Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion aws-encryption.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- credentials
- credentials.obot.obot.ai
- runstates.obot.obot.ai
- users.obot.obot.ai
- identities.obot.obot.ai
Expand Down
2 changes: 1 addition & 1 deletion azure-encryption.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- credentials
- credentials.obot.obot.ai
- runstates.obot.obot.ai
- users.obot.obot.ai
- identities.obot.obot.ai
Expand Down
2 changes: 1 addition & 1 deletion chart/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ spec:
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- credentials
- credentials.obot.obot.ai
- runstates.obot.obot.ai
- users.obot.obot.ai
- identities.obot.obot.ai
Expand Down
2 changes: 1 addition & 1 deletion gcp-encryption.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- credentials
- credentials.obot.obot.ai
- runstates.obot.obot.ai
- users.obot.obot.ai
- identities.obot.obot.ai
Expand Down
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ require (
github.com/containerd/errdefs v1.0.0
github.com/docker/go-connections v0.6.0
github.com/fatih/color v1.18.0
github.com/glebarez/sqlite v1.11.0
github.com/go-git/go-billy/v5 v5.8.0
github.com/go-git/go-git/v5 v5.17.0
github.com/gobwas/glob v0.2.3
Expand All @@ -36,7 +37,7 @@ require (
github.com/gptscript-ai/chat-completion-client v0.0.0-20250224164718-139cb4507b1d
github.com/gptscript-ai/cmd v0.0.0-20250530150401-bc71fddf8070
github.com/gptscript-ai/go-gptscript v0.9.9-0.20260205140523-98f64d42d2ee
github.com/gptscript-ai/gptscript v0.9.10-0.20260507143209-6761bb8f98e8
github.com/gptscript-ai/gptscript v0.9.10-0.20260522151821-b374bab0897c
github.com/jackc/pgx/v5 v5.9.1
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
github.com/moby/moby/api v1.52.0-alpha.1
Expand Down Expand Up @@ -185,7 +186,6 @@ require (
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/getkin/kin-openapi v0.132.0 // indirect
github.com/glebarez/go-sqlite v1.22.0 // indirect
github.com/glebarez/sqlite v1.11.0 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -470,8 +470,8 @@ github.com/gptscript-ai/cmd v0.0.0-20250530150401-bc71fddf8070 h1:xm5ZZFraWFwxyE
github.com/gptscript-ai/cmd v0.0.0-20250530150401-bc71fddf8070/go.mod h1:DJAo1xTht1LDkNYFNydVjTHd576TC7MlpsVRl3oloVw=
github.com/gptscript-ai/go-gptscript v0.9.9-0.20260205140523-98f64d42d2ee h1:8+510/jOqfLZ7l3c25TMtkKn33PQBEzuNiIt4XbJ7DY=
github.com/gptscript-ai/go-gptscript v0.9.9-0.20260205140523-98f64d42d2ee/go.mod h1:8JGZNO+x4tkTrkT1q5PMrVCKY2AcnS/Ru8WCNvzLYIg=
github.com/gptscript-ai/gptscript v0.9.10-0.20260507143209-6761bb8f98e8 h1:3umvmDb2cWxAfFlcw8iQpVtiU0FgsJ0WDuej2QHXJQY=
github.com/gptscript-ai/gptscript v0.9.10-0.20260507143209-6761bb8f98e8/go.mod h1:uAs+TqMwCcTY+CftVfK89M4X7GYkjYZKGmL1v4sJ5wc=
github.com/gptscript-ai/gptscript v0.9.10-0.20260522151821-b374bab0897c h1:6FvlvAi5CcCTXfREkhAnpE8RuC9IJpP+rJjIIVk2hb4=
github.com/gptscript-ai/gptscript v0.9.10-0.20260522151821-b374bab0897c/go.mod h1:uAs+TqMwCcTY+CftVfK89M4X7GYkjYZKGmL1v4sJ5wc=
github.com/gptscript-ai/tui v0.0.0-20250419050840-5e79e16786c9 h1:wQC8sKyeGA50WnCEG+Jo5FNRIkuX3HX8d3ubyWCCoI8=
github.com/gptscript-ai/tui v0.0.0-20250419050840-5e79e16786c9/go.mod h1:iwHxuueg2paOak7zIg0ESBWx7A0wIHGopAratbgaPNY=
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
Expand Down
8 changes: 8 additions & 0 deletions pkg/api/authz/authz.go
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,14 @@ var (
// API Key authentication webhook (called by nanobot shim)
// This endpoint validates the API key passed in the header
"POST /api/api-keys/auth",

