tep 0.11.0

data/lib/tep/assets.rb

@@ -0,0 +1,52 @@
+# Tep::Assets -- in-binary static asset store.
+#
+# Spinel produces a single static binary, so the natural way to
+# ship CSS / images / JS that an app needs is to bake them INTO
+# that binary rather than rely on a sibling `public/` directory.
+# The build-time translator (bin/tep) auto-discovers everything
+# under `<app_dir>/assets/` and emits `_add` calls that register
+# each file's bytes + content-type before any handler runs.
+#
+# The actual storage lives on the Tep::App singleton (`APP`):
+# two str_hashes keyed by path, one for body bytes and one for
+# mime. Routing via the app instance keeps spinel's class-var /
+# constant inference simple -- both are well-tracked instance
+# variables on a class with an explicit initialiser.
+#
+# Conventions
+# -----------
+#   * The asset is served at `/<relative path>` from the project's
+#     `assets/` dir. So `assets/logo.svg` -> `GET /logo.svg`.
+#   * MIME type inferred from extension at build time.
+#   * Binary assets pass through as Ruby string literals; spinel
+#     carries the bytes through to the C compile as const char *.
+#     NUL bytes truncate (spinel's :str doesn't track length), so
+#     binary assets containing 0x00 should be served via
+#     `Tep.public_dir` instead.
+module Tep
+  class Assets
+    def self._add(path, body, mime)
+      Tep::APP.add_asset(path, body, mime)
+    end
+
+    def self.has?(path)
+      Tep::APP.asset_bodies.has_key?(path)
+    end
+
+    # Serve `path` if it's known. Sets Content-Type / body and
+    # returns true; returns false if the path isn't bundled.
+    def self.serve(path, res)
+      if !Tep::APP.asset_bodies.has_key?(path)
+        return false
+      end
+      res.headers["Content-Type"] = Tep::APP.asset_mimes[path]
+      res.headers["Cache-Control"] = "public, max-age=3600"
+      # Content-hash ETag (#152): lets the browser revalidate with
+      # If-None-Match and get a 304 (handled by the server's
+      # Tep::Cache short-circuit) instead of re-downloading the body.
+      res.etag(Tep::APP.asset_etags[path])
+      res.set_body_if_empty(Tep::APP.asset_bodies[path])
+      true
+    end
+  end
+end

data/lib/tep/auth.rb

@@ -0,0 +1,78 @@
+# Tep::Auth -- the entry point for the Auth battery.
+#
+# Sets `req.identity` (a Tep::Identity) on every request, populated
+# by walking a fixed provider chain. Three providers ship:
+# Tep::AuthBearerToken (JWT HS256), Tep::AuthSessionCookie
+# (signed cookie), Tep::AuthOAuth2 (delegated-grant exchange).
+# Each one extends the chain by editing Tep::Auth.identify
+# (rather than via a runtime registry, because spinel's
+# PtrArray<Base> dispatch can't carry cls_id across heterogeneous
+# Provider subclasses -- see memory [[spinel_widening_dispatch]]).
+# Once spinel resolves the cls_id story the design doc's
+# Tep::Auth.providers.add(...) API will land; until then the
+# fixed-chain shape stays.
+#
+# Install pattern:
+#
+#   require 'sinatra'
+#   Tep::AuthBearerToken.set_secret(ENV["JWT_SECRET"])
+#   Tep::Auth.install!
+#
+#   # In handlers, req.identity is always populated -- either with
+#   # the bearer's identity or with Tep::Identity.anonymous.
+#   get '/me' do
+#     req.identity.subject
+#   end
+#
+# The auth filter is a SEPARATE slot from the user-installed
+# before-filter (see Tep::App#auth_filter). Both run, in order:
+# auth-filter first (populates req.identity), then user
+# before-filter (sees a fully-populated identity). This avoids the
+# "one filter slot" composition tax tep otherwise imposes.
+module Tep
+  module Auth
+    CORE_CAPABILITIES = [:read, :write, :authn, :authz]
+
+    # Walk the provider chain. First provider that returns a non-nil
+    # Identity wins. Returns nil if no provider matched -- caller is
+    # responsible for substituting Tep::Identity.anonymous.
+    #
+    # Order: BearerToken first (an explicit Authorization header is
+    # a stronger signal of caller intent than a passively-replayed
+    # cookie), then SessionCookie. Apps that want cookie-wins-bearer
+    # semantics can post-process req.identity in a before-filter.
+    def self.identify(req)
+      ident = Tep::AuthBearerToken.try(req)
+      if ident != nil
+        return ident
+      end
+      ident = Tep::AuthSessionCookie.try(req)
+      if ident != nil
+        return ident
+      end
+      nil
+    end
+
+    # Replaces the app's auth-filter slot with the real
+    # populate-req.identity filter. Idempotent.
+    def self.install!
+      Tep::APP.set_auth_filter(Tep::AuthFilter.new)
+      0
+    end
+  end
+
+  # The before-filter that runs the provider chain and writes the
+  # result to req.identity. Lives at top level (not Tep::Auth::Filter)
+  # to keep dispatch simple under spinel.
+  class AuthFilter < Tep::Filter
+    def before(req, res)
+      ident = Tep::Auth.identify(req)
+      if ident == nil
+        req.identity = Tep::Identity.anonymous
+      else
+        req.identity = ident
+      end
+      0
+    end
+  end
+end

