@amodalai/runtime 0.3.70 → 0.3.72

package/dist/src/auth/__fixtures__/custom-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-strategy.js","sourceRoot":"","sources":["../../../../src/auth/__fixtures__/custom-strategy.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAUH,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC,MAAM,QAAQ,GAAiB;IAC7B,IAAI,EAAE,aAAa;IACnB,KAAK,CAAC,GAAY;QAChB,OAAO,OAAO,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,QAAQ,CAAC;IAC3D,CAAC;IACD,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;YAC1D,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAC,CAAC;QACxD,CAAC;QACD,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,IAAI,EAAE,EAAC,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAC;gBAC9C,MAAM,EAAE,aAAa;aACtB;SACF,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,eAAe,QAAQ,CAAC"}

package/dist/src/auth/compose.d.ts

@@ -0,0 +1,55 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Composable auth middleware + router factories.
+ *
+ * `authenticate(...strategies)` returns an Express middleware that runs
+ * the strategies in order, picks the first one whose `valid(req)` is
+ * true, awaits its `authenticate(req)`, and attaches the resulting
+ * session to `res.locals.session` (or 401s the request). Single-winner.
+ *
+ * `authRouter(...strategies)` returns a router carrying any strategy-
+ * supplied routes (OAuth callbacks, login redirects, etc.). Mount it
+ * once at the application root.
+ *
+ * Per-route mounting solves the Studio / end-user route bifurcation:
+ * different routes pass different strategy lists, so a request to
+ * `/api/files` can never be authenticated by an end-user-only strategy
+ * (it isn't in the list).
+ */
+import { Router } from 'express';
+import type { RequestHandler } from 'express';
+import type { AuthStrategy, AuthSession } from './types.js';
+/** Hook fired once per request after the chain runs. Useful for metrics. */
+export interface AuthLogEvent {
+    /** Strategy that resolved the request, or `null` if no strategy matched. */
+    strategy: string | null;
+    outcome: 'authenticated' | 'rejected' | 'no-match';
+    reason?: string;
+    durationMs: number;
+}
+export interface AuthenticateOptions {
+    logger?: (event: AuthLogEvent) => void;
+}
+/**
+ * Build a middleware that authenticates requests against the given
+ * strategy chain. First strategy to match (`valid` && `authenticate →
+ * authenticated`) wins. Reject 401s the request. No matching strategy
+ * also 401s.
+ */
+export declare function authenticate(...args: Array<AuthStrategy | AuthenticateOptions>): RequestHandler;
+/**
+ * Build a router carrying any strategy-supplied routes. Strategies that
+ * own a login flow (OAuth callbacks, magic link, etc.) implement the
+ * optional `routes()` method; this factory mounts each one onto a single
+ * router for app-level wiring.
+ */
+export declare function authRouter(...strategies: readonly AuthStrategy[]): Router;
+/**
+ * Read the session attached by `authenticate(...)`. Returns `undefined`
+ * if no session is set (e.g. on routes that don't have auth middleware).
+ */
+export declare function getSession(res: import('express').Response): AuthSession | undefined;

package/dist/src/auth/compose.js

@@ -0,0 +1,142 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Composable auth middleware + router factories.
+ *
+ * `authenticate(...strategies)` returns an Express middleware that runs
+ * the strategies in order, picks the first one whose `valid(req)` is
+ * true, awaits its `authenticate(req)`, and attaches the resulting
+ * session to `res.locals.session` (or 401s the request). Single-winner.
+ *
+ * `authRouter(...strategies)` returns a router carrying any strategy-
+ * supplied routes (OAuth callbacks, login redirects, etc.). Mount it
+ * once at the application root.
+ *
+ * Per-route mounting solves the Studio / end-user route bifurcation:
+ * different routes pass different strategy lists, so a request to
+ * `/api/files` can never be authenticated by an end-user-only strategy
+ * (it isn't in the list).
+ */
+import { Router } from 'express';
+const SESSION_KEY = 'session';
+/**
+ * Build a middleware that authenticates requests against the given
+ * strategy chain. First strategy to match (`valid` && `authenticate →
+ * authenticated`) wins. Reject 401s the request. No matching strategy
+ * also 401s.
