feat(specs): add forgeSecuredUserToken helper templates and manual tests

- Add agent_studio_helpers.mustache for all 10 non-JS languages
- Wire {{#isAgentStudioClient}} blocks in all api.mustache templates
- Add manual tests for all 11 languages
- Add generation.config.mjs protection for C#, JS __tests__, Scala manual dir

Author: Fluf22

clients/algoliasearch-client-javascript/packages/agent-studio/__tests__/agentStudio.node.test.ts

@@ -0,0 +1,49 @@
+import { createHmac } from 'node:crypto';
+
+import { expect, test } from 'vitest';
+
+import { agentStudioClient } from '../builds/node';
+
+test('forgeSecuredUserToken with default expiry', () => {
+  const client = agentStudioClient('APP_ID', 'API_KEY');
+
+  const token = client.forgeSecuredUserToken({
+    secretKey: 'my-secret-key',
+    secretKeyId: 'my-key-id',
+    userId: 'user-123',
+  });
+
+  const parts = token.split('.');
+  expect(parts).toHaveLength(3);
+
+  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+  expect(header.alg).toBe('HS256');
+  expect(header.typ).toBe('JWT');
+  expect(header.kid).toBe('my-key-id');
+
+  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+  expect(payload.sub).toBe('user-123');
+  const expectedExp = Math.floor(Date.now() / 1000) + 24 * 3600;
+  expect(Math.abs(payload.exp - expectedExp)).toBeLessThan(5);
+
+  const expectedSig = createHmac('sha256', 'my-secret-key')
+    .update(`${parts[0]}.${parts[1]}`)
+    .digest('base64url');
+  expect(parts[2]).toBe(expectedSig);
+});
+
+test('forgeSecuredUserToken with custom expiry', () => {
+  const client = agentStudioClient('APP_ID', 'API_KEY');
+
+  const token = client.forgeSecuredUserToken({
+    secretKey: 'my-secret-key',
+    secretKeyId: 'my-key-id',
+    userId: 'user-456',
+    expiresIn: 3600,
+  });
+
+  const parts = token.split('.');
+  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+  const expectedExp = Math.floor(Date.now() / 1000) + 3600;
+  expect(Math.abs(payload.exp - expectedExp)).toBeLessThan(5);
+});

clients/algoliasearch-client-kotlin/client/src/commonTest/kotlin/com/algolia/client/TestForgeSecuredUserToken.kt

@@ -0,0 +1,59 @@
+package com.algolia.client
+
+import com.algolia.client.api.AgentStudioClient
+import com.algolia.client.extensions.internal.encodeKeySHA256
+import kotlin.io.encoding.Base64
+import kotlin.io.encoding.ExperimentalEncodingApi
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertTrue
+import kotlinx.datetime.Clock
+import kotlinx.serialization.json.Json
+import kotlinx.serialization.json.JsonObject
+import kotlinx.serialization.json.jsonPrimitive
+
+@OptIn(ExperimentalEncodingApi::class)
+class TestForgeSecuredUserToken {
+
+  @Test
+  fun forgeSecuredUserToken() {
+    val client = AgentStudioClient(appId = "appID", apiKey = "apiKey")
+
+    val token = client.forgeSecuredUserToken("my-secret-key", "my-key-id", "user-123")
+
+    val parts = token.split(".")
+    assertEquals(3, parts.size)
+
+    val headerJson = Base64.UrlSafe.decode(parts[0]).decodeToString()
+    val header = Json.decodeFromString<JsonObject>(headerJson)
+    assertEquals("HS256", header["alg"]!!.jsonPrimitive.content)
+    assertEquals("JWT", header["typ"]!!.jsonPrimitive.content)
+    assertEquals("my-key-id", header["kid"]!!.jsonPrimitive.content)
+
+    val payloadJson = Base64.UrlSafe.decode(parts[1]).decodeToString()
+    val payload = Json.decodeFromString<JsonObject>(payloadJson)
+    assertEquals("user-123", payload["sub"]!!.jsonPrimitive.content)
+    val exp = payload["exp"]!!.jsonPrimitive.content.toLong()
+    val expectedExp = Clock.System.now().epochSeconds + 24 * 3600
+    assertTrue(kotlin.math.abs(exp - expectedExp) < 5, "exp $exp should be within 5s of $expectedExp")
+
+    val expectedHmacHex = encodeKeySHA256(key = "my-secret-key", message = "${parts[0]}.${parts[1]}")
+    val actualSigBytes = Base64.UrlSafe.decode(parts[2])
+    val actualSigHex = actualSigBytes.joinToString("") { "%02x".format(it) }
+    assertEquals(expectedHmacHex, actualSigHex)
+  }
+
+  @Test
+  fun forgeSecuredUserTokenCustomExpiry() {
+    val client = AgentStudioClient(appId = "appID", apiKey = "apiKey")
+
+    val token = client.forgeSecuredUserToken("my-secret-key", "my-key-id", "user-456", 3600)
+
+    val parts = token.split(".")
+    val payloadJson = Base64.UrlSafe.decode(parts[1]).decodeToString()
+    val payload = Json.decodeFromString<JsonObject>(payloadJson)
+    val exp = payload["exp"]!!.jsonPrimitive.content.toLong()
+    val expectedExp = Clock.System.now().epochSeconds + 3600
+    assertTrue(kotlin.math.abs(exp - expectedExp) < 5, "exp $exp should be within 5s of $expectedExp")
+  }
+}