data/lib/tep/auth_bearer_token.rb

@@ -0,0 +1,126 @@
+# Tep::AuthBearerToken -- JWT-HS256 bearer-token provider for the
+# Auth battery. Sniffs `Authorization: Bearer <token>`, verifies
+# the signature with the app's configured secret, decodes the
+# flat-JSON payload, and builds a Tep::Identity (with optional
+# Tep::AgentDelegation when the token represents an agent).
+#
+# Configuration:
+#
+#   Tep::AuthBearerToken.set_secret(ENV["JWT_SECRET"])
+#
+# Token payload schema (flat JSON, single level -- matches
+# Tep::Json's flat-object extraction surface):
+#
+#   {
+#     "sub":      "user:42",                    # principal_id (required)
+#     "exp":      1716396000,                   # unix epoch seconds
+#     "caps":     "read,write,post_summary",    # comma-separated symbols
+#     "delegate": "summarizer-bot|1716392400|1716396000|token"
+#                                               # optional; presence flips
+#                                               # the identity to an agent.
+#                                               # Format:
+#                                               # agent_id|issued_at|expires_at|origin
+#   }
+#
+# Why flat (not nested `acting_via: { ... }`): Tep::Json today
+# extracts flat keys only. A nested-object getter is a separate
+# tiny battery; for v1 of Auth the flat pipe-encoded delegate
+# string is the smallest thing that ships and round-trips
+# cleanly. The Identity / AgentDelegation Ruby surface stays
+# nested -- the encoding is only on the wire.
+#
+# Why a flat top-level class name (not Tep::Auth::BearerToken):
+# two-level namespacing on classes carries spinel cls_id risk
+# (see memory note [[spinel_widening_dispatch]]). The Tep::Auth
+# module owns the conceptual grouping; the class itself lives at
+# Tep:: level so dispatch is shallow.
+module Tep
+  class AuthBearerToken
+    # Set the shared HMAC secret. Apps call once at boot.
+    def self.set_secret(s)
+      Tep::APP.set_auth_bearer_secret(s)
+      0
+    end
+
+    # Attempt to identify the request. Returns a Tep::Identity on
+    # successful verification, nil if no Bearer header / bad
+    # signature / expired / malformed payload.
+    def self.try(req)
+      header = req.req_headers["authorization"]
+      if header.length < 8 || header[0, 7] != "Bearer "
+        return nil
+      end
+      token = header[7, header.length - 7]
+
+      secret = Tep::APP.auth_bearer_secret
+      if secret.length == 0
+        return nil
+      end
+
+      payload = Tep::Jwt.verify_and_decode(token, secret)
+      if payload.length == 0
+        return nil
+      end
+
+      # Check expiry first -- a token whose exp passed gets rejected
+      # even if the signature still verifies. exp is unix epoch sec.
+      exp = Tep::Json.get_int(payload, "exp")
+      if exp > 0 && Time.now.to_i >= exp
+        return nil
+      end
+
+      sub = Tep::Json.get_str(payload, "sub")
+      if sub.length == 0
+        return nil
+      end
+
+      caps_str = Tep::Json.get_str(payload, "caps")
+      caps = Tep::AuthBearerToken.parse_caps(caps_str)
+
+      delegate_str = Tep::Json.get_str(payload, "delegate")
+      delegation = Tep::AuthBearerToken.parse_delegate(delegate_str)
+
+      Tep::Identity.new(sub, delegation, caps)
+    end
+
+    # "read,write,post_summary" -> [:read, :write, :post_summary]
+    def self.parse_caps(s)
+      caps = [:_seed]
+      caps.delete_at(0)
+      if s.length == 0
+        return caps
+      end
+      s.split(",").each do |name|
+        if name.length > 0
+          caps.push(name.to_sym)
+        end
+      end
+      caps
+    end
+
+    # "agent_id|issued_at|expires_at|origin" -> AgentDelegation, or
+    # nil for empty / malformed. The four-segment pipe encoding
+    # avoids the nested-JSON limitation; pipes don't appear in
+    # agent ids (we constrain the issuance side).
+    #
+    # `.to_s` on parts[0] is a no-op type-witness for spinel:
+    # without it the inference for the first AgentDelegation arg
+    # widens to mrb_int in some larger-codebase compile paths (no
+    # other call site constrains agent_id to a String), and the
+    # generated C compares pointer-to-int.
+    def self.parse_delegate(s)
+      if s.length == 0
+        return nil
+      end
+      parts = s.split("|")
+      if parts.length < 4
+        return nil
+      end
+      agent_id   = parts[0].to_s
+      issued_at  = parts[1].to_i
+      expires_at = parts[2].to_i
+      origin     = parts[3].to_sym
+      Tep::AgentDelegation.new(agent_id, issued_at, expires_at, origin)
+    end
+  end
+end