// Since these are temporary and only the credstore token is allowed to access,
// then auth is handled in the handler.
"GET /api/credentials/tool.gpt",
"POST /api/credentials/store",
"POST /api/credentials/get",
"POST /api/credentials/list",
"POST /api/credentials/erase",
Comment thread
thedadams marked this conversation as resolved.
},

types.GroupBasic: {
Expand Down
14 changes: 7 additions & 7 deletions pkg/api/handlers/auditlogexport.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,23 @@ import (
"errors"
"fmt"

"github.com/gptscript-ai/go-gptscript"
"github.com/obot-platform/obot/apiclient/types"
"github.com/obot-platform/obot/pkg/api"
"github.com/obot-platform/obot/pkg/auditlogexport"
gateway "github.com/obot-platform/obot/pkg/gateway/client"
v1 "github.com/obot-platform/obot/pkg/storage/apis/obot.obot.ai/v1"
"github.com/obot-platform/obot/pkg/system"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
)

type AuditLogExportHandler struct {
credProvider *auditlogexport.GPTScriptCredentialProvider
credProvider *auditlogexport.CredentialProvider
}

func NewAuditLogExportHandler(gptClient *gptscript.GPTScript) *AuditLogExportHandler {
func NewAuditLogExportHandler(gatewayClient *gateway.Client) *AuditLogExportHandler {
return &AuditLogExportHandler{
credProvider: auditlogexport.NewGPTScriptCredentialProvider(gptClient),
credProvider: auditlogexport.NewCredentialProvider(gatewayClient),
}
}

Expand Down Expand Up @@ -282,9 +282,9 @@ func (h *AuditLogExportHandler) ConfigureStorageCredentials(req api.Context) err
// GetStorageCredentials gets the storage provider credentials
func (h *AuditLogExportHandler) GetStorageCredentials(req api.Context) error {
storageConfig, err := h.credProvider.GetStorageConfig(req.Context())
if err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
if err != nil && !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to get storage credentials: %w", err)
} else if errors.As(err, &gptscript.ErrNotFound{}) {
} else if errors.As(err, &gateway.CredentialNotFoundError{}) {
return types.NewErrNotFound("storage credentials not found")
}

Expand Down Expand Up @@ -347,7 +347,7 @@ func (h *AuditLogExportHandler) TestStorageCredentials(req api.Context) error {
// when using test credentials, if user doesn't provide secret, use the existing secret
var existingStorageConfig types.StorageConfig
storageConfig, err := h.credProvider.GetStorageConfig(req.Context())
if err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
if err != nil && !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to get storage credentials: %w", err)
} else if err == nil {
existingStorageConfig = *storageConfig
Expand Down
42 changes: 21 additions & 21 deletions pkg/api/handlers/authprovider.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,12 @@ import (
"errors"
"fmt"

