@agentuity/auth 0.0.109 → 0.0.111

package/dist/agentuity/react.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"react.d.ts","sourceRoot":"","sources":["../../src/agentuity/react.tsx"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAkE,MAAM,OAAO,CAAC;AACvF,OAAO,EAAE,gBAAgB,IAAI,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAG/E,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAEjE,OAAO,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAMrD;;;;GAIG;AACH,MAAM,WAAW,iBAAiB,CACjC,QAAQ,SAAS,sBAAsB,EAAE,GAAG,sBAAsB,EAAE;IAEpE;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,QAAQ,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB;;;;;;;;;;;;;;;;;;;;gCAJG,CAAC;;;;;gCAIb,CAAC;;;;;gCAKG,CAAC;;;;;gCAGb,CAAA;;;;;gCAEZ,CAAC;;;;;;;;;;;;;;;;;;;;;;6BAgPS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAlKP,CAAC;;;;;;;;;;;;;;gCAiBF,CAAC;uCAGiB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2J29H,CAAC;qCAAkD,CAAC;;;;;;;;;iCAA8Q,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA+vX,CAAC;qCAAkD,CAAC;;;;;;;;;iCAA8Q,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAi5D,CAAC;qCAAkD,CAAC;;;;;;;;;iCAA8Q,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KArQnllB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,SAAS,sBAAsB,EAAE,GAAG,EAAE,EAC9E,OAAO,CAAC,EAAE,iBAAiB,CAAC,QAAQ,CAAC,GACnC,UAAU,CAAC,OAAO,sBAAsB,CAAC;IAAE,OAAO,EAAE,QAAQ,CAAA;CAAE,CAAC,CAAC,CAkBlE;AAED;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAM7D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAChC,+BAA+B;IAC/B,UAAU,EAAE,UAAU,CAAC;IACvB,2DAA2D;IAC3D,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,4CAA4C;IAC5C,OAAO,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5B,8CAA8C;IAC9C,SAAS,EAAE,OAAO,CAAC;IACnB,wDAAwD;IACxD,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,wCAAwC;IACxC,eAAe,EAAE,OAAO,CAAC;CACzB;AAID,MAAM,WAAW,iBAAiB;IACjC,+BAA+B;IAC/B,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAE1B;;;OAGG;IACH,UAAU,EAAE,UAAU,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,YAAY,CAAC,EAC5B,QAAQ,EACR,UAAU,EACV,eAAuB,EACvB,aAAwB,GACxB,EAAE,iBAAiB,2CA4EnB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,OAAO,IAAI,gBAAgB,CAM1C"}

package/dist/agentuity/react.js

@@ -0,0 +1,206 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+/**
+ * Auth React integration for @agentuity/auth.
+ *
+ * All React-specific code for auth.
+ * Import from '@agentuity/auth/react' for React components and hooks.
+ *
+ * @module agentuity/react
+ */
+import { useEffect, createContext, useContext, useState, useMemo } from 'react';
+import { createAuthClient as createBetterAuthClient } from 'better-auth/react';
+import { organizationClient, apiKeyClient } from 'better-auth/client/plugins';
+import { useAuth as useAgentuityReactAuth } from '@agentuity/react';
+/**
+ * Get the default client plugins for auth.
+ *
+ * These mirror the server-side plugins:
+ * - organizationClient: Multi-tenancy support
+ * - apiKeyClient: Programmatic API key management
+ *
+ * Note: jwt() and bearer() are server-only plugins.
+ */
+export function getDefaultClientPlugins() {
+    return [organizationClient(), apiKeyClient()];
+}
+/**
+ * Create a pre-configured Auth client.