data/lib/tep/auth_oauth2.rb

@@ -0,0 +1,189 @@
+# Tep::AuthOAuth2 -- the OAuth2-style authorization-code issuance
+# surface. tep here is the AUTHORIZATION SERVER (not the OAuth
+# client) -- the entity that issues delegated-access tokens to
+# bots / agents / automation clients on behalf of human users.
+#
+# Flow (apps wire their own /oauth/authorize + /oauth/token routes
+# on top of these primitives):
+#
+#   1. Bot redirects the user to /oauth/authorize?client_id=summarizer-bot
+#      &redirect_uri=...&caps=read,post_summary.
+#   2. App's /authorize route looks up the client, checks the
+#      caps subset against allowed_caps, renders a consent
+#      screen ("summarizer-bot wants to act on your behalf...").
+#   3. User clicks "Allow". App calls:
+#        Tep::AuthOAuth2.issue_code(req.identity.principal_id,
+#                                   client_id, caps_str, 600)
+#      and redirects to the bot's redirect_uri with ?code=<code>.
+#   4. Bot exchanges the code at /oauth/token:
+#        Tep::AuthOAuth2.exchange_code(code, client_id)
+#      which returns a JWT whose `delegate` field is populated
+#      (acting_via on the resulting Tep::Identity).
+#   5. Bot uses the JWT as a Bearer token. Tep::AuthBearerToken
+#      parses it; req.identity is a delegated agent identity.
+#
+# The "agentic" framing: this is fundamentally OAuth2 with the
+# semantic shift that the granted token represents an agent
+# delegated by the user, not an "app" the user wants to share
+# data with. The consent UI's wording (rendered by the app, not
+# by tep) should make that clear to the user.
+#
+# Token issuance reuses Tep::Jwt + Tep::AuthBearerToken's wire
+# format -- no new token schema. The downstream Identity surface
+# is the same: `req.identity.agent?` is true, `acting_via.agent_id`
+# is the client_id, `acting_via.origin` is :oauth_grant.
+#
+# Storage is per-process (Tep::APP attrs). High-fanout setups
+# wanting cross-worker code redemption need a PG-backed extension;
+# noted but not in scope for v1.
+module Tep
+  module AuthOAuth2
+    # Default code TTL (seconds). Apps that need shorter / longer
+    # pass an explicit ttl_seconds to issue_code.
+    DEFAULT_CODE_TTL = 600
+
+    # Default token TTL (seconds). The JWT exp claim is set to
+    # `now + this`. Apps that need a different window pass an
+    # explicit token_ttl_seconds to exchange_code.
+    DEFAULT_TOKEN_TTL = 3600
+
+    # Register a client (bot / agent / automation peer) with the
+    # authorization server. Subsequent issue_code and exchange_code
+    # calls reference it by client_id. Re-registering an existing
+    # client_id replaces the prior entry.
+    def self.register_client(client_id, name, redirect_uri, allowed_caps)
+      Tep::AuthOAuth2.unregister_client(client_id)
+      client = Tep::AuthOAuth2Client.new(
+        client_id, name, redirect_uri, allowed_caps)
+      Tep::APP.auth_oauth2_clients.push(client)
+      0
+    end
+
+    def self.unregister_client(client_id)
+      clients = Tep::APP.auth_oauth2_clients
+      i = 0
+      while i < clients.length
+        if clients[i].client_id == client_id
+          clients.delete_at(i)
+          return 0
+        end
+        i += 1
+      end
+      0
+    end
+
+    def self.find_client(client_id)
+      clients = Tep::APP.auth_oauth2_clients
+      i = 0
+      while i < clients.length
+        if clients[i].client_id == client_id
+          return clients[i]
+        end
+        i += 1
+      end
+      nil
+    end
+
+    # Mint a one-time code tied to (principal, client, granted_caps).