+ */
+export function authenticate(...args) {
+    const strategies = [];
+    let options = {};
+    for (const arg of args) {
+        if (isStrategy(arg)) {
+            strategies.push(arg);
+        }
+        else {
+            options = arg;
+        }
+    }
+    return (req, res, next) => {
+        const startedAt = Date.now();
+        void runChain(strategies, req)
+            .then((result) => {
+            const durationMs = Date.now() - startedAt;
+            if (result.kind === 'authenticated') {
+                res.locals[SESSION_KEY] = result.session;
+                options.logger?.({
+                    strategy: result.session.method,
+                    outcome: 'authenticated',
+                    durationMs,
+                });
+                next();
+                return;
+            }
+            if (result.kind === 'rejected') {
+                options.logger?.({
+                    strategy: result.strategy,
+                    outcome: 'rejected',
+                    reason: result.reason,
+                    durationMs,
+                });
+                res.status(401).json({
+                    error: { code: 'UNAUTHORIZED', message: result.reason },
+                });
+                return;
+            }
+            options.logger?.({
+                strategy: null,
+                outcome: 'no-match',
+                durationMs,
+            });
+            res.status(401).json({
+                error: { code: 'UNAUTHORIZED', message: 'Missing authentication' },
+            });
+        })
+            .catch((err) => {
+            // `runChain` itself never throws — this catch is defensive against
+            // strategy implementations that violate the contract by throwing.
+            const durationMs = Date.now() - startedAt;
+            const message = err instanceof Error ? err.message : 'Unauthorized';
+            options.logger?.({
+                strategy: null,
+                outcome: 'rejected',
+                reason: message,
+                durationMs,
+            });
+            res.status(401).json({
+                error: { code: 'UNAUTHORIZED', message },
+            });
+        });
+    };
+}
+async function runChain(strategies, req) {
+    for (const strategy of strategies) {
+        if (!strategy.valid(req))
+            continue;
+        const result = await strategy.authenticate(req);
+        if (result.kind === 'authenticated') {
+            return { kind: 'authenticated', session: result.session };
+        }
+        if (result.kind === 'rejected') {
+            return { kind: 'rejected', strategy: strategy.name, reason: result.reason };
+        }
+    }
+    return { kind: 'no-match' };
+}
+function isStrategy(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    if (!('name' in value) || !('valid' in value) || !('authenticate' in value)) {
+        return false;
+    }
+    const candidate = value;
+    return (typeof candidate['valid'] === 'function' &&
+        typeof candidate['authenticate'] === 'function');
+}
+/**
+ * Build a router carrying any strategy-supplied routes. Strategies that
+ * own a login flow (OAuth callbacks, magic link, etc.) implement the
+ * optional `routes()` method; this factory mounts each one onto a single
+ * router for app-level wiring.
+ */
+export function authRouter(...strategies) {
+    const router = Router();
+    for (const strategy of strategies) {
+        if (strategy.routes) {
+            router.use(strategy.routes());
+        }
+    }
+    return router;
+}
+/**
+ * Read the session attached by `authenticate(...)`. Returns `undefined`
+ * if no session is set (e.g. on routes that don't have auth middleware).
