@agentic-passport/next 0.3.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/dist/clerk.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Clerk adapter for AgentPassport — pre-wires `onAgentSignup` and
+ * `onAgentSessionMint` so the vendor doesn't have to write provisioning
+ * or sign-in-token URL assembly by hand.
+ *
+ * Usage:
+ *
+ *   import { agentPassport } from '@agentic-passport/next';
+ *   import { clerkAgentProvisioner } from '@agentic-passport/next/clerk';
+ *   import { clerkClient } from '@clerk/nextjs/server';
+ *
+ *   export const getGate = agentPassport({
+ *     vendorOrigin: 'https://your-vendor.example',
+ *     trustedIssuers: ['https://issuer.example'],
+ *     scopes: ['keyword.search'],
+ *     hooks: clerkAgentProvisioner({
+ *       clerkClient,
+ *       postBootstrapPath: '/account',
+ *     }),
+ *   });
+ *
+ * Clerk is a *peer* dependency — the vendor brings their own
+ * `@clerk/nextjs` install. This adapter accepts the client function
+ * directly to avoid hard-coding the Clerk import path (the same SDK
+ * has worked across @clerk/nextjs 6.x and 7.x by this convention).
+ *
+ * What the two pre-wired hooks do:
+ *
+ *   onAgentSignup
+ *     1. Builds the canonical agent identity via `agentIdentity(ctx)`.
+ *     2. Looks up an existing Clerk user by externalId (idempotent on
+ *        repeat handshakes from the same agent keypair).
+ *     3. If found, refreshes the publicMetadata + returns the user id.
+ *     4. If not found, creates a new Clerk shadow user with the
+ *        canonical fields + skipPasswordRequirement (agents don't have
+ *        passwords).
+ *     5. Returns { allow: true, principal: { userId, grantedScopes } }.
+ *
+ *   onAgentSessionMint
+ *     1. Mints a one-time Clerk sign-in token for the user.
+ *     2. Assembles the bootstrap URL: <vendor>/sign-in?__clerk_ticket=...
+ *     3. Returns { bootstrap_url, final_url }.
+ *
+ * Vendors who want different behavior can either:
+ *   (a) Pass the adapter's result to `agentAuth` but override individual
+ *       hooks: `hooks: { ...clerkAgentProvisioner({...}), onAgentSignup: myHook }`.
+ *   (b) Skip the adapter and write the hooks themselves.
+ */
+import { type CanonicalAgentIdentity } from './next-adapter.js';
+import type { AgentSignupContext, AgentSignupResult, AgentSessionMintContext, AgentSessionMintResult } from './types.js';
+/**
+ * Subset of @clerk/nextjs/server's clerkClient() return shape that we
+ * actually use. Declared structurally so the adapter can accept any
+ * compatible Clerk SDK version without a hard import.
+ */
+export type ClerkClientLike = {
+    users: {
+        getUserList: (params: {
+            externalId: string[];
+        }) => Promise<{
+            data: Array<{
+                id: string;
+            }>;
+        }>;
+        updateUserMetadata: (userId: string, params: {
+            publicMetadata?: unknown;
+        }) => Promise<unknown>;
+        createUser: (params: {
+            externalId?: string;
+            emailAddress?: string[];
+            firstName?: string;
+            lastName?: string;
+            skipPasswordRequirement?: boolean;
+            publicMetadata?: unknown;
+        }) => Promise<{
+            id: string;
+        }>;
+    };
+    signInTokens: {
+        createSignInToken: (params: {
+            userId: string;
+            expiresInSeconds: number;
+        }) => Promise<{
+            token: string;
+            url: string;
+        }>;
+    };
+};
+export type ClerkAgentProvisionerOptions = {
+    /**
+     * Function that returns a Clerk client. In @clerk/nextjs/server this
+     * is `clerkClient` (an async factory). Pass it directly — the adapter
+     * calls it once per hook invocation.
+     */
+    clerkClient: () => Promise<ClerkClientLike>;
+    /**
+     * Vendor origin used to build the browser-bootstrap URL. Defaults to
+     * the gate's `vendorOrigin` — provide explicitly only when the
+     * sign-in route lives on a different origin than the rest of the app.
+     */
+    vendorOrigin?: string;
+    /**
+     * Path on the vendor that the agent's browser should land on after
+     * Clerk consumes the sign-in token. Defaults to `/account`.
+     */
+    postBootstrapPath?: string;
+    /**
+     * Path that hosts Clerk's `<SignIn>` component. The adapter appends
+     * `?__clerk_ticket=...&redirect_url=...` to it. Defaults to
+     * `/sign-in` — matches Clerk's `signInUrl` convention.
+     */
+    signInPath?: string;
+    /**
+     * How long the sign-in token is valid (seconds). Defaults to 300s.
