Skip to content

feat(coding-agent): auth gateway forward proxy#195

Open
islee23520 wants to merge 3 commits into
code-yeongyu:mainfrom
islee23520:feat/auth-gateway
Open

feat(coding-agent): auth gateway forward proxy#195
islee23520 wants to merge 3 commits into
code-yeongyu:mainfrom
islee23520:feat/auth-gateway

Conversation

@islee23520

@islee23520 islee23520 commented Jul 12, 2026

Copy link
Copy Markdown

Summary

Forward proxy that injects credentials leased from the auth-broker into upstream provider requests, exposing one authenticated endpoint for Anthropic Messages, OpenAI Chat, and Responses/pi protocols:

  • auth-gateway-transport(-auth/-request/-types): loopback transport, bearer auth, authorized-model restriction.
  • auth-gateway-protocol-adapter + anthropic-messages / openai-chat / responses-pi(-adapter/-events): per-protocol adaptation.
  • auth-gateway-provider-runtime: selects broker credentials per call, reports lease outcomes.
  • auth-gateway-observability: redacted health/check diagnostics.
  • auth-gateway-cli: senpi auth-gateway CLI (serve, token, status, check); main registers it.
  • docs/auth-broker-gateway.md + scripts/verify-auth-broker-gateway.mjs: operator docs and verifier.

Stack

Stacked on the credential-broker PR (uses AuthBrokerRemoteStore). This branch includes the provider-parity and credential-broker commits; merge after them, then rebase to drop them.

Evidence

  • npm run check green.
  • gateway + broker-gateway verifier tests: 25 passing.

Summary by cubic

Adds an auth gateway forward proxy that injects broker-leased credentials into upstream requests and exposes one authenticated endpoint for Anthropic Messages, OpenAI Chat, and OpenAI Responses/pi. This centralizes credential use, simplifies client config, and enforces model access.

  • New Features

    • auth-gateway-transport(-auth/-request/-types): loopback transport with bearer auth and authorized-model filtering.
    • auth-gateway-protocol-adapter + per-protocol adapters for Anthropic Messages, OpenAI Chat, and Responses/pi.
    • auth-gateway-provider-runtime: selects broker credentials per call and reports lease outcomes.
    • auth-gateway-observability: redacted health and diagnostics.
    • auth-gateway-cli: senpi auth-gateway {serve,token,status,check}; docs/auth-broker-gateway.md and scripts/verify-auth-broker-gateway.mjs for setup and verification.
  • Migration

    • Requires the credential broker to be running and populated.
    • Start the gateway with senpi auth-gateway serve and set clients to use its single endpoint for the supported protocols.
    • Use senpi auth-gateway token/status/check to manage access and confirm health.
    • Run scripts/verify-auth-broker-gateway.mjs to validate end-to-end configuration.

Written for commit d35fdec. Summary will update on new commits.

Review in cubic

Add 18 API-key providers (alibaba-coding-plan, cursor, deepinfra, firepass,
fugu, gitlab-duo, glm-zcode, kagi, kilo, kimi-code, litellm, lm-studio,
minimax-code(-cn), moonshot, nanogpt, ollama(-cloud), openai-codex-device,
parallel, perplexity, qianfan, qwen-portal, synthetic, tavily, venice, vllm,
zenmux) plus OAuth flows for cursor, gitlab-duo, glm-zcode, google-antigravity,
google-gemini-cli, kilo, kimi-code, openai-codex-device, perplexity, xai, and
the remaining Gajae provider-ID gaps for full /login parity.

The coding-agent provider wiring (model-resolver defaults, provider-display-names,
auth-providers oauth-only set) travels here because model-resolver is exhaustive
over the ai KnownProvider union. Source of truth for keys remains env-api-keys.ts;
parity is enforced by test/api-key-provider-parity.test.ts.
…ackground refresh

Add a loopback credential broker that stores OAuth/API-key credentials in a
SQLite vault and leases them to authorized gateway clients:

- auth-multi-account / credential-selection / in-memory-credential-vault:
  multi-account credential contracts, pooled selection, and an in-memory vault.
- auth-broker + wire-contract: broker service with CAS selection leases,
  redacting wire contract, and a remote store for clients.
- auth-broker-cli + auth-broker-server: `senpi auth-broker` CLI (serve, token,
  login, logout, import, backup, restore, migrate) over a loopback HTTP server.
- auth-broker-refresher: background OAuth refresh loop (5 min skew / 60 s
  cadence) that renews expiring tokens and disables definitive failures.
- model-registry / sdk: wire pooled credential selection and outcome reporting
  into the agent loop; index exports the credential surface; main registers the
  `auth-broker` command.

Stacked on the provider-parity branch (depends on its KnownProvider union).
Add a forward proxy that injects credentials leased from the auth-broker into
upstream provider requests, exposing a single authenticated endpoint for
Anthropic Messages, OpenAI Chat, and Responses/pi protocols:

- auth-gateway-transport(-auth/-request/-types): loopback transport with bearer
  auth, request handling, and authorized-model restriction.
- auth-gateway-protocol-adapter + anthropic-messages / openai-chat /
  responses-pi(-adapter/-events): per-protocol request/response adaptation.
- auth-gateway-provider-runtime: selects broker credentials per call and reports
  lease outcomes.
- auth-gateway-observability: redacted health/check diagnostics.
- auth-gateway-cli: `senpi auth-gateway` CLI (serve, token, status, check);
  main registers the command.
- docs/auth-broker-gateway.md + scripts/verify-auth-broker-gateway.mjs:
  operator docs and a verifier.

Stacked on the credential-broker branch (uses its AuthBrokerRemoteStore).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant