add script to link OPA secrets to agent and validate OPA configuration

Author: iamspathan

package.json

@@ -32,7 +32,8 @@
     "validate:okta": "tsx scripts/validate-okta-config.ts",
     "validate:opa": "tsx scripts/validate-opa-secrets.ts",
     "rollback:okta": "tsx scripts/rollback-okta-config.ts",
-    "bootstrap:opa": "tsx scripts/setup-opa-secrets.ts",
+    "setup:opa": "tsx scripts/setup-opa-secrets.ts",
+    "link:opa": "tsx scripts/link-opa-secrets.ts",
     "typecheck:scripts": "tsc --project scripts/tsconfig.json --noEmit"
   },
   "keywords": [],

packages/agent0/src/agent.ts

@@ -145,11 +145,24 @@ function validateAgentLLMEnv(): AgentLLMConfig {
 
   // Error if neither provider is configured
   if (!hasAnthropicKey && !hasBedrockVars) {
-    console.error('❌ Environment configuration error in .env.agent');
-    console.error('   No LLM provider configured');
-    console.error('   Please configure one LLM provider:');
-    console.error('   - For Anthropic: Set ANTHROPIC_API_KEY and ANTHROPIC_MODEL');
-    console.error('   - For Bedrock: Set AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, BEDROCK_MODEL_ID');
+    console.error('❌ No LLM credentials configured\n');
+    console.error('   You have two options to configure LLM credentials:\n');
+    console.error('   Option 1: Direct Mode (simple, credentials in .env.agent)');
+    console.error('   ─────────────────────────────────────────────────────────');
+    console.error('   For Anthropic:');
+    console.error('     ANTHROPIC_API_KEY=sk-ant-...');
+    console.error('     ANTHROPIC_MODEL=claude-sonnet-4-20250514\n');
+    console.error('   For AWS Bedrock:');
+    console.error('     AWS_REGION=us-east-1');
+    console.error('     AWS_ACCESS_KEY_ID=AKIA...');
+    console.error('     AWS_SECRET_ACCESS_KEY=...');
+    console.error('     BEDROCK_MODEL_ID=anthropic.claude-3-sonnet-20240229-v1:0\n');
+    console.error('   Option 2: OPA Mode (secure, credentials from Okta PAM)');
+    console.error('   ─────────────────────────────────────────────────────────');
+    console.error('   Requires .env.opa with:');
+    console.error('     OPA_LLM_PROVIDER=anthropic');
+    console.error('     OPA_ANTHROPIC_API_KEY_ORN=orn:okta:pam:{orgId}:secrets:{secretId}\n');
+    console.error('   Run: pnpm run setup:opa (then link secrets to agent)\n');
     process.exit(1);
   }
 
@@ -263,23 +276,18 @@ export function isLLMConfigInitialized(): boolean {
   return llmConfigInitialized;
 }
 
-// Try synchronous initialization at module load (for backwards compatibility)
-// This will only work if env vars are set and OPA is not configured
-// Try synchronous initialization from env vars at module load
-// OPA credentials are fetched per-user-session, so we don't init them here
-try {
-  if (!isOPAConfigured()) {
-    // No OPA configured, must use env vars
-    llmConfig = validateAgentLLMEnv();
-    llmConfigSource = 'env';
-    llmConfigInitialized = true;
-  }
-  // If OPA is configured, credentials will be fetched in getAgentForUserContext()
-} catch {
-  // If env var init fails and OPA is configured, that's fine - will use OPA per-session
-  if (!isOPAConfigured()) {
-    console.error('LLM configuration failed - no env vars configured and OPA not available');
-  }
+// Initialize LLM configuration at module load
+// OPA credentials are fetched per-user-session, env vars are loaded at startup
+if (isOPAConfigured()) {
+  // OPA mode: credentials will be fetched per-user via token exchange
+  console.log('🔐 OPA mode enabled - LLM credentials will be fetched per-user session');
+  llmConfigInitialized = true;
+  llmConfigSource = 'opa';
+} else {
+  // Direct mode: validate and load env vars now
+  llmConfig = validateAgentLLMEnv();
+  llmConfigSource = 'env';
+  llmConfigInitialized = true;
 }
 
