(ctx context.Context, userID string) (*types.User, error)

func (*Client) EncryptIdentities added in v0.8.0 

func (c *Client) EncryptIdentities(ctx context.Context, force bool) error

EncryptIdentities will pull all identities out of the database and ensure they are encrypted.

func (*Client) EncryptUsers added in v0.13.0 

func (c *Client) EncryptUsers(ctx context.Context, force bool) error

EncryptUsers will pull all users out of the database and ensure they are encrypted.

func (*Client) EnsureIdentity 

func (c *Client) EnsureIdentity(ctx context.Context, id *types.Identity, timezone string) (*types.User, error)

EnsureIdentity ensures that the given identity exists in the database, and returns the user associated with it.

func (*Client) EnsureIdentityWithRole added in v0.5.0 

func (c *Client) EnsureIdentityWithRole(ctx context.Context, id *types.Identity, timezone string, role types2.Role) (*types.User, error)

EnsureIdentityWithRole ensures the given identity exists in the database with the at least the given role, and returns the user associated with it. If the user already exists with a superset of the given role, it will not be updated.

func (*Client) FindIdentitiesForUser added in v0.8.0 

func (c *Client) FindIdentitiesForUser(ctx context.Context, userID uint) ([]types.Identity, error)

FindIdentitiesForUser finds all identities for the given user.

func (*Client) GetAPIKey added in v0.16.0 

func (c *Client) GetAPIKey(ctx context.Context, userID uint, keyID uint) (*types.APIKey, error)

GetAPIKey retrieves a single API key by ID.

func (*Client) GetAPIKeyByID added in v0.16.0 

func (c *Client) GetAPIKeyByID(ctx context.Context, keyID uint) (*types.APIKey, error)

GetAPIKeyByID retrieves an API key by ID without user filtering (for admin use).

func (*Client) GetAuditLogFilterOptions added in v0.8.0 

func (c *Client) GetAuditLogFilterOptions(ctx context.Context, option string, opts MCPAuditLogOptions, exclude ...any) ([]string, error)

func (*Client) GetDeviceClientFleetSummary added in v0.22.0 

func (c *Client) GetDeviceClientFleetSummary(ctx context.Context, name string) (*DeviceClientFleetSummary, error)

GetDeviceClientFleetSummary returns the aggregate for a single client name, or gorm.ErrRecordNotFound when that name never appears on any device's latest scan.

func (*Client) GetDeviceScan added in v0.22.0 

func (c *Client) GetDeviceScan(ctx context.Context, id uint) (*types.DeviceScan, error)

GetDeviceScan loads a single scan with all children preloaded.

func (*Client) GetDeviceScanStats added in v0.22.0 

func (c *Client) GetDeviceScanStats(ctx context.Context, opts DeviceScanStatsOptions) (*DeviceScanStatsResult, error)

GetDeviceScanStats returns the dashboard rollup for a window: the distinct device count and three ranked breakdowns (clients, MCP servers, skills) computed over each device's latest scan in the window. Returns every group; the caller picks any top-N.

func (*Client) GetExplicitRoleEmails added in v0.13.0 

func (c *Client) GetExplicitRoleEmails() map[string]types2.Role

GetExplicitRoleEmails returns a copy of all emails with explicit roles. Used by setup endpoints to list Owner and Admin emails.

func (*Client) GetGroupRoleAssignment added in v0.15.0 

func (c *Client) GetGroupRoleAssignment(ctx context.Context, groupName string) (*types.GroupRoleAssignment, error)

GetGroupRoleAssignment returns a specific group role assignment by group name.

func (*Client) GetGroupRoleAssignmentsForGroups added in v0.15.0 

func (c *Client) GetGroupRoleAssignmentsForGroups(ctx context.Context, groupNames []string) ([]types.GroupRoleAssignment, error)

GetGroupRoleAssignmentsForGroups retrieves all role assignments for the given group names. This is used during role resolution to find all roles assigned to a user's groups.

func (*Client) GetImage added in v0.7.0 

func (c *Client) GetImage(ctx context.Context, id string) (*types.Image, error)

