Skip to content

πŸ¦₯ v0.1.13 – Agent Auth & User Resolver System
Compare
Choose a tag to compare
@KodyKendall KodyKendall released this 16 Jul 00:54
· 17 commits to main since this release
v0.1.13
d8af482

πŸ¦₯ LlamaBot Rails v0.1.13 – Agent Auth & User Resolver System

This release introduces a flexible agent authentication system that seamlessly bridges Devise sessions and agent token workflows. It enables secure, transparent agent execution inside Rails apps β€” with full override capability.

✨ New in v0.1.13

πŸ” Pluggable user_resolver, current_user_resolver, and sign_in_method

Developers can now customize how user context is loaded and set for LlamaBot agent requests:

# config/initializers/llamabot.rb

# How to resolve a User from an agent token payload
LlamabotRails.user_resolver = ->(user_id) {
  User.find_by(id: user_id)
}

# How to resolve the current user from Rack env
LlamabotRails.current_user_resolver = ->(env) {
  env["warden"]&.user
}

# How to sign a user into the session manually
LlamabotRails.sign_in_method = ->(env, user) {
  env["warden"]&.set_user(user)
}

By default, the gem tries to auto-detect Devise and use its default_scope. If Devise is missing, it emits a helpful log message and returns nil, allowing you to override as needed.

πŸ›‘οΈ Unified Agent + User Auth Flow

Includes the new LlamaBotRails::AgentAuth module, which:

  • Adds authenticate_user_or_agent! β€” guards both browser and agent flows
  • Automatically aliases all Devise authenticate_#{scope}! methods to use the new flow
  • Gracefully falls back if Devise isn't installed
  • Rejects agent access to controller actions unless explicitly whitelisted via llama_bot_allow
class PagesController < ApplicationController
  include LlamaBotRails::AgentAuth

  llama_bot_allow :update  # safe opt-in to allow agents to use #update
end

This allows agents to securely call into Rails routes only if:

  • They present a valid LlamaBot token, and
  • The action is explicitly allowlisted

πŸ’‘ Use Cases Enabled

  • Custom authentication flows (e.g., JWT, API keys, session-less agents)
  • Shared sessions between agent and browser users
  • Safe development of agent endpoints without exposing the full app
  • Drop-in Rails integrations for teams not using Devise

🧠 Upgrade Tip

This release deprecates direct use of authenticate_user! for agent-bound routes. All future versions will standardize on authenticate_user_or_agent!.

For Devise apps, this works automatically. For non-Devise apps, override the resolvers in your initializer.

Assets 2
Loading