 // ============================================================================
@@ -373,15 +381,12 @@ function buildAgentConfig(): Omit<AgentConfig, 'idToken' | 'userContext'> | null
 }
 
 export async function getAgentForUserContext(idToken: string, userContext: UserContext): Promise<Agent> {
-  // Try OPA token exchange for credential retrieval (per-user-session)
+  // OPA mode: fetch credentials via token exchange (per-user-session)
   if (isOPAConfigured()) {
-    console.log('\n🔐 OPA secret management detected, fetching credentials via token exchange...');
-
     try {
       const opaCredentials = await fetchLLMCredentialsFromOPA(idToken);
 
       if (opaCredentials) {
-        // Build config from OPA credentials
         const baseConfig = {
           mcpServerUrl: process.env.MCP_SERVER_URL || '',
           name: 'agent0',
@@ -412,7 +417,6 @@ export async function getAgentForUserContext(idToken: string, userContext: UserC
         }
 
         llmConfigSource = 'opa';
-        console.log('✅ Agent configured with OPA credentials');
         return new Agent(agentConfig);
       }
     } catch (error: any) {

scripts/bootstrap-okta-tenant.js

@@ -5,7 +5,7 @@ import ora from 'ora';
 import * as path from 'path';
 import { OktaAPIClient } from './lib/okta-api.js';
 import { generateRSAKeyPair, savePrivateKey } from './lib/key-generator.js';
-import { generateAgent0AppEnv, generateAgent0AgentEnv, generateTodo0AppEnv, generateTodo0McpEnv, writeEnvFile, writeConfigReport, } from './lib/env-writer.js';
+import { generateAgent0AppEnv, generateAgent0AgentEnv, generateTodo0AppEnv, generateTodo0McpEnv, generateOpaEnvStub, writeEnvFile, writeConfigReport, } from './lib/env-writer.js';
 import { loadRollbackState, updateRollbackState, } from './lib/state-manager.js';
 import { AgentIdentityAPIClient, convertPublicKeyToJWK, constructAuthServerORN, } from './lib/agent-identity-api.js';
 /**
@@ -300,9 +300,9 @@ async function bootstrap() {
             const connection = await agentClient.createConnection(agentIdentityId, {
                 connectionType: 'IDENTITY_ASSERTION_CUSTOM_AS',
                 authorizationServer: {
-                    orn: authServerOrn,
-                    resourceIndicator: config.mcpAudience,
+                    orn: authServerOrn
                 },
+                resourceIndicator: config.mcpAudience,
                 scopeCondition: 'INCLUDE_ONLY',
                 scopes: mcpScopes,
             });
@@ -378,8 +378,126 @@ async function bootstrap() {
         else {
             spinner.succeed(`Trusted origins configured (${createdOrigins.length} created, ${origins.length - createdOrigins.length} already existed)`);
         }
-        // Step 13: Generate Configuration Files
-        console.log(chalk.bold('\n📋 Step 13: Generating Configuration Files'));
+        // Step 13: Configure LLM Credentials
+        console.log(chalk.bold('\n📋 Step 13: Configure LLM Credentials'));
+        const llmModeAnswer = await prompts({
+            type: 'select',
+            name: 'mode',
+            message: 'How would you like to configure LLM credentials?',
+            choices: [
+                {
+                    title: 'Environment Variables (Simple)',
+                    value: 'env',
+                    description: 'Store API key in .env.agent file',
+                },
+                {
+                    title: 'Okta Privileged Access (Secure)',
+                    value: 'opa',
+                    description: 'Fetch credentials from OPA vault per user session',
+                },
+                {
+                    title: 'Skip (Manual Setup)',
+                    value: 'skip',
+                    description: 'Configure .env.agent or .env.opa later',
+                },
+            ],
+            initial: 0,
+        });
+        let llmConfig = { provider: 'skip' };
+        if (llmModeAnswer.mode === 'env') {
+            // Direct environment variable mode
+            const providerAnswer = await prompts({
+                type: 'select',
+                name: 'provider',
+                message: 'Which LLM provider?',
+                choices: [
+                    { title: 'Anthropic (Claude)', value: 'anthropic' },
+                    { title: 'AWS Bedrock', value: 'bedrock' },
+                ],
+            });
+            if (providerAnswer.provider === 'anthropic') {
+                const anthropicAnswers = await prompts([
+                    {
+                        type: 'password',
+                        name: 'apiKey',
+                        message: 'Anthropic API Key:',
+                        validate: (v) => (v && v.startsWith('sk-ant-')) || 'API key must start with sk-ant-',
+                    },
+                    {
+                        type: 'text',
+                        name: 'model',
+                        message: 'Model ID:',
+                        initial: 'claude-sonnet-4-20250514',
+                    },
+                ]);
+                llmConfig = {
+                    provider: 'anthropic',
+                    apiKey: anthropicAnswers.apiKey,
+                    model: anthropicAnswers.model,
+                };
+            }
+            else if (providerAnswer.provider === 'bedrock') {
+                const bedrockAnswers = await prompts([
+                    {
+                        type: 'text',