+    # Caller (the app's /authorize handler) is responsible for
+    # validating that granted_caps is a subset of the client's
+    # allowed_caps before calling -- the issuance surface itself
+    # trusts the caller.
+    #
+    # `caps_str` is comma-separated (matches Tep::AuthBearerToken's
+    # wire format). `ttl_seconds` is the lifetime; pass 0 for
+    # DEFAULT_CODE_TTL.
+    #
+    # Returns the opaque code string (base64url, ~32 chars).
+    def self.issue_code(principal_id, client_id, caps_str, ttl_seconds)
+      Tep::AuthOAuth2.sweep_expired_codes
+      ttl = ttl_seconds
+      if ttl <= 0
+        ttl = DEFAULT_CODE_TTL
+      end
+      code = Crypto.sp_crypto_random_b64url(24)
+      expires_at = Time.now.to_i + ttl
+      rec = Tep::AuthOAuth2Code.new(
+        code, principal_id, client_id, caps_str, expires_at)
+      Tep::APP.auth_oauth2_codes.push(rec)
+      code
+    end
+
+    # Redeem a code for a JWT. The code MUST have been issued for
+    # this exact client_id (no cross-client redemption). Returns
+    # the JWT string on success, "" on failure (unknown code,
+    # client_id mismatch, expired, already-redeemed).
+    #
+    # The JWT is single-use against the registry: a successful
+    # exchange_code removes the code from the registry.
+    #
+    # `token_ttl_seconds` is the JWT's exp lifetime; pass 0 for
+    # DEFAULT_TOKEN_TTL.
+    def self.exchange_code(code, client_id, token_ttl_seconds)
+      Tep::AuthOAuth2.sweep_expired_codes
+      codes = Tep::APP.auth_oauth2_codes
+      idx = -1
+      i = 0
+      while i < codes.length
+        if codes[i].code == code && codes[i].client_id == client_id
+          idx = i
+          i = codes.length
+        else
+          i += 1
+        end
+      end
+      if idx < 0
+        return ""
+      end
+      rec = codes[idx]
+      codes.delete_at(idx)
+      if rec.expired?(Time.now.to_i)
+        return ""
+      end
+      Tep::AuthOAuth2.mint_jwt(rec, token_ttl_seconds)
+    end
+
+    # Build the JWT payload and sign it. Uses Tep::Jwt with the
+    # same shared secret as Tep::AuthBearerToken, so apps don't
+    # need to manage a second secret -- one HS256 secret signs all
+    # tokens regardless of issuance path.
+    def self.mint_jwt(rec, token_ttl_seconds)
+      secret = Tep::APP.auth_bearer_secret
+      if secret.length == 0
+        return ""
+      end
+      ttl = token_ttl_seconds
+      if ttl <= 0
+        ttl = DEFAULT_TOKEN_TTL
+      end
+      now_ts = Time.now.to_i
+      exp_ts = now_ts + ttl
+      delegate_str = rec.client_id + "|" + now_ts.to_s + "|" +
+                     exp_ts.to_s + "|oauth_grant"
+      payload = "{" +
+        Tep::Json.encode_pair_str("sub", rec.principal_id) + "," +
+        Tep::Json.encode_pair_int("exp", exp_ts) + "," +
+        Tep::Json.encode_pair_str("caps", rec.caps_str) + "," +
+        Tep::Json.encode_pair_str("delegate", delegate_str) +
+      "}"
+      Tep::Jwt.encode_hs256(payload, secret)
+    end
+
+    # Walk the code registry, drop entries whose expires_at has
+    # passed. Called on every issue / exchange so the registry
+    # doesn't grow unboundedly even without explicit pruning.
+    # Back-to-front so delete_at indices stay valid mid-loop.
+    def self.sweep_expired_codes
+      codes = Tep::APP.auth_oauth2_codes
+      now_ts = Time.now.to_i
+      i = codes.length - 1
+      while i >= 0
+        if codes[i].expired?(now_ts)
+          codes.delete_at(i)
+        end
+        i -= 1
+      end
+      0
+    end
+  end
+end

