@amodalai/runtime 0.3.69 → 0.3.71

package/dist/src/auth/strategies/cookie.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * CookieSessionStrategy — reads a session JWT from a cookie and verifies
+ * it against a JWKS endpoint. Useful for SPA + runtime stacks that don't
+ * sit behind cf-worker (or any other Bearer-injecting proxy) and need
+ * cookie-based session continuity in the browser.
+ *
+ * The JWT contract is the same as `JwksAuthStrategy` — same JWKS, same
+ * issuer check, same claim shape. The only difference is where the token
+ * lives (cookie vs Authorization header).
+ */
+import { createRemoteJWKSet } from 'jose';
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface CookieSessionStrategyOptions {
+    /** Cookie name to read. Defaults to `'amodal_session'`. */
+    cookieName?: string;
+    /** JWKS endpoint URL — same shape as `JwksAuthStrategy`. */
+    jwksUrl: string;
+    /** Required `iss` claim. Defaults to no issuer check. */
+    issuer?: string;
+    /** Override `AuthSession.method`. Defaults to `'cookie'`. */
+    authMethod?: string;
+    /** Pass-through to `jose.createRemoteJWKSet`. */
+    jwksOptions?: Parameters<typeof createRemoteJWKSet>[1];
+}
+export declare class CookieSessionStrategy implements AuthStrategy {
+    readonly name = "cookie";
+    private readonly cookieName;
+    private readonly jwks;
+    private readonly issuer?;
+    private readonly authMethod;
+    constructor(options: CookieSessionStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    private readCookie;
+}

package/dist/src/auth/strategies/cookie.js

@@ -0,0 +1,84 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * CookieSessionStrategy — reads a session JWT from a cookie and verifies
+ * it against a JWKS endpoint. Useful for SPA + runtime stacks that don't
+ * sit behind cf-worker (or any other Bearer-injecting proxy) and need
+ * cookie-based session continuity in the browser.
+ *
+ * The JWT contract is the same as `JwksAuthStrategy` — same JWKS, same
+ * issuer check, same claim shape. The only difference is where the token
+ * lives (cookie vs Authorization header).
+ */
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+export class CookieSessionStrategy {
+    name = 'cookie';
+    cookieName;
+    jwks;
+    issuer;
+    authMethod;
+    constructor(options) {
+        this.cookieName = options.cookieName ?? 'amodal_session';
+        this.jwks = createRemoteJWKSet(new URL(options.jwksUrl), options.jwksOptions);
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        this.authMethod = options.authMethod ?? 'cookie';
+    }
+    valid(req) {
+        return Boolean(this.readCookie(req));
+    }
+    async authenticate(req) {
+        const token = this.readCookie(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No session cookie' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.jwks, this.issuer ? { issuer: this.issuer } : {});
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `Cookie session JWT invalid: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+    readCookie(req) {
+        const header = req.headers['cookie'];
+        if (typeof header !== 'string' || header.length === 0)
+            return null;
+        for (const pair of header.split(';')) {
+            const trimmed = pair.trim();
+            const eq = trimmed.indexOf('=');
+            if (eq === -1)
+                continue;
+            const name = trimmed.slice(0, eq);
+            if (name !== this.cookieName)
+                continue;
+            const value = trimmed.slice(eq + 1);
+            return value.length > 0 ? decodeURIComponent(value) : null;
+        }
+        return null;
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string')
+        session.agentId = payload['agent_id'];
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    session.claims = { ...payload };
+    return session;
+}
+//# sourceMappingURL=cookie.js.map