GetImage retrieves an image by its ID

func (*Client) GetMCPAuditLog added in v0.15.1 

func (c *Client) GetMCPAuditLog(ctx context.Context, id uint, withRequestAndResponse bool) (*types.MCPAuditLog, error)

GetMCPAuditLog retrieves a single MCP audit log by ID

func (*Client) GetMCPAuditLogs added in v0.8.0 

func (c *Client) GetMCPAuditLogs(ctx context.Context, opts MCPAuditLogOptions) ([]types.MCPAuditLog, int64, error)

GetMCPAuditLogs retrieves MCP audit logs with optional filters

func (*Client) GetMCPOAuthPendingState added in v0.17.0 

func (c *Client) GetMCPOAuthPendingState(ctx context.Context, state string) (*types.MCPOAuthPendingState, error)

func (*Client) GetMCPOAuthToken added in v0.8.0 

func (c *Client) GetMCPOAuthToken(ctx context.Context, userID, mcpID, url string) (*types.MCPOAuthToken, error)

func (*Client) GetMCPServerDetail added in v0.22.0 

func (c *Client) GetMCPServerDetail(ctx context.Context, configHash string) (*types.MCPServerDetail, error)

GetMCPServerDetail returns the aggregated row keyed by config_hash plus the union of EnvKeys / HeaderKeys observed across the canonical rows. The aggregation is unbounded (all-time, all latest scans per device). Args is pulled from a canonical row (constant within a hash group, but JSONB has no MAX() in Postgres so it can't be selected with the GROUP BY).

func (*Client) GetMCPUsageStats added in v0.8.0 

func (c *Client) GetMCPUsageStats(ctx context.Context, opts MCPUsageStatsOptions) (types.MCPUsageStatsList, error)

GetMCPUsageStats retrieves usage statistics for MCP servers

func (*Client) GetMessagePolicyViolation added in v0.19.0 

func (c *Client) GetMessagePolicyViolation(ctx context.Context, id uint) (*types.MessagePolicyViolation, error)

GetMessagePolicyViolation retrieves a single policy violation by ID and decrypts it.

func (*Client) GetMessagePolicyViolationFilterOptions added in v0.19.0 

func (c *Client) GetMessagePolicyViolationFilterOptions(ctx context.Context, option string, opts MessagePolicyViolationOptions) ([]string, error)

GetMessagePolicyViolationFilterOptions returns distinct values for a given filter field.

func (*Client) GetMessagePolicyViolationStats added in v0.19.0 

func (c *Client) GetMessagePolicyViolationStats(ctx context.Context, opts MessagePolicyViolationOptions) (*MessagePolicyViolationStats, error)

GetMessagePolicyViolationStats returns aggregated statistics for policy violations.

func (*Client) GetMessagePolicyViolations added in v0.19.0 

func (c *Client) GetMessagePolicyViolations(ctx context.Context, opts MessagePolicyViolationOptions) ([]types.MessagePolicyViolation, int64, error)

GetMessagePolicyViolations retrieves policy violations with optional filters.

func (*Client) GetProperty added in v0.13.0 

func (c *Client) GetProperty(ctx context.Context, key string) (types.Property, error)

func (*Client) GetSkillDetail added in v0.22.0 

func (c *Client) GetSkillDetail(ctx context.Context, name string) (*types.SkillDetail, error)

GetSkillDetail returns the full per-skill payload for the dashboard drill-down: aggregated counts plus representative Description / HasScripts / GitRemoteURL / Files from one canonical row in the latest-scan-per-device subset. The aggregation is unbounded (all-time, all latest scans per device), matching the per-hash MCP detail's semantics.

func (*Client) GetTempUserCache added in v0.13.0 

func (c *Client) GetTempUserCache(ctx context.Context) *types.TempSetupUser

GetTempUserCache retrieves the cached temporary user, if one exists. Returns nil if no user is cached.

func (*Client) GetUserGroupMemberships added in v0.15.0 

func (c *Client) GetUserGroupMemberships(ctx context.Context, userIDs []uint) (map[uint][]string, error)

GetUserGroupMemberships fetches group memberships for multiple users in a single query. Returns a map of userID to slice of groupIDs.

