@amodalai/runtime 0.2.8 → 0.2.10

package/dist/src/role-provider.d.ts

@@ -0,0 +1,90 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * RoleProvider — minimal user role abstraction for role-gated routes.
+ *
+ * The OSS runtime defines this interface; hosting layers (cloud, self-hosted,
+ * `amodal dev`) provide their own implementations:
+ *  - `amodal dev`: returns `ops` for everyone (the developer is the only user)
+ *  - cloud: parses platform JWT claims → ops/admin/user
+ *  - self-hosted: customer plugs in their own auth (OIDC, custom JWT, etc.)
+ *
+ * The runtime gates admin/ops API routes through `requireRole` middleware
+ * which calls into the configured RoleProvider on each request.
+ */
+import type { Request, RequestHandler } from 'express';
+/**
+ * The three roles the runtime understands. Roles are ordered by privilege:
+ * `user` < `admin` < `ops`.
+ *
+ *  - `user`  — end-user. Can chat with the agent and see their own sessions.
+ *  - `admin` — agent admin (Sally). Can edit content (skills, knowledge, prompts)
+ *              and view operational state (sessions, automations, stores).
+ *              Cannot edit infrastructure (connections, model, tools).
+ *  - `ops`   — developer / platform admin. Can edit everything including
+ *              connections, model config, and custom tools. Can run evals and
+ *              inspect runtime internals.
+ */
+export type RuntimeRole = 'user' | 'admin' | 'ops';
+export interface RuntimeUser {
+    /** Stable identifier for the user (email, sub claim, or 'local-dev'). */
+    id: string;
+    /** The user's role. Determines which routes they can access. */
+    role: RuntimeRole;
+}
+export interface RoleProvider {
+    /**
+     * Resolve the current user from the HTTP request, or `null` if the request
+     * is unauthenticated.
+     *
+     * Implementations should be stateless and cheap to call — `requireRole`
+     * invokes them on every protected request.
+     */
+    resolveUser(req: Request): Promise<RuntimeUser | null>;
+}
+/**
+ * Default RoleProvider used when none is configured.
+ *
+ * Returns `ops` for every request — appropriate for `amodal dev` (where the
+ * developer is the only user) and for backwards compatibility with existing
+ * deployments that don't yet provide a RoleProvider.
+ *
+ * Hosting layers MUST replace this with their own implementation in production.
+ */
+export declare const defaultRoleProvider: RoleProvider;
+/**
+ * Express middleware factory that gates a route on a minimum role.
+ *
+ * Usage:
+ * ```
+ * app.put('/api/files/*', requireRole(roleProvider, 'admin'), handler);
+ * app.put('/api/connections/*', requireRole(roleProvider, 'ops'), handler);
+ * ```
+ *
+ * Behavior:
+ *  - 401 if `resolveUser` returns null (unauthenticated)
+ *  - 403 if the user's role is below the minimum
+ *  - Otherwise sets `res.locals.user` and calls `next()`
+ *
+ * The resolved user is attached to `res.locals.user` so handlers can read it
+ * without re-resolving.
+ */
+export declare function requireRole(roleProvider: RoleProvider, minRole: RuntimeRole): RequestHandler;
+/**
+ * Typed error thrown when the RoleProvider itself fails (not when a user
+ * is unauthenticated or forbidden — those are handled directly with HTTP
+ * status codes).
+ */
+export declare class RoleProviderError extends Error {
+    readonly code: string;
+    readonly cause: unknown;
+    constructor(code: string, message: string, cause?: unknown);
+}
+/**
+ * Compare two roles. Returns true if `a` is at least as privileged as `b`.
+ * Useful for inline checks inside route handlers.
+ */
+export declare function hasRole(user: RuntimeUser | null, minRole: RuntimeRole): boolean;