+ */
+export function getSession(res) {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
+    return res.locals[SESSION_KEY];
+}
+//# sourceMappingURL=compose.js.map

package/dist/src/auth/compose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAC,MAAM,EAAC,MAAM,SAAS,CAAC;AAI/B,MAAM,WAAW,GAAG,SAAS,CAAC;AAe9B;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,GAAG,IAA+C;IAElD,MAAM,UAAU,GAAmB,EAAE,CAAC;IACtC,IAAI,OAAO,GAAwB,EAAE,CAAC;IACtC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,GAAG,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,KAAK,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC;aAC3B,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YACf,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;gBACpC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;gBACzC,OAAO,CAAC,MAAM,EAAE,CAAC;oBACf,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;oBAC/B,OAAO,EAAE,eAAe;oBACxB,UAAU;iBACX,CAAC,CAAC;gBACH,IAAI,EAAE,CAAC;gBACP,OAAO;YACT,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC/B,OAAO,CAAC,MAAM,EAAE,CAAC;oBACf,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,OAAO,EAAE,UAAU;oBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,UAAU;iBACX,CAAC,CAAC;gBACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAC;iBACtD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,EAAE,CAAC;gBACf,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,UAAU;gBACnB,UAAU;aACX,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,wBAAwB,EAAC;aACjE,CAAC,CAAC;QACL,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,mEAAmE;YACnE,kEAAkE;YAClE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC;YACpE,OAAO,CAAC,MAAM,EAAE,CAAC;gBACf,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,UAAU;gBACnB,MAAM,EAAE,OAAO;gBACf,UAAU;aACX,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAC;aACvC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACP,CAAC,CAAC;AACJ,CAAC;AAOD,KAAK,UAAU,QAAQ,CACrB,UAAmC,EACnC,GAA8B;IAE9B,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC;YAAE,SAAS;QACnC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YACpC,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAC,CAAC;QAC1D,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IACD,OAAO,EAAC,IAAI,EAAE,UAAU,EAAC,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,cAAc,IAAI,KAAK,CAAC,EAAE,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,SAAS,GAAG,KAAgC,CAAC;IACnD,OAAO,CACL,OAAO,SAAS,CAAC,OAAO,CAAC,KAAK,UAAU;QACxC,OAAO,SAAS,CAAC,cAAc,CAAC,KAAK,UAAU,CAChD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,GAAG,UAAmC;IAC/D,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,GAA+B;IAE/B,uEAAuE;IACvE,OAAO,GAAG,CAAC,MAAM,CAAC,WAAW,CAA4B,CAAC;AAC5D,CAAC"}

package/dist/src/auth/compose.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/compose.test.js

@@ -0,0 +1,159 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect, vi } from 'vitest';
+import express from 'express';
+import supertest from 'supertest';
+import { authenticate, authRouter, getSession } from './compose.js';
+function strategy(name, apply, fn) {
+    return { name, valid: apply, authenticate: fn };
+}
+function buildApp(...mw) {
+    const app = express();
+    for (const m of mw)
+        app.use(m);
+    app.get('/protected', (_req, res) => {
+        res.json({ session: res.locals['session'] ?? null });
+    });
+    return app;
+}
+describe('authenticate', () => {
+    it('returns 401 when no strategy is valid', async () => {
+        const app = buildApp(authenticate(strategy('a', () => false, () => Promise.reject(new Error('unreachable'))), strategy('b', () => false, () => Promise.reject(new Error('unreachable')))));
+        const res = await supertest(app).get('/protected');
+        expect(res.status).toBe(401);
+        expect(res.body).toEqual({
+            error: { code: 'UNAUTHORIZED', message: 'Missing authentication' },
+        });
+    });
+    it('first strategy whose valid returns true and authenticates wins', async () => {
+        const wins = vi.fn(() => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'u1' }, method: 'first' },
+        }));
+        const skipped = vi.fn();
+        const app = buildApp(authenticate(strategy('first', () => true, wins), strategy('second', () => true, skipped)));
+        const res = await supertest(app).get('/protected');
+        expect(res.status).toBe(200);
+        expect(res.body.session.method).toBe('first');
+        expect(wins).toHaveBeenCalledTimes(1);
+        expect(skipped).not.toHaveBeenCalled();
+    });
+    it('skips strategies whose valid returns false (cheap fall-through)', async () => {
+        const skipped = vi.fn();
+        const fallback = vi.fn(() => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'u1' }, method: 'fallback' },
+        }));
+        const app = buildApp(authenticate(strategy('skip', () => false, skipped), strategy('fallback', () => true, fallback)));
+        const res = await supertest(app).get('/protected');
+        expect(res.status).toBe(200);
+        expect(res.body.session.method).toBe('fallback');
+        expect(skipped).not.toHaveBeenCalled();
+    });
+    it("rejected result short-circuits with 401 (chain doesn't fall through)", async () => {