func (*Client) GetUsersInGroup added in v0.15.0 

func (c *Client) GetUsersInGroup(ctx context.Context, groupName string) ([]types.User, error)

GetUsersInGroup returns all users who are members of the given group. This is used to find users affected by GroupRoleAssignment changes.

func (*Client) HasExplicitRole added in v0.12.0 

func (c *Client) HasExplicitRole(email string) types2.Role

func (*Client) InsertDeviceScan added in v0.22.0 

func (c *Client) InsertDeviceScan(ctx context.Context, scan *types.DeviceScan) error

InsertDeviceScan persists a device scan envelope and all its children in a single GORM cascading insert. Each call creates a fresh row — duplicate submissions are not deduped at this layer.

func (*Client) InsertTokenUsage added in v0.8.0 

func (c *Client) InsertTokenUsage(ctx context.Context, activity *types.RunTokenActivity) error

func (*Client) ListAPIKeys added in v0.16.0 

func (c *Client) ListAPIKeys(ctx context.Context, userID uint) ([]types.APIKey, error)

ListAPIKeys returns all API keys for a user (without the secrets).

func (*Client) ListAllAPIKeys added in v0.16.0 

func (c *Client) ListAllAPIKeys(ctx context.Context) ([]types.APIKey, error)

ListAllAPIKeys returns all API keys in the system (for admin use).

func (*Client) ListAuthGroups added in v0.9.0 

func (c *Client) ListAuthGroups(ctx context.Context, authProviderURL, authProviderNamespace, authProviderName, nameFilter string) ([]types.Group, error)

ListAuthGroups lists the auth provider groups for the given auth provider.

It supports fuzzy finding group names using on the given nameFilter. It queries the auth provider for "live" group search from the auth provider, then combines the results with cached groups from the database. This allows admins to discover groups that authenticated users belong to for auth providers limited group search capabilities.

func (*Client) ListDeviceClientFleetSummaries added in v0.22.0 

func (c *Client) ListDeviceClientFleetSummaries(ctx context.Context, opts DeviceClientFleetListOptions) ([]DeviceClientFleetSummary, int64, error)

ListDeviceClientFleetSummaries returns one row per distinct client name observed in device_scan_clients on each device's all-time latest scan, paginated after applying the selected sort order. Each row lists distinct submitters, skills with metadata, and MCP servers (by config_hash) attributed to that client on those scans. Optional Name filters distinct names by case-insensitive substring match.

func (*Client) ListDeviceScans added in v0.22.0 

func (c *Client) ListDeviceScans(ctx context.Context, opts DeviceScanListOptions) ([]types.DeviceScan, int64, error)

ListDeviceScans returns scan envelopes ordered newest first. MCP servers, skills, and plugins are preloaded; files are not — DeviceScanFile.Content can be large and isn't needed for the list.

func (*Client) ListGroupIDsForUser added in v0.9.0 

func (c *Client) ListGroupIDsForUser(ctx context.Context, userID uint) ([]string, error)

ListGroupIDsForUser lists the group IDs that the given user is a member of. This can include groups from multiple auth providers.

func (*Client) ListGroupRoleAssignments added in v0.15.0 

func (c *Client) ListGroupRoleAssignments(ctx context.Context) ([]types.GroupRoleAssignment, error)

ListGroupRoleAssignments returns all group role assignments from the database.

func (*Client) ListMCPServerOccurrences added in v0.22.0 

func (c *Client) ListMCPServerOccurrences(ctx context.Context, configHash string, limit, offset int) ([]types.MCPServerOccurrence, int64, error)

ListMCPServerOccurrences returns one row per (device, observation) for the given config_hash, drawn from the all-time latest scan of every device. Sorted scanned_at DESC, paginated.

func (*Client) ListServiceAccountAPIKeys added in v0.21.0 

func (c *Client) ListServiceAccountAPIKeys(ctx context.Context, serviceAccountName string) ([]types.ServiceAccountAPIKey, error)

func (*Client) ListSkillOccurrences added in v0.22.0 

func (c *Client) ListSkillOccurrences(ctx context.Context, name string, limit, offset int) ([]types.SkillOccurrence, int64, error)