+ *
+ * This factory provides sensible defaults for Agentuity projects:
+ * - Uses `/api/auth` as the default base path
+ * - Automatically uses `window.location.origin` as base URL in browsers
+ * - Includes organization and API key plugins by default
+ *
+ * @example Basic usage (zero config)
+ * ```typescript
+ * import { createAuthClient } from '@agentuity/auth/react';
+ *
+ * export const authClient = createAuthClient();
+ * export const { signIn, signUp, signOut, useSession, getSession } = authClient;
+ * ```
+ *
+ * @example With custom base path
+ * ```typescript
+ * export const authClient = createAuthClient({
+ *   basePath: '/auth', // If mounted at /auth instead of /api/auth
+ * });
+ * ```
+ *
+ * @example With additional plugins
+ * ```typescript
+ * import { twoFactorClient } from 'better-auth/client/plugins';
+ *
+ * export const authClient = createAuthClient({
+ *   plugins: [twoFactorClient()],
+ * });
+ * ```
+ *
+ * @example With custom plugins only (no defaults)
+ * ```typescript
+ * import { organizationClient } from 'better-auth/client/plugins';
+ *
+ * export const authClient = createAuthClient({
+ *   skipDefaultPlugins: true,
+ *   plugins: [organizationClient()],
+ * });
+ * ```
+ */
+export function createAuthClient(options) {
+    const baseURL = options?.baseURL ?? (typeof window !== 'undefined' ? window.location.origin : '');
+    const basePath = options?.basePath ?? '/api/auth';
+    const defaultPlugins = options?.skipDefaultPlugins ? [] : getDefaultClientPlugins();
+    const userPlugins = options?.plugins ?? [];
+    // Merge default plugins with user plugins
+    // We pass through the full options to preserve type inference
+    // The return type preserves plugin type inference via the generic parameter
+    return createBetterAuthClient({
+        ...options,
+        baseURL,
+        basePath,
+        plugins: [...defaultPlugins, ...userPlugins],
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    });
+}
+const AuthContext = createContext(null);
+/**
+ * Auth provider component.
+ *
+ * This component integrates Auth with Agentuity's React context,
+ * automatically injecting auth tokens into API calls via useAgent and useWebsocket.
+ *
+ * Must be a child of AgentuityProvider.
+ *
+ * @example
+ * ```tsx
+ * import { AgentuityProvider } from '@agentuity/react';
+ * import { createAuthClient, AuthProvider } from '@agentuity/auth/react';
+ *
+ * const authClient = createAuthClient();
+ *
+ * <AgentuityProvider>
+ *   <AuthProvider authClient={authClient}>
+ *     <App />
+ *   </AuthProvider>
+ * </AgentuityProvider>
+ * ```
+ */
+export function AuthProvider({ children, authClient, refreshInterval = 60000, tokenEndpoint = '/token', }) {
+    const { setAuthHeader, setAuthLoading } = useAgentuityReactAuth();
+    const [user, setUser] = useState(null);
+    const [session, setSession] = useState(null);
+    const [isPending, setIsPending] = useState(true);
+    const [error, setError] = useState(null);
+    useEffect(() => {
+        if (!setAuthHeader || !setAuthLoading)
+            return;
+        const fetchAuthState = async () => {
+            try {
+                setAuthLoading(true);
+                setIsPending(true);
+                setError(null);
+                // Use the auth client's getSession method
+                const result = await authClient.getSession();
+                if (result.data?.user) {
+                    setUser(result.data.user);
+                    setSession(result.data.session ?? null);
+                    // Get the JWT token for API calls (unless disabled)
+                    if (tokenEndpoint !== false) {
+                        try {
+                            const tokenResult = await authClient.$fetch(tokenEndpoint, { method: 'GET' });
+                            const tokenData = tokenResult.data;
+                            if (tokenData?.token) {
+                                setAuthHeader(`Bearer ${tokenData.token}`);
+                            }
+                            else {
+                                setAuthHeader(null);
+                            }
+                        }
+                        catch {
+                            // Token endpoint might not exist, that's okay
+                            setAuthHeader(null);
+                        }
+                    }
+                    else {
+                        setAuthHeader(null);
+                    }
+                }
+                else {
+                    setUser(null);
+                    setSession(null);
+                    setAuthHeader(null);
+                }
+            }
+            catch (err) {
+                console.error('[AuthProvider] Failed to get auth state:', err);
+                setError(err instanceof Error ? err : new Error('Failed to get auth state'));
+                setUser(null);
+                setSession(null);
+                setAuthHeader(null);
+            }
+            finally {
+                setAuthLoading(false);
+                setIsPending(false);
+            }
+        };
+        fetchAuthState();
+        const interval = setInterval(fetchAuthState, refreshInterval);
+        return () => clearInterval(interval);
+    }, [authClient, refreshInterval, tokenEndpoint, setAuthHeader, setAuthLoading]);
+    const contextValue = useMemo(() => ({
+        authClient,
+        user,
+        session,
+        isPending,
+        error,
+        isAuthenticated: !isPending && user !== null,
+    }), [authClient, user, session, isPending, error]);
+    return _jsx(AuthContext.Provider, { value: contextValue, children: children });
+}
+/**
+ * Hook to access Auth state.
