feat: parse PEM bundle in GenerateCertificate and add --private-key flag

cmd/start.go

@@ -2,13 +2,21 @@ package cmd
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
 	"fmt"
+	"net/http"
 	"os"
 	"os/signal"
 	"runtime/debug"
+	"strings"
+	"sync"
 	"syscall"
 	"time"
 
+	"github.com/agentuity/go-common/gravity/provider"
 	_logger "github.com/agentuity/go-common/logger"
 	cnet "github.com/agentuity/go-common/network"
 	csys "github.com/agentuity/go-common/sys"
@@ -56,20 +64,48 @@ var rootCmd = &cobra.Command{
 		localPort, _ := flags.GetInt("port")
 		orgID, _ := flags.GetString("org-id")
 		projectID, _ := flags.GetString("project-id")
-		token, _ := flags.GetString("token")
+		maybePrivateKey, _ := flags.GetString("private-key")
 		endpointID, _ := flags.GetString("endpoint-id")
 		gravityUrl, _ := flags.GetString("url")
 		healthCheck, _ := flags.GetBool("health-check")
+		token, _ := flags.GetString("token")
+
+		if token != "" {
+			logger.Fatal("The --token flag is no longer supported. Please update your Agentuity CLI to the latest version.")
+		}
 
 		ipv4addr, err := utils.GetPrivateIPv4()
 		if err != nil {
 			logger.Fatal("failed to get private IPv4: %v", err)
 		}
 
+		privateKeyPEM, err := loadPrivateKeyPEM(maybePrivateKey)
+		if err != nil {
+			logger.Fatal("failed to load private key: %v", err)
+		}
+
+		block, _ := pem.Decode(privateKeyPEM)
+		if block == nil {
+			logger.Fatal("no PEM block found in --private-key")
+		}
+		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			// Try SEC 1/EC format as fallback
+			key, err = x509.ParseECPrivateKey(block.Bytes)
+			if err != nil {
+				logger.Fatal("failed to parse private key: %v (pem length: %d)", err, len(privateKeyPEM))
+			}
+		}
+		privateKey, ok := key.(*ecdsa.PrivateKey)
+		if !ok {
+			logger.Fatal("private key is not an ECDSA key")
+		}
+
 		agent := stack.AgentMetadata{
 			OrgID:      orgID,
 			ProjectID:  projectID,
 			InstanceID: endpointID,
+			PrivateKey: privateKey,
 		}
 
 		ipv6Address := cnet.NewIPv6Address(cnet.GetRegion(""), cnet.NetworkHadron, agent.OrgID, agent.InstanceID, ipv4addr)
@@ -83,32 +119,42 @@ var rootCmd = &cobra.Command{
 			IPv6Addr:  ipv6Address.String(),
 			LocalPort: localPort,
 			ProxyPort: proxyPort,
-			Token:     token,
 			URL:       gravityUrl,
 			Version:   version,
 		}
 
-		provResp, err := stack.ProvisionGravity(ctx, logger, agent, urls)
-		if err != nil {
-			logger.Fatal("failed to provision gravity: %v", err)
-		}
-		tlsConfig, err := stack.GenerateCertificate(ctx, logger, provResp)
-		if err != nil {
-			logger.Fatal("failed to generate certificate: %v", err)
-		}
-		server, err := stack.StartServer(ctx, logger, tlsConfig, urls)
-		if err != nil {
-			logger.Fatal("failed to start server: %v", err)
-		}
-
 		netStack, linkEP, err := stack.CreateNetworkStack(logger, urls)
 		if err != nil {
 			logger.Fatal("failed to create network stack: %v", err)
 		}
 		defer netStack.Close()
 		defer linkEP.Close()
 
-		provider, client, err := stack.CreateNetworkProvider(ctx, logger, linkEP, provResp, urls, agent)
+		var server *http.Server
+		var serverMu sync.Mutex
+		provider, client, err := stack.CreateNetworkProvider(ctx, logger, linkEP, urls, agent, func(c *provider.Configuration) error {
+			serverMu.Lock()
+			oldServer := server
+			server = nil
+			serverMu.Unlock()
+			if oldServer != nil {
+				if err := oldServer.Shutdown(ctx); err != nil {
+					logger.Error("failed to shutdown server: %v", err)
+				}
+			}
+			tlsConfig, err := stack.GenerateCertificate(ctx, logger, c.MachineCertBundle)
+			if err != nil {
+				return fmt.Errorf("failed to generate certificate: %w", err)
+			}
+			newServer, err := stack.StartServer(ctx, logger, tlsConfig, urls)
+			if err != nil {
+				return fmt.Errorf("failed to start server: %w", err)
+			}
+			serverMu.Lock()
+			server = newServer
+			serverMu.Unlock()
+			return nil
+		})
 		if err != nil {
 			logger.Fatal("failed to create network provider: %v", err)
 		}
@@ -161,8 +207,14 @@ var rootCmd = &cobra.Command{
 