ListSkillOccurrences returns one row per (device, observation) for the given skill name, drawn from the all-time latest scan of every device. Sorted scanned_at DESC, paginated.

func (*Client) ListSkillStats added in v0.22.0 

func (c *Client) ListSkillStats(ctx context.Context, opts SkillStatListOptions) ([]types.SkillStat, int64, error)

ListSkillStats returns one row per distinct skill name observed in the latest scan of any device within the requested window. Paginated, sortable, optional name LIKE filter.

func (*Client) LogMCPAuditEntry added in v0.10.0 

func (c *Client) LogMCPAuditEntry(entry types.MCPAuditLog)

func (*Client) LogMessagePolicyViolation added in v0.19.0 

func (c *Client) LogMessagePolicyViolation(ctx context.Context, v *types.MessagePolicyViolation) error

LogMessagePolicyViolation encrypts sensitive fields and inserts a violation record.

func (*Client) NewAuthToken added in v0.8.0 

func (c *Client) NewAuthToken(
	ctx context.Context,
	authProviderNamespace,
	authProviderName string,
	authProviderUserID string,
	userID uint,
	tr *types.TokenRequest,
) (*types.AuthToken, error)

func (*Client) RemainingTokenUsageForUser added in v0.8.0 

func (c *Client) RemainingTokenUsageForUser(ctx context.Context, userID string, period time.Duration, promptTokenLimit, completionTokenLimit int) (*types.RemainingTokenUsage, error)

func (*Client) RemoveIdentity added in v0.5.0 

func (c *Client) RemoveIdentity(ctx context.Context, id *types.Identity) error

RemoveIdentity deletes an identity from the database. The identity is deleted using UserID if set, otherwise ProviderUsername. The method is idempotent and ignores not-found errors, returning only unexpected errors.

func (*Client) RemoveIdentityAndUser added in v0.9.0 

func (c *Client) RemoveIdentityAndUser(ctx context.Context, id *types.Identity) (uint, error)

RemoveIdentityAndUser deletes an identity and the associated user from the database. The identity and user are deleted using UserID if set, otherwise ProviderUsername. The method is idempotent and ignores not-found errors, returning only unexpected errors.

func (*Client) ReplaceMCPOAuthToken added in v0.8.0 

func (c *Client) ReplaceMCPOAuthToken(ctx context.Context, userID, mcpID, url, oauthAuthRequestID string, oauthConf *oauth2.Config, token *oauth2.Token) error

func (*Client) ResolveUserEffectiveRole added in v0.15.0 

func (c *Client) ResolveUserEffectiveRole(ctx context.Context, user *types.User, authGroupIDs []string) (types2.Role, error)

ResolveUserEffectiveRole computes the effective role for a user by combining: 1. Individual role from users table 2. Group-based roles from GroupRoleAssignments Returns the highest base role plus orthogonal add-on roles (if present).

func (*Client) ResolveUserEffectiveRolesBulk added in v0.15.0 

func (c *Client) ResolveUserEffectiveRolesBulk(ctx context.Context, users []types.User, userGroupMemberships map[uint][]string) (map[uint]types2.Role, error)

ResolveUserEffectiveRolesBulk computes effective roles for multiple users efficiently. It performs a single database query to fetch all group role assignments for all users' groups. Returns a map of userID to their effective role.

func (*Client) RetireOtherServiceAccountAPIKeys added in v0.21.0 

func (c *Client) RetireOtherServiceAccountAPIKeys(ctx context.Context, serviceAccountName string, activeID uint, retireAfter time.Time) error

func (*Client) RunState added in v0.7.0 

func (c *Client) RunState(ctx context.Context, namespace, name string) (*types.RunState, error)

func (*Client) SetProperty added in v0.13.0 

func (c *Client) SetProperty(ctx context.Context, key, value string) (types.Property, error)

func (*Client) SetTempUserCache added in v0.13.0 

func (c *Client) SetTempUserCache(ctx context.Context, user *types.User, authProviderName, authProviderNamespace string) error

SetTempUserCache stores a temporary user in the database for the bootstrap setup flow. Returns an error if a user is already cached.