package/dist/src/role-provider.js

@@ -0,0 +1,127 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { asyncHandler } from './routes/route-helpers.js';
+import { createLogger } from './logger.js';
+const log = createLogger({ component: 'role-provider' });
+/**
+ * Numeric privilege level for each role. Used by `requireRole` to compare
+ * the resolved role against the route's minimum requirement.
+ */
+const ROLE_LEVEL = {
+    user: 0,
+    admin: 1,
+    ops: 2,
+};
+/**
+ * Default RoleProvider used when none is configured.
+ *
+ * Returns `ops` for every request — appropriate for `amodal dev` (where the
+ * developer is the only user) and for backwards compatibility with existing
+ * deployments that don't yet provide a RoleProvider.
+ *
+ * Hosting layers MUST replace this with their own implementation in production.
+ */
+export const defaultRoleProvider = {
+    async resolveUser() {
+        return { id: 'local-dev', role: 'ops' };
+    },
+};
+/**
+ * Express middleware factory that gates a route on a minimum role.
+ *
+ * Usage:
+ * ```
+ * app.put('/api/files/*', requireRole(roleProvider, 'admin'), handler);
+ * app.put('/api/connections/*', requireRole(roleProvider, 'ops'), handler);
+ * ```
+ *
+ * Behavior:
+ *  - 401 if `resolveUser` returns null (unauthenticated)
+ *  - 403 if the user's role is below the minimum
+ *  - Otherwise sets `res.locals.user` and calls `next()`
+ *
+ * The resolved user is attached to `res.locals.user` so handlers can read it
+ * without re-resolving.
+ */
+export function requireRole(roleProvider, minRole) {
+    const minLevel = ROLE_LEVEL[minRole];
+    return asyncHandler(async (req, res, next) => {
+        let user;
+        try {
+            user = await roleProvider.resolveUser(req);
+        }
+        catch (err) {
+            // RoleProvider failures are infrastructure errors. Log with context and
+            // forward as a typed error to the central error handler, which will
+            // sanitize the response (we deliberately don't expose the underlying
+            // error message to the client here).
+            log.error('role_provider_failed', {
+                path: req.path,
+                method: req.method,
+                required_role: minRole,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            next(new RoleProviderError('role_provider_failed', 'Failed to resolve user role', err));
+            return;
+        }
+        if (!user) {
+            log.warn('role_check_unauthenticated', {
+                path: req.path,
+                method: req.method,
+                required_role: minRole,
+            });
+            res.status(401).json({
+                error: { code: 'unauthenticated', message: 'Authentication required' },
+            });
+            return;
+        }
+        if (ROLE_LEVEL[user.role] < minLevel) {
+            log.warn('role_check_forbidden', {
+                path: req.path,
+                method: req.method,
+                user_id: user.id,
+                current_role: user.role,
+                required_role: minRole,
+            });
+            res.status(403).json({
+                error: {
+                    code: 'forbidden',
+                    message: `Requires ${minRole} role`,
+                    required_role: minRole,
+                    current_role: user.role,
+                },
+            });
+            return;
+        }
+        res.locals['user'] = user;
+        next();
+    });
+}
+/**
+ * Typed error thrown when the RoleProvider itself fails (not when a user
+ * is unauthenticated or forbidden — those are handled directly with HTTP
+ * status codes).
+ */
+export class RoleProviderError extends Error {
+    code;
+    cause;
+    constructor(code, message, cause) {
+        super(message);
+        this.name = 'RoleProviderError';
+        this.code = code;
+        this.cause = cause;
+    }
+}
+/**
+ * Compare two roles. Returns true if `a` is at least as privileged as `b`.
+ * Useful for inline checks inside route handlers.
+ */
+export function hasRole(user, minRole) {
+    if (!user)
+        return false;
+    return ROLE_LEVEL[user.role] >= ROLE_LEVEL[minRole];
+}
+//# sourceMappingURL=role-provider.js.map

package/dist/src/role-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-provider.js","sourceRoot":"","sources":["../../src/role-provider.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgBH,OAAO,EAAC,YAAY,EAAC,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAC,YAAY,EAAC,MAAM,aAAa,CAAC;AAEzC,MAAM,GAAG,GAAG,YAAY,CAAC,EAAC,SAAS,EAAE,eAAe,EAAC,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,UAAU,GAAgC;IAC9C,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,GAAG,EAAE,CAAC;CACP,CAAC;AAoBF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAiB;IAC/C,KAAK,CAAC,WAAW;QACf,OAAO,EAAC,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,WAAW,CACzB,YAA0B,EAC1B,OAAoB;IAEpB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3C,IAAI,IAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,wEAAwE;YACxE,oEAAoE;YACpE,qEAAqE;YACrE,qCAAqC;YACrC,GAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBAChC,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,aAAa,EAAE,OAAO;gBACtB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,iBAAiB,CACxB,sBAAsB,EACtB,6BAA6B,EAC7B,GAAG,CACJ,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;gBACrC,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,aAAa,EAAE,OAAO;aACvB,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAC;aACrE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC;YACrC,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE;gBAC/B,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,YAAY,EAAE,IAAI,CAAC,IAAI;gBACvB,aAAa,EAAE,OAAO;aACvB,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE;oBACL,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,YAAY,OAAO,OAAO;oBACnC,aAAa,EAAE,OAAO;oBACtB,YAAY,EAAE,IAAI,CAAC,IAAI;iBACxB;aACF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QAC1B,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,CAAS;IACJ,KAAK,CAAU;IACjC,YAAY,IAAY,EAAE,OAAe,EAAE,KAAe;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAwB,EAAE,OAAoB;IACpE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;AACtD,CAAC"}

package/dist/src/role-provider.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/role-provider.test.js

