feat(coding-agent): auth gateway forward proxy#195
Open
islee23520 wants to merge 3 commits into
Open
Conversation
Add 18 API-key providers (alibaba-coding-plan, cursor, deepinfra, firepass, fugu, gitlab-duo, glm-zcode, kagi, kilo, kimi-code, litellm, lm-studio, minimax-code(-cn), moonshot, nanogpt, ollama(-cloud), openai-codex-device, parallel, perplexity, qianfan, qwen-portal, synthetic, tavily, venice, vllm, zenmux) plus OAuth flows for cursor, gitlab-duo, glm-zcode, google-antigravity, google-gemini-cli, kilo, kimi-code, openai-codex-device, perplexity, xai, and the remaining Gajae provider-ID gaps for full /login parity. The coding-agent provider wiring (model-resolver defaults, provider-display-names, auth-providers oauth-only set) travels here because model-resolver is exhaustive over the ai KnownProvider union. Source of truth for keys remains env-api-keys.ts; parity is enforced by test/api-key-provider-parity.test.ts.
…ackground refresh Add a loopback credential broker that stores OAuth/API-key credentials in a SQLite vault and leases them to authorized gateway clients: - auth-multi-account / credential-selection / in-memory-credential-vault: multi-account credential contracts, pooled selection, and an in-memory vault. - auth-broker + wire-contract: broker service with CAS selection leases, redacting wire contract, and a remote store for clients. - auth-broker-cli + auth-broker-server: `senpi auth-broker` CLI (serve, token, login, logout, import, backup, restore, migrate) over a loopback HTTP server. - auth-broker-refresher: background OAuth refresh loop (5 min skew / 60 s cadence) that renews expiring tokens and disables definitive failures. - model-registry / sdk: wire pooled credential selection and outcome reporting into the agent loop; index exports the credential surface; main registers the `auth-broker` command. Stacked on the provider-parity branch (depends on its KnownProvider union).
Add a forward proxy that injects credentials leased from the auth-broker into upstream provider requests, exposing a single authenticated endpoint for Anthropic Messages, OpenAI Chat, and Responses/pi protocols: - auth-gateway-transport(-auth/-request/-types): loopback transport with bearer auth, request handling, and authorized-model restriction. - auth-gateway-protocol-adapter + anthropic-messages / openai-chat / responses-pi(-adapter/-events): per-protocol request/response adaptation. - auth-gateway-provider-runtime: selects broker credentials per call and reports lease outcomes. - auth-gateway-observability: redacted health/check diagnostics. - auth-gateway-cli: `senpi auth-gateway` CLI (serve, token, status, check); main registers the command. - docs/auth-broker-gateway.md + scripts/verify-auth-broker-gateway.mjs: operator docs and a verifier. Stacked on the credential-broker branch (uses its AuthBrokerRemoteStore).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Forward proxy that injects credentials leased from the auth-broker into upstream provider requests, exposing one authenticated endpoint for Anthropic Messages, OpenAI Chat, and Responses/pi protocols:
auth-gateway-transport(-auth/-request/-types): loopback transport, bearer auth, authorized-model restriction.auth-gateway-protocol-adapter+ anthropic-messages / openai-chat / responses-pi(-adapter/-events): per-protocol adaptation.auth-gateway-provider-runtime: selects broker credentials per call, reports lease outcomes.auth-gateway-observability: redacted health/check diagnostics.auth-gateway-cli:senpi auth-gatewayCLI (serve, token, status, check);mainregisters it.docs/auth-broker-gateway.md+scripts/verify-auth-broker-gateway.mjs: operator docs and verifier.Stack
Stacked on the credential-broker PR (uses
AuthBrokerRemoteStore). This branch includes the provider-parity and credential-broker commits; merge after them, then rebase to drop them.Evidence
npm run checkgreen.Summary by cubic
Adds an auth gateway forward proxy that injects broker-leased credentials into upstream requests and exposes one authenticated endpoint for Anthropic Messages, OpenAI Chat, and OpenAI Responses/pi. This centralizes credential use, simplifies client config, and enforces model access.
New Features
auth-gateway-transport(-auth/-request/-types): loopback transport with bearer auth and authorized-model filtering.auth-gateway-protocol-adapter+ per-protocol adapters for Anthropic Messages, OpenAI Chat, and Responses/pi.auth-gateway-provider-runtime: selects broker credentials per call and reports lease outcomes.auth-gateway-observability: redacted health and diagnostics.auth-gateway-cli:senpi auth-gateway {serve,token,status,check};docs/auth-broker-gateway.mdandscripts/verify-auth-broker-gateway.mjsfor setup and verification.Migration
senpi auth-gateway serveand set clients to use its single endpoint for the supported protocols.senpi auth-gateway token/status/checkto manage access and confirm health.scripts/verify-auth-broker-gateway.mjsto validate end-to-end configuration.Written for commit d35fdec. Summary will update on new commits.