+     * Tokens are one-time-use, so this is just a safety bound.
+     */
+    signInTokenTtlSeconds?: number;
+    /**
+     * Hook to run AFTER the Clerk user is provisioned. Use for billing
+     * setup, audit log writes, tier assignment, etc. Receives the
+     * resolved Clerk user id + the canonical identity.
+     */
+    onProvisioned?: (params: {
+        clerkUserId: string;
+        identity: CanonicalAgentIdentity;
+        ctx: AgentSignupContext;
+    }) => Promise<void>;
+};
+/**
+ * Returns `{ onAgentSignup, onAgentSessionMint }` ready to drop into
+ * `agentPassport({ hooks })`.
+ */
+export declare function clerkAgentProvisioner(opts: ClerkAgentProvisionerOptions): {
+    onAgentSignup: (ctx: AgentSignupContext) => Promise<AgentSignupResult>;
+    onAgentSessionMint: (ctx: AgentSessionMintContext) => Promise<AgentSessionMintResult>;
+};
+//# sourceMappingURL=clerk.d.ts.map

package/dist/clerk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clerk.d.ts","sourceRoot":"","sources":["../src/clerk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AAEH,OAAO,EAAiB,KAAK,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,OAAO,KAAK,EACV,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,EACvB,sBAAsB,EACvB,MAAM,YAAY,CAAC;AAEpB;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE;QACL,WAAW,EAAE,CAAC,MAAM,EAAE;YAAE,UAAU,EAAE,MAAM,EAAE,CAAA;SAAE,KAAK,OAAO,CAAC;YAAE,IAAI,EAAE,KAAK,CAAC;gBAAE,EAAE,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC,CAAC;QAC5F,kBAAkB,EAAE,CAClB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;YAAE,cAAc,CAAC,EAAE,OAAO,CAAA;SAAE,KACjC,OAAO,CAAC,OAAO,CAAC,CAAC;QACtB,UAAU,EAAE,CAAC,MAAM,EAAE;YACnB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;YACxB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,uBAAuB,CAAC,EAAE,OAAO,CAAC;YAClC,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,KAAK,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC/B,CAAC;IACF,YAAY,EAAE;QACZ,iBAAiB,EAAE,CAAC,MAAM,EAAE;YAC1B,MAAM,EAAE,MAAM,CAAC;YACf,gBAAgB,EAAE,MAAM,CAAC;SAC1B,KAAK,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC/C,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC;;;;OAIG;IACH,WAAW,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC5C;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE;QACvB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,sBAAsB,CAAC;QACjC,GAAG,EAAE,kBAAkB,CAAC;KACzB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB,CAAC;AAEF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,4BAA4B,GAAG;IACzE,aAAa,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACvE,kBAAkB,EAAE,CAAC,GAAG,EAAE,uBAAuB,KAAK,OAAO,CAAC,sBAAsB,CAAC,CAAC;CACvF,CA2DA"}

package/dist/clerk.js

@@ -0,0 +1,110 @@
+/**
+ * Clerk adapter for AgentPassport — pre-wires `onAgentSignup` and
+ * `onAgentSessionMint` so the vendor doesn't have to write provisioning
+ * or sign-in-token URL assembly by hand.
+ *
+ * Usage:
+ *
+ *   import { agentPassport } from '@agentic-passport/next';
+ *   import { clerkAgentProvisioner } from '@agentic-passport/next/clerk';
+ *   import { clerkClient } from '@clerk/nextjs/server';
+ *
+ *   export const getGate = agentPassport({
+ *     vendorOrigin: 'https://your-vendor.example',
+ *     trustedIssuers: ['https://issuer.example'],
+ *     scopes: ['keyword.search'],
+ *     hooks: clerkAgentProvisioner({
+ *       clerkClient,
+ *       postBootstrapPath: '/account',
+ *     }),
+ *   });
+ *
+ * Clerk is a *peer* dependency — the vendor brings their own
+ * `@clerk/nextjs` install. This adapter accepts the client function
+ * directly to avoid hard-coding the Clerk import path (the same SDK
+ * has worked across @clerk/nextjs 6.x and 7.x by this convention).
+ *
+ * What the two pre-wired hooks do:
+ *
+ *   onAgentSignup
+ *     1. Builds the canonical agent identity via `agentIdentity(ctx)`.
+ *     2. Looks up an existing Clerk user by externalId (idempotent on
+ *        repeat handshakes from the same agent keypair).
+ *     3. If found, refreshes the publicMetadata + returns the user id.
+ *     4. If not found, creates a new Clerk shadow user with the
+ *        canonical fields + skipPasswordRequirement (agents don't have
+ *        passwords).
+ *     5. Returns { allow: true, principal: { userId, grantedScopes } }.