@@ -0,0 +1,179 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { defaultRoleProvider, requireRole, hasRole, RoleProviderError, } from './role-provider.js';
+function createMockRes() {
+    return {
+        status: vi.fn().mockReturnThis(),
+        json: vi.fn().mockReturnThis(),
+        locals: {},
+    };
+}
+function makeProvider(user) {
+    return {
+        async resolveUser() {
+            return user;
+        },
+    };
+}
+/**
+ * Run an Express middleware and wait for it to settle by racing two signals:
+ * either `next()` was called, or `res.json()` was called. This avoids the
+ * brittle `setTimeout(0)` microtask-flush hack.
+ */
+async function runMiddleware(middleware, res) {
+    const nextCalls = [];
+    const settled = new Promise((resolve) => {
+        const onSettle = () => { resolve(); };
+        res.json.mockImplementation(() => { onSettle(); return res; });
+        const next = (...args) => {
+            nextCalls.push(args);
+            onSettle();
+        };
+        middleware({}, res, next);
+    });
+    await settled;
+    return { nextCalls };
+}
+// ---------------------------------------------------------------------------
+// defaultRoleProvider
+// ---------------------------------------------------------------------------
+describe('defaultRoleProvider', () => {
+    it('returns ops for any request', async () => {
+        const user = await defaultRoleProvider.resolveUser({});
+        expect(user).toEqual({ id: 'local-dev', role: 'ops' });
+    });
+});
+// ---------------------------------------------------------------------------
+// hasRole
+// ---------------------------------------------------------------------------
+describe('hasRole', () => {
+    const user = { id: 'u1', role: 'user' };
+    const admin = { id: 'a1', role: 'admin' };
+    const ops = { id: 'o1', role: 'ops' };
+    it('user does not satisfy admin', () => {
+        expect(hasRole(user, 'admin')).toBe(false);
+    });
+    it('user does not satisfy ops', () => {
+        expect(hasRole(user, 'ops')).toBe(false);
+    });
+    it('user satisfies user', () => {
+        expect(hasRole(user, 'user')).toBe(true);
+    });
+    it('admin satisfies admin and user', () => {
+        expect(hasRole(admin, 'admin')).toBe(true);
+        expect(hasRole(admin, 'user')).toBe(true);
+    });
+    it('admin does not satisfy ops', () => {
+        expect(hasRole(admin, 'ops')).toBe(false);
+    });
+    it('ops satisfies all roles', () => {
+        expect(hasRole(ops, 'ops')).toBe(true);
+        expect(hasRole(ops, 'admin')).toBe(true);
+        expect(hasRole(ops, 'user')).toBe(true);
+    });
+    it('null user does not satisfy any role', () => {
+        expect(hasRole(null, 'user')).toBe(false);
+        expect(hasRole(null, 'admin')).toBe(false);
+        expect(hasRole(null, 'ops')).toBe(false);
+    });
+});
+// ---------------------------------------------------------------------------
+// requireRole
+// ---------------------------------------------------------------------------
+describe('requireRole', () => {
+    it('returns 401 when resolveUser returns null', async () => {
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider(null), 'admin');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(res.status).toHaveBeenCalledWith(401);
+        expect(res.json).toHaveBeenCalledWith({
+            error: { code: 'unauthenticated', message: 'Authentication required' },
+        });
+        expect(nextCalls).toHaveLength(0);
+    });
+    it('returns 403 when user role is below minimum', async () => {
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider({ id: 'u1', role: 'user' }), 'admin');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(res.status).toHaveBeenCalledWith(403);
+        expect(res.json).toHaveBeenCalledWith({
+            error: {
+                code: 'forbidden',
+                message: 'Requires admin role',
+                required_role: 'admin',
+                current_role: 'user',
+            },
+        });
+        expect(nextCalls).toHaveLength(0);
+    });
+    it('returns 403 when admin tries to access ops route', async () => {
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider({ id: 'a1', role: 'admin' }), 'ops');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(res.status).toHaveBeenCalledWith(403);
+        expect(nextCalls).toHaveLength(0);
+    });
+    it('calls next() and sets res.locals.user when admin accesses admin route', async () => {
+        const user = { id: 'a1', role: 'admin' };
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider(user), 'admin');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(res.status).not.toHaveBeenCalled();
+        expect(nextCalls).toHaveLength(1);
+        expect(nextCalls[0]).toEqual([]); // no error arg
+        expect(res.locals['user']).toEqual(user);
+    });
+    it('calls next() when ops accesses admin route', async () => {
+        const user = { id: 'o1', role: 'ops' };
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider(user), 'admin');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(nextCalls).toHaveLength(1);
+        expect(res.locals['user']).toEqual(user);
+    });
+    it('calls next() when user accesses user-level route', async () => {
+        const user = { id: 'u1', role: 'user' };
+        const res = createMockRes();
+        const middleware = requireRole(makeProvider(user), 'user');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(nextCalls).toHaveLength(1);
+        expect(res.locals['user']).toEqual(user);
+    });
+    it('forwards RoleProviderError to error handler when resolveUser throws', async () => {
+        const provider = {
+            async resolveUser() {
+                throw new Error('database connection failed');
+            },
+        };
+        const res = createMockRes();
+        const middleware = requireRole(provider, 'admin');
+        const { nextCalls } = await runMiddleware(middleware, res);
+        expect(nextCalls).toHaveLength(1);
+        expect(nextCalls[0]).toHaveLength(1);
+        const err = nextCalls[0]?.[0];
+        expect(err).toBeInstanceOf(RoleProviderError);
+        expect(err.code).toBe('role_provider_failed');
+        // The original error is preserved as the cause for diagnostics
+        expect(err.cause).toBeInstanceOf(Error);
+        expect(err.cause.message).toBe('database connection failed');
+    });
+    it('does not write a response body when resolveUser throws', async () => {
+        // The middleware passes the error to next() instead of writing a response
+        // directly. The actual error sanitization happens in errorHandler.
+        const provider = {
+            async resolveUser() {
+                throw new Error('SECRET INTERNAL DETAIL');
+            },
+        };
+        const res = createMockRes();
+        const middleware = requireRole(provider, 'admin');
+        await runMiddleware(middleware, res);
+        expect(res.status).not.toHaveBeenCalled();
+        expect(res.json).not.toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=role-provider.test.js.map