config/generation.config.mjs

@@ -31,6 +31,7 @@ export const patterns = [
   '!tests/output/csharp/src/TimeoutIntegrationTests.cs',
   '!tests/output/csharp/src/Utils/**',
   '!tests/output/csharp/src/TransformationOptionsTests.cs',
+  '!tests/output/csharp/src/ForgeSecuredUserTokenTests.cs',
 
   // Dart
   '!clients/algoliasearch-client-dart/**',
@@ -82,6 +83,7 @@ export const patterns = [
   '!clients/algoliasearch-client-javascript/packages/client-common/**',
   '!clients/algoliasearch-client-javascript/packages/logger-console/**',
   '!clients/algoliasearch-client-javascript/packages/algoliasearch/__tests__/**',
+  '!clients/algoliasearch-client-javascript/packages/agent-studio/__tests__/**',
   '!clients/algoliasearch-client-javascript/packages/algoliasearch/vitest.config.ts',
 
   'tests/output/javascript/package.json',
@@ -153,6 +155,8 @@ export const patterns = [
   '!clients/algoliasearch-client-scala/src/main/scala/algoliasearch/config/**',
   '!clients/algoliasearch-client-scala/src/main/scala/algoliasearch/extension/**',
 
+  '!tests/output/scala/src/test/scala/algoliasearch/manual/**',
+
   // Swift
   'clients/algoliasearch-client-swift/**',
   '!clients/algoliasearch-client-swift/*',

templates/csharp/agent_studio_helpers.mustache

@@ -0,0 +1,23 @@
+{{#isAgentStudioClient}}
+      /// <summary>
+      /// Helper: Forges a secured user token (JWT) for Agent Studio authenticated requests.
+      /// </summary>
+      /// <param name="secretKey">The secret key to sign the token with.</param>
+      /// <param name="secretKeyId">The key ID to include in the JWT header (kid).</param>
+      /// <param name="userId">The user identifier to include as the subject (sub) claim.</param>
+      /// <param name="expiresIn">The token expiration in seconds from now. Defaults to 86400 (24 hours).</param>
+      /// <returns>The signed JWT token.</returns>
+      public string ForgeSecuredUserToken(string secretKey, string secretKeyId, string userId, int expiresIn = 86400)
+      {
+          static string Base64UrlEncode(byte[] data) =>
+              Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
+
+          var header = Base64UrlEncode(System.Text.Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\",\"kid\":\"" + secretKeyId + "\"}"));
+          var payload = Base64UrlEncode(System.Text.Encoding.UTF8.GetBytes("{\"sub\":\"" + userId + "\",\"exp\":" + (DateTimeOffset.UtcNow.ToUnixTimeSeconds() + expiresIn) + "}"));
+
+          using var hmac = new System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(secretKey));
+          var signature = Base64UrlEncode(hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(header + "." + payload)));
+
+          return header + "." + payload + "." + signature;
+      }
+{{/isAgentStudioClient}}

templates/csharp/api.mustache

@@ -516,5 +516,9 @@ namespace Algolia.Search.Clients;
 