+ *
+ * This hook provides access to the current user and session.
+ * Must be used within an AuthProvider.
+ *
+ * @example
+ * ```tsx
+ * import { useAuth } from '@agentuity/auth/react';
+ *
+ * function Profile() {
+ *   const { user, session, isPending, isAuthenticated } = useAuth();
+ *
+ *   if (isPending) return <div>Loading...</div>;
+ *   if (!isAuthenticated) return <div>Not signed in</div>;
+ *
+ *   return <div>Welcome, {user.name}!</div>;
+ * }
+ * ```
+ */
+export function useAuth() {
+    const context = useContext(AuthContext);
+    if (!context) {
+        throw new Error('useAuth must be used within an AuthProvider');
+    }
+    return context;
+}
+//# sourceMappingURL=react.js.map

package/dist/agentuity/react.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"react.js","sourceRoot":"","sources":["../../src/agentuity/react.tsx"],"names":[],"mappings":";AAAA;;;;;;;GAOG;AAEH,OAAc,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AACvF,OAAO,EAAE,gBAAgB,IAAI,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,OAAO,IAAI,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AA4CpE;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB;IACtC,OAAO,CAAC,kBAAkB,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,MAAM,UAAU,gBAAgB,CAC/B,OAAqC;IAErC,MAAM,OAAO,GACZ,OAAO,EAAE,OAAO,IAAI,CAAC,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,WAAW,CAAC;IAElD,MAAM,cAAc,GAAG,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAAC;IACpF,MAAM,WAAW,GAAG,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;IAE3C,0CAA0C;IAC1C,8DAA8D;IAC9D,4EAA4E;IAC5E,OAAO,sBAAsB,CAAC;QAC7B,GAAG,OAAO;QACV,OAAO;QACP,QAAQ;QACR,OAAO,EAAE,CAAC,GAAG,cAAc,EAAE,GAAG,WAAW,CAAC;QAC5C,8DAA8D;KAC9D,CAAQ,CAAC;AACX,CAAC;AA6BD,MAAM,WAAW,GAAG,aAAa,CAA0B,IAAI,CAAC,CAAC;AAoCjE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,YAAY,CAAC,EAC5B,QAAQ,EACR,UAAU,EACV,eAAe,GAAG,KAAK,EACvB,aAAa,GAAG,QAAQ,GACL;IACnB,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,GAAG,qBAAqB,EAAE,CAAC;IAClE,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAkB,IAAI,CAAC,CAAC;IACxD,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,QAAQ,CAAqB,IAAI,CAAC,CAAC;IACjE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,QAAQ,CAAe,IAAI,CAAC,CAAC;IAEvD,SAAS,CAAC,GAAG,EAAE;QACd,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc;YAAE,OAAO;QAE9C,MAAM,cAAc,GAAG,KAAK,IAAI,EAAE;YACjC,IAAI,CAAC;gBACJ,cAAc,CAAC,IAAI,CAAC,CAAC;gBACrB,YAAY,CAAC,IAAI,CAAC,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAEf,0CAA0C;gBAC1C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,CAAC;gBAE7C,IAAI,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;oBACvB,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAgB,CAAC,CAAC;oBACtC,UAAU,CAAE,MAAM,CAAC,IAAI,CAAC,OAAuB,IAAI,IAAI,CAAC,CAAC;oBAEzD,oDAAoD;oBACpD,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;wBAC7B,IAAI,CAAC;4BACJ,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;4BAC9E,MAAM,SAAS,GAAG,WAAW,CAAC,IAAsC,CAAC;4BACrE,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;gCACtB,aAAa,CAAC,UAAU,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;4BAC5C,CAAC;iCAAM,CAAC;gCACP,aAAa,CAAC,IAAI,CAAC,CAAC;4BACrB,CAAC;wBACF,CAAC;wBAAC,MAAM,CAAC;4BACR,8CAA8C;4BAC9C,aAAa,CAAC,IAAI,CAAC,CAAC;wBACrB,CAAC;oBACF,CAAC;yBAAM,CAAC;wBACP,aAAa,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;gBACF,CAAC;qBAAM,CAAC;oBACP,OAAO,CAAC,IAAI,CAAC,CAAC;oBACd,UAAU,CAAC,IAAI,CAAC,CAAC;oBACjB,aAAa,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;YACF,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;gBAC/D,QAAQ,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;gBAC7E,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,UAAU,CAAC,IAAI,CAAC,CAAC;gBACjB,aAAa,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;oBAAS,CAAC;gBACV,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,YAAY,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACF,CAAC,CAAC;QAEF,cAAc,EAAE,CAAC;QAEjB,MAAM,QAAQ,GAAG,WAAW,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;QAC9D,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC,EAAE,CAAC,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhF,MAAM,YAAY,GAAG,OAAO,CAC3B,GAAG,EAAE,CAAC,CAAC;QACN,UAAU;QACV,IAAI;QACJ,OAAO;QACP,SAAS;QACT,KAAK;QACL,eAAe,EAAE,CAAC,SAAS,IAAI,IAAI,KAAK,IAAI;KAC5C,CAAC,EACF,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAC7C,CAAC;IAEF,OAAO,KAAC,WAAW,CAAC,QAAQ,IAAC,KAAK,EAAE,YAAY,YAAG,QAAQ,GAAwB,CAAC;AACrF,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,OAAO;IACtB,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,OAAO,CAAC;AAChB,CAAC"}

package/dist/agentuity/server.d.ts

@@ -0,0 +1,220 @@
+/**
+ * Auth Hono middleware and handlers for @agentuity/auth.
+ *
+ * Provides session and API key authentication middleware for Hono applications.
+ *
+ * @module agentuity/server
+ */
+import type { Context, MiddlewareHandler } from 'hono';
+import type { AuthBase } from './config';
+import type { AuthUser, AuthSession, AuthOrgContext, AuthInterface } from './types';
+/**
+ * Configuration for OpenTelemetry span attributes.
+ * All attributes are included by default. Set to `false` to opt-out of specific PII.
+ */
+export interface OtelSpansConfig {
+    /**
+     * Include user email in spans (`auth.user.email`).
+     * @default true
+     */
+    email?: boolean;
+    /**
+     * Include organization name in spans (`auth.org.name`).
+     * @default true
+     */
+    orgName?: boolean;
+}
+export interface AuthMiddlewareOptions {
+    /**
+     * If true, don't return 401 on missing auth - just continue without auth context.
+     * Useful for routes that work for both authenticated and anonymous users.
+     */
+    optional?: boolean;
+    /**
+     * Configure which attributes are included in OpenTelemetry spans.
+     * All PII attributes are included by default. Use this to opt-out of specific fields.
+     *
+     * @example Disable email in spans
+     * ```typescript
+     * createSessionMiddleware(auth, { otelSpans: { email: false } })
+     * ```
+     */
+    otelSpans?: OtelSpansConfig;
+    /**
+     * Require that the authenticated user has one of the given org roles.
+     * If the user is authenticated but lacks the required role, a 403 is returned.
+     * Only applies when authentication succeeds (ignored for optional + anonymous).