package/dist/src/role-provider.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-provider.test.js","sourceRoot":"","sources":["../../src/role-provider.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAC,MAAM,QAAQ,CAAC;AAEhD,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,OAAO,EACP,iBAAiB,GAGlB,MAAM,oBAAoB,CAAC;AAQ5B,SAAS,aAAa;IACpB,OAAO;QACL,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,EAAE;QAChC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,EAAE;QAC9B,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAwB;IAC5C,OAAO;QACL,KAAK,CAAC,WAAW;YACf,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAC1B,UAA0C,EAC1C,GAAY;IAEZ,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAC5C,MAAM,QAAQ,GAAG,GAAS,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAiB,CAAC,GAAG,IAAe,EAAE,EAAE;YAChD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,QAAQ,EAAE,CAAC;QACb,CAAC,CAAC;QACF,UAAU,CAAC,EAAa,EAAE,GAA0B,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC;IACd,OAAO,EAAC,SAAS,EAAC,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,WAAW,CAAC,EAAa,CAAC,CAAC;QAClE,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;IACvB,MAAM,IAAI,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAC,CAAC;IACnD,MAAM,KAAK,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAC,CAAC;IACrD,MAAM,GAAG,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC;IAEjD,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAAC;YACpC,KAAK,EAAE,EAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAC;SACrE,CAAC,CAAC;QACH,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAChF,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAAC;YACpC,KAAK,EAAE;gBACL,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,qBAAqB;gBAC9B,aAAa,EAAE,OAAO;gBACtB,YAAY,EAAE,MAAM;aACrB;SACF,CAAC,CAAC;QACH,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC/E,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,IAAI,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAC,CAAC;QACpD,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe;QACjD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,IAAI,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC;QAClD,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,IAAI,GAAgB,EAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAC,CAAC;QACnD,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;QAC3D,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,QAAQ,GAAiB;YAC7B,KAAK,CAAC,WAAW;gBACf,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,EAAC,SAAS,EAAC,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC;QAC9C,MAAM,CAAE,GAAyB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACrE,+DAA+D;QAC/D,MAAM,CAAE,GAAyB,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC/D,MAAM,CAAG,GAAyB,CAAC,KAAe,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACjG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,0EAA0E;QAC1E,mEAAmE;QACnE,MAAM,QAAQ,GAAiB;YAC7B,KAAK,CAAC,WAAW;gBACf,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,CAAC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAErC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/routes/route-helpers.js