+                        name: 'region',
+                        message: 'AWS Region:',
+                        initial: 'us-east-1',
+                    },
+                    {
+                        type: 'password',
+                        name: 'accessKeyId',
+                        message: 'AWS Access Key ID:',
+                        validate: (v) => !!v || 'Required',
+                    },
+                    {
+                        type: 'password',
+                        name: 'secretAccessKey',
+                        message: 'AWS Secret Access Key:',
+                        validate: (v) => !!v || 'Required',
+                    },
+                    {
+                        type: 'password',
+                        name: 'sessionToken',
+                        message: 'AWS Session Token (optional, press Enter to skip):',
+                    },
+                    {
+                        type: 'text',
+                        name: 'modelId',
+                        message: 'Bedrock Model ID:',
+                        initial: 'anthropic.claude-3-sonnet-20240229-v1:0',
+                    },
+                ]);
+                llmConfig = {
+                    provider: 'bedrock',
+                    region: bedrockAnswers.region,
+                    accessKeyId: bedrockAnswers.accessKeyId,
+                    secretAccessKey: bedrockAnswers.secretAccessKey,
+                    sessionToken: bedrockAnswers.sessionToken || undefined,
+                    modelId: bedrockAnswers.modelId,
+                };
+            }
+        }
+        else if (llmModeAnswer.mode === 'opa') {
+            // OPA mode - ask which provider they'll use
+            const opaProviderAnswer = await prompts({
+                type: 'select',
+                name: 'llmProvider',
+                message: 'Which LLM provider will you store in OPA?',
+                choices: [
+                    { title: 'Anthropic (Claude)', value: 'anthropic' },
+                    { title: 'AWS Bedrock', value: 'bedrock' },
+                ],
+            });
+            llmConfig = {
+                provider: 'opa',
+                llmProvider: opaProviderAnswer.llmProvider,
+            };
+        }
+        // Store LLM config for env generation
+        bootstrapConfig.llmConfig = llmConfig;
+        // Step 14: Generate Configuration Files
+        console.log(chalk.bold('\n📋 Step 14: Generating Configuration Files'));
         spinner = ora('Writing .env files...').start();
         const agent0AppEnv = generateAgent0AppEnv(bootstrapConfig);
         writeEnvFile('packages/agent0/.env.app', agent0AppEnv);
@@ -389,16 +507,35 @@ async function bootstrap() {
         writeEnvFile('packages/todo0/.env.app', todo0AppEnv);
         const todo0McpEnv = generateTodo0McpEnv(bootstrapConfig);
         writeEnvFile('packages/todo0/.env.mcp', todo0McpEnv);
+        // Generate .env.opa stub if OPA mode selected
+        if (llmConfig.provider === 'opa') {
+            const opaEnvStub = generateOpaEnvStub(llmConfig.llmProvider);
+            writeEnvFile('packages/agent0/.env.opa', opaEnvStub);
+        }
         writeConfigReport(bootstrapConfig);
         spinner.succeed('Configuration files generated');
         // Success!
         console.log(chalk.bold.green('\n✅ Bootstrap Complete!\n'));
-        console.log('Next steps:');
-        console.log(`  1. ${chalk.cyan('pnpm install')} - Install dependencies`);
-        console.log(`  2. ${chalk.cyan('pnpm run bootstrap')} - Bootstrap database`);
-        console.log(`  3. ${chalk.cyan('pnpm run start:todo0')} - Start REST API`);
-        console.log(`  4. ${chalk.cyan('pnpm run start:mcp')} - Start MCP Server`);
-        console.log(`  5. ${chalk.cyan('pnpm run start:agent0')} - Start Agent`);
+        if (llmConfig.provider === 'opa') {
+            // OPA mode - show OPA-specific next steps
+            console.log(chalk.bold('Next steps for OPA mode:\n'));
+            console.log(`  ${chalk.cyan('1.')} ${chalk.white('pnpm install')} - Install dependencies`);
+            console.log(`  ${chalk.cyan('2.')} ${chalk.white('pnpm run bootstrap')} - Bootstrap database`);
+            console.log(`  ${chalk.cyan('3.')} ${chalk.yellow('pnpm run setup:opa')} - Create secrets in OPA vault`);
+            console.log(`  ${chalk.cyan('4.')} ${chalk.yellow('pnpm run link:opa')} - Connect agent to OPA secrets`);
+            console.log(`  ${chalk.cyan('5.')} ${chalk.white('pnpm run dev')} - Start all services`);
+            console.log(chalk.gray('\n  Note: Steps 3-4 configure OPA secret management'));
+        }
+        else {
+            // Direct mode or skip - show standard next steps
+            console.log('Next steps:');
+            console.log(`  1. ${chalk.cyan('pnpm install')} - Install dependencies`);
+            console.log(`  2. ${chalk.cyan('pnpm run bootstrap')} - Bootstrap database`);
+            console.log(`  3. ${chalk.cyan('pnpm run dev')} - Start all services`);
+            if (llmConfig.provider === 'skip') {
+                console.log(chalk.yellow('\n  ⚠️  Remember to configure LLM credentials in .env.agent'));
+            }
+        }
         console.log(`\n  Optional: ${chalk.cyan('pnpm run validate:okta')} - Validate configuration`);
         console.log(`\n📄 See ${chalk.cyan('okta-config-report.md')} for detailed configuration\n`);
     }