data/lib/tep/auth_oauth2_client.rb

@@ -0,0 +1,29 @@
+# Tep::AuthOAuth2Client -- one entry in the OAuth2 client registry.
+# Represents a "bot" / "agent" / "automation client" that can be
+# delegated permissions to act on behalf of a human principal via
+# the OAuth2-style authorization-code flow.
+#
+# Created by Tep::AuthOAuth2.register_client. Apps don't typically
+# instantiate this directly -- the registry takes
+# (client_id, name, redirect_uri, allowed_caps) and stores the
+# resulting Client.
+#
+# `allowed_caps` is the MAXIMUM set of capabilities this client
+# can ever be granted. At consent time the human grants a subset
+# (or all) of these to the specific code being issued. The granted
+# set on the eventual JWT is always a subset of allowed_caps.
+module Tep
+  class AuthOAuth2Client
+    attr_reader :client_id        # String, opaque (e.g. "summarizer-bot")
+    attr_reader :name             # Human-readable display name for consent UI
+    attr_reader :redirect_uri     # Where to redirect with ?code=... after consent
+    attr_reader :allowed_caps     # Array of symbols (ceiling on granted caps)
+
+    def initialize(client_id, name, redirect_uri, allowed_caps)
+      @client_id     = client_id
+      @name          = name
+      @redirect_uri  = redirect_uri
+      @allowed_caps  = allowed_caps
+    end
+  end
+end

data/lib/tep/auth_oauth2_code.rb

@@ -0,0 +1,40 @@
+# Tep::AuthOAuth2Code -- one entry in the short-lived
+# authorization-code registry. Created by
+# Tep::AuthOAuth2.issue_code at the moment a human consents to a
+# specific (client, caps) grant; consumed by
+# Tep::AuthOAuth2.exchange_code when the client redeems the code
+# for a JWT.
+#
+# Codes are single-use and short-lived (typically 5-10 minutes).
+# The registry sweeps expired entries on every lookup so
+# memory doesn't accumulate even without explicit pruning.
+#
+# Storage scope is per-process: the registry lives on Tep::APP,
+# which is per-worker under prefork. A bot redeeming a code MUST
+# do so against the same worker that issued it. For most apps
+# that's invisible (one human, one worker handling both the
+# consent submission and the immediate redirect-then-redeem
+# sequence), but high-fanout production setups will want
+# cross-worker code storage (PG-backed) -- a future battery
+# extension.
+module Tep
+  class AuthOAuth2Code
+    attr_reader :code             # opaque base64url string
+    attr_reader :principal_id     # the human granting access
+    attr_reader :client_id        # which client this code was issued for
+    attr_reader :caps_str         # comma-separated symbols (granted subset)
+    attr_reader :expires_at       # unix epoch seconds; >= now means alive
+
+    def initialize(code, principal_id, client_id, caps_str, expires_at)
+      @code         = code
+      @principal_id = principal_id
+      @client_id    = client_id
+      @caps_str     = caps_str
+      @expires_at   = expires_at
+    end
+
+    def expired?(now)
+      now >= @expires_at
+    end
+  end
+end