@@ -71,7 +71,7 @@ export async function fireDrainHooks(sessionManager, hooks, ctx) {
         });
     }
     if (hooks?.onSessionPersist) {
-        hooks.onSessionPersist(session.id, [], 'completed', {
+        hooks.onSessionPersist(session.id, session.messages, 'completed', {
             model: session.model,
             provider: session.providerName,
         });

package/dist/src/routes/route-helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"route-helpers.js","sourceRoot":"","sources":["../../../src/routes/route-helpers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,EAA0F;IAE1F,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,wEAAwE;AACxE,MAAM,CAAC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AAE3C,0DAA0D;AAC1D,MAAM,CAAC,MAAM,uBAAuB,GAAG,mBAAmB,CAAC;AAW3D;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,KAA8B,EAC9B,OAAgB;IAEhB,IAAI,CAAC,KAAK,EAAE,aAAa;QAAE,OAAO,SAAS,CAAC;IAC5C,OAAO,CAAC,KAAgB,EAAE,EAAE;QAC1B,KAAK,CAAC,aAAa,EAAE,CAAC;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,aAAa,EAAE,CAAC;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,YAAY,EAAE,KAAK,CAAC,iBAAiB;aACtC;SACF,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,cAAwC,EACxC,KAA8B,EAC9B,GAAiB;IAEjB,MAAM,EAAC,OAAO,EAAE,SAAS,EAAC,GAAG,GAAG,CAAC;IAEjC,2EAA2E;IAC3E,2EAA2E;IAC3E,4EAA4E;IAC5E,MAAM,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,KAAK,EAAE,UAAU,EAAE,CAAC;QACtB,KAAK,CAAC,UAAU,CAAC;YACf,KAAK,EAAE,uBAAuB;YAC9B,aAAa,EAAE,OAAO,CAAC,EAAE;YACzB,OAAO,EAAE;gBACP,UAAU,EAAE,OAAO,CAAC,EAAE;gBACtB,UAAU,EAAE,SAAS;gBACrB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,YAAY;aAC/B;SACF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,KAAK,EAAE,gBAAgB,EAAE,CAAC;QAC5B,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE;YAClD,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,QAAQ,EAAE,OAAO,CAAC,YAAY;SAC/B,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}
+{"version":3,"file":"route-helpers.js","sourceRoot":"","sources":["../../../src/routes/route-helpers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,EAA0F;IAE1F,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,wEAAwE;AACxE,MAAM,CAAC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AAE3C,0DAA0D;AAC1D,MAAM,CAAC,MAAM,uBAAuB,GAAG,mBAAmB,CAAC;AAW3D;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,KAA8B,EAC9B,OAAgB;IAEhB,IAAI,CAAC,KAAK,EAAE,aAAa;QAAE,OAAO,SAAS,CAAC;IAC5C,OAAO,CAAC,KAAgB,EAAE,EAAE;QAC1B,KAAK,CAAC,aAAa,EAAE,CAAC;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,aAAa,EAAE,CAAC;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,YAAY,EAAE,KAAK,CAAC,iBAAiB;aACtC;SACF,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,cAAwC,EACxC,KAA8B,EAC9B,GAAiB;IAEjB,MAAM,EAAC,OAAO,EAAE,SAAS,EAAC,GAAG,GAAG,CAAC;IAEjC,2EAA2E;IAC3E,2EAA2E;IAC3E,4EAA4E;IAC5E,MAAM,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,KAAK,EAAE,UAAU,EAAE,CAAC;QACtB,KAAK,CAAC,UAAU,CAAC;YACf,KAAK,EAAE,uBAAuB;YAC9B,aAAa,EAAE,OAAO,CAAC,EAAE;YACzB,OAAO,EAAE;gBACP,UAAU,EAAE,OAAO,CAAC,EAAE;gBACtB,UAAU,EAAE,SAAS;gBACrB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,YAAY;aAC/B;SACF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,KAAK,EAAE,gBAAgB,EAAE,CAAC;QAC5B,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE;YAChE,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,QAAQ,EAAE,OAAO,CAAC,YAAY;SAC/B,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/src/server.d.ts

