feat(agent-auth): add 1Password integration for credential providers

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
-configured_endpoints: 91
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-714affeb2859c03a71d35708b6704b1750a1712738a130f3363ae67b20d751d9.yml
-openapi_spec_hash: 9d2b9358f0f640ecd1eacd15b70dd361
-config_hash: cc7fdd701d995d4b3456d77041c604cf
+configured_endpoints: 97
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-7427d4bcaba5cad07910da7a222bdd2650b5280e6b889132ed38d230adafb8a5.yml
+openapi_spec_hash: e8e3dc1ae54666d544d1fc848b25e7cf
+config_hash: b470456b217bb9502f5212311d395a6f

api.md

@@ -300,3 +300,22 @@ Methods:
 - <code title="get /credentials">client.credentials.<a href="./src/resources/credentials.ts">list</a>({ ...params }) -> CredentialsOffsetPagination</code>
 - <code title="delete /credentials/{id_or_name}">client.credentials.<a href="./src/resources/credentials.ts">delete</a>(idOrName) -> void</code>
 - <code title="get /credentials/{id_or_name}/totp-code">client.credentials.<a href="./src/resources/credentials.ts">totpCode</a>(idOrName) -> CredentialTotpCodeResponse</code>
+
+# CredentialProviders
+
+Types:
+
+- <code><a href="./src/resources/credential-providers.ts">CreateCredentialProviderRequest</a></code>
+- <code><a href="./src/resources/credential-providers.ts">CredentialProvider</a></code>
+- <code><a href="./src/resources/credential-providers.ts">CredentialProviderTestResult</a></code>
+- <code><a href="./src/resources/credential-providers.ts">UpdateCredentialProviderRequest</a></code>
+- <code><a href="./src/resources/credential-providers.ts">CredentialProviderListResponse</a></code>
+
+Methods:
+
+- <code title="post /org/credential-providers">client.credentialProviders.<a href="./src/resources/credential-providers.ts">create</a>({ ...params }) -> CredentialProvider</code>
+- <code title="get /org/credential-providers/{id}">client.credentialProviders.<a href="./src/resources/credential-providers.ts">retrieve</a>(id) -> CredentialProvider</code>
+- <code title="patch /org/credential-providers/{id}">client.credentialProviders.<a href="./src/resources/credential-providers.ts">update</a>(id, { ...params }) -> CredentialProvider</code>
+- <code title="get /org/credential-providers">client.credentialProviders.<a href="./src/resources/credential-providers.ts">list</a>() -> CredentialProviderListResponse</code>
+- <code title="delete /org/credential-providers/{id}">client.credentialProviders.<a href="./src/resources/credential-providers.ts">delete</a>(id) -> void</code>
+- <code title="post /org/credential-providers/{id}/test">client.credentialProviders.<a href="./src/resources/credential-providers.ts">test</a>(id) -> CredentialProviderTestResult</code>

src/client.ts

@@ -30,6 +30,16 @@ import {
   BrowserPoolUpdateParams,
   BrowserPools,
 } from './resources/browser-pools';
+import {
+  CreateCredentialProviderRequest,
+  CredentialProvider,
+  CredentialProviderCreateParams,
+  CredentialProviderListResponse,
+  CredentialProviderTestResult,
+  CredentialProviderUpdateParams,
+  CredentialProviders,
+  UpdateCredentialProviderRequest,
+} from './resources/credential-providers';
 import {
   CreateCredentialRequest,
   Credential,
@@ -873,6 +883,7 @@ export class Kernel {
   browserPools: API.BrowserPools = new API.BrowserPools(this);
   agents: API.Agents = new API.Agents(this);
   credentials: API.Credentials = new API.Credentials(this);
+  credentialProviders: API.CredentialProviders = new API.CredentialProviders(this);
 }
 
 Kernel.Deployments = Deployments;
@@ -885,6 +896,7 @@ Kernel.Extensions = Extensions;
 Kernel.BrowserPools = BrowserPools;
 Kernel.Agents = Agents;
 Kernel.Credentials = Credentials;
+Kernel.CredentialProviders = CredentialProviders;
 
 export declare namespace Kernel {
   export type RequestOptions = Opts.RequestOptions;
@@ -996,6 +1008,17 @@ export declare namespace Kernel {
     type CredentialListParams as CredentialListParams,
   };
 