data/lib/tep/auth_session_cookie.rb

@@ -0,0 +1,132 @@
+# Tep::AuthSessionCookie -- the SessionCookie provider for the Auth
+# battery. Reads identity fields off the signed session cookie that
+# Tep::Session already round-trips through Tep::App#dispatch.
+#
+# Configuration:
+#
+#   Tep.session_secret = ENV["TEP_SESSION_SECRET"]
+#   Tep::Auth.install!     # enables both Bearer + SessionCookie
+#
+# Identity in the session is stored as four keys (identity_sub /
+# identity_caps / identity_delegate / identity_exp). The whole
+# cookie is HMAC-signed (Tep::Session's existing payload+sig
+# format), so forgery requires the secret. The identity payload IS
+# visible to the client -- the cookie is signed, not encrypted --
+# so don't put secrets in caps or in the delegate fields. Standard
+# session-cookie tradeoff.
+#
+# Login / logout:
+#
+#   post '/login' do
+#     # ... verify the user's password / OAuth handshake / etc ...
+#     ident = Tep::Identity.new("user:42", nil, [:read, :write])
+#     Tep::AuthSessionCookie.set(req, ident)
+#     # The session will be re-signed + emitted via Set-Cookie by
+#     # tep's normal session lifecycle (App#dispatch end).
+#     ""
+#   end
+#
+#   post '/logout' do
+#     Tep::AuthSessionCookie.clear(req)
+#     ""
+#   end
+#
+# Provider-chain order: tried AFTER Tep::AuthBearerToken in
+# Tep::Auth.identify. Bearer wins if both present, on the
+# principle that an explicit Authorization header is a stronger
+# signal of caller intent than a passively-replayed cookie.
+#
+# Flat namespacing (Tep::AuthSessionCookie, not
+# Tep::Auth::SessionCookie) mirrors Tep::AuthBearerToken for the
+# same spinel cls_id reasons -- see memory note
+# [[spinel_widening_dispatch]].
+module Tep
+  class AuthSessionCookie
+    # Write an Identity into req.session. Caller is responsible for
+    # ensuring Tep.session_secret is configured -- otherwise the
+    # response cookie won't get signed and the next request can't
+    # round-trip the identity back.
+    #
+    # `exp` is unix epoch seconds; nil disables expiry (the cookie
+    # itself still expires per its own Max-Age / Expires headers
+    # or browser session lifetime).
+    def self.set(req, identity, exp)
+      req.session.set("identity_sub", identity.principal_id)
+      req.session.set("identity_caps",
+        Tep::AuthSessionCookie.format_caps(identity.capabilities))
+      delegate = identity.acting_via
+      if delegate == nil
+        req.session.set("identity_delegate", "")
+      else
+        req.session.set("identity_delegate",
+          Tep::AuthSessionCookie.format_delegate(delegate))
+      end
+      if exp > 0
+        req.session.set("identity_exp", exp.to_s)
+      else
+        req.session.set("identity_exp", "")
+      end
+      0
+    end
+
+    # Drop the identity fields from req.session. The session itself
+    # stays valid (signed cookie continues to round-trip), but any
+    # subsequent try() returns nil because identity_sub is empty.
+    def self.clear(req)
+      req.session.set("identity_sub", "")
+      req.session.set("identity_caps", "")
+      req.session.set("identity_delegate", "")
+      req.session.set("identity_exp", "")
+      0
+    end
+
+    # Attempt to recover an Identity from req.session. Returns nil
+    # if the session has no identity (no prior #set call, or after
+    # #clear) or the stored identity is expired.
+    def self.try(req)
+      sub = req.session.get("identity_sub")
+      if sub.length == 0
+        return nil
+      end
+
+      exp_str = req.session.get("identity_exp")
+      if exp_str.length > 0
+        exp = exp_str.to_i
+        if exp > 0 && Time.now.to_i >= exp
+          return nil
+        end
+      end
+
+      caps_str = req.session.get("identity_caps")
+      caps = Tep::AuthBearerToken.parse_caps(caps_str)
+
+      delegate_str = req.session.get("identity_delegate")
+      delegation = Tep::AuthBearerToken.parse_delegate(delegate_str)
+
+      Tep::Identity.new(sub, delegation, caps)
+    end
+
+    # [:read, :write, :post_summary] -> "read,write,post_summary"
+    def self.format_caps(caps)
+      out = ""
+      first = true
+      caps.each do |c|
+        if !first
+          out = out + ","
+        end
+        out = out + c.to_s
+        first = false
+      end
+      out
+    end
+
+    # AgentDelegation -> "agent_id|issued_at|expires_at|origin".
+    # Inverse of Tep::AuthBearerToken.parse_delegate.
+    def self.format_delegate(deleg)
+      deleg.agent_id + "|" +
+        deleg.issued_at.to_s + "|" +
+        deleg.expires_at.to_s + "|" +
+        deleg.origin.to_s
+    end
+  end
+end