@@ -19,6 +19,7 @@ import type { AuthContext } from './middleware/auth.js';
 import type { SessionComponents } from './session/session-builder.js';
 import type { ServerConfig } from './types.js';
 import { RuntimeEventBus } from './events/event-bus.js';
+import { type RoleProvider } from './role-provider.js';
 export interface ServerInstance {
     app: Express;
     start: () => Promise<http.Server>;
@@ -35,6 +36,19 @@ export interface CreateServerOptions {
     fallbackMiddleware?: express.RequestHandler;
     /** Auth middleware for protected routes (injected by hosting layer) */
     authMiddleware?: express.RequestHandler;
+    /**
+     * RoleProvider for role-gated routes (config editing, admin actions, etc).
+     *
+     * Defaults to `defaultRoleProvider` which returns `ops` for all requests —
+     * appropriate for `amodal dev` where the developer is the only user.
+     *
+     * Hosting layers (cloud, self-hosted) should provide their own implementation
+     * that maps the request's auth context to a `user`/`admin`/`ops` role.
+     *
+     * The runtime exposes the resolved role at `GET /api/me` and uses it to
+     * gate config-editing routes via the `requireRole` middleware.
+     */
+    roleProvider?: RoleProvider;
     /** Additional routers to mount (e.g., session history proxy) */
     additionalRouters?: express.Router[];
     /** Factory that builds per-request stream hooks from the auth context */
@@ -75,6 +89,8 @@ export interface CreateServerOptions {
     };
     /** Event bus for channel lifecycle events. If omitted, a minimal one is created. */
     channelEventBus?: RuntimeEventBus;
+    /** Optional session store for persisting sessions across restarts. */
+    sessionStore?: import('./session/store.js').SessionStore;
 }
 /**
  * Create the Express server with all routes, session management, and graceful shutdown.

package/dist/src/server.js

@@ -19,6 +19,8 @@ import { RuntimeEventBus } from './events/event-bus.js';
 import { createChannelsRouter } from './channels/routes.js';
 import { MessageDedupCache } from './channels/dedup-cache.js';
 import { log, createLogger } from './logger.js';
+import { defaultRoleProvider } from './role-provider.js';
+import { asyncHandler } from './routes/route-helpers.js';
 /**
  * Create the Express server with all routes, session management, and graceful shutdown.
  */
@@ -30,6 +32,7 @@ export function createServer(options) {
     const sessionManager = new StandaloneSessionManager({
         logger: sessionLogger,
         ttlMs: config.sessionTtlMs,
+        ...(options.sessionStore ? { store: options.sessionStore } : {}),
     });
     sessionManager.start();
     const shared = {
@@ -66,6 +69,24 @@ export function createServer(options) {
             active_sessions: sessionManager.size,
         });
     });
+    // RoleProvider — defaults to "everyone is ops" for amodal dev / backwards compat.
+    // Hosting layers inject their own provider via createServer options.
+    const roleProvider = options.roleProvider ?? defaultRoleProvider;
+    // GET /api/me — returns the current user's role.
+    // Used by the runtime-app frontend to decide which nav items / pages to show.
+    // Returns 401 if unauthenticated, otherwise { id, role }.
+    app.get('/api/me', asyncHandler(async (req, res) => {
+        const user = await roleProvider.resolveUser(req);
+        if (!user) {
+            log.warn('api_me_unauthenticated', { path: req.path });
+            res.status(401).json({
+                error: { code: 'unauthenticated', message: 'Authentication required' },
+            });
+            return;
+        }
+        log.debug('api_me_resolved', { user_id: user.id, role: user.role });
+        res.json(user);
+    }));
     // Auth middleware for protected routes (injected by hosting layer)
     if (options.authMiddleware) {
         app.use('/chat', options.authMiddleware);