+ *
+ *   onAgentSessionMint
+ *     1. Mints a one-time Clerk sign-in token for the user.
+ *     2. Assembles the bootstrap URL: <vendor>/sign-in?__clerk_ticket=...
+ *     3. Returns { bootstrap_url, final_url }.
+ *
+ * Vendors who want different behavior can either:
+ *   (a) Pass the adapter's result to `agentAuth` but override individual
+ *       hooks: `hooks: { ...clerkAgentProvisioner({...}), onAgentSignup: myHook }`.
+ *   (b) Skip the adapter and write the hooks themselves.
+ */
+import { agentIdentity } from './next-adapter.js';
+/**
+ * Returns `{ onAgentSignup, onAgentSessionMint }` ready to drop into
+ * `agentPassport({ hooks })`.
+ */
+export function clerkAgentProvisioner(opts) {
+    const signInPath = opts.signInPath ?? '/sign-in';
+    const postBootstrapPath = opts.postBootstrapPath ?? '/account';
+    const ttl = opts.signInTokenTtlSeconds ?? 300;
+    return {
+        onAgentSignup: async (ctx) => {
+            const identity = agentIdentity(ctx);
+            const client = await opts.clerkClient();
+            const existing = await client.users.getUserList({ externalId: [identity.externalId] });
+            let userId;
+            const existingUser = existing.data[0];
+            if (existingUser) {
+                userId = existingUser.id;
+                await client.users.updateUserMetadata(userId, { publicMetadata: identity.publicMetadata });
+            }
+            else {
+                const created = await client.users.createUser({
+                    externalId: identity.externalId,
+                    emailAddress: identity.emailAddress,
+                    firstName: identity.firstName,
+                    lastName: identity.lastName,
+                    skipPasswordRequirement: true,
+                    publicMetadata: identity.publicMetadata,
+                });
+                userId = created.id;
+            }
+            if (opts.onProvisioned) {
+                await opts.onProvisioned({ clerkUserId: userId, identity, ctx });
+            }
+            return {
+                allow: true,
+                principal: { userId, grantedScopes: identity.grantedScopes },
+            };
+        },
+        onAgentSessionMint: async ({ userId }) => {
+            const client = await opts.clerkClient();
+            const token = await client.signInTokens.createSignInToken({
+                userId,
+                expiresInSeconds: ttl,
+            });
+            // Build the URL ourselves: Clerk's signInToken.url points at the
+            // configured sign-in URL without including the raw __clerk_ticket
+            // param, so the app's <SignIn> component has nothing to consume.
+            // Inserting the ticket directly lets <SignIn> auto-exchange on mount.
+            const origin = (opts.vendorOrigin ?? '').replace(/\/$/, '');
+            if (!origin) {
+                throw new Error('clerkAgentProvisioner: vendorOrigin must be set (pass via options or default to the gate config)');
+            }
+            const finalUrl = `${origin}${postBootstrapPath}`;
+            const bootstrapUrl = `${origin}${signInPath}` +
+                `?__clerk_ticket=${encodeURIComponent(token.token)}` +
+                `&redirect_url=${encodeURIComponent(finalUrl)}`;
+            return { bootstrap_url: bootstrapUrl, final_url: finalUrl };
+        },
+    };
+}
+//# sourceMappingURL=clerk.js.map

package/dist/clerk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clerk.js","sourceRoot":"","sources":["../src/clerk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AAEH,OAAO,EAAE,aAAa,EAA+B,MAAM,mBAAmB,CAAC;AA8E/E;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAkC;IAItE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC;IACjD,MAAM,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,IAAI,UAAU,CAAC;IAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,qBAAqB,IAAI,GAAG,CAAC;IAE9C,OAAO;QACL,aAAa,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;YAC3B,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACvF,IAAI,MAAc,CAAC;YACnB,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,GAAG,YAAY,CAAC,EAAE,CAAC;gBACzB,MAAM,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;YAC7F,CAAC;iBAAM,CAAC;gBACN,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC;oBAC5C,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,YAAY,EAAE,QAAQ,CAAC,YAAY;oBACnC,SAAS,EAAE,QAAQ,CAAC,SAAS;oBAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,uBAAuB,EAAE,IAAI;oBAC7B,cAAc,EAAE,QAAQ,CAAC,cAAc;iBACxC,CAAC,CAAC;gBACH,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;YACtB,CAAC;YACD,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,MAAM,IAAI,CAAC,aAAa,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YACnE,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,CAAC,aAAa,EAAE;aAC7D,CAAC;QACJ,CAAC;QAED,kBAAkB,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;YACvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC;gBACxD,MAAM;gBACN,gBAAgB,EAAE,GAAG;aACtB,CAAC,CAAC;YACH,iEAAiE;YACjE,kEAAkE;YAClE,iEAAiE;YACjE,sEAAsE;YACtE,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CACb,kGAAkG,CACnG,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,iBAAiB,EAAE,CAAC;YACjD,MAAM,YAAY,GAChB,GAAG,MAAM,GAAG,UAAU,EAAE;gBACxB,mBAAmB,kBAAkB,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACpD,iBAAiB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Framework-agnostic AgentPassport handler. Built on @agentic-passport/core verifiers.