+  export {
+    CredentialProviders as CredentialProviders,
+    type CreateCredentialProviderRequest as CreateCredentialProviderRequest,
+    type CredentialProvider as CredentialProvider,
+    type CredentialProviderTestResult as CredentialProviderTestResult,
+    type UpdateCredentialProviderRequest as UpdateCredentialProviderRequest,
+    type CredentialProviderListResponse as CredentialProviderListResponse,
+    type CredentialProviderCreateParams as CredentialProviderCreateParams,
+    type CredentialProviderUpdateParams as CredentialProviderUpdateParams,
+  };
+
   export type AppAction = API.AppAction;
   export type BrowserExtension = API.BrowserExtension;
   export type BrowserProfile = API.BrowserProfile;

src/resources/credential-providers.ts

@@ -0,0 +1,265 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+import { APIResource } from '../core/resource';
+import { APIPromise } from '../core/api-promise';
+import { buildHeaders } from '../internal/headers';
+import { RequestOptions } from '../internal/request-options';
+import { path } from '../internal/utils/path';
+
+export class CredentialProviders extends APIResource {
+  /**
+   * Configure an external credential provider (e.g., 1Password) for automatic
+   * credential lookup.
+   *
+   * @example
+   * ```ts
+   * const credentialProvider =
+   *   await client.credentialProviders.create({
+   *     token: 'ops_eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...',
+   *     provider_type: 'onepassword',
+   *   });
+   * ```
+   */
+  create(body: CredentialProviderCreateParams, options?: RequestOptions): APIPromise<CredentialProvider> {
+    return this._client.post('/org/credential-providers', { body, ...options });
+  }
+
+  /**
+   * Retrieve a credential provider by its ID.
+   *
+   * @example
+   * ```ts
+   * const credentialProvider =
+   *   await client.credentialProviders.retrieve('id');
+   * ```
+   */
+  retrieve(id: string, options?: RequestOptions): APIPromise<CredentialProvider> {
+    return this._client.get(path`/org/credential-providers/${id}`, options);
+  }
+
+  /**
+   * Update a credential provider's configuration.
+   *
+   * @example
+   * ```ts
+   * const credentialProvider =
+   *   await client.credentialProviders.update('id');
+   * ```
+   */
+  update(
+    id: string,
+    body: CredentialProviderUpdateParams,
+    options?: RequestOptions,
+  ): APIPromise<CredentialProvider> {
+    return this._client.patch(path`/org/credential-providers/${id}`, { body, ...options });
+  }
+
+  /**
+   * List external credential providers configured for the organization.
+   *
+   * @example
+   * ```ts
+   * const credentialProviders =
+   *   await client.credentialProviders.list();
+   * ```
+   */
+  list(options?: RequestOptions): APIPromise<CredentialProviderListResponse> {
+    return this._client.get('/org/credential-providers', options);
+  }
+
+  /**
+   * Delete a credential provider by its ID.
+   *
+   * @example
+   * ```ts
+   * await client.credentialProviders.delete('id');
+   * ```
+   */
+  delete(id: string, options?: RequestOptions): APIPromise<void> {
+    return this._client.delete(path`/org/credential-providers/${id}`, {
+      ...options,
+      headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
+    });
+  }
+
+  /**
+   * Validate the credential provider's token and list accessible vaults.
+   *
+   * @example
+   * ```ts
+   * const credentialProviderTestResult =
+   *   await client.credentialProviders.test('id');
+   * ```
+   */
+  test(id: string, options?: RequestOptions): APIPromise<CredentialProviderTestResult> {
+    return this._client.post(path`/org/credential-providers/${id}/test`, options);
+  }
+}
+
+/**
+ * Request to create an external credential provider
+ */
+export interface CreateCredentialProviderRequest {
+  /**
+   * Service account token for the provider (e.g., 1Password service account token)
+   */
+  token: string;
+
+  /**
+   * Type of credential provider