package/dist/src/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;GAMG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAI9B,OAAO,EAAC,YAAY,EAAC,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAC,oBAAoB,EAAC,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAC,wBAAwB,EAAC,MAAM,sBAAsB,CAAC;AAK9D,OAAO,EAAC,eAAe,EAAC,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAC,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAC,iBAAiB,EAAC,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAC,GAAG,EAAE,YAAY,EAAC,MAAM,aAAa,CAAC;AA8D9C;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAA4B;IACvD,MAAM,EAAC,MAAM,EAAC,GAAG,OAAO,CAAC;IACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,6BAA6B;IAC7B,MAAM,aAAa,GAAG,YAAY,CAAC,EAAC,SAAS,EAAE,gBAAgB,EAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC;QAClD,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,MAAM,CAAC,YAAY;KAC3B,CAAC,CAAC;IACH,cAAc,CAAC,KAAK,EAAE,CAAC;IAEvB,MAAM,MAAM,GAAG;QACb,YAAY,EAAE,IAAI;QAClB,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE,GAAG;KACZ,CAAC;IAEF,sBAAsB;IACtB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IAEtB,kBAAkB;IAClB,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC1B,GAAG,CAAC,MAAM,CAAC,6BAA6B,EAAE,UAAU,CAAC,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,+DAA+D,CAAC,CAAC;QAC5G,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,wCAAwC,CAAC,CAAC;QACrF,GAAG,CAAC,MAAM,CAAC,+BAA+B,EAAE,+BAA+B,CAAC,CAAC;QAC7E,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,iEAAiE;IACjE,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YACjC,eAAe,EAAE,cAAc,CAAC,IAAI;SACrC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;QACzC,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;QAChD,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/C,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC;QAC7B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IACJ,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAC3B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IAEJ,qBAAqB;IACrB,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;QAChG,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,eAAe,CAAC;YACrE,eAAe,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;gBAC9B,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE;oBAC3C,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;QAEH,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,oBAAoB,CAAC;YACxC,QAAQ,EAAE,OAAO,CAAC,eAAe;YACjC,aAAa,EAAE,OAAO,CAAC,oBAAoB;YAC3C,cAAc;YACd,UAAU,EAAE,IAAI,iBAAiB,EAAE;YACnC,QAAQ,EAAE,eAAe;YACzB,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC,CAAC;QAEJ,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAC,QAAQ,EAAE,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EAAC,CAAC,CAAC;IACvF,CAAC;IAED,sEAAsE;IACtE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC/C,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IAED,+BAA+B;IAC/B,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAEtB,IAAI,MAAM,GAAuB,IAAI,CAAC;IAEtC,OAAO;QACL,GAAG;QAEH,KAAK,CAAC,KAAK;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;oBAC3D,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAC,CAAC,CAAC;oBAC1E,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtB,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,IAAI;YACR,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,GAAG,MAAM,CAAC;gBACjB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBACd,IAAI,GAAG;4BAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;4BAChB,OAAO,EAAE,CAAC;oBACjB,CAAC,CAAC,CAAC;oBACH,CAAC,CAAC,mBAAmB,EAAE,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;YAC7B,CAAC;YAED,MAAM,cAAc,CAAC,QAAQ,EAAE,CAAC;YAEhC,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;GAMG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAI9B,OAAO,EAAC,YAAY,EAAC,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAC,oBAAoB,EAAC,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAC,wBAAwB,EAAC,MAAM,sBAAsB,CAAC;AAK9D,OAAO,EAAC,eAAe,EAAC,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAC,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAC,iBAAiB,EAAC,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAC,GAAG,EAAE,YAAY,EAAC,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAC,mBAAmB,EAAoB,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAC,YAAY,EAAC,MAAM,2BAA2B,CAAC;AA6EvD;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAA4B;IACvD,MAAM,EAAC,MAAM,EAAC,GAAG,OAAO,CAAC;IACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,6BAA6B;IAC7B,MAAM,aAAa,GAAG,YAAY,CAAC,EAAC,SAAS,EAAE,gBAAgB,EAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC;QAClD,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,MAAM,CAAC,YAAY;QAC1B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,OAAO,CAAC,YAAY,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CAAC;IACH,cAAc,CAAC,KAAK,EAAE,CAAC;IAEvB,MAAM,MAAM,GAAG;QACb,YAAY,EAAE,IAAI;QAClB,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE,GAAG;KACZ,CAAC;IAEF,sBAAsB;IACtB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IAEtB,kBAAkB;IAClB,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC1B,GAAG,CAAC,MAAM,CAAC,6BAA6B,EAAE,UAAU,CAAC,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,+DAA+D,CAAC,CAAC;QAC5G,GAAG,CAAC,MAAM,CAAC,8BAA8B,EAAE,wCAAwC,CAAC,CAAC;QACrF,GAAG,CAAC,MAAM,CAAC,+BAA+B,EAAE,+BAA+B,CAAC,CAAC;QAC7E,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,iEAAiE;IACjE,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YACjC,eAAe,EAAE,cAAc,CAAC,IAAI;SACrC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kFAAkF;IAClF,qEAAqE;IACrE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,mBAAmB,CAAC;IAEjE,iDAAiD;IACjD,8EAA8E;IAC9E,0DAA0D;IAC1D,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACjD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAC,CAAC,CAAC;YACrD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAC;aACrE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAC,CAAC,CAAC;QAClE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC,CAAC,CAAC,CAAC;IAEJ,mEAAmE;IACnE,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;QACzC,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;QAChD,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/C,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC;QAC7B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IACJ,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAC3B,cAAc;QACd,cAAc,EAAE,EAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAC;QACxD,MAAM;QACN,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC,CAAC;IAEJ,qBAAqB;IACrB,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;QAChG,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,eAAe,CAAC;YACrE,eAAe,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;gBAC9B,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE;oBAC3C,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;QAEH,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,oBAAoB,CAAC;YACxC,QAAQ,EAAE,OAAO,CAAC,eAAe;YACjC,aAAa,EAAE,OAAO,CAAC,oBAAoB;YAC3C,cAAc;YACd,UAAU,EAAE,IAAI,iBAAiB,EAAE;YACnC,QAAQ,EAAE,eAAe;YACzB,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC,CAAC;QAEJ,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAC,QAAQ,EAAE,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EAAC,CAAC,CAAC;IACvF,CAAC;IAED,sEAAsE;IACtE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC/C,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IAED,+BAA+B;IAC/B,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAEtB,IAAI,MAAM,GAAuB,IAAI,CAAC;IAEtC,OAAO;QACL,GAAG;QAEH,KAAK,CAAC,KAAK;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;oBAC3D,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAC,CAAC,CAAC;oBAC1E,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtB,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,IAAI;YACR,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,GAAG,MAAM,CAAC;gBACjB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBACd,IAAI,GAAG;4BAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;4BAChB,OAAO,EAAE,CAAC;oBACjB,CAAC,CAAC,CAAC;oBACH,CAAC,CAAC,mBAAmB,EAAE,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;YAC7B,CAAC;YAED,MAAM,cAAc,CAAC,QAAQ,EAAE,CAAC;YAEhC,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/server.test.js