+     *
+     * @example Require admin or owner role
+     * ```typescript
+     * createSessionMiddleware(auth, { hasOrgRole: ['admin', 'owner'] })
+     * ```
+     */
+    hasOrgRole?: string | string[];
+}
+export interface ApiKeyMiddlewareOptions {
+    /**
+     * If true, don't return 401 on missing/invalid API key - just continue without auth context.
+     */
+    optional?: boolean;
+    /**
+     * Configure which attributes are included in OpenTelemetry spans.
+     * All PII attributes are included by default. Use this to opt-out of specific fields.
+     *
+     * @example Disable email in spans
+     * ```typescript
+     * createApiKeyMiddleware(auth, { otelSpans: { email: false } })
+     * ```
+     */
+    otelSpans?: OtelSpansConfig;
+    /**
+     * Require that the API key has specific permissions.
+     * If the API key lacks any required permission, a 403 is returned.
+     *
+     * @example Require project write permission
+     * ```typescript
+     * createApiKeyMiddleware(auth, { hasPermission: { project: 'write' } })
+     * ```
+     *
+     * @example Require multiple permissions
+     * ```typescript
+     * createApiKeyMiddleware(auth, {
+     *   hasPermission: { project: ['read', 'write'], admin: '*' }
+     * })
+     * ```
+     */
+    hasPermission?: Record<string, string | string[]>;
+}
+/**
+ * Hono context variables set by the middleware.
+ */
+export type AuthEnv = {
+    Variables: {
+        auth: AuthInterface<AuthUser>;
+        user: AuthUser | null;
+        authSession: AuthSession | null;
+        org: AuthOrgContext | null;
+    };
+};
+/**
+ * Create Hono middleware that validates sessions.
+ *
+ * Sets context variables (`user`, `session`, `org`, `auth`) for authenticated requests.
+ *
+ * OpenTelemetry spans are automatically enriched with auth attributes:
+ * - `auth.user.id` - User ID (always included)
+ * - `auth.user.email` - User email (included by default, opt-out via `otelSpans.email: false`)
+ * - `auth.method` - 'session' or 'bearer' (always included)
+ * - `auth.provider` - 'Auth' (always included)
+ * - `auth.org.id` - Active organization ID (always included if set)
+ * - `auth.org.name` - Organization name (included by default, opt-out via `otelSpans.orgName: false`)
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { createSessionMiddleware } from '@agentuity/auth';
+ * import { auth } from './auth';
+ *
+ * const app = new Hono();
+ * app.use('/api/*', createSessionMiddleware(auth));
+ *
+ * app.get('/api/me', (c) => {
+ *   const user = c.var.user;
+ *   if (!user) return c.json({ error: 'Unauthorized' }, 401);
+ *   return c.json({ id: user.id });
+ * });
+ * ```
+ *
+ * @example Using auth wrapper with org role check
+ * ```typescript
+ * app.get('/api/admin', createSessionMiddleware(auth, { hasOrgRole: ['admin', 'owner'] }), async (c) => {
+ *   const user = await c.var.auth.getUser();
+ *   return c.json({ id: user.id, message: 'Welcome admin!' });
+ * });
+ * ```
+ */
+export declare function createSessionMiddleware(auth: AuthBase, options?: AuthMiddlewareOptions): MiddlewareHandler<AuthEnv>;
+/**
+ * Create Hono middleware that validates API keys.
+ *
+ * This middleware ONLY accepts API key authentication via:
+ * - `x-agentuity-auth-api-key` header (preferred)
+ * - `Authorization: ApiKey <key>` header
+ *
+ * It does NOT use sessions. For routes that accept both session and API key,
+ * compose with createSessionMiddleware using `{ optional: true }`.