       {{/supportsAsync}}
       {{/operation}}
+
+      {{#isAgentStudioClient}}
+{{> agent_studio_helpers}}
+      {{/isAgentStudioClient}}
   }
   {{/operations}}

templates/dart/agent_studio_helpers.mustache

@@ -0,0 +1,25 @@
+  /// Helper: Forges a secured user token (JWT) for Agent Studio authenticated requests.
+  ///
+  /// Parameters:
+  /// * [secretKey] The secret key to sign the token with.
+  /// * [secretKeyId] The key ID to include in the JWT header (kid).
+  /// * [userId] The user identifier to include as the subject (sub) claim.
+  /// * [expiresIn] The token expiration in seconds from now. Defaults to 86400 (24 hours).
+  String forgeSecuredUserToken({
+    required String secretKey,
+    required String secretKeyId,
+    required String userId,
+    int expiresIn = 86400,
+  }) {
+    String base64UrlEncode(List<int> data) =>
+        base64Url.encode(data).replaceAll('=', '');
+
+    final header = base64UrlEncode(utf8.encode('{"alg":"HS256","typ":"JWT","kid":"$secretKeyId"}'));
+    final exp = (DateTime.now().millisecondsSinceEpoch ~/ 1000) + expiresIn;
+    final payload = base64UrlEncode(utf8.encode('{"sub":"$userId","exp":$exp}'));
+
+    final hmac = Hmac(sha256, utf8.encode(secretKey));
+    final signature = base64UrlEncode(hmac.convert(utf8.encode('$header.$payload')).bytes);
+
+    return '$header.$payload.$signature';
+  }

templates/dart/api.mustache

@@ -3,6 +3,10 @@
 import 'package:algolia_client_core/algolia_client_core.dart';
 import 'package:{{pubName}}/src/deserialize.dart';
 import 'package:{{pubName}}/src/version.dart';
+{{#isAgentStudioClient}}
+import 'dart:convert';
+import 'package:crypto/crypto.dart';
+{{/isAgentStudioClient}}
 
 {{#operations}}
 {{#imports}}import '{{{.}}}';
@@ -183,6 +187,10 @@ final class {{classname}} implements ApiClient {
   }  
   {{/operation}}
 
+{{#isAgentStudioClient}}
+{{> agent_studio_helpers}}
+{{/isAgentStudioClient}}
+
 {{^isCompositionClient}}
   @Deprecated('This operation has been deprecated, use `customPost` instead')
   Future<Object> post({

templates/go/agent_studio_helpers.mustache

@@ -0,0 +1,34 @@
+/*
+ForgeSecuredUserToken forges a secured user token (JWT) for Agent Studio authenticated requests.
+
+  - secretKey: The secret key to sign the token with.
+  - secretKeyId: The key ID to include in the JWT header (kid).
+  - userId: The user identifier to include as the subject (sub) claim.
+  - opts: Optional request options. Use WithExpiresIn to set a custom expiration (defaults to 24 hours).
+
+@return string - The signed JWT token.
+*/
+func (c *APIClient) ForgeSecuredUserToken(secretKey string, secretKeyId string, userId string, opts ...RequestOption) (string, error) {
+	conf := config{}
+	for _, opt := range opts {
+		opt.apply(&conf)
+	}
+
+	expiresIn := 24 * 3600 // 24 hours
+	if conf.expiresIn > 0 {
+		expiresIn = conf.expiresIn
+	}
+
+	header := base64URLEncode([]byte(fmt.Sprintf(`{"alg":"HS256","typ":"JWT","kid":"%s"}`, secretKeyId)))
+	payload := base64URLEncode([]byte(fmt.Sprintf(`{"sub":"%s","exp":%d}`, userId, time.Now().Unix()+int64(expiresIn))))
+
+	mac := hmac.New(sha256.New, []byte(secretKey))
+	mac.Write([]byte(header + "." + payload))
+	signature := base64URLEncode(mac.Sum(nil))
+
+	return header + "." + payload + "." + signature, nil
+}
+
+func base64URLEncode(data []byte) string {
+	return strings.TrimRight(base64.URLEncoding.EncodeToString(data), "=")
+}

