Module auth_generator 

Dynamic credential generator — produces short-lived auth tokens at call time.

Generators run where secrets live: on the proxy server in proxy mode, on the local machine in local mode. Signing keys never enter the sandbox.

Two generator types:

• command: runs an external command, captures stdout
• script: writes an inline script to a temp file, runs via interpreter

Results are cached per (provider, agent_sub) with configurable TTL.

Structs

AuthCache

TTL-based credential cache, keyed by (provider_name, agent_sub, token_fingerprint).

GenContext

Context for expanding ${VAR} placeholders in generator args/env.

GeneratedCredential

Result of running a generator — primary token + optional extra injections.

Enums

AuthGenError

Functions

generate

Generate a credential by running the provider’s auth_generator.

token_fingerprint

SHA-256 of token, truncated to 16 hex chars. Empty input → empty fingerprint (intentional — sentinel for “no inbound bearer” so all the no-bearer paths share one cache slot per (provider, sub)).