+ *
+ * @example API key only route with permission check
+ * ```typescript
+ * import { createApiKeyMiddleware } from '@agentuity/auth';
+ *
+ * app.post('/webhooks/*', createApiKeyMiddleware(auth, {
+ *   hasPermission: { webhook: 'write' }
+ * }));
+ *
+ * app.post('/webhooks/github', async (c) => {
+ *   // Permission already verified by middleware
+ *   return c.json({ success: true });
+ * });
+ * ```
+ *
+ * @example Either session OR API key (compose with optional)
+ * ```typescript
+ * app.use('/api/*', createSessionMiddleware(auth, { optional: true }));
+ * app.use('/api/*', createApiKeyMiddleware(auth, { optional: true }));
+ *
+ * app.get('/api/data', async (c) => {
+ *   // Works with session OR API key
+ *   if (!c.var.user) return c.json({ error: 'Unauthorized' }, 401);
+ *   return c.json({ data: '...' });
+ * });
+ * ```
+ */
+export declare function createApiKeyMiddleware(auth: AuthBase, options?: ApiKeyMiddlewareOptions): MiddlewareHandler<AuthEnv>;
+/**
+ * Configuration options for mounting auth routes.
+ */
+export interface MountAuthRoutesOptions {
+    /**
+     * Headers to forward from auth responses to the client.
+     * Only headers in this list will be forwarded (case-insensitive).
+     * `set-cookie` is always forwarded with append behavior regardless of this setting.
+     *
+     * @default ['set-cookie', 'content-type', 'location', 'cache-control', 'pragma', 'expires', 'vary', 'etag', 'last-modified']
+     */
+    allowList?: string[];
+}
+/**
+ * Mount auth routes with proper cookie handling and header filtering.
+ *
+ * This wrapper handles cookie merging between auth responses and other middleware.
+ * It ensures both session cookies AND other cookies (like thread cookies)
+ * are preserved while preventing unintended headers from leaking through.
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { mountAuthRoutes } from '@agentuity/auth';
+ * import { auth } from './auth';
+ *
+ * const api = createRouter();
+ *
+ * // Mount all auth routes (sign-in, sign-up, sign-out, session, etc.)
+ * api.on(['GET', 'POST'], '/api/auth/*', mountAuthRoutes(auth));
+ * ```
+ *
+ * @example With custom header allowlist
+ * ```typescript
+ * api.on(['GET', 'POST'], '/api/auth/*', mountAuthRoutes(auth, {
+ *   allowList: ['set-cookie', 'content-type', 'location', 'x-custom-header']
+ * }));
+ * ```
+ */
+export declare function mountAuthRoutes(auth: AuthBase, options?: MountAuthRoutesOptions): (c: Context) => Promise<Response>;
+declare module 'hono' {
+    interface ContextVariableMap {
+        auth: AuthInterface<AuthUser>;
+        user: AuthUser | null;
+        authSession: AuthSession | null;
+        org: AuthOrgContext | null;
+    }
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/agentuity/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/agentuity/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAGvD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,EACX,QAAQ,EACR,WAAW,EACX,cAAc,EAGd,aAAa,EACb,MAAM,SAAS,CAAC;AAEjB;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC/B;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,qBAAqB;IACrC;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;;;;;;OAQG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAE5B;;;;;;;;;OASG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,uBAAuB;IACvC;;OAEG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;;;;;;OAQG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAE5B;;;;;;;;;;;;;;;OAeG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;CAClD;AAED;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG;IACrB,SAAS,EAAE;QACV,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;QACtB,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;QAChC,GAAG,EAAE,cAAc,GAAG,IAAI,CAAC;KAC3B,CAAC;CACF,CAAC;AAuMF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,uBAAuB,CACtC,IAAI,EAAE,QAAQ,EACd,OAAO,GAAE,qBAA0B,GACjC,iBAAiB,CAAC,OAAO,CAAC,CA6F5B;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,sBAAsB,CACrC,IAAI,EAAE,QAAQ,EACd,OAAO,GAAE,uBAA4B,GACnC,iBAAiB,CAAC,OAAO,CAAC,CAoI5B;AAsBD;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACtC;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAC9B,IAAI,EAAE,QAAQ,EACd,OAAO,GAAE,sBAA2B,GAClC,CAAC,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAgCnC;AAMD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,IAAI,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;QACtB,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;QAChC,GAAG,EAAE,cAAc,GAAG,IAAI,CAAC;KAC3B;CACD"}