"github.com/gptscript-ai/go-gptscript"
"github.com/obot-platform/obot/apiclient/types"
"github.com/obot-platform/obot/pkg/api"
"github.com/obot-platform/obot/pkg/api/handlers/providers"
gateway "github.com/obot-platform/obot/pkg/gateway/client"
"github.com/obot-platform/obot/pkg/gateway/server/dispatcher"
gatewaytypes "github.com/obot-platform/obot/pkg/gateway/types"
v1 "github.com/obot-platform/obot/pkg/storage/apis/obot.obot.ai/v1"
"github.com/obot-platform/obot/pkg/system"
"github.com/tidwall/gjson"
Expand Down Expand Up @@ -54,11 +55,11 @@ func (ap *AuthProviderHandler) ByID(req api.Context) error {
return err
}
if len(aps.RequiredConfigurationParameters) > 0 {
cred, err := req.GPTClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
cred, err := req.GatewayClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil && !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to reveal credential for auth provider %q: %w", ref.Name, err)
} else if err == nil {
credEnvVars = cred.Env
credEnvVars = cred.Secrets
}
}
}
Expand Down Expand Up @@ -97,7 +98,7 @@ func (ap *AuthProviderHandler) listAuthProviders(req api.Context) ([]types.AuthP
}
credCtxs = append(credCtxs, system.GenericAuthProviderCredentialContext)

creds, err := req.GPTClient.ListCredentials(req.Context(), gptscript.ListCredentialsOptions{
creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
CredentialContexts: credCtxs,
})
if err != nil {
Expand All @@ -106,7 +107,7 @@ func (ap *AuthProviderHandler) listAuthProviders(req api.Context) ([]types.AuthP

credMap := make(map[string]map[string]string, len(creds))
for _, cred := range creds {
credMap[cred.Context+cred.ToolName] = cred.Env
credMap[cred.Context+cred.Name] = cred.Secrets
}

resp := make([]types.AuthProvider, 0, len(refList.Items))
Expand Down Expand Up @@ -157,12 +158,12 @@ func (ap *AuthProviderHandler) Configure(req api.Context) error {
envVars[providers.CookieSecretEnvVar] = cookieSecret

// Allow for updating credentials. The only way to update a credential is to delete the existing one and recreate it.
cred, err := req.GPTClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
cred, err := req.GatewayClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil {
if !errors.As(err, &gptscript.ErrNotFound{}) {
if !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to find credential: %w", err)
}
} else if err = req.GPTClient.DeleteCredential(req.Context(), cred.Context, ref.Name); err != nil {
} else if _, err = req.GatewayClient.DeleteCredential(req.Context(), cred.Context, ref.Name); err != nil {
return fmt.Errorf("failed to remove existing credential: %w", err)
}

Expand All @@ -172,11 +173,10 @@ func (ap *AuthProviderHandler) Configure(req api.Context) error {
}
}

if err := req.GPTClient.CreateCredential(req.Context(), gptscript.Credential{
Context: string(ref.UID),
ToolName: ref.Name,
Type: gptscript.CredentialTypeTool,
Env: envVars,
if err := req.GatewayClient.UpsertCredential(req.Context(), gatewaytypes.Credential{
Context: string(ref.UID),
Name: ref.Name,
Secrets: envVars,
}); err != nil {
return fmt.Errorf("failed to create credential for auth provider %q: %w", ref.Name, err)
}
Expand All @@ -191,7 +191,7 @@ func (ap *AuthProviderHandler) Configure(req api.Context) error {
}
if configuredProvider != "" && configuredProvider != ref.Name {
// Delete the credential we just configured
_ = req.GPTClient.DeleteCredential(req.Context(), string(ref.UID), ref.Name)
_, _ = req.GatewayClient.DeleteCredential(req.Context(), string(ref.UID), ref.Name)
return types.NewErrBadRequest(
"only one authentication provider can be configured at a time. Please deconfigure %q first",
configuredProvider,
Expand Down Expand Up @@ -219,12 +219,12 @@ func (ap *AuthProviderHandler) Deconfigure(req api.Context) error {
return types.NewErrBadRequest("%q is not an auth provider", ref.Name)
}

cred, err := req.GPTClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
cred, err := req.GatewayClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil {
if !errors.As(err, &gptscript.ErrNotFound{}) {
if !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to find credential: %w", err)
}
} else if err = req.GPTClient.DeleteCredential(req.Context(), cred.Context, ref.Name); err != nil {
} else if _, err = req.GatewayClient.DeleteCredential(req.Context(), cred.Context, ref.Name); err != nil {
return fmt.Errorf("failed to remove existing credential: %w", err)
}