+        const fallback = vi.fn();
+        const app = buildApp(authenticate(strategy('rejector', () => true, () => Promise.resolve({ kind: 'rejected', reason: 'bad token' })), strategy('fallback', () => true, fallback)));
+        const res = await supertest(app).get('/protected');
+        expect(res.status).toBe(401);
+        expect(res.body).toEqual({
+            error: { code: 'UNAUTHORIZED', message: 'bad token' },
+        });
+        expect(fallback).not.toHaveBeenCalled();
+    });
+    it('a strategy that throws is treated as a rejection (defensive)', async () => {
+        const app = buildApp(authenticate(strategy('thrower', () => true, () => Promise.reject(new Error('boom')))));
+        const res = await supertest(app).get('/protected');
+        expect(res.status).toBe(401);
+        expect(res.body.error.message).toBe('boom');
+    });
+    it('logger receives a structured event per request', async () => {
+        const events = [];
+        const app = buildApp(authenticate(strategy('s1', () => true, () => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'u1' }, method: 's1' },
+        })), { logger: (e) => events.push(e) }));
+        await supertest(app).get('/protected');
+        expect(events).toHaveLength(1);
+        const ev = events[0];
+        expect(ev.strategy).toBe('s1');
+        expect(ev.outcome).toBe('authenticated');
+        expect(typeof ev.durationMs).toBe('number');
+    });
+    it('logger sees no-match when nothing applies', async () => {
+        const events = [];
+        const app = buildApp(authenticate(strategy('s1', () => false, () => Promise.reject(new Error('unreachable'))), { logger: (e) => events.push(e) }));
+        await supertest(app).get('/protected');
+        expect(events).toHaveLength(1);
+        const ev = events[0];
+        expect(ev.strategy).toBeNull();
+        expect(ev.outcome).toBe('no-match');
+    });
+    it('different routes can use different strategy chains (Studio vs end-user)', async () => {
+        const platformJwt = strategy('platform-jwt', (req) => req.headers['authorization'] === 'Bearer platform', () => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'admin' }, method: 'platform-jwt' },
+        }));
+        const endUser = strategy('end-user', (req) => req.headers['authorization'] === 'Bearer end-user', () => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'enduser' }, method: 'end-user' },
+        }));
+        const app = express();
+        app.use('/api/files', authenticate(platformJwt));
+        app.use('/chat', authenticate(platformJwt, endUser));
+        app.get('/api/files', (_req, res) => res.json({ m: res.locals['session'].method }));
+        app.get('/chat', (_req, res) => res.json({ m: res.locals['session'].method }));
+        // Studio route accepts platform JWT
+        let res = await supertest(app).get('/api/files').set('Authorization', 'Bearer platform');
+        expect(res.status).toBe(200);
+        expect(res.body.m).toBe('platform-jwt');
+        // Studio route REJECTS end-user token (strategy not in list)
+        res = await supertest(app).get('/api/files').set('Authorization', 'Bearer end-user');
+        expect(res.status).toBe(401);
+        // Chat route accepts end-user token
+        res = await supertest(app).get('/chat').set('Authorization', 'Bearer end-user');
+        expect(res.status).toBe(200);
+        expect(res.body.m).toBe('end-user');
+        // Chat route also accepts platform JWT (Studio dev testing)
+        res = await supertest(app).get('/chat').set('Authorization', 'Bearer platform');
+        expect(res.status).toBe(200);
+        expect(res.body.m).toBe('platform-jwt');
+    });
+});
+describe('authRouter', () => {
+    it('mounts strategy-supplied login routes', async () => {
+        const oauthMock = {
+            name: 'oauth-mock',
+            valid: () => false,
+            authenticate: () => Promise.resolve({ kind: 'rejected', reason: 'never' }),
+            routes: () => {
+                const r = express.Router();
+                r.get('/auth/oauth-mock/start', (_req, res) => res.json({ redirected: true }));
+                return r;
+            },
+        };
+        const app = express();
+        app.use(authRouter(oauthMock));
+        const res = await supertest(app).get('/auth/oauth-mock/start');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual({ redirected: true });
+    });
+});
+describe('getSession', () => {
+    it('returns the session attached by authenticate', async () => {
+        const app = express();
+        app.use(authenticate(strategy('s1', () => true, () => Promise.resolve({
+            kind: 'authenticated',
+            session: { user: { id: 'u1' }, method: 's1' },
+        }))));
+        app.get('/x', (_req, res) => {
+            const s = getSession(res);
+            res.json({ id: s?.user.id });
+        });
+        const r = await supertest(app).get('/x');
+        expect(r.body).toEqual({ id: 'u1' });
+    });
+});
+//# sourceMappingURL=compose.test.js.map