+ *
+ * Adapters (this package's middleware.ts, or @agentic-passport/express, etc.) translate
+ * framework-native requests into NormalizedRequest, call handleAgentRequest, and
+ * translate the NormalizedResponse back into the framework's response type.
+ *
+ * State is injected via config.store. Use inMemoryStore() for tests / single-
+ * instance dev; use kvStore(env) on Workers so state survives across isolates.
+ */
+import { AuditLog, ErrorCode, type DiscoveryDoc } from '@agentic-passport/protocol';
+import type { AgentPassportConfig, AgentPrincipal, AgentStateStore } from './types.js';
+export type NormalizedRequest = {
+    method: string;
+    url: string;
+    headers: Readonly<Record<string, string | undefined>>;
+    body: Buffer;
+};
+export type NormalizedResponse = {
+    status: number;
+    headers: Record<string, string>;
+    body: Buffer;
+};
+export type AgentPassportInstance = {
+    readonly config: AgentPassportConfig;
+    /** Underlying state store. Tests and admin tools may read/write directly. */
+    readonly store: AgentStateStore;
+    /** Per-instance audit log. NOTE: not shared across isolates in v0. */
+    readonly audit: AuditLog;
+    isAgentRequest(req: {
+        headers: Readonly<Record<string, string | undefined>>;
+    }): boolean;
+    handle(req: NormalizedRequest): Promise<NormalizedResponse>;
+    authorizeApiCall(req: NormalizedRequest, requiredScope: string | null): Promise<{
+        ok: true;
+        principal: AgentPrincipal;
+    } | {
+        ok: false;
+        code: ErrorCode;
+    }>;
+    discoveryDoc(): DiscoveryDoc;
+    auditEntries(): readonly ReturnType<AuditLog['all']>[number][];
+};
+/**
+ * Define an AgentPassport gate. Returns a cached factory — call the returned
+ * function from anywhere in your app; the gate is built once on first
+ * call and reused thereafter.
+ *
+ *   // lib/agent-gate.ts
+ *   export const getGate = agentPassport({
+ *     vendorOrigin: 'https://kwrds.ai',
+ *     trustedIssuers: ['https://issuer.example.com'],
+ *     scopes: ['keyword.search'],
+ *     hooks: { onAgentSignup: async (ctx) => {...} },
+ *   });
+ *
+ *   // route handlers:
+ *   export const POST = (req: Request) => handleAgentPassport(req, getGate);
+ *
+ * Lazy init: JWKS fetching and signing-key loading happen on the first
+ * call to the returned function, not at module load. Subsequent calls
+ * return the cached instance.
+ */
+export declare function agentPassport(config: AgentPassportConfig): () => Promise<AgentPassportInstance>;
+import { isAgentRequest } from './is-agent-request.js';
+export { isAgentRequest };
+/** @deprecated Renamed to {@link agentAuth}. Will be removed in 0.1.0. */
+export declare const agentGate: typeof agentPassport;
+/** @deprecated Renamed to {@link AgentPassportInstance}. */
+export type AgentGateInstance = AgentPassportInstance;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAEL,QAAQ,EACR,SAAS,EAIT,KAAK,YAAY,EAGlB,MAAM,4BAA4B,CAAC;AAQpC,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAyC,eAAe,EAAE,MAAM,YAAY,CAAC;AAQ9H,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;IACtD,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAC;IACrC,6EAA6E;IAC7E,QAAQ,CAAC,KAAK,EAAE,eAAe,CAAC;IAChC,sEAAsE;IACtE,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,cAAc,CAAC,GAAG,EAAE;QAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC;IACxF,MAAM,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC5D,gBAAgB,CAAC,GAAG,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAC7E;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,SAAS,EAAE,cAAc,CAAA;KAAE,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,IAAI,EAAE,SAAS,CAAA;KAAE,CACzE,CAAC;IACF,YAAY,IAAI,YAAY,CAAC;IAC7B,YAAY,IAAI,SAAS,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;CAChE,CAAC;AAoBF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,CAO/F;AAsDD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,CAAC;AAE1B,0EAA0E;AAC1E,eAAO,MAAM,SAAS,sBAAgB,CAAC;AACvC,4DAA4D;AAC5D,MAAM,MAAM,iBAAiB,GAAG,qBAAqB,CAAC"}