package/dist/src/auth/strategies/cookie.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../../../src/auth/strategies/cookie.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;GASG;AACH,OAAO,EAAC,kBAAkB,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AAkBnD,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,QAAQ,CAAC;IACR,UAAU,CAAS;IACnB,IAAI,CAAkB;IACtB,MAAM,CAAU;IAChB,UAAU,CAAS;IAEpC,YAAY,OAAqC;QAC/C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,gBAAgB,CAAC;QACzD,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAC5B,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EACxB,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,QAAQ,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAC,CAAC;QAEnE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,KAAK,EACL,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC;YACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,+BAA+B,MAAM,EAAE,EAAC,CAAC;QAC7E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;IAEO,UAAU,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAAE,SAAS;YACxB,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAClC,IAAI,IAAI,KAAK,IAAI,CAAC,UAAU;gBAAE,SAAS;YACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACpC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/src/auth/strategies/custom-loader.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Load a custom AuthStrategy from a user-supplied module path. Used by
+ * `AuthConfig` `{type: 'custom', module: './path'}` to let agent owners
+ * drop in a verifier function for any auth system they already use
+ * (Auth0 SDK, Supabase getUser, internal verify endpoint, etc.).
+ *
+ * The module's default export must be an `AuthStrategy` (object with
+ * `name`, `valid`, `authenticate`). The shape is validated; a wrong-
+ * shape export throws at startup with a clear message.
+ */
+import type { AuthStrategy } from '../types.js';
+export declare function loadCustomStrategy(modulePath: string): Promise<AuthStrategy>;

package/dist/src/auth/strategies/custom-loader.js

@@ -0,0 +1,37 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export async function loadCustomStrategy(modulePath) {
+    let mod;
+    try {
+        mod = await import(modulePath);
+    }
+    catch (err) {
+        const detail = err instanceof Error ? err.message : String(err);
+        throw new Error(`Failed to load custom auth strategy from '${modulePath}': ${detail}`, { cause: err });
+    }
+    if (typeof mod !== 'object' || mod === null) {
+        throw new Error(`Custom auth strategy at '${modulePath}' did not export anything`);
+    }
+    const candidate = 'default' in mod
+        ? mod.default
+        : mod;
+    if (!isStrategy(candidate)) {
+        throw new Error(`Custom auth strategy at '${modulePath}' default export does not match the AuthStrategy shape ` +
+            `({name: string, valid(req): boolean, authenticate(req): Promise<AuthResult>})`);
+    }
+    return candidate;
+}
+function isStrategy(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    if (!('name' in value) || !('valid' in value) || !('authenticate' in value)) {
+        return false;
+    }
+    return (typeof value.name === 'string' &&
+        typeof value.valid === 'function' &&
+        typeof value.authenticate === 'function');
+}
+//# sourceMappingURL=custom-loader.js.map

package/dist/src/auth/strategies/custom-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-loader.js","sourceRoot":"","sources":["../../../../src/auth/strategies/custom-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAkB;IAElB,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,6CAA6C,UAAU,MAAM,MAAM,EAAE,EACrE,EAAC,KAAK,EAAE,GAAG,EAAC,CACb,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,4BAA4B,UAAU,2BAA2B,CAClE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GACb,SAAS,IAAI,GAAG;QACd,CAAC,CAAE,GAA0B,CAAC,OAAO;QACrC,CAAC,CAAE,GAAe,CAAC;IACvB,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,4BAA4B,UAAU,yDAAyD;YAC7F,+EAA+E,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,cAAc,IAAI,KAAK,CAAC,EAAE,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,CACL,OAAQ,KAAyB,CAAC,IAAI,KAAK,QAAQ;QACnD,OAAQ,KAA0B,CAAC,KAAK,KAAK,UAAU;QACvD,OAAQ,KAAiC,CAAC,YAAY,KAAK,UAAU,CACtE,CAAC;AACJ,CAAC"}

package/dist/src/auth/strategies/header.d.ts

@@ -0,0 +1,35 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * HeaderAuthStrategy — reads the user identity from a configured request
+ * header (default `X-Auth-User`). For service-to-service calls behind a
+ * trusted proxy that authenticates upstream and writes the verified
+ * identity into a header.
+ *
+ * Security: never expose a route protected by this strategy directly to
+ * the public internet. Trusted-header strategies presume an upstream
+ * proxy strips the header on inbound requests and writes its own.
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface HeaderAuthStrategyOptions {
+    /** Header name to read (case-insensitive). Defaults to `'X-Auth-User'`. */
+    headerName?: string;
+    /** Optional `agentId` to attach to the resulting session. */
+    agentId?: string;
+    /** Override `AuthSession.method`. Defaults to `'header'`. */
+    authMethod?: string;
+}
+export declare class HeaderAuthStrategy implements AuthStrategy {
+    readonly name = "header";
+    private readonly headerName;
+    private readonly agentId?;
+    private readonly authMethod;
+    constructor(options?: HeaderAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    private read;
+}