package/dist/src/auth/compose.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.test.js","sourceRoot":"","sources":["../../../src/auth/compose.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAC,MAAM,QAAQ,CAAC;AAChD,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,SAAS,MAAM,WAAW,CAAC;AAClC,OAAO,EAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAC,MAAM,cAAc,CAAC;AAGlE,SAAS,QAAQ,CACf,IAAY,EACZ,KAAwC,EACxC,EAAiD;IAEjD,OAAO,EAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,EAAC,CAAC;AAChD,CAAC;AAED,SAAS,QAAQ,CAAC,GAAG,EAA4B;IAC/C,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,KAAK,MAAM,CAAC,IAAI,EAAE;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,IAAI,CAAC,EAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,IAAI,EAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,EAC1E,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAC3E,CACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;YACvB,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,wBAAwB,EAAC;SACjE,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CACtB,OAAO,CAAC,OAAO,CAAa;YAC1B,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,EAAC,EAAE,MAAM,EAAE,OAAO,EAAC;SAC7C,CAAC,CACH,CAAC;QACF,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,EACnC,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CACxC,CACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAC1B,OAAO,CAAC,OAAO,CAAa;YAC1B,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,EAAC,EAAE,MAAM,EAAE,UAAU,EAAC;SAChD,CAAC,CACH,CAAC;QACF,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,EACtC,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,QAAQ,CAAC,CAC3C,CACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CACpC,OAAO,CAAC,OAAO,CAAa,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAC,CAAC,CACrE,EACD,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,QAAQ,CAAC,CAC3C,CACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;YACvB,KAAK,EAAE,EAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,EAAC;SACpD,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CACzE,CACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAC9B,OAAO,CAAC,OAAO,CAAa;YAC1B,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,EAAC,EAAE,MAAM,EAAE,IAAI,EAAC;SAC1C,CAAC,CACH,EACD,EAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAC,CAChC,CACF,CAAC;QACF,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAA4D,CAAC;QAChF,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,QAAQ,CAClB,YAAY,CACV,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,EAC3E,EAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAC,CAChC,CACF,CAAC;QACF,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAA+C,CAAC;QACnE,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;QACvF,MAAM,WAAW,GAAG,QAAQ,CAAC,cAAc,EACzC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,KAAK,iBAAiB,EAC3D,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAa;YAChC,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,OAAO,EAAC,EAAE,MAAM,EAAE,cAAc,EAAC;SACvD,CAAC,CACH,CAAC;QACF,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,EACjC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,KAAK,iBAAiB,EAC3D,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAa;YAChC,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,SAAS,EAAC,EAAE,MAAM,EAAE,UAAU,EAAC;SACrD,CAAC,CACH,CAAC;QAEF,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC;QACjD,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QACrD,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC;QAClF,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC;QAE7E,oCAAoC;QACpC,IAAI,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QACzF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAExC,6DAA6D;QAC7D,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QACrF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE7B,oCAAoC;QACpC,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAEpC,4DAA4D;QAC5D,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,SAAS,GAAiB;YAC9B,IAAI,EAAE,YAAY;YAClB,KAAK,EAAE,GAAG,EAAE,CAAC,KAAK;YAClB,YAAY,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC;YACxE,MAAM,EAAE,GAAG,EAAE;gBACX,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;gBAC3B,CAAC,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAC,UAAU,EAAE,IAAI,EAAC,CAAC,CAAC,CAAC;gBAC7E,OAAO,CAAC,CAAC;YACX,CAAC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QAC/D,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,UAAU,EAAE,IAAI,EAAC,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CACL,YAAY,CACV,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAC9B,OAAO,CAAC,OAAO,CAAa;YAC1B,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,EAAC,EAAE,MAAM,EAAE,IAAI,EAAC;SAC1C,CAAC,CACH,CACF,CACF,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC1B,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC,EAAC,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,EAAE,EAAC,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/config.d.ts

@@ -0,0 +1,261 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Config-driven auth — discriminated union the agent owner sets in
+ * `amodal.json` (or whatever surfaces the runtime through). The host
+ * resolves any `env:` references against its secrets store before
+ * passing the config to `createAuthStrategy(config)`.