func (*Client) TokenUsageByUser added in v0.8.0 

func (c *Client) TokenUsageByUser(ctx context.Context, start, end time.Time, includePersonalTokenUsage bool) ([]types.RunTokenActivity, error)

func (*Client) TokenUsageForUser added in v0.8.0 

func (c *Client) TokenUsageForUser(ctx context.Context, userID string, start, end time.Time) ([]types.RunTokenActivity, error)

func (*Client) TokenUsageSeriesInRange added in v0.17.0 

func (c *Client) TokenUsageSeriesInRange(ctx context.Context, start, end time.Time) ([]types.RunTokenActivity, error)

TokenUsageSeriesInRange returns all individual token usage records in the time range for all users. Personal token usage is excluded. Results are ordered by created_at descending. The range is [start, end] inclusive so that the requested end time is the last moment included.

func (*Client) TotalTokenUsageForUser added in v0.8.0 

func (c *Client) TotalTokenUsageForUser(ctx context.Context, userID string, start, end time.Time, includePersonalTokenUsage bool) (types.RunTokenActivity, error)

func (*Client) UpdateAPIKeyLastUsed added in v0.16.0 

func (c *Client) UpdateAPIKeyLastUsed(ctx context.Context, key *types.APIKey) error

UpdateAPIKeyLastUsed updates the last_used_at timestamp for an API key if more than a minute has elapsed since the previous timestamp.

func (*Client) UpdateGroupRoleAssignment added in v0.15.0 

func (c *Client) UpdateGroupRoleAssignment(ctx context.Context, groupName string, role types2.Role, description string) (*types.GroupRoleAssignment, error)

UpdateGroupRoleAssignment updates an existing group role assignment.

func (*Client) UpdateProfileIfNeeded added in v0.8.0 

func (c *Client) UpdateProfileIfNeeded(ctx context.Context, user *types.User, authProviderName, authProviderNamespace, authProviderURL string) error

func (*Client) UpdateRunState added in v0.7.0 

func (c *Client) UpdateRunState(ctx context.Context, runState *types.RunState) error

func (*Client) UpdateUser added in v0.5.0 

func (c *Client) UpdateUser(ctx context.Context, actingUserCanChangeRole bool, updatedUser *types.User, userID string) (*types.User, error)

func (*Client) UpdateUserInternalStatus added in v0.8.0 

func (c *Client) UpdateUserInternalStatus(ctx context.Context, userID string, internal bool) error

func (*Client) User 

func (c *Client) User(ctx context.Context, username string) (*types.User, error)

func (*Client) UserByID 

func (c *Client) UserByID(ctx context.Context, id string) (*types.User, error)

func (*Client) UserByIDIncludeDeleted added in v0.9.0 

func (c *Client) UserByIDIncludeDeleted(ctx context.Context, id string) (*types.User, error)

UserByIDIncludeDeleted returns a user by ID including soft-deleted users (for audit purposes)

func (*Client) UserFromToken added in v0.8.0 

func (c *Client) UserFromToken(ctx context.Context, token string) (*types.User, string, string, string, []string, error)

func (*Client) UserInfoByID added in v0.16.0 

func (c *Client) UserInfoByID(ctx context.Context, userID uint) (kuser.Info, error)

UserInfoByID returns a user.Info object for the given user ID, suitable for use with ACR helper methods. This fetches the user and their group memberships from the database.

func (*Client) Users added in v0.5.0 

func (c *Client) Users(ctx context.Context, query types.UserQuery) ([]types.User, error)

func (*Client) UsersIncludeDeleted added in v0.9.0 

func (c *Client) UsersIncludeDeleted(ctx context.Context, query types.UserQuery) ([]types.User, error)

UsersIncludeDeleted returns all users including soft-deleted ones (for audit purposes)

func (*Client) ValidateAPIKey added in v0.16.0 

func (c *Client) ValidateAPIKey(ctx context.Context, key string) (*types.APIKey, error)

ValidateAPIKey validates an API key and returns the associated APIKey record. The key format is: ok1-<user_id>-<key_id>-<secret> Lookup is done by key ID, then bcrypt is used to verify the secret. Cache hits return a previously validated key without touching the database. On cache misses, last_used_at is updated only if more than a minute has elapsed.