package/dist/src/auth/strategies/header.js

@@ -0,0 +1,42 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export class HeaderAuthStrategy {
+    name = 'header';
+    headerName;
+    agentId;
+    authMethod;
+    constructor(options = {}) {
+        this.headerName = (options.headerName ?? 'X-Auth-User').toLowerCase();
+        if (options.agentId !== undefined)
+            this.agentId = options.agentId;
+        this.authMethod = options.authMethod ?? 'header';
+    }
+    valid(req) {
+        return Boolean(this.read(req));
+    }
+    async authenticate(req) {
+        const userId = this.read(req);
+        if (!userId)
+            return { kind: 'rejected', reason: 'Missing identity header' };
+        return {
+            kind: 'authenticated',
+            session: {
+                user: { id: userId },
+                method: this.authMethod,
+                ...(this.agentId ? { agentId: this.agentId } : {}),
+                scopeId: userId,
+            },
+        };
+    }
+    read(req) {
+        const value = req.headers[this.headerName];
+        const id = Array.isArray(value) ? value[0] : value;
+        if (typeof id !== 'string' || id.length === 0)
+            return null;
+        return id;
+    }
+}
+//# sourceMappingURL=header.js.map

package/dist/src/auth/strategies/header.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"header.js","sourceRoot":"","sources":["../../../../src/auth/strategies/header.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAwBH,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,QAAQ,CAAC;IACR,UAAU,CAAS;IACnB,OAAO,CAAU;IACjB,UAAU,CAAS;IAEpC,YAAY,UAAqC,EAAE;QACjD,IAAI,CAAC,UAAU,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACtE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,QAAQ,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,yBAAyB,EAAC,CAAC;QAC1E,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC;gBAClB,MAAM,EAAE,IAAI,CAAC,UAAU;gBACvB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChD,OAAO,EAAE,MAAM;aAChB;SACF,CAAC;IACJ,CAAC;IAEO,IAAI,CAAC,GAAY;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACnD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3D,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/src/auth/strategies/jwks.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwksAuthStrategy — verifies Bearer JWTs against a remote JWKS endpoint.
+ *
+ * Cloud uses this for cf-worker-injected platform JWTs; self-hosters can
+ * point it at any JWKS-publishing IdP (their own auth server, Auth0,
+ * Keycloak, etc.) when they want a stateless verifier-only flow.
+ */
+import { createRemoteJWKSet } from 'jose';
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface JwksAuthStrategyOptions {
+    /** URL of the JWKS endpoint (e.g. `https://api.example.com/.well-known/jwks.json`). */
+    jwksUrl: string;
+    /** Required `iss` claim. Defaults to no issuer check. */
+    issuer?: string;
+    /** Override the auth method label written to `AuthSession.method`. Defaults to `'jwks'`. */
+    authMethod?: string;
+    /**
+     * Pass-through to `jose.createRemoteJWKSet` for tighter control over
+     * JWKS caching / cooldown / refresh. Useful for ops visibility into
+     * key rotation across multi-instance fleets.
+     */
+    jwksOptions?: Parameters<typeof createRemoteJWKSet>[1];
+}
+export declare class JwksAuthStrategy implements AuthStrategy {
+    readonly name = "jwks";
+    private readonly jwks;
+    private readonly issuer?;
+    private readonly authMethod;
+    constructor(options: JwksAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/jwks.js

@@ -0,0 +1,86 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwksAuthStrategy — verifies Bearer JWTs against a remote JWKS endpoint.
+ *
+ * Cloud uses this for cf-worker-injected platform JWTs; self-hosters can
+ * point it at any JWKS-publishing IdP (their own auth server, Auth0,
+ * Keycloak, etc.) when they want a stateless verifier-only flow.
+ */
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+export class JwksAuthStrategy {
+    name = 'jwks';
+    jwks;
+    issuer;
+    authMethod;
+    constructor(options) {
+        this.jwks = createRemoteJWKSet(new URL(options.jwksUrl), options.jwksOptions);
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        this.authMethod = options.authMethod ?? 'jwks';
+    }
+    valid(req) {
+        const token = readBearer(req);
+        if (!token)
+            return false;
+        return looksLikeJwt(token);
+    }
+    async authenticate(req) {
+        const token = readBearer(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No bearer token' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.jwks, this.issuer ? { issuer: this.issuer } : {});
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `JWT verification failed: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string') {
+        session.agentId = payload['agent_id'];
+    }
+    else if (typeof payload['app_id'] === 'string') {
+        session.agentId = payload['app_id'];
+    }
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    // Stash the full payload under `claims` so callers can read provider-
+    // specific data (groups, custom roles, etc.) without us trying to
+    // narrow it.
+    session.claims = { ...payload };
+    return session;
+}
+function readBearer(req) {
+    const auth = req.headers['authorization'];
+    if (typeof auth !== 'string')
+        return null;
+    if (!auth.startsWith('Bearer '))
+        return null;
+    const token = auth.slice(7);
+    return token.length > 0 ? token : null;
+}
+function looksLikeJwt(token) {
+    if (token.startsWith('ak_'))
+        return false;
+    return token.split('.').length === 3;
+}
+//# sourceMappingURL=jwks.js.map