+ *
+ *   {
+ *     "auth": {
+ *       "type": "oidc",
+ *       "issuer": "https://acme.okta.com",
+ *       ...
+ *     }
+ *   }
+ */
+import { z } from 'zod';
+declare const NoneAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"none">;
+    /** Synthesized user id for the anonymous session. Defaults to `'anonymous'`. */
+    userId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "none";
+    userId?: string | undefined;
+}, {
+    type: "none";
+    userId?: string | undefined;
+}>;
+declare const JwtSecretAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"jwt_secret">;
+    /** Shared HMAC secret used to verify incoming JWTs. */
+    secret: z.ZodString;
+    /** HMAC algorithm. Defaults to HS256. */
+    algorithm: z.ZodOptional<z.ZodEnum<["HS256", "HS384", "HS512"]>>;
+    /** Expected `iss` claim. Optional. */
+    issuer: z.ZodOptional<z.ZodString>;
+    /** Expected `aud` claim. Optional. */
+    audience: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "jwt_secret";
+    secret: string;
+    issuer?: string | undefined;
+    audience?: string | undefined;
+    algorithm?: "HS256" | "HS384" | "HS512" | undefined;
+}, {
+    type: "jwt_secret";
+    secret: string;
+    issuer?: string | undefined;
+    audience?: string | undefined;
+    algorithm?: "HS256" | "HS384" | "HS512" | undefined;
+}>;
+declare const OidcAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"oidc">;
+    /** OIDC issuer URL — the IdP's discovery base (`https://acme.okta.com`). */
+    issuer: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    /** Where the IdP redirects back after login. Must be registered with the IdP. */
+    callbackUrl: z.ZodString;
+    /** OAuth scopes to request. Defaults to `['openid', 'email', 'profile']`. */
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * HMAC secret used to sign the session JWT stored in the runtime's cookie.
+     * Distinct from the IdP — this is purely the runtime's session signing key.
+     */
+    sessionSecret: z.ZodString;
+    /** Cookie name for the session JWT. Defaults to `'amodal_session'`. */
+    cookieName: z.ZodOptional<z.ZodString>;
+    /** Session TTL in seconds. Defaults to 24h. */
+    sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    type: "oidc";
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    sessionSecret: string;
+    scopes?: string[] | undefined;
+    cookieName?: string | undefined;
+    sessionTtlSeconds?: number | undefined;
+}, {
+    type: "oidc";
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    sessionSecret: string;
+    scopes?: string[] | undefined;
+    cookieName?: string | undefined;
+    sessionTtlSeconds?: number | undefined;
+}>;
+declare const HeaderAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"header">;
+    headerName: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "header";
+    headerName?: string | undefined;
+}, {
+    type: "header";
+    headerName?: string | undefined;
+}>;
+declare const CustomAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    /**
+     * Module path (relative to the agent's runtime directory) whose default
+     * export implements the `AuthStrategy` interface. The runtime imports
+     * this file at startup and validates the shape.
+     */
+    module: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: "custom";
+    module: string;
+}, {
+    type: "custom";
+    module: string;
+}>;
+/**
+ * "Sign in with Amodal" — verifies platform JWTs minted by the Amodal
+ * cloud (or any self-hosted Amodal-equivalent platform). Agent owners on
+ * the Amodal cloud need zero config; the cloud's deploy pipeline injects
+ * the JWKS URL via the `AMODAL_JWKS_URL` env var. Self-hosters override
+ * via the optional `jwksUrl` field.