func (*Client) ValidateStorageServiceAccountToken added in v0.21.0 

func (c *Client) ValidateStorageServiceAccountToken(ctx context.Context, token string) (*types.ServiceAccountAPIKey, error)

type DeviceClientFleetListOptions added in v0.22.0 

type DeviceClientFleetListOptions struct {
	// Name, when non-empty after trimming, restricts distinct client names to
	// those matching as a case-insensitive substring (LIKE/ILIKE %Name%).
	Name string
	// SortBy is name | mcp_server_count | skill_count | user_count.
	SortBy string
	// SortOrder is asc | desc.
	SortOrder string
	// Limit is the max number of client rows to return; 0 means no limit.
	Limit int
	// Offset skips that many client names in the selected sort order.
	Offset int
}

DeviceClientFleetListOptions configures ListDeviceClientFleetSummaries.

type DeviceClientFleetSkill added in v0.22.0 

type DeviceClientFleetSkill struct {
	Name        string
	Description string
	HasScripts  bool
	Files       int
}

DeviceClientFleetSkill is gateway-layer skill metadata for client summaries.

type DeviceClientFleetSummary added in v0.22.0 

type DeviceClientFleetSummary struct {
	Name       string
	Users      []string
	Skills     []DeviceClientFleetSkill
	MCPServers []types.MCPServerStat
}

DeviceClientFleetSummary is the gateway-layer aggregate for one client name; callers map it to apiclient types.

type DeviceScanListOptions added in v0.22.0 

type DeviceScanListOptions struct {
	SubmittedBy   []string
	DeviceID      []string
	Limit         int
	Offset        int
	GroupByDevice bool
}

DeviceScanListOptions filters the scan-envelope list endpoint. SubmittedBy and DeviceID are multi-value; either narrows the result.

type DeviceScanStatsOptions added in v0.22.0 

type DeviceScanStatsOptions struct {
	StartTime time.Time
	EndTime   time.Time
}

DeviceScanStatsOptions bounds the dashboard rollup. Zero-valued times are treated as unbounded; callers normally pass a recent window (e.g. last 60 days).

type DeviceScanStatsResult added in v0.22.0 

type DeviceScanStatsResult struct {
	StartTime      time.Time
	EndTime        time.Time
	DeviceCount    int64
	UserCount      int64
	Clients        []types.ClientStat
	MCPServers     []types.MCPServerStat
	Skills         []types.SkillStat
	ScanTimestamps []time.Time
}

DeviceScanStatsResult is the dashboard rollup payload.

type ExplicitRoleError added in v0.12.0 

type ExplicitRoleError struct {
	// contains filtered or unexported fields
}

func (*ExplicitRoleError) Error added in v0.12.0 

func (e *ExplicitRoleError) Error() string

type FetchUserGroupsError added in v0.15.0 

type FetchUserGroupsError struct {
	ProviderUserID string
	Message        string
}

FetchUserGroupsError represents an error that occurs when fetching user groups from the auth provider. This error indicates a configuration issue with the auth provider that requires administrator intervention.