+   */
+  provider_type: 'onepassword';
+
+  /**
+   * How long to cache credential lists (default 300 seconds)
+   */
+  cache_ttl_seconds?: number;
+}
+
+/**
+ * An external credential provider (e.g., 1Password) for automatic credential
+ * lookup
+ */
+export interface CredentialProvider {
+  /**
+   * Unique identifier for the credential provider
+   */
+  id: string;
+
+  /**
+   * When the credential provider was created
+   */
+  created_at: string;
+
+  /**
+   * Whether the provider is enabled for credential lookups
+   */
+  enabled: boolean;
+
+  /**
+   * Priority order for credential lookups (lower numbers are checked first)
+   */
+  priority: number;
+
+  /**
+   * Type of credential provider
+   */
+  provider_type: 'onepassword';
+
+  /**
+   * When the credential provider was last updated
+   */
+  updated_at: string;
+}
+
+/**
+ * Result of testing a credential provider connection
+ */
+export interface CredentialProviderTestResult {
+  /**
+   * Whether the connection test was successful
+   */
+  success: boolean;
+
+  /**
+   * List of vaults accessible by the service account
+   */
+  vaults: Array<CredentialProviderTestResult.Vault>;
+
+  /**
+   * Error message if the test failed
+   */
+  error?: string;
+}
+
+export namespace CredentialProviderTestResult {
+  export interface Vault {
+    /**
+     * Vault ID
+     */
+    id: string;
+
+    /**
+     * Vault name
+     */
+    name: string;
+  }
+}
+
+/**
+ * Request to update a credential provider
+ */
+export interface UpdateCredentialProviderRequest {
+  /**
+   * New service account token (to rotate credentials)
+   */
+  token?: string;
+
+  /**
+   * How long to cache credential lists
+   */
+  cache_ttl_seconds?: number;
+
+  /**
+   * Whether the provider is enabled for credential lookups
+   */
+  enabled?: boolean;
+
+  /**
+   * Priority order for credential lookups (lower numbers are checked first)
+   */
+  priority?: number;
+}
+
+export type CredentialProviderListResponse = Array<CredentialProvider>;
+
+export interface CredentialProviderCreateParams {
+  /**
+   * Service account token for the provider (e.g., 1Password service account token)
+   */
+  token: string;
+
+  /**
+   * Type of credential provider
+   */
+  provider_type: 'onepassword';
+
+  /**
+   * How long to cache credential lists (default 300 seconds)
+   */
+  cache_ttl_seconds?: number;
+}
+
+export interface CredentialProviderUpdateParams {
+  /**
+   * New service account token (to rotate credentials)
+   */
+  token?: string;
+
+  /**
+   * How long to cache credential lists
+   */
+  cache_ttl_seconds?: number;
+
+  /**
+   * Whether the provider is enabled for credential lookups
+   */
+  enabled?: boolean;
+
+  /**
+   * Priority order for credential lookups (lower numbers are checked first)
+   */
+  priority?: number;
+}
+
+export declare namespace CredentialProviders {
+  export {
+    type CreateCredentialProviderRequest as CreateCredentialProviderRequest,
+    type CredentialProvider as CredentialProvider,
+    type CredentialProviderTestResult as CredentialProviderTestResult,
+    type UpdateCredentialProviderRequest as UpdateCredentialProviderRequest,
+    type CredentialProviderListResponse as CredentialProviderListResponse,
+    type CredentialProviderCreateParams as CredentialProviderCreateParams,
+    type CredentialProviderUpdateParams as CredentialProviderUpdateParams,
+  };
+}

src/resources/index.ts

@@ -35,6 +35,16 @@ export {
   type BrowserLoadExtensionsParams,
   type BrowserListResponsesOffsetPagination,
 } from './browsers/browsers';
+export {
+  CredentialProviders,
+  type CreateCredentialProviderRequest,
+  type CredentialProvider,
+  type CredentialProviderTestResult,
+  type UpdateCredentialProviderRequest,
+  type CredentialProviderListResponse,
+  type CredentialProviderCreateParams,
+  type CredentialProviderUpdateParams,
+} from './credential-providers';
 export {
   Credentials,
   type CreateCredentialRequest,