package/dist/src/auth/strategies/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwks.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AACH,OAAO,EAAC,kBAAkB,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AAoBnD,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,IAAI,CAAkB;IACtB,MAAM,CAAU;IAChB,UAAU,CAAS;IAEpC,YAAY,OAAgC;QAC1C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAC5B,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EACxB,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC;QAEjE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,KAAK,EACL,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC;YACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,4BAA4B,MAAM,EAAE,EAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;SAAM,IAAI,OAAO,OAAO,CAAC,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;QACjD,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,sEAAsE;IACtE,kEAAkE;IAClE,aAAa;IACb,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC"}

package/dist/src/auth/strategies/jwt-secret.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface JwtSecretAuthStrategyOptions {
+    secret: string;
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+    issuer?: string;
+    audience?: string;
+    authMethod?: string;
+}
+export declare class JwtSecretAuthStrategy implements AuthStrategy {
+    readonly name = "jwt-secret";
+    private readonly secretKey;
+    private readonly algorithm;
+    private readonly issuer?;
+    private readonly audience?;
+    private readonly authMethod;
+    constructor(options: JwtSecretAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/jwt-secret.js

@@ -0,0 +1,82 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwtSecretAuthStrategy — verifies HMAC-signed Bearer JWTs against a
+ * shared secret. For ISV / server-mediated flows where another server
+ * (the agent owner's backend) mints JWTs and amodal verifies them with
+ * the same shared secret.
+ */
+import { jwtVerify } from 'jose';
+export class JwtSecretAuthStrategy {
+    name = 'jwt-secret';
+    secretKey;
+    algorithm;
+    issuer;
+    audience;
+    authMethod;
+    constructor(options) {
+        this.secretKey = new TextEncoder().encode(options.secret);
+        this.algorithm = options.algorithm ?? 'HS256';
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        if (options.audience !== undefined)
+            this.audience = options.audience;
+        this.authMethod = options.authMethod ?? 'jwt-secret';
+    }
+    valid(req) {
+        const token = readBearer(req);
+        if (!token)
+            return false;
+        if (token.startsWith('ak_'))
+            return false;
+        return token.split('.').length === 3;
+    }
+    async authenticate(req) {
+        const token = readBearer(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No bearer token' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.secretKey, {
+                algorithms: [this.algorithm],
+                ...(this.issuer ? { issuer: this.issuer } : {}),
+                ...(this.audience ? { audience: this.audience } : {}),
+            });
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `JWT verification failed: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string')
+        session.agentId = payload['agent_id'];
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    session.claims = { ...payload };
+    return session;
+}
+function readBearer(req) {
+    const auth = req.headers['authorization'];
+    if (typeof auth !== 'string' || !auth.startsWith('Bearer '))
+        return null;
+    const token = auth.slice(7);
+    return token.length > 0 ? token : null;
+}
+//# sourceMappingURL=jwt-secret.js.map

package/dist/src/auth/strategies/jwt-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-secret.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwt-secret.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;GAKG;AACH,OAAO,EAAC,SAAS,EAAC,MAAM,MAAM,CAAC;AAa/B,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,YAAY,CAAC;IACZ,SAAS,CAAa;IACtB,SAAS,CAAS;IAClB,MAAM,CAAU;IAChB,QAAQ,CAAU;IAClB,UAAU,CAAS;IAEpC,YAAY,OAAqC;QAC/C,IAAI,CAAC,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;QAC9C,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACrE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC;QAEjE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;gBACpD,UAAU,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC5B,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,4BAA4B,MAAM,EAAE,EAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC"}

package/dist/src/auth/strategies/jwt-secret.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/jwt-secret.test.js