 		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer shutdownCancel()
-		if err := server.Shutdown(shutdownCtx); err != nil {
-			logger.Error("error shutting down proxy server: %v", err)
+		serverMu.Lock()
+		serverToShutdown := server
+		server = nil
+		serverMu.Unlock()
+		if serverToShutdown != nil {
+			if err := serverToShutdown.Shutdown(shutdownCtx); err != nil {
+				logger.Error("error shutting down proxy server: %v", err)
+			}
 		}
 	},
 }
@@ -202,12 +254,52 @@ func init() {
 	rootCmd.Flags().IntP("port", "p", 3500, "Local port for the proxy")
 	rootCmd.Flags().StringP("org-id", "o", os.Getenv("AGENTUITY_CLOUD_ORG_ID"), "Organization ID")
 	rootCmd.Flags().StringP("project-id", "i", os.Getenv("AGENTUITY_CLOUD_PROJECT_ID"), "Project ID")
-	rootCmd.Flags().StringP("token", "t", os.Getenv("AGENTUITY_SDK_KEY"), "Project SDK Key")
+	rootCmd.Flags().StringP("token", "t", "", "Deprecated")
 	rootCmd.Flags().StringP("endpoint-id", "e", "", "The endpoint id")
 	rootCmd.Flags().StringP("url", "u", "grpc://devmode.agentuity.com", "The gravity url")
 	rootCmd.Flags().String("log-level", "", "The log level to use")
 	rootCmd.Flags().Bool("health-check", false, "Enable health check server for heartbeat monitoring")
+	rootCmd.Flags().String("private-key", "", "EC private key for authentication (PEM string, base64-encoded PEM, or file path)")
 
 	// Mark required flags that must be passed in
 	rootCmd.MarkFlagRequired("endpoint-id")
+	rootCmd.MarkFlagRequired("private-key")
+}
+
+// loadPrivateKeyPEM loads a private key from various formats:
+// - PEM-encoded string (starts with "-----BEGIN")
+// - Base64-encoded PEM
+// - File path containing PEM data
+func loadPrivateKeyPEM(input string) ([]byte, error) {
+	if input == "" {
+		return nil, fmt.Errorf("private key is required")
+	}
+
+	// Check if it's already PEM format
+	if strings.HasPrefix(strings.TrimSpace(input), "-----BEGIN") {
+		return []byte(input), nil
+	}
+
+	// Check if it's a file path
+	if data, err := os.ReadFile(input); err == nil {
+		if strings.HasPrefix(strings.TrimSpace(string(data)), "-----BEGIN") {
+			return data, nil
+		}
+		// File contains base64
+		decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(data)))
+		if err == nil && strings.HasPrefix(string(decoded), "-----BEGIN") {
+			return decoded, nil
+		}
+		return nil, fmt.Errorf("file does not contain valid PEM or base64-encoded PEM")
+	}
+
+	// Try base64 decode
+	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(input))
+	if err != nil {
+		return nil, fmt.Errorf("input is not valid PEM, base64, or file path: %w", err)
+	}
+	if !strings.HasPrefix(string(decoded), "-----BEGIN") {
+		return nil, fmt.Errorf("base64-decoded content is not valid PEM")
+	}
+	return decoded, nil
 }

go.mod

@@ -1,9 +1,9 @@
 module github.com/agentuity/gravity
 
-go 1.25.4
+go 1.25.5
 
 require (
-	github.com/agentuity/go-common v1.0.127
+	github.com/agentuity/go-common v1.0.142
 	github.com/spf13/cobra v1.10.1
 	gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe
 )
@@ -51,7 +51,3 @@ require (
 	google.golang.org/grpc v1.76.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 )
-
-replace github.com/agentuity/cli => ..
-
-replace pkg.agentuity.com/cloud/go => github.com/agentuity/go-common v1.0.111

go.sum

@@ -1,5 +1,5 @@
-github.com/agentuity/go-common v1.0.127 h1:KW1QJHtVizlyTqqq4LEmCnpJl9q0ZzlwxjFnDgjFMzM=
-github.com/agentuity/go-common v1.0.127/go.mod h1:C6bHmnDizFTbkB0jL7m3YVJTcaPKfc5bRRIYEva4ZTQ=
+github.com/agentuity/go-common v1.0.142 h1:hcrf9y0pYSne47B1ReM+VZdhuAJxDmJn1mM1VXiBemw=
+github.com/agentuity/go-common v1.0.142/go.mod h1:rvM6VhfltrwrfbjKjNToBQ7kNx3lR6955+n/G1C8soM=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cockroachdb/errors v1.12.0 h1:d7oCs6vuIMUQRVbi6jWWWEJZahLCfJpnJSVobd1/sUo=