@@ -6,6 +6,19 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import request from 'supertest';
 import { createServer } from './server.js';
+const ROLE_TEST_CONFIG = {
+    port: 0,
+    host: '127.0.0.1',
+    sessionTtlMs: 30_000,
+    automations: [],
+};
+function makeRoleProvider(user) {
+    return {
+        async resolveUser() {
+            return user;
+        },
+    };
+}
 describe('createServer', () => {
     let serverInstance;
     beforeEach(() => {
@@ -47,4 +60,75 @@ describe('createServer', () => {
         expect(res.status).toBe(404);
     });
 });
+describe('createServer - /api/me', () => {
+    let serverInstance;
+    afterEach(async () => {
+        if (serverInstance)
+            await serverInstance.stop();
+    });
+    it('returns ops user by default (no roleProvider configured)', async () => {
+        serverInstance = createServer({
+            config: ROLE_TEST_CONFIG,
+            version: 'test',
+        });
+        const res = await request(serverInstance.app).get('/api/me');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual({ id: 'local-dev', role: 'ops' });
+    });
+    it('returns user from configured RoleProvider', async () => {
+        serverInstance = createServer({
+            config: ROLE_TEST_CONFIG,
+            roleProvider: makeRoleProvider({ id: 'sally@acme.com', role: 'admin' }),
+        });
+        const res = await request(serverInstance.app).get('/api/me');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual({ id: 'sally@acme.com', role: 'admin' });
+    });
+    it('returns 401 when RoleProvider returns null', async () => {
+        serverInstance = createServer({
+            config: ROLE_TEST_CONFIG,
+            roleProvider: makeRoleProvider(null),
+        });
+        const res = await request(serverInstance.app).get('/api/me');
+        expect(res.status).toBe(401);
+        expect(res.body).toEqual({
+            error: { code: 'unauthenticated', message: 'Authentication required' },
+        });
+    });
+    it('returns 500 when RoleProvider throws', async () => {
+        serverInstance = createServer({
+            config: ROLE_TEST_CONFIG,
+            roleProvider: {
+                async resolveUser() {
+                    throw new Error('database connection failed');
+                },
+            },
+        });
+        const res = await request(serverInstance.app).get('/api/me');
+        expect(res.status).toBe(500);
+        expect(res.body).toHaveProperty('error');
+    });
+    it('passes the request through to the provider', async () => {
+        let capturedHeader;
+        serverInstance = createServer({
+            config: ROLE_TEST_CONFIG,
+            roleProvider: {
+                async resolveUser(req) {
+                    const auth = req.headers['authorization'];
+                    capturedHeader = typeof auth === 'string' ? auth : undefined;
+                    if (capturedHeader === 'Bearer test-token') {
+                        return { id: 'test-user', role: 'ops' };
+                    }
+                    return null;
+                },
+            },
+        });
+        const res = await request(serverInstance.app)
+            .get('/api/me')
+            .set('Authorization', 'Bearer test-token');
+        expect(res.status).toBe(200);
+        expect(capturedHeader).toBe('Bearer test-token');
+        expect(res.body).toEqual({ id: 'test-user', role: 'ops' });
+    });
+});
 //# sourceMappingURL=server.test.js.map