templates/go/api.mustache

@@ -20,6 +20,11 @@ import (
   "slices"
   "sort"
   {{/isSearchClient}}
+  {{#isAgentStudioClient}}
+  "crypto/hmac"
+  "crypto/sha256"
+  "encoding/base64"
+  {{/isAgentStudioClient}}
   "time"
 
   "github.com/algolia/algoliasearch-client-go/v4/algolia/utils"
@@ -64,6 +69,11 @@ type config struct {
   // -- WaitForApiKey options
   apiKey *ApiKey
   {{/isSearchClient}}
+
+  {{#isAgentStudioClient}}
+  // -- ForgeSecuredUserToken options
+  expiresIn int
+  {{/isAgentStudioClient}}
 }
 
 type RequestOption interface {
@@ -254,6 +264,14 @@ func WithApiKey(apiKey *ApiKey) waitForApiKeyOption {
 	})
 }
 
+{{#isAgentStudioClient}}
+func WithExpiresIn(expiresIn int) requestOption {
+	return requestOption(func(c *config) {
+		c.expiresIn = expiresIn
+	})
+}
+{{/isAgentStudioClient}}
+
 // --------- Helper to convert options ---------
 
 func toRequestOptions[T RequestOption](opts []T) []RequestOption {
@@ -575,4 +593,8 @@ func (c *APIClient) {{nickname}}({{#hasParams}}r {{#structPrefix}}{{&classname}}
 {{> helpers}}
 
 {{> ingestion_helpers}}
-{{/isIngestionClient}}
+{{/isIngestionClient}}
+
+{{#isAgentStudioClient}}
+{{> agent_studio_helpers}}
+{{/isAgentStudioClient}}

templates/java/agent_studio_helpers.mustache

@@ -0,0 +1,33 @@
+{{#isAgentStudioClient}}
+/**
+ * Helper: Forges a secured user token (JWT) for Agent Studio authenticated requests.
+ *
+ * @param secretKey The secret key to sign the token with.
+ * @param secretKeyId The key ID to include in the JWT header (kid).
+ * @param userId The user identifier to include as the subject (sub) claim.
+ * @param expiresIn The token expiration in seconds from now. Defaults to 86400 (24 hours).
+ * @return The signed JWT token.
+ */
+public String forgeSecuredUserToken(String secretKey, String secretKeyId, String userId, int expiresIn) {
+  try {
+    String header = base64UrlEncode(String.format("{\"alg\":\"HS256\",\"typ\":\"JWT\",\"kid\":\"%s\"}", secretKeyId).getBytes(java.nio.charset.StandardCharsets.UTF_8));
+    String payload = base64UrlEncode(String.format("{\"sub\":\"%s\",\"exp\":%d}", userId, Instant.now().getEpochSecond() + expiresIn).getBytes(java.nio.charset.StandardCharsets.UTF_8));
+
+    Mac mac = Mac.getInstance("HmacSHA256");
+    mac.init(new SecretKeySpec(secretKey.getBytes(java.nio.charset.StandardCharsets.UTF_8), "HmacSHA256"));
+    String signature = base64UrlEncode(mac.doFinal((header + "." + payload).getBytes(java.nio.charset.StandardCharsets.UTF_8)));
+
+    return header + "." + payload + "." + signature;
+  } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+    throw new AlgoliaRuntimeException("Failed to forge secured user token", e);
+  }
+}
+
+public String forgeSecuredUserToken(String secretKey, String secretKeyId, String userId) {
+  return forgeSecuredUserToken(secretKey, secretKeyId, userId, 24 * 3600);
+}
+
+private static String base64UrlEncode(byte[] data) {
+  return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
+}
+{{/isAgentStudioClient}}