internal/stack/certs.go

@@ -0,0 +1,70 @@
+package stack
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/agentuity/go-common/logger"
+)
+
+const gravityPublicCACertProd = `-----BEGIN CERTIFICATE-----
+MIIBvDCCAWKgAwIBAgIIQpGyfo9xbKUwCgYIKoZIzj0EAwIwQjELMAkGA1UEBhMC
+VVMxFzAVBgNVBAoTDkFnZW50dWl0eSwgSW5jMRowGAYDVQQDExFBZ2VudHVpdHkg
+Um9vdCBDQTAeFw0yNTA4MjgyMDAyNDJaFw0zNTA4MjgyMTAyNDJaMEIxCzAJBgNV
+BAYTAlVTMRcwFQYDVQQKEw5BZ2VudHVpdHksIEluYzEaMBgGA1UEAxMRQWdlbnR1
+aXR5IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuQLIe47OC2EtE
+3cwkXJ3siuBeoi5FuJ5wmny1BqA60FrHqHnCiYHIZSyv79WvGs6NAxlJsCQbBtcE
+FNvrFfUso0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+HQ4EFgQURmQweSNnxsTZ/ckG+A08IW7S+fwwCgYIKoZIzj0EAwIDSAAwRQIhAJzN
+k5ZrKQPMCAEh1zBuUbWTcuRCnqdk583gcCBkUo58AiBny+nX/KLE46z1B1NK8qg9
+/K75YibTFYFFQAXMF10aNg==
+-----END CERTIFICATE-----`
+
+const gravityPublicCACertDev = `-----BEGIN CERTIFICATE-----
+MIIBtTCCAVugAwIBAgIBATAKBggqhkjOPQQDAjBCMQswCQYDVQQGEwJVUzEXMBUG
+A1UEChMOQWdlbnR1aXR5LCBJbmMxGjAYBgNVBAMTEUFnZW50dWl0eSBSb290IENB
+MB4XDTI1MDgyNzIwNTIxM1oXDTM1MDgyNzIxNTIxM1owQjELMAkGA1UEBhMCVVMx
+FzAVBgNVBAoTDkFnZW50dWl0eSwgSW5jMRowGAYDVQQDExFBZ2VudHVpdHkgUm9v
+dCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMleqtFE+8V/nC2eUEOEkfX+
+SZDT9+QSIr2B2HoCllDVnyzOKZFGxURvr90dKa/SUiwfS6LjZp6xNUv2gP7GOIWj
+QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSg
+O9ViNhPYNISETcjqCsgs+TN80TAKBggqhkjOPQQDAgNIADBFAiAPcCANK2aU/Q/t
+J4R6Su68r+iGJKpONFOiD3DX3p8oMgIhAI32feTJZwUVkNtjTYBRxoYUdZlyobp1
+lTpZE2H0bHCM
+-----END CERTIFICATE-----
+`
+
+// GravityCACertificate returns the Agentuity gravity CA certificate
+func GravityCACertificate(logger logger.Logger, gravityURL string) string {
+	// Select the appropriate hash based on the API URL
+	if isDevelopmentGravityURL(gravityURL) {
+		logger.Debug("Using development CA")
+		return gravityPublicCACertDev
+	}
+
+	logger.Debug("Using production CA")
+	return gravityPublicCACertProd
+}
+
+// isDevelopmentGravityURL determines if we're in a development environment based on the API URL
+func isDevelopmentGravityURL(apiURL string) bool {
+	parsedURL, err := url.Parse(apiURL)
+	if err != nil {
+		return false
+	}
+
+	// Extract hostname, stripping any port
+	hostname := parsedURL.Hostname()
+
+	// Exact matches for development environments
+	if hostname == "localhost" || hostname == "127.0.0.1" || hostname == "host.docker" {
+		return true
+	}
+
+	// Safe suffix check for agentuity.io domain
+	if hostname == "agentuity.io" || strings.HasSuffix(hostname, ".agentuity.io") {
+		return true
+	}
+
+	return false
+}

internal/stack/gravityClient.go

@@ -17,13 +17,14 @@ type GravityClient struct {
 	logger    logger.Logger
 	config    provider.Configuration
 	Connected chan struct{}
+	onConnect func(*provider.Configuration) error
 }
 
 func (p *GravityClient) Configure(config provider.Configuration) error {
 	p.logger.Debug("configuring provider")
 	p.config = config
 	p.Connected <- struct{}{}
-	return nil
+	return p.onConnect(&config)
 }
 
 func (p *GravityClient) Deprovision(ctx context.Context, resourceID string, reason provider.DeprovisionReason) error {