func (*FetchUserGroupsError) Error added in v0.15.0 

func (e *FetchUserGroupsError) Error() string

type LastAdminError added in v0.5.0 

type LastAdminError struct{}

func (*LastAdminError) Error added in v0.5.0 

func (e *LastAdminError) Error() string

type LastOwnerError added in v0.13.0 

type LastOwnerError struct{}

func (*LastOwnerError) Error added in v0.13.0 

func (e *LastOwnerError) Error() string

type LogoutAllErr added in v0.8.0 

type LogoutAllErr struct{}

func (LogoutAllErr) Error added in v0.8.0 

func (e LogoutAllErr) Error() string

type MCPAuditLogOptions added in v0.8.0 

type MCPAuditLogOptions struct {
	WithRequestAndResponse    bool
	PowerUserWorkspaceID      []string // Support filtering by workspace ID(s)
	OwnServerMCPIDs           []string // MCPIDs for user's own servers (union with PowerUserWorkspaceID)
	UserID                    []string
	MCPID                     []string
	MCPServerDisplayName      []string
	MCPServerCatalogEntryName []string
	CallType                  []string
	CallIdentifier            []string
	SessionID                 []string
	ClientName                []string
	ClientVersion             []string
	ResponseStatus            []string
	ClientIP                  []string
	ProcessingTimeMin         int64
	ProcessingTimeMax         int64
	Query                     string // Search term for text search across multiple fields
	StartTime                 time.Time
	EndTime                   time.Time
	Limit                     int
	Offset                    int
	SortBy                    string // Field to sort by (e.g., "created_at", "user_id", "call_type")
	SortOrder                 string // Sort order: "asc" or "desc"
}

MCPAuditLogOptions represents options for querying MCP audit logs

type MCPUsageStatsOptions added in v0.8.0 

type MCPUsageStatsOptions struct {
	MCPID                      string
	PowerUserWorkspaceID       []string // Workspace filtering support (same as audit logs)
	OwnServerMCPIDs            []string // MCPIDs for user's own servers (union with PowerUserWorkspaceID)
	UserIDs                    []string
	MCPServerDisplayNames      []string
	MCPServerCatalogEntryNames []string
	StartTime                  time.Time
	EndTime                    time.Time
}

MCPUsageStatsOptions represents options for querying MCP usage statistics

type MessagePolicyViolationDirectionCounts added in v0.19.0 

type MessagePolicyViolationDirectionCounts struct {
	UserMessage int64 `json:"userMessage"`
	ToolCalls   int64 `json:"toolCalls"`
}

type MessagePolicyViolationOptions added in v0.19.0 

type MessagePolicyViolationOptions struct {
	UserID      []string
	PolicyID    []string
	Direction   []string
	ProjectID   []string
	ThreadID    []string
	Query       string
	StartTime   time.Time
	EndTime     time.Time
	Limit       int
	Offset      int
	SortBy      string
	SortOrder   string
	TimeGroupBy string // "user" or "policy" (default)
}

MessagePolicyViolationOptions represents options for querying policy violations.

type MessagePolicyViolationPolicyCount added in v0.19.0 

type MessagePolicyViolationPolicyCount struct {
	PolicyID   string `json:"policyID"`
	PolicyName string `json:"policyName"`
	Count      int64  `json:"count"`
}

type MessagePolicyViolationStats added in v0.19.0 

type MessagePolicyViolationStats struct {
	ByTime      []MessagePolicyViolationTimeBucket    `json:"byTime"`
	ByPolicy    []MessagePolicyViolationPolicyCount   `json:"byPolicy"`
	ByUser      []MessagePolicyViolationUserCount     `json:"byUser"`
	ByDirection MessagePolicyViolationDirectionCounts `json:"byDirection"`
}

MessagePolicyViolationStats holds the aggregated stats returned by GetMessagePolicyViolationStats.

type MessagePolicyViolationTimeBucket added in v0.19.0 

type MessagePolicyViolationTimeBucket struct {
	Time     time.Time `json:"time"`
	Category string    `json:"category"`
	Count    int64     `json:"count"`
}

type MessagePolicyViolationUserCount added in v0.19.0 

type MessagePolicyViolationUserCount struct {
	UserID string `json:"userID"`
	Count  int64  `json:"count"`
}

type SkillStatListOptions added in v0.22.0 

type SkillStatListOptions struct {
	StartTime time.Time
	EndTime   time.Time
	Name      string // case-insensitive LIKE match against skill name
	SortBy    string // name | device_count | user_count | observation_count
	SortOrder string // asc | desc
	Limit     int
	Offset    int
}

SkillStatListOptions filters and orders the paginated skill stats list. The time window applies to the parent device_scans (only scans inside the window are candidates for "latest per device" selection). Zero-valued bounds are treated as unbounded.

type UserDecorator 

type UserDecorator struct {
	// contains filtered or unexported fields
}

func NewUserDecorator 

func NewUserDecorator(next authenticator.Request, client *Client) *UserDecorator

func (UserDecorator) AuthenticateRequest 

func (u UserDecorator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.