Expand Down Expand Up @@ -280,11 +280,11 @@ func (ap *AuthProviderHandler) Reveal(req api.Context) error {
return types.NewErrBadRequest("%q is not an auth provider", ref.Name)
}

cred, err := req.GPTClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
cred, err := req.GatewayClient.RevealCredential(req.Context(), []string{string(ref.UID), system.GenericAuthProviderCredentialContext}, ref.Name)
if err != nil && !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to reveal credential for auth provider %q: %w", ref.Name, err)
} else if err == nil {
return req.Write(cred.Env)
return req.Write(cred.Secrets)
}

return types.NewErrNotFound("no credential found for %q", ref.Name)
Expand Down
16 changes: 8 additions & 8 deletions pkg/api/handlers/availablemodels.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@ import (
"github.com/obot-platform/obot/pkg/api/handlers/providers"

openai "github.com/gptscript-ai/chat-completion-client"
"github.com/gptscript-ai/go-gptscript"
"github.com/obot-platform/obot/apiclient/types"
"github.com/obot-platform/obot/pkg/api"
gateway "github.com/obot-platform/obot/pkg/gateway/client"
"github.com/obot-platform/obot/pkg/gateway/server/dispatcher"
v1 "github.com/obot-platform/obot/pkg/storage/apis/obot.obot.ai/v1"
"github.com/obot-platform/obot/pkg/system"
Expand Down Expand Up @@ -44,7 +44,7 @@ func (a *AvailableModelsHandler) List(req api.Context) error {
credCtxs = append(credCtxs, string(ref.UID))
}

creds, err := req.GPTClient.ListCredentials(req.Context(), gptscript.ListCredentialsOptions{
creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
CredentialContexts: credCtxs,
})
if err != nil {
Expand All @@ -53,7 +53,7 @@ func (a *AvailableModelsHandler) List(req api.Context) error {

credMap := make(map[string]map[string]string, len(creds))
for _, cred := range creds {
credMap[cred.Context+cred.ToolName] = cred.Env
credMap[cred.Context+cred.Name] = cred.Secrets
}

var oModels openai.ModelsList
Expand All @@ -67,7 +67,7 @@ func (a *AvailableModelsHandler) List(req api.Context) error {
continue
}

m, err := a.dispatcher.ModelsForProvider(req.Context(), req.GPTClient, modelProvider.Namespace, modelProvider.Name)
m, err := a.dispatcher.ModelsForProvider(req.Context(), modelProvider.Namespace, modelProvider.Name)
if err != nil {
return err
}
Expand Down Expand Up @@ -104,11 +104,11 @@ func (a *AvailableModelsHandler) ListForModelProvider(req api.Context) error {
var credEnvVars map[string]string
if modelProviderReference.Status.Tool != nil {
if len(modelProvider.RequiredConfigurationParameters) > 0 {
cred, err := req.GPTClient.RevealCredential(req.Context(), credCtxs, modelProviderReference.Name)
if err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
cred, err := req.GatewayClient.RevealCredential(req.Context(), credCtxs, modelProviderReference.Name)
if err != nil && !errors.As(err, &gateway.CredentialNotFoundError{}) {
return fmt.Errorf("failed to reveal credential for model provider %q: %w", modelProviderReference.Name, err)
} else if err == nil {
credEnvVars = cred.Env
credEnvVars = cred.Secrets
}
}
}
Expand All @@ -121,7 +121,7 @@ func (a *AvailableModelsHandler) ListForModelProvider(req api.Context) error {
return types.NewErrBadRequest("model provider %s is not configured, missing configuration parameters: %s", modelProviderReference.Name, strings.Join(modelProvider.MissingConfigurationParameters, ", "))
}

oModels, err := a.dispatcher.ModelsForProvider(req.Context(), req.GPTClient, modelProviderReference.Namespace, modelProviderReference.Name)
oModels, err := a.dispatcher.ModelsForProvider(req.Context(), modelProviderReference.Namespace, modelProviderReference.Name)
if err != nil {
return err
}
Expand Down
Loading
Loading