@@ -0,0 +1,75 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect } from 'vitest';
+import { SignJWT } from 'jose';
+import { JwtSecretAuthStrategy } from './jwt-secret.js';
+const SECRET = 'a-secret-of-at-least-16-chars';
+const KEY = new TextEncoder().encode(SECRET);
+async function mintHs256(payload, { iss, aud } = {}) {
+    let jwt = new SignJWT(payload).setProtectedHeader({ alg: 'HS256' }).setIssuedAt().setExpirationTime('5m');
+    if (iss)
+        jwt = jwt.setIssuer(iss);
+    if (aud)
+        jwt = jwt.setAudience(aud);
+    return jwt.sign(KEY);
+}
+function reqWith(token) {
+    return {
+        headers: token === null ? {} : { authorization: `Bearer ${token}` },
+    };
+}
+describe('JwtSecretAuthStrategy', () => {
+    it('valid() is false without a Bearer header', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith(null))).toBe(false);
+    });
+    it('valid() is false on ak_-prefixed tokens', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith('ak_x'))).toBe(false);
+    });
+    it('valid() is true on a 3-segment Bearer', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith('aa.bb.cc'))).toBe(true);
+    });
+    it('authenticates a JWT signed with the matching secret', async () => {
+        const token = await mintHs256({ sub: 'u-1', email: 'a@b' });
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(token));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u-1', email: 'a@b' });
+            expect(r.session.method).toBe('jwt-secret');
+        }
+    });
+    it('rejects a JWT signed with a different secret', async () => {
+        const token = await new SignJWT({ sub: 'u-1' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('5m')
+            .sign(new TextEncoder().encode('different-secret-of-16-chars'));
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(token));
+        expect(r.kind).toBe('rejected');
+    });
+    it('enforces issuer when configured', async () => {
+        const goodToken = await mintHs256({ sub: 'u' }, { iss: 'expected-issuer' });
+        const badToken = await mintHs256({ sub: 'u' }, { iss: 'wrong-issuer' });
+        const s = new JwtSecretAuthStrategy({ secret: SECRET, issuer: 'expected-issuer' });
+        expect((await s.authenticate(reqWith(goodToken))).kind).toBe('authenticated');
+        expect((await s.authenticate(reqWith(badToken))).kind).toBe('rejected');
+    });
+    it('rejects an expired token', async () => {
+        const expired = await new SignJWT({ sub: 'u' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt(Math.floor(Date.now() / 1000) - 3600)
+            .setExpirationTime(Math.floor(Date.now() / 1000) - 60)
+            .sign(KEY);
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(expired));
+        expect(r.kind).toBe('rejected');
+    });
+});
+//# sourceMappingURL=jwt-secret.test.js.map

package/dist/src/auth/strategies/jwt-secret.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-secret.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwt-secret.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAC,MAAM,QAAQ,CAAC;AAC5C,OAAO,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAE7B,OAAO,EAAC,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;AAEtD,MAAM,MAAM,GAAG,+BAA+B,CAAC;AAC/C,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAE7C,KAAK,UAAU,SAAS,CAAC,OAAgC,EAAE,EAAC,GAAG,EAAE,GAAG,KAAkC,EAAE;IACtG,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC,CAAC,WAAW,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACxG,IAAI,GAAG;QAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG;QAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,OAAO,CAAC,KAAoB;IACnC,OAAO;QACL,OAAO,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;KAC5C,CAAC;AAC1B,CAAC;AAED,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YAC1D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,KAAK,EAAC,CAAC;aAC1C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,EAAE;aACb,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,EAAE,EAAC,GAAG,EAAE,iBAAiB,EAAC,CAAC,CAAC;QACxE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,EAAE,EAAC,GAAG,EAAE,cAAc,EAAC,CAAC,CAAC;QACpE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC,CAAC;QACjF,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9E,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,CAAC;aAC1C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;aACjD,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;aACrD,IAAI,CAAC,GAAG,CAAC,CAAC;QACb,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}