+ */
+declare const AmodalAuthConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"amodal">;
+    jwksUrl: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "amodal";
+    issuer?: string | undefined;
+    jwksUrl?: string | undefined;
+}, {
+    type: "amodal";
+    issuer?: string | undefined;
+    jwksUrl?: string | undefined;
+}>;
+export declare const AuthConfigSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"none">;
+    /** Synthesized user id for the anonymous session. Defaults to `'anonymous'`. */
+    userId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "none";
+    userId?: string | undefined;
+}, {
+    type: "none";
+    userId?: string | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"jwt_secret">;
+    /** Shared HMAC secret used to verify incoming JWTs. */
+    secret: z.ZodString;
+    /** HMAC algorithm. Defaults to HS256. */
+    algorithm: z.ZodOptional<z.ZodEnum<["HS256", "HS384", "HS512"]>>;
+    /** Expected `iss` claim. Optional. */
+    issuer: z.ZodOptional<z.ZodString>;
+    /** Expected `aud` claim. Optional. */
+    audience: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "jwt_secret";
+    secret: string;
+    issuer?: string | undefined;
+    audience?: string | undefined;
+    algorithm?: "HS256" | "HS384" | "HS512" | undefined;
+}, {
+    type: "jwt_secret";
+    secret: string;
+    issuer?: string | undefined;
+    audience?: string | undefined;
+    algorithm?: "HS256" | "HS384" | "HS512" | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"oidc">;
+    /** OIDC issuer URL — the IdP's discovery base (`https://acme.okta.com`). */
+    issuer: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    /** Where the IdP redirects back after login. Must be registered with the IdP. */
+    callbackUrl: z.ZodString;
+    /** OAuth scopes to request. Defaults to `['openid', 'email', 'profile']`. */
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * HMAC secret used to sign the session JWT stored in the runtime's cookie.
+     * Distinct from the IdP — this is purely the runtime's session signing key.
+     */
+    sessionSecret: z.ZodString;
+    /** Cookie name for the session JWT. Defaults to `'amodal_session'`. */
+    cookieName: z.ZodOptional<z.ZodString>;
+    /** Session TTL in seconds. Defaults to 24h. */
+    sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    type: "oidc";
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    sessionSecret: string;
+    scopes?: string[] | undefined;
+    cookieName?: string | undefined;
+    sessionTtlSeconds?: number | undefined;
+}, {
+    type: "oidc";
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    sessionSecret: string;
+    scopes?: string[] | undefined;
+    cookieName?: string | undefined;
+    sessionTtlSeconds?: number | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"header">;
+    headerName: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "header";
+    headerName?: string | undefined;
+}, {
+    type: "header";
+    headerName?: string | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    /**
+     * Module path (relative to the agent's runtime directory) whose default
+     * export implements the `AuthStrategy` interface. The runtime imports
+     * this file at startup and validates the shape.
+     */
+    module: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: "custom";
+    module: string;
+}, {
+    type: "custom";
+    module: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"amodal">;
+    jwksUrl: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "amodal";
+    issuer?: string | undefined;
+    jwksUrl?: string | undefined;
+}, {
+    type: "amodal";
+    issuer?: string | undefined;
+    jwksUrl?: string | undefined;
+}>]>;
+export type AuthConfig = z.infer<typeof AuthConfigSchema>;
+export type NoneAuthConfig = z.infer<typeof NoneAuthConfigSchema>;
+export type JwtSecretAuthConfig = z.infer<typeof JwtSecretAuthConfigSchema>;
+export type OidcAuthConfig = z.infer<typeof OidcAuthConfigSchema>;
+export type HeaderAuthConfig = z.infer<typeof HeaderAuthConfigSchema>;
+export type CustomAuthConfig = z.infer<typeof CustomAuthConfigSchema>;
+export type AmodalAuthConfig = z.infer<typeof AmodalAuthConfigSchema>;
+/**
+ * Parse + validate an `auth` block from agent config. Throws a clear
+ * error on any malformed shape so misconfiguration fails at startup
+ * rather than at first request. Pass `undefined` / missing config to
+ * default to `{type: 'none'}`.
+ */
+export declare function parseAuthConfig(raw: unknown): AuthConfig;
+export {};